def _verify_vuln(self, vuln_obj):
"""
This command verifies a vuln. This is really hard work! :P
:return : True if vuln can be exploited.
"""
uri = vuln_obj.get_uri()
dc = vuln_obj.get_dc()
fuzzable_request = vuln_obj.get_mutant().get_fuzzable_req()
m = vuln_obj.get_mutant()
orig_value = m.get_original_value()
# When the original value of the parameter was empty, mostly when it
# was an HTML form, sqlmap can't find the vulnerability (and w3af does)
# so we're adding a '1' here just in case.
parameter_values = {orig_value, '1'}
for pvalue in parameter_values:
dc[vuln_obj.get_var()][m.get_var_index()] = pvalue
post_data = None
if isinstance(fuzzable_request, HTTPQSRequest):
uri.set_querystring(dc)
else:
post_data = str(dc) or None
target = Target(uri, post_data)
sqlmap = SQLMapWrapper(target, self._uri_opener)
if sqlmap.is_vulnerable():
self._sqlmap = sqlmap
return True
return False
def _verify_vuln(self, vuln_obj):
"""
This command verifies a vuln. This is really hard work! :P
:return : True if vuln can be exploited.
"""
mutant = vuln_obj.get_mutant()
orig_value = mutant.get_token().get_original_value()
# When the original value of the parameter was empty, mostly when it
# was an HTML form, sqlmap can't find the vulnerability (and w3af does)
# so we're adding a '1' here just in case.
parameter_values = {orig_value, '1'}
for pvalue in parameter_values:
mutant = copy.deepcopy(mutant)
mutant.set_token_value(pvalue)
post_data = mutant.get_data() or None
target = Target(mutant.get_uri(), post_data)
sqlmap = SQLMapWrapper(target, self._uri_opener)
if sqlmap.is_vulnerable():
self._sqlmap = sqlmap
return True
return False
def _verify_vuln(self, vuln_obj):
"""
This command verifies a vuln. This is really hard work! :P
:return : True if vuln can be exploited.
"""
uri = vuln_obj.get_uri()
dc = vuln_obj.get_dc()
fuzzable_request = vuln_obj.get_mutant().get_fuzzable_req()
m = vuln_obj.get_mutant()
orig_value = m.get_original_value()
# When the original value of the parameter was empty, mostly when it
# was an HTML form, sqlmap can't find the vulnerability (and w3af does)
# so we're adding a '1' here just in case.
parameter_values = {orig_value, '1'}
for pvalue in parameter_values:
dc[vuln_obj.get_var()][m.get_var_index()] = pvalue
post_data = None
if isinstance(fuzzable_request, HTTPQSRequest):
uri.set_querystring(dc)
else:
post_data = str(dc) or None
target = Target(uri, post_data)
sqlmap = SQLMapWrapper(target, self._uri_opener)
if sqlmap.is_vulnerable():
self._sqlmap = sqlmap
return True
return False
def _verify_vuln(self, vuln_obj):
"""
This command verifies a vuln. This is really hard work! :P
:return : True if vuln can be exploited.
"""
mutant = vuln_obj.get_mutant()
orig_value = mutant.get_token().get_original_value()
# When the original value of the parameter was empty, mostly when it
# was an HTML form, sqlmap can't find the vulnerability (and w3af does)
# so we're adding a '1' here just in case.
parameter_values = {orig_value, '1'}
for pvalue in parameter_values:
mutant = copy.deepcopy(mutant)
mutant.set_token_value(pvalue)
post_data = mutant.get_data() or None
target = Target(mutant.get_uri(), post_data)
sqlmap = SQLMapWrapper(target, self._uri_opener)
if sqlmap.is_vulnerable():
self._sqlmap = sqlmap
return True
return False
def _verify_vuln(self, vuln_obj):
"""
This command verifies a vuln. This is really hard work! :P
:return : True if vuln can be exploited.
