mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-25 02:53:46 +03:00
Some PEP8 related style cleaning
This commit is contained in:
parent
6cfa9cb0b3
commit
ca3d35a878
|
@ -18,15 +18,15 @@ def check(module):
|
||||||
if module[-3:] == ".py":
|
if module[-3:] == ".py":
|
||||||
|
|
||||||
print "CHECKING ", module
|
print "CHECKING ", module
|
||||||
pout = os.popen('pylint --rcfile=/dev/null %s'% module, 'r')
|
pout = os.popen("pylint --rcfile=/dev/null %s" % module, 'r')
|
||||||
for line in pout:
|
for line in pout:
|
||||||
if re.match("E....:.", line):
|
if re.match("E....:.", line):
|
||||||
print line
|
print line
|
||||||
if __RATING__ and "Your code has been rated at" in line:
|
if __RATING__ and "Your code has been rated at" in line:
|
||||||
print line
|
print line
|
||||||
score = re.findall("\d.\d\d", line)[0]
|
score = re.findall("\d.\d\d", line)[0]
|
||||||
total += float(score)
|
total += float(score)
|
||||||
count += 1
|
count += 1
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
try:
|
try:
|
||||||
|
@ -46,5 +46,5 @@ if __name__ == "__main__":
|
||||||
|
|
||||||
if __RATING__:
|
if __RATING__:
|
||||||
print "==" * 50
|
print "==" * 50
|
||||||
print "%d modules found"% count
|
print "%d modules found" % count
|
||||||
print "AVERAGE SCORE = %.02f"% (total / count)
|
print "AVERAGE SCORE = %.02f" % (total / count)
|
||||||
|
|
|
@ -20,7 +20,7 @@ CONFIG_FILE = 'sqlharvest.cfg'
|
||||||
TABLES_FILE = 'tables.txt'
|
TABLES_FILE = 'tables.txt'
|
||||||
USER_AGENT = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; AskTB5.3)'
|
USER_AGENT = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; AskTB5.3)'
|
||||||
SEARCH_URL = 'http://www.google.com/m?source=mobileproducts&dc=gorganic'
|
SEARCH_URL = 'http://www.google.com/m?source=mobileproducts&dc=gorganic'
|
||||||
MAX_FILE_SIZE = 2 * 1024 * 1024 # if a result (.sql) file for downloading is more than 2MB in size just skip it
|
MAX_FILE_SIZE = 2 * 1024 * 1024 # if a result (.sql) file for downloading is more than 2MB in size just skip it
|
||||||
QUERY = 'CREATE TABLE ext:sql'
|
QUERY = 'CREATE TABLE ext:sql'
|
||||||
REGEX_URLS = r';u=([^"]+?)&q='
|
REGEX_URLS = r';u=([^"]+?)&q='
|
||||||
REGEX_RESULT = r'(?i)CREATE TABLE\s*(/\*.*\*/)?\s*(IF NOT EXISTS)?\s*(?P<result>[^\(;]+)'
|
REGEX_RESULT = r'(?i)CREATE TABLE\s*(/\*.*\*/)?\s*(IF NOT EXISTS)?\s*(?P<result>[^\(;]+)'
|
||||||
|
@ -33,7 +33,7 @@ def main():
|
||||||
opener.addheaders = [("User-Agent", USER_AGENT)]
|
opener.addheaders = [("User-Agent", USER_AGENT)]
|
||||||
|
|
||||||
conn = opener.open(SEARCH_URL)
|
conn = opener.open(SEARCH_URL)
|
||||||
page = conn.read() #set initial cookie values
|
page = conn.read() # set initial cookie values
|
||||||
|
|
||||||
config = ConfigParser.ConfigParser()
|
config = ConfigParser.ConfigParser()
|
||||||
config.read(CONFIG_FILE)
|
config.read(CONFIG_FILE)
|
||||||
|
@ -82,7 +82,7 @@ def main():
|
||||||
break
|
break
|
||||||
|
|
||||||
sys.stdout.write("\n---------------\n")
|
sys.stdout.write("\n---------------\n")
|
||||||
sys.stdout.write("Result page #%d\n" % (i+1))
|
sys.stdout.write("Result page #%d\n" % (i + 1))
|
||||||
sys.stdout.write("---------------\n")
|
sys.stdout.write("---------------\n")
|
||||||
|
|
||||||
for sqlfile in files:
|
for sqlfile in files:
|
||||||
|
|
|
@ -319,7 +319,7 @@ def start():
|
||||||
elif conf.method == HTTPMETHOD.GET:
|
elif conf.method == HTTPMETHOD.GET:
|
||||||
if targetUrl.find("?") > -1:
|
if targetUrl.find("?") > -1:
|
||||||
firstPart = targetUrl[:targetUrl.find("?")]
|
firstPart = targetUrl[:targetUrl.find("?")]
|
||||||
secondPart = targetUrl[targetUrl.find("?")+1:]
|
secondPart = targetUrl[targetUrl.find("?") + 1:]
|
||||||
message = "Edit GET data [default: %s]: " % secondPart
|
message = "Edit GET data [default: %s]: " % secondPart
|
||||||
test = readInput(message, default=secondPart)
|
test = readInput(message, default=secondPart)
|
||||||
test = _randomFillBlankFields(test)
|
test = _randomFillBlankFields(test)
|
||||||
|
@ -603,7 +603,7 @@ def start():
|
||||||
showHttpErrorCodes()
|
showHttpErrorCodes()
|
||||||
|
|
||||||
if kb.maxConnectionsFlag:
|
if kb.maxConnectionsFlag:
|
||||||
warnMsg = "it appears that the target "
|
warnMsg = "it appears that the target "
|
||||||
warnMsg += "has a maximum connections "
|
warnMsg += "has a maximum connections "
|
||||||
warnMsg += "constraint"
|
warnMsg += "constraint"
|
||||||
logger.warn(warnMsg)
|
logger.warn(warnMsg)
|
||||||
|
@ -612,8 +612,9 @@ def start():
|
||||||
logger.info("fetched data logged to text files under '%s'" % conf.outputPath)
|
logger.info("fetched data logged to text files under '%s'" % conf.outputPath)
|
||||||
|
|
||||||
if conf.multipleTargets and conf.resultsFilename:
|
if conf.multipleTargets and conf.resultsFilename:
|
||||||
infoMsg = "you can find results of scanning in multiple targets "
|
infoMsg = "you can find results of scanning in multiple targets "
|
||||||
infoMsg += "mode inside the CSV file '%s'" % conf.resultsFilename
|
infoMsg += "mode inside the CSV file '%s'" % conf.resultsFilename
|
||||||
logger.info(infoMsg)
|
logger.info(infoMsg)
|
||||||
|
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
|
|
@ -758,7 +758,7 @@ class Agent(object):
|
||||||
limitStr = queries[Backend.getIdentifiedDbms()].limit.query
|
limitStr = queries[Backend.getIdentifiedDbms()].limit.query
|
||||||
fromIndex = limitedQuery.index(" FROM ")
|
fromIndex = limitedQuery.index(" FROM ")
|
||||||
untilFrom = limitedQuery[:fromIndex]
|
untilFrom = limitedQuery[:fromIndex]
|
||||||
fromFrom = limitedQuery[fromIndex+1:]
|
fromFrom = limitedQuery[fromIndex + 1:]
|
||||||
orderBy = False
|
orderBy = False
|
||||||
|
|
||||||
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
|
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
|
||||||
|
@ -766,7 +766,7 @@ class Agent(object):
|
||||||
limitedQuery += " %s" % limitStr
|
limitedQuery += " %s" % limitStr
|
||||||
|
|
||||||
elif Backend.isDbms(DBMS.FIREBIRD):
|
elif Backend.isDbms(DBMS.FIREBIRD):
|
||||||
limitStr = queries[Backend.getIdentifiedDbms()].limit.query % (num+1, num+1)
|
limitStr = queries[Backend.getIdentifiedDbms()].limit.query % (num + 1, num + 1)
|
||||||
limitedQuery += " %s" % limitStr
|
limitedQuery += " %s" % limitStr
|
||||||
|
|
||||||
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
|
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
|
||||||
|
|
|
@ -560,7 +560,7 @@ def paramToDict(place, parameters=None):
|
||||||
elif len(conf.testParameter) != len(testableParameters.keys()):
|
elif len(conf.testParameter) != len(testableParameters.keys()):
|
||||||
for parameter in conf.testParameter:
|
for parameter in conf.testParameter:
|
||||||
if parameter not in testableParameters:
|
if parameter not in testableParameters:
|
||||||
warnMsg = "provided parameter '%s' " % parameter
|
warnMsg = "provided parameter '%s' " % parameter
|
||||||
warnMsg += "is not inside the %s" % place
|
warnMsg += "is not inside the %s" % place
|
||||||
logger.warn(warnMsg)
|
logger.warn(warnMsg)
|
||||||
|
|
||||||
|
@ -1489,7 +1489,7 @@ def getConsoleWidth(default=80):
|
||||||
if os.getenv("COLUMNS", "").isdigit():
|
if os.getenv("COLUMNS", "").isdigit():
|
||||||
width = int(os.getenv("COLUMNS"))
|
width = int(os.getenv("COLUMNS"))
|
||||||
else:
|
else:
|
||||||
output=execute('stty size', shell=True, stdout=PIPE, stderr=PIPE).stdout.read()
|
output = execute("stty size", shell=True, stdout=PIPE, stderr=PIPE).stdout.read()
|
||||||
items = output.split()
|
items = output.split()
|
||||||
|
|
||||||
if len(items) == 2 and items[1].isdigit():
|
if len(items) == 2 and items[1].isdigit():
|
||||||
|
|
|
@ -54,8 +54,8 @@ def md5hash(value):
|
||||||
return md5.new(value).hexdigest()
|
return md5.new(value).hexdigest()
|
||||||
|
|
||||||
def orddecode(value):
|
def orddecode(value):
|
||||||
packedString = struct.pack("!"+"I" * len(value), *value)
|
packedString = struct.pack("!" + "I" * len(value), *value)
|
||||||
return "".join(chr(char) for char in struct.unpack("!"+"I"*(len(packedString)/4), packedString))
|
return "".join(chr(char) for char in struct.unpack("!" + "I" * (len(packedString) / 4), packedString))
|
||||||
|
|
||||||
def ordencode(value):
|
def ordencode(value):
|
||||||
return tuple(ord(char) for char in value)
|
return tuple(ord(char) for char in value)
|
||||||
|
|
|
@ -7,7 +7,7 @@ See the file 'doc/COPYING' for copying permission
|
||||||
|
|
||||||
from lib.core.datatype import AttribDict
|
from lib.core.datatype import AttribDict
|
||||||
|
|
||||||
_defaults = {
|
_defaults = {
|
||||||
"csvDel": ",",
|
"csvDel": ",",
|
||||||
"timeSec": 5,
|
"timeSec": 5,
|
||||||
"googlePage": 1,
|
"googlePage": 1,
|
||||||
|
@ -23,6 +23,6 @@ _defaults = {
|
||||||
"dumpFormat": "CSV",
|
"dumpFormat": "CSV",
|
||||||
"tech": "BEUSTQ",
|
"tech": "BEUSTQ",
|
||||||
"torType": "HTTP"
|
"torType": "HTTP"
