sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-03-23 19:34:13 +03:00
Code Issues Packages Projects Releases Wiki Activity

more code refactoring

Browse Source
This commit is contained in:
Miroslav Stampar 2010-11-23 14:50:47 +00:00
parent 3cae76627c
commit aa5d038f18
4 changed files with 532 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/core/common.py
View File

@ -663,7 +663,8 @@ def setPaths():
paths.COMMON_TABLES = os.path.join(paths.SQLMAP_TXT_PATH, "common-tables.txt") paths.COMMON_TABLES = os.path.join(paths.SQLMAP_TXT_PATH, "common-tables.txt")
paths.COMMON_OUTPUTS = os.path.join(paths.SQLMAP_TXT_PATH, 'common-outputs.txt') paths.COMMON_OUTPUTS = os.path.join(paths.SQLMAP_TXT_PATH, 'common-outputs.txt')
paths.SQL_KEYWORDS = os.path.join(paths.SQLMAP_TXT_PATH, "keywords.txt") paths.SQL_KEYWORDS = os.path.join(paths.SQLMAP_TXT_PATH, "keywords.txt")
paths.WORDLIST_TXT = os.path.join(paths.SQLMAP_TXT_PATH, "wordlist.txt") paths.ORACLE_DEFAULT_PASSWD = os.path.join(paths.SQLMAP_TXT_PATH, "oracle-default-passwords.txt")
paths.WORDLIST = os.path.join(paths.SQLMAP_TXT_PATH, "wordlist.txt")
paths.PHPIDS_RULES_XML = os.path.join(paths.SQLMAP_XML_PATH, "phpids_rules.xml") paths.PHPIDS_RULES_XML = os.path.join(paths.SQLMAP_XML_PATH, "phpids_rules.xml")
paths.ERRORS_XML = os.path.join(paths.SQLMAP_XML_PATH, "errors.xml") paths.ERRORS_XML = os.path.join(paths.SQLMAP_XML_PATH, "errors.xml")
paths.INJECTIONS_XML = os.path.join(paths.SQLMAP_XML_PATH, "injections.xml") paths.INJECTIONS_XML = os.path.join(paths.SQLMAP_XML_PATH, "injections.xml")
@ -1607,10 +1608,13 @@ def logHTTPTraffic(requestLogMsg, responseLogMsg):
kb.locks.reqLock.release() kb.locks.reqLock.release()
def getPublicTypeMembers(type_): def getPublicTypeMembers(type_):
"""
Useful for getting members from types (e.g. in enums)
"""
retVal = [] retVal = []
for name, value in getmembers(type_): for name, value in getmembers(type_):
if not name.startswith('__'): if not name.startswith('__'):
retVal.append((name, value)) retVal.append((name, value))
return retVal return retVal

2
lib/core/enums.py
View File

@ -50,6 +50,6 @@ class HASH:
MSSQL = r'(?i)\A0x0100[0-9a-f]{8}[0-9a-f]{40}\Z' MSSQL = r'(?i)\A0x0100[0-9a-f]{8}[0-9a-f]{40}\Z'
MSSQL_OLD = r'(?i)\A0x0100[0-9a-f]{8}[0-9a-f]{80}\Z' MSSQL_OLD = r'(?i)\A0x0100[0-9a-f]{8}[0-9a-f]{80}\Z'
ORACLE = r'(?i)\As:[0-9a-f]{60}\Z' ORACLE = r'(?i)\As:[0-9a-f]{60}\Z'
ORACLE_OLD = r'(?i)\A[0-9a-f]{16}\Z' ORACLE_OLD = r'(?i)\A[01-9a-f]{16}\Z'
MD5_GENERIC = r'(?i)\A[0-9a-f]{32}\Z' MD5_GENERIC = r'(?i)\A[0-9a-f]{32}\Z'
SHA1_GENERIC = r'(?i)\A[0-9a-f]{40}\Z' SHA1_GENERIC = r'(?i)\A[0-9a-f]{40}\Z'

