def connect(self):
self.initConnection()
self.__dsn = cx_Oracle.makedsn(self.hostname, self.port, self.db)
self.__dsn = getBytes(self.__dsn)
self.user = getBytes(self.user)
self.password = getBytes(self.password)
try:
self.connector = cx_Oracle.connect(dsn=self.__dsn,
user=self.user,
password=self.password,
mode=cx_Oracle.SYSDBA)
logger.info("successfully connected as SYSDBA")
except (cx_Oracle.OperationalError, cx_Oracle.DatabaseError,
cx_Oracle.InterfaceError) as ex:
if "Oracle Client library" in getSafeExString(ex):
msg = re.sub(r"DPI-\d+:\s+", "", getSafeExString(ex))
msg = re.sub(r': ("[^"]+")', r" (\g<1>)", msg)
msg = re.sub(r". See (http[^ ]+)", r'. See "\g<1>"', msg)
raise SqlmapConnectionException(msg)
try:
self.connector = cx_Oracle.connect(dsn=self.__dsn,
user=self.user,
password=self.password)
except (cx_Oracle.OperationalError, cx_Oracle.DatabaseError,
cx_Oracle.InterfaceError) as ex:
raise SqlmapConnectionException(ex)
self.initCursor()
self.printConnected()
def joomla_passwd(password, salt, **kwargs):
"""
Reference: https://stackoverflow.com/a/10428239
>>> joomla_passwd(password='******', salt='6GGlnaquVXI80b3HRmSyE3K1wEFFaBIf')
'e3d5794da74e917637332e0d21b76328:6GGlnaquVXI80b3HRmSyE3K1wEFFaBIf'
"""
return "%s:%s" % (md5(b"%s%s" % (getBytes(password), getBytes(salt))).hexdigest(), salt)
def django_md5_passwd(password, salt, **kwargs):
"""
Reference: https://github.com/jay0lee/GAM/blob/master/src/passlib/handlers/django.py
>>> django_md5_passwd(password='******', salt='salt')
'md5$salt$972141bcbcb6a0acc96e92309175b3c5'
"""
return "md5$%s$%s" % (salt, md5(b"%s%s" % (getBytes(salt), getBytes(password))).hexdigest())
def django_sha1_passwd(password, salt, **kwargs):
"""
Reference: https://github.com/jay0lee/GAM/blob/master/src/passlib/handlers/django.py
>>> django_sha1_passwd(password='******', salt='salt')
'sha1$salt$6ce0e522aba69d8baa873f01420fccd0250fc5b2'
"""
return "sha1$%s$%s" % (salt, sha1(b"%s%s" % (getBytes(salt), getBytes(password))).hexdigest())
def vbulletin_passwd(password, salt, **kwargs):
"""
Reference: https://stackoverflow.com/a/2202810
>>> vbulletin_passwd(password='******', salt='salt')
'85c4d8ea77ebef2236fb7e9d24ba9482:salt'
"""
return "%s:%s" % (md5(binascii.hexlify(md5(getBytes(password)).digest()) + getBytes(salt)).hexdigest(), salt)
def wordpress_passwd(password, salt, count, prefix, **kwargs):
"""
Reference(s):
http://packetstormsecurity.org/files/74448/phpassbrute.py.txt
http://scriptserver.mainframe8.com/wordpress_password_hasher.php
>>> wordpress_passwd(password='******', salt='aD9ZLmkp', count=2048, prefix='$P$9aD9ZLmkp')
'$P$9aD9ZLmkpsN4A83G8MefaaP888gVKX0'
"""
def _encode64(input_, count):
output = ''
i = 0
while i < count:
value = (input_[i]
if isinstance(input_[i], int) else ord(input_[i]))
i += 1
output = output + ITOA64[value & 0x3f]
if i < count:
value = value | ((input_[i] if isinstance(input_[i], int) else
ord(input_[i])) << 8)
output = output + ITOA64[(value >> 6) & 0x3f]
i += 1
if i >= count:
break
if i < count:
value = value | ((input_[i] if isinstance(input_[i], int) else
ord(input_[i])) << 16)
output = output + ITOA64[(value >> 12) & 0x3f]
i += 1
if i >= count:
break
output = output + ITOA64[(value >> 18) & 0x3f]
return output
password = getBytes(password)
salt = getBytes(salt)
cipher = md5(salt)
cipher.update(password)
hash_ = cipher.digest()
for i in xrange(count):
_ = md5(hash_)
_.update(password)
hash_ = _.digest()
