Converted from DOS format (\n\r to \n only)

Bernardo Damele 2011-02-06 23:25:55 +00:00
parent 7dcfcca87f
commit 6a71629575
15 changed files with 1135 additions and 1135 deletions


@ -1,75 +1,75 @@
#!/usr/bin/env python #!/usr/bin/env python
# #
# Script for getting Google Page Rank of page # Script for getting Google Page Rank of page
# Google Toolbar 3.0.x/4.0.x Pagerank Checksum Algorithm # Google Toolbar 3.0.x/4.0.x Pagerank Checksum Algorithm
# #
# original from http://pagerank.gamesaga.net/ # original from http://pagerank.gamesaga.net/
# this version was adapted from http://www.djangosnippets.org/snippets/221/ # this version was adapted from http://www.djangosnippets.org/snippets/221/
# by Corey Goldberg - 2010 # by Corey Goldberg - 2010
# #
# Licensed under the MIT license: http://www.opensource.org/licenses/mit-license.php # Licensed under the MIT license: http://www.opensource.org/licenses/mit-license.php
import urllib import urllib
def get_pagerank(url): def get_pagerank(url):
hsh = check_hash(hash_url(url)) hsh = check_hash(hash_url(url))
gurl = 'http://www.google.com/search?client=navclient-auto&features=Rank:&q=info:%s&ch=%s' % (urllib.quote(url), hsh) gurl = 'http://www.google.com/search?client=navclient-auto&features=Rank:&q=info:%s&ch=%s' % (urllib.quote(url), hsh)
try: try:
f = urllib.urlopen(gurl) f = urllib.urlopen(gurl)
rank = f.read().strip()[9:] rank = f.read().strip()[9:]
except Exception: except Exception:
rank = 'N/A' rank = 'N/A'
if rank == '': if rank == '':
rank = '0' rank = '0'
return rank return rank
def int_str(string, integer, factor): def int_str(string, integer, factor):
for i in range(len(string)) : for i in range(len(string)) :
integer *= factor integer *= factor
integer &= 0xFFFFFFFF integer &= 0xFFFFFFFF
integer += ord(string[i]) integer += ord(string[i])
return integer return integer
def hash_url(string): def hash_url(string):
c1 = int_str(string, 0x1505, 0x21) c1 = int_str(string, 0x1505, 0x21)
c2 = int_str(string, 0, 0x1003F) c2 = int_str(string, 0, 0x1003F)
c1 >>= 2 c1 >>= 2
c1 = ((c1 >> 4) & 0x3FFFFC0) | (c1 & 0x3F) c1 = ((c1 >> 4) & 0x3FFFFC0) | (c1 & 0x3F)
c1 = ((c1 >> 4) & 0x3FFC00) | (c1 & 0x3FF) c1 = ((c1 >> 4) & 0x3FFC00) | (c1 & 0x3FF)
c1 = ((c1 >> 4) & 0x3C000) | (c1 & 0x3FFF) c1 = ((c1 >> 4) & 0x3C000) | (c1 & 0x3FFF)
t1 = (c1 & 0x3C0) << 4 t1 = (c1 & 0x3C0) << 4
t1 |= c1 & 0x3C t1 |= c1 & 0x3C
t1 = (t1 << 2) | (c2 & 0xF0F) t1 = (t1 << 2) | (c2 & 0xF0F)
t2 = (c1 & 0xFFFFC000) << 4 t2 = (c1 & 0xFFFFC000) << 4
t2 |= c1 & 0x3C00 t2 |= c1 & 0x3C00
t2 = (t2 << 0xA) | (c2 & 0xF0F0000) t2 = (t2 << 0xA) | (c2 & 0xF0F0000)
return (t1 | t2) return (t1 | t2)
def check_hash(hash_int): def check_hash(hash_int):
hash_str = '%u' % (hash_int) hash_str = '%u' % (hash_int)
flag = 0 flag = 0
check_byte = 0 check_byte = 0
i = len(hash_str) - 1 i = len(hash_str) - 1
while i >= 0: while i >= 0:
byte = int(hash_str[i]) byte = int(hash_str[i])
if 1 == (flag % 2): if 1 == (flag % 2):
byte *= 2; byte *= 2;
byte = byte / 10 + byte % 10 byte = byte / 10 + byte % 10
check_byte += byte check_byte += byte
flag += 1 flag += 1
i -= 1 i -= 1
check_byte %= 10 check_byte %= 10
if 0 != check_byte: if 0 != check_byte:
check_byte = 10 - check_byte check_byte = 10 - check_byte
if 1 == flag % 2: if 1 == flag % 2:
if 1 == check_byte % 2: if 1 == check_byte % 2:
check_byte += 9 check_byte += 9
check_byte >>= 1 check_byte >>= 1
return '7' + str(check_byte) + hash_str return '7' + str(check_byte) + hash_str


