Completed support to get the list of targets from WebScarab/Burp proxies

log file and updated the documentation
This commit is contained in:
Bernardo Damele 2008-11-27 22:33:33 +00:00
parent 785352d700
commit 6e548eb2ec
13 changed files with 232 additions and 166 deletions

View File

@ -3,6 +3,10 @@ sqlmap (0.6.3-1) stable; urgency=low
* Major enhancement to support stacked queries when the web application * Major enhancement to support stacked queries when the web application
supports it which will be used in the long run by takeover supports it which will be used in the long run by takeover
functionality; functionality;
* Major enhancement to get list of targets to test from Burp proxy
(http://portswigger.net/suite/) requests log file path or WebScarab
proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
'conversations/' folder path;
* Minor enhancement to test if the injectable parameter is affected by * Minor enhancement to test if the injectable parameter is affected by
a time based blind SQL injection technique; a time based blind SQL injection technique;
* Minor enhancement to fingerprint the web server operating system and * Minor enhancement to fingerprint the web server operating system and
@ -28,6 +32,7 @@ sqlmap (0.6.3-1) stable; urgency=low
* Minor bug fix to correctly enumerate columns on Microsoft SQL Server; * Minor bug fix to correctly enumerate columns on Microsoft SQL Server;
* Minor bug fix to correctly dump table entries when the column is * Minor bug fix to correctly dump table entries when the column is
provided; provided;
* Updated documentation.
-- Bernardo Damele A. G. <bernardo.damele@gmail.com> Day, X YYY 2008 10:00:00 +0000 -- Bernardo Damele A. G. <bernardo.damele@gmail.com> Day, X YYY 2008 10:00:00 +0000
@ -218,14 +223,14 @@ sqlmap (0.4-1) stable; urgency=low
the remote DBMS; the remote DBMS;
* Major improvements in union.UnionCheck() and union.UnionUse() * Major improvements in union.UnionCheck() and union.UnionUse()
functions to make it possible to exploit inband SQL injection also functions to make it possible to exploit inband SQL injection also
with database comment characters ('--' and '#') in UNION SELECT with database comment characters ('--' and '#') in UNION query
statements; statements;
* Added the possibility to save the output into a file while performing * Added the possibility to save the output into a file while performing
the queries (-o OUTPUTFILE) so it is possible to stop and resume the the queries (-o OUTPUTFILE) so it is possible to stop and resume the
same query output retrieving in a second time (--resume); same query output retrieving in a second time (--resume);
* Added support to specify the database table column to enumerate * Added support to specify the database table column to enumerate
(-C COL); (-C COL);
* Added inband SQL injection (UNION SELECT) support (--union-use); * Added inband SQL injection (UNION query) support (--union-use);
* Complete code refactoring, a lot of minor and some major fixes in * Complete code refactoring, a lot of minor and some major fixes in
libraries, many minor improvements; libraries, many minor improvements;
* Reviewed the directory tree structure; * Reviewed the directory tree structure;

