def _createTargetDirs():
"""
Create the output directory.
"""
if not os.path.isdir(paths.POCSUITE_OUTPUT_PATH):
try:
if not os.path.isdir(paths.POCSUITE_OUTPUT_PATH):
os.makedirs(paths.POCSUITE_OUTPUT_PATH, 0755)
warnMsg = "using '%s' as the output directory" % paths.POCSUITE_OUTPUT_PATH
logger.log(CUSTOM_LOGGING.WARNING, warnMsg)
except (OSError, IOError), ex:
try:
tempDir = tempfile.mkdtemp(prefix="pocsuiteoutput")
except Exception, _:
errMsg = "unable to write to the temporary directory ('%s'). " % _
errMsg += "Please make sure that your disk is not full and "
errMsg += "that you have sufficient write permissions to "
errMsg += "create temporary files and/or directories"
raise PocsuiteSystemException(errMsg)
warnMsg = "unable to create regular output directory "
warnMsg += "'%s' (%s). " % (paths.POCSUITE_OUTPUT_PATH, getUnicode(ex))
warnMsg += "Using temporary directory '%s' instead" % getUnicode(tempDir)
logger.log(CUSTOM_LOGGING.WARNING, warnMsg)
paths.POCUSITE_OUTPUT_PATH = tempDir
def main():
try:
paths['ROOT_PATH'] = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
setPaths()
parse_args()
if IS_WIN:
win_color_init()
banner()
if conf['DEBUG']:
showDebugData()
if conf['UPDATE']:
update()
load_payloads()
if conf['ENGINE'] is 't':
from lib.controller.threads import ThreadsEngine
ThreadsEngine().run()
elif conf['ENGINE'] is 'c':
from lib.controller.coroutine import CoroutineEngine
CoroutineEngine().run()
except KeyboardInterrupt, e:
logger.log(CUSTOM_LOGGING.ERROR, 'User quit!')
def common_http_redirect(self, result, headers, code, content, msg):
content = decodePage(content, headers.get(HTTPHEADER.CONTENT_ENCODING), headers.get(HTTPHEADER.CONTENT_TYPE))
threadData = getCurrentThreadData()
threadData.lastRedirectMsg = (threadData.lastRequestUID, content)
responseMsg = "HTTP response "
responseMsg += "[#%d] (%d %s):\n" % (threadData.lastRequestUID, code, getUnicode(msg))
if headers:
logHeaders = "\n".join(["%s: %s" % (key.capitalize() if isinstance(key, basestring) else key, getUnicode(value)) for (key, value) in headers.items()])
else:
logHeaders = ""
logHTTPTraffic(threadData.lastRequestMsg, "%s%s" % (responseMsg, logHeaders))
responseMsg += getUnicode(logHeaders)
logger.log(7, responseMsg)
if result:
if self._get_header_redirect(headers):
result.redurl = self._get_header_redirect(headers)
if hasattr(result, 'redurl'):
if not urlparse.urlsplit(result.redurl).netloc:
result.redurl = urlparse.urljoin(conf.url, result.redurl)
if "set-cookie" in headers:
result.setcookie = headers["set-cookie"].split("; path")[0]
result.redcode = code
return result
def _process_http_redirect(self, result, headers, code, content, msg, redurl):
content = decodePage(content, headers.get(HTTPHEADER.CONTENT_ENCODING), headers.get(HTTPHEADER.CONTENT_TYPE))
threadData = getCurrentThreadData()
threadData.lastRedirectMsg = (threadData.lastRequestUID, content)
responseMsg = "HTTP response "
responseMsg += "[#%d] (%d %s):\n" % (threadData.lastRequestUID, code, getUnicode(msg))
if headers:
logHeaders = "\n".join("%s: %s" % (key.capitalize() if isinstance(key, basestring) else key, getUnicode(value)) for (key, value) in headers.items())
else:
logHeaders = ""
logHTTPTraffic(threadData.lastRequestMsg, "%s%s" % (responseMsg, logHeaders))
responseMsg += getUnicode(logHeaders)
logger.log(7, responseMsg)
if "set-cookie" in headers:
kb.redirectSetCookie = headers["set-cookie"].split("; path")[0]
result.redcode = code
result.redurl = redurl
return result
def pocThreads():
"""
@function multiThread executing
"""
kb.pCollect = set()
while not kb.targets.empty() and kb.threadContinue:
target, poc, pocname = kb.targets.get()
infoMsg = "poc:'%s' target:'%s'" % (pocname, target)
logger.log(CUSTOM_LOGGING.SYSINFO, infoMsg)
# TODO json
if isinstance(poc, dict):
pocInfo = poc['pocInfo']
result = execReq(poc, conf.mode, target)
output = (target, pocname, pocInfo["vulID"], pocInfo["appName"], pocInfo["appVersion"], "success" if result else "failed", time.strftime("%Y-%m-%d %X", time.localtime()), str(result.result))
else:
kb.pCollect.add(poc.__module__)
result = poc.execute(target, headers=conf.httpHeaders, mode=conf.mode, params=conf.params, verbose=True)
if not result:
continue
output = (target, pocname, result.vulID, result.appName, result.appVersion, "success" if result.is_success() else result.error, time.strftime("%Y-%m-%d %X", time.localtime()), str(result.result))
result.show_result()
kb.results.add(output)
if isinstance(conf.delay, (int, float)) and conf.delay > 0:
time.sleep(conf.delay / 1000)
def crawlerThread():
global countVisitedUrls
while visitQueue.qsize() > 0:
url = visitQueue.get()
try:
hashData = hashUrl(url)
if hashData not in visited:
headers[HTTP_HEADER.USER_AGENT] = randomUserAgents()
response = requests.get(url, timeout=10, headers=headers)
crawlMsg = 'crawled %s depth: %d count: %d' % (url, currentDepth, countVisitedUrls)
logger.log(CUSTOM_LOGGING.SYSINFO, crawlMsg)
content = response.text
kb.pageEncoding = response.encoding
conf.cookie = str(response.cookies.get_dict())
try:
lock.acquire()
visited.add(hashData)
countVisitedUrls += 1
fp.write(url + '\n')
lock.release()
except Exception, ex:
logger.log(CUSTOM_LOGGING.ERROR, ex)
if lock.locked():
lock.release()
continue
else:
continue
def start():
if kb.targets and kb.targets.qsize() > 1:
infoMsg = "penework got a total of %d targets" % kb.targets.qsize()
logger.log(CUSTOM_LOGGING.SYSINFO, infoMsg)
runThreads(conf.threads, pocThreads)
resultTable = PrettyTable(["target-url", "poc-name", "poc-id", "component", "version", "status"])
resultTable.padding_width = 1
if not kb.results:
return
toNum, sucNum = 0, 0
for row in kb.results:
resultTable.add_row(list(row)[:-2])
toNum += 1
if row[5] == 'success':
sucNum += 1
if not conf.quiet:
print resultTable
# infoMsg = "{} of {} success !".format(sucNum, toNum)
# logger.log(CUSTOM_LOGGING.SYSINFO, infoMsg)
print "success : {} / {}".format(sucNum, toNum)
_createTargetDirs()
_setRecordFiles()
if conf.report:
_setReport()
def loadPoc(pocFile):
if pocFile.endswith(".pyc"):
conf.isPycFile = True
if conf.isPocString:
poc = conf.pocFile
if not conf.pocname:
if conf.pocFile:
conf.pocname = os.path.split(conf.pocFile)[1]
else:
errMsg = "Use pocString must provide pocname"
logger.log(CUSTOM_LOGGING.ERROR, errMsg)
pocname = conf.pocname
else:
pocname = os.path.split(pocFile)[1]
poc = readFile(pocFile)
if not conf.isPycFile:
if not re.search(POC_REGISTER_REGEX, poc):
warnMsg = "poc: %s register is missing" % pocname
logger.log(CUSTOM_LOGGING.WARNING, warnMsg)
className = getPocClassName(poc)
poc += POC_REGISTER_STRING.format(className)
retVal = multipleReplace(poc, POC_IMPORTDICT)
else:
retVal = poc
return {pocname: retVal}
def showResult(tag):
for key1, value1 in resultJson[tag].iteritems():
for key2, value2 in value1.iteritems():
if key1 != 'verifyInfo':
logger.log(CUSTOM_LOGGING.SUCCESS, key2 + " : " + resultJson[tag][key1][key2])
pass
def execReq(poc, mode, targetUrl):
pocInfo, devilJson = poc['pocInfo'], poc["pocExecute"]
result = False
infoMsg = "poc-%s '%s' has already been detected against '%s'." % (pocInfo["vulID"], pocInfo["name"], targetUrl)
logger.log(CUSTOM_LOGGING.SUCCESS, infoMsg)
for targetJson in devilJson[mode]:
if mode == 'verify':
result = _executeVerify(pocInfo, targetJson, targetUrl, 'verify')
if targetJson['step'] == '0' and result:
return True
elif targetJson['step'] != '0' and not result:
return False
else:
result = _executeAttack(pocInfo, targetJson, targetUrl)
if targetJson['step'] == '0' and result:
showResult(targetUrl + pocInfo['vulID'])
return True
elif targetJson['step'] != '0' and not result:
return False
if result:
showResult(targetUrl + pocInfo['vulID'])
return result
def setPoc():
"""
@function 重新设置conf.pocFile
"""
if conf.isPocString:
retVal = loadPoc(conf.pocFile)
kb.pocs.update(retVal)
elif len(conf.pocFile.split(",")) > 1:
for pocFile in conf.pocFile.split(","):
pocFile = os.path.abspath(pocFile)
retVal = loadPoc(pocFile)
kb.pocs.update(retVal)
else:
conf.pocFile = os.path.abspath(conf.pocFile)
if os.path.isfile(conf.pocFile):
retVal = loadPoc(conf.pocFile)
kb.pocs.update(retVal)
elif os.path.isdir(conf.pocFile):
pyFiles = glob.glob(os.path.join(conf.pocFile, "*.py"))
jsonFiles = glob.glob(os.path.join(conf.pocFile, "*.json"))
pocFiles = pyFiles + jsonFiles
for pocFile in pocFiles:
retVal = loadPoc(pocFile)
kb.pocs.update(retVal)
else:
errMsg = "can't find any valid PoCs"
logger.log(CUSTOM_LOGGING.ERROR, errMsg)
conf.pocFile = None
def common_http_redirect(self, result, headers, code, content, msg):
content = decodePage(content, headers.get(HTTPHEADER.CONTENT_ENCODING), headers.get(HTTPHEADER.CONTENT_TYPE))
threadData = getCurrentThreadData()
threadData.lastRedirectMsg = (threadData.lastRequestUID, content)
responseMsg = "HTTP response "
responseMsg += "[#%d] (%d %s):\n" % (threadData.lastRequestUID, code, getUnicode(msg))
if headers:
logHeaders = "\n".join(["%s: %s" % (key.capitalize() if isinstance(key, basestring) else key, getUnicode(value)) for (key, value) in headers.items()])
else:
logHeaders = ""
if conf.verbose <= 5:
responseMsg += getUnicode(logHeaders)
elif conf.verbose > 5:
responseMsg += "%s\n\n%s\n" % (logHeaders, content)
logger.log(7, responseMsg)
if "location" in headers:
result.redurl = headers.getheaders("location")[0].split("?")[0]
elif "uri" in headers:
result.redurl = headers.getheaders("uri")[0].split("?")[0]
if "set-cookie" in headers:
result.setcookie = headers["set-cookie"].split("; path")[0]
result.redcode = code
return result
def crawl(url, currentDepth, countUrls):
redisCon = Redis(host=conf.REDIS_HOST,
port=conf.REDIS_PORT,
password=conf.REDIS_PASSWD)
try:
headers = dict()
headers[HTTP_HEADER.USER_AGENT] = randomUserAgents()
response = requests.get(url, timeout=10, headers=headers)
# crawlMsg = 'crawled %s depth: %d count: %d' % (url, currentDepth, countVisitedUrls)
# logger.log(CUSTOM_LOGGING.SYSINFO, crawlMsg)
content = response.text
kb.pageEncoding = response.encoding
conf.cookie = str(response.cookies.get_dict())
hashData = hashUrl(url)
redisCon.sadd('visited', hashData)
redisCon.lpush('visitedList', url)
getDB().insert({'url':url, 'depth': currentDepth, 'count':countUrls})
except Exception, ex:
logger.log(CUSTOM_LOGGING.ERROR, ex)
# print traceback.print_exc()
return
def execute(self, query):
try:
self.cursor = self.connector.execute(query)
except (_sqlalchemy.exc.OperationalError, _sqlalchemy.exc.ProgrammingError) as ex:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % ex.message if hasattr(ex, "message") else ex)
except _sqlalchemy.exc.InternalError as ex:
raise SqlmapConnectionException(ex[1])
def execute(self, target, headers=None, params=None, mode='verify', verbose=True):
"""
:param url: the target url
:param headers: a :class dict include some fields for request header.