@ -1,102 +1,102 @@
#!/usr/bin/env python #!/usr/bin/env python
""" """
$Id$ $Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/) Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission See the file 'doc/COPYING' for copying permission
""" """
from lib.core.exception import sqlmapMissingDependence from lib.core.exception import sqlmapMissingDependence
from lib.core.exception import sqlmapValueException from lib.core.exception import sqlmapValueException
class Replication: class Replication:
""" """
This class holds all methods/classes used for database This class holds all methods/classes used for database
replication purposes. replication purposes.
""" """
def __init__(self, dbpath): def __init__(self, dbpath):
try: try:
import sqlite3 import sqlite3
except ImportError, _: except ImportError, _:
errMsg = "missing module 'sqlite3' needed by --replicate switch" errMsg = "missing module 'sqlite3' needed by --replicate switch"
raise sqlmapMissingDependence, errMsg raise sqlmapMissingDependence, errMsg
self.dbpath = dbpath self.dbpath = dbpath
self.connection = sqlite3.connect(dbpath) self.connection = sqlite3.connect(dbpath)
self.connection.isolation_level = None self.connection.isolation_level = None
self.cursor = self.connection.cursor() self.cursor = self.connection.cursor()
class DataType: class DataType:
""" """
Using this class we define auxiliary objects Using this class we define auxiliary objects
used for representing sqlite data types. used for representing sqlite data types.
""" """
def __init__(self, name): def __init__(self, name):
self.name = name self.name = name
def __str__(self): def __str__(self):
return self.name return self.name
def __repr__(self): def __repr__(self):
return "<DataType: %s>" % self return "<DataType: %s>" % self
class Table: class Table:
""" """
This class defines methods used to manipulate table objects. This class defines methods used to manipulate table objects.
""" """
def __init__(self, parent, name, columns=None, create=True, typeless=False): def __init__(self, parent, name, columns=None, create=True, typeless=False):
self.parent = parent self.parent = parent
self.name = name self.name = name
self.columns = columns self.columns = columns
if create: if create:
self.parent.cursor.execute('DROP TABLE IF EXISTS %s' % self.name) self.parent.cursor.execute('DROP TABLE IF EXISTS %s' % self.name)
if not typeless: if not typeless:
self.parent.cursor.execute('CREATE TABLE %s (%s)' % (self.name, ','.join('%s %s' % (colname, coltype) for colname, coltype in self.columns))) self.parent.cursor.execute('CREATE TABLE %s (%s)' % (self.name, ','.join('%s %s' % (colname, coltype) for colname, coltype in self.columns)))
else: else:
self.parent.cursor.execute('CREATE TABLE %s (%s)' % (self.name, ','.join(colname for colname in self.columns))) self.parent.cursor.execute('CREATE TABLE %s (%s)' % (self.name, ','.join(colname for colname in self.columns)))
def insert(self, values): def insert(self, values):
""" """
This function is used for inserting row(s) into current table. This function is used for inserting row(s) into current table.
""" """
if len(values) == len(self.columns): if len(values) == len(self.columns):
self.parent.cursor.execute('INSERT INTO %s VALUES (%s)' % (self.name, ','.join(['?']*len(values))), values) self.parent.cursor.execute('INSERT INTO %s VALUES (%s)' % (self.name, ','.join(['?']*len(values))), values)
else: else:
errMsg = "wrong number of columns used in replicating insert" errMsg = "wrong number of columns used in replicating insert"
raise sqlmapValueException, errMsg raise sqlmapValueException, errMsg
def select(self, condition=None): def select(self, condition=None):
""" """
This function is used for selecting row(s) from current table. This function is used for selecting row(s) from current table.
""" """
stmt = 'SELECT * FROM %s' % self.name stmt = 'SELECT * FROM %s' % self.name
if condition: if condition:
stmt += 'WHERE %s' % condition stmt += 'WHERE %s' % condition
return self.parent.cursor.execute(stmt) return self.parent.cursor.execute(stmt)
def createTable(self, tblname, columns=None, typeless=False): def createTable(self, tblname, columns=None, typeless=False):
""" """
This function creates Table instance with current connection settings. This function creates Table instance with current connection settings.
""" """
return Replication.Table(parent=self, name=tblname, columns=columns, typeless=typeless) return Replication.Table(parent=self, name=tblname, columns=columns, typeless=typeless)
def dropTable(self, tblname): def dropTable(self, tblname):
""" """
This function drops table with given name using current connection. This function drops table with given name using current connection.
""" """
self.cursor.execute('DROP TABLE IF EXISTS %s' % tblname) self.cursor.execute('DROP TABLE IF EXISTS %s' % tblname)
def __del__(self): def __del__(self):
self.cursor.close() self.cursor.close()
self.connection.close() self.connection.close()
# sqlite data types # sqlite data types
NULL = DataType('NULL') NULL = DataType('NULL')
INTEGER = DataType('INTEGER') INTEGER = DataType('INTEGER')
REAL = DataType('REAL') REAL = DataType('REAL')
TEXT = DataType('TEXT') TEXT = DataType('TEXT')
BLOB = DataType('BLOB') BLOB = DataType('BLOB')


@ -1,42 +1,42 @@
#!/usr/bin/env python #!/usr/bin/env python
""" """
$Id$ $Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/) Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission See the file 'doc/COPYING' for copying permission
""" """
import os import os
import re import re
from subprocess import PIPE from subprocess import PIPE
from subprocess import Popen as execute from subprocess import Popen as execute
def getRevisionNumber(): def getRevisionNumber():
curDir = os.path.dirname(os.path.realpath(__file__)) curDir = os.path.dirname(os.path.realpath(__file__))
retVal = None retVal = None
try: try:
import pysvn import pysvn
client = pysvn.Client() client = pysvn.Client()
if client.info(curDir): if client.info(curDir):
retVal = client.info(curDir).revision.number retVal = client.info(curDir).revision.number
except ImportError, _: except ImportError, _:
process = execute("svn info %s" % curDir, shell=True, stdout=PIPE, stderr=PIPE) process = execute("svn info %s" % curDir, shell=True, stdout=PIPE, stderr=PIPE)
svnStdout, svnStderr = process.communicate() svnStdout, svnStderr = process.communicate()
if svnStdout: if svnStdout:
revision = re.search("Revision:\s+([\d]+)", svnStdout) revision = re.search("Revision:\s+([\d]+)", svnStdout)
if revision: if revision:
retVal = revision.group(1) retVal = revision.group(1)
if retVal: if retVal:
try: try:
retVal = int(retVal) retVal = int(retVal)
except ValueError: except ValueError:
retVal = None retVal = None
return retVal return retVal


@ -1,33 +1,33 @@
#!/usr/bin/env python #!/usr/bin/env python
""" """
$Id$ $Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/) Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission See the file 'doc/COPYING' for copying permission
""" """
import urllib2 import urllib2
class SmartHTTPBasicAuthHandler(urllib2.HTTPBasicAuthHandler): class SmartHTTPBasicAuthHandler(urllib2.HTTPBasicAuthHandler):
""" """
Reference: http://selenic.com/hg/rev/6c51a5056020 Reference: http://selenic.com/hg/rev/6c51a5056020
Fix for a: http://bugs.python.org/issue8797 Fix for a: http://bugs.python.org/issue8797
""" """
def __init__(self, *args, **kwargs): def __init__(self, *args, **kwargs):
urllib2.HTTPBasicAuthHandler.__init__(self, *args, **kwargs) urllib2.HTTPBasicAuthHandler.__init__(self, *args, **kwargs)
self.retried_req = set() self.retried_req = set()
def reset_retry_count(self): def reset_retry_count(self):
# Python 2.6.5 will call this on 401 or 407 errors and thus loop # Python 2.6.5 will call this on 401 or 407 errors and thus loop
# forever. We disable reset_retry_count completely and reset in # forever. We disable reset_retry_count completely and reset in
# http_error_auth_reqed instead. # http_error_auth_reqed instead.
pass pass
def http_error_auth_reqed(self, auth_header, host, req, headers): def http_error_auth_reqed(self, auth_header, host, req, headers):
# Reset the retry counter once for each request. # Reset the retry counter once for each request.
if hash(req) not in self.retried_req: if hash(req) not in self.retried_req:
self.retried_req.add(hash(req)) self.retried_req.add(hash(req))
self.retried = 0 self.retried = 0
return urllib2.HTTPBasicAuthHandler.http_error_auth_reqed( return urllib2.HTTPBasicAuthHandler.http_error_auth_reqed(
self, auth_header, host, req, headers) self, auth_header, host, req, headers)


