def setUp(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
self.uri_opener = ExtendedUrllib()
self.sqlmap = SQLMapWrapper(target, self.uri_opener, debug=True)
def test_verify_vulnerability_POST(self):
target = Target(URL(self.SQLI_POST), self.DATA_POST)
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable, self.sqlmap.last_stdout)
def _verify_vuln(self, vuln_obj):
"""
This command verifies a vuln. This is really hard work! :P
:return : True if vuln can be exploited.
"""
uri = vuln_obj.get_uri()
dc = vuln_obj.get_dc()
fuzzable_request = vuln_obj.get_mutant().get_fuzzable_req()
m = vuln_obj.get_mutant()
orig_value = m.get_original_value()
# When the original value of the parameter was empty, mostly when it
# was an HTML form, sqlmap can't find the vulnerability (and w3af does)
# so we're adding a '1' here just in case.
parameter_values = {orig_value, '1'}
for pvalue in parameter_values:
dc[vuln_obj.get_var()][m.get_var_index()] = pvalue
post_data = None
if isinstance(fuzzable_request, HTTPQSRequest):
uri.set_querystring(dc)
else:
post_data = str(dc) or None
target = Target(uri, post_data)
sqlmap = SQLMapWrapper(target, self._uri_opener)
if sqlmap.is_vulnerable():
self._sqlmap = sqlmap
return True
return False
def test_enable_coloring(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
sqlmap = SQLMapWrapper(target, self.uri_opener, coloring=True)
params = sqlmap.get_wrapper_params()
self.assertNotIn('--disable-coloring', params)
def _verify_vuln(self, vuln_obj):
"""
This command verifies a vuln. This is really hard work! :P
:return : True if vuln can be exploited.
"""
mutant = vuln_obj.get_mutant()
orig_value = mutant.get_token().get_original_value()
# When the original value of the parameter was empty, mostly when it
# was an HTML form, sqlmap can't find the vulnerability (and w3af does)
# so we're adding a '1' here just in case.
parameter_values = {orig_value, '1'}
for pvalue in parameter_values:
mutant = copy.deepcopy(mutant)
mutant.set_token_value(pvalue)
post_data = mutant.get_data() or None
target = Target(mutant.get_uri(), post_data)
sqlmap = SQLMapWrapper(target, self._uri_opener)
if sqlmap.is_vulnerable():
self._sqlmap = sqlmap
return True
return False
def _verify_vuln(self, vuln_obj):
"""
This command verifies a vuln. This is really hard work! :P
:return : True if vuln can be exploited.
"""
uri = vuln_obj.get_uri()
dc = vuln_obj.get_dc()
orig_value = vuln_obj.get_mutant().get_original_value()
dc[vuln_obj.get_var()] = orig_value
post_data = None
if isinstance(dc, Form):
post_data = str(dc) or None
else:
uri.set_querystring(dc)
target = Target(uri, post_data)
sqlmap = SQLMapWrapper(target, self._uri_opener)
if sqlmap.is_vulnerable():
self._sqlmap = sqlmap
return True
return False
def test_verify_vulnerability_ssl(self):
uri = URL(self.SSL_SQLI_GET)
target = Target(uri)
self.uri_opener = ExtendedUrllib()
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable, self.sqlmap.last_stdout)
def test_verify_vulnerability_false(self):
not_vuln = get_moth_http('/audit/sql_injection/'
'where_string_single_qs.py?fake=pablo')
uri = URL(not_vuln)
target = Target(uri)
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertFalse(vulnerable)
def test_stds(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
prms = ['--batch',]
cmd, process = self.sqlmap.run_sqlmap_with_pipes(prms)
self.assertIsInstance(process.stdout, file)
self.assertIsInstance(process.stderr, file)
self.assertIsInstance(process.stdin, file)
self.assertIsInstance(cmd, basestring)
self.assertIn('sqlmap.py', cmd)
def _verify_vuln(self, vuln_obj):
"""
This command verifies a vuln. This is really hard work! :P
:return : True if vuln can be exploited.