:param params: a instance of Params, includ extra params
:return: A instance of Output
"""
self.target = target
self.url = parseTargetUrl(target)
self.headers = headers
self.params = params
self.mode = mode
self.verbose = verbose
# TODO
output = None
try:
if self.mode == 'attack':
output = self._attack()
else:
output = self._verify()
except NotImplementedError:
logger.log(CUSTOM_LOGGING.ERROR, 'POC: %s not defined ' '%s mode' % (self.name, self.mode))
output = Output(self)
except Exception, e:
logger.log(CUSTOM_LOGGING.ERROR, str(e))
output = Output(self)
def run(self):
threads = []
try:
for thread_num in xrange(self.threads_num):
thread = threading.Thread(target=self.brute_names, name=str(thread_num))
thread.setDaemon(True)
thread.start()
threads.append(thread)
alive = True
while alive:
alive = False
for thread in threads:
if thread.isAlive():
alive = True
time.sleep(0.1)
except KeyboardInterrupt:
if self.threads_num > 1:
logger.log(CUSTOM_LOGGING.SYSINFO, "waiting for threads to finish (Ctrl+C was pressed)")
try:
while threading.activeCount() > 1:
pass
except KeyboardInterrupt:
raise PeneworkThreadException("user aborted (Ctrl+C was pressed multiple times)")
def execute(self, target, headers=None, params=None, mode='verify', verbose=True):
"""
:param url: the target url
:param headers: a :class dict include some fields for request header.
:param params: a instance of Params, includ extra params
:return: A instance of Output
"""
self.target = target
self.url = parseTargetUrl(target)
self.headers = headers
self.params = strToDict(params) if params else {}
self.mode = mode
self.verbose = verbose
self.expt = 'None'
# TODO
output = None
try:
if self.mode == 'attack':
output = self._attack()
else:
output = self._verify()
except NotImplementedError, e:
self.expt = (ERROR_TYPE_ID.NOTIMPLEMENTEDERROR, e)
logger.log(CUSTOM_LOGGING.ERROR, 'POC: %s not defined ' '%s mode' % (self.name, self.mode))
output = Output(self)
def registerPoc(self):
pocString = multipleReplace(self.pocString, POC_IMPORTDICT)
_, self.moduleName = filepathParser(self.pocName)
try:
importer = StringImporter(self.moduleName, pocString)
importer.load_module(self.moduleName)
except ImportError, ex:
logger.log(CUSTOM_LOGGING.ERROR, ex)
def execute(self, query):
retVal = False
try:
self.cursor.execute(query)
retVal = True
except (pymysql.OperationalError, pymysql.ProgrammingError), msg:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % msg[1])
def execute(self, query):
retVal = False
try:
self.cursor.execute(utf8encode(query))
retVal = True
except cx_Oracle.DatabaseError, msg:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % msg)
def check_header(self, *args):
poc_name = getattr(self, "name")
headers = getattr(self, "headers")
if field.lower() not in map(str.lower, headers.keys()):
errMsg = "poc: %s need headers \"%s\"" % (poc_name, field)
logger.log(CUSTOM_LOGGING.ERROR, errMsg)
return
return function(self, *args)
def check_param(self, *args):
poc_name = getattr(self, "name")
params = getattr(self, "params")
if field not in params:
errMsg = "poc: %s need params \"%s\"" % (poc_name, field)
logger.log(CUSTOM_LOGGING.ERROR, errMsg)
return
return function(self, *args)
def execute(self, query):
try:
self.cursor = self.connector.execute(query)
except (_sqlalchemy.exc.OperationalError, _sqlalchemy.exc.ProgrammingError), msg:
logger.log(
logging.WARN if conf.dbmsHandler else logging.DEBUG,
"(remote) %s" % msg.message if hasattr(msg, "message") else msg,
)
def execute(self, query):
retVal = False
try:
self.cursor.execute(utf8encode(query))
retVal = True
except (pymssql.OperationalError, pymssql.ProgrammingError), msg:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % str(msg).replace("\n", " "))
def execute(self, query):
retVal = False
try:
self.cursor.execute(query)
retVal = True
except Exception, msg: #todo fix with specific error
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % msg[1])
def run(self):
try:
self.result = func(*args, **kwargs)
self.timeout_state = TIMEOUT_STATE.NORMAL
except Exception as ex:
logger.log(CUSTOM_LOGGING.TRAFFIC_IN, ex)
self.result = default
self.timeout_state = TIMEOUT_STATE.EXCEPTION
def execute(self, query):
try:
self.cursor.execute(query)
except (pyodbc.OperationalError, pyodbc.ProgrammingError) as msg:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % msg[1])
except pyodbc.Error as msg:
raise SqlmapConnectionException(msg[1])
self.connector.commit()
def fetchall(self):
try:
retVal = []
for row in self.cursor.fetchall():
retVal.append(tuple(row))
return retVal
except _sqlalchemy.exc.ProgrammingError, msg:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % msg[1])
return None
def execute(self, query):
try:
self.cursor.execute(query)
except (ibm_db_dbi.OperationalError, ibm_db_dbi.ProgrammingError) as ex:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) '%s'" % getSafeExString(ex))
except ibm_db_dbi.InternalError as ex:
raise SqlmapConnectionException(getSafeExString(ex))
self.connector.commit()
def execute(self, query):
try:
self.cursor = self.connector.execute(query)
except (_sqlalchemy.exc.OperationalError,
_sqlalchemy.exc.ProgrammingError), msg:
logger.log(
logging.WARN if conf.dbmsHandler else logging.DEBUG,
"(remote) %s" %
msg.message if hasattr(msg, "message") else msg)
def execute(self, query):
retVal = False
try:
self.cursor.execute(utf8encode(query))
retVal = True
except (pymssql.OperationalError, pymssql.ProgrammingError), msg:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG,
"(remote) %s" % str(msg).replace("\n", " "))
def execute(self, query):
try:
self.cursor.execute(query)
except (ibm_db_dbi.OperationalError, ibm_db_dbi.ProgrammingError) as ex:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % getSafeExString(ex))
except ibm_db_dbi.InternalError as ex:
raise SqlmapConnectionException(getSafeExString(ex))
self.connector.commit()
def execute(self, query):
retVal = False
try:
self.cursor.execute(query)
retVal = True
except (pymysql.OperationalError, pymysql.ProgrammingError), msg:
logger.log(logging.WARNING if conf.dbmsHandler else logging.DEBUG,
"(remote) %s" % msg[1])
def fetchall(self):
try:
retVal = []
for row in self.cursor.fetchall():
retVal.append(tuple(row))
return retVal
except _sqlalchemy.exc.ProgrammingError, msg:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % msg.message if hasattr(msg, "message") else msg)
return None
def _initModule(args):
if not args.m:
msg = 'Use -m to select a module name. Example: -m spider'
sys.exit(logger.log(CUSTOM_LOGGING.ERROR, msg))
if args.m and not os.path.isfile(os.path.join(paths.MODULES_PATH, args.m + ".py")):
msg = 'module not exist. Use --show to view all available module names.'