@ -1,465 +1,465 @@
#!/usr/bin/env python #!/usr/bin/env python
""" """
$Id$ $Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/) Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission See the file 'doc/COPYING' for copying permission
""" """
import re import re
import time import time
from hashlib import md5 from hashlib import md5
from hashlib import sha1 from hashlib import sha1
from zipfile import ZipFile from zipfile import ZipFile
from extra.pydes.pyDes import des from extra.pydes.pyDes import des
from extra.pydes.pyDes import CBC from extra.pydes.pyDes import CBC
from lib.core.common import checkFile from lib.core.common import checkFile
from lib.core.common import clearConsoleLine from lib.core.common import clearConsoleLine
from lib.core.common import dataToStdout from lib.core.common import dataToStdout
from lib.core.common import getCompiledRegex from lib.core.common import getCompiledRegex
from lib.core.common import getFileItems from lib.core.common import getFileItems
from lib.core.common import Backend from lib.core.common import Backend
from lib.core.common import getPublicTypeMembers from lib.core.common import getPublicTypeMembers
from lib.core.common import getUnicode from lib.core.common import getUnicode
from lib.core.common import paths from lib.core.common import paths
from lib.core.common import readInput from lib.core.common import readInput
from lib.core.convert import hexdecode from lib.core.convert import hexdecode
from lib.core.convert import hexencode from lib.core.convert import hexencode
from lib.core.data import kb from lib.core.data import kb
from lib.core.data import logger from lib.core.data import logger
from lib.core.enums import DBMS from lib.core.enums import DBMS
from lib.core.enums import HASH from lib.core.enums import HASH
from lib.core.exception import sqlmapUserQuitException from lib.core.exception import sqlmapUserQuitException
from lib.core.settings import COMMON_PASSWORD_SUFFIXES from lib.core.settings import COMMON_PASSWORD_SUFFIXES
from lib.core.settings import DUMMY_USER_PREFIX from lib.core.settings import DUMMY_USER_PREFIX
from lib.core.settings import UNICODE_ENCODING from lib.core.settings import UNICODE_ENCODING
def mysql_passwd(password, uppercase=True): def mysql_passwd(password, uppercase=True):
""" """
Reference(s): Reference(s):
http://csl.sublevel3.org/mysql-password-function/ http://csl.sublevel3.org/mysql-password-function/
>>> mysql_passwd(password='testpass', uppercase=True) >>> mysql_passwd(password='testpass', uppercase=True)
'*00E247AC5F9AF26AE0194B41E1E769DEE1429A29' '*00E247AC5F9AF26AE0194B41E1E769DEE1429A29'
""" """
retVal = "*%s" % sha1(sha1(password).digest()).hexdigest() retVal = "*%s" % sha1(sha1(password).digest()).hexdigest()
return retVal.upper() if uppercase else retVal.lower() return retVal.upper() if uppercase else retVal.lower()
def mysql_old_passwd(password, uppercase=True): # prior to version '4.1' def mysql_old_passwd(password, uppercase=True): # prior to version '4.1'
""" """
Reference(s): Reference(s):
http://www.sfr-fresh.com/unix/privat/tpop3d-1.5.5.tar.gz:a/tpop3d-1.5.5/password.c http://www.sfr-fresh.com/unix/privat/tpop3d-1.5.5.tar.gz:a/tpop3d-1.5.5/password.c
http://voidnetwork.org/5ynL0rd/darkc0de/python_script/darkMySQLi.html http://voidnetwork.org/5ynL0rd/darkc0de/python_script/darkMySQLi.html
>>> mysql_old_passwd(password='testpass', uppercase=True) >>> mysql_old_passwd(password='testpass', uppercase=True)
'7DCDA0D57290B453' '7DCDA0D57290B453'
""" """
a, b, c = 1345345333, 7, 0x12345671 a, b, c = 1345345333, 7, 0x12345671
for d in password: for d in password:
if d == ' ' or d == '\t': if d == ' ' or d == '\t':
continue continue
e = ord(d) e = ord(d)
a ^= (((a & 63) + b) * e) + (a << 8) a ^= (((a & 63) + b) * e) + (a << 8)
c += (c << 8) ^ a c += (c << 8) ^ a
b += e b += e
retVal = "%08lx%08lx" % (a & ((1 << 31) - 1), c & ((1 << 31) - 1)) retVal = "%08lx%08lx" % (a & ((1 << 31) - 1), c & ((1 << 31) - 1))
return retVal.upper() if uppercase else retVal.lower() return retVal.upper() if uppercase else retVal.lower()
def postgres_passwd(password, username, uppercase=False): def postgres_passwd(password, username, uppercase=False):
""" """
Reference(s): Reference(s):
http://pentestmonkey.net/blog/cracking-postgres-hashes/ http://pentestmonkey.net/blog/cracking-postgres-hashes/
>>> postgres_passwd(password='testpass', username='testuser', uppercase=False) >>> postgres_passwd(password='testpass', username='testuser', uppercase=False)
'md599e5ea7a6f7c3269995cba3927fd0093' 'md599e5ea7a6f7c3269995cba3927fd0093'
""" """
retVal = "md5%s" % md5(password + username).hexdigest() retVal = "md5%s" % md5(password + username).hexdigest()
return retVal.upper() if uppercase else retVal.lower() return retVal.upper() if uppercase else retVal.lower()
def mssql_passwd(password, salt, uppercase=False): def mssql_passwd(password, salt, uppercase=False):
""" """
Reference(s): Reference(s):
http://www.leidecker.info/projects/phrasendrescher/mssql.c http://www.leidecker.info/projects/phrasendrescher/mssql.c
https://www.evilfingers.com/tools/GSAuditor.php https://www.evilfingers.com/tools/GSAuditor.php
>>> mssql_passwd(password='testpass', salt='4086ceb6', uppercase=False) >>> mssql_passwd(password='testpass', salt='4086ceb6', uppercase=False)
'0x01004086ceb60c90646a8ab9889fe3ed8e5c150b5460ece8425a' '0x01004086ceb60c90646a8ab9889fe3ed8e5c150b5460ece8425a'
""" """
binsalt = hexdecode(salt) binsalt = hexdecode(salt)
unistr = "".join("%s\0" % c for c in password) unistr = "".join("%s\0" % c for c in password)
retVal = "0100%s%s" % (salt, sha1(unistr + binsalt).hexdigest()) retVal = "0100%s%s" % (salt, sha1(unistr + binsalt).hexdigest())
return "0x%s" % (retVal.upper() if uppercase else retVal.lower()) return "0x%s" % (retVal.upper() if uppercase else retVal.lower())
def mssql_old_passwd(password, salt, uppercase=True): # prior to version '2005' def mssql_old_passwd(password, salt, uppercase=True): # prior to version '2005'
""" """
Reference(s): Reference(s):
www.exploit-db.com/download_pdf/15537/ www.exploit-db.com/download_pdf/15537/
http://www.leidecker.info/projects/phrasendrescher/mssql.c http://www.leidecker.info/projects/phrasendrescher/mssql.c
https://www.evilfingers.com/tools/GSAuditor.php https://www.evilfingers.com/tools/GSAuditor.php
>>> mssql_old_passwd(password='testpass', salt='4086ceb6', uppercase=True) >>> mssql_old_passwd(password='testpass', salt='4086ceb6', uppercase=True)
'0x01004086CEB60C90646A8AB9889FE3ED8E5C150B5460ECE8425AC7BB7255C0C81D79AA5D0E93D4BB077FB9A51DA0' '0x01004086CEB60C90646A8AB9889FE3ED8E5C150B5460ECE8425AC7BB7255C0C81D79AA5D0E93D4BB077FB9A51DA0'
""" """
binsalt = hexdecode(salt) binsalt = hexdecode(salt)
unistr = "".join("%s\0" % c for c in password) unistr = "".join("%s\0" % c for c in password)
retVal = "0100%s%s%s" % (salt, sha1(unistr + binsalt).hexdigest(), sha1(unistr.upper() + binsalt).hexdigest()) retVal = "0100%s%s%s" % (salt, sha1(unistr + binsalt).hexdigest(), sha1(unistr.upper() + binsalt).hexdigest())
return "0x%s" % (retVal.upper() if uppercase else retVal.lower()) return "0x%s" % (retVal.upper() if uppercase else retVal.lower())
def oracle_passwd(password, salt, uppercase=True): def oracle_passwd(password, salt, uppercase=True):
""" """
Reference(s): Reference(s):
https://www.evilfingers.com/tools/GSAuditor.php https://www.evilfingers.com/tools/GSAuditor.php
http://www.notesbit.com/index.php/scripts-oracle/oracle-11g-new-password-algorithm-is-revealed-by-seclistsorg/ http://www.notesbit.com/index.php/scripts-oracle/oracle-11g-new-password-algorithm-is-revealed-by-seclistsorg/
http://seclists.org/bugtraq/2007/Sep/304 http://seclists.org/bugtraq/2007/Sep/304
>>> oracle_passwd(password='SHAlala', salt='1B7B5F82B7235E9E182C', uppercase=True) >>> oracle_passwd(password='SHAlala', salt='1B7B5F82B7235E9E182C', uppercase=True)
'S:2BFCFDF5895014EE9BB2B9BA067B01E0389BB5711B7B5F82B7235E9E182C' 'S:2BFCFDF5895014EE9BB2B9BA067B01E0389BB5711B7B5F82B7235E9E182C'
""" """
binsalt = hexdecode(salt) binsalt = hexdecode(salt)
retVal="s:%s%s" % (sha1(password + binsalt).hexdigest(), salt) retVal="s:%s%s" % (sha1(password + binsalt).hexdigest(), salt)
return retVal.upper() if uppercase else retVal.lower() return retVal.upper() if uppercase else retVal.lower()
def oracle_old_passwd(password, username, uppercase=True): # prior to version '11g' def oracle_old_passwd(password, username, uppercase=True): # prior to version '11g'
""" """
Reference(s): Reference(s):
http://www.notesbit.com/index.php/scripts-oracle/oracle-11g-new-password-algorithm-is-revealed-by-seclistsorg/ http://www.notesbit.com/index.php/scripts-oracle/oracle-11g-new-password-algorithm-is-revealed-by-seclistsorg/
>>> oracle_old_passwd(password='tiger', username='scott', uppercase=True) >>> oracle_old_passwd(password='tiger', username='scott', uppercase=True)
'F894844C34402B67' 'F894844C34402B67'
""" """
IV, pad = "\0"*8, "\0" IV, pad = "\0"*8, "\0"
if isinstance(username, unicode): if isinstance(username, unicode):
username = unicode.encode(username, UNICODE_ENCODING) #pyDes has issues with unicode strings username = unicode.encode(username, UNICODE_ENCODING) #pyDes has issues with unicode strings
unistr = "".join("\0%s" % c for c in (username + password).upper()) unistr = "".join("\0%s" % c for c in (username + password).upper())
cipher = des(hexdecode("0123456789ABCDEF"), CBC, IV, pad) cipher = des(hexdecode("0123456789ABCDEF"), CBC, IV, pad)
encrypted = cipher.encrypt(unistr) encrypted = cipher.encrypt(unistr)
cipher = des(encrypted[-8:], CBC, IV, pad) cipher = des(encrypted[-8:], CBC, IV, pad)
encrypted = cipher.encrypt(unistr) encrypted = cipher.encrypt(unistr)
retVal = hexencode(encrypted[-8:]) retVal = hexencode(encrypted[-8:])
return retVal.upper() if uppercase else retVal.lower() return retVal.upper() if uppercase else retVal.lower()
def md5_generic_passwd(password, uppercase=False): def md5_generic_passwd(password, uppercase=False):
""" """
>>> md5_generic_passwd(password='testpass', uppercase=False) >>> md5_generic_passwd(password='testpass', uppercase=False)
'179ad45c6ce2cb97cf1029e212046e81' '179ad45c6ce2cb97cf1029e212046e81'
""" """
retVal = md5(password).hexdigest() retVal = md5(password).hexdigest()
return retVal.upper() if uppercase else retVal.lower() return retVal.upper() if uppercase else retVal.lower()
def sha1_generic_passwd(password, uppercase=False): def sha1_generic_passwd(password, uppercase=False):
""" """
>>> sha1_generic_passwd(password='testpass', uppercase=False) >>> sha1_generic_passwd(password='testpass', uppercase=False)
'206c80413b9a96c1312cc346b7d2517b84463edd' '206c80413b9a96c1312cc346b7d2517b84463edd'
""" """
retVal = sha1(password).hexdigest() retVal = sha1(password).hexdigest()
return retVal.upper() if uppercase else retVal.lower() return retVal.upper() if uppercase else retVal.lower()
__functions__ = { __functions__ = {
HASH.MYSQL: mysql_passwd, HASH.MYSQL: mysql_passwd,
HASH.MYSQL_OLD: mysql_old_passwd, HASH.MYSQL_OLD: mysql_old_passwd,
HASH.POSTGRES: postgres_passwd, HASH.POSTGRES: postgres_passwd,
HASH.MSSQL: mssql_passwd, HASH.MSSQL: mssql_passwd,
HASH.MSSQL_OLD: mssql_old_passwd, HASH.MSSQL_OLD: mssql_old_passwd,
HASH.ORACLE: oracle_passwd, HASH.ORACLE: oracle_passwd,
HASH.ORACLE_OLD: oracle_old_passwd, HASH.ORACLE_OLD: oracle_old_passwd,
HASH.MD5_GENERIC: md5_generic_passwd, HASH.MD5_GENERIC: md5_generic_passwd,
HASH.SHA1_GENERIC: sha1_generic_passwd HASH.SHA1_GENERIC: sha1_generic_passwd
} }
def attackCachedUsersPasswords(): def attackCachedUsersPasswords():
if kb.data.cachedUsersPasswords: if kb.data.cachedUsersPasswords:
results = dictionaryAttack(kb.data.cachedUsersPasswords) results = dictionaryAttack(kb.data.cachedUsersPasswords)
for (user, hash_, password) in results: for (user, hash_, password) in results:
for i in xrange(len(kb.data.cachedUsersPasswords[user])): for i in xrange(len(kb.data.cachedUsersPasswords[user])):
if kb.data.cachedUsersPasswords[user][i] and hash_.lower() in kb.data.cachedUsersPasswords[user][i].lower(): if kb.data.cachedUsersPasswords[user][i] and hash_.lower() in kb.data.cachedUsersPasswords[user][i].lower():
kb.data.cachedUsersPasswords[user][i] += "%s clear-text password: %s" % ('\n' if kb.data.cachedUsersPasswords[user][i][-1] != '\n' else '', password) kb.data.cachedUsersPasswords[user][i] += "%s clear-text password: %s" % ('\n' if kb.data.cachedUsersPasswords[user][i][-1] != '\n' else '', password)
def attackDumpedTable(): def attackDumpedTable():
if kb.data.dumpedTable: if kb.data.dumpedTable:
table = kb.data.dumpedTable table = kb.data.dumpedTable
columns = table.keys() columns = table.keys()
count = table["__infos__"]["count"] count = table["__infos__"]["count"]
colUser = '' colUser = ''
attack_dict = {} attack_dict = {}
for column in columns: for column in columns:
if column and column.lower() in ('user', 'username', 'user_name'): if column and column.lower() in ('user', 'username', 'user_name'):
colUser = column colUser = column
break break
for i in range(count): for i in range(count):
for column in columns: for column in columns:
if column == colUser or column == '__infos__': if column == colUser or column == '__infos__':
continue continue
if len(table[column]['values']) <= i: if len(table[column]['values']) <= i:
continue continue
value = table[column]['values'][i] value = table[column]['values'][i]
if hashRecognition(value): if hashRecognition(value):
if colUser: if colUser:
if table[colUser]['values'][i] not in attack_dict: if table[colUser]['values'][i] not in attack_dict:
attack_dict[table[colUser]['values'][i]] = [] attack_dict[table[colUser]['values'][i]] = []
attack_dict[table[colUser]['values'][i]].append(value) attack_dict[table[colUser]['values'][i]].append(value)
else: else:
attack_dict['%s%d' % (DUMMY_USER_PREFIX, i)] = [value] attack_dict['%s%d' % (DUMMY_USER_PREFIX, i)] = [value]
if attack_dict: if attack_dict:
message = "recognized possible password hash values. " message = "recognized possible password hash values. "
message += "do you want to use dictionary attack on retrieved table items? [Y/n/q]" message += "do you want to use dictionary attack on retrieved table items? [Y/n/q]"
test = readInput(message, default="Y") test = readInput(message, default="Y")
if test[0] in ("n", "N"): if test[0] in ("n", "N"):
return return
elif test[0] in ("q", "Q"): elif test[0] in ("q", "Q"):
raise sqlmapUserQuitException raise sqlmapUserQuitException
results = dictionaryAttack(attack_dict) results = dictionaryAttack(attack_dict)
for (user, hash_, password) in results: for (user, hash_, password) in results:
for i in range(count): for i in range(count):
for column in columns: for column in columns:
if column == colUser or column == '__infos__': if column == colUser or column == '__infos__':
continue continue
if len(table[column]['values']) <= i: if len(table[column]['values']) <= i:
continue continue
value = table[column]['values'][i] value = table[column]['values'][i]
if value.lower() == hash_.lower(): if value.lower() == hash_.lower():
table[column]['values'][i] += " (%s)" % password table[column]['values'][i] += " (%s)" % password
table[column]['length'] = max(table[column]['length'], len(table[column]['values'][i])) table[column]['length'] = max(table[column]['length'], len(table[column]['values'][i]))
def hashRecognition(value): def hashRecognition(value):
retVal = None retVal = None
if value: if value:
for name, regex in getPublicTypeMembers(HASH): for name, regex in getPublicTypeMembers(HASH):
# Hashes for Oracle and old MySQL look the same hence these checks # Hashes for Oracle and old MySQL look the same hence these checks
if Backend.getIdentifiedDbms() == DBMS.ORACLE and regex == HASH.MYSQL_OLD: if Backend.getIdentifiedDbms() == DBMS.ORACLE and regex == HASH.MYSQL_OLD:
continue continue
elif Backend.getIdentifiedDbms() == DBMS.MYSQL and regex == HASH.ORACLE_OLD: elif Backend.getIdentifiedDbms() == DBMS.MYSQL and regex == HASH.ORACLE_OLD:
continue continue
elif getCompiledRegex(regex).match(value): elif getCompiledRegex(regex).match(value):
retVal = regex retVal = regex
break break
return retVal return retVal
def dictionaryAttack(attack_dict): def dictionaryAttack(attack_dict):
hash_regexes = [] hash_regexes = []
results = [] results = []
for (_, hashes) in attack_dict.items(): for (_, hashes) in attack_dict.items():
for hash_ in hashes: for hash_ in hashes:
if not hash_: if not hash_:
continue continue
hash_ = hash_.split()[0] hash_ = hash_.split()[0]
regex = hashRecognition(hash_) regex = hashRecognition(hash_)
if regex and regex not in hash_regexes: if regex and regex not in hash_regexes:
hash_regexes.append(regex) hash_regexes.append(regex)
infoMsg = "using hash method: '%s'" % __functions__[regex].func_name infoMsg = "using hash method: '%s'" % __functions__[regex].func_name
logger.info(infoMsg) logger.info(infoMsg)
for hash_regex in hash_regexes: for hash_regex in hash_regexes:
attack_info = [] attack_info = []
for (user, hashes) in attack_dict.items(): for (user, hashes) in attack_dict.items():
for hash_ in hashes: for hash_ in hashes:
if not hash_: if not hash_:
continue continue
hash_ = hash_.split()[0] hash_ = hash_.split()[0]
if re.match(hash_regex, hash_): if re.match(hash_regex, hash_):
hash_ = hash_.lower() hash_ = hash_.lower()
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC): if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC):
attack_info.append([(user, hash_), {}]) attack_info.append([(user, hash_), {}])
elif hash_regex in (HASH.ORACLE_OLD, HASH.POSTGRES): elif hash_regex in (HASH.ORACLE_OLD, HASH.POSTGRES):
attack_info.append([(user, hash_), {'username': user}]) attack_info.append([(user, hash_), {'username': user}])
elif hash_regex in (HASH.ORACLE): elif hash_regex in (HASH.ORACLE):
attack_info.append([(user, hash_), {'salt': hash_[-20:]}]) attack_info.append([(user, hash_), {'salt': hash_[-20:]}])
elif hash_regex in (HASH.MSSQL, HASH.MSSQL_OLD): elif hash_regex in (HASH.MSSQL, HASH.MSSQL_OLD):
attack_info.append([(user, hash_), {'salt': hash_[6:14]}]) attack_info.append([(user, hash_), {'salt': hash_[6:14]}])
if not kb.wordlist: if not kb.wordlist:
if hash_regex == HASH.ORACLE_OLD: #it's the slowest of all methods hence smaller default dict if hash_regex == HASH.ORACLE_OLD: #it's the slowest of all methods hence smaller default dict
message = "what's the dictionary's location? [%s]" % paths.ORACLE_DEFAULT_PASSWD message = "what's the dictionary's location? [%s]" % paths.ORACLE_DEFAULT_PASSWD
dictpath = readInput(message, default=paths.ORACLE_DEFAULT_PASSWD) dictpath = readInput(message, default=paths.ORACLE_DEFAULT_PASSWD)
else: else:
message = "what's the dictionary's location? [%s]" % paths.WORDLIST message = "what's the dictionary's location? [%s]" % paths.WORDLIST
dictpath = readInput(message, default=paths.WORDLIST) dictpath = readInput(message, default=paths.WORDLIST)
checkFile(dictpath) checkFile(dictpath)
infoMsg = "loading dictionary from: '%s'" % dictpath infoMsg = "loading dictionary from: '%s'" % dictpath
logger.info(infoMsg) logger.info(infoMsg)
kb.wordlist = getFileItems(dictpath, None, False) kb.wordlist = getFileItems(dictpath, None, False)
message = "do you want to use common password suffixes? (slow!) [y/N] " message = "do you want to use common password suffixes? (slow!) [y/N] "
test = readInput(message, default="N") test = readInput(message, default="N")
suffix_list = [""] suffix_list = [""]
if test[0] in ("y", "Y"): if test[0] in ("y", "Y"):
suffix_list += COMMON_PASSWORD_SUFFIXES suffix_list += COMMON_PASSWORD_SUFFIXES
infoMsg = "starting dictionary attack (%s)" % __functions__[hash_regex].func_name infoMsg = "starting dictionary attack (%s)" % __functions__[hash_regex].func_name
logger.info(infoMsg) logger.info(infoMsg)
for item in attack_info: for item in attack_info:
((user, _), _) = item ((user, _), _) = item
kb.wordlist.append(getUnicode(user)) kb.wordlist.append(getUnicode(user))
length = len(kb.wordlist) * len(suffix_list) length = len(kb.wordlist) * len(suffix_list)
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC): if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC):
count = 0 count = 0
for suffix in suffix_list: for suffix in suffix_list:
if not attack_info: if not attack_info:
break break
for word in kb.wordlist: for word in kb.wordlist:
if not attack_info: if not attack_info:
break break
count += 1 count += 1
if suffix: if suffix:
word = word + suffix word = word + suffix
try: try:
current = __functions__[hash_regex](password = word, uppercase = False) current = __functions__[hash_regex](password = word, uppercase = False)
for item in attack_info: for item in attack_info:
((user, hash_), _) = item ((user, hash_), _) = item
if hash_ == current: if hash_ == current:
results.append((user, hash_, word)) results.append((user, hash_, word))
clearConsoleLine() clearConsoleLine()
infoMsg = "[%s] [INFO] found: '%s'" % (time.strftime("%X"), word) infoMsg = "[%s] [INFO] found: '%s'" % (time.strftime("%X"), word)
if user and not user.startswith(DUMMY_USER_PREFIX): if user and not user.startswith(DUMMY_USER_PREFIX):
infoMsg += " for user: '%s'\n" % user infoMsg += " for user: '%s'\n" % user
else: else:
infoMsg += " for hash: '%s'\n" % hash_ infoMsg += " for hash: '%s'\n" % hash_
dataToStdout(infoMsg, True) dataToStdout(infoMsg, True)
attack_info.remove(item) attack_info.remove(item)
elif count % 1117 == 0 or count == length or hash_regex in (HASH.ORACLE_OLD): elif count % 1117 == 0 or count == length or hash_regex in (HASH.ORACLE_OLD):
status = '%d/%d words (%d%s)' % (count, length, round(100.0*count/length), '%') status = '%d/%d words (%d%s)' % (count, length, round(100.0*count/length), '%')
dataToStdout("\r[%s] [INFO] %s" % (time.strftime("%X"), status)) dataToStdout("\r[%s] [INFO] %s" % (time.strftime("%X"), status))
except KeyboardInterrupt: except KeyboardInterrupt:
raise raise
except: except:
warnMsg = "there was a problem while hashing entry: %s. " % repr(word) warnMsg = "there was a problem while hashing entry: %s. " % repr(word)
warnMsg += "Please report by e-mail to sqlmap-users@lists.sourceforge.net." warnMsg += "Please report by e-mail to sqlmap-users@lists.sourceforge.net."
logger.critical(warnMsg) logger.critical(warnMsg)
clearConsoleLine() clearConsoleLine()
else: else:
for ((user, hash_), kwargs) in attack_info: for ((user, hash_), kwargs) in attack_info:
count = 0 count = 0
found = False found = False
for suffix in suffix_list: for suffix in suffix_list:
if found: if found:
break break
for word in kb.wordlist: for word in kb.wordlist:
current = __functions__[hash_regex](password = word, uppercase = False, **kwargs) current = __functions__[hash_regex](password = word, uppercase = False, **kwargs)
count += 1 count += 1
if suffix: if suffix:
word = word + suffix word = word + suffix
try: try:
if hash_ == current: if hash_ == current:
if regex == HASH.ORACLE_OLD: #only for cosmetic purposes if regex == HASH.ORACLE_OLD: #only for cosmetic purposes
word = word.upper() word = word.upper()
results.append((user, hash_, word)) results.append((user, hash_, word))
clearConsoleLine() clearConsoleLine()
infoMsg = "[%s] [INFO] found: '%s'" % (time.strftime("%X"), word) infoMsg = "[%s] [INFO] found: '%s'" % (time.strftime("%X"), word)
if user and not user.startswith(DUMMY_USER_PREFIX): if user and not user.startswith(DUMMY_USER_PREFIX):
infoMsg += " for user: '%s'\n" % user infoMsg += " for user: '%s'\n" % user
else: else:
infoMsg += " for hash: '%s'\n" % hash_ infoMsg += " for hash: '%s'\n" % hash_
dataToStdout(infoMsg, True) dataToStdout(infoMsg, True)
found = True found = True
break break
elif count % 1117 == 0 or count == length or hash_regex in (HASH.ORACLE_OLD): elif count % 1117 == 0 or count == length or hash_regex in (HASH.ORACLE_OLD):
status = '%d/%d words (%d%s) (user: %s)' % (count, length, round(100.0*count/length), '%', user) status = '%d/%d words (%d%s) (user: %s)' % (count, length, round(100.0*count/length), '%', user)
dataToStdout("\r[%s] [INFO] %s" % (time.strftime("%X"), status)) dataToStdout("\r[%s] [INFO] %s" % (time.strftime("%X"), status))
except KeyboardInterrupt: except KeyboardInterrupt:
raise raise
except: except:
warnMsg = "there was a problem while hashing entry: %s. " % repr(word) warnMsg = "there was a problem while hashing entry: %s. " % repr(word)
warnMsg += "Please report by e-mail to sqlmap-users@lists.sourceforge.net." warnMsg += "Please report by e-mail to sqlmap-users@lists.sourceforge.net."
logger.critical(warnMsg) logger.critical(warnMsg)
clearConsoleLine() clearConsoleLine()
if len(hash_regexes) == 0: if len(hash_regexes) == 0:
warnMsg = "unknown hash Format. " warnMsg = "unknown hash Format. "
warnMsg += "Please report by e-mail to sqlmap-users@lists.sourceforge.net." warnMsg += "Please report by e-mail to sqlmap-users@lists.sourceforge.net."
logger.warn(warnMsg) logger.warn(warnMsg)
if len(results) == 0: if len(results) == 0:
warnMsg = "no clear password(s) found" warnMsg = "no clear password(s) found"
logger.warn(warnMsg) logger.warn(warnMsg)
return results return results


