mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-12-01 14:03:52 +03:00
Minor update
This commit is contained in:
parent
ad01aa7449
commit
130bcd4b9b
|
@ -7,13 +7,11 @@ See the file 'LICENSE' for copying permission
|
||||||
|
|
||||||
import copy
|
import copy
|
||||||
import logging
|
import logging
|
||||||
import os
|
|
||||||
import random
|
import random
|
||||||
import re
|
import re
|
||||||
import socket
|
import socket
|
||||||
import subprocess
|
import subprocess
|
||||||
import sys
|
import sys
|
||||||
import tempfile
|
|
||||||
import time
|
import time
|
||||||
|
|
||||||
from extra.beep.beep import beep
|
from extra.beep.beep import beep
|
||||||
|
@ -33,7 +31,6 @@ from lib.core.common import hashDBRetrieve
|
||||||
from lib.core.common import hashDBWrite
|
from lib.core.common import hashDBWrite
|
||||||
from lib.core.common import intersect
|
from lib.core.common import intersect
|
||||||
from lib.core.common import listToStrValue
|
from lib.core.common import listToStrValue
|
||||||
from lib.core.common import openFile
|
|
||||||
from lib.core.common import parseFilePaths
|
from lib.core.common import parseFilePaths
|
||||||
from lib.core.common import popValue
|
from lib.core.common import popValue
|
||||||
from lib.core.common import pushValue
|
from lib.core.common import pushValue
|
||||||
|
@ -44,18 +41,15 @@ from lib.core.common import showStaticWords
|
||||||
from lib.core.common import singleTimeLogMessage
|
from lib.core.common import singleTimeLogMessage
|
||||||
from lib.core.common import singleTimeWarnMessage
|
from lib.core.common import singleTimeWarnMessage
|
||||||
from lib.core.common import unArrayizeValue
|
from lib.core.common import unArrayizeValue
|
||||||
from lib.core.common import urlencode
|
|
||||||
from lib.core.common import wasLastResponseDBMSError
|
from lib.core.common import wasLastResponseDBMSError
|
||||||
from lib.core.common import wasLastResponseHTTPError
|
from lib.core.common import wasLastResponseHTTPError
|
||||||
from lib.core.compat import xrange
|
from lib.core.compat import xrange
|
||||||
from lib.core.convert import getUnicode
|
from lib.core.convert import getUnicode
|
||||||
from lib.core.defaults import defaults
|
|
||||||
from lib.core.data import conf
|
from lib.core.data import conf
|
||||||
from lib.core.data import kb
|
from lib.core.data import kb
|
||||||
from lib.core.data import logger
|
from lib.core.data import logger
|
||||||
from lib.core.datatype import AttribDict
|
from lib.core.datatype import AttribDict
|
||||||
from lib.core.datatype import InjectionDict
|
from lib.core.datatype import InjectionDict
|
||||||
from lib.core.decorators import cachedmethod
|
|
||||||
from lib.core.decorators import stackedmethod
|
from lib.core.decorators import stackedmethod
|
||||||
from lib.core.dicts import FROM_DUMMY_TABLE
|
from lib.core.dicts import FROM_DUMMY_TABLE
|
||||||
from lib.core.enums import DBMS
|
from lib.core.enums import DBMS
|
||||||
|
@ -63,7 +57,6 @@ from lib.core.enums import HASHDB_KEYS
|
||||||
from lib.core.enums import HEURISTIC_TEST
|
from lib.core.enums import HEURISTIC_TEST
|
||||||
from lib.core.enums import HTTP_HEADER
|
from lib.core.enums import HTTP_HEADER
|
||||||
from lib.core.enums import HTTPMETHOD
|
from lib.core.enums import HTTPMETHOD
|
||||||
from lib.core.enums import MKSTEMP_PREFIX
|
|
||||||
from lib.core.enums import NOTE
|
from lib.core.enums import NOTE
|
||||||
from lib.core.enums import NULLCONNECTION
