From 9564c8e8b1984e5f7eba741750cfca5fbde387f7 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Fri, 21 Dec 2018 11:29:57 +0100
Subject: [PATCH] Refactoring regarding casting warnings
---
 lib/controller/checks.py | 17 ++++++++++++++---
 lib/core/enums.py | 2 +-
 lib/core/settings.py | 4 ++--
 lib/request/connect.py | 4 ++--
 lib/takeover/web.py | 34 +++++++++++++++++----------------
 txt/checksum.md5 | 10 +++++-----
 6 files changed, 41 insertions(+), 30 deletions(-)
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index 104aeec9e..05bfd6cd9 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -69,6 +69,7 @@ from lib.core.enums import NULLCONNECTION
 from lib.core.enums import PAYLOAD
 from lib.core.enums import PLACE
 from lib.core.enums import REDIRECTION
+from lib.core.enums import WEB_PLATFORM
 from lib.core.exception import SqlmapConnectionException
 from lib.core.exception import SqlmapDataException
 from lib.core.exception import SqlmapNoneDataException
@@ -1052,9 +1053,19 @@ def heuristicCheckSqlInjection(place, parameter):
 kb.heuristicTest = HEURISTIC_TEST.CASTED if casting else HEURISTIC_TEST.NEGATIVE if not result else HEURISTIC_TEST.POSITIVE
 if casting:
- errMsg = "possible %s casting " % ("integer" if origValue.isdigit() else "type")
- errMsg += "detected (e.g. \"$%s=intval($_REQUEST['%s'])\") " % (parameter, parameter)
- errMsg += "at the back-end web application"
+ errMsg = "possible %s casting detected (e.g. '" % ("integer" if origValue.isdigit() else "type")
+
+ platform = conf.url.split('.')[-1].lower()
+ if platform == WEB_PLATFORM.ASP:
+ errMsg += "%s=CInt(request.querystring(\"%s\"))" % (parameter, parameter)
+ elif platform == WEB_PLATFORM.ASPX:
+ errMsg += "int.TryParse(Request.QueryString[\"%s\"], out %s)" % (parameter, parameter)
+ elif platform == WEB_PLATFORM.JSP:
+ errMsg += "%s=Integer.parseInt(request.getParameter(\"%s\"))" % (parameter, parameter)
+ else:
+ errMsg += "$%s=intval($_REQUEST[\"%s\"])" % (parameter, parameter)
+
+ errMsg += "') at the back-end web application"
 logger.error(errMsg)
 if kb.ignoreCasted is None:
diff --git a/lib/core/enums.py b/lib/core/enums.py
index 45b08c526..16125dd17 100644
--- a/lib/core/enums.py
+++ b/lib/core/enums.py
@@ -310,7 +310,7 @@ class ADJUST_TIME_DELAY:
 NO = 0
 YES = 1
-class WEB_API:
+class WEB_PLATFORM:
 PHP = "php"
 ASP = "asp"
 ASPX = "aspx"
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 70c2280a5..c7291655a 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
 from lib.core.enums import OS
 # sqlmap version (...)
-VERSION = "1.2.12.35"
+VERSION = "1.2.12.36"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
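Review bot: The new `platform = conf.url.split('.')[-1].lower()` keys on whatever follows the last dot anywhere in the URL, so a target with no file extension (a path under a dotted host, or a trailing port) never equals asp/aspx/jsp and silently gets the PHP example; acceptable for a hint, but it is the third way this patch touches of guessing the platform from the URL — connect.py @@ -889 uses `conf.url.lower().endswith(_.lower())`, which lacks the dot and so also accepts a path that merely ends in those letters, and web.py @@ -158 uses a case-sensitive `conf.url.endswith(ext)` on its context lines. One shared helper would keep the three in step, e.g. `platform = next((_ for _ in getPublicTypeMembers(WEB_PLATFORM, True) if conf.url.lower().endswith(".%s" % _)), WEB_PLATFORM.PHP)`, assuming getPublicTypeMembers is importable here as it is in web.py. A comment above the branch would also help, e.g. `# best-effort guess of the server-side language from the URL extension; only selects the example shown in the warning`. heuristicCheckSqlInjection begins before and continues after this hunk, and WEB_PLATFORM.JSP is referenced although the enums hunk shows only PHP/ASP/ASPX, so it presumably sits below the visible context.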
@@ -687,7 +687,7 @@ MAX_HELP_OPTION_LENGTH = 18
 MAX_CONNECT_RETRIES = 100
 # Strings for detecting formatting errors
-FORMAT_EXCEPTION_STRINGS = ("Type mismatch", "Error converting", "Conversion failed", "String or binary data would be truncated", "Failed to convert", "unable to interpret text value", "Input string was not in a correct format", "System.FormatException", "java.lang.NumberFormatException", "ValueError: invalid literal", "TypeMismatchException", "CF_SQL_INTEGER", " for CFSQLTYPE ", "cfqueryparam cfsqltype", "InvalidParamTypeException", "Invalid parameter type", "is not of type numeric", "__VIEWSTATE[^"]*)[^>]+value="(?P[^"]+)'
diff --git a/lib/request/connect.py b/lib/request/connect.py
index 8dfe94383..f5f3642fe 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -78,7 +78,7 @@ from lib.core.enums import PAYLOAD
 from lib.core.enums import PLACE
 from lib.core.enums import POST_HINT
 from lib.core.enums import REDIRECTION
-from lib.core.enums import WEB_API
+from lib.core.enums import WEB_PLATFORM
 from lib.core.exception import SqlmapCompressionException
 from lib.core.exception import SqlmapConnectionException
 from lib.core.exception import SqlmapGenericException
@@ -889,7 +889,7 @@ class Connect(object):
 postUrlEncode = False
 if conf.hpp:
- if not any(conf.url.lower().endswith(_.lower()) for _ in (WEB_API.ASP, WEB_API.ASPX)):
+ if not any(conf.url.lower().endswith(_.lower()) for _ in (WEB_PLATFORM.ASP, WEB_PLATFORM.ASPX)):
 warnMsg = "HTTP parameter pollution should work only against "
 warnMsg += "ASP(.NET) targets"
 singleTimeWarnMessage(warnMsg)
diff --git a/lib/takeover/web.py b/lib/takeover/web.py
index 67e0fdcb1..921366a00 100644
--- a/lib/takeover/web.py
+++ b/lib/takeover/web.py
@@ -43,7 +43,7 @@ from lib.core.enums import HTTP_HEADER
 from lib.core.enums import OS
 from lib.core.enums import PAYLOAD
 from lib.core.enums import PLACE
-from lib.core.enums import WEB_API
+from lib.core.enums import WEB_PLATFORM
 from lib.core.exception import SqlmapNoneDataException
 from lib.core.settings import BACKDOOR_RUN_CMD_TIMEOUT
 from lib.core.settings import EVENTVALIDATION_REGEX
@@ -60,7 +60,7 @@ class Web:
 """
 def __init__(self):
- self.webApi = None
+ self.webPlatform = None
 self.webBaseUrl = None
 self.webBackdoorUrl = None
 self.webBackdoorFilePath = None
@@ -109,14 +109,14 @@ class Web:
 except TypeError:
 pass
- if self.webApi in getPublicTypeMembers(WEB_API, True):
+ if self.webPlatform in getPublicTypeMembers(WEB_PLATFORM, True):
 multipartParams = {
 "upload": "1",
 "file": stream,
 "uploadDir": directory,
 }
- if self.webApi == WEB_API.ASPX:
+ if self.webPlatform == WEB_PLATFORM.ASPX:
 multipartParams['__EVENTVALIDATION'] = kb.data.__EVENTVALIDATION
 multipartParams['__VIEWSTATE'] = kb.data.__VIEWSTATE
@@ -130,7 +130,7 @@ class Web:
 else:
 return True
 else:
- logger.error("sqlmap hasn't got a web backdoor nor a web file stager for %s" % self.webApi)
+ logger.error("sqlmap hasn't got a web backdoor nor a web file stager for %s" % self.webPlatform)
 return False
 def _webFileInject(self, fileContent, fileName, directory):
@@ -158,13 +158,13 @@ class Web:
 remote directory within the web server document root.
 """
- if self.webBackdoorUrl is not None and self.webStagerUrl is not None and self.webApi is not None:
+ if self.webBackdoorUrl is not None and self.webStagerUrl is not None and self.webPlatform is not None:
 return self.checkDbmsOs()
 default = None
- choices = list(getPublicTypeMembers(WEB_API, True))
+ choices = list(getPublicTypeMembers(WEB_PLATFORM, True))
 for ext in choices:
 if conf.url.endswith(ext):
@@ -172,7 +172,7 @@ class Web:
 break
 if not default:
- default = WEB_API.ASP if Backend.isOs(OS.WINDOWS) else WEB_API.PHP
+ default = WEB_PLATFORM.ASP if Backend.isOs(OS.WINDOWS) else WEB_PLATFORM.PHP
 message = "which web application language does the web server "
 message += "support?\n"
@@ -196,7 +196,7 @@ class Web:
 logger.warn("invalid value, it must be between 1 and %d" % len(choices))
 else:
- self.webApi = choices[int(choice) - 1]
+ self.webPlatform = choices[int(choice) - 1]
 break
 if not kb.absFilePaths:
@@ -266,16 +266,16 @@ class Web:
 _.append("%s/%s" % (directory.rstrip('/'), path.strip('/')))
 directories = _
- backdoorName = "tmpb%s.%s" % (randomStr(lowercase=True), self.webApi)
- backdoorContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "backdoors", "backdoor.%s_" % self.webApi))
+ backdoorName = "tmpb%s.%s" % (randomStr(lowercase=True), self.webPlatform)
+ backdoorContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "backdoors", "backdoor.%s_" % self.webPlatform))
- stagerContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "stagers", "stager.%s_" % self.webApi))
+ stagerContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "stagers", "stager.%s_" % self.webPlatform))
 for directory in directories:
 if not directory:
 continue
- stagerName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi)
+ stagerName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webPlatform)
 self.webStagerFilePath = posixpath.join(ntToPosixSlashes(directory), stagerName)
 uploaded = False
@@ -317,14 +317,14 @@ class Web:
 infoMsg += "via UNION method"
 logger.info(infoMsg)
- stagerName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi)
+ stagerName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webPlatform)
 self.webStagerFilePath = posixpath.join(ntToPosixSlashes(directory), stagerName)
 handle, filename = tempfile.mkstemp()
 os.close(handle)
 with open(filename, "w+b") as f:
- _ = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "stagers", "stager.%s_" % self.webApi))
+ _ = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "stagers", "stager.%s_" % self.webPlatform))
 _ = _.replace(SHELL_WRITABLE_DIR_TAG, utf8encode(directory.replace('/', '\\\\') if Backend.isOs(OS.WINDOWS) else directory))
 f.write(_)
@@ -353,7 +353,7 @@ class Web:
 logger.warn(warnMsg)
 continue
- elif self.webApi == WEB_API.ASPX:
+ elif self.webPlatform == WEB_PLATFORM.ASPX:
 kb.data.__EVENTVALIDATION = extractRegexResult(EVENTVALIDATION_REGEX, uplPage)
 kb.data.__VIEWSTATE = extractRegexResult(VIEWSTATE_REGEX, uplPage)
@@ -361,7 +361,7 @@ class Web:
 infoMsg += "on '%s' - %s" % (directory, self.webStagerUrl)
 logger.info(infoMsg)
- if self.webApi == WEB_API.ASP:
+ if self.webPlatform == WEB_PLATFORM.ASP:
 match = re.search(r'input type=hidden name=scriptsdir value="([^"]+)"', uplPage)
 if match:
diff --git a/txt/checksum.md5 b/txt/checksum.md5
index 31c3ac8d3..fc51b6506 100644
--- a/txt/checksum.md5
+++ b/txt/checksum.md5
@@ -23,7 +23,7 @@ b3e60ea4e18a65c48515d04aab28ff68 extra/sqlharvest/sqlharvest.py
 1e5532ede194ac9c083891c2f02bca93 extra/wafdetectify/__init__.py
 c1bccc94522d3425a372dcd57f78418e extra/wafdetectify/wafdetectify.py
 3459c562a6abb9b4bdcc36925f751f3e lib/controller/action.py
-0f0feede9750be810d2b8a7ab159b7b0 lib/controller/checks.py
+d4582467b0735525d8d8bdc0396ec87f lib/controller/checks.py
 197bdf07f8ea15ecc7e0dafea4f9ae2f lib/controller/controller.py
 988b548f6578adf9cec17afdeee8291c lib/controller/handler.py
 1e5532ede194ac9c083891c2f02bca93 lib/controller/__init__.py
@@ -37,7 +37,7 @@ c347f085bd561adfa26d3a9512e5f3b9 lib/core/bigarray.py
 fbb55cc6100318ff922957b6577dc58f lib/core/defaults.py
 ac7c070b2726d39fbac1916b1a5f92b2 lib/core/dicts.py
 760de985e09f5d11aacd3a8f2d8e9ff2 lib/core/dump.py
-0cf974cf4ff3b96e1a349a12e39f4693 lib/core/enums.py
+5b6999c4b78180961e9f33e172d4dd66 lib/core/enums.py
 cada93357a7321655927fc9625b3bfec lib/core/exception.py
 1e5532ede194ac9c083891c2f02bca93 lib/core/__init__.py
 458a194764805cd8312c14ecd4be4d1e lib/core/log.py
@@ -49,7 +49,7 @@ c8c386d644d57c659d74542f5f57f632 lib/core/patch.py
 0c3eef46bdbf87e29a3f95f90240d192 lib/core/replication.py
 a7db43859b61569b601b97f187dd31c5 lib/core/revision.py
 fcb74fcc9577523524659ec49e2e964b lib/core/session.py
-08295f121daafa4c20282201861422cb lib/core/settings.py
+3afa2b42741332ce14a8c98befcfdff7 lib/core/settings.py
 a971ce157d04de96ba6e710d3d38a9a8 lib/core/shell.py
 a7edc9250d13af36ac0108f259859c19 lib/core/subprocessng.py
 1581be48127a3a7a9fd703359b6e7567 lib/core/target.py
@@ -71,7 +71,7 @@ f6b5957bf2103c3999891e4f45180bce lib/parse/payloads.py
 30eed3a92a04ed2c29770e1b10d39dc0 lib/request/basicauthhandler.py
 2b81435f5a7519298c15c724e3194a0d lib/request/basic.py
 859b6ad583e0ffba154f17ee179b5b89 lib/request/comparison.py
-40c4cc791ec657b612ccecf5b3241651 lib/request/connect.py
+7ec820ec27161208a8411d81ec48161a lib/request/connect.py
 dd4598675027fae99f2e2475b05986da lib/request/direct.py
 2044fce3f4ffa268fcfaaf63241b1e64 lib/request/dns.py
 98535d0efca5551e712fcc4b34a3f772 lib/request/httpshandler.py
@@ -88,7 +88,7 @@ acc1db3667bf910b809eb279b60595eb lib/takeover/icmpsh.py
 4bf186a747e1a0c4ed5127ef064c3920 lib/takeover/metasploit.py
 fb9e34d558293b5d6b9727f440712886 lib/takeover/registry.py
 6a49f359b922df0247eb236126596336 lib/takeover/udf.py
-a3d07df8a780c668a11f06be42014cdc lib/takeover/web.py
+ce8524022df29602f3d6c3c41f938ad4 lib/takeover/web.py
 debc36a3ff80ba915aeeee69b21a8ddc lib/takeover/xp_cmdshell.py
 db208ab47de010836c6bf044e2357861 lib/techniques/blind/inference.py
 1e5532ede194ac9c083891c2f02bca93 lib/techniques/blind/__init__.py