|
||||||
}
|
}
|
||||||
|
|
||||||
defaults = AttribDict(_defaults)
|
defaults = AttribDict(_defaults)
|
||||||
|
|
|
@ -69,38 +69,38 @@ SYBASE_TYPES = {
|
||||||
}
|
}
|
||||||
|
|
||||||
MYSQL_PRIVS = {
|
MYSQL_PRIVS = {
|
||||||
1:"select_priv",
|
1: "select_priv",
|
||||||
2:"insert_priv",
|
2: "insert_priv",
|
||||||
3:"update_priv",
|
3: "update_priv",
|
||||||
4:"delete_priv",
|
4: "delete_priv",
|
||||||
5:"create_priv",
|
5: "create_priv",
|
||||||
6:"drop_priv",
|
6: "drop_priv",
|
||||||
7:"reload_priv",
|
7: "reload_priv",
|
||||||
8:"shutdown_priv",
|
8: "shutdown_priv",
|
||||||
9:"process_priv",
|
9: "process_priv",
|
||||||
10:"file_priv",
|
10: "file_priv",
|
||||||
11:"grant_priv",
|
11: "grant_priv",
|
||||||
12:"references_priv",
|
12: "references_priv",
|
||||||
13:"index_priv",
|
13: "index_priv",
|
||||||
14:"alter_priv",
|
14: "alter_priv",
|
||||||
15:"show_db_priv",
|
15: "show_db_priv",
|
||||||
16:"super_priv",
|
16: "super_priv",
|
||||||
17:"create_tmp_table_priv",
|
17: "create_tmp_table_priv",
|
||||||
18:"lock_tables_priv",
|
18: "lock_tables_priv",
|
||||||
19:"execute_priv",
|
19: "execute_priv",
|
||||||
20:"repl_slave_priv",
|
20: "repl_slave_priv",
|
||||||
21:"repl_client_priv",
|
21: "repl_client_priv",
|
||||||
22:"create_view_priv",
|
22: "create_view_priv",
|
||||||
23:"show_view_priv",
|
23: "show_view_priv",
|
||||||
24:"create_routine_priv",
|
24: "create_routine_priv",
|
||||||
25:"alter_routine_priv",
|
25: "alter_routine_priv",
|
||||||
26:"create_user_priv",
|
26: "create_user_priv",
|
||||||
}
|
}
|
||||||
|
|
||||||
PGSQL_PRIVS = {
|
PGSQL_PRIVS = {
|
||||||
1:"createdb",
|
1: "createdb",
|
||||||
2:"super",
|
2: "super",
|
||||||
3:"catupd",
|
3: "catupd",
|
||||||
}
|
}
|
||||||
|
|
||||||
FIREBIRD_PRIVS = {
|
FIREBIRD_PRIVS = {
|
||||||
|
|
|
@ -117,13 +117,13 @@ class Dump(object):
|
||||||
if elements:
|
if elements:
|
||||||
self._write("")
|
self._write("")
|
||||||
|
|
||||||
def banner(self,data):
|
def banner(self, data):
|
||||||
self.string("banner", data)
|
self.string("banner", data)
|
||||||
|
|
||||||
def currentUser(self,data):
|
def currentUser(self, data):
|
||||||
self.string("current user", data)
|
self.string("current user", data)
|
||||||
|
|
||||||
def currentDb(self,data):
|
def currentDb(self, data):
|
||||||
if Backend.isDbms(DBMS.MAXDB):
|
if Backend.isDbms(DBMS.MAXDB):
|
||||||
self.string("current database (no practical usage on %s)" % Backend.getIdentifiedDbms(), data)
|
self.string("current database (no practical usage on %s)" % Backend.getIdentifiedDbms(), data)
|
||||||
elif Backend.isDbms(DBMS.ORACLE):
|
elif Backend.isDbms(DBMS.ORACLE):
|
||||||
|
@ -131,13 +131,13 @@ class Dump(object):
|
||||||
else:
|
else:
|
||||||
self.string("current database", data)
|
self.string("current database", data)
|
||||||
|
|
||||||
def hostname(self,data):
|
def hostname(self, data):
|
||||||
self.string("hostname", data)
|
self.string("hostname", data)
|
||||||
|
|
||||||
def dba(self,data):
|
def dba(self, data):
|
||||||
self.string("current user is DBA", data)
|
self.string("current user is DBA", data)
|
||||||
|
|
||||||
def users(self,users):
|
def users(self, users):
|
||||||
self.lister("database management system users", users)
|
self.lister("database management system users", users)
|
||||||
|
|
||||||
def userSettings(self, header, userSettings, subHeader):
|
def userSettings(self, header, userSettings, subHeader):
|
||||||
|
@ -174,7 +174,7 @@ class Dump(object):
|
||||||
|
|
||||||
self.singleString("")
|
self.singleString("")
|
||||||
|
|
||||||
def dbs(self,dbs):
|
def dbs(self, dbs):
|
||||||
self.lister("available databases", dbs)
|
self.lister("available databases", dbs)
|
||||||
|
|
||||||
def dbTables(self, dbTables):
|
def dbTables(self, dbTables):
|
||||||
|
|
|
@ -272,7 +272,7 @@ def _feedTargetsDict(reqFile, addedTargetUrls):
|
||||||
index = 5
|
index = 5
|
||||||
|
|
||||||
url = line[index:line.index(" HTTP/")]
|
url = line[index:line.index(" HTTP/")]
|
||||||
method = line[:index-1]
|
method = line[:index - 1]
|
||||||
|
|
||||||
if "?" in line and "=" in line:
|
if "?" in line and "=" in line:
|
||||||
params = True
|
params = True
|
||||||
|
@ -587,7 +587,7 @@ def _findPageForms():
|
||||||
for i in xrange(len(targets)):
|
for i in xrange(len(targets)):
|
||||||
try:
|
try:
|
||||||
target = targets[i]
|
target = targets[i]
|
||||||
page, _, _= Request.getPage(url=target.strip(), crawling=True, raise404=False)
|
page, _, _ = Request.getPage(url=target.strip(), crawling=True, raise404=False)
|
||||||
findPageForms(page, target, False, True)
|
findPageForms(page, target, False, True)
|
||||||
|
|
||||||
if conf.verbose in (1, 2):
|
if conf.verbose in (1, 2):
|
||||||
|
@ -942,7 +942,7 @@ def _setHTTPProxy():
|
||||||
try:
|
try:
|
||||||
port = int(hostnamePort[1])
|
port = int(hostnamePort[1])
|
||||||
except:
|
except:
|
||||||
pass #drops into the next check block
|
pass # drops into the next check block
|
||||||
|
|
||||||
if not all((scheme, hasattr(PROXY_TYPE, scheme), hostname, port)):
|
if not all((scheme, hasattr(PROXY_TYPE, scheme), hostname, port)):
|
||||||
errMsg = "proxy value must be in format '(%s)://url:port'" % "|".join(_[0].lower() for _ in getPublicTypeMembers(PROXY_TYPE))
|
errMsg = "proxy value must be in format '(%s)://url:port'" % "|".join(_[0].lower() for _ in getPublicTypeMembers(PROXY_TYPE))
|
||||||
|
@ -1373,8 +1373,9 @@ def _cleanupOptions():
|
||||||
conf.data = re.sub(INJECT_HERE_MARK.replace(" ", r"[^A-Za-z]*"), CUSTOM_INJECTION_MARK_CHAR, conf.data, re.I)
|
conf.data = re.sub(INJECT_HERE_MARK.replace(" ", r"[^A-Za-z]*"), CUSTOM_INJECTION_MARK_CHAR, conf.data, re.I)
|
||||||
|
|
||||||
if re.search(r'%[0-9a-f]{2}', conf.data, re.I):
|
if re.search(r'%[0-9a-f]{2}', conf.data, re.I):
|
||||||
|
class _(unicode):
|
||||||
|
pass
|
||||||
original = conf.data
|
original = conf.data
|
||||||
class _(unicode): pass
|
|
||||||
conf.data = _(urldecode(conf.data))
|
conf.data = _(urldecode(conf.data))
|
||||||
setattr(conf.data, UNENCODED_ORIGINAL_VALUE, original)
|
setattr(conf.data, UNENCODED_ORIGINAL_VALUE, original)
|
||||||
else:
|
else:
|
||||||
|
@ -1409,7 +1410,7 @@ def _cleanupOptions():
|
||||||
conf.code = int(conf.code)
|
conf.code = int(conf.code)
|
||||||
|
|
||||||
if conf.csvDel:
|
if conf.csvDel:
|
||||||
conf.csvDel = conf.csvDel.decode("string_escape") # e.g. '\\t' -> '\t'
|
conf.csvDel = conf.csvDel.decode("string_escape") # e.g. '\\t' -> '\t'
|
||||||
|
|
||||||
if conf.torPort and conf.torPort.isdigit():
|
if conf.torPort and conf.torPort.isdigit():
|
||||||
conf.torPort = int(conf.torPort)
|
conf.torPort = int(conf.torPort)
|
||||||
|
@ -1504,7 +1505,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
|
||||||
kb.authHeader = None
|
kb.authHeader = None
|
||||||
kb.bannerFp = AttribDict()
|
kb.bannerFp = AttribDict()
|
||||||
|
|
||||||
kb.brute = AttribDict({"tables":[], "columns":[]})
|
kb.brute = AttribDict({"tables": [], "columns": []})
|
||||||
kb.bruteMode = False
|
kb.bruteMode = False
|
||||||
|
|
||||||
kb.cache = AttribDict()
|
kb.cache = AttribDict()
|
||||||
|
@ -1592,7 +1593,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
|
||||||
kb.redirectChoice = None
|
kb.redirectChoice = None
|
||||||
kb.redirectSetCookie = None
|
kb.redirectSetCookie = None
|
||||||
kb.reflectiveMechanism = True
|
kb.reflectiveMechanism = True
|
||||||
kb.reflectiveCounters = {REFLECTIVE_COUNTER.MISS:0, REFLECTIVE_COUNTER.HIT:0}
|
kb.reflectiveCounters = {REFLECTIVE_COUNTER.MISS: 0, REFLECTIVE_COUNTER.HIT: 0}
|
||||||
kb.responseTimes = []
|
kb.responseTimes = []
|
||||||
kb.resumeValues = True
|
kb.resumeValues = True
|
||||||
kb.safeCharEncode = False
|
kb.safeCharEncode = False
|
||||||
|
|
|
@ -65,7 +65,7 @@ def profile(profileOutputFile=None, dotOutputFile=None, imageOutputFile=None):
|
||||||
dotFilePointer = codecs.open(dotOutputFile, 'wt', UNICODE_ENCODING)
|
dotFilePointer = codecs.open(dotOutputFile, 'wt', UNICODE_ENCODING)
|
||||||
parser = gprof2dot.PstatsParser(profileOutputFile)
|
parser = gprof2dot.PstatsParser(profileOutputFile)
|
||||||
profile = parser.parse()
|
profile = parser.parse()
|
||||||
profile.prune(0.5/100.0, 0.1/100.0)
|
profile.prune(0.5 / 100.0, 0.1 / 100.0)
|
||||||
dot = gprof2dot.DotWriter(dotFilePointer)
|
dot = gprof2dot.DotWriter(dotFilePointer)
|
||||||
dot.graph(profile, gprof2dot.TEMPERATURE_COLORMAP)
|
dot.graph(profile, gprof2dot.TEMPERATURE_COLORMAP)
|
||||||
dotFilePointer.close()
|
dotFilePointer.close()
|
||||||
|
|
|
@ -64,7 +64,7 @@ def purge(directory):
|
||||||
except:
|
except:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
dirpaths.sort(cmp = lambda x, y: y.count(os.path.sep) - x.count(os.path.sep))
|
dirpaths.sort(cmp=lambda x, y: y.count(os.path.sep) - x.count(os.path.sep))
|
||||||
|
|
||||||
logger.debug("renaming directory names to random values...")
