Exemple #1
0
 def execute(self, mole, params):
     if len(params) != 2:
         raise CommandException('Expected type and filename as parameter')
     if params[0] not in ['xml']:
         raise CommandException('Unknown export format.')
     try:
         mole.export_xml(params[1])
         output_manager.advance('Exportation successful').line_break()
     except FileOpenException:
         raise CommandException('The file given could not be opened', False)
     except NotInitializedException:
         raise CommandException(
             'Mole must be initialized in order to export', False)
Exemple #2
0
 def execute(self, mole, params):
     if len(params) < 2:
         raise CommandException(
             "Auth method and user credentials required.")
     if params[0] == 'basic':
         params = ' '.join(params[1:]).split(':')
         if len(params) < 2:
             raise CommandException("Missing password.")
         username = params[0]
         password = '******'.join(params[1:])
         mole.requester.headers["Authorization"] = "Basic " + b64encode(
             (username + ':' + password).encode()).decode()
     else:
         raise CommandException("Invalid method")
Exemple #3
0
 def execute(self, mole, params):
     if len(params) != 2:
         raise CommandException('Expected type and filename as parameter')
     if params[0] not in ['xml']:
         raise CommandException('Unknown import format.')
     try:
         mole.import_xml(params[1])
         output_manager.advance('Importation successful').line_break()
     except FileOpenException:
         raise CommandException('The file given could not be opened', False)
     except InvalidFormatException:
         raise CommandException('The file given has an invalid format',
                                False)
     except InvalidDataException:
         raise CommandException('The file given has invalid data', False)
Exemple #4
0
 def execute(self, mole, params):
     if not mole.requester:
         raise CommandException('URL must be set first.')
     if len(params) == 1:
         mole.requester.cookie_parameters = ' '.join(params)
     elif len(params) > 1:
         raise CommandException(
             'Too many arguments(remember to use quotes when setting the cookie).'
         )
     else:
         try:
             output_manager.normal(
                 urlencode(mole.requester.cookie_parameters)).line_break()
         except KeyError:
             output_manager.normal('No cookie set yet.').line_break()
Exemple #5
0
 def execute(self, mole, params):
     self.check_initialization(mole)
     if len(params) < 2:
         raise CommandException(
             "DB name and table names to bruteforce required.")
     else:
         mole.brute_force_tables(params[0], params[1:])
Exemple #6
0
    def execute(self, mole, params):
        if len(params) == 0:
            method = mole.requester.method
            if method == 'POST':
                params = mole.requester.post_parameters
            else:
                params = mole.requester.get_parameters
            params = urlencode(params, True)
            if len(params) == 0:
                params = 'No parameters have been set.'
            output_manager.normal('{0}: {1}'.format(method,
                                                    params)).line_break()
        elif len(params) >= 1:
            try:
                mole.set_method(params[0])
            except InvalidMethodException:
                raise CommandException('The method ' + params[0] +
                                       ' is not supported!')

            if len(params) >= 2:
                if params[0] == 'POST':
                    mole.set_post_params(params[1])
                elif params[0] == 'GET':
                    mole.set_get_params(params[1])

            if len(params) == 3:
                mole.set_vulnerable_param(params[0], params[2])
Exemple #7
0
 def execute(self, mole, params):
     self.check_initialization(mole)
     if len(params) != 1:
         raise CommandException('Expected filename as parameter')
     data = mole.read_file(params[0])
     if len(data) == 0:
         output_manager.error(
             'Error reading file or file is empty.').line_break()
     else:
         output_manager.normal(data).line_break()
Exemple #8
0
 def execute(self, mole, params):
     if len(params) == 0:
         method, param = mole.requester.get_vulnerable_param()
         if method is not None and param is not None:
             output_manager.normal('{0} {1}'.format(method,
                                                    param)).line_break()
         else:
             output_manager.normal(
                 'Vulnerable parameter not set yet.').line_break()
     elif len(params) == 2:
         if params[0] not in self.accepted_methods:
             raise CommandException('The method ' + params[0] +
                                    ' is not supported!')
         try:
             mole.set_vulnerable_param(params[0], params[1])
         except InvalidParamException:
             raise CommandException('Parameter given is not valid')
     else:
         raise CommandException('Expected vulnerable parameter')
Exemple #9
0
    def execute(self, mole, params):
        if len(params) == 0:
            raise CommandException(
                'Recursive command needs at least an argument')
        if len(params) == 1 and params[0] not in self.first_param:
            raise CommandException(
                'The first argument for the recursive command must be schemas or tables!'
