major refactoring

This commit is contained in:
Miroslav Stampar 2010-10-07 12:12:26 +00:00
parent 1bf8939e2f
commit 1e9ae40397
7 changed files with 646 additions and 61 deletions

extra/xmlobject/ Executable file
View File

@ -0,0 +1,19 @@
#!/usr/bin/env python
# Copyright 2007-2008 David McNab
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published
# by the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with this program. If not, see <>.

View File

@ -0,0 +1,534 @@
Allows XML files to be operated on like Python objects.
- load XML source from file pathnames, readable file objects or raw strings
- add, get and set tag attributes like with python attributes
- iterate over nodes
- save the modified XMLFile or XMLObject to file
Example XML file::
<?xml version="1.0" encoding="UTF-8"?>
<person name="John Smith" age="42">
<!-- John Smith has an appeal in process against his last conviction -->
<crime name="Armed robbery" date="March 11, 1994"/>
<crime name="Aggravated burglary" date="June 9, 2001"/>
<person name="Mary Jones" age="33">
<crime name="Prostitution" date="January 8, 1997"/>
<crime name="Selling heroin" date="September 4, 2002"/>
<crime name="Manslaughter" date="December 21, 2004"/>
Example usage::
>>> from xmlobject import XMLFile
>>> x = XMLFile(path="sample.xml)
>>> print x
<xmlobj.XMLFile instance at 0xb7ccc52c>
>>> print x.root
<XMLNode: rapsheets>
>>> print x.root._children
[<XMLNode: text>, <XMLNode: person>, <XMLNode: text>,
<XMLNode: person>, <XMLNode: text>]
>>> print x.root.person
[<XMLNode: person>, <XMLNode: person>]
>>> print x.root.person[0].name
John Smith
>>> john = x.root.person[0]
>>> john.height = 184
>>> c = john._addNode("crime")
>>> = "Grand Theft Auto"
>>> = "4 May, 2005"
>>> print x.toxml()
<?xml version="1.0" ?>
<person age="42" height="184" name="John Smith">
<!-- John Smith has an appeal in process against his last conviction -->
<crime date="March 11, 1994" name="Armed robbery"/>
<crime date="June 9, 2001" name="Aggravated burglary"/>
<crime date="4 May, 2005" name="Grand Theft Auto"/></person>
<person age="33" name="Mary Jones">
<crime date="January 8, 1997" name="Prostitution"/>
<crime date="September 4, 2002" name="Selling heroin"/>
<crime date="December 21, 2004" name="Manslaughter"/>
import sys, os
import xml.dom
import xml.dom.minidom
from xml.dom.minidom import parse, parseString, getDOMImplementation
impl = getDOMImplementation()
class MissingRootTag(Exception):
"""root tag name was not given"""
class InvalidXML(Exception):
"""failed to parse XML input"""
class CannotSave(Exception):
"""unable to save"""
class InvalidNode(Exception):
"""not a valid minidom node"""
class XMLFile:
Allows an xml file to be viewed and operated on
as a python object.
(If you're viewing the epydoc-generated HTML documentation, click the 'show private'
link at the top right of this page to see all the methods)
Holds the root node in the .root attribute, also in an attribute
with the same name as this root node.
def __init__(self, **kw):
Create an XMLFile
- path - a pathname from which the file can be read
- file - an open file object from which the raw xml
can be read
- raw - the raw xml itself
- root - name of root tag, if not reading content
Usage scenarios:
1. Working with existing content - you must supply input in
one of the following ways:
- 'path' must be an existing file, or
- 'file' must be a readable file object, or
- 'raw' must contain raw xml as a string
2. Creating whole new content - you must give the name
of the root tag in the 'root' keyword
- Keyword precedence governing existing content is:
1. path (if existing file)
2. file
3. raw
- If working with existing content:
- if the 'root' is given, then the content's toplevel tag
MUST match the value given for 'root'
- trying to _save will raise an exception unless 'path'
has been given
- if not working with existing content:
- 'root' must be given
- _save() will raise an exception unless 'path' has been given
path = kw.get("path", None)
fobj = kw.get("file", None)
raw = kw.get("raw", None)
root = kw.get("root", None)
if path:
self.path = path
fobj = file(path)
except IOError:
self.path = None
if fobj:
raw =
if raw:
self.dom = xml.dom.minidom.parseString(raw)
# could not source content, so create a blank slate
if not root:
# in which case, must give a root node name
raise MissingRootTag(
"No existing content, so must specify root")
# ok, create a blank dom
self.dom = impl.createDocument(None, root, None)
# get the root node, save it as attributes 'root' and name of node
rootnode = self.dom.documentElement
# now validate root tag
if root:
if rootnode.nodeName != root:
raise IncorrectRootTag("Gave root='%s', input has root='%s'" % (
root, rootnode.nodeName))
# need this for recursion in XMLNode
self._childrenByName = {}
self._children = []
# add all the child nodes
for child in self.dom.childNodes:
childnode = XMLNode(self, child)
#print "compare %s to %s" % (rootnode, child)
if child == rootnode:
#print "found root"
self.root = childnode
setattr(self, rootnode.nodeName, self.root)
def save(self, where=None, obj=None):
Saves the document.
If argument 'where' is given, saves to it, otherwise
tries to save to the original given 'path' (or barfs)
Value can be a string (taken to be a file path), or an open
file object.
obj = obj or self.dom
if not where:
if self._root.path:
where = self._root.path
if isinstance(where, str):
where = file(where, "w")
if not where:
raise CannotSave("No save destination, and no original path")
def saveAs(self, path):
save this time, and all subsequent times, to filename 'path'
self.path = path
def toxml(self):
return self.dom.toxml()
def __len__(self):
returns number of child nodes
return len(self._children)
def __getitem__(self, idx):
if isinstance(idx, int):
return self._children[idx]
return self._childrenByName[idx]
class XMLNode:
This is the workhorse for the xml object interface
(If you're viewing the epydoc-generated HTML documentation, click the 'show private'
link at the top right of this page to see all the methods)
def __init__(self, parent, node):