return "%s%s" % (prefix, _encode64(hash_, 16))
def ssha_passwd(password, salt, **kwargs):
"""
>>> ssha_passwd(password='******', salt='salt')
'{SSHA}mU1HPTvnmoXOhE4ROHP6sWfbfoRzYWx0'
"""
password = getBytes(password)
salt = getBytes(salt)
return "{SSHA}%s" % getText(base64.b64encode(sha1(password + salt).digest() + salt))
def ssha512_passwd(password, salt, **kwargs):
"""
>>> ssha512_passwd(password='******', salt='salt')
'{SSHA512}mCUSLfPMhXCQOJl9WHW/QMn9v9sjq7Ht/Wk7iVau8vLOfh+PeynkGMikqIE8sStFd0khdfcCD8xZmC6UyjTxsHNhbHQ='
"""
password = getBytes(password)
salt = getBytes(salt)
return "{SSHA512}%s" % getText(base64.b64encode(sha512(password + salt).digest() + salt))
def ssha256_passwd(password, salt, **kwargs):
"""
>>> ssha256_passwd(password='******', salt='salt')
'{SSHA256}hhubsLrO/Aje9F/kJrgv5ZLE40UmTrVWvI7Dt6InP99zYWx0'
"""
password = getBytes(password)
salt = getBytes(salt)
return "{SSHA256}%s" % getText(base64.b64encode(sha256(password + salt).digest() + salt))
def __init__(self,
request,
response,
startTime=None,
endTime=None,
extendedArguments=None):
self.request = getBytes(request)
self.response = getBytes(response)
self.startTime = startTime
self.endTime = endTime
self.extendedArguments = extendedArguments or {}
def postgres_passwd(password, username, uppercase=False):
"""
Reference(s):
http://pentestmonkey.net/blog/cracking-postgres-hashes/
>>> postgres_passwd(password='******', username='******', uppercase=False)
'md599e5ea7a6f7c3269995cba3927fd0093'
"""
username = getBytes(username)
password = getBytes(password)
retVal = "md5%s" % md5(password + username).hexdigest()
return retVal.upper() if uppercase else retVal.lower()
def parse(cls, raw):
altered = raw
comment = b""
if altered.startswith(b"HTTP response [") or altered.startswith(b"HTTP redirect ["):
stream = io.BytesIO(raw)
first_line = stream.readline()
parts = cls.extract_status.search(first_line)
status_line = "HTTP/1.0 %s %s" % (getText(parts.group(1)), getText(parts.group(2)))
remain = stream.read()
altered = getBytes(status_line) + b"\r\n" + remain
comment = first_line
response = _http_client.HTTPResponse(FakeSocket(altered))
response.begin()
try:
content = response.read()
except _http_client.IncompleteRead:
content = raw[raw.find("\r\n\r\n") + 4:].rstrip("\r\n")
return cls(httpVersion="HTTP/1.1" if response.version == 11 else "HTTP/1.0",
status=response.status,
statusText=response.reason,
headers=response.msg,
content=content,
comment=comment,
raw=raw)
def _escape(expression, quote=True, escaper=None):
retVal = expression
if quote:
for item in re.findall(r"'[^']*'+", expression):
original = item[1:-1]
if original:
if Backend.isDbms(
DBMS.SQLITE) and "X%s" % item in expression:
continue
if re.search(
r"\[(SLEEPTIME|RAND)",
original) is None: # e.g. '[SLEEPTIME]' marker
replacement = escaper(
original) if not conf.noEscape else original
if replacement != original:
retVal = retVal.replace(item, replacement)
elif len(original) != len(
getBytes(original)
) and "n'%s'" % original not in retVal and Backend.getDbms(
) in (DBMS.MYSQL, DBMS.PGSQL, DBMS.ORACLE, DBMS.MSSQL):
retVal = retVal.replace("'%s'" % original,
"n'%s'" % original)
else:
retVal = escaper(expression)
return retVal
def hashKey(key):
key = getBytes(key if isinstance(key, six.text_type) else repr(key),
errors="xmlcharrefreplace")
retVal = int(
hashlib.md5(key).hexdigest(), 16
) & 0x7fffffffffffffff # Reference: http://stackoverflow.com/a/4448400
return retVal
def _(self, length=None):
try:
