def unescape(expression, quote=True):
"""
Note: PostgreSQL has a general problem with concenation operator (||) precedence (hence the parentheses enclosing)
e.g. SELECT 1 WHERE 'a'!='a'||'b' will trigger error ("argument of WHERE must be type boolean, not type text")
"""
if quote:
while True:
index = expression.find("'")
if index == -1:
break
firstIndex = index + 1
index = expression[firstIndex:].find("'")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ' in '%s'" %
expression)
lastIndex = firstIndex + index
old = "'%s'" % expression[firstIndex:lastIndex]
unescaped = "(%s)" % "||".join(
"CHR(%d)" % (ord(expression[i]))
for i in xrange(firstIndex, lastIndex)
) # Postgres CHR() function already accepts Unicode code point of character(s)
expression = expression.replace(old, unescaped)
else:
expression = "(%s)" % "||".join("CHR(%d)" % ord(c)
for c in expression)
return expression
def unescape(expression, quote=True):
if quote:
while True:
index = expression.find("'")
if index == -1:
break
firstIndex = index + 1
index = expression[firstIndex:].find("'")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ' in '%s'" %
expression)
lastIndex = firstIndex + index
old = "'%s'" % expression[firstIndex:lastIndex]
unescaped = "+".join(
"%s(%d)" %
("CHAR" if ord(expression[i]) < 256 else "NCHAR",
ord(expression[i]))
for i in xrange(firstIndex, lastIndex))
expression = expression.replace(old, unescaped)
else:
expression = "+".join("CHAR(%d)" % ord(c) for c in expression)
return expression
def escape(expression):
while True:
index = expression.find("CHAR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find(")")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" %
expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.lstrip("CHAR(").rstrip(")")
oldUpper = oldUpper.split(",")
escaped = "'%s'" % "".join(chr(int(char)) for char in oldUpper)
expression = expression.replace(old, escaped)
original = expression
for item in re.findall(r"0x[0-9a-fA-F]+", original, re.S):
expression = expression.replace(
item, "'%s'" % binascii.unhexlify(item[2:]))
return expression
def configFileProxy(section, option, datatype):
"""
Parse configuration file and save settings into the configuration
advanced dictionary.
"""
global config
if config.has_option(section, option):
try:
if datatype == OPTION_TYPE.BOOLEAN:
value = config.getboolean(section, option) if config.get(
section, option) else False
elif datatype == OPTION_TYPE.INTEGER:
value = config.getint(section, option) if config.get(
section, option) else 0
elif datatype == OPTION_TYPE.FLOAT:
value = config.getfloat(section, option) if config.get(
section, option) else 0.0
else:
value = config.get(section, option)
except ValueError, ex:
errMsg = "error occurred while processing the option "
errMsg += "'%s' in provided configuration file ('%s')" % (
option, getUnicode(ex))
raise SqlmapSyntaxException(errMsg)
if value:
conf[option] = value
else:
conf[option] = None
def unescape(expression, quote=True):
if isDBMSVersionAtLeast('2.1'):
if quote:
while True:
index = expression.find("'")
if index == -1:
break
firstIndex = index + 1
index = expression[firstIndex:].find("'")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ' in '%s'" %
expression)
lastIndex = firstIndex + index
old = "'%s'" % expression[firstIndex:lastIndex]
unescaped = ""
for i in xrange(firstIndex, lastIndex):
unescaped += "ASCII_CHAR(%d)" % (ord(expression[i]))
if i < lastIndex - 1:
unescaped += "||"
expression = expression.replace(old, unescaped)
else:
unescaped = "".join("ASCII_CHAR(%d)||" % ord(c)
for c in expression)
if unescaped[-1] == "||":
unescaped = unescaped[:-1]
expression = unescaped
return expression
def configFileProxy(section, option, datatype):
"""
Parse configuration file and save settings into the configuration
advanced dictionary.
