sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-02 20:54:13 +03:00
Code Issues Packages Projects Releases Wiki Activity

added Ctrl+C check in detection phase

Browse Source
This commit is contained in:
Miroslav Stampar 2010-12-18 10:42:09 +00:00
parent e355f92f22
commit 03220d34ba
1 changed files with 283 additions and 268 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

551
lib/controller/checks.py
View File

@ -77,335 +77,350 @@ def checkSqlInjection(place, parameter, value):
kb.testMode = True kb.testMode = True
for test in conf.tests: for test in conf.tests:
title = test.title try:
stype = test.stype title = test.title
clause = test.clause stype = test.stype
clause = test.clause
# Skip test if the user's wants to test only for a specific # Skip test if the user's wants to test only for a specific
# technique # technique
if conf.technique and isinstance(conf.technique, int) and stype != conf.technique: if conf.technique and isinstance(conf.technique, int) and stype != conf.technique:
debugMsg = "skipping test '%s' because the user " % title debugMsg = "skipping test '%s' because the user " % title
debugMsg += "specified to test only for " debugMsg += "specified to test only for "
debugMsg += "%s" % PAYLOAD.SQLINJECTION[conf.technique] debugMsg += "%s" % PAYLOAD.SQLINJECTION[conf.technique]
logger.debug(debugMsg)
continue
# Skip test if the risk is higher than the provided (or default)
# value
# Parse test's <risk>
if test.risk > conf.risk:
debugMsg = "skipping test '%s' because the risk " % title
debugMsg += "is higher than the provided"
logger.debug(debugMsg)
continue
# Skip test if the level is higher than the provided (or default)
# value
# Parse test's <level>
if test.level > conf.level:
debugMsg = "skipping test '%s' because the level " % title
debugMsg += "is higher than the provided"
logger.debug(debugMsg)
continue
# Skip DBMS-specific test if it does not match either the
# previously identified or the user's provided DBMS
if "details" in test and "dbms" in test.details:
dbms = test.details.dbms
else:
dbms = None
if dbms is not None:
if injection.dbms is not None and injection.dbms != dbms:
debugMsg = "skipping test '%s' because " % title
debugMsg += "the back-end DBMS identified is "
debugMsg += "%s" % injection.dbms
logger.debug(debugMsg) logger.debug(debugMsg)
continue continue
if conf.dbms is not None and conf.dbms.lower() != dbms.lower(): # Skip test if the risk is higher than the provided (or default)
debugMsg = "skipping test '%s' because " % title # value
debugMsg += "the provided DBMS is %s" % conf.dbms # Parse test's <risk>
if test.risk > conf.risk:
debugMsg = "skipping test '%s' because the risk " % title
debugMsg += "is higher than the provided"
logger.debug(debugMsg) logger.debug(debugMsg)
continue continue
# Skip test if it is the same SQL injection type already # Skip test if the level is higher than the provided (or default)
# identified by another test # value
if injection.data and stype in injection.data: # Parse test's <level>
debugMsg = "skipping test '%s' because " % title if test.level > conf.level:
debugMsg += "the payload for %s has " % PAYLOAD.SQLINJECTION[stype] debugMsg = "skipping test '%s' because the level " % title
debugMsg += "already been identified" debugMsg += "is higher than the provided"
logger.debug(debugMsg) logger.debug(debugMsg)
continue continue
# Skip test if it does not match the same SQL injection clause # Skip DBMS-specific test if it does not match either the
# already identified by another test # previously identified or the user's provided DBMS
clauseMatch = False if "details" in test and "dbms" in test.details:
dbms = test.details.dbms
for clauseTest in clause:
if injection.clause is not None and clauseTest in injection.clause:
clauseMatch = True
break
if clause != [ 0 ] and injection.clause and injection.clause != [ 0 ] and not clauseMatch:
debugMsg = "skipping test '%s' because the clauses " % title
debugMsg += "differs from the clause already identified"
logger.debug(debugMsg)
continue
infoMsg = "testing '%s'" % title
logger.info(infoMsg)
