def _verify_vuln(self, vuln_obj): """ This command verifies a vuln. This is really hard work! :P :return : True if vuln can be exploited. """ mutant = vuln_obj.get_mutant() if not isinstance(mutant, (QSMutant, PostDataMutant)): msg = ('The SQL injection vulnerability at %s can not be exploited' ' by w3af\'s sqlmap wrapper because it can only handle' ' query string and url-encoded post data parameters.') om.out.console(msg % (mutant.get_url(),)) return False orig_value = mutant.get_token().get_original_value() # When the original value of the parameter was empty, mostly when it # was an HTML form, sqlmap can't find the vulnerability (and w3af does) # so we're adding a '1' here just in case. parameter_values = {orig_value, '1'} for pvalue in parameter_values: mutant = copy.deepcopy(mutant) mutant.set_token_value(pvalue) post_data = mutant.get_data() or None target = Target(mutant.get_uri(), post_data) try: sqlmap = SQLMapWrapper(target, self._uri_opener) except TypeError: issue_url = 'https://github.com/andresriancho/w3af/issues/6439' msg = 'w3af\'s sqlmap wrapper has some limitations, and you' \ ' just found one of them. For more information please' \ ' visit %s .' om.out.console(msg % issue_url) return False else: if sqlmap.is_vulnerable(): self._sqlmap = sqlmap return True else: self._sqlmap = None sqlmap.cleanup() return False
def _verify_vuln(self, vuln_obj): """ This command verifies a vuln. This is really hard work! :P :return : True if vuln can be exploited. """ mutant = vuln_obj.get_mutant() if not isinstance(mutant, (QSMutant, PostDataMutant)): msg = ('The SQL injection vulnerability at %s can not be exploited' ' by w3af\'s sqlmap wrapper because it can only handle' ' query string and url-encoded post data parameters.') om.out.console(msg % (mutant.get_url(), )) return False orig_value = mutant.get_token().get_original_value() # When the original value of the parameter was empty, mostly when it # was an HTML form, sqlmap can't find the vulnerability (and w3af does) # so we're adding a '1' here just in case. parameter_values = {orig_value, '1'} for pvalue in parameter_values: mutant = copy.deepcopy(mutant) mutant.set_token_value(pvalue) self._sqlmap = None post_data = mutant.get_data() or None target = Target(mutant.get_uri(), post_data) try: sqlmap = SQLMapWrapper(target, self._uri_opener) except TypeError: issue_url = 'https://github.com/andresriancho/w3af/issues/6439' msg = ('w3af\'s sqlmap wrapper has some limitations, and you' ' just found one of them. For more information please' ' visit %s .') om.out.console(msg % issue_url) return False try: is_vuln = sqlmap.is_vulnerable() except: sqlmap.cleanup() if sqlmap.last_stdout is None or sqlmap.last_stderr is None: # Not sure when we get here return False taint_error = 'provided tainted parameter' if not (taint_error in sqlmap.last_stdout or taint_error in sqlmap.last_stderr): # Some error that we don't have a special handling for return False issue_url = 'https://github.com/andresriancho/w3af/issues/1989' msg = ('w3af\'s sqlmap wrapper has some limitations, and you' ' just found one of them. For more information please' ' visit %s and add the steps required to reproduce this' ' issue which will help us debug and fix it.') om.out.console(msg % issue_url) return False if is_vuln: self._sqlmap = sqlmap return True else: sqlmap.cleanup() return False
class TestSQLMapWrapper(unittest.TestCase): SQLI_GET = get_moth_http('/audit/sql_injection/' 'where_string_single_qs.py?uname=pablo') SSL_SQLI_GET = get_moth_https('/audit/sql_injection/' 'where_string_single_qs.py?uname=pablo') SQLI_POST = get_moth_http('/audit/sql_injection/where_integer_form.py') DATA_POST = 'text=1' def setUp(self): uri = URL(self.SQLI_GET) target = Target(uri) self.uri_opener = ExtendedUrllib() self.sqlmap = SQLMapWrapper(target, self.uri_opener, debug=True) def tearDown(self): self.uri_opener.end() self.sqlmap.cleanup() @classmethod def setUpClass(cls): output_dir = os.path.join(SQLMapWrapper.SQLMAP_LOCATION, 'output') if os.path.exists(output_dir): shutil.rmtree(output_dir) @classmethod def tearDownClass(cls): # Doing this in both setupclass and teardownclass in order to be sure # that a ctrl+c doesn't break it output_dir = os.path.join(SQLMapWrapper.SQLMAP_LOCATION, 'output') if os.path.exists(output_dir): shutil.rmtree(output_dir) def test_verify_vulnerability(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) def test_verify_vulnerability_ssl(self): uri = URL(self.SSL_SQLI_GET) target = Target(uri) self.uri_opener = ExtendedUrllib() self.sqlmap = SQLMapWrapper(target, self.uri_opener) vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable, self.sqlmap.last_stdout) def test_verify_vulnerability_false(self): not_vuln = get_moth_http('/audit/sql_injection/' 'where_string_single_qs.py?fake=pablo') uri = URL(not_vuln) target = Target(uri) self.sqlmap = SQLMapWrapper(target, self.uri_opener) vulnerable = self.sqlmap.is_vulnerable() self.assertFalse(vulnerable) def test_verify_vulnerability_POST(self): target = Target(URL(self.SQLI_POST), self.DATA_POST) self.sqlmap = SQLMapWrapper(target, self.uri_opener) vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable, self.sqlmap.last_stdout) def test_wrapper_invalid_url(self): self.assertRaises(TypeError, SQLMapWrapper, self.SQLI_GET, self.uri_opener) def test_stds(self): uri = URL(self.SQLI_GET) target = Target(uri) self.sqlmap = SQLMapWrapper(target, self.uri_opener) prms = [ '--batch', ] cmd, process = self.sqlmap.run_sqlmap_with_pipes(prms) self.assertIsInstance(process.stdout, file) self.assertIsInstance(process.stderr, file) self.assertIsInstance(process.stdin, file) self.assertIsInstance(cmd, basestring) self.assertIn('sqlmap.py', cmd) def test_target_basic(self): target = Target(URL(self.SQLI_GET)) params = target.to_params() self.assertEqual(params, ["--url=%s" % self.SQLI_GET]) def test_target_post_data(self): target = Target(URL(self.SQLI_GET), self.DATA_POST) params = target.to_params() self.assertEqual( params, ["--url=%s" % self.SQLI_GET, "--data=%s" % self.DATA_POST]) def test_no_coloring(self): params = self.sqlmap.get_wrapper_params() self.assertIn('--disable-coloring', params) def test_always_batch(self): params = self.sqlmap.get_wrapper_params() self.assertIn('--batch', params) def test_use_proxy(self): params = self.sqlmap.get_wrapper_params() self.assertTrue( any(i.startswith('--proxy=http://127.0.0.1:') for i in params)) def test_enable_coloring(self): uri = URL(self.SQLI_GET) target = Target(uri) sqlmap = SQLMapWrapper(target, self.uri_opener, coloring=True) params = sqlmap.get_wrapper_params() self.assertNotIn('--disable-coloring', params) def test_dbs(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) cmd, process = self.sqlmap.dbs() output = process.stdout.read() self.assertIn('on SQLite it is not possible to enumerate databases', output) def test_tables(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) cmd, process = self.sqlmap.tables() output = process.stdout.read() self.assertIn('auth_group_permissions', output) self.assertIn('Database: SQLite_masterdb', output) self.assertIn('django_content_type', output) def test_users(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) cmd, process = self.sqlmap.users() output = process.stdout.read() self.assertIn('on SQLite it is not possible to enumerate the users', output) def test_dump(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) cmd, process = self.sqlmap.dump() output = process.stdout.read() self.assertIn('django_session', output) self.assertIn('auth_user_user_permissions', output) def test_sqlmap(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable, self.sqlmap.last_stdout) cmd, process = self.sqlmap.direct('--tables') output = process.stdout.read() self.assertIn('django_session', output) self.assertIn('auth_user_user_permissions', output) self.assertNotIn('COLUMN_PRIVILEGES', output)
def _verify_vuln(self, vuln_obj): """ This command verifies a vuln. This is really hard work! :P :return : True if vuln can be exploited. """ mutant = vuln_obj.get_mutant() if not isinstance(mutant, (QSMutant, PostDataMutant)): msg = ('The SQL injection vulnerability at %s can not be exploited' ' by w3af\'s sqlmap wrapper because it can only handle' ' query string and url-encoded post data parameters.') om.out.console(msg % (mutant.get_url(),)) return False orig_value = mutant.get_token().get_original_value() # When the original value of the parameter was empty, mostly when it # was an HTML form, sqlmap can't find the vulnerability (and w3af does) # so we're adding a '1' here just in case. parameter_values = {orig_value, '1'} for pvalue in parameter_values: mutant = copy.deepcopy(mutant) mutant.set_token_value(pvalue) self._sqlmap = None post_data = mutant.get_data() or None target = Target(mutant.get_uri(), post_data) try: sqlmap = SQLMapWrapper(target, self._uri_opener) except TypeError: issue_url = 'https://github.com/andresriancho/w3af/issues/6439' msg = ('w3af\'s sqlmap wrapper has some limitations, and you' ' just found one of them. For more information please' ' visit %s .') om.out.console(msg % issue_url) return False try: is_vuln = sqlmap.is_vulnerable() except: sqlmap.cleanup() if sqlmap.last_stdout is None or sqlmap.last_stderr is None: # Not sure when we get here return False taint_error = 'provided tainted parameter' if not (taint_error in sqlmap.last_stdout or taint_error in sqlmap.last_stderr): # Some error that we don't have a special handling for return False issue_url = 'https://github.com/andresriancho/w3af/issues/1989' msg = ('w3af\'s sqlmap wrapper has some limitations, and you' ' just found one of them. For more information please' ' visit %s and add the steps required to reproduce this' ' issue which will help us debug and fix it.') om.out.console(msg % issue_url) return False if is_vuln: self._sqlmap = sqlmap return True else: sqlmap.cleanup() return False
