def checkPayload(payload):
    """
    Reports whether a generated payload matches any of the PHPIDS filter
    rules

    The payload is URL-decoded first and then searched with every rule as a
    case-insensitive regular expression. Each match is logged together with
    the rule description; if no rule matches, a single notice is logged
    instead. Nothing is returned.

    The rule list is parsed from paths.PHPIDS_RULES_XML on first use and
    kept in the module-level 'rules' variable for later calls.

    Note: a miss means only that none of the loaded rules matched the
    decoded string; it says nothing about filters using other rule sets.
    """

    global rules

    # Nothing to inspect for None or an empty string
    if not payload:
        return

    decoded = urldecode(payload, convall=True)

    if not rules:
        # First call: build the (pattern, description) list from the XML file
        document = readXmlFile(paths.PHPIDS_RULES_XML)
        rules = []

        for node in document.getElementsByTagName("filter"):
            pattern = node.getElementsByTagName('rule')[0].childNodes[0].nodeValue
            description = node.getElementsByTagName('description')[0].childNodes[0].nodeValue
            rules.append(("(?i)%s" % pattern, __adjustGrammar(description)))

    # The decoded form can be empty even when the raw payload was not
    if not decoded:
        return

    matched = False

    for pattern, description in rules:
        if re.search(pattern, decoded):
            matched = True
            logger.warn("highly probable IDS/IPS detection: '%s: %s'" % (description, decoded))

    if not matched:
        logger.warn("payload '%s' possibly gone undetected" % decoded)
def liveTest():
    """
    This will run the test of a program against the live testing environment

    NOTE(review): this listing appears to stop after the per-case switches
    are collected. 'retVal', 'length' and 'log' are assigned but never used
    in the lines shown, and no test case is executed or value returned here.
    """

    retVal = True
    count = 0
    global_ = {}
    vars_ = {}

    # Test definitions come from the XML file referenced by the project paths
    livetests = readXmlFile(paths.LIVE_TESTS_XML)
    length = len(livetests.getElementsByTagName("case"))

    # <global>: every child element with a "value" attribute becomes a
    # default switch, converted by adjustValueType()
    element = livetests.getElementsByTagName("global")
    if element:
        for item in element:
            for child in item.childNodes:
                if child.nodeType == child.ELEMENT_NODE and child.hasAttribute("value"):
                    global_[child.tagName] = adjustValueType(child.tagName, child.getAttribute("value"))

    # <vars>: raw string values, later substituted by replaceVars()
    element = livetests.getElementsByTagName("vars")
    if element:
        for item in element:
            for child in item.childNodes:
                if child.nodeType == child.ELEMENT_NODE and child.hasAttribute("value"):
                    vars_[child.tagName] = child.getAttribute("value")

    for case in livetests.getElementsByTagName("case"):
        count += 1

        # When conf.runCase is set, only the case at that position is kept
        # (the comparison is against the 1-based counter)
        if conf.runCase and conf.runCase != count:
            continue

        name = None
        log = []

        # Start from a copy so per-case switches do not leak into the defaults
        switches = dict(global_)

        if case.hasAttribute("name"):
            name = case.getAttribute("name")

        # Per-case switches override the global ones; only the first
        # <switches> element of the case is read
        if case.getElementsByTagName("switches"):
            for child in case.getElementsByTagName("switches")[0].childNodes:
                if child.nodeType == child.ELEMENT_NODE and child.hasAttribute("value"):
                    value = replaceVars(child.getAttribute("value"), vars_)
                    switches[child.tagName] = adjustValueType(child.tagName, value)
def checkPayload(payload):
    """
    Logs a warning for every PHPIDS filter rule that matches the generated
    payload

    The payload is URL-decoded and searched with each rule as a
    case-insensitive regular expression compiled through
    getCompiledRegex(). The rule list is parsed from paths.PHPIDS_RULES_XML
    on first use and kept in the module-level 'rules' variable. Nothing is
    returned, and nothing is logged when no rule matches.
    """

    global rules

    decoded = urldecode(payload)

    if not rules:
        # First call: build the (pattern, description) list from the XML file
        document = readXmlFile(paths.PHPIDS_RULES_XML)
        rules = []

        for node in document.getElementsByTagName("filter"):
            pattern = node.getElementsByTagName('rule')[0].childNodes[0].nodeValue
            description = node.getElementsByTagName('description')[0].childNodes[0].nodeValue
            rules.append(("(?i)%s" % pattern, __adjustGrammar(description)))

    # Nothing to match against when the decoded payload is empty
    if not decoded:
        return

    for pattern, description in rules:
        if getCompiledRegex(pattern).search(decoded):
            logger.warn("highly probable IDS/IPS detection: '%s: %s'" % (description, decoded))
def liveTest():
    """
    Runs every case of the live testing environment and reports the
    overall outcome

    Cases are read from paths.LIVE_TESTS_XML. Values under <global> are the
    default switches, values under <vars> are substituted into per-case
    values by replaceVars(). For each <case> the switches, the expected
    <log> items and the expected <session> items are collected and handed
    to runCase(). The combined result of all cases is logged and returned.
    """

    def valuedChildren(parents):
        # Element children of the given nodes that carry a "value" attribute
        for parent in parents:
            for node in parent.childNodes:
                if node.nodeType == node.ELEMENT_NODE and node.hasAttribute("value"):
                    yield node

    def itemValues(case, tag):
        # Substituted "value" attributes of the <item> elements found in
        # the first <tag> element of the case (empty when there is none)
        holders = case.getElementsByTagName(tag)
        collected = []

        if holders:
            for entry in holders[0].getElementsByTagName("item"):
                if entry.hasAttribute("value"):
                    collected.append(replaceVars(entry.getAttribute("value"), vars_))

        return collected

    retVal = True
    count = 0
    global_ = {}
    vars_ = {}

    livetests = readXmlFile(paths.LIVE_TESTS_XML)
    cases = livetests.getElementsByTagName("case")
    length = len(cases)

    for node in valuedChildren(livetests.getElementsByTagName("global")):
        global_[node.tagName] = adjustValueType(node.tagName, node.getAttribute("value"))

    for node in valuedChildren(livetests.getElementsByTagName("vars")):
        vars_[node.tagName] = node.getAttribute("value")

    for case in cases:
        name = case.getAttribute("name") if case.hasAttribute("name") else None

        # Per-case switches are layered over a copy of the global defaults
        switches = dict(global_)
        for node in valuedChildren(case.getElementsByTagName("switches")[:1]):
            value = replaceVars(node.getAttribute("value"), vars_)
            switches[node.tagName] = adjustValueType(node.tagName, value)

        log = itemValues(case, "log")
        session = itemValues(case, "session")

        count += 1
        logger.info("running live test case '%s' (%d/%d)" % (name, count, length))

        result = runCase(name, switches, log, session)

        if not result:
            logger.error("test failed")
        else:
            logger.info("test passed")

        retVal &= result

    dataToStdout("\n")

    if not retVal:
        logger.error("live test final result: FAILED")
    else:
        logger.info("live test final result: PASSED")

    return retVal
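def liveTest():
    """
    Runs the test of a program against the live testing environment

    Test cases are read from paths.LIVE_TESTS_XML. Values under <global>
    become default switches, values under <vars> are substituted into the
    per-case values by replaceVars() (a value of "random" is replaced by
    randomStr(6)). Each <case> is initialised with initCase() and run with
    runCase(); a failing case leaves "test_case", "console_output" and
    "traceback" files in paths.SQLMAP_OUTPUT_PATH.

    conf.runCase selects what is run: a value made only of digits picks the
    case at that position (counting from 1), anything else is used as a
    regular expression searched in the case name.

    Returns True only if every executed case returned True. If
    conf.stopFail is set, the run stops at the first failing case and False
    is returned.
    """

    retVal = True
    count = 0
    global_ = {}
    vars_ = {}

    livetests = readXmlFile(paths.LIVE_TESTS_XML)
    length = len(livetests.getElementsByTagName("case"))

    element = livetests.getElementsByTagName("global")
    if element:
        for item in element:
            for child in item.childNodes:
                if child.nodeType == child.ELEMENT_NODE and child.hasAttribute("value"):
                    global_[child.tagName] = adjustValueType(child.tagName, child.getAttribute("value"))

    element = livetests.getElementsByTagName("vars")
    if element:
        for item in element:
            for child in item.childNodes:
                if child.nodeType == child.ELEMENT_NODE and child.hasAttribute("value"):
                    var = child.getAttribute("value")
                    vars_[child.tagName] = randomStr(6) if var == "random" else var

    for case in livetests.getElementsByTagName("case"):
        parse_from_console_output = False
        count += 1
        name = None
        parse = []
        switches = dict(global_)
        value = ""
        vulnerable = True
        result = None

        if case.hasAttribute("name"):
            name = case.getAttribute("name")

        if conf.runCase:
            if conf.runCase.isdigit():
                # conf.runCase is a string: comparing it directly with the
                # integer counter is never equal and skipped every case
                if int(conf.runCase) != count:
                    continue
            elif not re.search(conf.runCase, name or "", re.DOTALL):
                # 'name or ""' keeps unnamed cases from raising TypeError
                continue

        if case.getElementsByTagName("switches"):
            for child in case.getElementsByTagName("switches")[0].childNodes:
                if child.nodeType == child.ELEMENT_NODE and child.hasAttribute("value"):
                    value = replaceVars(child.getAttribute("value"), vars_)
                    switches[child.tagName] = adjustValueType(child.tagName, value)

        if case.getElementsByTagName("parse"):
            for item in case.getElementsByTagName("parse")[0].getElementsByTagName("item"):
                if item.hasAttribute("value"):
                    value = replaceVars(item.getAttribute("value"), vars_)

                if item.hasAttribute("console_output"):
                    # NOTE(review): bool() of any non-empty string is True,
                    # so console_output="false" also enables this - confirm
                    # against the test definitions
                    parse_from_console_output = bool(item.getAttribute("console_output"))

                parse.append((value, parse_from_console_output))

        conf.verbose = global_.get("verbose", 1)
        setVerbosity()  # set the verbosity level of sqlmap output

        msg = "running live test case: %s (%d/%d)" % (name, count, length)
        logger.info(msg)

        initCase(switches, count)

        # The context manager closes the file on every exit path, including
        # the early return taken when conf.stopFail is set
        with codecs.open(os.path.join(paths.SQLMAP_OUTPUT_PATH, "test_case"), "wb", UNICODE_ENCODING) as test_case_fd:
            test_case_fd.write("%s\n" % name)

            try:
                result = runCase(parse)
            except SqlmapNotVulnerableException:
                vulnerable = False
            finally:
                # Restore the verbosity from the global switches after the run
                conf.verbose = global_.get("verbose", 1)
                setVerbosity()

            if result is True:
                logger.info("test passed")
                cleanCase()
            else:
                errMsg = "test failed"

                if Failures.failedItems:
                    errMsg += " at parsing items: %s" % ", ".join(Failures.failedItems)

                errMsg += " - scan folder: %s" % paths.SQLMAP_OUTPUT_PATH
                errMsg += " - traceback: %s" % bool(Failures.failedTraceBack)

                if not vulnerable:
                    errMsg += " - SQL injection not detected"

                logger.error(errMsg)
                test_case_fd.write("%s\n" % errMsg)

                if Failures.failedParseOn:
                    with codecs.open(os.path.join(paths.SQLMAP_OUTPUT_PATH, "console_output"), "wb", UNICODE_ENCODING) as console_output_fd:
                        console_output_fd.write(Failures.failedParseOn)

                if Failures.failedTraceBack:
                    with codecs.open(os.path.join(paths.SQLMAP_OUTPUT_PATH, "traceback"), "wb", UNICODE_ENCODING) as traceback_fd:
                        traceback_fd.write(Failures.failedTraceBack)

                beep()

                if conf.stopFail is True:
                    # This case failed, so the overall result is a failure
                    # even if every earlier case passed
                    return False

        retVal &= bool(result)

    dataToStdout("\n")

    if retVal:
        logger.info("live test final result: PASSED")
    else:
        logger.error("live test final result: FAILED")

    return retVal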
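def liveTest():
    """
    This will run the test of a program against the live testing environment

    Test cases are read from paths.LIVE_TESTS_XML. Values under <global>
    become default switches, values under <vars> are substituted into the
    per-case values by replaceVars() (a value of "random" is replaced by
    randomStr(6)). Each <case> is run with runCase(); when a case fails and
    the module-level 'failedItem' is set, the content of 'failedParseOn' is
    written to a "console_output" file in paths.SQLMAP_OUTPUT_PATH.

    conf.runCase selects what is run: a value made only of digits picks the
    case at that position (counting from 1), anything else is used as a
    regular expression searched in the case name.

    Returns the combined result of all executed cases. If conf.stopFail is
    set, the run stops at the first failing case and False is returned.
    """

    global failedItem
    global failedParseOn

    retVal = True
    count = 0
    global_ = {}
    vars_ = {}

    livetests = readXmlFile(paths.LIVE_TESTS_XML)
    length = len(livetests.getElementsByTagName("case"))

    element = livetests.getElementsByTagName("global")
    if element:
        for item in element:
            for child in item.childNodes:
                if child.nodeType == child.ELEMENT_NODE and child.hasAttribute("value"):
                    global_[child.tagName] = adjustValueType(child.tagName, child.getAttribute("value"))

    element = livetests.getElementsByTagName("vars")
    if element:
        for item in element:
            for child in item.childNodes:
                if child.nodeType == child.ELEMENT_NODE and child.hasAttribute("value"):
                    var = child.getAttribute("value")
                    vars_[child.tagName] = randomStr(6) if var == "random" else var

    for case in livetests.getElementsByTagName("case"):
        console_output = False
        count += 1
        name = None
        parse = []
        switches = dict(global_)
        value = ""

        if case.hasAttribute("name"):
            name = case.getAttribute("name")

        if conf.runCase:
            if conf.runCase.isdigit():
                # conf.runCase is a string: comparing it directly with the
                # integer counter is never equal and skipped every case
                if int(conf.runCase) != count:
                    continue
            elif not re.search(conf.runCase, name or "", re.DOTALL):
                # 'name or ""' keeps unnamed cases from raising TypeError
                continue

        if case.getElementsByTagName("switches"):
            for child in case.getElementsByTagName("switches")[0].childNodes:
                if child.nodeType == child.ELEMENT_NODE and child.hasAttribute("value"):
                    value = replaceVars(child.getAttribute("value"), vars_)
                    switches[child.tagName] = adjustValueType(child.tagName, value)

        if case.getElementsByTagName("parse"):
            for item in case.getElementsByTagName("parse")[0].getElementsByTagName("item"):
                if item.hasAttribute("value"):
                    value = replaceVars(item.getAttribute("value"), vars_)

                if item.hasAttribute("console_output"):
                    # NOTE(review): bool() of any non-empty string is True,
                    # so console_output="false" also enables this - confirm
                    # against the test definitions
                    console_output = bool(item.getAttribute("console_output"))

                parse.append((value, console_output))

        msg = "running live test case '%s' (%d/%d)" % (name, count, length)
        logger.info(msg)

        result = runCase(switches, parse)

        if result:
            logger.info("test passed")
            cleanCase()
        else:
            errMsg = "test failed "

            if failedItem:
                errMsg += "at parsing item: %s - scan folder is %s" % (failedItem, paths.SQLMAP_OUTPUT_PATH)

                # The context manager closes the file even if the write fails
                with codecs.open("%s%sconsole_output" % (paths.SQLMAP_OUTPUT_PATH, os.sep), "wb", UNICODE_ENCODING) as console_output_fd:
                    console_output_fd.write(failedParseOn)

            logger.error(errMsg)
            beep()

            if conf.stopFail is True:
                # This case failed, so the overall result is a failure even
                # if every earlier case passed
                return False

        retVal &= result

    dataToStdout("\n")

    if retVal:
        logger.info("live test final result: PASSED")
    else:
        logger.error("live test final result: FAILED")

    return retVal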
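def liveTest():
    """
    This will run the test of a program against the live testing environment

    Test cases are read from paths.LIVE_TESTS_XML. Values under <global>
    become default switches, values under <vars> are substituted into the
    per-case values by replaceVars(). Each <case> is run with runCase(),
    which receives the switches and the expected <parse> items; a failure
    is logged together with the module-level 'failedItem'.

    conf.runCase selects what is run: a value made only of digits picks the
    case at that position (counting from 1), anything else is used as a
    regular expression searched in the case name.

    Returns the combined result of all executed cases. If conf.stopFail is
    set, the run stops at the first failing case and False is returned.
    """

    global failedItem

    retVal = True
    count = 0
    global_ = {}
    vars_ = {}

    livetests = readXmlFile(paths.LIVE_TESTS_XML)
    length = len(livetests.getElementsByTagName("case"))

    element = livetests.getElementsByTagName("global")
    if element:
        for item in element:
            for child in item.childNodes:
                if child.nodeType == child.ELEMENT_NODE and child.hasAttribute("value"):
                    global_[child.tagName] = adjustValueType(child.tagName, child.getAttribute("value"))

    element = livetests.getElementsByTagName("vars")
    if element:
        for item in element:
            for child in item.childNodes:
                if child.nodeType == child.ELEMENT_NODE and child.hasAttribute("value"):
                    vars_[child.tagName] = child.getAttribute("value")

    for case in livetests.getElementsByTagName("case"):
        count += 1
        name = None
        parse = []
        switches = dict(global_)

        if case.hasAttribute("name"):
            name = case.getAttribute("name")

        if conf.runCase:
            if conf.runCase.isdigit():
                # conf.runCase is a string: comparing it directly with the
                # integer counter is never equal and skipped every case
                if int(conf.runCase) != count:
                    continue
            elif not re.search(conf.runCase, name or "", re.DOTALL):
                # 'name or ""' keeps unnamed cases from raising TypeError
                continue

        if case.getElementsByTagName("switches"):
            for child in case.getElementsByTagName("switches")[0].childNodes:
                if child.nodeType == child.ELEMENT_NODE and child.hasAttribute("value"):
                    value = replaceVars(child.getAttribute("value"), vars_)
                    switches[child.tagName] = adjustValueType(child.tagName, value)

        if case.getElementsByTagName("parse"):
            for item in case.getElementsByTagName("parse")[0].getElementsByTagName("item"):
                if item.hasAttribute("value"):
                    parse.append(replaceVars(item.getAttribute("value"), vars_))

        msg = "running live test case '%s' (%d/%d)" % (name, count, length)
        logger.info(msg)

        result = runCase(switches, parse)

        if result:
            logger.info("test passed")
        else:
            logger.error("test failed at parsing item: %s" % failedItem)
            beep()

            if conf.stopFail is True:
                # This case failed, so the overall result is a failure even
                # if every earlier case passed
                return False

        retVal &= result

    dataToStdout("\n")

    if retVal:
        logger.info("live test final result: PASSED")
    else:
        logger.error("live test final result: FAILED")

    return retVal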