|
from lib.core.enums import NULLCONNECTION
|
||||||
from lib.core.enums import PAYLOAD
|
from lib.core.enums import PAYLOAD
|
||||||
|
@ -81,7 +74,6 @@ from lib.core.settings import CANDIDATE_SENTENCE_MIN_LENGTH
|
||||||
from lib.core.settings import CHECK_INTERNET_ADDRESS
|
from lib.core.settings import CHECK_INTERNET_ADDRESS
|
||||||
from lib.core.settings import CHECK_INTERNET_VALUE
|
from lib.core.settings import CHECK_INTERNET_VALUE
|
||||||
from lib.core.settings import DEFAULT_GET_POST_DELIMITER
|
from lib.core.settings import DEFAULT_GET_POST_DELIMITER
|
||||||
from lib.core.settings import DEV_EMAIL_ADDRESS
|
|
||||||
from lib.core.settings import DUMMY_NON_SQLI_CHECK_APPENDIX
|
from lib.core.settings import DUMMY_NON_SQLI_CHECK_APPENDIX
|
||||||
from lib.core.settings import FI_ERROR_REGEX
|
from lib.core.settings import FI_ERROR_REGEX
|
||||||
from lib.core.settings import FORMAT_EXCEPTION_STRINGS
|
from lib.core.settings import FORMAT_EXCEPTION_STRINGS
|
||||||
|
@ -1387,6 +1379,7 @@ def checkWaf():
|
||||||
pushValue(kb.resendPostOnRedirect)
|
pushValue(kb.resendPostOnRedirect)
|
||||||
pushValue(conf.timeout)
|
pushValue(conf.timeout)
|
||||||
|
|
||||||
|
kb.identYwaf = True
|
||||||
kb.redirectChoice = REDIRECTION.YES
|
kb.redirectChoice = REDIRECTION.YES
|
||||||
kb.resendPostOnRedirect = False
|
kb.resendPostOnRedirect = False
|
||||||
conf.timeout = IDS_WAF_CHECK_TIMEOUT
|
conf.timeout = IDS_WAF_CHECK_TIMEOUT
|
||||||
|
@ -1396,12 +1389,15 @@ def checkWaf():
|
||||||
except SqlmapConnectionException:
|
except SqlmapConnectionException:
|
||||||
retVal = True
|
retVal = True
|
||||||
finally:
|
finally:
|
||||||
|
kb.identYwaf = False
|
||||||
kb.matchRatio = None
|
kb.matchRatio = None
|
||||||
|
|
||||||
conf.timeout = popValue()
|
conf.timeout = popValue()
|
||||||
kb.resendPostOnRedirect = popValue()
|
kb.resendPostOnRedirect = popValue()
|
||||||
kb.redirectChoice = popValue()
|
kb.redirectChoice = popValue()
|
||||||
|
|
||||||
|
hashDBWrite(HASHDB_KEYS.CHECK_WAF_RESULT, retVal, True)
|
||||||
|
|
||||||
if retVal:
|
if retVal:
|
||||||
if not kb.identifiedWafs:
|
if not kb.identifiedWafs:
|
||||||
warnMsg = "heuristics detected that the target "
|
warnMsg = "heuristics detected that the target "
|
||||||
|
@ -1409,17 +1405,15 @@ def checkWaf():
|
||||||
logger.critical(warnMsg)
|
logger.critical(warnMsg)
|
||||||
|
|
||||||
message = "are you sure that you want to "
|
message = "are you sure that you want to "
|
||||||
message += "continue with further target testing? [y/N] "
|
message += "continue with further target testing? [Y/n] "
|
||||||
choice = readInput(message, default='N', boolean=True)
|
choice = readInput(message, default='Y', boolean=True)
|
||||||
|
|
||||||
if not conf.tamper:
|
|
||||||
warnMsg = "please consider usage of tamper scripts (option '--tamper')"
|
|
||||||
singleTimeWarnMessage(warnMsg)
|
|
||||||
|
|
||||||
if not choice:
|
if not choice:
|
||||||
raise SqlmapUserQuitException
|
raise SqlmapUserQuitException
|
||||||
|
else:
|
||||||
hashDBWrite(HASHDB_KEYS.CHECK_WAF_RESULT, retVal, True)
|
if not conf.tamper:
|
||||||
|
warnMsg = "please consider usage of tamper scripts (option '--tamper')"
|
||||||
|
singleTimeWarnMessage(warnMsg)
|
||||||
|
|
||||||
return retVal
|
return retVal
|
||||||
|
|
||||||
|
|
|
@ -68,7 +68,7 @@ from lib.core.decorators import cachedmethod
|
||||||
from lib.core.defaults import defaults
|
from lib.core.defaults import defaults