# Parse test's <request>
comment = agent.getComment(test.request)
fstPayload = agent.cleanupPayload(test.request.payload, value)
fstPayload = unescapeDbms(fstPayload, injection, dbms)
fstPayload = "%s%s" % (fstPayload, comment)
if stype != 4 and clause != [2, 3] and clause != [ 3 ]:
space = " "
else:
space = ""
if conf.prefix is not None and conf.suffix is not None:
# Create a custom boundary object for user's supplied prefix
# and suffix
boundary = advancedDict()
boundary.level = 1
boundary.clause = [ 0 ]
boundary.where = [ 1, 2, 3 ]
boundary.prefix = conf.prefix
boundary.suffix = conf.suffix
if " like" in boundary.suffix.lower():
if "'" in boundary.suffix.lower():
boundary.ptype = 3
elif '"' in boundary.suffix.lower():
boundary.ptype = 5
elif "'" in boundary.suffix:
boundary.ptype = 2
elif '"' in boundary.suffix:
boundary.ptype = 4
else: else:
boundary.ptype = 1 dbms = None
# Prepend user's provided boundaries to all others boundaries if dbms is not None:
conf.boundaries.insert(0, boundary) if injection.dbms is not None and injection.dbms != dbms:
debugMsg = "skipping test '%s' because " % title
debugMsg += "the back-end DBMS identified is "
debugMsg += "%s" % injection.dbms
logger.debug(debugMsg)
for boundary in conf.boundaries: continue
injectable = False
# Skip boundary if the level is higher than the provided (or if conf.dbms is not None and conf.dbms.lower() != dbms.lower():
# default) value debugMsg = "skipping test '%s' because " % title
# Parse boundary's <level> debugMsg += "the provided DBMS is %s" % conf.dbms
if boundary.level > conf.level: logger.debug(debugMsg)
# NOTE: shall we report every single skipped boundary too?
continue
# Skip test if it is the same SQL injection type already
# identified by another test
if injection.data and stype in injection.data:
debugMsg = "skipping test '%s' because " % title
debugMsg += "the payload for %s has " % PAYLOAD.SQLINJECTION[stype]
debugMsg += "already been identified"
logger.debug(debugMsg)
continue continue
# Skip boundary if it does not match against test's <clause> # Skip test if it does not match the same SQL injection clause
# Parse test's <clause> and boundary's <clause> # already identified by another test
clauseMatch = False clauseMatch = False
for clauseTest in test.clause: for clauseTest in clause:
if clauseTest in boundary.clause: if injection.clause is not None and clauseTest in injection.clause:
clauseMatch = True clauseMatch = True
break break
if test.clause != [ 0 ] and boundary.clause != [ 0 ] and not clauseMatch: if clause != [ 0 ] and injection.clause and injection.clause != [ 0 ] and not clauseMatch:
debugMsg = "skipping test '%s' because the clauses " % title
debugMsg += "differs from the clause already identified"
logger.debug(debugMsg)
continue continue
# Skip boundary if it does not match against test's <where> infoMsg = "testing '%s'" % title
# Parse test's <where> and boundary's <where> logger.info(infoMsg)
whereMatch = False
for where in test.where: # Parse test's <request>
if where in boundary.where: comment = agent.getComment(test.request)
whereMatch = True fstPayload = agent.cleanupPayload(test.request.payload, value)
break fstPayload = unescapeDbms(fstPayload, injection, dbms)
fstPayload = "%s%s" % (fstPayload, comment)
if not whereMatch: if stype != 4 and clause != [2, 3] and clause != [ 3 ]:
continue space = " "
else:
space = ""
# Parse boundary's <prefix>, <suffix> and <ptype> if conf.prefix is not None and conf.suffix is not None:
prefix = boundary.prefix if boundary.prefix else "" # Create a custom boundary object for user's supplied prefix
suffix = boundary.suffix if boundary.suffix else "" # and suffix
ptype = boundary.ptype boundary = advancedDict()
# If the previous injections succeeded, we know which prefix, boundary.level = 1
# suffix and parameter type to use for further tests, no boundary.clause = [ 0 ]
# need to cycle through the boundaries for the following tests boundary.where = [ 1, 2, 3 ]
condBound = (injection.prefix is not None and injection.suffix is not None) boundary.prefix = conf.prefix
