Minor adjustments and minor bug fixes. Documentation almost complete for sqlmap 0.6.3.

2024-11-24 18:43:47 +03:00 · 2008-12-12 19:06:31 +00:00 · 2008-12-12 19:06:31 +00:00 · bf2a857b9a
commit bf2a857b9a
parent 072eb7154c
12 changed files with 2077 additions and 970 deletions
--- a/doc/README.html
+++ b/doc/README.html
--- a/doc/README.pdf
+++ b/doc/README.pdf
--- a/doc/README.sgml
+++ b/doc/README.sgml
--- a/extra/msfauxmod/README.txt
+++ b/extra/msfauxmod/README.txt
@ -2,10 +2,9 @@ To use Metasploit's sqlmap auxiliary module launch msfconsole and follow
 the example below.

 Note that if you are willing to run Metasploit's sqlmap auxiliary module on
-Metasploit Framework 3.0 or 3.1 you first need to copy wmap_sqlmap.rb to
-your <msf3 root path>/modules/auxiliary/scanner/http/ folder then launch
-msfconsole because this module has been officially integrated in Metasploit
-from the release 3.2.
+through WMAP framework you first need to install sqlmap on your system or
+add its file system path to the PATH environment variable.
+

 $ ./msfconsole

--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@ -24,6 +24,7 @@ Franklin St, Fifth Floor, Boston, MA  02110-1301  USA



+import re
 import time

 from lib.controller.action import action
@ -35,6 +36,7 @@ from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.exception import sqlmapConnectionException
 from lib.core.session import setString
+from lib.core.session import setRegexp
 from lib.request.connect import Connect as Request


@ -337,6 +339,38 @@ def checkString():
        return False


+def checkRegexp():
+    if not conf.regexp:
+        return True
+
+    condition = (
+                  kb.resumedQueries.has_key(conf.url) and
+                  kb.resumedQueries[conf.url].has_key("Regular expression") and
+                  kb.resumedQueries[conf.url]["Regular expression"][:-1] == conf.regexp
+                )
+
+    if condition:
+        return True
+
+    infoMsg  = "testing if the provided regular expression matches within "
+    infoMsg += "the target URL page content"
+    logger.info(infoMsg)
+
+    page = Request.queryPage(content=True)
+
+    if re.search(conf.regexp, page, re.I | re.M):
+        setRegexp()
+        return True
+    else:
+        errMsg  = "you provided '%s' as the regular expression to " % conf.regexp
+        errMsg += "match, but such a regular expression does not have any "
+        errMsg += "match within the target URL page content, please provide "
+        errMsg += "another regular expression."
+        logger.error(errMsg)
+
+        return False
+
+
 def checkConnection():
    infoMsg = "testing connection to the target url"
    logger.info(infoMsg)
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@ -29,6 +29,7 @@ from lib.controller.checks import checkSqlInjection
 from lib.controller.checks import checkDynParam
 from lib.controller.checks import checkStability
 from lib.controller.checks import checkString
+from lib.controller.checks import checkRegexp
 from lib.controller.checks import checkConnection
 from lib.core.common import paramToDict
 from lib.core.common import readInput
@ -117,7 +118,7 @@ def start():

        if conf.multipleTargets:
            hostCount += 1
-            message = "url %d:\n%s %s" % (hostCount, conf.method, targetUrl)
+            message = "url %d:\n%s %s" % (hostCount, conf.method or "GET", targetUrl)

            if conf.cookie:
                message += "\nCookie: %s" % conf.cookie
@ -140,7 +141,7 @@ def start():

        initTargetEnv()

-        if not checkConnection() or not checkString():
+        if not checkConnection() or not checkString() or not checkRegexp():
            continue

        for _, cookie in enumerate(conf.cj):
@ -173,14 +174,14 @@ def start():
                    __testableParameters = True

        if not kb.injPlace or not kb.injParameter or not kb.injType:
-            if not conf.string:
+            if not conf.string and not conf.regexp and not conf.eRegexp:
                if checkStability():
                    logMsg = "url is stable"
                    logger.info(logMsg)
                else:
-                    errMsg  = "url is not stable, try with --string option, refer "
-                    errMsg += "to the user's manual paragraph 'String match' "
-                    errMsg += "for details"
+                    errMsg  = "url is not stable, try with --string or "
+                    errMsg += "--regexp options, refer to the user's manual "
+                    errMsg += "paragraph 'Page comparison' for details"

                    if conf.multipleTargets:
                        errMsg += ", skipping to next url"
@ -214,7 +215,6 @@ def start():

                            if injType:
                                injData.append((place, parameter, injType))
-                                kb.parenthesis = parenthesis

                                break
                            else:
--- a/lib/core/session.py
+++ b/lib/core/session.py
@ -48,6 +48,20 @@ def setString():
        dataToSessionFile("[%s][None][None][String][%s]\n" % (conf.url, conf.string))