|
||||||
from lib.core.dicts import DBMS_DICT
|
from lib.core.dicts import DBMS_DICT
|
||||||
from lib.core.dicts import DEFAULT_DOC_ROOTS
|
from lib.core.dicts import DEFAULT_DOC_ROOTS
|
||||||
from lib.core.dicts import DEPRECATED_OPTIONS
|
from lib.core.dicts import OLD_OPTIONS
|
||||||
from lib.core.dicts import SQL_STATEMENTS
|
from lib.core.dicts import SQL_STATEMENTS
|
||||||
from lib.core.enums import ADJUST_TIME_DELAY
|
from lib.core.enums import ADJUST_TIME_DELAY
|
||||||
from lib.core.enums import CONTENT_STATUS
|
from lib.core.enums import CONTENT_STATUS
|
||||||
|
@ -4457,17 +4457,19 @@ def getHostHeader(url):
|
||||||
|
|
||||||
return retVal
|
return retVal
|
||||||
|
|
||||||
def checkDeprecatedOptions(args):
|
def checkOldOptions(args):
|
||||||
"""
|
"""
|
||||||
Checks for deprecated options
|
Checks for deprecated/obsolete options
|
||||||
"""
|
"""
|
||||||
|
|
||||||
for _ in args:
|
for _ in args:
|
||||||
_ = _.split('=')[0].strip()
|
_ = _.split('=')[0].strip()
|
||||||
if _ in DEPRECATED_OPTIONS:
|
if _ in OLD_OPTIONS:
|
||||||
|
if OLD_OPTIONS[_]:
|
||||||
errMsg = "switch/option '%s' is deprecated" % _
|
errMsg = "switch/option '%s' is deprecated" % _
|
||||||
if DEPRECATED_OPTIONS[_]:
|
errMsg += " (hint: %s)" % OLD_OPTIONS[_]
|
||||||
errMsg += " (hint: %s)" % DEPRECATED_OPTIONS[_]
|
else:
|
||||||
|
errMsg = "switch/option '%s' is obsolete" % _
|
||||||
raise SqlmapSyntaxException(errMsg)
|
raise SqlmapSyntaxException(errMsg)
|
||||||
|
|
||||||
def checkSystemEncoding():
|
def checkSystemEncoding():
|
||||||
|
|
|
@ -280,7 +280,7 @@ POST_HINT_CONTENT_TYPES = {
|
||||||
POST_HINT.ARRAY_LIKE: "application/x-www-form-urlencoded; charset=utf-8",
|
POST_HINT.ARRAY_LIKE: "application/x-www-form-urlencoded; charset=utf-8",
|
||||||
}
|
}
|
||||||
|
|
||||||
DEPRECATED_OPTIONS = {
|
OLD_OPTIONS = {
|
||||||
"--replicate": "use '--dump-format=SQLITE' instead",
|
"--replicate": "use '--dump-format=SQLITE' instead",
|
||||||
"--no-unescape": "use '--no-escape' instead",
|
"--no-unescape": "use '--no-escape' instead",
|
||||||
"--binary": "use '--binary-fields' instead",
|
"--binary": "use '--binary-fields' instead",
|
||||||
|
|
|
@ -1886,6 +1886,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
|
||||||
kb.hintValue = None
|
kb.hintValue = None
|
||||||
kb.htmlFp = []
|
kb.htmlFp = []
|
||||||
kb.httpErrorCodes = {}
|
kb.httpErrorCodes = {}
|
||||||
|
kb.identYwaf = False
|
||||||
kb.inferenceMode = False
|
kb.inferenceMode = False
|
||||||
kb.ignoreCasted = None
|
kb.ignoreCasted = None
|
||||||
kb.ignoreNotFound = False
|
kb.ignoreNotFound = False
|
||||||
|
|
|
@ -18,7 +18,7 @@ from lib.core.enums import OS
|
||||||
from thirdparty.six import unichr as _unichr
|
from thirdparty.six import unichr as _unichr
|
||||||
|
|
||||||
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
|
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
|
||||||
VERSION = "1.3.5.132"
|
VERSION = "1.3.5.133"
|
||||||
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
|
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
|
||||||
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
|
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
|
||||||
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
|
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
|
||||||
|
|
|
@ -71,7 +71,7 @@ def vulnTest():
|
||||||
thread.start()
|
thread.start()
|
||||||
|
|
||||||
for options, checks in (
|
for options, checks in (