retVal = getSafeExString(
ex
) # Note: pyflakes mistakenly marks 'ex' as undefined (NOTE: tested in both Python2 and Python3)
except:
retVal = ""
return getBytes(retVal)
def multipart_encode(self, vars, files, boundary=None, buf=None):
if boundary is None:
boundary = choose_boundary()
if buf is None:
buf = b""
for (key, value) in vars:
if key is not None and value is not None:
buf += b"--%s\r\n" % getBytes(boundary)
buf += b"Content-Disposition: form-data; name=\"%s\"" % getBytes(key)
buf += b"\r\n\r\n" + getBytes(value) + b"\r\n"
for (key, fd) in files:
file_size = fd.len if hasattr(fd, "len") else os.fstat(fd.fileno())[stat.ST_SIZE]
filename = fd.name.split("/")[-1] if "/" in fd.name else fd.name.split("\\")[-1]
try:
contenttype = mimetypes.guess_type(filename)[0] or b"application/octet-stream"
except:
# Reference: http://bugs.python.org/issue9291
contenttype = b"application/octet-stream"
buf += b"--%s\r\n" % getBytes(boundary)
buf += b"Content-Disposition: form-data; name=\"%s\"; filename=\"%s\"\r\n" % (getBytes(key), getBytes(filename))
buf += b"Content-Type: %s\r\n" % getBytes(contenttype)
# buf += b"Content-Length: %s\r\n" % file_size
fd.seek(0)
buf += b"\r\n%s\r\n" % fd.read()
buf += b"--%s--\r\n\r\n" % getBytes(boundary)
buf = getBytes(buf)
return boundary, buf
def hashKey(self, key):
# from sqlmap/lib/utils/hashdb.py
import six #pylint: disable=import-error,bad-option-value,import-outside-toplevel
from lib.core.convert import getBytes #pylint: disable=import-error,bad-option-value,import-outside-toplevel
key = getBytes(key if isinstance(key, six.text_type) else repr(key))
retVal = int(
hashlib.md5(key).hexdigest(), 16
) & 0x7fffffffffffffff # Reference: http://stackoverflow.com/a/4448400
return retVal
def sha512_generic_passwd(password, uppercase=False):
"""
>>> sha512_generic_passwd(password='******', uppercase=False)
'78ddc8555bb1677ff5af75ba5fc02cb30bb592b0610277ae15055e189b77fe3fda496e5027a3d99ec85d54941adee1cc174b50438fdc21d82d0a79f85b58cf44'
"""
retVal = sha512(getBytes(password)).hexdigest()
return retVal.upper() if uppercase else retVal.lower()
def uploadShellcodeexec(self, web=False):
self.shellcodeexecLocal = os.path.join(paths.SQLMAP_EXTRAS_PATH,
"shellcodeexec")
if Backend.isOs(OS.WINDOWS):
self.shellcodeexecLocal = os.path.join(
self.shellcodeexecLocal, "windows",
"shellcodeexec.x%s.exe_" % "32")
content = decloak(self.shellcodeexecLocal)
if SHELLCODEEXEC_RANDOM_STRING_MARKER in content:
content = content.replace(
SHELLCODEEXEC_RANDOM_STRING_MARKER,
getBytes(randomStr(
len(SHELLCODEEXEC_RANDOM_STRING_MARKER))))
_ = cloak(data=content)
handle, self.shellcodeexecLocal = tempfile.mkstemp(
suffix="%s.exe_" % "32")
os.close(handle)
with open(self.shellcodeexecLocal, "w+b") as f:
f.write(_)
else:
self.shellcodeexecLocal = os.path.join(
self.shellcodeexecLocal, "linux",
"shellcodeexec.x%s_" % Backend.getArch())
__basename = "tmpse%s%s" % (self._randStr,
".exe" if Backend.isOs(OS.WINDOWS) else "")
self.shellcodeexecRemote = "%s/%s" % (conf.tmpPath, __basename)
self.shellcodeexecRemote = ntToPosixSlashes(
normalizePath(self.shellcodeexecRemote))
logger.info("uploading shellcodeexec to '%s'" %
self.shellcodeexecRemote)
if web:
written = self.webUpload(self.shellcodeexecRemote,
os.path.split(
self.shellcodeexecRemote)[0],
filepath=self.shellcodeexecLocal)
else:
written = self.writeFile(self.shellcodeexecLocal,
self.shellcodeexecRemote,
"binary",
forceCheck=True)
if written is not True:
errMsg = "there has been a problem uploading shellcodeexec. It "
errMsg += "looks like the binary file has not been written "
errMsg += "on the database underlying file system or an AV has "
errMsg += "flagged it as malicious and removed it"
logger.error(errMsg)
return False
else:
logger.info("shellcodeexec successfully uploaded")
return True
def sha384_generic_passwd(password, uppercase=False):
"""
>>> sha384_generic_passwd(password='******', uppercase=False)
'6823546e56adf46849343be991d4b1be9b432e42ed1b4bb90635a0e4b930e49b9ca007bc3e04bf0a4e0df6f1f82769bf'
"""
retVal = sha384(getBytes(password)).hexdigest()
return retVal.upper() if uppercase else retVal.lower()
def sha256_generic_passwd(password, uppercase=False):
"""
>>> sha256_generic_passwd(password='******', uppercase=False)
'13d249f2cb4127b40cfa757866850278793f814ded3c587fe5889e889a7a9f6c'
"""
retVal = sha256(getBytes(password)).hexdigest()
return retVal.upper() if uppercase else retVal.lower()
def sha224_generic_passwd(password, uppercase=False):
"""
>>> sha224_generic_passwd(password='******', uppercase=False)
'648db6019764b598f75ab6b7616d2e82563a00eb1531680e19ac4c6f'
"""
retVal = sha224(getBytes(password)).hexdigest()
return retVal.upper() if uppercase else retVal.lower()
def apache_sha1_passwd(password, **kwargs):
"""
>>> apache_sha1_passwd(password='******')
'{SHA}IGyAQTualsExLMNGt9JRe4RGPt0='
"""
password = getBytes(password)
return "{SHA}%s" % getText(base64.b64encode(sha1(password).digest()))
def execute(self, query):
try:
self.cursor.execute(getBytes(query))
except self.__sqlite.OperationalError as ex:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG,
"(remote) '%s'" % getSafeExString(ex))
except self.__sqlite.DatabaseError as ex:
raise SqlmapConnectionException(getSafeExString(ex))
self.connector.commit()
def md4_generic_passwd(password, uppercase=False):
"""
>>> md4_generic_passwd(password='******', uppercase=False)
'5b4d300688f19c8fd65b8d6ccf98e0ae'
"""
password = getBytes(password)
retVal = hashlib.new("md4", password).hexdigest()
return retVal.upper() if uppercase else retVal.lower()
def send_all(p, data):
if not data:
return
data = getBytes(data)
while len(data):
sent = p.send(data)
if not isinstance(sent, int):
break
data = buffer(data[sent:])
def md5_generic_passwd(password, uppercase=False):
"""
>>> md5_generic_passwd(password='******', uppercase=False)
'179ad45c6ce2cb97cf1029e212046e81'
"""
password = getBytes(password)
retVal = md5(password).hexdigest()
return retVal.upper() if uppercase else retVal.lower()
def sha1_generic_passwd(password, uppercase=False):
"""
>>> sha1_generic_passwd(password='******', uppercase=False)
'206c80413b9a96c1312cc346b7d2517b84463edd'
"""
password = getBytes(password)
retVal = sha1(password).hexdigest()
return retVal.upper() if uppercase else retVal.lower()
def execute(self, query):
retVal = False
try:
self.cursor.execute(getBytes(query))
retVal = True
except (pymssql.OperationalError, pymssql.ProgrammingError) as ex:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) '%s'" % getSafeExString(ex).replace("\n", " "))
except pymssql.InternalError as ex:
raise SqlmapConnectionException(getSafeExString(ex))
return retVal
def execute(self, query):
retVal = False
try:
self.cursor.execute(getBytes(query))
retVal = True
except cx_Oracle.DatabaseError as ex:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG,
"(remote) '%s'" % getSafeExString(ex))
self.connector.commit()
return retVal