@ -1,49 +1,49 @@
#!/usr/bin/env python #!/usr/bin/env python
""" """
$Id$ $Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/) Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission See the file 'doc/COPYING' for copying permission
""" """
from lib.core.enums import PRIORITY from lib.core.enums import PRIORITY
__priority__ = PRIORITY.HIGHEST __priority__ = PRIORITY.HIGHEST
def tamper(value): def tamper(value):
""" """
Replaces '>' with 'NOT BETWEEN 0 AND #' Replaces '>' with 'NOT BETWEEN 0 AND #'
Example: 'A > B' becomes 'A NOT BETWEEN 0 AND B' Example: 'A > B' becomes 'A NOT BETWEEN 0 AND B'
""" """
retVal = value retVal = value
if value: if value:
retVal = "" retVal = ""
quote, doublequote, firstspace = False, False, False quote, doublequote, firstspace = False, False, False
for i in xrange(len(value)): for i in xrange(len(value)):
if not firstspace: if not firstspace:
if value[i].isspace(): if value[i].isspace():
firstspace = True firstspace = True
retVal += " " retVal += " "
continue continue
elif value[i] == '\'': elif value[i] == '\'':
quote = not quote quote = not quote
elif value[i] == '"': elif value[i] == '"':
doublequote = not doublequote doublequote = not doublequote
elif value[i] == ">" and not doublequote and not quote: elif value[i] == ">" and not doublequote and not quote:
retVal += " " if i > 0 and not value[i-1].isspace() else "" retVal += " " if i > 0 and not value[i-1].isspace() else ""
retVal += "NOT BETWEEN 0 AND" retVal += "NOT BETWEEN 0 AND"
retVal += " " if i < len(value) - 1 and not value[i+1].isspace() else "" retVal += " " if i < len(value) - 1 and not value[i+1].isspace() else ""
continue continue
retVal += value[i] retVal += value[i]
return retVal return retVal