sys.exit(logger.log(CUSTOM_LOGGING.ERROR, msg))
conf.MODULE_NAME = args.m
conf.MODULE_FILE_PATH = os.path.join(paths.MODULES_PATH, conf.MODULE_NAME + ".py")
def execute(self, query):
retVal = False
try:
self.cursor.execute(utf8encode(query))
retVal = True
except cx_Oracle.DatabaseError, msg:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG,
"(remote) %s" % msg)
def execute(self, query):
try:
self.cursor.execute(query)
except kinterbasdb.OperationalError as ex:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % getSafeExString(ex))
except kinterbasdb.Error as ex:
raise SqlmapConnectionException(getSafeExString(ex))
self.connector.commit()
def direct(query, content=True):
select = True
query = agent.payloadDirect(query)
query = agent.adjustLateValues(query)
threadData = getCurrentThreadData()
if Backend.isDbms(DBMS.ORACLE) and query.upper().startswith("SELECT ") and " FROM " not in query.upper():
query = "%s FROM DUAL" % query
for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
for sqlStatement in sqlStatements:
if query.lower().startswith(sqlStatement) and sqlTitle != "SQL SELECT statement":
select = False
break
if select:
if re.search(r"(?i)\ASELECT ", query) is None:
query = "SELECT %s" % query
if conf.binaryFields:
for field in conf.binaryFields:
field = field.strip()
if re.search(r"\b%s\b" % re.escape(field), query):
query = re.sub(r"\b%s\b" % re.escape(field), agent.hexConvertField(field), query)
logger.log(CUSTOM_LOGGING.PAYLOAD, query)
output = hashDBRetrieve(query, True, True)
start = time.time()
if not select and re.search(r"(?i)\bEXEC ", query) is None:
timeout(func=conf.dbmsConnector.execute, args=(query,), duration=conf.timeout, default=None)
elif not (output and ("%soutput" % conf.tablePrefix) not in query and ("%sfile" % conf.tablePrefix) not in query):
output, state = timeout(func=conf.dbmsConnector.select, args=(query,), duration=conf.timeout, default=None)
if state == TIMEOUT_STATE.NORMAL:
hashDBWrite(query, output, True)
elif state == TIMEOUT_STATE.TIMEOUT:
conf.dbmsConnector.close()
conf.dbmsConnector.connect()
elif output:
infoMsg = "resumed: %s..." % getUnicode(output, UNICODE_ENCODING)[:20]
logger.info(infoMsg)
threadData.lastQueryDuration = calculateDeltaSeconds(start)
if not output:
return output
elif content:
if output and isListLike(output):
if len(output[0]) == 1:
output = [_[0] for _ in output]
retVal = getUnicode(output, noneToNull=True)
return safecharencode(retVal) if kb.safeCharEncode else retVal
else:
return extractExpectedValue(output, EXPECTED.BOOL)
def execute(self, query):
try:
self.cursor = self.connector.execute(query)
except (_sqlalchemy.exc.OperationalError,
_sqlalchemy.exc.ProgrammingError) as ex:
logger.log(
logging.WARN if conf.dbmsHandler else logging.DEBUG,
"(remote) %s" % ex.message if hasattr(ex, "message") else ex)
except _sqlalchemy.exc.InternalError as ex:
raise SqlmapConnectionException(ex[1])
def execute(self, query):
try:
self.cursor.execute(query)
except kinterbasdb.OperationalError as ex:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG,
"(remote) %s" % getSafeExString(ex))
except kinterbasdb.Error as ex:
raise SqlmapConnectionException(getSafeExString(ex))
self.connector.commit()
def urlDecode(url):
url = url.strip()
try:
url = str(url)
except Exception, ex:
logger.log(CUSTOM_LOGGING.ERROR, ex)
try:
url = url.encode('utf-8')
except Exception, ex:
logger.log(CUSTOM_LOGGING.ERROR, ex)
def _initModule(args):
if not args.m:
msg = 'Use -m to select a module name. Example: -m spider'
sys.exit(logger.log(CUSTOM_LOGGING.ERROR, msg))
if args.m and not os.path.isfile("./module/" + args.m + ".py"):
msg = 'module not exist. Use --show to view all available module names.'