48
lib/utils/hash.py
View File

@ -16,6 +16,7 @@ from zipfile import ZipFile
from extra.pydes.pyDes import des from extra.pydes.pyDes import des
from extra.pydes.pyDes import CBC from extra.pydes.pyDes import CBC
from lib.core.common import checkFile
from lib.core.common import conf from lib.core.common import conf
from lib.core.common import dataToStdout from lib.core.common import dataToStdout
from lib.core.common import getFileItems from lib.core.common import getFileItems
@ -191,11 +192,23 @@ def dictionaryAttack():
hash_ = hash_.split()[0] hash_ = hash_.split()[0]
for _, regex in getPublicTypeMembers(HASH): for name, regex in getPublicTypeMembers(HASH):
if re.match(regex, hash_): if kb.dbms == DBMS.ORACLE and regex == HASH.MYSQL_OLD:
continue
elif kb.dbms == DBMS.MYSQL and regex == HASH.ORACLE_OLD:
continue
elif re.match(regex, hash_):
rehash = regex rehash = regex
infoMsg = "using hash method: '%s'" % name
logger.info(infoMsg)
break break
if rehash:
break
if rehash:
break
if rehash: if rehash:
for (user, hashes) in kb.data.cachedUsersPasswords.items(): for (user, hashes) in kb.data.cachedUsersPasswords.items():
for hash_ in hashes: for hash_ in hashes:
@ -207,7 +220,7 @@ def dictionaryAttack():
if re.match(rehash, hash_): if re.match(rehash, hash_):
hash_ = hash_.lower() hash_ = hash_.lower()
if rehash in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC) and kb.dbms != DBMS.ORACLE: if rehash in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC):
attack_info.append([(user, hash_), {}]) attack_info.append([(user, hash_), {}])
elif rehash in (HASH.ORACLE_OLD, HASH.POSTGRES): elif rehash in (HASH.ORACLE_OLD, HASH.POSTGRES):
attack_info.append([(user, hash_), {'username': user}]) attack_info.append([(user, hash_), {'username': user}])
@ -216,16 +229,26 @@ def dictionaryAttack():
elif rehash in (HASH.MSSQL, HASH.MSSQL_OLD): elif rehash in (HASH.MSSQL, HASH.MSSQL_OLD):
attack_info.append([(user, hash_), {'salt': hash_[6:14]}]) attack_info.append([(user, hash_), {'salt': hash_[6:14]}])
infoMsg = "loading dictionary from: '%s'" % paths.WORDLIST_TXT if rehash == HASH.ORACLE_OLD: #it's the slowest of all methods hence smaller default dict
message = "what's the dictionary's location? [%s]" % paths.ORACLE_DEFAULT_PASSWD
dictpath = readInput(message, default=paths.ORACLE_DEFAULT_PASSWD)
else:
message = "what's the dictionary's location? [%s]" % paths.WORDLIST
dictpath = readInput(message, default=paths.WORDLIST)
checkFile(dictpath)
infoMsg = "loading dictionary from: '%s'" % dictpath
logger.info(infoMsg) logger.info(infoMsg)
wordlist = getFileItems(paths.WORDLIST_TXT, None, False) wordlist = getFileItems(dictpath, None, False)
infoMsg = "running dictionary attack" infoMsg = "running dictionary attack"
logger.info(infoMsg) logger.info(infoMsg)
length = len(wordlist) length = len(wordlist)