class TestSQLMapWrapper(unittest.TestCase): SQLI_GET = get_moth_http('/audit/sql_injection/' 'where_string_single_qs.py?uname=pablo') SSL_SQLI_GET = get_moth_https('/audit/sql_injection/' 'where_string_single_qs.py?uname=pablo') SQLI_POST = get_moth_http('/audit/sql_injection/where_integer_form.py') DATA_POST = 'text=1' def setUp(self): uri = URL(self.SQLI_GET) target = Target(uri) self.uri_opener = ExtendedUrllib() self.sqlmap = SQLMapWrapper(target, self.uri_opener, debug=True) def tearDown(self): self.uri_opener.end() self.sqlmap.cleanup() @classmethod def setUpClass(cls): output_dir = os.path.join(SQLMapWrapper.SQLMAP_LOCATION, 'output') if os.path.exists(output_dir): shutil.rmtree(output_dir) @classmethod def tearDownClass(cls): # Doing this in both setupclass and teardownclass in order to be sure # that a ctrl+c doesn't break it output_dir = os.path.join(SQLMapWrapper.SQLMAP_LOCATION, 'output') if os.path.exists(output_dir): shutil.rmtree(output_dir) def test_verify_vulnerability(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) def test_verify_vulnerability_ssl(self): uri = URL(self.SSL_SQLI_GET) target = Target(uri) self.uri_opener = ExtendedUrllib() self.sqlmap = SQLMapWrapper(target, self.uri_opener) vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable, self.sqlmap.last_stdout) def test_verify_vulnerability_false(self): not_vuln = get_moth_http('/audit/sql_injection/' 'where_string_single_qs.py?fake=pablo') uri = URL(not_vuln) target = Target(uri) self.sqlmap = SQLMapWrapper(target, self.uri_opener) vulnerable = self.sqlmap.is_vulnerable() self.assertFalse(vulnerable) def test_verify_vulnerability_POST(self): target = Target(URL(self.SQLI_POST), self.DATA_POST) self.sqlmap = SQLMapWrapper(target, self.uri_opener) vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable, self.sqlmap.last_stdout) def test_wrapper_invalid_url(self): self.assertRaises(TypeError, SQLMapWrapper, self.SQLI_GET, self.uri_opener) def test_stds(self): uri = URL(self.SQLI_GET) target = Target(uri) self.sqlmap = SQLMapWrapper(target, self.uri_opener) prms = ['--batch',] cmd, process = self.sqlmap.run_sqlmap_with_pipes(prms) self.assertIsInstance(process.stdout, file) self.assertIsInstance(process.stderr, file) self.assertIsInstance(process.stdin, file) self.assertIsInstance(cmd, basestring) self.assertIn('sqlmap.py', cmd) def test_target_basic(self): target = Target(URL(self.SQLI_GET)) params = target.to_params() self.assertEqual(params, ["--url=%s" % self.SQLI_GET]) def test_target_post_data(self): target = Target(URL(self.SQLI_GET), self.DATA_POST) params = target.to_params() self.assertEqual(params, ["--url=%s" % self.SQLI_GET, "--data=%s" % self.DATA_POST]) def test_no_coloring(self): params = self.sqlmap.get_wrapper_params() self.assertIn('--disable-coloring', params) def test_always_batch(self): params = self.sqlmap.get_wrapper_params() self.assertIn('--batch', params) def test_use_proxy(self): params = self.sqlmap.get_wrapper_params() self.assertTrue(any(i.startswith('--proxy=http://127.0.0.1:') for i in params)) def test_enable_coloring(self): uri = URL(self.SQLI_GET) target = Target(uri) sqlmap = SQLMapWrapper(target, self.uri_opener, coloring=True) params = sqlmap.get_wrapper_params() self.assertNotIn('--disable-coloring', params) def test_dbs(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) cmd, process = self.sqlmap.dbs() output = process.stdout.read() self.assertIn('on SQLite it is not possible to enumerate databases', output) def test_tables(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) cmd, process = self.sqlmap.tables() output = process.stdout.read() self.assertIn('auth_group_permissions', output) self.assertIn('Database: SQLite_masterdb', output) self.assertIn('django_content_type', output) def test_users(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) cmd, process = self.sqlmap.users() output = process.stdout.read() self.assertIn('on SQLite it is not possible to enumerate the users', output) def test_dump(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) cmd, process = self.sqlmap.dump() output = process.stdout.read() self.assertIn('django_session', output) self.assertIn('auth_user_user_permissions', output) def test_sqlmap(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) cmd, process = self.sqlmap.direct('--tables') output = process.stdout.read() self.assertIn('django_session', output) self.assertIn('auth_user_user_permissions', output) self.assertNotIn('information_schema', output) self.assertNotIn('COLUMN_PRIVILEGES', output)