sys.exit(logger.log(CUSTOM_LOGGING.ERROR, msg))
conf.MODULE_NAME = args.m
conf.MODULE_FILE_PATH = os.path.join(paths.MODULES_PATH,
conf.MODULE_NAME + ".py")
def execute(self, query):
try:
self.cursor.execute(getText(query))
except self.__sqlite.OperationalError as ex:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG,
"(remote) '%s'" % getSafeExString(ex))
except self.__sqlite.DatabaseError as ex:
raise SqlmapConnectionException(getSafeExString(ex))
self.connector.commit()
def exceptionHandledFunction(threadFunction):
try:
threadFunction()
except KeyboardInterrupt:
kb.threadContinue = False
kb.threadException = True
raise
except Exception, errMsg:
# thread is just going to be silently killed
logger.log(CUSTOM_LOGGING.ERROR, "thread %s: %s" % (threading.currentThread().getName(), errMsg))
def get_random_agent(path=paths.UA_LIST_PATH):
if not th.has_key("UA_LIST"):
_init_UAlist(path)
try:
return random.sample(th.UA_LIST, 1)[0]
except IOError, e:
warnMsg = "unable to read HTTP User-Agent header "
warnMsg += "file '%s'" % path
logger.log(CUSTOM_LOGGING.WARNING, warnMsg)
return
def check_type(self, *args):
poc_name = getattr(self, "name")
require_type = getattr(self, type)
fields = [field] if isinstance(field, basestring) else field
for _ in fields:
if (not require_type) or (_.lower() not in map(
str.lower, require_type.keys())):
errMsg = "poc: %s need %s \"%s\"" % (poc_name, type, _)
logger.log(CUSTOM_LOGGING.ERROR, errMsg)
return
return function(self, *args)
def run(self):
try:
poc = kb.registeredPocs[self.moduleName]
result = poc.execute(self.target, headers=conf.httpHeaders, mode=self.mode, params=self.params)
output = (self.target, self.pocName, result.vulID, result.appName, result.appVersion, (1, "success") if result.is_success() else result.error, time.strftime("%Y-%m-%d %X", time.localtime()), str(result.result))
if self.delmodule:
delModule(self.moduleName)
return output
except Exception, ex:
logger.log(CUSTOM_LOGGING.ERROR, ex)
def fetchall(self):
try:
retVal = []
for row in self.cursor.fetchall():
retVal.append(tuple(row))
return retVal
except _sqlalchemy.exc.ProgrammingError as ex:
logger.log(
logging.WARN if conf.dbmsHandler else logging.DEBUG,
"(remote) %s" % ex.message if hasattr(ex, "message") else ex)
return None
def runZoomEyeApi():
logger.log(CUSTOM_LOGGING.SYSINFO, 'Enable ZoomEye API.')
anslist = dorkSearch(query=conf.zoomeye_dork, type=conf.zoomeye_search_type, page=conf.zoomeye_max_page)
tmpIpFile = os.path.join(conf.ZOOMEYE_OUTPUT_PATH, '%s_%s.txt' % (
conf.zoomeye_dork.replace(':', '-').replace(' ', '-').strip(), time.strftime('%Y_%m_%d_%H_%M_%S')))
with open(tmpIpFile, 'w') as fp:
for each in anslist:
if isinstance(each, list):
each = each[0]
fp.write(each + '\n')
return tmpIpFile
def execute(self, query):
retVal = False
try:
self.cursor.execute(getBytes(query))
retVal = True
except (pymssql.OperationalError, pymssql.ProgrammingError) as ex:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) '%s'" % getSafeExString(ex).replace("\n", " "))
except pymssql.InternalError as ex:
raise SqlmapConnectionException(getSafeExString(ex))
return retVal
def execute(self, query):
retVal = False
try:
self.cursor.execute(query)
retVal = True
except Exception as ex:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) '%s'" % getSafeExString(ex))
self.connector.commit()
return retVal
def _init_UAlist(path):
infoMsg = "loading HTTP User-Agent header(s) from "
infoMsg += "file '%s'" % path
logger.log(CUSTOM_LOGGING.SYSINFO, infoMsg)
# TODO 此处 conf.RANDOM_UA 在其他地方暂时没有用到
conf.RANDOM_UA = True
th.UA_LIST = getFileItems(path)
successMsg = "Total: %d" % len(th.UA_LIST)
logger.log(CUSTOM_LOGGING.SUCCESS, successMsg)
debugPause()
def openerHeaders(op):
headers = {}
try:
assert isinstance(op, urllib2.OpenerDirector)