@ -1,37 +1,37 @@
#!/usr/bin/env python #!/usr/bin/env python
""" """
$Id$ $Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/) Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission See the file 'doc/COPYING' for copying permission
""" """
import string import string
from lib.core.enums import PRIORITY from lib.core.enums import PRIORITY
from lib.core.exception import sqlmapUnsupportedFeatureException from lib.core.exception import sqlmapUnsupportedFeatureException
__priority__ = PRIORITY.LOWEST __priority__ = PRIORITY.LOWEST
def tamper(value): def tamper(value):
""" """
Replaces value with urlencode of non-encoded chars in value Replaces value with urlencode of non-encoded chars in value
Example: 'SELECT%20FIELD%20FROM%20TABLE' becomes '%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45' Example: 'SELECT%20FIELD%20FROM%20TABLE' becomes '%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45'
""" """
retVal = value retVal = value
if value: if value:
retVal = "" retVal = ""
i = 0 i = 0
while i < len(value): while i < len(value):
if value[i] == '%' and (i < len(value) - 2) and value[i+1] in string.hexdigits and value[i+2] in string.hexdigits: if value[i] == '%' and (i < len(value) - 2) and value[i+1] in string.hexdigits and value[i+2] in string.hexdigits:
retVal += value[i:i+3] retVal += value[i:i+3]
i += 3 i += 3
else: else:
retVal += '%%%X' % ord(value[i]) retVal += '%%%X' % ord(value[i])
i += 1 i += 1
return retVal return retVal