You shouldn't need to instantiate this directly
self._parent = parent
if isinstance(parent, XMLFile):
self._root = parent
self._root = parent._root
self._node = node
self._childrenByName = {}
self._children = []
# add ourself to parent's children registry
# the deal with named subtags is that we store the first instance
# as itself, and with second and subsequent instances, we make a list
parentDict = self._parent._childrenByName
nodeName = node.nodeName
if not parentDict.has_key(nodeName):
parentDict[nodeName] = parent.__dict__[nodeName] = self
if isinstance(parentDict[nodeName], XMLNode):
# this is the second child node of a given tag name, so convert
# the instance to a list
parentDict[nodeName] = parent.__dict__[nodeName] = [parentDict[nodeName]]
# figure out our type
self._value = None
if isinstance(node, xml.dom.minidom.Text):
self._type = "text"
self._value = node.nodeValue
elif isinstance(node, xml.dom.minidom.Element):
self._type = "node"
elif isinstance(node, xml.dom.minidom.Comment):
self._type = "comment"
self._value = node.nodeValue
raise InvalidNode("node class %s" % node.__class__)
# and wrap all the child nodes
for child in node.childNodes:
XMLNode(self, child)
def _render(self):
Produces well-formed XML of this node's contents,
indented as required
return self._node.toxml()
def __repr__(self):
if self._type == "node":
return "<XMLNode: %s>" % self._node.nodeName
return "<XMLNode: %s>" % self._type
def __getattr__(self, attr):
Fetches an attribute or child node of this tag
If it's an attribute, then returns the attribute value as a string.
If a child node, then:
- if there is only one child node of that name, return it
- if there is more than one child node of that name, return a list
of child nodes of that tag name
Supports some magic attributes:
- _text - the value of the first child node of type text
#print "%s: __getattr__: attr=%s" % (self, attr)
if attr == '_text':
# magic attribute to return text
tnode = self['#text']
if isinstance(tnode, list):
tnode = tnode[0]
return tnode._value
if self._type in ['text', 'comment']:
if attr == '_value':
return self._node.nodeValue
raise AttributeError(attr)
if self._node.hasAttribute(attr):
return self._node.getAttribute(attr)
elif self._childrenByName.has_key(attr):
return self._childrenByName[attr]
#elif attr == 'value':
# magic attribute
raise AttributeError(attr)
def __setattr__(self, attr, val):
Change the value of an attribute of this tag
The magic attribute '_text' can be used to set the first child
text node's value
For example::
>>> somenode
<XMLNODE: somenode>
>>> somenode.child
<XMLNODE: child>
>>> somenode.child._text
>>> somenode._toxml()
>>> somenode.child._text = 'bar'
>>> somenode.child._text
>>> somenode.child._toxml()
if attr.startswith("_"):
# magic attribute for setting _text
if attr == '_text':
tnode = self['#text']
if isinstance(tnode, list):
tnode = tnode[0]
tnode._node.nodeValue = val
tnode._value = val
self.__dict__[attr] = val
elif self._type in ['text', 'comment']:
self._node.nodeValue = val
# discern between attribute and child node
if self._childrenByName.has_key(attr):
raise Exception("Attribute Exists")
self._node.setAttribute(attr, str(val))
def _keys(self):
Return a list of attribute names
return self._node.attributes.keys()
def _values(self):
Returns a list of (attrname, attrval) tuples for this tag
return [self._node.getAttribute(k) for k in self._node.attributes.keys()]
def _items(self):
returns a list of attribute values for this tag
return [(k, self._node.getAttribute(k)) for k in self._node.attributes.keys()]
def _has_key(self, k):
returns True if this tag has an attribute of the given name
return self._node.hasAttribute(k) or self._childrenByName.has_key(k)
def _get(self, k, default=None):
returns the value of attribute k, or default if no such attribute
if self._has_key(k):
return getattr(self, k)
return default
def __len__(self):
returns number of child nodes
return len(self._children)
def __getitem__(self, idx):
if given key is numeric, return the nth child, otherwise
try to return the child tag (or list of child tags) having
the key as the tag name
#print "__getitem__: idx=%s" % str(idx)
if isinstance(idx, slice) or isinstance(idx, int):
return self._children[idx]
elif isinstance(idx, str):
return self._childrenByName[idx]
raise IndexError(idx)
def _addNode(self, child):
Tries to append a child node to the tree, and returns it
Value of 'child' must be one of:
- a string (in which case it is taken to be the name
of the new node's tag)
- a dom object, in which case it will be wrapped and added
- an XMLNode object, in which case it will be added without
if isinstance(child, XMLNode):
# add it to our children registry
parentDict = self._childrenByName
nodeName = child._node.nodeName
if not parentDict.has_key(nodeName):
parentDict[nodeName] = parent.__dict__[nodeName] = child
if isinstance(parentDict[nodeName], XMLNode):
# this is the second child node of a given tag name, so convert
# the instance to a list
parentDict[nodeName] = self.__dict__[nodeName] = [parentDict[nodeName]]
# and stick it in the dom
return child
elif isinstance(child, str):
childNode = self._root.dom.createElement(child)
elif isinstance(child, xml.dom.minidom.Element):
childNode = child
child = childNode.nodeName
return XMLNode(self, childNode)
def _addText(self, value):
Tries to append a child text node, with the given text, to the tree,
and returns the created node object
childNode = self._root.dom.createTextNode(value)
return XMLNode(self, childNode)
def _addComment(self, comment):
Tries to append a child comment node (with the given text value)
to the tree, and returns the create node object
childNode = self._root.dom.createCommentNode(comment)
return XMLNode(self, childNode)
def _save(self, where=None):
Generates well-formed XML from just this node, and saves it
to a file.
Argument 'where' is either an open file object, or a pathname
If 'where' is not given, then saves the entire document tree.
if not where:
else:, self._node)
def _toxml(self):
renders just this node out to raw xml code
return self._node.toxml()

