def _generateShell( self, vuln_obj ):
'''
@parameter vuln_obj: The vuln to exploit, as it was saved in the kb or supplied by the user with set commands.
@return: A sql_webshell shell object if sql_webshell could fingerprint the database.
'''
bsql = blind_sqli_response_diff()
bsql.setEqualLimit( self._equalLimit )
bsql.setEquAlgorithm( self._equAlgorithm )
dbBuilder = dbDriverBuilder( self._urlOpener, bsql.equal )
driver = dbBuilder.getDriverForVuln( vuln_obj )
if driver is None:
return None
else:
# We have a driver, now, using this driver, we have to create the webshell in the
# target's webroot!
webshell_url = self._upload_webshell( driver, vuln_obj )
if webshell_url:
# Define the corresponding cut...
response = self._urlOpener.GET( webshell_url )
self._define_exact_cut( response.getBody(), shell_handler.SHELL_IDENTIFIER )
# Create the shell object
# Set shell parameters
shell_obj = sql_web_shell( vuln_obj )
shell_obj.setUrlOpener( self._urlOpener )
shell_obj.setWebShellURL( webshell_url )
shell_obj.set_cut( self._header_length, self._footer_length )
kb.kb.append( self, 'shell', shell_obj )
return shell_obj
else:
# Sad face :(
return None
def __init__(self):
baseAuditPlugin.__init__(self)
self._bsqli_response_diff = blind_sqli_response_diff()
self._blind_sqli_time_delay = blind_sqli_time_delay()
# User configured variables
self._equalLimit = 0.9
self._equAlgorithm = 'setIntersection'
def exploit(self, vulnToExploit=None):
"""
Exploits a [blind] sql injections vulns that was found and stored in the kb.
@return: True if the shell is working and the user can start calling specific_user_input
"""
if not self.canExploit():
return []
else:
vulns = kb.kb.getData("blindSqli", "blindSqli")
vulns.extend(kb.kb.getData("sqli", "sqli"))
bsql = blind_sqli_response_diff()
bsql.setUrlOpener(self._urlOpener)
bsql.setEqualLimit(self._equalLimit)
bsql.setEquAlgorithm(self._equAlgorithm)
tmp_vuln_list = []
for v in vulns:
# Filter the vuln that was selected by the user
if vulnToExploit is not None:
if vulnToExploit != v.getId():
continue
mutant = v.getMutant()
mutant.setModValue(mutant.getOriginalValue())
v.setMutant(mutant)
# The user didn't selected anything, or we are in the selected vuln!
om.out.debug('Verifying vulnerability in URL: "' + v.getURL() + '".')
vuln_obj = bsql.is_injectable(v.getMutant().getFuzzableReq(), v.getVar())
if vuln_obj:
tmp_vuln_list.append(vuln_obj)
# Ok, go to the next stage with the filtered vulnerabilities
vulns = tmp_vuln_list
if len(vulns) == 0:
om.out.debug("is_injectable failed for all vulnerabilities.")
return []
else:
for vuln_obj in vulns:
# Try to get a shell using all vuln
msg = "Trying to exploit using vulnerability with id: " + str(vuln_obj.getId())
msg += ". Please wait..."
om.out.console(msg)
shell_obj = self._generateShell(vuln_obj)
if shell_obj:
if self._generateOnlyOne:
# A shell was generated, I only need one point of exec.
return [shell_obj]
else:
# Keep adding all shells to the kb
pass
# FIXME: Am I really saving anything here ?!?!
return kb.kb.getData(self.getName(), "shell")
def exploit( self, vulnToExploit=None ):
'''
Exploits a [blind] sql injections vulns that was found and stored in the kb.
@return: True if the shell is working and the user can start calling specific_user_input
'''
if not self.canExploit():
return []
else:
vulns = list(kb.kb.getData( 'blindSqli' , 'blindSqli'))
vulns.extend(kb.kb.getData( 'sqli' , 'sqli' ))
bsql = blind_sqli_response_diff(self._uri_opener)
bsql.set_eq_limit( self._eq_limit )
tmp_vuln_list = []
for v in vulns:
# Filter the vuln that was selected by the user
if vulnToExploit is not None:
if vulnToExploit != v.getId():
continue
mutant = v.getMutant()
mutant.setModValue( mutant.getOriginalValue() )
v.setMutant( mutant )
# The user didn't selected anything, or we are in the selected vuln!
om.out.debug('Verifying vulnerability in URL: "' + v.getURL() + '".')
vuln_obj = bsql.is_injectable( v.getMutant() )
if vuln_obj:
tmp_vuln_list.append( vuln_obj )
# Ok, go to the next stage with the filtered vulnerabilities
vulns = tmp_vuln_list
if len(vulns) == 0:
om.out.debug('is_injectable failed for all vulnerabilities.')