"""
if config.has_option(section, option):
try:
if datatype == OPTION_TYPE.BOOLEAN:
value = config.getboolean(section, option) if config.get(
section, option) else False
elif datatype == OPTION_TYPE.INTEGER:
value = config.getint(section, option) if config.get(
section, option) else 0
elif datatype == OPTION_TYPE.FLOAT:
value = config.getfloat(section, option) if config.get(
section, option) else 0.0
else:
value = config.get(section, option)
except ValueError as ex:
errMsg = "error occurred while processing the option "
errMsg += "'%s' in provided configuration file ('%s')" % (
option, getUnicode(ex))
raise SqlmapSyntaxException(errMsg)
if value:
conf[option] = value
else:
conf[option] = None
else:
debugMsg = "missing requested option '%s' (section " % option
debugMsg += "'%s') into the configuration file, " % section
debugMsg += "ignoring. Skipping to next."
logger.debug(debugMsg)
def escape(expression):
# Example on SQLite 3, not supported on SQLite 2:
# select X'48'||X'656c6c6f20576f726c6400'; -- Hello World
while True:
index = expression.find("X'")
if index == -1:
break
firstIndex = index
index = expression[firstIndex + 2:].find("'")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ' in '%s'" % expression)
lastIndex = firstIndex + index + 3
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.replace("X'", "").replace("'", "")
for i in xrange(len(oldUpper) / 2):
char = oldUpper[i * 2:i * 2 + 2]
escaped = "'%s'" % chr(int(char, 16))
expression = expression.replace(old, escaped)
return expression
def configFileProxy(section, option, boolean=False, integer=False):
"""
Parse configuration file and save settings into the configuration
advanced dictionary.
"""
global config
if config.has_option(section, option):
try:
if boolean:
value = config.getboolean(section, option) if config.get(section, option) else False
elif integer:
value = config.getint(section, option) if config.get(section, option) else 0
else:
value = config.get(section, option)
except ValueError, ex:
errMsg = "error occurred while processing the option "
errMsg += "'%s' in provided configuration file ('%s')" % (option, str(ex))
raise SqlmapSyntaxException(errMsg)
if value:
conf[option] = value
else:
conf[option] = None
def escape(expression):
logMsg = "escaping %s" % expression
logger.info(logMsg)
while True:
index = expression.find("CHR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find(")")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" %
expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.lstrip("CHR(").rstrip(")")
oldUpper = oldUpper.split("||")
escaped = "'%s'" % "".join(chr(int(char)) for char in oldUpper)
expression = expression.replace(old, escaped)
return expression
def _configUnionCols(columns):
if not isinstance(columns, six.string_types):
return
columns = columns.replace(" ", "")
if "-" in columns:
colsStart, colsStop = columns.split("-")
else:
colsStart, colsStop = columns, columns
if not colsStart.isdigit() or not colsStop.isdigit():
raise SqlmapSyntaxException("--union-cols must be a range of integers")
conf.uColsStart, conf.uColsStop = int(colsStart), int(colsStop)
if conf.uColsStart > conf.uColsStop:
errMsg = "--union-cols range has to be from lower to "
errMsg += "higher number of columns"
raise SqlmapSyntaxException(errMsg)
def configFileParser(configFile):
"""
Parse configuration file and save settings into the configuration
advanced dictionary.
"""
global config
debugMsg = "parsing configuration file"
logger.debug(debugMsg)
checkFile(configFile)
configFP = codecs.open(configFile, "rb", UNICODE_ENCODING)
try:
config = UnicodeRawConfigParser()
config.readfp(configFP)
except MissingSectionHeaderError:
errMsg = "you have provided an invalid configuration file"
raise SqlmapSyntaxException(errMsg)
if not config.has_section("Target"):
errMsg = "missing a mandatory section 'Target' in the configuration file"
raise SqlmapMissingMandatoryOptionException(errMsg)
condition = not config.has_option("Target", "url")
condition &= not config.has_option("Target", "logFile")
condition &= not config.has_option("Target", "bulkFile")
condition &= not config.has_option("Target", "googleDork")
condition &= not config.has_option("Target", "requestFile")
condition &= not config.has_option("Target", "wizard")
if condition:
errMsg = "missing a mandatory option in the configuration file "
errMsg += "(url, logFile, bulkFile, googleDork, requestFile or wizard)"
raise SqlmapMissingMandatoryOptionException(errMsg)
for family, optionData in optDict.items():
for option, datatype in optionData.items():
datatype = unArrayizeValue(datatype)
boolean = datatype == "boolean"
integer = datatype == "integer"
configFileProxy(family, option, boolean, integer)
def configFileParser(configFile):
"""
Parse configuration file and save settings into the configuration
advanced dictionary.