View File

@ -31,7 +31,6 @@ from lib.core.common import getUnicode
from lib.core.common import preparePageForLineComparison from lib.core.common import preparePageForLineComparison
from lib.core.common import randomInt from lib.core.common import randomInt
from lib.core.common import randomStr from lib.core.common import randomStr
from lib.core.common import readXmlFile
from lib.core.common import DynamicContentItem from lib.core.common import DynamicContentItem
from lib.core.convert import md5hash from lib.core.convert import md5hash
from import conf from import conf
@ -67,41 +66,30 @@ def checkSqlInjection(place, parameter, value, parenthesis):
if conf.postfix: if conf.postfix:
postfix = conf.postfix postfix = conf.postfix
injections = readXmlFile(paths.INJECTIONS_XML) for case in
positive = case.test.positive
negative = case.test.negative
for case in injections.getElementsByTagName("case"): if not prefix and not postfix and == "custom":
tag = case.getAttribute("tag")
desc = case.getAttribute("desc")
positive = case.getElementsByTagName("positive")[0]
negative = case.getElementsByTagName("negative")[0]
params = positive.getAttribute("params")
format = positive.getAttribute("format")
if not prefix and not postfix and tag == "custom":
continue continue
infoMsg = "testing %s injection " % desc infoMsg = "testing %s injection " % case.desc
infoMsg += "on %s parameter '%s'" % (place, parameter) infoMsg += "on %s parameter '%s'" % (place, parameter)
payload = agent.payload(place, parameter, value, format % eval(params)) payload = agent.payload(place, parameter, value, positive.format % eval(positive.params))
trueResult = Request.queryPage(payload, place) trueResult = Request.queryPage(payload, place)
if trueResult: if trueResult:
params = negative.getAttribute("params") payload = agent.payload(place, parameter, value, negative.format % eval(negative.params))
format = negative.getAttribute("format")
payload = agent.payload(place, parameter, value, format % eval(params))
falseResult = Request.queryPage(payload, place) falseResult = Request.queryPage(payload, place)
if not falseResult: if not falseResult:
infoMsg = "%s parameter '%s' is %s injectable " % (place, parameter, desc) infoMsg = "%s parameter '%s' is %s injectable " % (place, parameter, case.desc)
infoMsg += "with %d parenthesis" % parenthesis infoMsg += "with %d parenthesis" % parenthesis
return tag return
return None return None