View File

@ -8,7 +8,7 @@
<H1>sqlmap user's manual</H1> <H1>sqlmap user's manual</H1>
<H2>by <H2>by
<A HREF="mailto:bernardo.damele@gmail.com">Bernardo Damele A. G.</A></H2>version 0.6.3, DDth of November 2008 <A HREF="mailto:bernardo.damele@gmail.com">Bernardo Damele A. G.</A></H2>version 0.6.3, DDth of December 2008
<HR> <HR>
<EM>This document is the user's manual to use <EM>This document is the user's manual to use
<A HREF="http://sqlmap.sourceforge.net">sqlmap</A>. <A HREF="http://sqlmap.sourceforge.net">sqlmap</A>.
@ -349,7 +349,7 @@ $ python sqlmap.py -h
sqlmap/0.6.3 coded by Bernardo Damele A. G. &lt;bernardo.damele@gmail.com> sqlmap/0.6.3 coded by Bernardo Damele A. G. &lt;bernardo.damele@gmail.com>
and Daniele Bellucci &lt;daniele.bellucci@gmail.com> and Daniele Bellucci &lt;daniele.bellucci@gmail.com>
Usage: sqlmap.py [options] {-u &lt;URL> | -g &lt;google dork> | -c &lt;config file>} Usage: sqlmap.py [options] {-u "&lt;URL>" | -g "&lt;google dork>" | -c "&lt;config file>"}
Options: Options:
--version show program's version number and exit --version show program's version number and exit
@ -384,8 +384,8 @@ Options:
using the default blind SQL injection technique. using the default blind SQL injection technique.
--time-test Test for Time based blind SQL injection --time-test Test for Time based blind SQL injection
--union-test Test for UNION SELECT (inband) SQL injection --union-test Test for UNION query (inband) SQL injection
--union-use Use the UNION SELECT (inband) SQL injection to --union-use Use the UNION query (inband) SQL injection to
retrieve the queries output. No need to go blind retrieve the queries output. No need to go blind
Fingerprint: Fingerprint:
@ -487,7 +487,7 @@ headers and level 5 show also HTTP responses page content.</P>
<P> <P>
<BLOCKQUOTE><CODE> <BLOCKQUOTE><CODE>
<PRE> <PRE>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 1 $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 1
[hh:mm:01] [INFO] testing connection to the target url [hh:mm:01] [INFO] testing connection to the target url
[hh:mm:01] [INFO] testing if the url is stable, wait a few seconds [hh:mm:01] [INFO] testing if the url is stable, wait a few seconds
@ -525,7 +525,7 @@ back-end DBMS: MySQL >= 5.0.0
<P> <P>
<BLOCKQUOTE><CODE> <BLOCKQUOTE><CODE>
<PRE> <PRE>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 2 $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 2
[hh:mm:34] [DEBUG] initializing the configuration [hh:mm:34] [DEBUG] initializing the configuration
[hh:mm:34] [DEBUG] initializing the knowledge base [hh:mm:34] [DEBUG] initializing the knowledge base
@ -548,7 +548,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat
<P> <P>
<BLOCKQUOTE><CODE> <BLOCKQUOTE><CODE>
<PRE> <PRE>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 3 $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 3
[...] [...]
[hh:mm:28] [INFO] testing connection to the target url [hh:mm:28] [INFO] testing connection to the target url
@ -575,7 +575,7 @@ Connection: close
<P> <P>
<BLOCKQUOTE><CODE> <BLOCKQUOTE><CODE>
<PRE> <PRE>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 4 $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 4
[...] [...]
[hh:mm:32] [INFO] testing connection to the target url [hh:mm:32] [INFO] testing connection to the target url
@ -620,7 +620,7 @@ Content-Type: text/html
<P> <P>
<BLOCKQUOTE><CODE> <BLOCKQUOTE><CODE>
<PRE> <PRE>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 5 $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5
[...] [...]
[hh:mm:23] [INFO] testing connection to the target url [hh:mm:23] [INFO] testing connection to the target url
@ -675,6 +675,13 @@ Content-Type: text/html
</P> </P>
<H3>List of targets</H3>
<P>Option: <CODE>-l</CODE></P>
<P>TODO</P>
<H3>Process Google dork results as target urls</H3> <H3>Process Google dork results as target urls</H3>
<P>Option: <CODE>-g</CODE></P> <P>Option: <CODE>-g</CODE></P>
@ -733,7 +740,7 @@ injection test and inject directly only against the provided parameter(s).</P>
<BLOCKQUOTE><CODE> <BLOCKQUOTE><CODE>
<PRE> <PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&amp;cat=2" -v 1 \ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&amp;cat=2" -v 1 \
-p id -p "id"
[hh:mm:48] [INFO] testing connection to the target url [hh:mm:48] [INFO] testing connection to the target url
[hh:mm:48] [INFO] testing if the url is stable, wait a few seconds [hh:mm:48] [INFO] testing if the url is stable, wait a few seconds
@ -769,7 +776,7 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&amp;ca
<BLOCKQUOTE><CODE> <BLOCKQUOTE><CODE>
<PRE> <PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 1 \ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 1 \
-p user-agent --user-agent "sqlmap/0.6.3 (http://sqlmap.sourceforge.net)" -p "user-agent" --user-agent "sqlmap/0.6.3 (http://sqlmap.sourceforge.net)"
[hh:mm:40] [WARNING] the testable parameter 'user-agent' you provided is not into the GET [hh:mm:40] [WARNING] the testable parameter 'user-agent' you provided is not into the GET
[hh:mm:40] [INFO] testing connection to the target url [hh:mm:40] [INFO] testing connection to the target url
@ -816,7 +823,7 @@ tested for SQL injection like the <CODE>GET</CODE> parameters.</P>
<P> <P>
<BLOCKQUOTE><CODE> <BLOCKQUOTE><CODE>
<PRE> <PRE>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/oracle/post_int.php --method POST \ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/post_int.php" --method POST \
--data "id=1&amp;cat=2" --data "id=1&amp;cat=2"
[hh:mm:53] [INFO] testing connection to the target url [hh:mm:53] [INFO] testing connection to the target url
@ -1216,7 +1223,7 @@ request. The valid value is a float, for instance 0.5.</P>
<P>TODO</P> <P>TODO</P>
<H3>Test for UNION SELECT query SQL injection</H3> <H3>Test for UNION query SQL injection</H3>
<P>Option: <CODE>--union-test</CODE></P> <P>Option: <CODE>--union-test</CODE></P>
@ -1266,7 +1273,7 @@ affected by an inband SQL injection.
In case this vulnerability is exploitable it is strongly recommended to In case this vulnerability is exploitable it is strongly recommended to
use it.</P> use it.</P>
<H3>Use the UNION SELECT query SQL injection</H3> <H3>Use the UNION query SQL injection</H3>
<P>Option: <CODE>--union-use</CODE></P> <P>Option: <CODE>--union-use</CODE></P>