@ -1,37 +1,37 @@
#!/usr/bin/env python #!/usr/bin/env python
""" """
$Id$ $Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/) Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission See the file 'doc/COPYING' for copying permission
""" """
import string import string
from lib.core.enums import PRIORITY from lib.core.enums import PRIORITY
from lib.core.exception import sqlmapUnsupportedFeatureException from lib.core.exception import sqlmapUnsupportedFeatureException
__priority__ = PRIORITY.LOWEST __priority__ = PRIORITY.LOWEST
def tamper(value): def tamper(value):
""" """
Replaces value with unicode-urlencode of non-encoded chars in value Replaces value with unicode-urlencode of non-encoded chars in value
Example: 'SELECT%20FIELD%20FROM%20TABLE' becomes '%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045' Example: 'SELECT%20FIELD%20FROM%20TABLE' becomes '%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045'
""" """
retVal = value retVal = value
if value: if value:
retVal = "" retVal = ""
i = 0 i = 0
while i < len(value): while i < len(value):
if value[i] == '%' and (i < len(value) - 2) and value[i+1] in string.hexdigits and value[i+2] in string.hexdigits: if value[i] == '%' and (i < len(value) - 2) and value[i+1] in string.hexdigits and value[i+2] in string.hexdigits:
retVal += "%%u00%s" % value[i+1:i+3] retVal += "%%u00%s" % value[i+1:i+3]
i += 3 i += 3
else: else:
retVal += '%%u00%X' % ord(value[i]) retVal += '%%u00%X' % ord(value[i])
i += 1 i += 1
return retVal return retVal