if rehash in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC) and kb.dbms != DBMS.ORACLE: if rehash in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC):
count = 0 count = 0
for word in wordlist: for word in wordlist:
count += 1 count += 1
@ -233,7 +256,7 @@ def dictionaryAttack():
for item in attack_info: for item in attack_info:
((user, hash_), _) = item ((user, hash_), _) = item
if count % 1117 == 0 or count == length: if count % 1117 == 0 or count == length or rehash in (HASH.ORACLE_OLD):
status = '%d/%d words (%d%s)' % (count, length, round(100.0*count/length), '%') status = '%d/%d words (%d%s)' % (count, length, round(100.0*count/length), '%')
dataToStdout("\r[%s] [INFO] %s" % (time.strftime("%X"), status), True) dataToStdout("\r[%s] [INFO] %s" % (time.strftime("%X"), status), True)
@ -242,6 +265,7 @@ def dictionaryAttack():
#dataToStdout("\r[%s] [INFO] found: %s:%s\n" % (time.strftime("%X"), user, word), True) #dataToStdout("\r[%s] [INFO] found: %s:%s\n" % (time.strftime("%X"), user, word), True)
attack_info.remove(item) attack_info.remove(item)
dataToStdout("\n", True)
else: else:
for ((user, hash_), kwargs) in attack_info: for ((user, hash_), kwargs) in attack_info:
count = 0 count = 0
@ -249,8 +273,8 @@ def dictionaryAttack():
current = __functions__[rehash](password = word, uppercase = False, **kwargs) current = __functions__[rehash](password = word, uppercase = False, **kwargs)
count += 1 count += 1
if count % 1117 == 0 or count == length: if count % 1117 == 0 or count == length or rehash in (HASH.ORACLE_OLD):
status = '%d/%d words (%d%s)' % (count, length, round(100.0*count/length), '%') status = '%d/%d words (%d%s) (user: %s)' % (count, length, round(100.0*count/length), '%', user)
dataToStdout("\r[%s] [INFO] %s" % (time.strftime("%X"), status), True) dataToStdout("\r[%s] [INFO] %s" % (time.strftime("%X"), status), True)
if hash_ == current: if hash_ == current:
@ -258,9 +282,13 @@ def dictionaryAttack():
#dataToStdout("\r[%s] [INFO] found: %s:%s\n" % (time.strftime("%X"), user, word), True) #dataToStdout("\r[%s] [INFO] found: %s:%s\n" % (time.strftime("%X"), user, word), True)
break break
dataToStdout("\n", True) dataToStdout("\n", True)
blank = " " blank = " "
for (user, hash_, password) in results: for (user, hash_, password) in results:
for i in xrange(len(kb.data.cachedUsersPasswords[user])): for i in xrange(len(kb.data.cachedUsersPasswords[user])):
if kb.data.cachedUsersPasswords[user][i] and hash_.lower() in kb.data.cachedUsersPasswords[user][i].lower(): if kb.data.cachedUsersPasswords[user][i] and hash_.lower() in kb.data.cachedUsersPasswords[user][i].lower():
kb.data.cachedUsersPasswords[user][i] += "%s%spassword: %s" % ('\n' if kb.data.cachedUsersPasswords[user][i][-1] != '\n' else '', blank, password) kb.data.cachedUsersPasswords[user][i] += "%s%spassword: %s" % ('\n' if kb.data.cachedUsersPasswords[user][i][-1] != '\n' else '', blank, password)
else:
errMsg = "hash format unrecognized"
logger.error(errMsg)