Binary file not shown.

View File

@ -4,7 +4,7 @@
<title>sqlmap user's manual <title>sqlmap user's manual
<author>by <htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G."> <author>by <htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G.">
<date>version 0.6.3, DDth of November 2008 <date>version 0.6.3, DDth of December 2008
<abstract> <abstract>
This document is the user's manual to use <htmlurl url="http://sqlmap.sourceforge.net" name="sqlmap">. This document is the user's manual to use <htmlurl url="http://sqlmap.sourceforge.net" name="sqlmap">.
Check the project <htmlurl url="http://sqlmap.sourceforge.net" name="homepage"> Check the project <htmlurl url="http://sqlmap.sourceforge.net" name="homepage">
@ -309,7 +309,7 @@ $ python sqlmap.py -h
sqlmap/0.6.3 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com> sqlmap/0.6.3 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com>
and Daniele Bellucci <daniele.bellucci@gmail.com> and Daniele Bellucci <daniele.bellucci@gmail.com>
Usage: sqlmap.py [options] {-u <URL> | -g <google dork> | -c <config file>} Usage: sqlmap.py [options] {-u "<URL>" | -g "<google dork>" | -c "<config file>"}
Options: Options:
--version show program's version number and exit --version show program's version number and exit
@ -344,8 +344,8 @@ Options:
using the default blind SQL injection technique. using the default blind SQL injection technique.
--time-test Test for Time based blind SQL injection --time-test Test for Time based blind SQL injection
--union-test Test for UNION SELECT (inband) SQL injection --union-test Test for UNION query (inband) SQL injection
--union-use Use the UNION SELECT (inband) SQL injection to --union-use Use the UNION query (inband) SQL injection to
retrieve the queries output. No need to go blind retrieve the queries output. No need to go blind
Fingerprint: Fingerprint:
@ -446,7 +446,7 @@ headers and level 5 show also HTTP responses page content.
Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>1</bf>): Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>1</bf>):
<tscreen><verb> <tscreen><verb>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 1 $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 1
[hh:mm:01] [INFO] testing connection to the target url [hh:mm:01] [INFO] testing connection to the target url
[hh:mm:01] [INFO] testing if the url is stable, wait a few seconds [hh:mm:01] [INFO] testing if the url is stable, wait a few seconds
@ -482,7 +482,7 @@ back-end DBMS: MySQL >= 5.0.0
Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>2</bf>): Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>2</bf>):
<tscreen><verb> <tscreen><verb>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 2 $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 2
[hh:mm:34] [DEBUG] initializing the configuration [hh:mm:34] [DEBUG] initializing the configuration
[hh:mm:34] [DEBUG] initializing the knowledge base [hh:mm:34] [DEBUG] initializing the knowledge base
@ -503,7 +503,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat
Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>3</bf>): Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>3</bf>):
<tscreen><verb> <tscreen><verb>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 3 $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 3
[...] [...]
[hh:mm:28] [INFO] testing connection to the target url [hh:mm:28] [INFO] testing connection to the target url
@ -528,7 +528,7 @@ Connection: close
Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>4</bf>): Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>4</bf>):
<tscreen><verb> <tscreen><verb>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 4 $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 4
[...] [...]
[hh:mm:32] [INFO] testing connection to the target url [hh:mm:32] [INFO] testing connection to the target url
@ -571,7 +571,7 @@ Content-Type: text/html
Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>5</bf>): Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>5</bf>):
<tscreen><verb> <tscreen><verb>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 5 $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5
[...] [...]
[hh:mm:23] [INFO] testing connection to the target url [hh:mm:23] [INFO] testing connection to the target url
@ -624,6 +624,15 @@ Content-Type: text/html
</verb></tscreen> </verb></tscreen>
<sect2>List of targets
<p>
Option: <tt>-l</tt>
<p>
TODO
<sect2>Process Google dork results as target urls <sect2>Process Google dork results as target urls
<p> <p>
@ -685,7 +694,7 @@ Example on a <bf>PostgreSQL 8.2.7</bf> target:
<tscreen><verb> <tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&amp;cat=2" -v 1 \ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&amp;cat=2" -v 1 \
-p id -p "id"
[hh:mm:48] [INFO] testing connection to the target url [hh:mm:48] [INFO] testing connection to the target url
[hh:mm:48] [INFO] testing if the url is stable, wait a few seconds [hh:mm:48] [INFO] testing if the url is stable, wait a few seconds
@ -718,7 +727,7 @@ Example on a <bf>MySQL 5.0.51</bf> target:
<tscreen><verb> <tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 1 \ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 1 \
-p user-agent --user-agent "sqlmap/0.6.3 (http://sqlmap.sourceforge.net)" -p "user-agent" --user-agent "sqlmap/0.6.3 (http://sqlmap.sourceforge.net)"
[hh:mm:40] [WARNING] the testable parameter 'user-agent' you provided is not into the GET [hh:mm:40] [WARNING] the testable parameter 'user-agent' you provided is not into the GET
[hh:mm:40] [INFO] testing connection to the target url [hh:mm:40] [INFO] testing connection to the target url
@ -765,7 +774,7 @@ tested for SQL injection like the <tt>GET</tt> parameters.
Example on an <bf>Oracle XE 10.2.0.1</bf> target: Example on an <bf>Oracle XE 10.2.0.1</bf> target:
<tscreen><verb> <tscreen><verb>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/oracle/post_int.php --method POST \ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/post_int.php" --method POST \
--data "id=1&amp;cat=2" --data "id=1&amp;cat=2"
[hh:mm:53] [INFO] testing connection to the target url [hh:mm:53] [INFO] testing connection to the target url
@ -1158,7 +1167,7 @@ Option: <tt>--time-test</tt>
TODO TODO
<sect2>Test for UNION SELECT query SQL injection <sect2>Test for UNION query SQL injection
<p> <p>
Option: <tt>--union-test</tt> Option: <tt>--union-test</tt>
@ -1207,7 +1216,7 @@ affected by an inband SQL injection.
In case this vulnerability is exploitable it is strongly recommended to In case this vulnerability is exploitable it is strongly recommended to
use it. use it.
<sect2>Use the UNION SELECT query SQL injection <sect2>Use the UNION query SQL injection
<p> <p>
Option: <tt>--union-use</tt> Option: <tt>--union-use</tt>