|
logger.debug("renaming directory names to random values...")
|
||||||
for dirpath in dirpaths:
|
for dirpath in dirpaths:
|
||||||
|
|
|
@ -61,7 +61,7 @@ class Replication(object):
|
||||||
"""
|
"""
|
||||||
|
|
||||||
if len(values) == len(self.columns):
|
if len(values) == len(self.columns):
|
||||||
self.execute('INSERT INTO "%s" VALUES (%s)' % (self.name, ','.join(['?']*len(values))), safechardecode(values))
|
self.execute('INSERT INTO "%s" VALUES (%s)' % (self.name, ','.join(['?'] * len(values))), safechardecode(values))
|
||||||
else:
|
else:
|
||||||
errMsg = "wrong number of columns used in replicating insert"
|
errMsg = "wrong number of columns used in replicating insert"
|
||||||
raise SqlmapValueException(errMsg)
|
raise SqlmapValueException(errMsg)
|
||||||
|
|
|
@ -234,7 +234,7 @@ EMPTY_FORM_FIELDS_REGEX = r'(&|\A)(?P<result>[^=]+=(&|\Z))'
|
||||||
COMMON_PASSWORD_SUFFIXES = ("1", "123", "2", "12", "3", "13", "7", "11", "5", "22", "23", "01", "4", "07", "21", "14", "10", "06", "08", "8", "15", "69", "16", "6", "18")
|
COMMON_PASSWORD_SUFFIXES = ("1", "123", "2", "12", "3", "13", "7", "11", "5", "22", "23", "01", "4", "07", "21", "14", "10", "06", "08", "8", "15", "69", "16", "6", "18")
|
||||||
|
|
||||||
# Reference: http://www.the-interweb.com/serendipity/index.php?/archives/94-A-brief-analysis-of-40,000-leaked-MySpace-passwords.html
|
# Reference: http://www.the-interweb.com/serendipity/index.php?/archives/94-A-brief-analysis-of-40,000-leaked-MySpace-passwords.html
|
||||||
COMMON_PASSWORD_SUFFIXES += ("!", ".", "*", "!!", "?", ";", "..", "!!!", ",", "@")
|
COMMON_PASSWORD_SUFFIXES += ("!", ".", "*", "!!", "?", ";", "..", "!!!", ", ", "@")
|
||||||
|
|
||||||
# Splitter used between requests in WebScarab log files
|
# Splitter used between requests in WebScarab log files
|
||||||
WEBSCARAB_SPLITTER = "### Conversation"
|
WEBSCARAB_SPLITTER = "### Conversation"
|
||||||
|
@ -363,7 +363,7 @@ DUMMY_SQL_INJECTION_CHARS = ";()'"
|
||||||
DUMMY_USER_INJECTION = r"(?i)[^\w](AND|OR)\s+[^\s]+[=><]"
|
DUMMY_USER_INJECTION = r"(?i)[^\w](AND|OR)\s+[^\s]+[=><]"
|
||||||
|
|
||||||
# Extensions skipped by crawler
|
# Extensions skipped by crawler
|
||||||
CRAWL_EXCLUDE_EXTENSIONS = ("gif","jpg","jar","tif","bmp","war","ear","mpg","wmv","mpeg","scm","iso","dmp","dll","cab","so","avi","bin","exe","iso","tar","png","pdf","ps","mp3","zip","rar","gz")
|
CRAWL_EXCLUDE_EXTENSIONS = ("gif", "jpg", "jar", "tif", "bmp", "war", "ear", "mpg", "wmv", "mpeg", "scm", "iso", "dmp", "dll", "cab", "so", "avi", "bin", "exe", "iso", "tar", "png", "pdf", "ps", "mp3", "zip", "rar", "gz")
|
||||||
|
|
||||||
# Template used for common table existence check
|
# Template used for common table existence check
|
||||||
BRUTE_TABLE_EXISTS_TEMPLATE = "EXISTS(SELECT %d FROM %s)"
|
BRUTE_TABLE_EXISTS_TEMPLATE = "EXISTS(SELECT %d FROM %s)"
|
||||||
|
@ -420,7 +420,7 @@ HASHDB_FLUSH_RETRIES = 3
|
||||||
HASHDB_MILESTONE_VALUE = "cAWxkLYCQT" # r5129 "".join(random.sample(string.letters, 10))
|
HASHDB_MILESTONE_VALUE = "cAWxkLYCQT" # r5129 "".join(random.sample(string.letters, 10))
|
||||||
|
|
||||||
# Warn user of possible delay due to large page dump in full UNION query injections
|
# Warn user of possible delay due to large page dump in full UNION query injections
|
||||||
LARGE_OUTPUT_THRESHOLD = 1024**2
|
LARGE_OUTPUT_THRESHOLD = 1024 ** 2
|
||||||
|
|
||||||
# On huge tables there is a considerable slowdown if every row retrieval requires ORDER BY (most noticable in table dumping using ERROR injections)
|
# On huge tables there is a considerable slowdown if every row retrieval requires ORDER BY (most noticable in table dumping using ERROR injections)
|
||||||
SLOW_ORDER_COUNT_THRESHOLD = 10000
|
SLOW_ORDER_COUNT_THRESHOLD = 10000
|
||||||
|
|
|
@ -142,7 +142,7 @@ class Popen(subprocess.Popen):
|
||||||
try:
|
try:
|
||||||
written = os.write(self.stdin.fileno(), input)
|
written = os.write(self.stdin.fileno(), input)
|
||||||
except OSError, why:
|
except OSError, why:
|
||||||
if why[0] == errno.EPIPE: #broken pipe
|
if why[0] == errno.EPIPE: # broken pipe
|
||||||
return self._close('stdin')
|
return self._close('stdin')
|
||||||
raise
|
raise
|
||||||
|
|
||||||
|
@ -155,7 +155,7 @@ class Popen(subprocess.Popen):
|
||||||
|
|
||||||
flags = fcntl.fcntl(conn, fcntl.F_GETFL)
|
flags = fcntl.fcntl(conn, fcntl.F_GETFL)
|
||||||
if not conn.closed:
|
if not conn.closed:
|
||||||
fcntl.fcntl(conn, fcntl.F_SETFL, flags| os.O_NONBLOCK)
|
fcntl.fcntl(conn, fcntl.F_SETFL, flags | os.O_NONBLOCK)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
if not select.select([conn], [], [], 0)[0]:
|
if not select.select([conn], [], [], 0)[0]:
|
||||||
|
@ -175,7 +175,7 @@ class Popen(subprocess.Popen):
|
||||||
def recv_some(p, t=.1, e=1, tr=5, stderr=0):
|
def recv_some(p, t=.1, e=1, tr=5, stderr=0):
|
||||||
if tr < 1:
|
if tr < 1:
|
||||||
tr = 1
|
tr = 1
|
||||||
x = time.time()+t
|
x = time.time() + t
|
||||||
y = []
|
y = []
|
||||||
r = ''
|
r = ''
|
||||||
if stderr:
|
if stderr:
|
||||||
|
@ -189,7 +189,7 @@ def recv_some(p, t=.1, e=1, tr=5, stderr=0):
|
||||||
elif r:
|
elif r:
|
||||||
y.append(r)
|
y.append(r)
|
||||||
else:
|
else:
|
||||||
time.sleep(max((x-time.time())/tr, 0))
|
time.sleep(max((x - time.time()) / tr, 0))
|
||||||
return ''.join(y)
|
return ''.join(y)
|
||||||
|
|
||||||
def send_all(p, data):
|
def send_all(p, data):
|
||||||
|
|
|
@ -131,7 +131,7 @@ def _setRequestParams():
|
||||||
kb.processUserMarks = True if kb.postHint else kb.processUserMarks
|
kb.processUserMarks = True if kb.postHint else kb.processUserMarks
|
||||||
|
|
||||||
if re.search(URI_INJECTABLE_REGEX, conf.url, re.I) and not any(map(lambda place: place in conf.parameters, [PLACE.GET, PLACE.POST])):
|
if re.search(URI_INJECTABLE_REGEX, conf.url, re.I) and not any(map(lambda place: place in conf.parameters, [PLACE.GET, PLACE.POST])):
|
||||||
warnMsg = "you've provided target url without any GET "
|
warnMsg = "you've provided target url without any GET "
|
||||||
warnMsg += "parameters (e.g. www.site.com/article.php?id=1) "
|
warnMsg += "parameters (e.g. www.site.com/article.php?id=1) "
|
||||||
warnMsg += "and without providing any POST parameters "
|
warnMsg += "and without providing any POST parameters "
|
||||||
warnMsg += "through --data option"
|
warnMsg += "through --data option"
|
||||||
|
|
|
@ -234,7 +234,7 @@ def runCase(switches=None, parse=None):
|
||||||
logger.error("unhandled exception occurred ('%s')" % str(exception))
|
logger.error("unhandled exception occurred ('%s')" % str(exception))
|
||||||
tback = traceback.format_exc()
|
tback = traceback.format_exc()
|
||||||
retVal = False
|
retVal = False
|
||||||
elif result is False: # if None, ignore
|
elif result is False: # if None, ignore
|
||||||
logger.error("the test did not run")
|
logger.error("the test did not run")
|
||||||
retVal = False
|
retVal = False
|
||||||
|
|
||||||
|
|
|
@ -755,7 +755,7 @@ def cmdLineParser():
|
||||||
# Expand given mnemonic options (e.g. -z "ign,flu,bat")
|