"""
global config
debugMsg = "parsing configuration file"
logger.debug(debugMsg)
checkFile(configFile)
configFP = openFile(configFile, "rb")
try:
config = UnicodeRawConfigParser()
config.readfp(configFP)
except Exception as ex:
errMsg = "you have provided an invalid and/or unreadable configuration file ('%s')" % getSafeExString(
ex)
raise SqlmapSyntaxException(errMsg)
if not config.has_section("Target"):
errMsg = "missing a mandatory section 'Target' in the configuration file"
raise SqlmapMissingMandatoryOptionException(errMsg)
mandatory = False
for option in ("direct", "url", "logFile", "bulkFile", "googleDork",
"requestFile", "sitemapUrl", "wizard"):
if config.has_option("Target", option) and config.get(
"Target", option) or cmdLineOptions.get(option):
mandatory = True
break
if not mandatory:
errMsg = "missing a mandatory option in the configuration file "
errMsg += "(direct, url, logFile, bulkFile, googleDork, requestFile, sitemapUrl or wizard)"
raise SqlmapMissingMandatoryOptionException(errMsg)
for family, optionData in list(optDict.items()):
for option, datatype in list(optionData.items()):
datatype = unArrayizeValue(datatype)
configFileProxy(family, option, datatype)
def configFileParser(configFile):
"""
Parse configuration file and save settings into the configuration
advanced dictionary.
"""
global config
debugMsg = "parsing configuration file"
logger.debug(debugMsg)
checkFile(configFile)
configFP = codecs.open(configFile, "rb", UNICODE_ENCODING)
try:
config = UnicodeRawConfigParser()
config.readfp(configFP)
except (MissingSectionHeaderError, ParsingError), ex:
errMsg = "you have provided an invalid configuration file ('%s')" % str(ex)
raise SqlmapSyntaxException(errMsg)
def configFileParser(configFile):
"""
Parse configuration file and save settings into the configuration
advanced dictionary.
"""
global config
debugMsg = "parsing configuration file"
logger.debug(debugMsg)
checkFile(configFile)
configFP = openFile(configFile, "rb")
try:
config = UnicodeRawConfigParser()
config.readfp(configFP)
except Exception, ex:
errMsg = "you have provided an invalid and/or unreadable configuration file ('%s')" % ex.message
raise SqlmapSyntaxException(errMsg)
def parseSitemap(url, retVal=None):
global abortedFlag
if retVal is not None:
logger.debug("parsing sitemap '%s'" % url)
try:
if retVal is None:
abortedFlag = False
retVal = OrderedSet()
try:
content = Request.getPage(
url=url, raise404=True)[0] if not abortedFlag else ""
except _http_client.InvalidURL:
errMsg = "invalid URL given for sitemap ('%s')" % url
raise SqlmapSyntaxException(errMsg)
for match in re.finditer(r"<loc>\s*([^<]+)", content or ""):
if abortedFlag:
break
url = match.group(1).strip()
if url.endswith(".xml") and "sitemap" in url.lower():
if kb.followSitemapRecursion is None:
message = "sitemap recursion detected. Do you want to follow? [y/N] "
kb.followSitemapRecursion = readInput(message,
default='N',
boolean=True)
if kb.followSitemapRecursion:
parseSitemap(url, retVal)
else:
retVal.add(url)
except KeyboardInterrupt:
abortedFlag = True
warnMsg = "user aborted during sitemap parsing. sqlmap "
warnMsg += "will use partial list"
logger.warn(warnMsg)
return retVal
def escape(expression):
while True:
index = expression.find("CHAR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find(")")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" %
expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.replace("CHAR(", "").replace(")", "")
escaped = "'%s'" % chr(int(oldUpper))
expression = expression.replace(old, escaped)
expression = expression.replace("'+'", "")
return expression
def escape(expression):
while True:
index = expression.find("ASCII_CHAR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find(")")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" %
expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.lstrip("ASCII_CHAR(").rstrip(")")
oldUpper = oldUpper.split("||")
escaped = "'%s'" % "".join(chr(int(char)) for char in oldUpper)
expression = expression.replace(old, escaped).replace("'||'", "")
return expression
def _setRequestParams():
"""
Check and set the parameters and perform checks on 'data' option for
HTTP method POST.