View File

@ -51,8 +51,11 @@ Will Holcomb <wholcomb@gmail.com>
Luke Jahnke <luke.jahnke@gmail.com> Luke Jahnke <luke.jahnke@gmail.com>
for reporting a bug when running against MySQL < 5.0 for reporting a bug when running against MySQL < 5.0
Anant Kochhar <anant.kochhar@secureyes.net>
for providing me with feedback on the user's manual
Nico Leidecker <nico@leidecker.info> Nico Leidecker <nico@leidecker.info>
for providing with feedback on a few features for providing me with feedback on a few features
Pavol Luptak <pavol.luptak@nethemba.com> Pavol Luptak <pavol.luptak@nethemba.com>
for reporting a bug when injecting on a POST data parameter for reporting a bug when injecting on a POST data parameter
@ -62,6 +65,10 @@ Michael Majchrowicz <mmajchrowicz@gmail.com>
for providing really appreciated feedback for providing really appreciated feedback
for suggesting a lot of ideas and features for suggesting a lot of ideas and features
Ferruh Mavituna <ferruh@mavituna.com>
for providing me with ideas on the implementation on a couple of
new features
Enrico Milanese <enricomilanese@gmail.com> Enrico Milanese <enricomilanese@gmail.com>
for reporting a bugs when using (-a) a single line User-Agent file for reporting a bugs when using (-a) a single line User-Agent file
for providing me with some ideas for the PHP backdoor for providing me with some ideas for the PHP backdoor

