    def test_from_template(self):
        """
        Build a SQL injection vulnerability from a SQLiTemplate instead of
        scanning for it, store it in the knowledge base, read it back and
        hand its id to the sqlmap attack plugin.
        """
        template = SQLiTemplate()
        target_url = get_sqlmap_testenv_http('/mysql/get_int.php')

        # Fill in the template: request data "id=2", injectable parameter "id"
        opts = template.get_options()
        for option_name, option_value in (('url', target_url),
                                          ('data', 'id=2'),
                                          ('vulnerable_parameter', 'id')):
            opts[option_name].set_value(option_value)
        template.set_options(opts)

        # Store it and fetch the vulnerability we just created from the kb
        template.store_in_kb()
        kb_location = template.get_kb_location()
        stored_vuln = self.kb.get(*kb_location)[0]

        self._exploit_vuln(stored_vuln.get_id(), 'sqlmap')
    def test_proxy_gzip_encoding(self):
        """
        Fetch, through the proxy, a page that the test environment serves
        gzip-encoded. ExtendedUrllib decodes the body transparently, so the
        proxy must also rewrite Content-Encoding to "identity"; otherwise the
        client (a browser, for instance) would try to gunzip a plain body
        and fail.
        """
        target = get_sqlmap_testenv_http('/sqlmap/mysql/get_int.php?id=1')
        response = self.proxy_opener.open(target)

        # Header first, then the (already decoded) body
        encoding = dict(response.headers).get('content-encoding')
        body = response.read()

        self.assertIn('luther', body)
        self.assertEqual('identity', encoding)
    def test_proxy_gzip_encoding(self):
        """
        Fetch, through the proxy, a page that the test environment serves
        gzip-encoded. ExtendedUrllib decodes the body transparently, so the
        proxy must also rewrite Content-Encoding to "identity"; otherwise the
        client (a browser, for instance) would try to gunzip a plain body
        and fail.
        """
        target = get_sqlmap_testenv_http('/sqlmap/mysql/get_int.php?id=1')
        response = self.proxy_opener.open(target)

        # Header first, then the (already decoded) body
        encoding = dict(response.headers).get('content-encoding')
        body = response.read()

        self.assertIn('luther', body)
        self.assertEqual('identity', encoding)
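class TestSQLMapShell(ReadExploitTest):
    """
    Integration tests for the sqlmap attack plugin: find a (blind) SQL
    injection with the audit plugins, or build one from a template, and
    then hand the vulnerability id to sqlmap for exploitation.

    `assertEquals` is a deprecated alias (removed in Python 3.12); the
    canonical `assertEqual` is used throughout.
    """

    # Error-based and blind injection targets in sqlmap's testenv
    SQLI = get_sqlmap_testenv_http('/mysql/get_int.php?id=2')
    BSQLI = get_sqlmap_testenv_http('/mysql/get_int_noerror.php?id=3')

    _run_configs = {
        'sqli': {
            'target': SQLI,
            'plugins': {
                'audit': (PluginConfig('sqli'),),
            }
        },

        'blind_sqli': {
            'target': BSQLI,
            'plugins': {
                'audit': (PluginConfig('blind_sqli'),),
                # NOTE(review): only_forward presumably keeps web_spider on
                # the target's path — confirm against the plugin's options
                'crawl': (PluginConfig('web_spider',
                          ('only_forward', True, PluginConfig.BOOL)),)
            }
        }
    }

    def test_found_exploit_sqlmap_sqli(self):
        """
        Scan the error-based target with the sqli audit plugin, check that
        exactly one "SQL injection" vulnerability for get_int.php / id is in
        the kb and exploit it through the inherited _exploit_vuln helper.
        """
        # Run the scan
        cfg = self._run_configs['sqli']
        self._scan(cfg['target'], cfg['plugins'])

        # Assert the general results
        vulns = self.kb.get('sqli', 'sqli')
        self.assertEqual(1, len(vulns), vulns)
        self.assertTrue(all("SQL injection" == v.get_name() for v in vulns))

        # Verify the specifics about the vulnerabilities
        EXPECTED = [('get_int.php', 'id')]

        found_vulns = [(v.get_url().get_file_name(),
                        v.get_mutant().get_token_name()) for v in vulns]

        self.assertEqual(set(EXPECTED), set(found_vulns))

        vuln_to_exploit_id = [v.get_id() for v in vulns
                              if v.get_url().get_file_name() == EXPECTED[0][0]][0]

        self._exploit_vuln(vuln_to_exploit_id, 'sqlmap')

    def test_found_exploit_sqlmap_blind_sqli(self):
        """
        Scan the blind target (no error output) with the blind_sqli audit
        plugin plus the spider, check the single finding and exploit it
        with sqlmap.
        """
        # Run the scan
        cfg = self._run_configs['blind_sqli']
        self._scan(cfg['target'], cfg['plugins'])

        # Assert the general results
        vulns = self.kb.get('blind_sqli', 'blind_sqli')

        self.assertEqual(1, len(vulns))
        vuln = vulns[0]

        self.assertEqual("Blind SQL injection vulnerability", vuln.get_name())
        self.assertEqual('id', vuln.get_mutant().get_token_name())
        self.assertEqual('get_int_noerror.php', vuln.get_url().get_file_name())

        vuln_to_exploit_id = vuln.get_id()
        self._exploit_vuln(vuln_to_exploit_id, 'sqlmap')

    def test_from_template(self):
        """
        Build the vulnerability from a SQLiTemplate (no scan), store it in
        the kb, read it back and exploit it with sqlmap.
        """
        sqlit = SQLiTemplate()

        # Request data "id=2", injectable parameter "id"
        options = sqlit.get_options()
        path = '/mysql/get_int.php'
        options['url'].set_value(get_sqlmap_testenv_http(path))
        options['data'].set_value('id=2')
        options['vulnerable_parameter'].set_value('id')
        sqlit.set_options(options)

        sqlit.store_in_kb()
        vuln = self.kb.get(*sqlit.get_kb_location())[0]
        vuln_to_exploit_id = vuln.get_id()

        self._exploit_vuln(vuln_to_exploit_id, 'sqlmap')

    def test_found_exploit_blind_sqli_form_GET(self):
        """
        Reproduce bug https://github.com/andresriancho/w3af/issues/262
        "it appears that you have provided tainted parameter values"

        The target is a moth form submitted via GET; unlike the other tests
        this one drives the attack plugin directly (can_exploit / exploit)
        and asserts that exactly one shell comes back.
        """
        target = get_moth_http('/audit/blind_sqli/blind_where_integer_form_get.py')
        cfg = self._run_configs['blind_sqli']
        self._scan(target, cfg['plugins'])

        # Assert the general results
        vulns = self.kb.get('blind_sqli', 'blind_sqli')

        self.assertEqual(1, len(vulns))
        vuln = vulns[0]

        self.assertEqual("Blind SQL injection vulnerability", vuln.get_name())
        self.assertEqual('q', vuln.get_mutant().get_token_name())
        self.assertEqual('blind_where_integer_form_get.py',
                         vuln.get_url().get_file_name())

        vuln_to_exploit_id = vuln.get_id()

        #
        #   Execute the exploit.
        #
        plugin = self.w3afcore.plugins.get_plugin_inst('attack', 'sqlmap')

        #   Assert success
        self.assertTrue(plugin.can_exploit(vuln_to_exploit_id))
        exploit_result = plugin.exploit(vuln_to_exploit_id)
        self.assertEqual(len(exploit_result), 1, exploit_result)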
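class TestSQLMapShell(ReadExploitTest):
    """
    Integration tests for the sqlmap attack plugin: find a (blind) SQL
    injection with the audit plugins, or build one from a template, and
    then hand the vulnerability id to sqlmap for exploitation.

    `assertEquals` is a deprecated alias (removed in Python 3.12); the
    canonical `assertEqual` / `assertTrue` are used throughout.
    """

    # Error-based and blind injection targets in sqlmap's testenv
    SQLI = get_sqlmap_testenv_http('/mysql/get_int.php?id=2')
    BSQLI = get_sqlmap_testenv_http('/mysql/get_int_noerror.php?id=3')

    _run_configs = {
        'sqli': {
            'target': SQLI,
            'plugins': {
                'audit': (PluginConfig('sqli'), ),
            }
        },
        'blind_sqli': {
            'target': BSQLI,
            'plugins': {
                'audit': (PluginConfig('blind_sqli'), ),
            }
        }
    }

    def test_found_exploit_sqlmap_sqli(self):
        """
        Scan the error-based target with the sqli audit plugin, check that
        exactly one "SQL injection" vulnerability for get_int.php / id is in
        the kb and exploit it through the inherited _exploit_vuln helper.
        """
        # Run the scan
        cfg = self._run_configs['sqli']
        self._scan(cfg['target'], cfg['plugins'])

        # Assert the general results
        vulns = self.kb.get('sqli', 'sqli')
        self.assertEqual(1, len(vulns), vulns)
        self.assertTrue(all("SQL injection" == v.get_name() for v in vulns))

        # Verify the specifics about the vulnerabilities
        EXPECTED = [
            ('get_int.php', 'id'),
        ]

        found_vulns = [(v.get_url().get_file_name(), v.get_mutant().get_var())
                       for v in vulns]

        self.assertEqual(set(EXPECTED), set(found_vulns))

        vuln_to_exploit_id = [
            v.get_id() for v in vulns
            if v.get_url().get_file_name() == EXPECTED[0][0]
        ][0]

        self._exploit_vuln(vuln_to_exploit_id, 'sqlmap')

    def test_found_exploit_sqlmap_blind_sqli(self):
        """
        Scan the blind target (no error output) with the blind_sqli audit
        plugin, check the single finding and exploit it with sqlmap.
        """
        # Run the scan
        cfg = self._run_configs['blind_sqli']
        self._scan(cfg['target'], cfg['plugins'])

        # Assert the general results
        vulns = self.kb.get('blind_sqli', 'blind_sqli')

        self.assertEqual(1, len(vulns))
        vuln = vulns[0]

        self.assertEqual("Blind SQL injection vulnerability", vuln.get_name())
        self.assertEqual('id', vuln.get_mutant().get_var())
        self.assertEqual('get_int_noerror.php',
                         vuln.get_url().get_file_name())

        vuln_to_exploit_id = vuln.get_id()
        self._exploit_vuln(vuln_to_exploit_id, 'sqlmap')

    def test_from_template(self):
        """
        Build the vulnerability from a SQLiTemplate (no scan), store it in
        the kb, read it back and exploit it with sqlmap.
        """
        sqlit = SQLiTemplate()

        # Request data "id=2", injectable parameter "id"
        options = sqlit.get_options()
        path = '/mysql/get_int.php'
        options['url'].set_value(get_sqlmap_testenv_http(path))
        options['data'].set_value('id=2')
        options['vulnerable_parameter'].set_value('id')
        sqlit.set_options(options)

        sqlit.store_in_kb()
        vuln = self.kb.get(*sqlit.get_kb_location())[0]
        vuln_to_exploit_id = vuln.get_id()

        self._exploit_vuln(vuln_to_exploit_id, 'sqlmap')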
class TestSQLMapTestEnv(PluginTest):
    """
    Crawl sqlmap's MySQL testenv with web_spider, audit every script with
    the sqli plugin and let _scan_assert compare the findings against a
    fixed expectation and an explicit list of scripts that may be missed.
    """

    base_path = '/sqlmap/mysql/'
    target_url = get_sqlmap_testenv_http(base_path)

    config = {
        'audit': (PluginConfig('sqli'), ),
        'crawl':
        (PluginConfig('web_spider', ('only_forward', True, PluginConfig.BOOL),
                      ('ignore_regex', '.*(asp|aspx)', PluginConfig.STR)), ),
    }

    def test_found_sqli_in_testenv(self):
        """
        SqlMap's testenv is a rather strange test application since it doesn't
        have an index.html that defines the HTML forms to talk to the scripts
        which expect a POST request, so don't worry too much if those post_*
        are not found.
        """
        # Every one of these scripts must be flagged on its "id" parameter
        vulnerable_scripts = (u'get_str_like_par2.php',
                              u'get_dstr.php',
                              u'get_int_orderby.php',
                              u'get_str_brackets.php',
                              u'get_str.php',
                              u'get_int_inline.php',
                              u'get_str_like_par.php',
                              u'get_int.php',
                              u'get_int_rand.php',
                              u'get_int_having.php',
                              u'get_int_nolimit.php',
                              u'get_str_union.php',
                              u'get_str_like_par3.php',
                              u'get_int_user.php',
                              u'get_int_groupby.php',
                              u'get_int_blob.php',
                              u'get_dstr_like_par.php',
                              u'get_str_like.php',
                              u'get_dstr_like_par2.php',
                              u'get_int_filtered.php',
                              u'get_brackets.php',
                              u'get_int_limit.php',
                              u'get_int_limit_second.php')
        expected_path_param = {(script, u'id') for script in vulnerable_scripts}

        #
        #   Now we assert the unknowns
        #
        # Blind SQL injection
        blind_sqli = [u'get_int_noerror.php',
                      u'get_str_noout.php',
                      u'get_int_nooutput.php',
                      u'get_str2.php',
                      u'get_str_or.php',
                      u'get_int_reflective.php',
                      u'get_int_partialunion.php']

        # Blind SQL (time delay)
        time_delay = [u'get_int_benchmark.php']

        # Can't connect to local MySQL server through socket
        # '/var/run/mysqld/mysqld.sock' (2)
        db_connection_errors = [u'get_int_substr.php',
                                u'get_int_redirected.php',
                                u'get_int_international.php',
                                u'get_int_img.php',
                                u'get_int_redirected_true.php']

        # Directories are OK to miss, they don't have vulns
        directories = [u'csrf/',
                       u'csrf',
                       u'iis',
                       u'iis/',
                       u'basic',
                       u'digest',
                       u'']

        # This one is not OK to miss, but we're missing it anyways
        # https://github.com/andresriancho/w3af/issues/12257
        known_misses = [u'csrf/post.php']

        ok_to_miss = set(blind_sqli + time_delay + db_connection_errors +
                         directories + known_misses)

        # Scripts driven by a POST body, header, referer or cookie are skipped
        skip_startwith = {'post_', 'header_', 'referer_', 'cookie_'}
        kb_addresses = {('sqli', 'sqli')}

        self._scan_assert(self.config, expected_path_param, ok_to_miss,
                          kb_addresses, skip_startwith)
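class TestSQLMapTestEnv(PluginTest):
    """
    Crawl sqlmap's MySQL testenv with web_spider, audit every script with
    the sqli plugin, then compare the findings against a fixed expectation
    and check that every other known script is on an explicit
    "OK to miss" list.
    """

    # Path prefix of the testenv, stripped from every URL before comparing
    base_path = '/sqlmap/mysql/'
    target_url = get_sqlmap_testenv_http(base_path)

    _run_configs = {
        'cfg': {
            'target': target_url,
            'plugins': {
                'audit': (PluginConfig('sqli'),),
                'crawl': (PluginConfig('web_spider',
                             ('only_forward', True, PluginConfig.BOOL),
                             ('ignore_regex', '.*(asp|aspx)', PluginConfig.STR)),),
            }
        }
    }

    def test_found_sqli_in_testenv(self):
        """
        SqlMap's testenv is a rather strange test application since it doesn't
        have an index.html that defines the HTML forms to talk to the scripts
        which expect a POST request, so don't worry too much if those post_*
        are not found.
        """
        # Must be set before the first assertEqual, otherwise a failing
        # set comparison is printed truncated and is useless for debugging
        self.maxDiff = None

        cfg = self._run_configs['cfg']
        self._scan(cfg['target'], cfg['plugins'])
        vulns = self.kb.get('sqli', 'sqli')

        expected_path_param = {(u'get_str_like_par2.php', u'id'),
                               (u'get_dstr.php', u'id'),
                               (u'get_int_orderby.php', u'id'),
                               (u'get_str_brackets.php', u'id'),
                               (u'get_str.php', u'id'),
                               (u'get_int_inline.php', u'id'),
                               (u'get_str_like_par.php', u'id'),
                               (u'get_int.php', u'id'),
                               (u'get_int_rand.php', u'id'),
                               (u'get_int_having.php', u'id'),
                               (u'get_int_nolimit.php', u'id'),
                               (u'get_str_union.php', u'id'),
                               (u'get_str_like_par3.php', u'id'),
                               (u'get_int_user.php', u'id'),
                               (u'get_int_groupby.php', u'id'),
                               (u'get_int_blob.php', u'id'),
                               (u'get_dstr_like_par.php', u'id'),
                               (u'get_str_like.php', u'id'),
                               (u'get_dstr_like_par2.php', u'id'),
                               (u'get_int_filtered.php', u'id'),
                               (u'get_brackets.php', u'id'),
                               (u'get_int_limit.php', u'id'),
                               (u'get_int_limit_second.php', u'id')}

        found_path_param = {
            (vuln.get_url().get_path().replace(self.base_path, ''),
             vuln.get_token_name())
            for vuln in vulns
        }

        self.assertEqual(expected_path_param, found_path_param)

        #
        #   Now we assert the unknowns
        #
        ok_to_miss = {
            # Blind SQL injection
            u'get_int_noerror.php',
            u'get_str_noout.php',
            u'get_int_nooutput.php',
            u'get_str2.php',
            u'get_str_or.php',
            u'get_int_reflective.php',
            u'get_int_partialunion.php',

            # Blind SQL (time delay)
            u'get_int_benchmark.php',

            # Can't connect to local MySQL server through socket
            # '/var/run/mysqld/mysqld.sock' (2)
            u'get_int_substr.php',
            u'get_int_redirected.php',
            u'get_int_international.php',
            u'get_int_img.php',
            u'get_int_redirected_true.php',

            # Directories are OK to miss, they don't have vulns
            u'csrf/',
            u'csrf',

            u'iis',
            u'iis/',

            u'basic',
            u'digest',
            u'',

            # This one is not OK to miss, but we're missing it anyways
            #
            u'csrf/post.php',
        }

        all_known_files = [u.get_path().replace(self.base_path, '')
                           for u in self.kb.get_all_known_urls()]

        # Scripts driven by a POST body, header, referer or cookie are skipped
        # (see the docstring for why the post_* ones can't be reached);
        # str.startswith takes a tuple, so no flag/inner loop is needed
        skip_startwith = ('post_', 'header_', 'referer_', 'cookie_')

        # Already checked above through expected_path_param
        expected_paths = {path for path, _ in expected_path_param}

        missing = sorted(path for path in all_known_files
                         if not path.startswith(skip_startwith)
                         and path not in ok_to_miss
                         and path not in expected_paths)

        self.assertEqual(missing, [])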