def _generateShell( self, vuln_obj ): ''' @parameter vuln_obj: The vuln to exploit, as it was saved in the kb or supplied by the user with set commands. @return: A sql_webshell shell object if sql_webshell could fingerprint the database. ''' bsql = blind_sqli_response_diff() bsql.setEqualLimit( self._equalLimit ) bsql.setEquAlgorithm( self._equAlgorithm ) dbBuilder = dbDriverBuilder( self._urlOpener, bsql.equal ) driver = dbBuilder.getDriverForVuln( vuln_obj ) if driver is None: return None else: # We have a driver, now, using this driver, we have to create the webshell in the # target's webroot! webshell_url = self._upload_webshell( driver, vuln_obj ) if webshell_url: # Define the corresponding cut... response = self._urlOpener.GET( webshell_url ) self._define_exact_cut( response.getBody(), shell_handler.SHELL_IDENTIFIER ) # Create the shell object # Set shell parameters shell_obj = sql_web_shell( vuln_obj ) shell_obj.setUrlOpener( self._urlOpener ) shell_obj.setWebShellURL( webshell_url ) shell_obj.set_cut( self._header_length, self._footer_length ) kb.kb.append( self, 'shell', shell_obj ) return shell_obj else: # Sad face :( return None
def __init__(self): baseAuditPlugin.__init__(self) self._bsqli_response_diff = blind_sqli_response_diff() self._blind_sqli_time_delay = blind_sqli_time_delay() # User configured variables self._equalLimit = 0.9 self._equAlgorithm = 'setIntersection'
def exploit(self, vulnToExploit=None): """ Exploits a [blind] sql injections vulns that was found and stored in the kb. @return: True if the shell is working and the user can start calling specific_user_input """ if not self.canExploit(): return [] else: vulns = kb.kb.getData("blindSqli", "blindSqli") vulns.extend(kb.kb.getData("sqli", "sqli")) bsql = blind_sqli_response_diff() bsql.setUrlOpener(self._urlOpener) bsql.setEqualLimit(self._equalLimit) bsql.setEquAlgorithm(self._equAlgorithm) tmp_vuln_list = [] for v in vulns: # Filter the vuln that was selected by the user if vulnToExploit is not None: if vulnToExploit != v.getId(): continue mutant = v.getMutant() mutant.setModValue(mutant.getOriginalValue()) v.setMutant(mutant) # The user didn't selected anything, or we are in the selected vuln! om.out.debug('Verifying vulnerability in URL: "' + v.getURL() + '".') vuln_obj = bsql.is_injectable(v.getMutant().getFuzzableReq(), v.getVar()) if vuln_obj: tmp_vuln_list.append(vuln_obj) # Ok, go to the next stage with the filtered vulnerabilities vulns = tmp_vuln_list if len(vulns) == 0: om.out.debug("is_injectable failed for all vulnerabilities.") return [] else: for vuln_obj in vulns: # Try to get a shell using all vuln msg = "Trying to exploit using vulnerability with id: " + str(vuln_obj.getId()) msg += ". Please wait..." om.out.console(msg) shell_obj = self._generateShell(vuln_obj) if shell_obj: if self._generateOnlyOne: # A shell was generated, I only need one point of exec. return [shell_obj] else: # Keep adding all shells to the kb pass # FIXME: Am I really saving anything here ?!?! return kb.kb.getData(self.getName(), "shell")
def exploit( self, vulnToExploit=None ): ''' Exploits a [blind] sql injections vulns that was found and stored in the kb. @return: True if the shell is working and the user can start calling specific_user_input ''' if not self.canExploit(): return [] else: vulns = list(kb.kb.getData( 'blindSqli' , 'blindSqli')) vulns.extend(kb.kb.getData( 'sqli' , 'sqli' )) bsql = blind_sqli_response_diff(self._uri_opener) bsql.set_eq_limit( self._eq_limit ) tmp_vuln_list = [] for v in vulns: # Filter the vuln that was selected by the user if vulnToExploit is not None: if vulnToExploit != v.getId(): continue mutant = v.getMutant() mutant.setModValue( mutant.getOriginalValue() ) v.setMutant( mutant ) # The user didn't selected anything, or we are in the selected vuln! om.out.debug('Verifying vulnerability in URL: "' + v.getURL() + '".') vuln_obj = bsql.is_injectable( v.getMutant() ) if vuln_obj: tmp_vuln_list.append( vuln_obj ) # Ok, go to the next stage with the filtered vulnerabilities vulns = tmp_vuln_list if len(vulns) == 0: om.out.debug('is_injectable failed for all vulnerabilities.') return [] else: for vuln_obj in vulns: # Try to get a shell using all vuln msg = 'Trying to exploit using vulnerability with id: ' + str( vuln_obj.getId() ) msg += '. Please wait...' om.out.console( msg ) shell_obj = self._generateShell( vuln_obj ) if shell_obj: if self._generateOnlyOne: # A shell was generated, I only need one point of exec. return [shell_obj, ] else: # Keep adding all shells to the kb pass return kb.kb.getData( self.getName(), 'shell' )
def fastExploit(self): """ Exploits a web app with [blind] sql injections vulns. The options are configured using the plugin options and setOptions() method. """ om.out.debug("Starting sqlmap fastExploit.") om.out.console(SQLMAPCREATORS) if self._url is None or self._method is None or self._data is None or self._injvar is None: raise w3afException("You have to configure the plugin parameters") else: freq = None if self._method == "POST": freq = httpPostDataRequest.httpPostDataRequest() elif self._method == "GET": freq = httpQsRequest.httpQsRequest() else: raise w3afException("Method not supported.") freq.setURL(self._url) freq.setDc(urlParser.getQueryString("http://a/a.txt?" + self._data)) freq.setHeaders({}) bsql = blind_sqli_response_diff() bsql.setUrlOpener(self._urlOpener) bsql.setEqualLimit(self._equalLimit) bsql.setEquAlgorithm(self._equAlgorithm) vuln_obj = bsql.is_injectable(freq, self._injvar) if not vuln_obj: raise w3afException("Could not verify SQL injection " + str(vuln)) else: om.out.console("SQL injection could be verified, trying to create the DB driver.") # Try to get a shell using all vuln msg = "Trying to exploit using vulnerability with id: " + str(vuln_obj.getId()) msg += ". Please wait..." om.out.console(msg) shell_obj = self._generateShell(vuln_obj) if shell_obj is not None: kb.kb.append(self, "shell", shell_obj) return [shell_obj] raise w3afException("No exploitable vulnerabilities found.")
def fastExploit( self ): ''' Exploits a web app with [blind] sql injections vulns. The options are configured using the plugin options and setOptions() method. ''' om.out.debug( 'Starting sqlmap fastExploit.' ) om.out.console( SQLMAPCREATORS ) if self._url is None or self._method is None or self._data is None or self._injvar is None: raise w3afException('You have to configure the plugin parameters') else: freq = None if self._method == 'POST': freq = httpPostDataRequest.httpPostDataRequest() elif self._method == 'GET': freq = httpQsRequest.httpQsRequest() else: raise w3afException('Method not supported.') freq.setURL( self._url ) freq.setDc( parse_qs( self._data ) ) freq.setHeaders( {} ) bsql = blind_sqli_response_diff() bsql.setUrlOpener( self._urlOpener ) bsql.setEqualLimit( self._equalLimit ) bsql.setEquAlgorithm( self._equAlgorithm ) vuln_obj = bsql.is_injectable( freq, self._injvar ) if not vuln_obj: raise w3afException('Could not verify SQL injection ' + str(vuln) ) else: om.out.console('SQL injection could be verified, trying to create the DB driver.') # Try to get a shell using all vuln msg = 'Trying to exploit using vulnerability with id: ' + str( vuln_obj.getId() ) msg += '. Please wait...' om.out.console( msg ) shell_obj = self._generateShell( vuln_obj ) if shell_obj is not None: kb.kb.append( self, 'shell', shell_obj ) return [shell_obj, ] raise w3afException('No exploitable vulnerabilities found.')