"""
uri = vuln_obj.get_uri()
dc = vuln_obj.get_dc()
orig_value = vuln_obj.get_mutant().get_original_value()
dc[vuln_obj.get_var()] = orig_value
post_data = None
if isinstance(dc, Form):
post_data = str(dc) or None
else:
uri.set_querystring(dc)
target = Target(uri, post_data)
sqlmap = SQLMapWrapper(target, self._uri_opener)
if sqlmap.is_vulnerable():
self._sqlmap = sqlmap
return True
return False
def _verify_vuln(self, vuln_obj):
"""
This command verifies a vuln. This is really hard work! :P
:return : True if vuln can be exploited.
"""
uri = vuln_obj.get_uri()
dc = vuln_obj.get_dc()
orig_value = vuln_obj.get_mutant().get_original_value()
dc[vuln_obj.get_var()] = orig_value
post_data = None
if isinstance(dc, Form):
post_data = str(dc) or None
else:
uri.set_querystring(dc)
target = Target(uri, post_data)
sqlmap = SQLMapWrapper(target, self._uri_opener)
if sqlmap.is_vulnerable():
self._sqlmap = sqlmap
return True
return False
def _verify_vuln(self, vuln_obj):
"""
This command verifies a vuln. This is really hard work! :P
:return : True if vuln can be exploited.
"""
mutant = vuln_obj.get_mutant()
if not isinstance(mutant, (QSMutant, PostDataMutant)):
msg = ('The SQL injection vulnerability at %s can not be exploited'
' by w3af\'s sqlmap wrapper because it can only handle'
' query string and url-encoded post data parameters.')
om.out.console(msg % (mutant.get_url(),))
return False
orig_value = mutant.get_token().get_original_value()
# When the original value of the parameter was empty, mostly when it
# was an HTML form, sqlmap can't find the vulnerability (and w3af does)
# so we're adding a '1' here just in case.
parameter_values = {orig_value, '1'}
for pvalue in parameter_values:
mutant = copy.deepcopy(mutant)
mutant.set_token_value(pvalue)
post_data = mutant.get_data() or None
target = Target(mutant.get_uri(), post_data)
try:
sqlmap = SQLMapWrapper(target, self._uri_opener)
except TypeError:
issue_url = 'https://github.com/andresriancho/w3af/issues/6439'
msg = 'w3af\'s sqlmap wrapper has some limitations, and you' \
' just found one of them. For more information please' \
' visit %s .'
om.out.console(msg % issue_url)
return False
else:
if sqlmap.is_vulnerable():
self._sqlmap = sqlmap
return True
else:
self._sqlmap = None
sqlmap.cleanup()
return False
def _verify_vuln(self, vuln_obj):
"""
This command verifies a vuln. This is really hard work! :P
:return : True if vuln can be exploited.
"""
mutant = vuln_obj.get_mutant()
if not isinstance(mutant, (QSMutant, PostDataMutant)):
msg = ('The SQL injection vulnerability at %s can not be exploited'
' by w3af\'s sqlmap wrapper because it can only handle'
' query string and url-encoded post data parameters.')
om.out.console(msg % (mutant.get_url(), ))
return False
orig_value = mutant.get_token().get_original_value()
# When the original value of the parameter was empty, mostly when it
# was an HTML form, sqlmap can't find the vulnerability (and w3af does)
# so we're adding a '1' here just in case.
parameter_values = {orig_value, '1'}
for pvalue in parameter_values:
mutant = copy.deepcopy(mutant)
mutant.set_token_value(pvalue)
self._sqlmap = None
post_data = mutant.get_data() or None
target = Target(mutant.get_uri(), post_data)
try:
sqlmap = SQLMapWrapper(target, self._uri_opener)
except TypeError:
issue_url = 'https://github.com/andresriancho/w3af/issues/6439'
msg = ('w3af\'s sqlmap wrapper has some limitations, and you'
' just found one of them. For more information please'
' visit %s .')