return []
else:
for vuln_obj in vulns:
# Try to get a shell using all vuln
msg = 'Trying to exploit using vulnerability with id: ' + str( vuln_obj.getId() )
msg += '. Please wait...'
om.out.console( msg )
shell_obj = self._generateShell( vuln_obj )
if shell_obj:
if self._generateOnlyOne:
# A shell was generated, I only need one point of exec.
return [shell_obj, ]
else:
# Keep adding all shells to the kb
pass
return kb.kb.getData( self.getName(), 'shell' )
def fastExploit(self):
"""
Exploits a web app with [blind] sql injections vulns.
The options are configured using the plugin options and setOptions() method.
"""
om.out.debug("Starting sqlmap fastExploit.")
om.out.console(SQLMAPCREATORS)
if self._url is None or self._method is None or self._data is None or self._injvar is None:
raise w3afException("You have to configure the plugin parameters")
else:
freq = None
if self._method == "POST":
freq = httpPostDataRequest.httpPostDataRequest()
elif self._method == "GET":
freq = httpQsRequest.httpQsRequest()
else:
raise w3afException("Method not supported.")
freq.setURL(self._url)
freq.setDc(urlParser.getQueryString("http://a/a.txt?" + self._data))
freq.setHeaders({})
bsql = blind_sqli_response_diff()
bsql.setUrlOpener(self._urlOpener)
bsql.setEqualLimit(self._equalLimit)
bsql.setEquAlgorithm(self._equAlgorithm)
vuln_obj = bsql.is_injectable(freq, self._injvar)
if not vuln_obj:
raise w3afException("Could not verify SQL injection " + str(vuln))
else:
om.out.console("SQL injection could be verified, trying to create the DB driver.")
# Try to get a shell using all vuln
msg = "Trying to exploit using vulnerability with id: " + str(vuln_obj.getId())
msg += ". Please wait..."
om.out.console(msg)
shell_obj = self._generateShell(vuln_obj)
if shell_obj is not None:
kb.kb.append(self, "shell", shell_obj)
return [shell_obj]
raise w3afException("No exploitable vulnerabilities found.")
def fastExploit( self ):
'''
Exploits a web app with [blind] sql injections vulns.
The options are configured using the plugin options and setOptions() method.
'''
om.out.debug( 'Starting sqlmap fastExploit.' )
om.out.console( SQLMAPCREATORS )
if self._url is None or self._method is None or self._data is None or self._injvar is None:
raise w3afException('You have to configure the plugin parameters')
else:
freq = None
if self._method == 'POST':
freq = httpPostDataRequest.httpPostDataRequest()
elif self._method == 'GET':
freq = httpQsRequest.httpQsRequest()
else:
raise w3afException('Method not supported.')
freq.setURL( self._url )
freq.setDc( parse_qs( self._data ) )
freq.setHeaders( {} )
bsql = blind_sqli_response_diff()
bsql.setUrlOpener( self._urlOpener )
bsql.setEqualLimit( self._equalLimit )
bsql.setEquAlgorithm( self._equAlgorithm )
vuln_obj = bsql.is_injectable( freq, self._injvar )
if not vuln_obj:
raise w3afException('Could not verify SQL injection ' + str(vuln) )
else:
om.out.console('SQL injection could be verified, trying to create the DB driver.')
# Try to get a shell using all vuln
msg = 'Trying to exploit using vulnerability with id: ' + str( vuln_obj.getId() )
msg += '. Please wait...'
om.out.console( msg )
shell_obj = self._generateShell( vuln_obj )
if shell_obj is not None:
kb.kb.append( self, 'shell', shell_obj )
return [shell_obj, ]
raise w3afException('No exploitable vulnerabilities found.')
def audit(self, freq):
'''
Tests an URL for blind SQL injection vulnerabilities.
@param freq: A fuzzableRequest
'''
om.out.debug('blindSqli plugin is testing: ' + freq.getURL())
#
# Setup blind SQL injection detector objects
#
self._bsqli_response_diff = blind_sqli_response_diff(self._uri_opener)
bsqli_resp_diff = self._bsqli_response_diff
bsqli_resp_diff.set_eq_limit(self._eq_limit)
self._blind_sqli_time_delay = blind_sqli_time_delay(self._uri_opener)
bsqli_time_delay = self._blind_sqli_time_delay
method_list = [bsqli_resp_diff, bsqli_time_delay]
#
# Use the objects to identify the vulnerabilities
#
fake_mutants = createMutants(freq, ['',])
for mutant in fake_mutants:
if self._has_sql_injection( mutant ):
#
# If sqli.py was enabled and already detected a vulnerability
# in this parameter, then it makes no sense to test it again
# and report a duplicate to the user
#
continue
for method in method_list:
found_vuln = method.is_injectable( mutant )
if found_vuln is not None and \
self._has_no_bug(freq, varname=found_vuln.getVar()):
om.out.vulnerability(found_vuln.getDesc())
kb.kb.append(self, 'blindSqli', found_vuln)
break
def _generateShell(self, vuln_obj):
"""
@parameter vuln_obj: The vuln to exploit, as it was saved in the kb or supplied by the user with set commands.