# Expand given mnemonic options (e.g. -z "ign,flu,bat")
|
||||||
for i in xrange(len(sys.argv) - 1):
|
for i in xrange(len(sys.argv) - 1):
|
||||||
if sys.argv[i] == '-z':
|
if sys.argv[i] == '-z':
|
||||||
expandMnemonics(sys.argv[i+1], parser, args)
|
expandMnemonics(sys.argv[i + 1], parser, args)
|
||||||
|
|
||||||
if not any((args.direct, args.url, args.logFile, args.bulkFile, args.googleDork, args.configFile, \
|
if not any((args.direct, args.url, args.logFile, args.bulkFile, args.googleDork, args.configFile, \
|
||||||
args.requestFile, args.updateAll, args.smokeTest, args.liveTest, args.wizard, args.dependencies, \
|
args.requestFile, args.updateAll, args.smokeTest, args.liveTest, args.wizard, args.dependencies, \
|
||||||
|
|
|
@ -44,7 +44,7 @@ class FingerprintHandler(ContentHandler):
|
||||||
def startElement(self, name, attrs):
|
def startElement(self, name, attrs):
|
||||||
if name == "regexp":
|
if name == "regexp":
|
||||||
self._regexp = sanitizeStr(attrs.get("value"))
|
self._regexp = sanitizeStr(attrs.get("value"))
|
||||||
_ = re.match("\A[A-Za-z0-9]+", self._regexp) # minor trick avoiding compiling of large amount of regexes
|
_ = re.match("\A[A-Za-z0-9]+", self._regexp) # minor trick avoiding compiling of large amount of regexes
|
||||||
|
|
||||||
if _ and _.group(0).lower() in self._banner.lower() or not _:
|
if _ and _.group(0).lower() in self._banner.lower() or not _:
|
||||||
self._match = re.search(self._regexp, self._banner, re.I | re.M)
|
self._match = re.search(self._regexp, self._banner, re.I | re.M)
|
||||||
|
|
|
@ -110,7 +110,7 @@ def checkCharEncoding(encoding, warn=True):
|
||||||
else:
|
else:
|
||||||
return encoding
|
return encoding
|
||||||
|
|
||||||
# http://www.destructor.de/charsets/index.htm
|
# Reference: http://www.destructor.de/charsets/index.htm
|
||||||
translate = { "windows-874": "iso-8859-11", "en_us": "utf8", "macintosh": "iso-8859-1", "euc_tw": "big5_tw", "th": "tis-620", "unicode": "utf8", "utc8": "utf8", "ebcdic": "ebcdic-cp-be"}
|
translate = { "windows-874": "iso-8859-11", "en_us": "utf8", "macintosh": "iso-8859-1", "euc_tw": "big5_tw", "th": "tis-620", "unicode": "utf8", "utc8": "utf8", "ebcdic": "ebcdic-cp-be"}
|
||||||
|
|
||||||
for delimiter in (';', ',', '('):
|
for delimiter in (';', ',', '('):
|
||||||
|
@ -119,17 +119,17 @@ def checkCharEncoding(encoding, warn=True):
|
||||||
|
|
||||||
# popular typos/errors
|
# popular typos/errors
|
||||||
if "8858" in encoding:
|
if "8858" in encoding:
|
||||||
encoding = encoding.replace("8858", "8859") # iso-8858 -> iso-8859
|
encoding = encoding.replace("8858", "8859") # iso-8858 -> iso-8859
|
||||||
elif "8559" in encoding:
|
elif "8559" in encoding:
|
||||||
encoding = encoding.replace("8559", "8859") # iso-8559 -> iso-8859
|
encoding = encoding.replace("8559", "8859") # iso-8559 -> iso-8859
|
||||||
elif "5889" in encoding:
|
elif "5889" in encoding:
|
||||||
encoding = encoding.replace("5889", "8859") # iso-5889 -> iso-8859
|
encoding = encoding.replace("5889", "8859") # iso-5889 -> iso-8859
|
||||||
elif "5589" in encoding:
|
elif "5589" in encoding:
|
||||||
encoding = encoding.replace("5589", "8859") # iso-5589 -> iso-8859
|
encoding = encoding.replace("5589", "8859") # iso-5589 -> iso-8859
|
||||||
elif "2313" in encoding:
|
elif "2313" in encoding:
|
||||||
encoding = encoding.replace("2313", "2312") # gb2313 -> gb2312
|
encoding = encoding.replace("2313", "2312") # gb2313 -> gb2312
|
||||||
elif "x-euc" in encoding:
|
elif "x-euc" in encoding:
|
||||||
encoding = encoding.replace("x-euc", "euc") # x-euc-kr -> euc-kr
|
encoding = encoding.replace("x-euc", "euc") # x-euc-kr -> euc-kr
|
||||||
|
|
||||||
# name adjustment for compatibility
|
# name adjustment for compatibility
|
||||||
if encoding.startswith("8859"):
|
if encoding.startswith("8859"):
|
||||||
|
@ -149,14 +149,14 @@ def checkCharEncoding(encoding, warn=True):
|
||||||
elif encoding.find("utf8") > 0:
|
elif encoding.find("utf8") > 0:
|
||||||
encoding = "utf8"
|
encoding = "utf8"
|
||||||
|
|
||||||
# http://philip.html5.org/data/charsets-2.html
|
# Reference: http://philip.html5.org/data/charsets-2.html
|
||||||
if encoding in translate:
|
if encoding in translate:
|
||||||
encoding = translate[encoding]
|
encoding = translate[encoding]
|
||||||
elif encoding in ("null", "{charset}", "*"):
|
elif encoding in ("null", "{charset}", "*"):
|
||||||
return None
|
return None
|
||||||
|
|
||||||
# http://www.iana.org/assignments/character-sets
|
# Reference: http://www.iana.org/assignments/character-sets
|
||||||
# http://docs.python.org/library/codecs.html
|
# Reference: http://docs.python.org/library/codecs.html
|
||||||
try:
|
try:
|
||||||
codecs.lookup(encoding)
|
codecs.lookup(encoding)
|
||||||
except LookupError:
|
except LookupError:
|
||||||
|
@ -216,7 +216,7 @@ def decodePage(page, contentEncoding, contentType):
|
||||||
if not conf.charset:
|
if not conf.charset:
|
||||||
httpCharset, metaCharset = None, None
|
httpCharset, metaCharset = None, None
|
||||||
|
|
||||||
# http://stackoverflow.com/questions/1020892/python-urllib2-read-to-unicode
|
# Reference: http://stackoverflow.com/questions/1020892/python-urllib2-read-to-unicode
|
||||||
if contentType and (contentType.find("charset=") != -1):
|
if contentType and (contentType.find("charset=") != -1):
|
||||||
httpCharset = checkCharEncoding(contentType.split("charset=")[-1])
|
httpCharset = checkCharEncoding(contentType.split("charset=")[-1])
|
||||||
|
|
||||||
|
|
|
@ -21,7 +21,7 @@ class HTTPSCertAuthHandler(urllib2.HTTPSHandler):
|
||||||
return self.do_open(self.getConnection, req)
|
return self.do_open(self.getConnection, req)
|
||||||
|
|
||||||
def getConnection(self, host):
|
def getConnection(self, host):
|
||||||
if sys.version_info >= (2,6):
|
if sys.version_info >= (2, 6):
|
||||||
retVal = httplib.HTTPSConnection(host, key_file=self.key_file, cert_file=self.cert_file, timeout=conf.timeout)
|
retVal = httplib.HTTPSConnection(host, key_file=self.key_file, cert_file=self.cert_file, timeout=conf.timeout)
|
||||||
else:
|
else:
|
||||||
retVal = httplib.HTTPSConnection(host, key_file=self.key_file, cert_file=self.cert_file)
|
retVal = httplib.HTTPSConnection(host, key_file=self.key_file, cert_file=self.cert_file)
|
||||||
|
|
|
@ -398,7 +398,7 @@ class Connect(object):
|
||||||
if url.lower().startswith('http://'):
|
if url.lower().startswith('http://'):
|
||||||
kwargs['url'] = url
|
kwargs['url'] = url
|
||||||
else:
|
else:
|
||||||
kwargs['url'] = conf.url[:conf.url.rfind('/')+1] + url
|
kwargs['url'] = conf.url[:conf.url.rfind('/') + 1] + url
|
||||||
|
|
||||||
threadData.lastRedirectMsg = (threadData.lastRequestUID, page)
|
threadData.lastRedirectMsg = (threadData.lastRequestUID, page)
|
||||||
kwargs['refreshing'] = True
|
kwargs['refreshing'] = True
|
||||||
|
|
|
@ -32,7 +32,7 @@ class DNSQuery(object):
|
||||||
j = ord(raw[i])
|
j = ord(raw[i])
|
||||||
|
|
||||||
while j != 0:
|
while j != 0:
|
||||||
self._query += raw[i+1:i+j+1] + '.'
|
self._query += raw[i + 1:i + j + 1] + '.'