condBound &= (injection.prefix != prefix or injection.suffix != suffix) boundary.suffix = conf.suffix
condType = injection.ptype is not None and injection.ptype != ptype
if condBound or condType: if " like" in boundary.suffix.lower():
continue if "'" in boundary.suffix.lower():
boundary.ptype = 3
elif '"' in boundary.suffix.lower():
boundary.ptype = 5
elif "'" in boundary.suffix:
boundary.ptype = 2
elif '"' in boundary.suffix:
boundary.ptype = 4
else:
boundary.ptype = 1
# For each test's <where> # Prepend user's provided boundaries to all others boundaries
for where in test.where: conf.boundaries.insert(0, boundary)
templatePayload = None
# Threat the parameter original value according to the for boundary in conf.boundaries:
# test's <where> tag injectable = False
if where == 1:
origValue = value
elif where == 2:
origValue = "-%s" % randomInt()
# Use different page template than the original one
# as we are changing parameters value, which will result
# most definitely with a different content
templatePayload = agent.payload(place, parameter, value, origValue)
elif where == 3:
origValue = ""
kb.pageTemplate = getPageTemplate(templatePayload, place) # Skip boundary if the level is higher than the provided (or
# default) value
# Parse boundary's <level>
if boundary.level > conf.level:
# NOTE: shall we report every single skipped boundary too?
continue
# Forge request payload by prepending with boundary's # Skip boundary if it does not match against test's <clause>
# prefix and appending the boundary's suffix to the # Parse test's <clause> and boundary's <clause>
# test's ' <payload><comment> ' string clauseMatch = False
boundPayload = "%s%s%s%s %s" % (origValue, prefix, space, fstPayload, suffix)
boundPayload = boundPayload.strip()
boundPayload = agent.cleanupPayload(boundPayload, value)
reqPayload = agent.payload(place, parameter, value, boundPayload)
# Perform the test's request and check whether or not the for clauseTest in test.clause:
# payload was successful if clauseTest in boundary.clause:
# Parse test's <response> clauseMatch = True
for method, check in test.response.items(): break
check = agent.cleanupPayload(check, value)
# In case of boolean-based blind SQL injection if test.clause != [ 0 ] and boundary.clause != [ 0 ] and not clauseMatch:
if method == PAYLOAD.METHOD.COMPARISON: continue
sndPayload = agent.cleanupPayload(test.response.comparison, value)
sndPayload = unescapeDbms(sndPayload, injection, dbms)
sndPayload = "%s%s" % (sndPayload, comment)
# Forge response payload by prepending with # Skip boundary if it does not match against test's <where>
# boundary's prefix and appending the boundary's # Parse test's <where> and boundary's <where>
# suffix to the test's ' <payload><comment> ' whereMatch = False
# string
boundPayload = "%s%s%s%s %s" % (origValue, prefix, space, sndPayload, suffix)
boundPayload = boundPayload.strip()
boundPayload = agent.cleanupPayload(boundPayload, value)
cmpPayload = agent.payload(place, parameter, value, boundPayload)
# Useful to set kb.matchRatio at first based on for where in test.where:
# the False response content if where in boundary.where:
kb.matchRatio = None whereMatch = True
_ = Request.queryPage(cmpPayload, place) break
# Perform the test's True request if not whereMatch:
trueResult = Request.queryPage(reqPayload, place) continue
if trueResult: # Parse boundary's <prefix>, <suffix> and <ptype>
falseResult = Request.queryPage(cmpPayload, place) prefix = boundary.prefix if boundary.prefix else ""
suffix = boundary.suffix if boundary.suffix else ""
ptype = boundary.ptype
# Perform the test's False request # If the previous injections succeeded, we know which prefix,
if not falseResult: # suffix and parameter type to use for further tests, no
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title) # need to cycle through the boundaries for the following tests
logger.info(infoMsg) condBound = (injection.prefix is not None and injection.suffix is not None)
condBound &= (injection.prefix != prefix or injection.suffix != suffix)
condType = injection.ptype is not None and injection.ptype != ptype
