def test_target_post_data(self):
target = Target(URL(self.SQLI_GET), self.DATA_POST)
params = target.to_params()
self.assertEqual(
params, ["--url=%s" % self.SQLI_GET,
"--data=%s" % self.DATA_POST])
def _verify_vuln(self, vuln_obj):
'''
This command verifies a vuln. This is really hard work! :P
:return : True if vuln can be exploited.
'''
uri = vuln_obj.get_uri()
dc = vuln_obj.get_dc()
orig_value = vuln_obj.get_mutant().get_original_value()
dc[vuln_obj.get_var()] = orig_value
post_data = None
if isinstance(dc, Form):
post_data = str(dc) or None
else:
uri.set_querystring(dc)
target = Target(uri, post_data)
sqlmap = SQLMapWrapper(target, self._uri_opener)
if sqlmap.is_vulnerable():
self._sqlmap = sqlmap
return True
return False
def test_verify_vulnerability_POST(self):
target = Target(URL(self.SQLI_POST), self.DATA_POST)
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
def setUp(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
self.uri_opener = ExtendedUrllib()
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
def test_enable_coloring(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
sqlmap = SQLMapWrapper(target, self.uri_opener, coloring=True)
params = sqlmap.get_wrapper_params()
self.assertNotIn('--disable-coloring', params)
def test_verify_vulnerability_ssl(self):
uri = URL(self.SSL_SQLI_GET)
target = Target(uri)
self.uri_opener = ExtendedUrllib()
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
def test_verify_vulnerability_false(self):
not_vuln = 'http://moth/w3af/audit/sql_injection/select/'\
'sql_injection_string.php?fake=invalid'
uri = URL(not_vuln)
target = Target(uri)
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertFalse(vulnerable)
def test_stds(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
prms = [
'--batch',
]
cmd, process = self.sqlmap.run_sqlmap_with_pipes(prms)
self.assertIsInstance(process.stdout, file)
self.assertIsInstance(process.stderr, file)
self.assertIsInstance(process.stdin, file)
self.assertIsInstance(cmd, basestring)
self.assertIn('sqlmap.py', cmd)
def test_target_post_data(self):
target = Target(URL(self.SQLI_GET), self.DATA_POST)
params = target.to_params()
self.assertEqual(params, ["--url=%s" % self.SQLI_GET,
"--data=%s" % self.DATA_POST])
def test_target_basic(self):
target = Target(URL(self.SQLI_GET))
params = target.to_params()
self.assertEqual(params, ["--url=%s" % self.SQLI_GET])
def test_target_basic(self):
target = Target(URL(self.SQLI_GET))
params = target.to_params()
self.assertEqual(params, ["--url=%s" % self.SQLI_GET])