487
txt/oracle-default-passwords.txt Normal file
View File

@ -0,0 +1,487 @@
06071992
0racl3
0racl38
0racl38i
0racl39
0racl39i
0racle
0racle8
0racle8i
0racle9
0racle9i
199220706
abm
adgangskode
adldemo
admin
administrator
ahl
ahm
airoplane
ak
akf7d98s2
alr
ams
amv
anonymous
ap
applmgr
applsys
applsyspub
apppassword
apps
aq
aqdemo
aqjava
aquser
ar
asf
asg
asl
aso
asp
ast
audiouser
ax
az
bar
bc4j
ben
bic
bil
bim
bis
biv
bix
blewis
bom
brio_admin
bsc
bug_reports
catalog
cct
cdemo82
cdemo83
cdemocor
cdemorid
cdemoucb
cdouglas
ce
centra
central
change_on_install
cids
cis
cisinfo
clave
clerk
cloth
cn
company
compiere
crp
cs
csc
csd
cse
csf
csi
csl
csmig
csp
csr
css
ctxdemo
ctxsys
cua
cue
cuf
cug
cui
cun
cup
cus
cz
d_syspw
d_systpw
dbsnmp
dbvision
demo
demo8
demo9
des
des2k
dev2000_demos
dip
discoverer_admin
dmsys
dpfpass
dsgateway
dssys
dtsp
eaa
eam
east
ec
ecx
ejb
ejsadmin
ejsadmin_password
emp
eng
eni
estore
event
evm
example
exfsys
extdemo
extdemo2
fa
fem
fii
finance
finprod
flm
fnd
fndpub
fpt
frm
fte
fv
gl
gma
gmd
gme
gmf
gmi
gml
gmp
gms
gpfd
gpld
gr
hades
hcpark
hlw
hobbes
hr
hri
hvst
hxc
hxt
iba
ibe
ibp
ibu
iby
icdbown
icx
idemo_user
ieb
iec
iem
ieo
ies
ieu
iex
ifssys
igc
igf
igi
igs
igw
imageuser
imc
imedia
imt
instance
inv
invalid
invalid password
ipa
ipd
iplanet
isc
itg
ja
je
jetspeed
jg
jl
jmuser
john
jtf
jtm
jts
kwalker
l2ldemo
laskjdf098ksdaf09
lbacsys
manag3r
manager
manprod
mddata
mddemo
mddemo_mgr
mdsys
me
mfg
mgr
mgwuser
migrate
miller
mmo2
mmo3
moreau
mot_de_passe
mrp
msc
msd
mso
msr
mt6ch5
mtrpw
mts_password
mtssys
mumblefratz
mwa
mxagent
names
neotix_sys
nneulpass
oas_public
ocitest
ocm_db_admin
odm
ods
ods_server
odscommon
oe
oem_temp
oemadm
oemrep
okb
okc
oke
oki
oko
okr
oks
okx
olapdba
olapsvr
olapsys
ont
oo
openspirit
opi
oracache
oracl3
oracle
oracle8
oracle8i
oracle9
oracle9i
oradbapass
oraprobe
oraregsys
orasso
orasso_ds
orasso_pa
orasso_ps
orasso_public
orastat
ordcommon
ordplugins
ordsys
osm
osp22
ota
outln
owa
owa_public
owf_mgr
owner
ozf
ozp
ozs
pa
panama
paper
parol
passwd
passwo1
passwo2
passwo3
passwo4
password
patrol
paul
perfstat
perstat
pjm
planning
plex
pm
pmi
pn
po
po7
po8
poa
pom
portal30
portal30_admin
portal30_demo
portal30_ps
portal30_public
portal30_sso
portal30_sso_admin
portal30_sso_ps
portal30_sso_public
portal31
portal_demo
portal_sso_ps
pos
powercartuser
primary
psa
psb
psp
pub
pubsub
pubsub1
pv
qa
qdba
qp
qs
qs_adm
qs_cb
qs_cbadm
qs_cs
qs_es
qs_os
qs_ws
re
rep_owner
repadmin
reports
rg
rhx
rla
rlm
rmail
rman
rrs
sample
sampleatm
sap
sapr3
sdos_icsap
secdemo
senha
serviceconsumer1
sh
shelves
si_informtn_schema
siteminder
slidepw
snowman
spierson
ssp
starter
steel
strat_passwd
supersecret
support
swordfish
swpro
swuser
sympa
sys
sys_stnt
sysadm
sysadmin
sysman
syspass
system
systempass
tahiti
tdos_icsap
tectec
test
test_user
testpilot
thinsamplepw
tibco
tiger
tigger
tip37
trace
travel
tsdev
tsuser
turbine
ultimate
um_admin
um_client
unknown
user
user0
user1
user2
user3
user4
user5
user6
user7
user8
user9
utility
utlestat
vea
veh
vertex_login
videouser
vif_dev_pwd
viruser
vrr1
vrr2
webcal01
webdb
webread
welcome
west
wfadmin
wh
wip
wk_test
wkadmin
wkproxy
wksys
wkuser
wms
wmsys
wob
wood
wps
wsh
wsm
www
wwwuser
xademo
xdp
xla
xnc
xni
xnm
xnp
xns
xprt
xtr
xxx
yes
your_pass
zwerg