injectable = True if condBound or condType:
continue
# In case of error-based or UNION query SQL injections # For each test's <where>
elif method == PAYLOAD.METHOD.GREP: for where in test.where:
# Perform the test's request and grep the response templatePayload = None
# body for the test's <grep> regular expression
reqBody, _ = Request.queryPage(reqPayload, place, content=True)
output = extractRegexResult(check, reqBody, re.DOTALL | re.IGNORECASE)
if output: # Threat the parameter original value according to the
result = output.replace(kb.misc.space, " ") == "1" # test's <where> tag
if where == 1:
origValue = value
elif where == 2:
origValue = "-%s" % randomInt()
# Use different page template than the original one
# as we are changing parameters value, which will result
# most definitely with a different content
templatePayload = agent.payload(place, parameter, value, origValue)
elif where == 3:
origValue = ""
if result: kb.pageTemplate = getPageTemplate(templatePayload, place)
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
logger.info(infoMsg)
injectable = True # Forge request payload by prepending with boundary's
# prefix and appending the boundary's suffix to the
# test's ' <payload><comment> ' string
boundPayload = "%s%s%s%s %s" % (origValue, prefix, space, fstPayload, suffix)
boundPayload = boundPayload.strip()
boundPayload = agent.cleanupPayload(boundPayload, value)
reqPayload = agent.payload(place, parameter, value, boundPayload)
# In case of time-based blind or stacked queries # Perform the test's request and check whether or not the
# SQL injections # payload was successful
elif method == PAYLOAD.METHOD.TIME: # Parse test's <response>
# Store old value of socket timeout for method, check in test.response.items():
pushValue(socket.getdefaulttimeout()) check = agent.cleanupPayload(check, value)
# Set socket timeout to 2 minutes as some # In case of boolean-based blind SQL injection
# time based checks can take awhile if method == PAYLOAD.METHOD.COMPARISON:
socket.setdefaulttimeout(120) sndPayload = agent.cleanupPayload(test.response.comparison, value)
sndPayload = unescapeDbms(sndPayload, injection, dbms)
sndPayload = "%s%s" % (sndPayload, comment)
# Perform the test's request # Forge response payload by prepending with
trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True) # boundary's prefix and appending the boundary's
# suffix to the test's ' <payload><comment> '
# string
boundPayload = "%s%s%s%s %s" % (origValue, prefix, space, sndPayload, suffix)
boundPayload = boundPayload.strip()
boundPayload = agent.cleanupPayload(boundPayload, value)
cmpPayload = agent.payload(place, parameter, value, boundPayload)
if trueResult: # Useful to set kb.matchRatio at first based on
# Confirm test's results # the False response content
kb.matchRatio = None
_ = Request.queryPage(cmpPayload, place)
# Perform the test's True request
trueResult = Request.queryPage(reqPayload, place)
if trueResult:
falseResult = Request.queryPage(cmpPayload, place)
# Perform the test's False request
if not falseResult:
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
logger.info(infoMsg)
injectable = True
# In case of error-based or UNION query SQL injections
elif method == PAYLOAD.METHOD.GREP:
# Perform the test's request and grep the response
# body for the test's <grep> regular expression
reqBody, _ = Request.queryPage(reqPayload, place, content=True)
output = extractRegexResult(check, reqBody, re.DOTALL | re.IGNORECASE)
if output:
result = output.replace(kb.misc.space, " ") == "1"
if result:
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
logger.info(infoMsg)
injectable = True
# In case of time-based blind or stacked queries
# SQL injections
elif method == PAYLOAD.METHOD.TIME:
# Store old value of socket timeout
pushValue(socket.getdefaulttimeout())
# Set socket timeout to 2 minutes as some
# time based checks can take awhile
socket.setdefaulttimeout(120)
# Perform the test's request
trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True) trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True)