"""
if conf.direct:
conf.parameters[None] = "direct connection"
return
testableParameters = False
# Perform checks on GET parameters
if conf.parameters.get(PLACE.GET):
parameters = conf.parameters[PLACE.GET]
paramDict = paramToDict(PLACE.GET, parameters)
if paramDict:
conf.paramDict[PLACE.GET] = paramDict
testableParameters = True
# Perform checks on POST parameters
if conf.method == HTTPMETHOD.POST and conf.data is None:
errMsg = "HTTP POST method depends on HTTP data value to be posted"
raise SqlmapSyntaxException(errMsg)
if conf.data is not None:
conf.method = HTTPMETHOD.POST
if CUSTOM_INJECTION_MARK_CHAR in conf.data: # later processed
pass
elif re.search(JSON_RECOGNITION_REGEX, conf.data):
message = "JSON like data found in POST data. "
message += "Do you want to process it? [Y/n/q] "
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException
elif test[0] not in ("n", "N"):
conf.data = re.sub(r'("[^"]+"\s*:\s*"[^"]+)"', r'\g<1>%s"' % CUSTOM_INJECTION_MARK_CHAR, conf.data)
conf.data = re.sub(r'("[^"]+"\s*:\s*)(-?\d[\d\.]*\b)', r'\g<0>%s' % CUSTOM_INJECTION_MARK_CHAR, conf.data)
kb.postHint = POST_HINT.JSON
elif re.search(SOAP_RECOGNITION_REGEX, conf.data):
message = "SOAP/XML like data found in POST data. "
message += "Do you want to process it? [Y/n/q] "
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException
elif test[0] not in ("n", "N"):
conf.data = re.sub(r"(<([^>]+)( [^<]*)?>)([^<]+)(</\2)", r"\g<1>\g<4>%s\g<5>" % CUSTOM_INJECTION_MARK_CHAR, conf.data)
kb.postHint = POST_HINT.SOAP if "soap" in conf.data.lower() else POST_HINT.XML
elif re.search(MULTIPART_RECOGNITION_REGEX, conf.data):
message = "Multipart like data found in POST data. "
message += "Do you want to process it? [Y/n/q] "
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException
elif test[0] not in ("n", "N"):
conf.data = re.sub(r"(?si)(Content-Disposition.+?)((\r)?\n--)", r"\g<1>%s\g<2>" % CUSTOM_INJECTION_MARK_CHAR, conf.data)
kb.postHint = POST_HINT.MULTIPART
else:
place = PLACE.POST
conf.parameters[place] = conf.data
paramDict = paramToDict(place, conf.data)
if paramDict:
conf.paramDict[place] = paramDict
testableParameters = True
kb.processUserMarks = True if kb.postHint else kb.processUserMarks
if re.search(URI_INJECTABLE_REGEX, conf.url, re.I) and not any(place in conf.parameters for place in (PLACE.GET, PLACE.POST)):
warnMsg = "you've provided target url without any GET "
warnMsg += "parameters (e.g. www.site.com/article.php?id=1) "
warnMsg += "and without providing any POST parameters "
warnMsg += "through --data option"
logger.warn(warnMsg)
message = "do you want to try URI injections "
message += "in the target url itself? [Y/n/q] "
test = readInput(message, default="Y")
if not test or test[0] not in ("n", "N"):
conf.url = "%s%s" % (conf.url, CUSTOM_INJECTION_MARK_CHAR)
kb.processUserMarks = True
elif test[0] in ("q", "Q"):
raise SqlmapUserQuitException
for place, value in ((PLACE.URI, conf.url), (PLACE.CUSTOM_POST, conf.data), (PLACE.CUSTOM_HEADER, re.sub(r"\bq=[^;']+", "", str(conf.httpHeaders)))):