View File

@ -92,25 +92,40 @@ def start():
""" """
if conf.url: if conf.url:
kb.targetUrls[conf.url] = None kb.targetUrls.add(( conf.url, conf.method, conf.data, conf.cookie ))
if conf.configFile and not kb.targetUrls: if conf.configFile and not kb.targetUrls:
errMsg = "you did not edit the configuration file properly, set " errMsg = "you did not edit the configuration file properly, set "
errMsg += "the target url, list of targets or google dork" errMsg += "the target url, list of targets or google dork"
logger.error(errMsg) logger.error(errMsg)
if kb.targetUrls and len(kb.targetUrls) > 1:
infoMsg = "sqlmap got a total of %d targets" % len(kb.targetUrls)
logger.info(infoMsg)
hostCount = 0 hostCount = 0
injData = []
receivedCookies = [] receivedCookies = []
cookieStr = "" cookieStr = ""
setCookieAsInjectable = True setCookieAsInjectable = True
for targetUrl, targetData in kb.targetUrls.items(): for targetUrl, targetMethod, targetData, targetCookie in kb.targetUrls:
conf.url = targetUrl
conf.method = targetMethod
conf.data = targetData
conf.cookie = targetCookie
injData = []
if conf.multipleTargets: if conf.multipleTargets:
hostCount += 1 hostCount += 1
message = "url %d:\n%s %s" % (hostCount, conf.method, targetUrl)
message = "url %d: %s, " % (hostCount, targetUrl) if conf.cookie:
message += "do you want to test this url? [Y/n/q] " message += "\nCookie: %s" % conf.cookie
if conf.data:
message += "\nPOST data: %s" % conf.data
message += "\ndo you want to test this url? [Y/n/q] "
test = readInput(message, default="Y") test = readInput(message, default="Y")
if not test: if not test:
@ -123,10 +138,6 @@ def start():
logMsg = "testing url %s" % targetUrl logMsg = "testing url %s" % targetUrl
logger.info(logMsg) logger.info(logMsg)
if targetData:
conf.method, conf.data, conf.cookie = targetData
conf.url = targetUrl
initTargetEnv() initTargetEnv()
if not checkConnection() or not checkString(): if not checkConnection() or not checkString():
@ -206,9 +217,14 @@ def start():
break break
else: else:
warnMsg = "%s parameter '%s' is not " % (place, parameter) infoMsg = "%s parameter '%s' is not " % (place, parameter)
warnMsg += "injectable with %d parenthesis" % parenthesis infoMsg += "injectable with %d parenthesis" % parenthesis
logger.warn(warnMsg) logger.info(infoMsg)
if not injData:
warnMsg = "%s parameter '%s' is not " % (place, parameter)
warnMsg += "injectable"
logger.warn(warnMsg)
if not kb.injPlace or not kb.injParameter or not kb.injType: if not kb.injPlace or not kb.injParameter or not kb.injType:
if len(injData) == 1: if len(injData) == 1:
@ -230,6 +246,7 @@ def start():
kb.injPlace, kb.injParameter, kb.injType = injDataSelected kb.injPlace, kb.injParameter, kb.injType = injDataSelected
setInjection() setInjection()
print kb.injPlace, kb.injParameter, kb.injType
if not conf.multipleTargets and ( not kb.injPlace or not kb.injParameter or not kb.injType ): if not conf.multipleTargets and ( not kb.injPlace or not kb.injParameter or not kb.injType ):
raise sqlmapNotVulnerableException, "all parameters are not injectable" raise sqlmapNotVulnerableException, "all parameters are not injectable"
elif kb.injPlace and kb.injParameter and kb.injType: elif kb.injPlace and kb.injParameter and kb.injType:

View File

@ -75,7 +75,7 @@ def paramToDict(place, parameters=None):
elem = element.split("=") elem = element.split("=")
if len(elem) == 2: if len(elem) == 2:
parameter = elem[0] parameter = elem[0].replace(" ", "")
condition = not conf.testParameter condition = not conf.testParameter
condition |= parameter in conf.testParameter condition |= parameter in conf.testParameter