_ = op.addheaders
for pair in _:
# pair_copy = [part for part in pair]
headers.update({pair[0]: pair[1]})
except:
errMsg = 'unable to fetch headers from given opener'
logger.log(CUSTOM_LOGGING.ERROR, errMsg)
return headers
def writeBinary(fileName, content, encoding='utf8'):
"""
write file with given fileName and encoding
"""
try:
fp = codecs.open(fileName, mode='wb+', encoding=encoding)
fp.write(content)
fp.close()
logger.log(CUSTOM_LOGGING.SYSINFO,
'"%s" write to Text file "%s"' % (content, fileName))
except Exception as e:
logger.log(CUSTOM_LOGGING.WARNING, e)
def direct(query, content=True):
select = True
query = agent.payloadDirect(query)
query = agent.adjustLateValues(query)
threadData = getCurrentThreadData()
if Backend.isDbms(DBMS.ORACLE) and query.upper().startswith(
"SELECT ") and " FROM " not in query.upper():
query = "%s FROM DUAL" % query
for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
for sqlStatement in sqlStatements:
if query.lower().startswith(
sqlStatement) and sqlTitle != "SQL SELECT statement":
select = False
break
if select and not query.upper().startswith("SELECT "):
query = "SELECT %s" % query
logger.log(CUSTOM_LOGGING.PAYLOAD, query)
output = hashDBRetrieve(query, True, True)
start = time.time()
if not select and "EXEC " not in query.upper():
_ = timeout(func=conf.dbmsConnector.execute,
args=(query, ),
duration=conf.timeout,
default=None)
elif not (output and "sqlmapoutput" not in query
and "sqlmapfile" not in query):
output = timeout(func=conf.dbmsConnector.select,
args=(query, ),
duration=conf.timeout,
default=None)
hashDBWrite(query, output, True)
elif output:
infoMsg = "resumed: %s..." % getUnicode(output, UNICODE_ENCODING)[:20]
logger.info(infoMsg)
threadData.lastQueryDuration = calculateDeltaSeconds(start)
if not output:
return output
elif content:
if output and isListLike(output):
if len(output[0]) == 1:
output = [_[0] for _ in output]
retVal = getUnicode(output, noneToNull=True)
return safecharencode(retVal) if kb.safeCharEncode else retVal
else:
return extractExpectedValue(output, EXPECTED.BOOL)
def run(self):
self.start_time = time.time()
msg = 'Set the number of concurrent: %d' % self.threads_num
logger.log(CUSTOM_LOGGING.SUCCESS, msg)
while self.queue.qsize() > 0 and self.is_continue:
gevent.joinall([gevent.spawn(self._scan) for i in xrange(0, self.threads_num) if
self.queue.qsize() > 0])
if self.found_single:
msg = "[single-mode] found!"
sys.stdout.write('\n')
sys.stdout.flush()
logger.log(CUSTOM_LOGGING.SYSINFO, msg)
def initOptions(args):
if '--debug' in sys.argv: # cannot use dataToStdout before init
infoMsg = '---args---\n%s' % args
logger.log(CUSTOM_LOGGING.SYSINFO, infoMsg)
_checkCNhelp(args)
_checkUpdate(args)
_checkShow(args)
_initEngine(args)
_initModule(args)
_initTargetMode(args)
_initOutput(args)
_initSafeOptions(args)
def execute(self, query):
retVal = False
try:
self.cursor.execute(utf8encode(query))
retVal = True
except cx_Oracle.DatabaseError as ex:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) '%s'" % getSafeExString(ex))
self.connector.commit()
return retVal
def execute(self, query):
retVal = False
try:
self.cursor = self.connector.execute(query)
retVal = True
except (_sqlalchemy.exc.OperationalError, _sqlalchemy.exc.ProgrammingError) as ex:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % getSafeExString(ex))
except _sqlalchemy.exc.InternalError as ex:
raise SqlmapConnectionException(getSafeExString(ex))
return retVal
def loadText(fileName, encoding='utf8'):
"""
read file with given fileName and encoding
"""
try:
fp = codecs.open(fileName, mode='r', encoding=encoding)
content = fp.readlines()
fp.close()
logger.log(CUSTOM_LOGGING.SYSINFO,
'return file "%s" content .' % fileName)
return content
except Exception as e:
logger.log(CUSTOM_LOGGING.WARNING, e)