            )
        if len(params) == 1 and params[0] == 'tables':
            raise CommandException(
                'Recursive command needs schema name if you are retrieving tables!'
            )

        self.check_initialization(mole)

        if params[0] == 'schemas':
            self.__get_schemas(mole)
        elif params[0] == 'tables':
            self.__get_tables(mole, params[1])
Exemple #10
0
 def execute(self, mole, params):
     if len(params) == 0:
         output_manager.normal(mole.delay).line_break()
     else:
         try:
             mole.delay = float(params[0])
         except ValueError:
             raise CommandException("Expected float number as argument")
         if mole.requester:
             mole.requester.delay = mole.delay
Exemple #11
0
 def execute(self, mole, params):
     if len(params) == 0:
         max_len = max(map(len, mole.requester.headers.keys()))
         for key in mole.requester.headers:
             output_manager.normal('{0}{1}-> {2}'.format(
                 key, ' ' * (max_len - len(key)),
                 mole.requester.headers[key])).line_break()
     elif params[0] == 'set':
         if len(params) < 3:
             raise CommandException(
                 '"set" expects header key and value as arguments.')
         if params[1] == 'Cookie':
             CookieCommand().execute(mole, params[2:])
         else:
             mole.requester.headers[params[1]] = ' '.join(params[2:])
     elif params[0] == 'del':
         if len(params) != 2:
             raise CommandException('"del" expects header key as argument.')
         del mole.requester.headers[params[1]]
     else:
         raise CommandException("Invalid argument.")
Exemple #12
0
 def execute(self, mole, params):
     if len(params) == 0:
         if mole.requester.encoding is not None:
             output_manager.normal(mole.requester.encoding).line_break()
         else:
             output_manager.normal('No encoding set yet.').line_break()
     else:
         try:
             codecs.lookup(params[0])
         except LookupError:
             raise CommandException(
                 'Encoding ' + params[0] + ' does not exist.', False)
         mole.requester.encoding = params[0]
Exemple #13
0
 def execute(self, mole, params):
     if len(params) != 1:
         raise CommandException('Database name required')
     try:
         self.check_initialization(mole)
         tables = mole.get_tables(params[0], self.force_fetch)
     except QueryError as ex:
         output_manager.error('Query error: {0}'.format(ex)).line_break()
         return
     parser = output_manager.results_output(['Tables'])
     tables.sort()
     for i in tables:
         parser.put([i])
     parser.end_sequence()
Exemple #14
0
 def execute(self, mole, params):
     if len(params) != 2:
         raise CommandException('Database and table filter required.')
     try:
         self.check_initialization(mole)
         tables = mole.find_tables_like(params[0],
                                        "'" + ' '.join(params[1:]) + "'")
     except QueryError as ex:
         output_manager.error('Query error: {0}'.format(ex)).line_break()
         return
     parser = output_manager.results_output(['Tables'])
     tables.sort()
     for i in tables:
         parser.put([i])
     parser.end_sequence()
Exemple #15
0
 def check_initialization(self, mole):
     if not mole.initialized:
         try:
             mole.initialize()
         except MoleAttributeRequired as ex:
             raise CommandException('Mole not ready: ' + str(ex), False)
         except PageNotFound as ex:
             raise CommandException(
                 'Could not detect SQL Injection: Page not found (' +
                 str(ex) + ')', False)
         except NeedleNotFound as ex:
             raise CommandException(
                 'Could not detect SQL Injection: Needle not found (' +
                 str(ex) + ')', False)
         except SeparatorNotFound as ex:
             raise CommandException(
                 'Could not exploit SQL Injection: Separator not found (' +
                 str(ex) + ')', False)
         except CommentNotFound as ex:
             raise CommandException(
                 'Could not exploit SQL Injection: Comment marker not found ('
                 + str(ex) + ')', False)
         except ColumnNumberNotFound as ex:
             raise CommandException(
                 'Could not exploit SQL Injection: Number of columns not found ('
                 + str(ex) + ')', False)
         except InjectableFieldNotFound as ex:
             raise CommandException(
                 'Could not exploit SQL Injection: Injectable field not found ('
                 + str(ex) + ')', False)
         except DbmsDetectionFailed as ex:
             raise CommandException(
                 'Could not exploit SQL Injection: DBMS detection failed ('
                 + str(ex) + ')', False)
         except EncodingNotFound as ex:
             raise CommandException(
                 'Could not exploit SQL Injection: HTML encoding not found ('
                 + str(ex) + ')', False)
         except StoppedQueryException:
             raise QuietCommandException()
Exemple #16
0
 def execute(self, mole, params):
     if len(params) < 3:
         raise CommandException('Database name required')
     try:
         self.check_initialization(mole)
         if len(params) == 4:
             raise CommandException(
                 'Expected 3 or at least 5 parameters, got 4.')
