From 486a113560d4ecc2ba5fe27c07521d347de8a046 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Sun, 31 Oct 2010 16:58:38 +0000
Subject: [PATCH] Consolidate logger messages for --*-test switches
---
 lib/controller/action.py | 8 ++---
 lib/request/inject.py | 6 ++--
 lib/techniques/blind/timebased.py | 27 ++++++++-------
 lib/techniques/error/test.py | 17 +++++++++----
 lib/techniques/error/use.py | 7 ++--
 lib/techniques/inband/union/test.py | 53 +++++++++++------------------
 lib/techniques/outband/stacked.py | 10 +++---
 plugins/generic/enumeration.py | 2 +-
 8 files changed, 62 insertions(+), 68 deletions(-)
diff --git a/lib/controller/action.py b/lib/controller/action.py
index 530a481cd..8b18c3b2b 100644
--- a/lib/controller/action.py
+++ b/lib/controller/action.py
@@ -56,16 +56,16 @@ def action():
 # Techniques options
 if conf.stackedTest:
- conf.dumper.technic("stacked queries support", stackedTest())
+ conf.dumper.technic("stacked queries injection payload", stackedTest())
 if conf.errorTest:
- conf.dumper.technic("error based injection support", errorTest())
+ conf.dumper.technic("error-based injection payload", errorTest())
 if conf.timeTest:
- conf.dumper.technic("time based blind sql injection payload", timeTest())
+ conf.dumper.technic("time-based blind injection payload", timeTest())
 if conf.unionTest and kb.unionPosition is None:
- conf.dumper.technic("valid union", unionTest())
+ conf.dumper.technic("inband injection payload", unionTest())
 # Enumeration options
 if conf.getBanner:
diff --git a/lib/request/inject.py b/lib/request/inject.py
index db872c071..2465f335d 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -406,7 +406,7 @@ def goStacked(expression, silent=False):
 return payload, page
-def goError(expression, suppressOutput=False):
+def goError(expression, suppressOutput=False, returnPayload=False):
 #expression = cleanQuery(expression)
 if suppressOutput:
@@ -416,9 +416,9 @@ def goError(expression, suppressOutput=False):
 if conf.direct:
 return direct(expression), None
- result = errorUse(expression)
+ result, payload = errorUse(expression, returnPayload)
 if suppressOutput:
 conf.verbose = popValue()
- return result
+ return result, payload
diff --git a/lib/techniques/blind/timebased.py b/lib/techniques/blind/timebased.py
index 0fa8cc245..8135658ff 100644
--- a/lib/techniques/blind/timebased.py
+++ b/lib/techniques/blind/timebased.py
@@ -19,7 +19,7 @@ from lib.request import inject
 from lib.request.connect import Connect as Request
 def timeTest():
- infoMsg = "testing time based blind sql injection on parameter "
+ infoMsg = "testing time-based blind sql injection on parameter "
 infoMsg += "'%s' with %s condition syntax" % (kb.injParameter, conf.logic)
 logger.info(infoMsg)
@@ -32,19 +32,20 @@ def timeTest():
 duration = calculateDeltaSeconds(start)
 if duration >= conf.timeSec:
- infoMsg = "the parameter '%s' is affected by a time " % kb.injParameter
- infoMsg += "based blind sql injection with AND condition syntax"
+ infoMsg = "the target url is affected by a time-based blind "
+ infoMsg += "sql injection with AND condition syntax on parameter "
+ infoMsg += "'%s'" % kb.injParameter
 logger.info(infoMsg)
 kb.timeTest = payload
- else:
- warnMsg = "the parameter '%s' is not affected by a time " % kb.injParameter
- warnMsg += "based blind sql injection with AND condition syntax"
+ warnMsg = "the target url is not affected by a time-based blind "
+ warnMsg += "sql injection with AND condition syntax on parameter "
+ warnMsg += "'%s'" % kb.injParameter
 logger.warn(warnMsg)
- infoMsg = "testing time based blind sql injection on parameter "
- infoMsg += "'%s' with stacked query syntax" % kb.injParameter
+ infoMsg = "testing time-based blind sql injection on parameter "
+ infoMsg += "'%s' with stacked queries syntax" % kb.injParameter
 logger.info(infoMsg)
 timeQuery = getDelayQuery(andCond=True)
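Review bot: `result, payload = errorUse(expression, returnPayload)` unpacks two values unconditionally, but errorUse (final hunk of lib/techniques/error/use.py in this patch) returns a bare `output` unless returnPayload is true, so any goError caller that leaves returnPayload at its default of False — in this patch only errorTest passes True — gets a ValueError on the unpack, or a silent character split when the retrieved string happens to be two characters long. Since goError now returns a pair on every path (the conf.direct branch above already does), the simplest fix is to request the payload regardless of the flag, `result, payload = errorUse(expression, returnPayload=True)`, or to make errorUse always return the pair and drop the flag from both signatures. Callers of goError outside this patch that previously bound a single return value now receive a tuple; they are not visible here and should be checked.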
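Review bot: The `else:` that opened the AND-syntax failure branch is deleted (`- else:`) and nothing replaces it — the hunk's 7 removals against 8 additions are what the 19→20 header counts require — so the `warnMsg` lines, the "not affected ... with AND condition syntax" warning and the whole stacked-queries probe now execute in the success case as well. After a positive AND-syntax result the code therefore logs a contradictory warning and then overwrites `kb.timeTest = payload` with the stacked-queries outcome, which the following hunk sets to False on failure. Restore `else:` on its own line before `warnMsg = "the target url is not affected by a time-based blind "`, as the parallel branch in the next hunk still has. The indentation of the collapsed lines cannot be recovered here, so this reading rests on the line counts; timeTest continues past the end of the hunk.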
@@ -53,14 +54,16 @@ def timeTest():
 duration = calculateDeltaSeconds(start)
 if duration >= conf.timeSec:
- infoMsg = "the parameter '%s' is affected by a time " % kb.injParameter
- infoMsg += "based blind sql injection with stacked query syntax"
+ infoMsg = "the target url is affected by a time-based blind sql "
+ infoMsg += "injection with stacked queries syntax on parameter "
+ infoMsg += "'%s'" % kb.injParameter
 logger.info(infoMsg)
 kb.timeTest = payload
 else:
- warnMsg = "the parameter '%s' is not affected by a time " % kb.injParameter
- warnMsg += "based blind sql injection with stacked query syntax"
+ warnMsg = "the target url is not affected by a time-based blind "
+ warnMsg += "sql injection with stacked queries syntax on parameter "
+ warnMsg += "'%s'" % kb.injParameter
 logger.warn(warnMsg)
 kb.timeTest = False
diff --git a/lib/techniques/error/test.py b/lib/techniques/error/test.py
index 7b5c2da4d..6fa1f5bbe 100644
--- a/lib/techniques/error/test.py
+++ b/lib/techniques/error/test.py
@@ -25,27 +25,30 @@ def errorTest():
 if kb.errorTest is not None:
 return kb.errorTest
- infoMsg = "testing error based sql injection on parameter "
+ infoMsg = "testing error-based sql injection on parameter "
 infoMsg += "'%s' with %s condition syntax" % (kb.injParameter, conf.logic)
 logger.info(infoMsg)
 randInt = getUnicode(randomInt(1))
 query = queries[kb.dbms].case.query % ("%s=%s" % (randInt, randInt))
- result = inject.goError(query, True)
+ result, usedPayload = inject.goError(query, suppressOutput=True, returnPayload=True)
 if result:
- infoMsg = "the web application supports error based injection "
- infoMsg += "on parameter '%s'" % kb.injParameter
+ infoMsg = "the target url is affected by an error-based sql "
+ infoMsg += "injection on parameter '%s'" % kb.injParameter
 logger.info(infoMsg)
 kb.errorTest = True
 else:
- warnMsg = "the web application does not support error based injection "
- warnMsg += "on parameter '%s'" % kb.injParameter
+ warnMsg = "the target url is not affected by an error-based sql "
+ warnMsg += "injection on parameter '%s'" % kb.injParameter
 logger.warn(warnMsg)
 kb.errorTest = False
 setError()
- return kb.errorTest
+ if kb.errorTest:
+ return usedPayload
+ else:
+ return False
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index ee2941d38..6a68f20f1 100644
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -29,7 +29,7 @@ from lib.core.settings import ERROR_EMPTY_CHAR
 from lib.core.settings import ERROR_START_CHAR
 from lib.core.settings import ERROR_END_CHAR
-def errorUse(expression):
+def errorUse(expression, returnPayload=False):
 """
 Retrieve the output of a SQL query taking advantage of an error SQL injection vulnerability on the affected parameter.
@@ -79,4 +79,7 @@ def errorUse(expression):
 infoMsg = "retrieved: %s" % replaceNewlineTabs(output, stdout=True)
 logger.info(infoMsg)
- return output
+ if returnPayload:
+ return output, payload
+ else:
+ return output
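Review bot: The new tail returns `usedPayload`, while the cached early return at the top of the hunk, `return kb.errorTest`, still hands back the boolean stored by `kb.errorTest = True`, so errorTest yields a payload string on the first call and True on every later one; lib/controller/action.py's `conf.dumper.technic("error-based injection payload", errorTest())` would then print True whenever the test already ran. Storing the payload itself, `kb.errorTest = usedPayload`, makes both paths agree and mirrors how stackedTest keeps `kb.stackedTest = payload`; `if kb.errorTest:` and the `is not None` guard keep working, though any `is True` comparison elsewhere would need checking. Note also that goError's conf.direct branch returns `direct(expression), None`, so on a direct connection usedPayload is None and this function returns None instead of a payload — presumably not a case the --error-test switch targets, but worth a guard.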
diff --git a/lib/techniques/inband/union/test.py b/lib/techniques/inband/union/test.py
index 89d287143..7c0a131ad 100644
--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@@ -18,25 +18,8 @@ from lib.core.unescaper import unescaper
 from lib.parse.html import htmlParser
 from lib.request.connect import Connect as Request
-def __forgeUserFriendlyValue(payload):
- value = ""
- if kb.injPlace == "GET":
- value = "%s?%s" % (conf.url, payload)
- elif kb.injPlace == "POST":
- value = "URL:\t'%s'" % conf.url
- value += "\nPOST:\t'%s'\n" % payload
- elif kb.injPlace == "Cookie":
- value = "URL:\t'%s'" % conf.url
- value += "\nCookie:\t'%s'\n" % payload
- elif kb.injPlace == "User-Agent":
- value = "URL:\t\t'%s'" % conf.url
- value += "\nUser-Agent:\t'%s'\n" % payload
- return value
 def __unionPosition(negative=False, falseCond=False):
- value = None
+ validPayload = None
 if negative or falseCond:
 negLogMsg = "partial (single entry)"
@@ -77,17 +60,19 @@ def __unionPosition(negative=False, falseCond=False):
 if resultPage and randQuery in resultPage and not htmlParsed:
 setUnion(position=exprPosition)
- value = __forgeUserFriendlyValue(payload)
+ validPayload = payload
 break
 if isinstance(kb.unionPosition, int):
 infoMsg = "the target url is affected by an exploitable "
- infoMsg += "%s inband sql injection vulnerability" % negLogMsg
+ infoMsg += "%s inband sql injection vulnerability " % negLogMsg
+ infoMsg += "on parameter '%s'" % kb.injParameter
 logger.info(infoMsg)
 else:
 warnMsg = "the target url is not affected by an exploitable "
- warnMsg += "%s inband sql injection vulnerability" % negLogMsg
+ warnMsg += "%s inband sql injection vulnerability " % negLogMsg
+ warnMsg += "on parameter '%s'" % kb.injParameter
 if negLogMsg == "partial":
 warnMsg += ", sqlmap will retrieve the query output "
@@ -95,30 +80,30 @@ def __unionPosition(negative=False, falseCond=False):
 logger.warn(warnMsg)
- return value
+ return validPayload
 def __unionConfirm():
- value = None
+ validPayload = None
 # Confirm the inband SQL injection and get the exact column
 # position
 if not isinstance(kb.unionPosition, int):
- value = __unionPosition()
+ validPayload = __unionPosition()
 # Assure that the above function found the exploitable full inband
 # SQL injection position
 if not isinstance(kb.unionPosition, int):
- value = __unionPosition(negative=True)
+ validPayload = __unionPosition(negative=True)
 # Assure that the above function found the exploitable partial
 # (single entry) inband SQL injection position with negative
- # parameter value
+ # parameter validPayload
 if not isinstance(kb.unionPosition, int):
- value = __unionPosition(falseCond=True)
+ validPayload = __unionPosition(falseCond=True)
 # Assure that the above function found the exploitable partial
 # (single entry) inband SQL injection position by appending
- # a false condition after the parameter value
+ # a false condition after the parameter validPayload
 if not isinstance(kb.unionPosition, int):
 return
 else:
@@ -126,7 +111,7 @@ def __unionConfirm():
 else:
 setUnion(negative=True)
- return value
+ return validPayload
 def __unionTestByNULLBruteforce(comment):
 """
@@ -200,7 +185,7 @@ def unionTest():
 infoMsg += "'%s' with %s technique" % (kb.injParameter, technique)
 logger.info(infoMsg)
- value = None
+ validPayload = None
 columns = None
 for comment in (queries[kb.dbms].comment.query, ""):
@@ -215,13 +200,13 @@ def unionTest():
 break
 if kb.unionCount:
- value = __unionConfirm()
+ validPayload = __unionConfirm()
 else:
 warnMsg = "the target url is not affected by an "
 warnMsg += "inband sql injection vulnerability"
 logger.warn(warnMsg)
- if value is None:
- value = ""
+ if validPayload is None:
+ validPayload = ""
- return value
+ return validPayload
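Review bot: The value→validPayload rename in __unionConfirm also rewrote two comments whose "value" meant the HTTP parameter's value, not the local variable, so `# parameter validPayload` and `# a false condition after the parameter validPayload` no longer read correctly. Restore them as `# parameter value` and `# a false condition after the parameter value`. The adjacent `__unionPosition(negative=True)` and `__unionPosition(falseCond=True)` calls still describe a negated parameter value and an appended false condition, so the original wording was the accurate one.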
diff --git a/lib/techniques/outband/stacked.py b/lib/techniques/outband/stacked.py
index 16b812e2f..20f493e24 100644
--- a/lib/techniques/outband/stacked.py
+++ b/lib/techniques/outband/stacked.py
@@ -24,7 +24,7 @@ def stackedTest():
 if kb.stackedTest is not None:
 return kb.stackedTest
- infoMsg = "testing stacked queries support on parameter "
+ infoMsg = "testing stacked queries sql injection on parameter "
 infoMsg += "'%s'" % kb.injParameter
 logger.info(infoMsg)
@@ -34,14 +34,14 @@ def stackedTest():
 duration = calculateDeltaSeconds(start)
 if duration >= conf.timeSec:
- infoMsg = "the web application supports stacked queries "
- infoMsg += "on parameter '%s'" % kb.injParameter
+ infoMsg = "the target url is affected by a stacked queries "
+ infoMsg += "sql injection on parameter '%s'" % kb.injParameter
 logger.info(infoMsg)
 kb.stackedTest = payload
 else:
- warnMsg = "the web application does not support stacked queries "
- warnMsg += "on parameter '%s'" % kb.injParameter
+ warnMsg = "the target url is not affected by a stacked queries "
+ warnMsg += "sql injection on parameter '%s'" % kb.injParameter
 logger.warn(warnMsg)
 kb.stackedTest = False
diff --git a/plugins/generic/enumeration.py b/plugins/generic/enumeration.py
index 411dee56b..1b7335e4d 100644
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@@ -75,7 +75,7 @@ class Enumeration:
 if not kb.data.banner:
 if conf.unionTest:
- conf.dumper.technic("valid union", unionTest())
+ conf.dumper.technic("inband injection payload", unionTest())
 query = queries[kb.dbms].banner.query
 kb.data.banner = inject.getValue(query)