@ -1,49 +1,49 @@
#!/usr/bin/env python #!/usr/bin/env python
""" """
$Id$ $Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/) Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission See the file 'doc/COPYING' for copying permission
""" """
from lib.core.enums import PRIORITY from lib.core.enums import PRIORITY
__priority__ = PRIORITY.HIGHEST __priority__ = PRIORITY.HIGHEST
def tamper(value): def tamper(value):
""" """
Replaces 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' Replaces 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'
Example: 'IFNULL(1, 2)' becomes 'IF(ISNULL(1), 2, 1)' Example: 'IFNULL(1, 2)' becomes 'IF(ISNULL(1), 2, 1)'
""" """
if value and value.find("IFNULL") > -1: if value and value.find("IFNULL") > -1:
while value.find("IFNULL(") > -1: while value.find("IFNULL(") > -1:
index = value.find("IFNULL(") index = value.find("IFNULL(")
deepness = 1 deepness = 1
comma, end = None, None comma, end = None, None
for i in xrange(index + len("IFNULL("), len(value)): for i in xrange(index + len("IFNULL("), len(value)):
if deepness == 1 and value[i] == ',': if deepness == 1 and value[i] == ',':
comma = i comma = i
elif deepness == 1 and value[i] == ')': elif deepness == 1 and value[i] == ')':
end = i end = i
break break
elif value[i] == '(': elif value[i] == '(':
deepness += 1 deepness += 1
elif value[i] == ')': elif value[i] == ')':
deepness -= 1 deepness -= 1
if comma and end: if comma and end:
A = value[index + len("IFNULL("):comma] A = value[index + len("IFNULL("):comma]
B = value[comma + 1:end] B = value[comma + 1:end]
newVal = "IF(ISNULL(%s),%s,%s)" % (A, B, A) newVal = "IF(ISNULL(%s),%s,%s)" % (A, B, A)
value = value[:index] + newVal + value[end+1:] value = value[:index] + newVal + value[end+1:]
else: else:
break break
return value return value


@ -1,38 +1,38 @@
#!/usr/bin/env python #!/usr/bin/env python
""" """
$Id$ $Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/) Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission See the file 'doc/COPYING' for copying permission
""" """
import re import re
from lib.core.common import randomRange from lib.core.common import randomRange
from lib.core.data import kb from lib.core.data import kb
from lib.core.enums import PRIORITY from lib.core.enums import PRIORITY
__priority__ = PRIORITY.NORMAL __priority__ = PRIORITY.NORMAL
def tamper(value): def tamper(value):
""" """
Replaces each character with random case value Replaces each character with random case value
Example: 'INSERT' might become 'InsERt' Example: 'INSERT' might become 'InsERt'
""" """
retVal = value retVal = value
if value: if value:
for match in re.finditer(r"[A-Za-z_]+", retVal): for match in re.finditer(r"[A-Za-z_]+", retVal):
word = match.group() word = match.group()
if word.upper() in kb.keywords: if word.upper() in kb.keywords:
newWord = str() newWord = str()
for i in xrange(len(word)): for i in xrange(len(word)):
newWord += word[i].upper() if randomRange(0, 1) else word[i].lower() newWord += word[i].upper() if randomRange(0, 1) else word[i].lower()
retVal = retVal.replace(word, newWord) retVal = retVal.replace(word, newWord)
return retVal return retVal