def audit(self, freq): ''' Tests an URL for blind SQL injection vulnerabilities. @param freq: A fuzzableRequest ''' om.out.debug('blindSqli plugin is testing: ' + freq.getURL()) # # Setup blind SQL injection detector objects # self._bsqli_response_diff = blind_sqli_response_diff(self._uri_opener) bsqli_resp_diff = self._bsqli_response_diff bsqli_resp_diff.set_eq_limit(self._eq_limit) self._blind_sqli_time_delay = blind_sqli_time_delay(self._uri_opener) bsqli_time_delay = self._blind_sqli_time_delay method_list = [bsqli_resp_diff, bsqli_time_delay] # # Use the objects to identify the vulnerabilities # fake_mutants = createMutants(freq, ['',]) for mutant in fake_mutants: if self._has_sql_injection( mutant ): # # If sqli.py was enabled and already detected a vulnerability # in this parameter, then it makes no sense to test it again # and report a duplicate to the user # continue for method in method_list: found_vuln = method.is_injectable( mutant ) if found_vuln is not None and \ self._has_no_bug(freq, varname=found_vuln.getVar()): om.out.vulnerability(found_vuln.getDesc()) kb.kb.append(self, 'blindSqli', found_vuln) break
def _generateShell(self, vuln_obj): """ @parameter vuln_obj: The vuln to exploit, as it was saved in the kb or supplied by the user with set commands. @return: A sqlmap shell object if sqlmap could fingerprint the database. """ bsql = blind_sqli_response_diff() bsql.setEqualLimit(self._equalLimit) bsql.setEquAlgorithm(self._equAlgorithm) dbBuilder = dbDriverBuilder(self._urlOpener, bsql.equal) driver = dbBuilder.getDriverForVuln(vuln_obj) if driver is None: return None else: # Create the shell object shell_obj = sqlShellObj(vuln_obj) shell_obj.setGoodSamaritan(self._goodSamaritan) shell_obj.setDriver(driver) kb.kb.append(self, "shells", shell_obj) return shell_obj
def fastExploit( self ): ''' Exploits a web app with [blind] sql injections vulns. The options are configured using the plugin options and setOptions() method. ''' om.out.debug( 'Starting sql_webshell fastExploit.' ) if any( lambda attr: attr is None, (self._url, self._method, self._data, self._injvar) ): raise w3afException('You have to configure the plugin parameters') else: if self._method == 'POST': freq = httpPostDataRequest(self._url) elif self._method == 'GET': freq = HTTPQSRequest(self._url) else: raise w3afException('Method not supported.') freq.setDc(parse_qs(self._data)) bsql = blind_sqli_response_diff(self._uri_opener) bsql.set_eq_limit(self._eq_limit) fake_mutants = createMutants(freq, [''], fuzzableParamList=[self._injvar,]) for mutant in fake_mutants: vuln_obj = bsql.is_injectable(mutant) if vuln_obj is not None: om.out.console('SQL injection verified, trying to create the DB driver.') # Try to get a shell using all vuln msg = 'Trying to exploit using vulnerability with id: ' + str(vuln_obj.getId()) msg += '. Please wait...' om.out.console(msg) shell_obj = self._generateShell(vuln_obj) if shell_obj is not None: kb.kb.append(self, 'shell', shell_obj) return [shell_obj, ] else: raise w3afException('No exploitable vulnerabilities found.')
def audit(self, freq, orig_response): ''' Tests an URL for blind SQL injection vulnerabilities. :param freq: A FuzzableRequest ''' # # Setup blind SQL injection detector objects # bsqli_resp_diff = blind_sqli_response_diff(self._uri_opener) bsqli_resp_diff.set_eq_limit(self._eq_limit) bsqli_time_delay = blind_sqli_time_delay(self._uri_opener) method_list = [bsqli_resp_diff, bsqli_time_delay] # # Use the objects to identify the vulnerabilities # fake_mutants = create_mutants(freq, [ '', ]) for mutant in fake_mutants: if self._has_sql_injection(mutant): # # If sqli.py was enabled and already detected a vulnerability # in this parameter, then it makes no sense to test it again # and report a duplicate to the user # continue for method in method_list: found_vuln = method.is_injectable(mutant) if found_vuln is not None: self.kb_append_uniq(self, 'blind_sqli', found_vuln) break
def audit(self, freq, orig_response): ''' Tests an URL for blind SQL injection vulnerabilities. :param freq: A FuzzableRequest ''' # # Setup blind SQL injection detector objects # bsqli_resp_diff = blind_sqli_response_diff(self._uri_opener) bsqli_resp_diff.set_eq_limit(self._eq_limit) bsqli_time_delay = blind_sqli_time_delay(self._uri_opener) method_list = [bsqli_resp_diff, bsqli_time_delay] # # Use the objects to identify the vulnerabilities # fake_mutants = create_mutants(freq, ['', ]) for mutant in fake_mutants: if self._has_sql_injection(mutant): # # If sqli.py was enabled and already detected a vulnerability # in this parameter, then it makes no sense to test it again # and report a duplicate to the user # continue for method in method_list: found_vuln = method.is_injectable(mutant) if found_vuln is not None: self.kb_append_uniq(self, 'blind_sqli', found_vuln) break