|
||||||
("--flush-session --identify-waf", ("CloudFlare",)),
|
("--flush-session", ("CloudFlare",)),
|
||||||
("--flush-session --parse-errors --eval=\"id2=2\" --referer=\"localhost\" --cookie=\"PHPSESSID=d41d8cd98f00b204e9800998ecf8427e\"", (": syntax error", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", "back-end DBMS: SQLite", "3 columns")),
|
("--flush-session --parse-errors --eval=\"id2=2\" --referer=\"localhost\" --cookie=\"PHPSESSID=d41d8cd98f00b204e9800998ecf8427e\"", (": syntax error", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", "back-end DBMS: SQLite", "3 columns")),
|
||||||
("--banner --schema --dump -T users --binary-fields=surname --where \"id>3\"", ("banner: '3", "INTEGER", "TEXT", "id", "name", "surname", "2 entries", "6E616D6569736E756C6C")),
|
("--banner --schema --dump -T users --binary-fields=surname --where \"id>3\"", ("banner: '3", "INTEGER", "TEXT", "id", "name", "surname", "2 entries", "6E616D6569736E756C6C")),
|
||||||
("--all --tamper=between,randomcase", ("5 entries", "luther", "blisset", "fluffy", "179ad45c6ce2cb97cf1029e212046e81", "NULL", "nameisnull", "testpass")),
|
("--all --tamper=between,randomcase", ("5 entries", "luther", "blisset", "fluffy", "179ad45c6ce2cb97cf1029e212046e81", "NULL", "nameisnull", "testpass")),
|
||||||
|
|
|
@ -5,7 +5,6 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||||
See the file 'LICENSE' for copying permission
|
See the file 'LICENSE' for copying permission
|
||||||
"""
|
"""
|
||||||
|
|
||||||
import os
|
|
||||||
import zipfile
|
import zipfile
|
||||||
|
|
||||||
from lib.core.common import getSafeExString
|
from lib.core.common import getSafeExString
|
||||||
|
|
|
@ -17,7 +17,7 @@ from optparse import OptionGroup
|
||||||
from optparse import OptionParser
|
from optparse import OptionParser
|
||||||
from optparse import SUPPRESS_HELP
|
from optparse import SUPPRESS_HELP
|
||||||
|
|
||||||
from lib.core.common import checkDeprecatedOptions
|
from lib.core.common import checkOldOptions
|
||||||
from lib.core.common import checkSystemEncoding
|
from lib.core.common import checkSystemEncoding
|
||||||
from lib.core.common import dataToStdout
|
from lib.core.common import dataToStdout
|
||||||
from lib.core.common import expandMnemonics
|
from lib.core.common import expandMnemonics
|
||||||
|
@ -789,7 +789,7 @@ def cmdLineParser(argv=None):
|
||||||
_.append(getUnicode(arg, encoding=sys.stdin.encoding))
|
_.append(getUnicode(arg, encoding=sys.stdin.encoding))
|
||||||
|
|
||||||
argv = _
|
argv = _
|
||||||
checkDeprecatedOptions(argv)
|
checkOldOptions(argv)
|
||||||
|
|
||||||
prompt = "--sqlmap-shell" in argv
|
prompt = "--sqlmap-shell" in argv
|
||||||
|
|
||||||
|
|
|
@ -387,6 +387,7 @@ def processResponse(page, responseHeaders, code=None, status=None):
|
||||||
|
|
||||||
rawResponse = "%s %s %s\n%s\n%s" % (_http_client.HTTPConnection._http_vsn_str, code or "", status or "", "".join(responseHeaders.headers), page)
|
rawResponse = "%s %s %s\n%s\n%s" % (_http_client.HTTPConnection._http_vsn_str, code or "", status or "", "".join(responseHeaders.headers), page)
|
||||||
|
|
||||||
|
if kb.identYwaf:
|
||||||
identYwaf.non_blind.clear()
|
identYwaf.non_blind.clear()
|
||||||
if identYwaf.non_blind_check(rawResponse, silent=True):
|
if identYwaf.non_blind_check(rawResponse, silent=True):
|
||||||
for waf in identYwaf.non_blind:
|
for waf in identYwaf.non_blind:
|
||||||
|
|
Loading…
Reference in New Issue
Block a user