View File

@ -81,6 +81,111 @@ def __urllib2Opener():
urllib2.install_opener(opener) urllib2.install_opener(opener)
def __feedTargetsDict(reqFile, addedTargetUrls):
fp = open(reqFile, "r")
fread = fp.read()
fread = fread.replace("\r", "")
reqResList = fread.split("======================================================")
for request in reqResList:
if not re.search ("^[\n]*(GET|POST).*?\sHTTP\/", request, re.I):
continue
getPostReq = False
url = None
host = None
method = None
data = None
cookie = None
params = False
lines = request.split("\n")
for line in lines:
if len(line) == 0 or line == "\n":
continue
if line.startswith("GET ") or line.startswith("POST "):
if line.startswith("GET "):
index = 4
else:
index = 5
url = line[index:line.index(" HTTP/")]
method = line[:index-1]
if "?" in line and "=" in line:
params = True
getPostReq = True
elif "?" in line and "=" in line and ": " not in line:
data = line
params = True
elif ": " in line:
key, value = line.split(": ", 1)
if key.lower() == "cookie":
cookie = value
elif key.lower() == "host":
host = value
if getPostReq and params:
if not url.startswith("http"):
url = "http://%s%s" % (host, url)
if not kb.targetUrls or url not in addedTargetUrls:
kb.targetUrls.add(( url, method, data, cookie ))
addedTargetUrls.add(url)
def __setMultipleTargets():
"""
Define a configuration parameter if we are running in multiple target
mode.
"""
initialTargetsCount = len(kb.targetUrls)
addedTargetUrls = set()
if not conf.list:
return
debugMsg = "parsing targets list from '%s'" % conf.list
logger.debug(debugMsg)
if not os.path.exists(conf.list):
errMsg = "the specified list of targets does not exist"
raise sqlmapFilePathException, errMsg
if os.path.isfile(conf.list):
__feedTargetsDict(conf.list, addedTargetUrls)
elif os.path.isdir(conf.list):
files = os.listdir(conf.list)
files.sort()
for reqFile in files:
if not re.search("([\d]+)\-request", reqFile):
continue
__feedTargetsDict(os.path.join(conf.list, reqFile), addedTargetUrls)
else:
errMsg = "the specified list of targets is not a file "
errMsg += "nor a directory"
raise sqlmapFilePathException, errMsg
updatedTargetsCount = len(kb.targetUrls)
if updatedTargetsCount > initialTargetsCount:
infoMsg = "sqlmap parsed %d " % (updatedTargetsCount - initialTargetsCount)
infoMsg += "testable requests from the targets list"
logger.info(infoMsg)
def __setGoogleDorking(): def __setGoogleDorking():
""" """
This function checks if the way to request testable hosts is through This function checks if the way to request testable hosts is through
@ -109,7 +214,7 @@ def __setGoogleDorking():
errMsg += "Google dork expression" errMsg += "Google dork expression"
raise sqlmapGenericException, errMsg raise sqlmapGenericException, errMsg
kb.targetUrls = googleObj.getTargetUrls() googleObj.getTargetUrls()
if kb.targetUrls: if kb.targetUrls:
logMsg = "sqlmap got %d results for your " % len(matches) logMsg = "sqlmap got %d results for your " % len(matches)
@ -120,7 +225,7 @@ def __setGoogleDorking():
else: else:
logMsg += "%d " % len(kb.targetUrls) logMsg += "%d " % len(kb.targetUrls)
logMsg += "of them are testable hosts" logMsg += "of them are testable targets"
logger.info(logMsg) logger.info(logMsg)
else: else:
errMsg = "sqlmap got %d results " % len(matches) errMsg = "sqlmap got %d results " % len(matches)
@ -129,103 +234,6 @@ def __setGoogleDorking():
raise sqlmapGenericException, errMsg raise sqlmapGenericException, errMsg
def __feedTargetsDict(reqFile):
fp = open(reqFile, "r")
fread = fp.read()
fread = fread.replace("\r", "")
# TODO: fix for Burp log file
reqResList = fread.split("\n\n======================================================\n\n\n\n")
for request in reqResList:
url = None
host = None
method = None
data = None
cookie = None
params = False
lines = request.split("\n")
for line in lines:
if len(line) == 0 or line == "\n":
continue
if line.startswith("GET ") or line.startswith("POST "):
if line.startswith("GET "):
index = 4
else:
index = 5
url = line[index:line.index(" HTTP/")]
method = line[:index-1]
if "?" in line and "=" in line:
params = True
elif "?" in line and "=" in line:
data = line
params = True
elif ": " in line:
key, value = line.split(": ", 1)
if key.lower() == "cookie":
cookie = value
elif key.lower() == "host":
host = value
if params:
if not url.startswith("http"):
url = "http://%s%s" % (host, url)
# TODO: exclude duplicated urls
kb.targetUrls[url] = ( method, data, cookie )
def __setMultipleTargets():
"""
Define a configuration parameter if we are running in multiple target
mode.
"""
initialTargetsCount = len(kb.targetUrls)
if conf.googleDork or conf.list:
conf.multipleTargets = True
if not conf.list:
return
if not os.path.exists(conf.list):
errMsg = "the specified list of target urls does not exist"
raise sqlmapFilePathException, errMsg
if os.path.isfile(conf.list):
__feedTargetsDict(conf.list)
elif os.path.isdir(conf.list):
files = os.listdir(conf.list)
files.sort()
for reqFile in files:
if not re.search("([\d]+)\-request", reqFile):
continue
__feedTargetsDict(os.path.join(conf.list, reqFile))
else:
errMsg = "the specified list of target urls is not a file "
errMsg += "nor a directory"
raise sqlmapFilePathException, errMsg
updatedTargetsCount = len(kb.targetUrls)
if updatedTargetsCount > initialTargetsCount:
infoMsg = "sqlmap parsed %d requests from the targets list" % (updatedTargetsCount - initialTargetsCount)
logger.info(infoMsg)
def __setRemoteDBMS(): def __setRemoteDBMS():
""" """
Checks and set the back-end DBMS option. Checks and set the back-end DBMS option.
@ -359,9 +367,6 @@ def __setHTTPMethod():
""" """
if conf.method: if conf.method:
debugMsg = "setting the HTTP method to perform HTTP requests through"
logger.debug(debugMsg)
conf.method = conf.method.upper() conf.method = conf.method.upper()
if conf.method not in ("GET", "POST"): if conf.method not in ("GET", "POST"):
@ -374,6 +379,9 @@ def __setHTTPMethod():
else: else:
conf.method = "GET" conf.method = "GET"
debugMsg = "setting the HTTP method to %s" % conf.method
logger.debug(debugMsg)
def __setHTTPStandardHeaders(): def __setHTTPStandardHeaders():
conf.httpHeaders.append(("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")) conf.httpHeaders.append(("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"))
@ -509,6 +517,9 @@ def __cleanupOptions():
if conf.delay: if conf.delay:
conf.delay = float(conf.delay) conf.delay = float(conf.delay)
if conf.googleDork or conf.list:
conf.multipleTargets = True
def __setConfAttributes(): def __setConfAttributes():
""" """
@ -560,7 +571,7 @@ def __setKnowledgeBaseAttributes():
kb.injType = None kb.injType = None
kb.parenthesis = None kb.parenthesis = None
kb.resumedQueries = {} kb.resumedQueries = {}
kb.targetUrls = {} kb.targetUrls = set()
kb.timeTest = None kb.timeTest = None
kb.unionComment = "" kb.unionComment = ""
kb.unionCount = None kb.unionCount = None
@ -680,8 +691,8 @@ def init(inputOptions=advancedDict()):
__setHTTPProxy() __setHTTPProxy()
__setThreads() __setThreads()
__setRemoteDBMS() __setRemoteDBMS()
__setMultipleTargets()
__setGoogleDorking() __setGoogleDorking()
__setMultipleTargets()
__urllib2Opener() __urllib2Opener()
update() update()