         index_limit = params.index('limit') if 'limit' in params else -1
         index_where = params.index('where') if 'where' in params else -1
         index_offset = params.index('offset') if 'offset' in params else -1
         min_end = min(index_limit if index_limit != -1 else 0x7fffff,
                       index_offset if index_offset != -1 else 0x7fffff)
         if min_end == 0x7fffff:
             min_end = -1
         where_end = min_end if min_end != -1 and min_end > index_where else len(
             params) + 1
         condition = ' '.join(
             params[index_where +
                    1:where_end]) if index_where != -1 else '1=1'
         if index_limit == len(params) - 1:
             raise CommandException('Limit argument requires row numbers.')
         if index_offset == len(params) - 1:
             raise CommandException('Offset argument requires row index.')
         try:
             limit = int(params[index_limit +
                                1]) if index_limit != -1 else 0x7fffffff
             limit = max(limit, 0)
             offset = int(params[index_offset +
                                 1]) if index_offset != -1 else 0
             offset = max(offset, 0)
         except ValueError:
             raise CommandException("Non-int value given.")
         if params[2] != '*':
             columns = params[2].strip("'").strip('"').split(',')
         else:
             columns = mole.poll_columns(params[0], params[1])
             if columns is None:
                 raise CommandException(
                     "Columns must be dumped first in order to use '*'.",
                     False)
             columns.sort()
         result = mole.get_fields(params[0],
                                  params[1],
                                  columns,
                                  condition,
                                  start=offset,
                                  limit=limit)
     except themole.QueryError as ex:
         output_manager.error('Query error: {0}'.format(ex)).line_break()
         return
     res_out = output_manager.results_output(columns)
     for i in result:
         res_out.put(i)
     res_out.end_sequence()
Exemple #17
0
 def execute(self, mole, params):
     if len(params) != 2:
         raise CommandException('Database name required')
     try:
         self.check_initialization(mole)
         columns = mole.get_columns(params[0],
                                    params[1],
                                    force_fetch=self.force_fetch)
     except QueryError as ex:
         output_manager.error('Query error: {0}'.format(ex)).line_break()
         return
     columns.sort()
     parser = output_manager.results_output(
         ['Columns for table ' + params[1]])
     for i in columns:
         parser.put([i])
     parser.end_sequence()
Exemple #18
0
 def execute(self, mole, params):
     if len(params) == 0:
         inj_field = mole.injectable_field
         if inj_field is None:
             output_manager.normal(
                 'No injectable field has been set yet').line_break()
         else:
             output_manager.normal(str(inj_field)).line_break()
     else:
         try:
             inj = int(params[0]) - 1
         except:
             raise CommandException('Expected integer as argument')
         if mole.set_injectable_field(inj):
             output_manager.advance(
                 'Injectable field changed successfully').line_break()
         else:
             output_manager.normal(
                 'Could not set the injectable field').line_break()
Exemple #19
0
 def execute(self, mole, params):
     self.check_initialization(mole)
     if len(params) == 0:
         raise CommandException('At least one parameter is required!')
     self.cmds[params[0]].execute(mole, params[1:])
Exemple #20
0
 def add_filter(self, mole, name, params):
     try:
         self.functor(mole).add_filter(name, params)
     except FilterCreationError as ex:
         raise CommandException(
             'Filter {0} failed to initialize({1})'.format(name, str(ex)))
Exemple #21
0
 def execute(self, mole, params):
     self.check_initialization(mole)
     if len(params) == 0:
         raise CommandException("DB name expected as argument.")
     else:
         mole.brute_force_users_tables(params[0])