@ -1,42 +1,42 @@
#!/usr/bin/env python #!/usr/bin/env python
""" """
$Id$ $Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/) Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission See the file 'doc/COPYING' for copying permission
""" """
import re import re
from lib.core.common import randomRange from lib.core.common import randomRange
from lib.core.data import kb from lib.core.data import kb
from lib.core.enums import PRIORITY from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOW __priority__ = PRIORITY.LOW
def tamper(value): def tamper(value):
""" """
Add random comments to SQL keywords in value Add random comments to SQL keywords in value
Example: 'INSERT' becomes 'IN/**/S/**/ERT' Example: 'INSERT' becomes 'IN/**/S/**/ERT'
""" """
retVal = value retVal = value
if value: if value:
for match in re.finditer(r"[A-Za-z_]+", retVal): for match in re.finditer(r"[A-Za-z_]+", retVal):
word = match.group() word = match.group()
if len(word) < 2: if len(word) < 2:
continue continue
if word.upper() in kb.keywords: if word.upper() in kb.keywords:
newWord = word[0] newWord = word[0]
for i in xrange(1, len(word) - 1): for i in xrange(1, len(word) - 1):
newWord += "%s%s" % ("/**/" if randomRange(0, 1) else "", word[i]) newWord += "%s%s" % ("/**/" if randomRange(0, 1) else "", word[i])
newWord += word[-1] newWord += word[-1]
retVal = retVal.replace(word, newWord) retVal = retVal.replace(word, newWord)
return retVal return retVal


@ -1,46 +1,46 @@
#!/usr/bin/env python #!/usr/bin/env python
""" """
$Id$ $Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/) Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission See the file 'doc/COPYING' for copying permission
""" """
from lib.core.enums import PRIORITY from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOW __priority__ = PRIORITY.LOW
def tamper(value): def tamper(value):
""" """
Replaces ' ' with '/**/' Replaces ' ' with '/**/'
Example: 'SELECT id FROM users' becomes 'SELECT/**/id/**/FROM/**/users' Example: 'SELECT id FROM users' becomes 'SELECT/**/id/**/FROM/**/users'
""" """
retVal = value retVal = value
if value: if value:
retVal = "" retVal = ""
quote, doublequote, firstspace = False, False, False quote, doublequote, firstspace = False, False, False
for i in xrange(len(value)): for i in xrange(len(value)):
if not firstspace: if not firstspace:
if value[i].isspace(): if value[i].isspace():
firstspace = True firstspace = True
retVal += "/**/" retVal += "/**/"
continue continue
elif value[i] == '\'': elif value[i] == '\'':
quote = not quote quote = not quote
elif value[i] == '"': elif value[i] == '"':
doublequote = not doublequote doublequote = not doublequote
elif value[i]==" " and not doublequote and not quote: elif value[i]==" " and not doublequote and not quote:
retVal += "/**/" retVal += "/**/"
continue continue
retVal += value[i] retVal += value[i]
return retVal return retVal


@ -1,46 +1,46 @@
#!/usr/bin/env python #!/usr/bin/env python
""" """
$Id$ $Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/) Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission See the file 'doc/COPYING' for copying permission
""" """
from lib.core.enums import PRIORITY from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOW __priority__ = PRIORITY.LOW
def tamper(value): def tamper(value):
""" """
Replaces ' ' with '+' Replaces ' ' with '+'
Example: 'SELECT id FROM users' becomes 'SELECT+id+FROM+users' Example: 'SELECT id FROM users' becomes 'SELECT+id+FROM+users'
""" """
retVal = value retVal = value
if value: if value:
retVal = "" retVal = ""
quote, doublequote, firstspace = False, False, False quote, doublequote, firstspace = False, False, False
for i in xrange(len(value)): for i in xrange(len(value)):
if not firstspace: if not firstspace:
if value[i].isspace(): if value[i].isspace():
firstspace = True firstspace = True
retVal += "+" retVal += "+"
continue continue
elif value[i] == '\'': elif value[i] == '\'':
quote = not quote quote = not quote
elif value[i] == '"': elif value[i] == '"':
doublequote = not doublequote doublequote = not doublequote
elif value[i]==" " and not doublequote and not quote: elif value[i]==" " and not doublequote and not quote:
retVal += "+" retVal += "+"
continue continue
retVal += value[i] retVal += value[i]
return retVal return retVal


@ -1,49 +1,49 @@
#!/usr/bin/env python #!/usr/bin/env python
""" """
$Id$ $Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/) Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission See the file 'doc/COPYING' for copying permission
""" """
import random import random
from lib.core.enums import PRIORITY from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOW __priority__ = PRIORITY.LOW
def tamper(value): def tamper(value):
""" """
Replaces ' ' with a random blank char from a set ('\r', '\n', '\t') Replaces ' ' with a random blank char from a set ('\r', '\n', '\t')
Example: 'SELECT id FROM users' becomes 'SELECT\rid\tFROM\nusers' Example: 'SELECT id FROM users' becomes 'SELECT\rid\tFROM\nusers'
""" """
blanks = ['\r', '\n', '\t'] blanks = ['\r', '\n', '\t']
retVal = value retVal = value
if value: if value:
retVal = "" retVal = ""
quote, doublequote, firstspace = False, False, False quote, doublequote, firstspace = False, False, False
for i in xrange(len(value)): for i in xrange(len(value)):
if not firstspace: if not firstspace:
if value[i].isspace(): if value[i].isspace():
firstspace = True firstspace = True
retVal += random.choice(blanks) retVal += random.choice(blanks)
continue continue
elif value[i] == '\'': elif value[i] == '\'':
quote = not quote quote = not quote
elif value[i] == '"': elif value[i] == '"':
doublequote = not doublequote doublequote = not doublequote
elif value[i]==" " and not doublequote and not quote: elif value[i]==" " and not doublequote and not quote:
retVal += random.choice(blanks) retVal += random.choice(blanks)
continue continue
retVal += value[i] retVal += value[i]
return retVal return retVal


@ -1,25 +1,25 @@
#!/usr/bin/env python #!/usr/bin/env python
""" """
$Id$ $Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/) Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission See the file 'doc/COPYING' for copying permission
""" """
from lib.core.convert import urlencode from lib.core.convert import urlencode
from lib.core.enums import PRIORITY from lib.core.enums import PRIORITY
from lib.core.exception import sqlmapUnsupportedFeatureException from lib.core.exception import sqlmapUnsupportedFeatureException
__priority__ = PRIORITY.LOWER __priority__ = PRIORITY.LOWER
def tamper(value): def tamper(value):
""" """
Replaces value with urlencode(value) Replaces value with urlencode(value)
Example: 'SELECT FIELD FROM TABLE' becomes 'SELECT%20FIELD%20FROM%20TABLE' Example: 'SELECT FIELD FROM TABLE' becomes 'SELECT%20FIELD%20FROM%20TABLE'
""" """
if value: if value:
value = urlencode(value, convall=True) value = urlencode(value, convall=True)
return value return value