om.out.console(msg % issue_url)
return False
try:
is_vuln = sqlmap.is_vulnerable()
except:
sqlmap.cleanup()
if sqlmap.last_stdout is None or sqlmap.last_stderr is None:
# Not sure when we get here
return False
taint_error = 'provided tainted parameter'
if not (taint_error in sqlmap.last_stdout
or taint_error in sqlmap.last_stderr):
# Some error that we don't have a special handling for
return False
issue_url = 'https://github.com/andresriancho/w3af/issues/1989'
msg = ('w3af\'s sqlmap wrapper has some limitations, and you'
' just found one of them. For more information please'
' visit %s and add the steps required to reproduce this'
' issue which will help us debug and fix it.')
om.out.console(msg % issue_url)
return False
if is_vuln:
self._sqlmap = sqlmap
return True
else:
sqlmap.cleanup()
return False
class TestSQLMapWrapper(unittest.TestCase):
SQLI_GET = get_moth_http('/audit/sql_injection/'
'where_string_single_qs.py?uname=pablo')
SSL_SQLI_GET = get_moth_https('/audit/sql_injection/'
'where_string_single_qs.py?uname=pablo')
SQLI_POST = get_moth_http('/audit/sql_injection/where_integer_form.py')
DATA_POST = 'text=1'
def setUp(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
self.uri_opener = ExtendedUrllib()
self.sqlmap = SQLMapWrapper(target, self.uri_opener, debug=True)
def tearDown(self):
self.uri_opener.end()
self.sqlmap.cleanup()
@classmethod
def setUpClass(cls):
output_dir = os.path.join(SQLMapWrapper.SQLMAP_LOCATION, 'output')
if os.path.exists(output_dir):
shutil.rmtree(output_dir)
@classmethod
def tearDownClass(cls):
# Doing this in both setupclass and teardownclass in order to be sure
# that a ctrl+c doesn't break it
output_dir = os.path.join(SQLMapWrapper.SQLMAP_LOCATION, 'output')
if os.path.exists(output_dir):
shutil.rmtree(output_dir)
def test_verify_vulnerability(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
def test_verify_vulnerability_ssl(self):
uri = URL(self.SSL_SQLI_GET)
target = Target(uri)
self.uri_opener = ExtendedUrllib()
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable, self.sqlmap.last_stdout)
def test_verify_vulnerability_false(self):
not_vuln = get_moth_http('/audit/sql_injection/'
'where_string_single_qs.py?fake=pablo')
uri = URL(not_vuln)
target = Target(uri)
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertFalse(vulnerable)
def test_verify_vulnerability_POST(self):
target = Target(URL(self.SQLI_POST), self.DATA_POST)
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable, self.sqlmap.last_stdout)
def test_wrapper_invalid_url(self):
self.assertRaises(TypeError, SQLMapWrapper, self.SQLI_GET,
self.uri_opener)
def test_stds(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
prms = [
'--batch',
]
cmd, process = self.sqlmap.run_sqlmap_with_pipes(prms)
self.assertIsInstance(process.stdout, file)
self.assertIsInstance(process.stderr, file)
self.assertIsInstance(process.stdin, file)
self.assertIsInstance(cmd, basestring)
self.assertIn('sqlmap.py', cmd)
def test_target_basic(self):
target = Target(URL(self.SQLI_GET))
params = target.to_params()
self.assertEqual(params, ["--url=%s" % self.SQLI_GET])
def test_target_post_data(self):
target = Target(URL(self.SQLI_GET), self.DATA_POST)
params = target.to_params()
self.assertEqual(
params, ["--url=%s" % self.SQLI_GET,
"--data=%s" % self.DATA_POST])
def test_no_coloring(self):
params = self.sqlmap.get_wrapper_params()
self.assertIn('--disable-coloring', params)
def test_always_batch(self):
params = self.sqlmap.get_wrapper_params()
self.assertIn('--batch', params)