View File

@ -197,6 +197,20 @@ def initTargetEnv():
Initialize target environment. Initialize target environment.
""" """
if conf.multipleTargets:
conf.paramDict = {}
conf.parameters = {}
kb.dbms = None
kb.dbmsDetected = False
kb.dbmsVersion = None
kb.injParameter = None
kb.injPlace = None
kb.injType = None
kb.parenthesis = None
kb.unionComment = ""
kb.unionCount = None
kb.unionPosition = None
parseTargetUrl() parseTargetUrl()
__setRequestParams() __setRequestParams()
__setOutputResume() __setOutputResume()

View File

@ -37,7 +37,7 @@ def cmdLineParser():
This function parses the command line parameters and arguments This function parses the command line parameters and arguments
""" """
usage = "sqlmap.py [options] {-u <URL> | -g <google dork> | -c <config file>}" usage = "sqlmap.py [options] {-u \"<URL>\" | -g \"<google dork>\" | -c \"<config file>\"}"
parser = OptionParser(usage=usage, version=VERSION_STRING) parser = OptionParser(usage=usage, version=VERSION_STRING)
try: try:
@ -49,7 +49,7 @@ def cmdLineParser():
request.add_option("-u", "--url", dest="url", help="Target url") request.add_option("-u", "--url", dest="url", help="Target url")
request.add_option("-l", dest="list", help="List of target urls") request.add_option("-l", dest="list", help="List of targets")
request.add_option("-g", dest="googleDork", request.add_option("-g", dest="googleDork",
help="Process Google dork results as target urls") help="Process Google dork results as target urls")
@ -118,11 +118,11 @@ def cmdLineParser():
techniques.add_option("--union-test", dest="unionTest", techniques.add_option("--union-test", dest="unionTest",
action="store_true", action="store_true",
help="Test for UNION SELECT (inband) SQL injection") help="Test for UNION query (inband) SQL injection")
techniques.add_option("--union-use", dest="unionUse", techniques.add_option("--union-use", dest="unionUse",
action="store_true", action="store_true",
help="Use the UNION SELECT (inband) SQL injection " help="Use the UNION query (inband) SQL injection "
"to retrieve the queries output. No " "to retrieve the queries output. No "
"need to go blind") "need to go blind")