"""
mutant = vuln_obj.get_mutant()
if not isinstance(mutant, (QSMutant, PostDataMutant)):
msg = ('The SQL injection vulnerability at %s can not be exploited'
' by w3af\'s sqlmap wrapper because it can only handle'
' query string and url-encoded post data parameters.')
om.out.console(msg % (mutant.get_url(),))
return False
orig_value = mutant.get_token().get_original_value()
# When the original value of the parameter was empty, mostly when it
# was an HTML form, sqlmap can't find the vulnerability (and w3af does)
# so we're adding a '1' here just in case.
parameter_values = {orig_value, '1'}
for pvalue in parameter_values:
mutant = copy.deepcopy(mutant)
mutant.set_token_value(pvalue)
post_data = mutant.get_data() or None
target = Target(mutant.get_uri(), post_data)
try:
sqlmap = SQLMapWrapper(target, self._uri_opener)
except TypeError:
issue_url = 'https://github.com/andresriancho/w3af/issues/6439'
msg = 'w3af\'s sqlmap wrapper has some limitations, and you' \
' just found one of them. For more information please' \
' visit %s .'
om.out.console(msg % issue_url)
return False
else:
if sqlmap.is_vulnerable():
self._sqlmap = sqlmap
return True
else:
self._sqlmap = None
sqlmap.cleanup()
return False
def test_kb_list_shells_sqlmap_2181(self):
"""
Also very related with test_pickleable_shells
:see: https://github.com/andresriancho/w3af/issues/2181
"""
w3af_core = w3afCore()
target = Target(URL('http://w3af.org/'))
sqlmap_wrapper = SQLMapWrapper(target, w3af_core.uri_opener)
sqlmap_shell = SQLMapShell(MockVuln(), w3af_core.uri_opener,
w3af_core.worker_pool, sqlmap_wrapper)
kb.append('a', 'b', sqlmap_shell)
shells = kb.get_all_shells(w3af_core=w3af_core)
self.assertEqual(len(shells), 1)
unpickled_shell = shells[0]
self.assertEqual(sqlmap_shell, unpickled_shell)
self.assertIs(unpickled_shell._uri_opener, w3af_core.uri_opener)
self.assertIs(unpickled_shell.worker_pool, w3af_core.worker_pool)
self.assertIs(unpickled_shell.sqlmap.proxy._uri_opener,
w3af_core.uri_opener)
w3af_core.quit()
def _verify_vuln(self, vuln_obj):
"""
This command verifies a vuln. This is really hard work! :P
:return : True if vuln can be exploited.
"""
mutant = vuln_obj.get_mutant()
if not isinstance(mutant, (QSMutant, PostDataMutant)):
msg = ('The SQL injection vulnerability at %s can not be exploited'
' by w3af\'s sqlmap wrapper because it can only handle'
' query string and url-encoded post data parameters.')
om.out.console(msg % (mutant.get_url(), ))
return False
orig_value = mutant.get_token().get_original_value()
# When the original value of the parameter was empty, mostly when it
# was an HTML form, sqlmap can't find the vulnerability (and w3af does)
# so we're adding a '1' here just in case.
parameter_values = {orig_value, '1'}
for pvalue in parameter_values:
mutant = copy.deepcopy(mutant)
mutant.set_token_value(pvalue)
self._sqlmap = None
post_data = mutant.get_data() or None
target = Target(mutant.get_uri(), post_data)
try:
sqlmap = SQLMapWrapper(target, self._uri_opener)
except TypeError:
issue_url = 'https://github.com/andresriancho/w3af/issues/6439'
msg = ('w3af\'s sqlmap wrapper has some limitations, and you'
' just found one of them. For more information please'
' visit %s .')
om.out.console(msg % issue_url)
return False
try:
is_vuln = sqlmap.is_vulnerable()
except:
sqlmap.cleanup()
if sqlmap.last_stdout is None or sqlmap.last_stderr is None:
# Not sure when we get here
return False
taint_error = 'provided tainted parameter'
if not (taint_error in sqlmap.last_stdout
or taint_error in sqlmap.last_stderr):
# Some error that we don't have a special handling for
return False
issue_url = 'https://github.com/andresriancho/w3af/issues/1989'
msg = ('w3af\'s sqlmap wrapper has some limitations, and you'
' just found one of them. For more information please'
' visit %s and add the steps required to reproduce this'
' issue which will help us debug and fix it.')
om.out.console(msg % issue_url)
return False
if is_vuln:
self._sqlmap = sqlmap
return True
else:
sqlmap.cleanup()
return False