|
||||||
i = i + j + 1
|
i = i + j + 1
|
||||||
j = ord(raw[i])
|
j = ord(raw[i])
|
||||||
|
|
||||||
|
@ -137,4 +137,3 @@ if __name__ == "__main__":
|
||||||
finally:
|
finally:
|
||||||
if server:
|
if server:
|
||||||
server._running = False
|
server._running = False
|
||||||
|
|
||||||
|
|
|
@ -361,7 +361,7 @@ def getValue(expression, blind=True, union=True, error=True, time=True, fromUser
|
||||||
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
|
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
|
||||||
|
|
||||||
if found and conf.dnsName:
|
if found and conf.dnsName:
|
||||||
_ = "".join(filter(None, (key if isTechniqueAvailable(value) else None for key, value in {"E":PAYLOAD.TECHNIQUE.ERROR, "Q":PAYLOAD.TECHNIQUE.QUERY, "U":PAYLOAD.TECHNIQUE.UNION}.items())))
|
_ = "".join(filter(None, (key if isTechniqueAvailable(value) else None for key, value in {"E": PAYLOAD.TECHNIQUE.ERROR, "Q": PAYLOAD.TECHNIQUE.QUERY, "U": PAYLOAD.TECHNIQUE.UNION}.items())))
|
||||||
warnMsg = "option '--dns-domain' will be ignored "
|
warnMsg = "option '--dns-domain' will be ignored "
|
||||||
warnMsg += "as faster techniques are usable "
|
warnMsg += "as faster techniques are usable "
|
||||||
warnMsg += "(%s) " % _
|
warnMsg += "(%s) " % _
|
||||||
|
|
|
@ -17,7 +17,7 @@ if PYVERSION >= "2.6":
|
||||||
import ssl
|
import ssl
|
||||||
|
|
||||||
class ProxyHTTPConnection(httplib.HTTPConnection):
|
class ProxyHTTPConnection(httplib.HTTPConnection):
|
||||||
_ports = {"http" : 80, "https" : 443}
|
_ports = {"http": 80, "https": 443}
|
||||||
|
|
||||||
def request(self, method, url, body=None, headers={}):
|
def request(self, method, url, body=None, headers={}):
|
||||||
# Request is called before connect, so can interpret url and get
|
# Request is called before connect, so can interpret url and get
|
||||||
|
|
|
@ -93,7 +93,7 @@ class Web:
|
||||||
return self._webFileStreamUpload(stream, destFileName, directory)
|
return self._webFileStreamUpload(stream, destFileName, directory)
|
||||||
|
|
||||||
def _webFileStreamUpload(self, stream, destFileName, directory):
|
def _webFileStreamUpload(self, stream, destFileName, directory):
|
||||||
stream.seek(0) # Rewind
|
stream.seek(0) # Rewind
|
||||||
|
|
||||||
try:
|
try:
|
||||||
setattr(stream, "name", destFileName)
|
setattr(stream, "name", destFileName)
|
||||||
|
|
|
@ -157,16 +157,16 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
|
||||||
|
|
||||||
if hintValue is not None and len(hintValue) >= idx:
|
if hintValue is not None and len(hintValue) >= idx:
|
||||||
if Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.ACCESS, DBMS.MAXDB, DBMS.DB2):
|
if Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.ACCESS, DBMS.MAXDB, DBMS.DB2):
|
||||||
posValue = hintValue[idx-1]
|
posValue = hintValue[idx - 1]
|
||||||
else:
|
else:
|
||||||
posValue = ord(hintValue[idx-1])
|
posValue = ord(hintValue[idx - 1])
|
||||||
|
|
||||||
forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_EQUALS_CHAR), (expressionUnescaped, idx, posValue))
|
forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_EQUALS_CHAR), (expressionUnescaped, idx, posValue))
|
||||||
result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
|
result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
|
||||||
incrementCounter(kb.technique)
|
incrementCounter(kb.technique)
|
||||||
|
|
||||||
if result:
|
if result:
|
||||||
return hintValue[idx-1]
|
return hintValue[idx - 1]
|
||||||
|
|
||||||
with hintlock:
|
with hintlock:
|
||||||
kb.hintValue = None
|
kb.hintValue = None
|
||||||
|
@ -406,7 +406,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
|
||||||
if startCharIndex > 0:
|
if startCharIndex > 0:
|
||||||
output = '..' + output[2:]
|
output = '..' + output[2:]
|
||||||
|
|
||||||
if (endCharIndex - startCharIndex == conf.progressWidth) and (endCharIndex < length-1):
|
if (endCharIndex - startCharIndex == conf.progressWidth) and (endCharIndex < length - 1):
|
||||||
output = output[:-2] + '..'
|
output = output[:-2] + '..'
|
||||||
|
|
||||||
if conf.verbose in (1, 2) and not showEta:
|
if conf.verbose in (1, 2) and not showEta:
|
||||||
|
@ -471,7 +471,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
|
||||||
if showEta:
|
if showEta:
|
||||||
etaProgressUpdate(time.time() - charStart, len(commonValue))
|
etaProgressUpdate(time.time() - charStart, len(commonValue))
|
||||||
elif conf.verbose in (1, 2):
|
elif conf.verbose in (1, 2):
|
||||||
dataToStdout(filterControlChars(commonValue[index-1:]))
|
dataToStdout(filterControlChars(commonValue[index - 1:]))
|
||||||
|
|
||||||
finalValue = commonValue
|
finalValue = commonValue
|
||||||
|
|
||||||
|
@ -490,8 +490,8 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
|
||||||
|
|
||||||
# Did we have luck?
|
# Did we have luck?
|
||||||
if result:
|
if result:
|
||||||
val = commonPattern[index-1:]
|
val = commonPattern[index - 1:]
|
||||||
index += len(val)-1
|
index += len(val) - 1
|
||||||
|
|
||||||
# Otherwise if there is no commonValue (single match from
|
# Otherwise if there is no commonValue (single match from
|
||||||
# txt/common-outputs.txt) and no commonPattern
|
# txt/common-outputs.txt) and no commonPattern
|
||||||
|
|
|
@ -100,7 +100,7 @@ def _findUnionCharCount(comment, place, parameter, value, prefix, suffix, where=
|
||||||
min_, max_ = MAX_RATIO, MIN_RATIO
|
min_, max_ = MAX_RATIO, MIN_RATIO
|
||||||
pages = {}
|
pages = {}
|
||||||
|
|
||||||
for count in xrange(lowerCount, upperCount+1):
|
for count in xrange(lowerCount, upperCount + 1):
|
||||||
query = agent.forgeUnionQuery('', -1, count, comment, prefix, suffix, kb.uChar, where)
|
query = agent.forgeUnionQuery('', -1, count, comment, prefix, suffix, kb.uChar, where)
|
||||||
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
|
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
|
||||||
page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
|
page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
|
||||||
|
|
|
@ -95,19 +95,19 @@ def security_headers():
|
||||||
# HTTP Status Code functions #
|
# HTTP Status Code functions #
|
||||||
##############################
|
##############################
|
||||||
|
|
||||||
@error(401) # Access Denied
|
@error(401) # Access Denied
|
||||||
def error401(error=None):
|
def error401(error=None):
|
||||||
return "Access denied"
|
return "Access denied"
|
||||||
|
|
||||||
@error(404) # Not Found
|
@error(404) # Not Found
|
||||||
def error404(error=None):
|
def error404(error=None):
|
||||||
return "Nothing here"
|
return "Nothing here"
|
||||||
|
|
||||||
@error(405) # Method Not Allowed (e.g. when requesting a POST method via GET)
|
@error(405) # Method Not Allowed (e.g. when requesting a POST method via GET)
|
||||||
def error405(error=None):
|
def error405(error=None):
|
||||||
return "Method not allowed"
|
return "Method not allowed"
|
||||||
|
|
||||||
@error(500) # Internal Server Error
|
@error(500) # Internal Server Error
|
||||||
def error500(error=None):
|
def error500(error=None):
|
||||||
return "Internal server error"
|
return "Internal server error"
|
||||||
|
|
||||||
|
@ -324,7 +324,7 @@ def scan_log_limited(taskid, start, end):
|
||||||
if not start.isdigit() or not end.isdigit() or end <= start:
|
if not start.isdigit() or not end.isdigit() or end <= start:
|
||||||
abort(500, "Invalid start or end value, must be digits")
|
abort(500, "Invalid start or end value, must be digits")
|
||||||
|
|
||||||
start = max(0, int(start)-1)
|
start = max(0, int(start) - 1)
|
||||||
end = max(1, int(end))
|
end = max(1, int(end))
|
||||||
pickledLog = os.read(pipes[taskid][0], 100000)
|
pickledLog = os.read(pipes[taskid][0], 100000)
|
||||||
|
|
||||||
|
|
|
@ -88,7 +88,7 @@ def crawl(target):
|
||||||
threadData.shared.deeper.add(url)
|
threadData.shared.deeper.add(url)
|
||||||
if re.search(r"(.*?)\?(.+)", url):
|
if re.search(r"(.*?)\?(.+)", url):
|
||||||
threadData.shared.value.add(url)
|
threadData.shared.value.add(url)
|
||||||
except UnicodeEncodeError: # for non-HTML files
|
except UnicodeEncodeError: # for non-HTML files
|
||||||
pass
|
pass
|
||||||
finally:
|
finally:
|
||||||
if conf.forms:
|
if conf.forms:
|
||||||
|
|
|
@ -19,7 +19,8 @@ class _Getch(object):
|
||||||
except(AttributeError, ImportError):
|
except(AttributeError, ImportError):
|
||||||
self.impl = _GetchUnix()
|
self.impl = _GetchUnix()
|
||||||
|
|
||||||
def __call__(self): return self.impl()
|
def __call__(self):
|
||||||
|
return self.impl()
|
||||||
|
|
||||||
|
|
||||||
class _GetchUnix(object):
|
class _GetchUnix(object):
|
||||||
|
@ -56,11 +57,11 @@ class _GetchMacCarbon(object):
|
||||||
"""
|
"""
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
import Carbon
|
import Carbon
|
||||||
Carbon.Evt #see if it has this (in Unix, it doesn't)
|
Carbon.Evt # see if it has this (in Unix, it doesn't)
|
||||||
|
|
||||||
def __call__(self):
|
def __call__(self):
|
||||||
import Carbon
|
import Carbon
|
||||||
if Carbon.Evt.EventAvail(0x0008)[0]==0: # 0x0008 is the keyDownMask
|
if Carbon.Evt.EventAvail(0x0008)[0] == 0: # 0x0008 is the keyDownMask
|
||||||
return ''
|
return ''
|
||||||
else:
|
else:
|
||||||
#
|
#
|
||||||
|
@ -72,8 +73,9 @@ class _GetchMacCarbon(object):
|
||||||
# number is converted to an ASCII character with chr() and
|
# number is converted to an ASCII character with chr() and
|
||||||
# returned
|
# returned
|
||||||
#
|
#
|
||||||
(what,msg,when,where,mod)=Carbon.Evt.GetNextEvent(0x0008)[1]
|
(what, msg, when, where, mod) = Carbon.Evt.GetNextEvent(0x0008)[1]
|
||||||
return chr(msg & 0x000000FF)
|
return chr(msg & 0x000000FF)
|
||||||
|
|
||||||
|
|
||||||
getch = _Getch()
|
getch = _Getch()
|
||||||
|
|
||||||
|
|
|
@ -61,7 +61,7 @@ class Google(object):
|
||||||
url = "http://www.google.com/search?"
|
url = "http://www.google.com/search?"