View File

@ -26,6 +26,7 @@ import re
from xml.etree import ElementTree as ET from xml.etree import ElementTree as ET
from lib.core.common import getInjectionCase
from lib.core.common import randomInt from lib.core.common import randomInt
from lib.core.common import randomStr from lib.core.common import randomStr
from lib.core.common import replaceSpaces from lib.core.common import replaceSpaces
@ -142,19 +143,19 @@ class Agent:
if if
return self.payloadDirect(string) return self.payloadDirect(string)
query = "" query = str()
case = getInjectionCase(kb.injType)
if case is None:
raise sqlmapNoneDataException, "unsupported injection type"
if conf.prefix: if conf.prefix:
query = conf.prefix query = conf.prefix
else: else:
if kb.injType == "numeric" or conf.postfix: if case.usage.prefix._has_key('value'):
pass query = case.usage.prefix.value
elif kb.injType in ( "stringsingle", "likesingle" ): elif case.usage.prefix._has_key('format'):
query = "'" query = case.usage.prefix.format % eval(case.usage.prefix.params)
elif kb.injType in ( "stringdouble", "likedouble" ):
query = "\""
raise sqlmapNoneDataException, "unsupported injection type"
if kb.parenthesis not in ( None, 0 ): if kb.parenthesis not in ( None, 0 ):
query += "%s " % (")" * kb.parenthesis) query += "%s " % (")" * kb.parenthesis)
@ -172,6 +173,11 @@ class Agent:
if if
return self.payloadDirect(string) return self.payloadDirect(string)
case = getInjectionCase(kb.injType)
if case is None:
raise sqlmapNoneDataException, "unsupported injection type"
randInt = randomInt() randInt = randomInt()
randStr = randomStr() randStr = randomStr()
@ -186,18 +192,10 @@ class Agent:
else: else:
raise sqlmapNoneDataException, "unable to get the number of parenthesis" raise sqlmapNoneDataException, "unable to get the number of parenthesis"
if kb.injType == "numeric": if case.usage.postfix._has_key('value'):
string += "%d=%d" % (randInt, randInt) string += case.usage.postfix.value
elif kb.injType == "stringsingle": elif case.usage.postfix._has_key('format'):
string += "'%s'='%s" % (randStr, randStr) string += case.usage.postfix.format % eval(case.usage.postfix.params)
elif kb.injType == "likesingle":
string += "'%s' LIKE '%s" % (randStr, randStr)
elif kb.injType == "stringdouble":
string += "\"%s\"=\"%s" % (randStr, randStr)
elif kb.injType == "likedouble":
string += "\"%s\" LIKE \"%s" % (randStr, randStr)
raise sqlmapNoneDataException, "unsupported injection type"
return replaceSpaces(string) return replaceSpaces(string)

View File

@ -1241,6 +1241,14 @@ def calculateDeltaSeconds(start, epsilon=0.05):
""" """
return int(time.time() - start + epsilon) return int(time.time() - start + epsilon)
def getInjectionCase(name):
retVal = None
for case in
if == name:
retVal = case
return retVal
def initCommonOutputs(): def initCommonOutputs():
kb.commonOutputs = {} kb.commonOutputs = {}
key = None key = None