@return: A sqlmap shell object if sqlmap could fingerprint the database.
"""
bsql = blind_sqli_response_diff()
bsql.setEqualLimit(self._equalLimit)
bsql.setEquAlgorithm(self._equAlgorithm)
dbBuilder = dbDriverBuilder(self._urlOpener, bsql.equal)
driver = dbBuilder.getDriverForVuln(vuln_obj)
if driver is None:
return None
else:
# Create the shell object
shell_obj = sqlShellObj(vuln_obj)
shell_obj.setGoodSamaritan(self._goodSamaritan)
shell_obj.setDriver(driver)
kb.kb.append(self, "shells", shell_obj)
return shell_obj
def fastExploit( self ):
'''
Exploits a web app with [blind] sql injections vulns.
The options are configured using the plugin options and setOptions() method.
'''
om.out.debug( 'Starting sql_webshell fastExploit.' )
if any(
lambda attr: attr is None,
(self._url, self._method, self._data, self._injvar)
):
raise w3afException('You have to configure the plugin parameters')
else:
if self._method == 'POST':
freq = httpPostDataRequest(self._url)
elif self._method == 'GET':
freq = HTTPQSRequest(self._url)
else:
raise w3afException('Method not supported.')
freq.setDc(parse_qs(self._data))
bsql = blind_sqli_response_diff(self._uri_opener)
bsql.set_eq_limit(self._eq_limit)
fake_mutants = createMutants(freq, [''], fuzzableParamList=[self._injvar,])
for mutant in fake_mutants:
vuln_obj = bsql.is_injectable(mutant)
if vuln_obj is not None:
om.out.console('SQL injection verified, trying to create the DB driver.')
# Try to get a shell using all vuln
msg = 'Trying to exploit using vulnerability with id: ' + str(vuln_obj.getId())
msg += '. Please wait...'
om.out.console(msg)
shell_obj = self._generateShell(vuln_obj)
if shell_obj is not None:
kb.kb.append(self, 'shell', shell_obj)
return [shell_obj, ]
else:
raise w3afException('No exploitable vulnerabilities found.')
def audit(self, freq, orig_response):
'''
Tests an URL for blind SQL injection vulnerabilities.
:param freq: A FuzzableRequest
'''
#
# Setup blind SQL injection detector objects
#
bsqli_resp_diff = blind_sqli_response_diff(self._uri_opener)
bsqli_resp_diff.set_eq_limit(self._eq_limit)
bsqli_time_delay = blind_sqli_time_delay(self._uri_opener)
method_list = [bsqli_resp_diff, bsqli_time_delay]
#
# Use the objects to identify the vulnerabilities
#
fake_mutants = create_mutants(freq, [
'',
])
for mutant in fake_mutants:
if self._has_sql_injection(mutant):
#
# If sqli.py was enabled and already detected a vulnerability
# in this parameter, then it makes no sense to test it again
# and report a duplicate to the user
#
continue
for method in method_list:
found_vuln = method.is_injectable(mutant)
if found_vuln is not None:
self.kb_append_uniq(self, 'blind_sqli', found_vuln)
break
def audit(self, freq, orig_response):
'''
Tests an URL for blind SQL injection vulnerabilities.
:param freq: A FuzzableRequest
'''
#
# Setup blind SQL injection detector objects
#
bsqli_resp_diff = blind_sqli_response_diff(self._uri_opener)
bsqli_resp_diff.set_eq_limit(self._eq_limit)
bsqli_time_delay = blind_sqli_time_delay(self._uri_opener)
method_list = [bsqli_resp_diff, bsqli_time_delay]
#
# Use the objects to identify the vulnerabilities
#
fake_mutants = create_mutants(freq, ['', ])
for mutant in fake_mutants:
if self._has_sql_injection(mutant):
#
# If sqli.py was enabled and already detected a vulnerability
# in this parameter, then it makes no sense to test it again
# and report a duplicate to the user
#
continue
for method in method_list:
found_vuln = method.is_injectable(mutant)
if found_vuln is not None:
self.kb_append_uniq(self, 'blind_sqli', found_vuln)
break