|
||||||
url += "q=%s&" % urlencode(dork, convall=True)
|
url += "q=%s&" % urlencode(dork, convall=True)
|
||||||
url += "num=100&hl=en&complete=0&safe=off&filter=0&btnG=Search"
|
url += "num=100&hl=en&complete=0&safe=off&filter=0&btnG=Search"
|
||||||
url += "&start=%d" % ((gpage-1) * 100)
|
url += "&start=%d" % ((gpage - 1) * 100)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
conn = self.opener.open(url)
|
conn = self.opener.open(url)
|
||||||
|
|
|
@ -81,7 +81,7 @@ def mysql_passwd(password, uppercase=True):
|
||||||
|
|
||||||
return retVal.upper() if uppercase else retVal.lower()
|
return retVal.upper() if uppercase else retVal.lower()
|
||||||
|
|
||||||
def mysql_old_passwd(password, uppercase=True): # prior to version '4.1'
|
def mysql_old_passwd(password, uppercase=True): # prior to version '4.1'
|
||||||
"""
|
"""
|
||||||
Reference(s):
|
Reference(s):
|
||||||
http://www.sfr-fresh.com/unix/privat/tpop3d-1.5.5.tar.gz:a/tpop3d-1.5.5/password.c
|
http://www.sfr-fresh.com/unix/privat/tpop3d-1.5.5.tar.gz:a/tpop3d-1.5.5/password.c
|
||||||
|
@ -136,7 +136,7 @@ def mssql_passwd(password, salt, uppercase=False):
|
||||||
|
|
||||||
return "0x%s" % (retVal.upper() if uppercase else retVal.lower())
|
return "0x%s" % (retVal.upper() if uppercase else retVal.lower())
|
||||||
|
|
||||||
def mssql_old_passwd(password, salt, uppercase=True): # prior to version '2005'
|
def mssql_old_passwd(password, salt, uppercase=True): # prior to version '2005'
|
||||||
"""
|
"""
|
||||||
Reference(s):
|
Reference(s):
|
||||||
www.exploit-db.com/download_pdf/15537/
|
www.exploit-db.com/download_pdf/15537/
|
||||||
|
@ -167,11 +167,11 @@ def oracle_passwd(password, salt, uppercase=True):
|
||||||
|
|
||||||
binsalt = hexdecode(salt)
|
binsalt = hexdecode(salt)
|
||||||
|
|
||||||
retVal="s:%s%s" % (sha1(utf8encode(password) + binsalt).hexdigest(), salt)
|
retVal = "s:%s%s" % (sha1(utf8encode(password) + binsalt).hexdigest(), salt)
|
||||||
|
|
||||||
return retVal.upper() if uppercase else retVal.lower()
|
return retVal.upper() if uppercase else retVal.lower()
|
||||||
|
|
||||||
def oracle_old_passwd(password, username, uppercase=True): # prior to version '11g'
|
def oracle_old_passwd(password, username, uppercase=True): # prior to version '11g'
|
||||||
"""
|
"""
|
||||||
Reference(s):
|
Reference(s):
|
||||||
http://www.notesbit.com/index.php/scripts-oracle/oracle-11g-new-password-algorithm-is-revealed-by-seclistsorg/
|
http://www.notesbit.com/index.php/scripts-oracle/oracle-11g-new-password-algorithm-is-revealed-by-seclistsorg/
|
||||||
|
@ -180,10 +180,10 @@ def oracle_old_passwd(password, username, uppercase=True): # prior to version '1
|
||||||
'F894844C34402B67'
|
'F894844C34402B67'
|
||||||
"""
|
"""
|
||||||
|
|
||||||
IV, pad = "\0"*8, "\0"
|
IV, pad = "\0" * 8, "\0"
|
||||||
|
|
||||||
if isinstance(username, unicode):
|
if isinstance(username, unicode):
|
||||||
username = unicode.encode(username, UNICODE_ENCODING) #pyDes has issues with unicode strings
|
username = unicode.encode(username, UNICODE_ENCODING) # pyDes has issues with unicode strings
|
||||||
|
|
||||||
unistr = "".join("\0%s" % c for c in (username + password).upper())
|
unistr = "".join("\0%s" % c for c in (username + password).upper())
|
||||||
|
|
||||||
|
@ -255,7 +255,7 @@ def wordpress_passwd(password, salt, count, prefix, uppercase=False):
|
||||||
if i < count:
|
if i < count:
|
||||||
value = value | (ord(input_[i]) << 8)
|
value = value | (ord(input_[i]) << 8)
|
||||||
|
|
||||||
output = output + ITOA64[(value>>6) & 0x3f]
|
output = output + ITOA64[(value >> 6) & 0x3f]
|
||||||
|
|
||||||
i += 1
|
i += 1
|
||||||
if i >= count:
|
if i >= count:
|
||||||
|
@ -264,13 +264,13 @@ def wordpress_passwd(password, salt, count, prefix, uppercase=False):
|
||||||
if i < count:
|
if i < count:
|
||||||
value = value | (ord(input_[i]) << 16)
|
value = value | (ord(input_[i]) << 16)
|
||||||
|
|
||||||
output = output + ITOA64[(value>>12) & 0x3f]
|
output = output + ITOA64[(value >> 12) & 0x3f]
|
||||||
|
|
||||||
i += 1
|
i += 1
|
||||||
if i >= count:
|
if i >= count:
|
||||||
break
|
break
|
||||||
|
|
||||||
output = output + ITOA64[(value>>18) & 0x3f]
|
output = output + ITOA64[(value >> 18) & 0x3f]
|
||||||
|
|
||||||
return output
|
return output
|
||||||
|
|
||||||
|
@ -463,7 +463,7 @@ def _bruteProcessVariantA(attack_info, hash_regex, suffix, retVal, proc_id, proc
|
||||||
word = word + suffix
|
word = word + suffix
|
||||||
|
|
||||||
try:
|
try:
|
||||||
current = __functions__[hash_regex](password = word, uppercase = False)
|
current = __functions__[hash_regex](password=word, uppercase=False)
|
||||||
|
|
||||||
count += 1
|
count += 1
|
||||||
|
|
||||||
|
@ -498,7 +498,7 @@ def _bruteProcessVariantA(attack_info, hash_regex, suffix, retVal, proc_id, proc
|
||||||
raise
|
raise
|
||||||
|
|
||||||
except (UnicodeEncodeError, UnicodeDecodeError):
|
except (UnicodeEncodeError, UnicodeDecodeError):
|
||||||
pass # ignore possible encoding problems caused by some words in custom dictionaries
|
pass # ignore possible encoding problems caused by some words in custom dictionaries
|
||||||
|
|
||||||
except Exception:
|
except Exception:
|
||||||
warnMsg = "there was a problem while hashing entry: %s. " % repr(word)
|
warnMsg = "there was a problem while hashing entry: %s. " % repr(word)
|
||||||
|
@ -523,7 +523,7 @@ def _bruteProcessVariantB(user, hash_, kwargs, hash_regex, suffix, retVal, found
|
||||||
if found.value:
|
if found.value:
|
||||||
break
|
break
|
||||||
|
|
||||||
current = __functions__[hash_regex](password = word, uppercase = False, **kwargs)
|
current = __functions__[hash_regex](password=word, uppercase=False, **kwargs)
|
||||||
count += 1
|
count += 1
|
||||||
|
|
||||||
if not isinstance(word, basestring):
|
if not isinstance(word, basestring):
|
||||||
|
@ -534,7 +534,7 @@ def _bruteProcessVariantB(user, hash_, kwargs, hash_regex, suffix, retVal, found
|
||||||
|
|
||||||
try:
|
try:
|
||||||
if hash_ == current:
|
if hash_ == current:
|
||||||
if hash_regex == HASH.ORACLE_OLD: #only for cosmetic purposes
|
if hash_regex == HASH.ORACLE_OLD: # only for cosmetic purposes
|
||||||
word = word.upper()
|
word = word.upper()
|
||||||
|
|
||||||
retVal.put((user, hash_, word))
|
retVal.put((user, hash_, word))
|
||||||
|
@ -565,7 +565,7 @@ def _bruteProcessVariantB(user, hash_, kwargs, hash_regex, suffix, retVal, found
|
||||||
raise
|
raise
|
||||||
|
|
||||||
except (UnicodeEncodeError, UnicodeDecodeError):
|
except (UnicodeEncodeError, UnicodeDecodeError):
|
||||||
pass # ignore possible encoding problems caused by some words in custom dictionaries
|
pass # ignore possible encoding problems caused by some words in custom dictionaries
|
||||||
|
|
||||||
except Exception, e:
|
except Exception, e:
|
||||||
warnMsg = "there was a problem while hashing entry: %s (%s). " % (repr(word), e)
|
warnMsg = "there was a problem while hashing entry: %s (%s). " % (repr(word), e)
|
||||||
|
@ -629,7 +629,7 @@ def dictionaryAttack(attack_dict):
|
||||||
elif hash_regex in (HASH.CRYPT_GENERIC):
|
elif hash_regex in (HASH.CRYPT_GENERIC):
|
||||||
item = [(user, hash_), {'salt': hash_[0:2]}]
|
item = [(user, hash_), {'salt': hash_[0:2]}]
|
||||||
elif hash_regex in (HASH.WORDPRESS):
|
elif hash_regex in (HASH.WORDPRESS):
|
||||||
item = [(user, hash_), {'salt': hash_[4:12], 'count': 1<<ITOA64.index(hash_[3]), 'prefix': hash_[:12]}]
|
item = [(user, hash_), {'salt': hash_[4:12], 'count': 1 << ITOA64.index(hash_[3]), 'prefix': hash_[:12]}]
|
||||||
|
|
||||||
if item and hash_ not in keys:
|
if item and hash_ not in keys:
|
||||||
resumed = hashDBRetrieve(hash_)
|
resumed = hashDBRetrieve(hash_)
|
||||||
|
|
|
@ -18,3 +18,4 @@ class Enumeration(GenericEnumeration):
|
||||||
logger.warn(warnMsg)
|
logger.warn(warnMsg)
|
||||||
|
|
||||||
return {}
|
return {}
|
||||||
|
|
||||||
|
|
|
@ -47,7 +47,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
return None
|
return None
|
||||||
|
|
||||||
def getFingerprint(self):
|
def getFingerprint(self):
|
||||||
value = ""
|
value = ""
|
||||||
wsOsFp = Format.getOs("web server", kb.headersFp)
|
wsOsFp = Format.getOs("web server", kb.headersFp)
|
||||||
|
|
||||||
if wsOsFp:
|
if wsOsFp:
|
||||||
|
|
|
@ -40,7 +40,7 @@ class Connector(GenericConnector):