+def setRegexp():
+    """
+    Save regular expression to match in session file.
+    """
+
+    condition = (
+                  not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
+                  not kb.resumedQueries[conf.url].has_key("Regular expression") )
+                )
+
+    if condition:
+        dataToSessionFile("[%s][None][None][Regular expression][%s]\n" % (conf.url, conf.regexp))
+
+
 def setInjection():
    """
    Save information retrieved about injection place and parameter in the
@ -178,6 +192,28 @@ def resumeConfKb(expression, url, value):
            if not test or test[0] in ("y", "Y"):
                conf.string = string

+    elif expression == "Regular expression" and url == conf.url:
+        regexp = value[:-1]
+
+        logMsg  = "resuming regular expression match '%s' from session file" % regexp
+        logger.info(logMsg)
+
+        if regexp and ( not conf.regexp or regexp != conf.regexp ):
+            if not conf.regexp:
+                message  = "you did not provide any regular expression "
+                message += "to match. "
+            else:
+                message  = "The regular expression you provided does not "
+                message += "match the resumed regular expression. "
+
+            message += "Do you want to use the resumed regular expression "
+            message += "to be matched in page when the query "
+            message += "is valid? [Y/n] "
+            test = readInput(message, default="Y")
+
+            if not test or test[0] in ("y", "Y"):
+                conf.regexp = regexp
+
    elif expression == "Injection point" and url == conf.url:
        injPlace = value[:-1]

--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -30,7 +30,7 @@ import sys


 # sqlmap version and site
-VERSION            = "0.6.3-rc5"
+VERSION            = "0.6.3"
 VERSION_STRING     = "sqlmap/%s" % VERSION
 SITE               = "http://sqlmap.sourceforge.net"

--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@ -24,6 +24,8 @@ Franklin St, Fifth Floor, Boston, MA  02110-1301  USA



+import sys
+
 from optparse import OptionError
 from optparse import OptionGroup
 from optparse import OptionParser
@ -37,7 +39,7 @@ def cmdLineParser():
    This function parses the command line parameters and arguments
    """

-    usage = "sqlmap.py [options]"
+    usage = "%s [options]" % sys.argv[0]
    parser = OptionParser(usage=usage, version=VERSION_STRING)

    try:
@ -108,7 +110,12 @@ def cmdLineParser():


        # Injection options
-        injection = OptionGroup(parser, "Injection")
+        injection = OptionGroup(parser, "Injection", "These options can be "
+                                "used to specify which parameters to test "
+                                "for, provide custom injection payloads and "
+                                "how to parse and compare HTTP responses "
+                                "page content when using the blind SQL "
+                                "injection technique.")

        injection.add_option("-p", dest="testParameter",
                             help="Testable parameter(s)")
--- a/lib/utils/parenthesis.py
+++ b/lib/utils/parenthesis.py
@ -46,7 +46,11 @@ def checkForParenthesis():

    count = 0

+    if kb.parenthesis != None:
+        return
+
    if conf.prefix or conf.postfix:
+        kb.parenthesis = 0
        return

    for parenthesis in range(1, 4):
--- a/sqlmap.conf
+++ b/sqlmap.conf
@ -3,8 +3,8 @@
 # Target URL.
 # Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
 # PHP and MySQL (local)
-url = http://127.0.0.1/sqlmap/mysql/get_str.php?id=1
-#url = http://127.0.0.1/sqlmap/mysql/get_int_partialunion.php?id=1
+#url = http://127.0.0.1/sqlmap/mysql/get_int.php?id=1
+url = http://127.0.0.1/sqlmap/mysql/get_int_partialunion.php?id=1
 # PHP and Oracle (local)
 #url = http://127.0.0.1/sqlmap/oracle/get_int.php?id=1
 # PHP and PostgreSQL (local)
--- a/xml/banner/postgresql.xml
+++ b/xml/banner/postgresql.xml
@ -7,6 +7,10 @@

    <!-- Ubuntu -->
    <regexp value="PostgreSQL\s+(8\.2\.7)\s+on\s+.*?\s+\(Ubuntu 4\.2\.3-2ubuntu4\)">
-        <info dbms_version="1" type="Linux" distrib="Ubuntu" release="8.10" codename="Intrepid"/>
+        <info dbms_version="1" type="Linux" distrib="Ubuntu" release="8.04" codename="Hardy Heron"/>
+    </regexp>
+
+    <regexp value="PostgreSQL\s+(8\.3\.5)\s+on\s+.*?\s+\(Ubuntu 4\.3\.2-1ubuntu11\)">
+        <info dbms_version="1" type="Linux" distrib="Ubuntu" release="8.10" codename="Intrepid Ibex"/>
    </regexp>
 </root>