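#!/usr/bin/env python

"""
Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

import os
import re
import string
import subprocess
import sys

from lib.core.enums import DBMS
from lib.core.enums import DBMS_DIRECTORY_NAME
from lib.core.enums import OS
from lib.core.revision import getRevisionNumber

# Global constants and defaults shared by the rest of sqlmap.
# Values here are read-only settings; nothing in this module performs I/O
# other than getRevisionNumber() at import time.

# sqlmap version and site
VERSION = "1.0-dev"
REVISION = getRevisionNumber()
# e.g. "sqlmap/1.0-dev-<revision>"; the revision part is omitted when unknown
VERSION_STRING = "sqlmap/%s%s" % (VERSION, "-%s" % REVISION if REVISION else "")
DESCRIPTION = "automatic SQL injection and database takeover tool"
SITE = "http://sqlmap.org"
ISSUES_PAGE = "https://github.com/sqlmapproject/sqlmap/issues/new"
GIT_REPOSITORY = "git://github.com/sqlmapproject/sqlmap.git"
ML = "sqlmap-users@lists.sourceforge.net"

# Minimum distance of ratio from kb.matchRatio to result in True
DIFF_TOLERANCE = 0.05
CONSTANT_RATIO = 0.9

# Lower and upper values for match ratio in case of stable page
LOWER_RATIO_BOUND = 0.02
UPPER_RATIO_BOUND = 0.98

# Markers for special cases when parameter values contain html encoded characters
PARAMETER_AMP_MARKER = "__AMP__"
PARAMETER_SEMICOLON_MARKER = "__SEMICOLON__"
PARTIAL_VALUE_MARKER = "__PARTIAL_VALUE__"
PARTIAL_HEX_VALUE_MARKER = "__PARTIAL_HEX_VALUE__"
URI_QUESTION_MARKER = "__QUESTION_MARK__"
ASTERISK_MARKER = "__ASTERISK_MARK__"
REPLACEMENT_MARKER = "__REPLACEMENT_MARK__"

# Delimiter placed around the payload inside a request
PAYLOAD_DELIMITER = "__PAYLOAD_DELIMITER__"

# Placeholder substituted with the character being inferred (also used in EXCLUDE_UNESCAPE)
CHAR_INFERENCE_MARK = "%c"

# Regular expression matching a single printable (non-control, non-high-bit) character
PRINTABLE_CHAR_REGEX = r"[^\x00-\x1f\x7f-\xff]"

# Regular expression used for recognition of generic permission messages
PERMISSION_DENIED_REGEX = r"(command|permission|access)\s*(was|is)?\s*denied"

# Regular expression used for recognition of generic maximum connection messages
MAX_CONNECTIONS_REGEX = r"max.+connections"

# Regular expression used for extracting results from Google search
GOOGLE_REGEX = r"url\?\w+=((?![^>]+webcache\.googleusercontent\.com)http[^>]+)&(sa=U|rct=j)"

# Regular expression used for extracting results from DuckDuckGo search
DUCKDUCKGO_REGEX = r'"u":"([^"]+)'

# Regular expression used for extracting content from "textual" tags
TEXT_TAG_REGEX = r"(?si)<(abbr|acronym|b|blockquote|br|center|cite|code|dt|em|font|h\d|i|li|p|pre|q|strong|sub|sup|td|th|title|tt|u)(?!\w).*?>(?P<result>[^<]+)"

# Regular expression used for recognition of IP addresses
IP_ADDRESS_REGEX = r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"

# Dumping characters used in GROUP_CONCAT MySQL technique
CONCAT_ROW_DELIMITER = ','
CONCAT_VALUE_DELIMITER = '|'

# Coefficient used for a time-based query delay checking (must be >= 7)
TIME_STDEV_COEFF = 7

# Minimum response time that can be even considered as delayed (not a complete requirement)
MIN_VALID_DELAYED_RESPONSE = 0.5

# Standard deviation after which a warning message should be displayed about connection lags
WARN_TIME_STDEV = 0.5

# Minimum length of usable union injected response (quick defense against substr fields)
UNION_MIN_RESPONSE_CHARS = 10

# Coefficient used for a union-based number of columns checking (must be >= 7)
UNION_STDEV_COEFF = 7

# Length of queue for candidates for time delay adjustment
TIME_DELAY_CANDIDATES = 3

# Default value for HTTP Accept header
HTTP_ACCEPT_HEADER_VALUE = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"

# Default value for HTTP Accept-Encoding header
HTTP_ACCEPT_ENCODING_HEADER_VALUE = "gzip,deflate"

# Default timeout for running commands over backdoor
BACKDOOR_RUN_CMD_TIMEOUT = 5

# Maximum number of techniques used in inject.py/getValue() per one value
MAX_TECHNIQUES_PER_VALUE = 2

# In case of missing piece of partial union dump, buffered array must be flushed after certain size
MAX_BUFFERED_PARTIAL_UNION_LENGTH = 1024

# Suffix used for naming meta databases in DBMS(es) without explicit database name
METADB_SUFFIX = "_masterdb"

# Minimum time response set needed for time-comparison based on standard deviation
MIN_TIME_RESPONSES = 15

# Minimum comparison ratio set needed for searching valid union column number based on standard deviation
MIN_UNION_RESPONSES = 5

# After these number of blanks at the end inference should stop (just in case)
INFERENCE_BLANK_BREAK = 10

# Use this replacement character for cases when inference is not able to retrieve the proper character value
INFERENCE_UNKNOWN_CHAR = '?'

# Character used for operation "greater" in inference
INFERENCE_GREATER_CHAR = ">"

# Character used for operation "equals" in inference
INFERENCE_EQUALS_CHAR = "="

# Character used for operation "not-equals" in inference
INFERENCE_NOT_EQUALS_CHAR = "!="

# String used for representation of unknown dbms
UNKNOWN_DBMS = "Unknown"

# String used for representation of unknown dbms version
UNKNOWN_DBMS_VERSION = "Unknown"

# Dynamicity mark length used in dynamicity removal engine
DYNAMICITY_MARK_LENGTH = 32

# Dummy user prefix used in dictionary attack
DUMMY_USER_PREFIX = "__dummy__"

# Reference: http://en.wikipedia.org/wiki/ISO/IEC_8859-1
DEFAULT_PAGE_ENCODING = "iso-8859-1"

# URL used in dummy runs
DUMMY_URL = "http://foo/bar?id=1"

# System variables
# NOTE: subprocess.mswindows is an undocumented module attribute of the
# Python 2 subprocess module (it is not part of the public API).
IS_WIN = subprocess.mswindows

# The name of the operating system dependent module imported. The following names have currently been registered: 'posix', 'nt', 'mac', 'os2', 'ce', 'java', 'riscos'
PLATFORM = os.name

# Interpreter version only (first whitespace-separated token of sys.version)
PYVERSION = sys.version.split()[0]

# DBMS system databases
MSSQL_SYSTEM_DBS = ("Northwind", "master", "model", "msdb", "pubs", "tempdb")
MYSQL_SYSTEM_DBS = ("information_schema", "mysql")  # Before MySQL 5.0 only "mysql"
PGSQL_SYSTEM_DBS = ("information_schema", "pg_catalog", "pg_toast")
ORACLE_SYSTEM_DBS = ("CTXSYS", "DBSNMP", "DMSYS", "EXFSYS", "MDSYS", "OLAPSYS", "ORDSYS", "OUTLN", "SYS", "SYSAUX", "SYSMAN", "SYSTEM", "TSMSYS", "WMSYS", "XDB")  # These are TABLESPACE_NAME
SQLITE_SYSTEM_DBS = ("sqlite_master", "sqlite_temp_master")
ACCESS_SYSTEM_DBS = (
    "MSysAccessObjects", "MSysACEs", "MSysObjects", "MSysQueries", "MSysRelationships", "MSysAccessStorage",
    "MSysAccessXML", "MSysModules", "MSysModules2",
)
FIREBIRD_SYSTEM_DBS = (
    "RDB$BACKUP_HISTORY", "RDB$CHARACTER_SETS", "RDB$CHECK_CONSTRAINTS", "RDB$COLLATIONS", "RDB$DATABASE",
    "RDB$DEPENDENCIES", "RDB$EXCEPTIONS", "RDB$FIELDS", "RDB$FIELD_DIMENSIONS", "RDB$FILES", "RDB$FILTERS",
    "RDB$FORMATS", "RDB$FUNCTIONS", "RDB$FUNCTION_ARGUMENTS", "RDB$GENERATORS", "RDB$INDEX_SEGMENTS", "RDB$INDICES",
    "RDB$LOG_FILES", "RDB$PAGES", "RDB$PROCEDURES", "RDB$PROCEDURE_PARAMETERS", "RDB$REF_CONSTRAINTS", "RDB$RELATIONS",
    "RDB$RELATION_CONSTRAINTS", "RDB$RELATION_FIELDS", "RDB$ROLES", "RDB$SECURITY_CLASSES", "RDB$TRANSACTIONS", "RDB$TRIGGERS",
    "RDB$TRIGGER_MESSAGES", "RDB$TYPES", "RDB$USER_PRIVILEGES", "RDB$VIEW_RELATIONS",
)
MAXDB_SYSTEM_DBS = ("SYSINFO", "DOMAIN")
SYBASE_SYSTEM_DBS = ("master", "model", "sybsystemdb", "sybsystemprocs")
DB2_SYSTEM_DBS = (
    "NULLID", "SQLJ", "SYSCAT", "SYSFUN", "SYSIBM", "SYSIBMADM", "SYSIBMINTERNAL", "SYSIBMTS",
    "SYSPROC", "SYSPUBLIC", "SYSSTAT", "SYSTOOLS",
)
HSQLDB_SYSTEM_DBS = ("INFORMATION_SCHEMA", "SYSTEM_LOB")

# Lower-case names accepted on the command line for each supported DBMS
MSSQL_ALIASES = ("microsoft sql server", "mssqlserver", "mssql", "ms")
MYSQL_ALIASES = ("mysql", "my")
PGSQL_ALIASES = ("postgresql", "postgres", "pgsql", "psql", "pg")
ORACLE_ALIASES = ("oracle", "orcl", "ora", "or")
SQLITE_ALIASES = ("sqlite", "sqlite3")
ACCESS_ALIASES = ("msaccess", "access", "jet", "microsoft access")
FIREBIRD_ALIASES = ("firebird", "mozilla firebird", "interbase", "ibase", "fb")
MAXDB_ALIASES = ("maxdb", "sap maxdb", "sap db")
SYBASE_ALIASES = ("sybase", "sybase sql server")
DB2_ALIASES = ("db2", "ibm db2", "ibmdb2")
HSQLDB_ALIASES = ("hsql", "hsqldb", "hs", "hypersql")

# Maps each public DBMS enum value to its directory name (same attribute name on both enums)
DBMS_DIRECTORY_DICT = dict((getattr(DBMS, name), getattr(DBMS_DIRECTORY_NAME, name)) for name in dir(DBMS) if not name.startswith("_"))

SUPPORTED_DBMS = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES + SQLITE_ALIASES + ACCESS_ALIASES + FIREBIRD_ALIASES + MAXDB_ALIASES + SYBASE_ALIASES + DB2_ALIASES + HSQLDB_ALIASES
SUPPORTED_OS = ("linux", "windows")

# Alternative spellings accepted for header-based parameter names
USER_AGENT_ALIASES = ("ua", "useragent", "user-agent")
REFERER_ALIASES = ("ref", "referer", "referrer")
HOST_ALIASES = ("host",)

# Items displayed in basic help (-h) output
BASIC_HELP_ITEMS = (
    "url",
    "googleDork",
    "data",
    "cookie",
    "randomAgent",
    "proxy",
    "testParameter",
    "dbms",
    "level",
    "risk",
    "tech",
    "getAll",
    "getBanner",
    "getCurrentUser",
    "getCurrentDb",
    "getPasswordHashes",
    "getTables",
    "getColumns",
    "getSchema",
    "dumpTable",
    "dumpAll",
    "db",
    "tbl",
    "col",
    "osShell",
    "osPwn",
    "batch",
    "checkTor",
    "flushSession",
    "tor",
    "wizard",
)

# String representation for NULL value
NULL = "NULL"

# String representation for blank ('') value
BLANK = "<blank>"

# String representation for current database
CURRENT_DB = "CD"

# Regular expressions used for parsing error messages (--parse-errors)
ERROR_PARSING_REGEXES = (
    r"<b>[^<]*(fatal|error|warning|exception)[^<]*</b>:?\s*(?P<result>.+?)<br\s*/?\s*>",
    r"(?m)^(fatal|error|warning|exception):?\s*(?P<result>.+?)$",
    r"<li>Error Type:<br>(?P<result>.+?)</li>",
    r"error '[0-9a-f]{8}'((<[^>]+>)|\s)+(?P<result>[^<>]+)",
)

# Regular expression used for parsing charset info from meta html headers
META_CHARSET_REGEX = r'(?si)<head>.*<meta http-equiv="?content-type"?[^>]+charset=(?P<result>[^">]+).*</head>'

# Regular expression used for parsing refresh info from meta html headers
META_REFRESH_REGEX = r'(?si)<head>.*<meta http-equiv="?refresh"?[^>]+content="?[^">]+url=(?P<result>[^">]+).*</head>'

# Regular expression used for parsing empty fields in tested form data
EMPTY_FORM_FIELDS_REGEX = r'(&|\A)(?P<result>[^=]+=(&|\Z))'

# Reference: http://www.cs.ru.nl/bachelorscripties/2010/Martin_Devillers___0437999___Analyzing_password_strength.pdf
COMMON_PASSWORD_SUFFIXES = ("1", "123", "2", "12", "3", "13", "7", "11", "5", "22", "23", "01", "4", "07", "21", "14", "10", "06", "08", "8", "15", "69", "16", "6", "18")

# Reference: http://www.the-interweb.com/serendipity/index.php?/archives/94-A-brief-analysis-of-40,000-leaked-MySpace-passwords.html
COMMON_PASSWORD_SUFFIXES += ("!", ".", "*", "!!", "?", ";", "..", "!!!", ",", "@")

# Splitter used between requests in WebScarab log files
WEBSCARAB_SPLITTER = "### Conversation"

# Splitter used between requests in BURP log files
BURP_REQUEST_REGEX = r"={10,}\s+[^=]+={10,}\s(.+?)\s={10,}"

# Regex used for parsing XML Burp saved history items
BURP_XML_HISTORY_REGEX = r'<request base64="true"><!\[CDATA\[([^]]+)'

# Encoding used for Unicode data
UNICODE_ENCODING = "utf8"

# Reference: http://www.w3.org/Protocols/HTTP/Object_Headers.html#uri
URI_HTTP_HEADER = "URI"

# Uri format which could be injectable (e.g. www.site.com/id82)
URI_INJECTABLE_REGEX = r"//[^/]*/([^\.*?]+)\Z"

# Regex used for masking sensitive data (%s is filled with the value to mask);
# raw string so the \s escapes are passed to the regex engine unchanged
SENSITIVE_DATA_REGEX = r"(\s|=)(?P<result>[^\s=]*%s[^\s]*)\s"

# Maximum number of threads (avoiding connection issues and/or DoS)
MAX_NUMBER_OF_THREADS = 10

# Minimum range between minimum and maximum of statistical set
MIN_STATISTICAL_RANGE = 0.01

# Minimum value for comparison ratio
MIN_RATIO = 0.0

# Maximum value for comparison ratio
MAX_RATIO = 1.0

# Character used for marking injectable position inside provided data
CUSTOM_INJECTION_MARK_CHAR = '*'

# Other way to declare injection position
INJECT_HERE_MARK = '%INJECT HERE%'

# Maximum length used for retrieving data over MySQL error based payload due to "known" problems with longer result strings
MYSQL_ERROR_CHUNK_LENGTH = 50

# Maximum length used for retrieving data over MSSQL error based payload due to trimming problems with longer result strings
MSSQL_ERROR_CHUNK_LENGTH = 100

# Do not escape the injected statement if it contains any of the following SQL keywords
EXCLUDE_UNESCAPE = ("WAITFOR DELAY", "INTO DUMPFILE", "INTO OUTFILE", "CREATE", "BULK", "EXEC", "RECONFIGURE", "DECLARE", "'%s'" % CHAR_INFERENCE_MARK)

# Mark used for replacement of reflected values
REFLECTED_VALUE_MARKER = "__REFLECTED_VALUE__"

# Regular expression used for replacing border non-alphanum characters
REFLECTED_BORDER_REGEX = r"[^A-Za-z]+"

# Regular expression used for replacing non-alphanum characters
REFLECTED_REPLACEMENT_REGEX = r".+?"

# Maximum number of alpha-numerical parts in reflected regex (for speed purposes)
REFLECTED_MAX_REGEX_PARTS = 10

# Chars which can be used as a failsafe values in case of too long URL encoding value
URLENCODE_FAILSAFE_CHARS = "()|,"

# Maximum length of URL encoded value after which failsafe procedure takes away
URLENCODE_CHAR_LIMIT = 2000

# Default schema for Microsoft SQL Server DBMS
DEFAULT_MSSQL_SCHEMA = "dbo"

# Display hash attack info every mod number of items
HASH_MOD_ITEM_DISPLAY = 11

# Maximum integer value (sys.maxint exists on Python 2 only)
MAX_INT = sys.maxint

# Options that need to be restored in multiple targets run mode
RESTORE_MERGED_OPTIONS = ("col", "db", "dnsName", "privEsc", "tbl", "regexp", "string", "textOnly", "threads", "timeSec", "tmpPath", "uChar", "user")

# Parameters to be ignored in detection phase (upper case)
IGNORE_PARAMETERS = ("__VIEWSTATE", "__VIEWSTATEENCRYPTED", "__EVENTARGUMENT", "__EVENTTARGET", "__EVENTVALIDATION", "ASPSESSIONID", "ASP.NET_SESSIONID", "JSESSIONID", "CFID", "CFTOKEN")

# Regular expression used for recognition of ASP.NET control parameters
ASP_NET_CONTROL_REGEX = r"(?i)\Actl\d+\$"

# Prefix for Google analytics cookie names
GOOGLE_ANALYTICS_COOKIE_PREFIX = "__UTM"

# Turn off resume console info to avoid potential slowdowns
TURN_OFF_RESUME_INFO_LIMIT = 20

# Strftime format for results file used in multiple target mode
RESULTS_FILE_FORMAT = "results-%m%d%Y_%I%M%p.csv"

# Official web page with the list of Python supported codecs
CODECS_LIST_PAGE = "http://docs.python.org/library/codecs.html#standard-encodings"

# Simple regular expression used to distinguish scalar from multiple-row commands (not sole condition)
SQL_SCALAR_REGEX = r"\A(SELECT(?!\s+DISTINCT\(?))?\s*\w*\("

# IP address of the localhost
LOCALHOST = "127.0.0.1"

# Default port used by Tor
DEFAULT_TOR_SOCKS_PORT = 9050

# Default ports used in Tor proxy bundles
DEFAULT_TOR_HTTP_PORTS = (8123, 8118)

# Percentage below which comparison engine could have problems
LOW_TEXT_PERCENT = 20

# These MySQL keywords can't go (alone) into versioned comment form (/*!...*/)
# Reference: http://dev.mysql.com/doc/refman/5.1/en/function-resolution.html
IGNORE_SPACE_AFFECTED_KEYWORDS = ("CAST", "COUNT", "EXTRACT", "GROUP_CONCAT", "MAX", "MID", "MIN", "SESSION_USER", "SUBSTR", "SUBSTRING", "SUM", "SYSTEM_USER", "TRIM")

# Disclaimer shown to the user (see also the 'doc/COPYING' reference above)
LEGAL_DISCLAIMER = "Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program"

# After this number of misses reflective removal mechanism is turned off (for speed up reasons)
REFLECTIVE_MISS_THRESHOLD = 20

# Regular expression used for extracting HTML title
HTML_TITLE_REGEX = "<title>(?P<result>[^<]+)</title>"

# Table used for Base64 conversion in WordPress hash cracking routine
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Chars used to quickly distinguish if the user provided tainted parameter values
DUMMY_SQL_INJECTION_CHARS = ";()'"

# Simple check against dummy users
DUMMY_USER_INJECTION = r"(?i)[^\w](AND|OR)\s+[^\s]+[=><]|\bUNION\b.+\bSELECT\b"

# Extensions skipped by crawler (each extension listed once; order is irrelevant for membership tests)
CRAWL_EXCLUDE_EXTENSIONS = ("gif", "jpg", "jpeg", "image", "jar", "tif", "bmp", "war", "ear", "mpg", "mpeg", "wmv", "scm", "iso", "dmp", "dll", "cab", "so", "avi", "mkv", "bin", "tar", "png", "pdf", "ps", "wav", "mp3", "mp4", "au", "aiff", "aac", "zip", "rar", "7z", "gz", "flv", "mov")

# Patterns often seen in HTTP headers containing custom injection marking character
PROBLEMATIC_CUSTOM_INJECTION_PATTERNS = r"(\bq=[^;']+)|(\*/\*)"

# Template used for common table existence check
BRUTE_TABLE_EXISTS_TEMPLATE = "EXISTS(SELECT %d FROM %s)"

# Template used for common column existence check
BRUTE_COLUMN_EXISTS_TEMPLATE = "EXISTS(SELECT %s FROM %s)"

# Payload used for checking of existence of IDS/WAF (dummier the better)
IDS_WAF_CHECK_PAYLOAD = "AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1"

# Vectors used for provoking specific WAF/IDS/IPS behavior(s)
WAF_ATTACK_VECTORS = (
    "",  # NIL
    "search=<script>alert(1)</script>",
    "file=../../../../etc/passwd",
    "q=<invalid>foobar",
    "id=1 %s" % IDS_WAF_CHECK_PAYLOAD,
)

# Used for status representation in dictionary attack phase
ROTATING_CHARS = ('\\', '|', '|', '/', '-')

# Chunk length (in items) used by BigArray objects (only last chunk and cached one are held in memory)
BIGARRAY_CHUNK_LENGTH = 4096

# Only console display last n table rows
TRIM_STDOUT_DUMP_SIZE = 256

# Parse response headers only first couple of times
PARSE_HEADERS_LIMIT = 3

# Step used in ORDER BY technique used for finding the right number of columns in UNION query injections
ORDER_BY_STEP = 10

# Maximum number of times for revalidation of a character in time-based injections
MAX_TIME_REVALIDATION_STEPS = 5

# Characters that can be used to split parameter values in provided command line (e.g. in --tamper)
PARAMETER_SPLITTING_REGEX = r'[,|;]'

# Regular expression describing possible union char value (e.g. used in --union-char)
UNION_CHAR_REGEX = r'\A\w+\Z'

# Attribute used for storing original parameter value in special cases (e.g. POST)
UNENCODED_ORIGINAL_VALUE = 'original'

# Common column names containing usernames (used for hash cracking in some cases)
COMMON_USER_COLUMNS = ('user', 'username', 'user_name', 'benutzername', 'benutzer', 'utilisateur', 'usager', 'consommateur', 'utente', 'utilizzatore', 'usufrutuario', 'korisnik', 'usuario', 'consumidor')

# Default delimiter in GET/POST values
DEFAULT_GET_POST_DELIMITER = '&'

# Default delimiter in cookie values
DEFAULT_COOKIE_DELIMITER = ';'

# Unix timestamp used for forcing cookie expiration when provided with --load-cookies
FORCE_COOKIE_EXPIRATION_TIME = "9999999999"

# Skip unforced HashDB flush requests below the threshold number of cached items
HASHDB_FLUSH_THRESHOLD = 32

# Number of retries for unsuccessful HashDB flush attempts
HASHDB_FLUSH_RETRIES = 3

# Unique milestone value used for forced deprecation of old HashDB values (e.g. when changing hash/pickle mechanism)
HASHDB_MILESTONE_VALUE = "cAWxkLYCQT"  # r5129 "".join(random.sample(string.ascii_letters, 10))

# Warn user of possible delay due to large page dump in full UNION query injections
LARGE_OUTPUT_THRESHOLD = 1024 ** 2

# On huge tables there is a considerable slowdown if every row retrieval requires ORDER BY (most noticable in table dumping using ERROR injections)
SLOW_ORDER_COUNT_THRESHOLD = 10000

# Give up on hash recognition if nothing was found in first given number of rows
HASH_RECOGNITION_QUIT_THRESHOLD = 10000

# Maximum number of redirections to any single URL - this is needed because of the state that cookies introduce
MAX_SINGLE_URL_REDIRECTIONS = 4

# Maximum total number of redirections (regardless of URL) - before assuming we're in a loop
MAX_TOTAL_REDIRECTIONS = 10

# Reference: http://www.tcpipguide.com/free/t_DNSLabelsNamesandSyntaxRules.htm
MAX_DNS_LABEL = 63

# Alphabet used for prefix and suffix strings of name resolution requests in DNS technique (excluding hexadecimal chars for not mixing with inner content)
DNS_BOUNDARIES_ALPHABET = re.sub("[a-fA-F]", "", string.ascii_letters)

# Alphabet used for heuristic checks
HEURISTIC_CHECK_ALPHABET = ('"', '\'', ')', '(', '[', ']', ',', '.')

# Connection chunk size (processing large responses in chunks to avoid MemoryError crashes - e.g. large table dump in full UNION injections)
MAX_CONNECTION_CHUNK_SIZE = 10 * 1024 * 1024

# Maximum response total page size (trimmed if larger)
MAX_CONNECTION_TOTAL_SIZE = 100 * 1024 * 1024

# Maximum (multi-threaded) length of entry in bisection algorithm
MAX_BISECTION_LENGTH = 50 * 1024 * 1024

# Mark used for trimming unnecessary content in large chunks
LARGE_CHUNK_TRIM_MARKER = "__TRIMMED_CONTENT__"

# Generic SQL comment formation
GENERIC_SQL_COMMENT = "--"

# Threshold value for turning back on time auto-adjustment mechanism
VALID_TIME_CHARS_RUN_THRESHOLD = 100

# Check for empty columns only if table is sufficiently large
CHECK_ZERO_COLUMNS_THRESHOLD = 10

# Boldify all logger messages containing these "patterns"
BOLD_PATTERNS = ("' injectable", "might be injectable", "' is vulnerable", "is not injectable", "test failed", "test passed", "live test final result", "test shows that")

# Generic www root directory names
GENERIC_DOC_ROOT_DIRECTORY_NAMES = ("htdocs", "httpdocs", "public", "wwwroot", "www")

# Maximum length of a help part containing switch/option name(s)
MAX_HELP_OPTION_LENGTH = 18

# Maximum number of connection retries (to prevent problems with recursion)
MAX_CONNECT_RETRIES = 100

# Strings for detecting formatting errors
FORMAT_EXCEPTION_STRINGS = ("Type mismatch", "Error converting", "Failed to convert", "System.FormatException", "java.lang.NumberFormatException")

# Regular expression used for extracting ASP.NET view state values
VIEWSTATE_REGEX = r'(?i)(?P<name>__VIEWSTATE[^"]*)[^>]+value="(?P<result>[^"]+)'

# Regular expression used for extracting ASP.NET event validation values
EVENTVALIDATION_REGEX = r'(?i)(?P<name>__EVENTVALIDATION[^"]*)[^>]+value="(?P<result>[^"]+)'

# Number of rows to generate inside the full union test for limited output (mustn't be too large to prevent payload length problems)
LIMITED_ROWS_TEST_NUMBER = 15

# Format used for representing invalid unicode characters
INVALID_UNICODE_CHAR_FORMAT = r"\?%02x"

# Regular expression for SOAP-like POST data
SOAP_RECOGNITION_REGEX = r"(?s)\A(<\?xml[^>]+>)?\s*<([^> ]+)( [^>]+)?>.+</\2.*>\s*\Z"

# Regular expression used for detecting JSON-like POST data
JSON_RECOGNITION_REGEX = r'(?s)\A(\s*\[)*\s*\{.*"[^"]+"\s*:\s*("[^"]+"|\d+).*\}\s*(\]\s*)*\Z'

# Regular expression used for detecting multipart POST data
MULTIPART_RECOGNITION_REGEX = r"(?i)Content-Disposition:[^;]+;\s*name="

# Default POST data content-type
DEFAULT_CONTENT_TYPE = "application/x-www-form-urlencoded; charset=utf-8"

# Raw text POST data content-type
PLAIN_TEXT_CONTENT_TYPE = "text/plain; charset=utf-8"

# Length used while checking for existence of Suhosin-patch (like) protection mechanism
SUHOSIN_MAX_VALUE_LENGTH = 512

# Minimum size of an (binary) entry before it can be considered for dumping to disk
MIN_BINARY_DISK_DUMP_SIZE = 100

# Regular expression used for extracting form tags
FORM_SEARCH_REGEX = r"(?si)<form(?!.+<form).+?</form>"

# Minimum field entry length needed for encoded content (hex, base64,...) check
MIN_ENCODED_LEN_CHECK = 5

# Timeout in seconds in which Metasploit remote session has to be initialized
METASPLOIT_SESSION_TIMEOUT = 180

# Reference: http://www.cookiecentral.com/faq/#3.5
NETSCAPE_FORMAT_HEADER_COOKIES = "# Netscape HTTP Cookie File."

# Prefixes used in brute force search for web server document root
# (BRUTE_DOC_ROOT_TARGET_MARK below is the placeholder for the target name)
BRUTE_DOC_ROOT_PREFIXES = {
    OS.LINUX: ("/var/www", "/var/www/%TARGET%", "/var/www/vhosts/%TARGET%", "/var/www/virtual/%TARGET%", "/var/www/clients/vhosts/%TARGET%", "/var/www/clients/virtual/%TARGET%"),
    OS.WINDOWS: ("/xampp", "/Program Files/xampp/", "/wamp", "/Program Files/wampp/", "/Inetpub/wwwroot", "/Inetpub/wwwroot/%TARGET%", "/Inetpub/vhosts/%TARGET%"),
}

# Suffixes used in brute force search for web server document root
BRUTE_DOC_ROOT_SUFFIXES = ("", "html", "htdocs", "httpdocs", "php", "public", "src", "site", "build", "web", "sites/all", "www/build")

# String used for marking target name inside used brute force web server document root
BRUTE_DOC_ROOT_TARGET_MARK = "%TARGET%"

# Character used as a boundary in kb.chars (preferably less frequent letter)
KB_CHARS_BOUNDARY_CHAR = 'q'

# CSS style used in HTML dump format
HTML_DUMP_CSS_STYLE = """<style>
table{
    margin:10;
    background-color:#FFFFFF;
    font-family:verdana;
    font-size:12px;
    align:center;
}
thead{
    font-weight:bold;
    background-color:#4F81BD;
    color:#FFFFFF;
}
tr:nth-child(even) {
    background-color: #D3DFEE
}
td{
    font-size:10px;
}
th{
    font-size:10px;
}
</style>"""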