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.connector = kinterbasdb.connect(host=self.hostname.encode(UNICODE_ENCODING), database=self.db.encode(UNICODE_ENCODING), \
|
self.connector = kinterbasdb.connect(host=self.hostname.encode(UNICODE_ENCODING), database=self.db.encode(UNICODE_ENCODING), \
|
||||||
user=self.user.encode(UNICODE_ENCODING), password=self.password.encode(UNICODE_ENCODING), charset="UTF8") #http://www.daniweb.com/forums/thread248499.html
|
user=self.user.encode(UNICODE_ENCODING), password=self.password.encode(UNICODE_ENCODING), charset="UTF8") # Reference: http://www.daniweb.com/forums/thread248499.html
|
||||||
except kinterbasdb.OperationalError, msg:
|
except kinterbasdb.OperationalError, msg:
|
||||||
raise SqlmapConnectionException(msg[1])
|
raise SqlmapConnectionException(msg[1])
|
||||||
self.setCursor()
|
self.setCursor()
|
||||||
|
|
|
@ -70,16 +70,16 @@ class Fingerprint(GenericFingerprint):
|
||||||
def _sysTablesCheck(self):
|
def _sysTablesCheck(self):
|
||||||
retVal = None
|
retVal = None
|
||||||
table = (
|
table = (
|
||||||
("1.0", ["EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)"]),
|
("1.0", ("EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)",)),
|
||||||
("1.5", ["NULLIF(%d,%d) IS NULL", "EXISTS(SELECT CURRENT_TRANSACTION FROM RDB$DATABASE)"]),
|
("1.5", ("NULLIF(%d,%d) IS NULL", "EXISTS(SELECT CURRENT_TRANSACTION FROM RDB$DATABASE)")),
|
||||||
("2.0", ["EXISTS(SELECT CURRENT_TIME(0) FROM RDB$DATABASE)", "BIT_LENGTH(%d)>0", "CHAR_LENGTH(%d)>0"]),
|
("2.0", ("EXISTS(SELECT CURRENT_TIME(0) FROM RDB$DATABASE)", "BIT_LENGTH(%d)>0", "CHAR_LENGTH(%d)>0")),
|
||||||
("2.1", ["BIN_XOR(%d,%d)=0", "PI()>0.%d", "RAND()<1.%d", "FLOOR(1.%d)>=0"])
|
("2.1", ("BIN_XOR(%d,%d)=0", "PI()>0.%d", "RAND()<1.%d", "FLOOR(1.%d)>=0"))
|
||||||
)
|
)
|
||||||
|
|
||||||
for i in xrange(len(table)):
|
for i in xrange(len(table)):
|
||||||
version, checks = table[i]
|
version, checks = table[i]
|
||||||
failed = False
|
failed = False
|
||||||
check = checks[randomRange(0, len(checks)-1)].replace("%d", getUnicode(randomRange(1,100)))
|
check = checks[randomRange(0, len(checks) - 1)].replace("%d", getUnicode(randomRange(1, 100)))
|
||||||
result = inject.checkBooleanExpression(check)
|
result = inject.checkBooleanExpression(check)
|
||||||
|
|
||||||
if result:
|
if result:
|
||||||
|
|
|
@ -148,7 +148,7 @@ class Enumeration(GenericEnumeration):
|
||||||
|
|
||||||
randStr = randomStr()
|
randStr = randomStr()
|
||||||
query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(tbl), ("'%s'" % unsafeSQLIdentificatorNaming(conf.db)) if unsafeSQLIdentificatorNaming(conf.db) != "USER" else 'USER')
|
query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(tbl), ("'%s'" % unsafeSQLIdentificatorNaming(conf.db)) if unsafeSQLIdentificatorNaming(conf.db) != "USER" else 'USER')
|
||||||
retVal = pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.columnname' % randStr,'%s.datatype' % randStr,'%s.len' % randStr], blind=True)
|
retVal = pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.columnname' % randStr, '%s.datatype' % randStr, '%s.len' % randStr], blind=True)
|
||||||
|
|
||||||
if retVal:
|
if retVal:
|
||||||
table = {}
|
table = {}
|
||||||
|
|
|
@ -44,7 +44,7 @@ class Filesystem(GenericFilesystem):
|
||||||
for fileLine in xrange(0, len(fileContent), lineLen):
|
for fileLine in xrange(0, len(fileContent), lineLen):
|
||||||
scrString = ""
|
scrString = ""
|
||||||
|
|
||||||
for lineChar in fileContent[fileLine:fileLine+lineLen]:
|
for lineChar in fileContent[fileLine:fileLine + lineLen]:
|
||||||
strLineChar = hexencode(lineChar)
|
strLineChar = hexencode(lineChar)
|
||||||
|
|
||||||
if not scrString:
|
if not scrString:
|
||||||
|
|
|
@ -68,7 +68,7 @@ class Takeover(GenericTakeover):
|
||||||
hexStr = binascii.hexlify(self.shellcodeString[:-1])
|
hexStr = binascii.hexlify(self.shellcodeString[:-1])
|
||||||
|
|
||||||
for hexPair in xrange(0, len(hexStr), 2):
|
for hexPair in xrange(0, len(hexStr), 2):
|
||||||
shellcodeChar += "CHAR(0x%s)+" % hexStr[hexPair:hexPair+2]
|
shellcodeChar += "CHAR(0x%s)+" % hexStr[hexPair:hexPair + 2]
|
||||||
|
|
||||||
shellcodeChar = shellcodeChar[:-1]
|
shellcodeChar = shellcodeChar[:-1]
|
||||||
|
|
||||||
|
|
|
@ -206,7 +206,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
elif inject.checkBooleanExpression("@@table_open_cache=@@table_open_cache"):
|
elif inject.checkBooleanExpression("@@table_open_cache=@@table_open_cache"):
|
||||||
if inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.GLOBAL_STATUS LIMIT 0, 1)" % (randInt, randInt)):
|
if inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.GLOBAL_STATUS LIMIT 0, 1)" % (randInt, randInt)):
|
||||||
Backend.setVersionList([">= 5.1.12", "< 5.5.0"])
|
Backend.setVersionList([">= 5.1.12", "< 5.5.0"])
|
||||||
elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PROCESSLIST LIMIT 0, 1)" % (randInt,randInt)):
|
elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PROCESSLIST LIMIT 0, 1)" % (randInt, randInt)):
|
||||||
Backend.setVersionList([">= 5.1.7", "< 5.1.12"])
|
Backend.setVersionList([">= 5.1.7", "< 5.1.12"])
|
||||||
elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PARTITIONS LIMIT 0, 1)" % (randInt, randInt)):
|
elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PARTITIONS LIMIT 0, 1)" % (randInt, randInt)):
|
||||||
Backend.setVersion("= 5.1.6")
|
Backend.setVersion("= 5.1.6")
|
||||||
|
|
|
@ -39,7 +39,7 @@ class Syntax(GenericSyntax):
|
||||||
break
|
break
|
||||||
|
|
||||||
firstIndex = index
|
firstIndex = index
|
||||||
index = expression[firstIndex+2:].find("'")
|
index = expression[firstIndex + 2:].find("'")
|
||||||
|
|
||||||
if index == -1:
|
if index == -1:
|
||||||
raise SqlmapSyntaxException("Unenclosed ' in '%s'" % expression)
|
raise SqlmapSyntaxException("Unenclosed ' in '%s'" % expression)
|
||||||
|
@ -49,8 +49,8 @@ class Syntax(GenericSyntax):
|
||||||
oldUpper = old.upper()
|
oldUpper = old.upper()
|
||||||
oldUpper = oldUpper.replace("X'", "").replace("'", "")
|
oldUpper = oldUpper.replace("X'", "").replace("'", "")
|
||||||
|
|
||||||
for i in xrange(len(oldUpper)/2):
|
for i in xrange(len(oldUpper) / 2):
|
||||||
char = oldUpper[i*2:i*2+2]
|
char = oldUpper[i * 2:i * 2 + 2]
|
||||||
escaped = "'%s'" % chr(int(char, 16))
|
escaped = "'%s'" % chr(int(char, 16))
|
||||||
expression = expression.replace(old, escaped)
|
expression = expression.replace(old, escaped)
|
||||||
|
|
||||||
|
|
|
@ -233,7 +233,7 @@ class Enumeration(GenericEnumeration):
|
||||||
for blind in blinds:
|
for blind in blinds:
|
||||||
randStr = randomStr()
|
randStr = randomStr()
|
||||||
query = rootQuery.inband.query % (conf.db, conf.db, conf.db, conf.db, conf.db, conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl))
|
query = rootQuery.inband.query % (conf.db, conf.db, conf.db, conf.db, conf.db, conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl))
|
||||||
retVal = pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.name' % randStr,'%s.usertype' % randStr], blind=blind)
|
retVal = pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.name' % randStr, '%s.usertype' % randStr], blind=blind)
|
||||||
|
|
||||||
if retVal:
|
if retVal:
|
||||||
table = {}
|
table = {}
|
||||||
|
|
|
@ -115,7 +115,7 @@ class Filesystem:
|
||||||
if not single:
|
if not single:
|
||||||
if len(content) > 256:
|
if len(content) > 256:
|
||||||
for i in xrange(0, len(content), 256):
|
for i in xrange(0, len(content), 256):
|
||||||
_ = content[i:i+256]
|
_ = content[i:i + 256]
|
||||||
|
|
||||||
if encoding == "hex":
|
if encoding == "hex":
|
||||||
_ = "0x%s" % _
|
_ = "0x%s" % _
|
||||||
|
|
|
@ -184,9 +184,9 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
|
||||||
goUdf = True
|
goUdf = True
|
||||||
|
|
||||||
if goUdf:
|
if goUdf:
|
||||||
exitfunc="thread"
|
exitfunc = "thread"
|
||||||
else:
|
else:
|
||||||
exitfunc="process"
|
exitfunc = "process"
|
||||||
|
|
||||||
self.createMsfShellcode(exitfunc=exitfunc, format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed")
|
self.createMsfShellcode(exitfunc=exitfunc, format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed")
|
||||||
|
|
||||||
|
|
|
@ -55,9 +55,9 @@ def tamper(payload, **kwargs):
|
||||||
doublequote = not doublequote
|
doublequote = not doublequote
|
||||||
|
|
||||||
elif payload[i] == ">" and not doublequote and not quote:
|
elif payload[i] == ">" and not doublequote and not quote:
|
||||||
retVal += " " if i > 0 and not payload[i-1].isspace() else ""
|
retVal += " " if i > 0 and not payload[i - 1].isspace() else ""
|
||||||
retVal += "NOT BETWEEN %s AND" % ('0' if re.search(r"\A[^\w]*\d", payload[i+1:]) else "NULL")
|
retVal += "NOT BETWEEN %s AND" % ('0' if re.search(r"\A[^\w]*\d", payload[i + 1:]) else "NULL")
|
||||||
retVal += " " if i < len(payload) - 1 and not payload[i+1:i+2].isspace() else ""
|
retVal += " " if i < len(payload) - 1 and not payload[i + 1:i + 2].isspace() else ""
|
||||||
|
|
||||||
continue
|
continue
|
||||||
|
|
||||||
|
|
|
@ -36,8 +36,8 @@ def tamper(payload, **kwargs):
|
||||||
i = 0
|
i = 0
|
||||||
|
|
||||||
while i < len(payload):
|
while i < len(payload):
|
||||||
if payload[i] == '%' and (i < len(payload) - 2) and payload[i+1:i+2] in string.hexdigits and payload[i+2:i+3] in string.hexdigits:
|
if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
|
||||||
retVal += payload[i:i+3]
|
retVal += payload[i:i + 3]
|
||||||
i += 3
|
i += 3
|
||||||
else:
|
else:
|
||||||
retVal += '%%25%.2X' % ord(payload[i])
|
retVal += '%%25%.2X' % ord(payload[i])
|
||||||
|
|
|
@ -43,8 +43,8 @@ def tamper(payload, **kwargs):
|
||||||
i = 0
|
i = 0
|
||||||
|
|
||||||
while i < len(payload):
|
while i < len(payload):
|
||||||
if payload[i] == '%' and (i < len(payload) - 2) and payload[i+1:i+2] in string.hexdigits and payload[i+2:i+3] in string.hexdigits:
|
if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
|
||||||
retVal += payload[i:i+3]
|
retVal += payload[i:i + 3]
|
||||||
i += 3
|
i += 3
|
||||||
else:
|
else:
|
||||||
retVal += '%%%.2X' % ord(payload[i])
|
retVal += '%%%.2X' % ord(payload[i])
|
||||||
|
|
|
@ -48,8 +48,8 @@ def tamper(payload, **kwargs):
|
||||||
i = 0
|
i = 0
|
||||||
|
|
||||||
while i < len(payload):
|
while i < len(payload):
|
||||||
if payload[i] == '%' and (i < len(payload) - 2) and payload[i+1:i+2] in string.hexdigits and payload[i+2:i+3] in string.hexdigits:
|
if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
|
||||||
retVal += "%%u00%s" % payload[i+1:i+3]
|
retVal += "%%u00%s" % payload[i + 1:i + 3]
|
||||||
i += 3
|
i += 3
|
||||||
else:
|
else:
|
||||||
retVal += '%%u%.4X' % ord(payload[i])
|
retVal += '%%u%.4X' % ord(payload[i])
|
||||||
|
|
|
@ -57,7 +57,7 @@ def tamper(payload, **kwargs):
|
||||||
_ = payload[index + len("IFNULL("):comma]
|
_ = payload[index + len("IFNULL("):comma]
|
||||||
__ = payload[comma + 1:end]
|
__ = payload[comma + 1:end]
|
||||||
newVal = "IF(ISNULL(%s),%s,%s)" % (_, __, _)
|
newVal = "IF(ISNULL(%s),%s,%s)" % (_, __, _)
|
||||||
payload = payload[:index] + newVal + payload[end+1:]
|
payload = payload[:index] + newVal + payload[end + 1:]
|
||||||
else:
|
else:
|
||||||
break
|
break
|
||||||
|
|
||||||
|
|
|
@ -43,7 +43,7 @@ def tamper(payload, **kwargs):
|
||||||
words.add(word)
|
words.add(word)
|
||||||
|
|
||||||
for word in words:
|
for word in words:
|
||||||
retVal = re.sub("(?<=\W)%s(?=[^A-Za-z_(]|\Z)" % word, "%s%s%s" % (' '*random.randrange(1,4), word, ' '*random.randrange(1,4)), retVal)
|
retVal = re.sub("(?<=\W)%s(?=[^A-Za-z_(]|\Z)" % word, "%s%s%s" % (' ' * random.randrange(1, 4), word, ' ' * random.randrange(1, 4)), retVal)
|
||||||
retVal = re.sub("(?<=\W)%s(?=[(])" % word, "%s%s" % (' '*random.randrange(1,4), word), retVal)
|
retVal = re.sub("(?<=\W)%s(?=[(])" % word, "%s%s" % (' ' * random.randrange(1, 4), word), retVal)
|
||||||
|
|
||||||
return retVal
|
return retVal
|
||||||
|
|
|
@ -41,8 +41,8 @@ def tamper(payload, **kwargs):
|
||||||
i = 0
|
i = 0
|
||||||
|
|
||||||
while i < len(payload):
|
while i < len(payload):
|
||||||
if payload[i] == '%' and (i < len(payload) - 2) and payload[i+1:i+2] in string.hexdigits and payload[i+2:i+3] in string.hexdigits:
|
if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
|
||||||
retVal += payload[i:i+3]
|
retVal += payload[i:i + 3]
|
||||||
i += 3
|
i += 3
|
||||||
elif payload[i] != ' ':
|
elif payload[i] != ' ':
|
||||||
retVal += '%%%s' % payload[i]
|
retVal += '%%%s' % payload[i]
|
||||||
|
|
|
@ -49,7 +49,7 @@ def tamper(payload, **kwargs):
|
||||||
elif payload[i] == '"':
|
elif payload[i] == '"':
|
||||||
doublequote = not doublequote
|
doublequote = not doublequote
|
||||||
|
|
||||||
elif payload[i]==" " and not doublequote and not quote:
|
elif payload[i] == " " and not doublequote and not quote:
|
||||||
retVal += "/**/"
|
retVal += "/**/"
|
||||||
continue
|
continue
|
||||||
|
|
||||||
|
|
|
@ -40,7 +40,7 @@ def tamper(payload, **kwargs):
|
||||||
if payload[i].isspace():
|
if payload[i].isspace():
|
||||||
randomStr = ''.join(random.choice(string.ascii_uppercase + string.lowercase) for _ in xrange(random.randint(6, 12)))
|
randomStr = ''.join(random.choice(string.ascii_uppercase + string.lowercase) for _ in xrange(random.randint(6, 12)))
|
||||||
retVal += "--%s%%0A" % randomStr
|
retVal += "--%s%%0A" % randomStr
|
||||||
elif payload[i] == '#' or payload[i:i+3] == '-- ':
|
elif payload[i] == '#' or payload[i:i + 3] == '-- ':
|
||||||
retVal += payload[i:]
|
retVal += payload[i:]
|
||||||
break
|
break
|
||||||
else:
|
else:
|
||||||
|
|
|
@ -46,7 +46,7 @@ def tamper(payload, **kwargs):
|
||||||
if payload[i].isspace():
|
if payload[i].isspace():
|
||||||
randomStr = ''.join(random.choice(string.ascii_uppercase + string.lowercase) for _ in xrange(random.randint(6, 12)))
|
randomStr = ''.join(random.choice(string.ascii_uppercase + string.lowercase) for _ in xrange(random.randint(6, 12)))
|
||||||
retVal += "%%23%s%%0A" % randomStr
|
retVal += "%%23%s%%0A" % randomStr
|
||||||
elif payload[i] == '#' or payload[i:i+3] == '-- ':
|
elif payload[i] == '#' or payload[i:i + 3] == '-- ':
|
||||||
retVal += payload[i:]
|
retVal += payload[i:]
|
||||||
break
|
break
|
||||||
else:
|
else:
|
||||||
|
|
|
@ -60,7 +60,7 @@ def tamper(payload, **kwargs):
|
||||||
if payload[i].isspace():
|
if payload[i].isspace():
|
||||||
randomStr = ''.join(random.choice(string.ascii_uppercase + string.lowercase) for _ in xrange(random.randint(6, 12)))
|
randomStr = ''.join(random.choice(string.ascii_uppercase + string.lowercase) for _ in xrange(random.randint(6, 12)))
|
||||||
retVal += "%%23%s%%0A" % randomStr
|
retVal += "%%23%s%%0A" % randomStr
|
||||||
elif payload[i] == '#' or payload[i:i+3] == '-- ':
|
elif payload[i] == '#' or payload[i:i + 3] == '-- ':
|
||||||
retVal += payload[i:]
|
retVal += payload[i:]
|
||||||
break
|
break
|
||||||
else:
|
else:
|
||||||
|
|
|
@ -73,7 +73,7 @@ def tamper(payload, **kwargs):
|
||||||
elif payload[i] == '"':
|
elif payload[i] == '"':
|
||||||
doublequote = not doublequote
|
doublequote = not doublequote
|
||||||
|
|
||||||
elif payload[i] == '#' or payload[i:i+3] == '-- ':
|
elif payload[i] == '#' or payload[i:i + 3] == '-- ':
|
||||||
end = True
|
end = True
|
||||||
|
|
||||||
elif payload[i] == " " and not doublequote and not quote:
|
elif payload[i] == " " and not doublequote and not quote:
|
||||||
|
|
|
@ -32,7 +32,7 @@ def tamper(payload, **kwargs):
|
||||||
for i in xrange(len(payload)):
|
for i in xrange(len(payload)):
|
||||||
if payload[i].isspace():
|
if payload[i].isspace():
|
||||||
retVal += "%23%0A"
|
retVal += "%23%0A"
|
||||||
elif payload[i] == '#' or payload[i:i+3] == '-- ':
|
elif payload[i] == '#' or payload[i:i + 3] == '-- ':
|
||||||
retVal += payload[i:]
|
retVal += payload[i:]
|
||||||
break
|
break
|
||||||
else:
|
else:
|
||||||
|
|
|
@ -41,7 +41,7 @@ def tamper(payload, **kwargs):
|
||||||
for i in xrange(len(payload)):
|
for i in xrange(len(payload)):
|
||||||
if payload[i].isspace():
|
if payload[i].isspace():
|
||||||
retVal += "--%0A"
|
retVal += "--%0A"
|
||||||
elif payload[i] == '#' or payload[i:i+3] == '-- ':
|
elif payload[i] == '#' or payload[i:i + 3] == '-- ':
|
||||||
retVal += payload[i:]
|
retVal += payload[i:]
|
||||||
break
|
break
|
||||||
else:
|
else:
|
||||||
|
|
|
@ -45,7 +45,7 @@ def tamper(payload, **kwargs):
|
||||||
elif payload[i] == '"':
|
elif payload[i] == '"':
|
||||||
doublequote = not doublequote
|
doublequote = not doublequote
|
||||||
|
|
||||||
elif payload[i]==" " and not doublequote and not quote:
|
elif payload[i] == " " and not doublequote and not quote:
|
||||||
retVal += "+"
|
retVal += "+"
|
||||||
continue
|
continue
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user