View File

@ -34,6 +34,7 @@ import urllib2
import urlparse import urlparse
from extra.keepalive import keepalive from extra.keepalive import keepalive
from extra.xmlobject import xmlobject
from lib.core.common import getConsoleWidth from lib.core.common import getConsoleWidth
from lib.core.common import getFileType from lib.core.common import getFileType
from lib.core.common import normalizePath from lib.core.common import normalizePath
@ -1010,6 +1011,7 @@ def __setKnowledgeBaseAttributes():
kb.injParameter = None kb.injParameter = None
kb.injPlace = None kb.injPlace = None
kb.injType = None kb.injType = None
kb.injections = xmlobject.XMLFile(path=paths.INJECTIONS_XML)
kb.hintValue = None kb.hintValue = None
kb.nullConnection = None kb.nullConnection = None

View File

@ -1,28 +1,64 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<root> <root>
<case tag="custom" desc="custom"> <case name="custom" desc="custom">
<positive format="%s%s%s AND %s%d=%d %s" params="value, prefix, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randInt, randInt, postfix"/> <test>
<negative format="%s%s%s AND %s%d=%d %s" params="value, prefix, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randInt, randInt + 1, postfix"/> <positive format="%s%s%s AND %s%d=%d %s" params="value, prefix, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randInt, randInt, postfix"/>
<negative format="%s%s%s AND %s%d=%d %s" params="value, prefix, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randInt, randInt + 1, postfix"/>
</case> </case>
<case tag="numeric" desc="unescaped numeric"> <case name="numeric" desc="unescaped numeric">
<positive format="%s%s AND %s%d=%d" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randInt, randInt"/> <test>
<negative format="%s%s AND %s%d=%d" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randInt, randInt + 1"/> <positive format="%s%s AND %s%d=%d" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randInt, randInt"/>
<negative format="%s%s AND %s%d=%d" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randInt, randInt + 1"/>
<postfix format="%d=%d" params="randInt, randInt"/>
</case> </case>
<case tag="stringsingle" desc="single quoted string"> <case name="stringsingle" desc="single quoted string">
<positive format="%s'%s AND %s'%s'='%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr"/> <test>
<negative format="%s'%s AND %s'%s'='%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr + randomStr(1)"/> <positive format="%s'%s AND %s'%s'='%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr"/>
<negative format="%s'%s AND %s'%s'='%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr + randomStr(1)"/>
<prefix value="'"/>
<postfix format="'%s'='%s" params="randStr, randStr"/>
</case> </case>
<case tag="likesingle" desc="LIKE single quoted string"> <case name="likesingle" desc="LIKE single quoted string">
<positive format="%s'%s AND %s'%s' LIKE '%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr"/> <test>
<negative format="%s'%s AND %s'%s' LIKE '%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr + randomStr(1)"/> <positive format="%s'%s AND %s'%s' LIKE '%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr"/>
<negative format="%s'%s AND %s'%s' LIKE '%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr + randomStr(1)"/>
<prefix value="'"/>
<postfix format="'%s' LIKE '%s" params="randStr, randStr"/>
</case> </case>
<case tag="stringdouble" desc="double quoted string"> <case name="stringdouble" desc="double quoted string">
<positive format="%s\&quot;%s AND %s\&quot;%s\&quot;=\&quot;%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr"/> <test>
<negative format="%s\&quot;%s AND %s\&quot;%s\&quot;=\&quot;%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr + randomStr(1)"/> <positive format="%s\&quot;%s AND %s\&quot;%s\&quot;=\&quot;%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr"/>
<negative format="%s\&quot;%s AND %s\&quot;%s\&quot;=\&quot;%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr + randomStr(1)"/>
<prefix value="&quot;"/>
<postfix format="\&quot;%s\&quot;=\&quot;%s" params="randStr, randStr"/>
</case> </case>
<case tag="likedouble" desc="LIKE double quoted string"> <case name="likedouble" desc="LIKE double quoted string">
<positive format="%s\&quot;%s AND %s\&quot;%s\&quot; LIKE \&quot;%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr"/> <test>
<negative format="%s\&quot;%s AND %s\&quot;%s\&quot; LIKE \&quot;%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr + randomStr(1)"/> <positive format="%s\&quot;%s AND %s\&quot;%s\&quot; LIKE \&quot;%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr"/>
<negative format="%s\&quot;%s AND %s\&quot;%s\&quot; LIKE \&quot;%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr + randomStr(1)"/>
<prefix value="&quot;"/>
<postfix format="\&quot;%s\&quot; LIKE \&quot;%s" params="randStr, randStr"/>
</case> </case>
</root> </root>