def test_use_proxy(self):
params = self.sqlmap.get_wrapper_params()
self.assertTrue(
any(i.startswith('--proxy=http://127.0.0.1:') for i in params))
def test_enable_coloring(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
sqlmap = SQLMapWrapper(target, self.uri_opener, coloring=True)
params = sqlmap.get_wrapper_params()
self.assertNotIn('--disable-coloring', params)
def test_dbs(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
cmd, process = self.sqlmap.dbs()
output = process.stdout.read()
self.assertIn('on SQLite it is not possible to enumerate databases',
output)
def test_tables(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
cmd, process = self.sqlmap.tables()
output = process.stdout.read()
self.assertIn('auth_group_permissions', output)
self.assertIn('Database: SQLite_masterdb', output)
self.assertIn('django_content_type', output)
def test_users(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
cmd, process = self.sqlmap.users()
output = process.stdout.read()
self.assertIn('on SQLite it is not possible to enumerate the users',
output)
def test_dump(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
cmd, process = self.sqlmap.dump()
output = process.stdout.read()
self.assertIn('django_session', output)
self.assertIn('auth_user_user_permissions', output)
def test_sqlmap(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable, self.sqlmap.last_stdout)
cmd, process = self.sqlmap.direct('--tables')
output = process.stdout.read()
self.assertIn('django_session', output)
self.assertIn('auth_user_user_permissions', output)
self.assertNotIn('COLUMN_PRIVILEGES', output)
def _verify_vuln(self, vuln_obj):
"""
This command verifies a vuln. This is really hard work! :P
:return : True if vuln can be exploited.
"""
mutant = vuln_obj.get_mutant()
if not isinstance(mutant, (QSMutant, PostDataMutant)):
msg = ('The SQL injection vulnerability at %s can not be exploited'
' by w3af\'s sqlmap wrapper because it can only handle'
' query string and url-encoded post data parameters.')
om.out.console(msg % (mutant.get_url(),))
return False
orig_value = mutant.get_token().get_original_value()
# When the original value of the parameter was empty, mostly when it
# was an HTML form, sqlmap can't find the vulnerability (and w3af does)
# so we're adding a '1' here just in case.
parameter_values = {orig_value, '1'}
for pvalue in parameter_values:
mutant = copy.deepcopy(mutant)
mutant.set_token_value(pvalue)
self._sqlmap = None
post_data = mutant.get_data() or None
target = Target(mutant.get_uri(), post_data)
try:
sqlmap = SQLMapWrapper(target, self._uri_opener)
except TypeError:
issue_url = 'https://github.com/andresriancho/w3af/issues/6439'
msg = ('w3af\'s sqlmap wrapper has some limitations, and you'
' just found one of them. For more information please'
' visit %s .')
om.out.console(msg % issue_url)
return False
try:
is_vuln = sqlmap.is_vulnerable()
except:
sqlmap.cleanup()
if sqlmap.last_stdout is None or sqlmap.last_stderr is None:
# Not sure when we get here
return False
taint_error = 'provided tainted parameter'
if not (taint_error in sqlmap.last_stdout or
taint_error in sqlmap.last_stderr):
# Some error that we don't have a special handling for
return False
issue_url = 'https://github.com/andresriancho/w3af/issues/1989'
msg = ('w3af\'s sqlmap wrapper has some limitations, and you'
' just found one of them. For more information please'
' visit %s and add the steps required to reproduce this'
' issue which will help us debug and fix it.')