View File

@ -30,6 +30,7 @@ import urllib2
from lib.core.convert import urlencode from lib.core.convert import urlencode
from lib.core.data import conf from lib.core.data import conf
from lib.core.data import kb
from lib.core.exception import sqlmapConnectionException from lib.core.exception import sqlmapConnectionException
from lib.core.exception import sqlmapRegExprException from lib.core.exception import sqlmapRegExprException
@ -68,17 +69,9 @@ class Google:
your Google dork search results your Google dork search results
""" """
targetUrls = {}
targetUrlsSet = set()
for match in self.__matches: for match in self.__matches:
if re.search("(.*?)\?(.+)", match, re.I): if re.search("(.*?)\?(.+)", match, re.I):
targetUrlsSet.add(match) kb.targetUrls.add(( match, None, None, None ))
for targetUrl in targetUrlsSet:
targetUrls[targetUrl] = None
return targetUrls
def getCookie(self): def getCookie(self):

View File

@ -126,7 +126,7 @@ def resume(expression, payload):
# If we called this function without providing a payload it means that # If we called this function without providing a payload it means that
# we have called it from lib/request/inject __goInband() function # we have called it from lib/request/inject __goInband() function
# in UNION SELECT (inband) SQL injection so we return to the calling # in UNION query (inband) SQL injection so we return to the calling
# function so that the query output will be retrieved taking advantage # function so that the query output will be retrieved taking advantage
# of the inband SQL injection vulnerability. # of the inband SQL injection vulnerability.
if not payload: if not payload:

View File

@ -3,13 +3,13 @@
# Target URL. # Target URL.
# Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2 # Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
# PHP and MySQL (local) # PHP and MySQL (local)
#url = http://127.0.0.1/sqlmap/mysql/get_int.php?id=1 url = http://127.0.0.1/sqlmap/mysql/get_int.php?id=1
# PHP and Oracle (local) # PHP and Oracle (local)
#url = http://127.0.0.1/sqlmap/oracle/get_int.php?id=1 #url = http://127.0.0.1/sqlmap/oracle/get_int.php?id=1
# PHP and PostgreSQL (local) # PHP and PostgreSQL (local)
#url = http://127.0.0.1/sqlmap/pgsql/get_int.php?id=1 #url = http://127.0.0.1/sqlmap/pgsql/get_int.php?id=1
# PHP and Microsoft SQL Server (remote) # PHP and Microsoft SQL Server (remote)
url = http://127.0.0.1/sqlmap/mssql/get_int.php?id=1 #url = http://127.0.0.1/sqlmap/mssql/get_int.php?id=1
# PHP and MySQL (remote on Windows) # PHP and MySQL (remote on Windows)
#url = http://127.0.0.1/sqlmap/mysql/win_get_int.php?id=1 #url = http://127.0.0.1/sqlmap/mysql/win_get_int.php?id=1
# ASP and Microsoft SQL Server (local) # ASP and Microsoft SQL Server (local)
@ -21,6 +21,9 @@ url = http://127.0.0.1/sqlmap/mssql/get_int.php?id=1
#url = #url =
# List of targets # List of targets
# Valid: Burp proxy (http://portswigger.net/suite/) requests log file path
# or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
# 'conversations/' folder path
list = list =
# Rather than providing a target url, let Google return target # Rather than providing a target url, let Google return target
@ -107,11 +110,11 @@ dbms =
# Valid: True or False # Valid: True or False
timeTest = False timeTest = False
# Test for UNION SELECT (inband) SQL injection. # Test for UNION query (inband) SQL injection.
# Valid: True or False # Valid: True or False
unionTest = False unionTest = False
# Use the UNION SELECT (inband) SQL injection to retrieve the queries # Use the UNION query (inband) SQL injection to retrieve the queries
# output. No need to go blind. # output. No need to go blind.
# Valid: True or False # Valid: True or False
unionUse = False unionUse = False