if trueResult: if trueResult:
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title) # Confirm test's results
logger.info(infoMsg) trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True)
injectable = True if trueResult:
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
logger.info(infoMsg)
# Restore value of socket timeout injectable = True
socket.setdefaulttimeout(popValue())
# If the injection test was successful feed the injection # Restore value of socket timeout
# object with the test's details socket.setdefaulttimeout(popValue())
if injectable is True:
# Feed with the boundaries details only the first time a # If the injection test was successful feed the injection
# test has been successful # object with the test's details
if injection.place is None or injection.parameter is None: if injectable is True:
if place == PLACE.UA: # Feed with the boundaries details only the first time a
injection.parameter = conf.agent # test has been successful
if injection.place is None or injection.parameter is None:
if place == PLACE.UA:
injection.parameter = conf.agent
else:
injection.parameter = parameter
injection.place = place
injection.ptype = ptype
injection.prefix = prefix
injection.suffix = suffix
injection.clause = clause
if "vector" in test and test.vector is not None:
vector = "%s%s" % (test.vector, comment)
else: else:
injection.parameter = parameter vector = None
injection.place = place # Feed with test details every time a test is successful
injection.ptype = ptype injection.data[stype] = advancedDict()
injection.prefix = prefix injection.data[stype].title = title
injection.suffix = suffix injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload, False)
injection.clause = clause injection.data[stype].where = where
injection.data[stype].vector = vector
injection.data[stype].comment = comment
injection.data[stype].matchRatio = kb.matchRatio
injection.data[stype].templatePayload = templatePayload
if "vector" in test and test.vector is not None: if hasattr(test, "details"):
vector = "%s%s" % (test.vector, comment) for detailKey, detailValue in test.details.items():
else: if detailKey == "dbms" and injection.dbms is None:
vector = None injection.dbms = detailValue
kb.dbms = detailValue
elif detailKey == "dbms_version" and injection.dbms_version is None:
injection.dbms_version = detailValue
kb.dbmsVersion = [ detailValue ]
elif detailKey == "os" and injection.os is None:
injection.os = detailValue
# Feed with test details every time a test is successful if conf.beep:
injection.data[stype] = advancedDict() beep()
injection.data[stype].title = title
injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload, False)
injection.data[stype].where = where
injection.data[stype].vector = vector
injection.data[stype].comment = comment
injection.data[stype].matchRatio = kb.matchRatio
injection.data[stype].templatePayload = templatePayload
if hasattr(test, "details"): # There is no need to perform this test for other
for detailKey, detailValue in test.details.items(): # <where> tags
if detailKey == "dbms" and injection.dbms is None: break
injection.dbms = detailValue
kb.dbms = detailValue
elif detailKey == "dbms_version" and injection.dbms_version is None:
injection.dbms_version = detailValue
kb.dbmsVersion = [ detailValue ]
elif detailKey == "os" and injection.os is None:
injection.os = detailValue
if conf.beep: if injectable is True:
beep() # There is no need to perform this test with others
# boundaries
# There is no need to perform this test for other
# <where> tags
break break
if injectable is True: except KeyboardInterrupt:
# There is no need to perform this test with others warnMsg = "Ctrl+C detected in detection mode"
# boundaries logger.warn(warnMsg)
message = "What do you want to do? [(S)kip current/(a)bort detection/(q)uit]"
test = readInput(message, default="S")
if not test or test[0] in ("s", "S"):
pass
elif test[0] in ("a", "A"):
break break
elif test[0] in ("q", "Q"):
raise sqlmapUserQuitException
# Flush the flag # Flush the flag
kb.testMode = False kb.testMode = False