om.out.console(msg % issue_url)
return False
if is_vuln:
self._sqlmap = sqlmap
return True
else:
sqlmap.cleanup()
return False
class TestSQLMapWrapper(unittest.TestCase):
SQLI_GET = get_moth_http('/audit/sql_injection/'
'where_string_single_qs.py?uname=pablo')
SSL_SQLI_GET = get_moth_https('/audit/sql_injection/'
'where_string_single_qs.py?uname=pablo')
SQLI_POST = get_moth_http('/audit/sql_injection/where_integer_form.py')
DATA_POST = 'text=1'
def setUp(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
self.uri_opener = ExtendedUrllib()
self.sqlmap = SQLMapWrapper(target, self.uri_opener, debug=True)
def tearDown(self):
self.uri_opener.end()
self.sqlmap.cleanup()
@classmethod
def setUpClass(cls):
output_dir = os.path.join(SQLMapWrapper.SQLMAP_LOCATION, 'output')
if os.path.exists(output_dir):
shutil.rmtree(output_dir)
@classmethod
def tearDownClass(cls):
# Doing this in both setupclass and teardownclass in order to be sure
# that a ctrl+c doesn't break it
output_dir = os.path.join(SQLMapWrapper.SQLMAP_LOCATION, 'output')
if os.path.exists(output_dir):
shutil.rmtree(output_dir)
def test_verify_vulnerability(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
def test_verify_vulnerability_ssl(self):
uri = URL(self.SSL_SQLI_GET)
target = Target(uri)
self.uri_opener = ExtendedUrllib()
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable, self.sqlmap.last_stdout)
def test_verify_vulnerability_false(self):
not_vuln = get_moth_http('/audit/sql_injection/'
'where_string_single_qs.py?fake=pablo')
uri = URL(not_vuln)
target = Target(uri)
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertFalse(vulnerable)
def test_verify_vulnerability_POST(self):
target = Target(URL(self.SQLI_POST), self.DATA_POST)
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable, self.sqlmap.last_stdout)
def test_wrapper_invalid_url(self):
self.assertRaises(TypeError, SQLMapWrapper, self.SQLI_GET, self.uri_opener)
def test_stds(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
prms = ['--batch',]
cmd, process = self.sqlmap.run_sqlmap_with_pipes(prms)
self.assertIsInstance(process.stdout, file)
self.assertIsInstance(process.stderr, file)
self.assertIsInstance(process.stdin, file)
self.assertIsInstance(cmd, basestring)
self.assertIn('sqlmap.py', cmd)
def test_target_basic(self):
target = Target(URL(self.SQLI_GET))
params = target.to_params()
self.assertEqual(params, ["--url=%s" % self.SQLI_GET])
def test_target_post_data(self):
target = Target(URL(self.SQLI_GET), self.DATA_POST)
params = target.to_params()
self.assertEqual(params, ["--url=%s" % self.SQLI_GET,
"--data=%s" % self.DATA_POST])
def test_no_coloring(self):
params = self.sqlmap.get_wrapper_params()
self.assertIn('--disable-coloring', params)
def test_always_batch(self):
params = self.sqlmap.get_wrapper_params()
self.assertIn('--batch', params)
def test_use_proxy(self):
params = self.sqlmap.get_wrapper_params()
self.assertTrue(any(i.startswith('--proxy=http://127.0.0.1:') for i in params))
def test_enable_coloring(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
sqlmap = SQLMapWrapper(target, self.uri_opener, coloring=True)
params = sqlmap.get_wrapper_params()
self.assertNotIn('--disable-coloring', params)
def test_dbs(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
cmd, process = self.sqlmap.dbs()
output = process.stdout.read()
self.assertIn('on SQLite it is not possible to enumerate databases', output)
def test_tables(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
cmd, process = self.sqlmap.tables()
output = process.stdout.read()
self.assertIn('auth_group_permissions', output)
self.assertIn('Database: SQLite_masterdb', output)
self.assertIn('django_content_type', output)
def test_users(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
cmd, process = self.sqlmap.users()
output = process.stdout.read()
self.assertIn('on SQLite it is not possible to enumerate the users',
output)
def test_dump(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
cmd, process = self.sqlmap.dump()
output = process.stdout.read()
self.assertIn('django_session', output)
self.assertIn('auth_user_user_permissions', output)
def test_sqlmap(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
cmd, process = self.sqlmap.direct('--tables')
output = process.stdout.read()
self.assertIn('django_session', output)
self.assertIn('auth_user_user_permissions', output)
self.assertNotIn('information_schema', output)
self.assertNotIn('COLUMN_PRIVILEGES', output)