if CUSTOM_INJECTION_MARK_CHAR in (value or ""):
if kb.processUserMarks is None:
_ = {PLACE.URI: '-u', PLACE.CUSTOM_POST: '--data', PLACE.CUSTOM_HEADER: '--headers/--user-agent/--referer'}
message = "custom injection marking character ('%s') found in option " % CUSTOM_INJECTION_MARK_CHAR
message += "'%s'. Do you want to process it? [Y/n/q] " % _[place]
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException
else:
kb.processUserMarks = not test or test[0] not in ("n", "N")
if not kb.processUserMarks:
if place == PLACE.URI:
query = urlparse.urlsplit(value).query
if query:
parameters = conf.parameters[PLACE.GET] = query
paramDict = paramToDict(PLACE.GET, parameters)
if paramDict:
conf.url = conf.url.split('?')[0]
conf.paramDict[PLACE.GET] = paramDict
testableParameters = True
else:
conf.parameters[place] = value
conf.paramDict[place] = OrderedDict()
if place == PLACE.CUSTOM_HEADER:
for index in xrange(len(conf.httpHeaders)):
header, value = conf.httpHeaders[index]
if CUSTOM_INJECTION_MARK_CHAR in re.sub(r"\bq=[^;']+", "", value):
conf.paramDict[place][header] = "%s,%s" % (header, value)
conf.httpHeaders[index] = (header, value.replace(CUSTOM_INJECTION_MARK_CHAR, ""))
else:
parts = value.split(CUSTOM_INJECTION_MARK_CHAR)
for i in xrange(len(parts) - 1):
conf.paramDict[place]["%s#%d%s" % (("%s " % kb.postHint) if kb.postHint else "", i + 1, CUSTOM_INJECTION_MARK_CHAR)] = "".join("%s%s" % (parts[j], CUSTOM_INJECTION_MARK_CHAR if i == j else "") for j in xrange(len(parts)))
if place == PLACE.URI and PLACE.GET in conf.paramDict:
del conf.paramDict[PLACE.GET]
elif place == PLACE.CUSTOM_POST and PLACE.POST in conf.paramDict:
del conf.paramDict[PLACE.POST]
testableParameters = True
if kb.processUserMarks:
conf.url = conf.url.replace(CUSTOM_INJECTION_MARK_CHAR, "")
conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, "") if conf.data else conf.data
# Perform checks on Cookie parameters
if conf.cookie:
conf.parameters[PLACE.COOKIE] = conf.cookie
paramDict = paramToDict(PLACE.COOKIE, conf.cookie)
if paramDict:
conf.paramDict[PLACE.COOKIE] = paramDict
testableParameters = True
# Perform checks on header values
if conf.httpHeaders:
for httpHeader, headerValue in conf.httpHeaders:
# Url encoding of the header values should be avoided
# Reference: http://stackoverflow.com/questions/5085904/is-ok-to-urlencode-the-value-in-headerlocation-value
httpHeader = httpHeader.title()
if httpHeader == HTTPHEADER.USER_AGENT:
conf.parameters[PLACE.USER_AGENT] = urldecode(headerValue)
condition = any((not conf.testParameter, intersect(conf.testParameter, USER_AGENT_ALIASES)))
if condition:
conf.paramDict[PLACE.USER_AGENT] = {PLACE.USER_AGENT: headerValue}
testableParameters = True
elif httpHeader == HTTPHEADER.REFERER:
conf.parameters[PLACE.REFERER] = urldecode(headerValue)
condition = any((not conf.testParameter, intersect(conf.testParameter, REFERER_ALIASES)))
if condition:
conf.paramDict[PLACE.REFERER] = {PLACE.REFERER: headerValue}
testableParameters = True
elif httpHeader == HTTPHEADER.HOST:
conf.parameters[PLACE.HOST] = urldecode(headerValue)
condition = any((not conf.testParameter, intersect(conf.testParameter, HOST_ALIASES)))
if condition:
conf.paramDict[PLACE.HOST] = {PLACE.HOST: headerValue}
testableParameters = True
if not conf.parameters:
errMsg = "you did not provide any GET, POST and Cookie "
errMsg += "parameter, neither an User-Agent, Referer or Host header value"
raise SqlmapGenericException(errMsg)
elif not testableParameters:
errMsg = "all testable parameters you provided are not present "
errMsg += "within the GET, POST and Cookie parameters"
raise SqlmapGenericException(errMsg)
def _setRequestParams():
"""
Check and set the parameters and perform checks on 'data' option for
HTTP method POST.
"""
if conf.direct:
conf.parameters[None] = "direct connection"
return
testableParameters = False
# Perform checks on GET parameters
if conf.parameters.get(PLACE.GET):
parameters = conf.parameters[PLACE.GET]
paramDict = paramToDict(PLACE.GET, parameters)
if paramDict:
conf.paramDict[PLACE.GET] = paramDict
testableParameters = True
# Perform checks on POST parameters
if conf.method == HTTPMETHOD.POST and conf.data is None:
errMsg = "HTTP POST method depends on HTTP data value to be posted"
raise SqlmapSyntaxException(errMsg)
if conf.data is not None:
conf.method = HTTPMETHOD.POST if not conf.method or conf.method == HTTPMETHOD.GET else conf.method
def process(match, repl):
retVal = match.group(0)
if not (conf.testParameter
and match.group("name") not in conf.testParameter):
retVal = repl
while True:
_ = re.search(r"\\g<([^>]+)>", retVal)
if _:
retVal = retVal.replace(
_.group(0),
match.group(
int(_.group(1)) if _.group(1).isdigit() else _.
group(1)))
else:
break
return retVal
if kb.processUserMarks is None and CUSTOM_INJECTION_MARK_CHAR in conf.data:
message = "custom injection marking character ('%s') found in option " % CUSTOM_INJECTION_MARK_CHAR
message += "'--data'. Do you want to process it? [Y/n/q] "
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException
else:
kb.processUserMarks = not test or test[0] not in ("n", "N")
if not (kb.processUserMarks
and CUSTOM_INJECTION_MARK_CHAR in conf.data):
if re.search(JSON_RECOGNITION_REGEX, conf.data):
message = "JSON data found in %s data. " % conf.method
message += "Do you want to process it? [Y/n/q] "
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException
elif test[0] not in ("n", "N"):
conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR,
ASTERISK_MARKER)
conf.data = re.sub(
r'("(?P<name>[^"]+)"\s*:\s*"[^"]+)"',
functools.partial(process,
repl=r'\g<1>%s"' %
CUSTOM_INJECTION_MARK_CHAR),
conf.data)
conf.data = re.sub(
r'("(?P<name>[^"]+)"\s*:\s*)(-?\d[\d\.]*\b)',
functools.partial(process,
repl=r'\g<0>%s' %
CUSTOM_INJECTION_MARK_CHAR),
conf.data)
kb.postHint = POST_HINT.JSON
elif re.search(JSON_LIKE_RECOGNITION_REGEX, conf.data):
message = "JSON-like data found in %s data. " % conf.method
message += "Do you want to process it? [Y/n/q] "
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException
elif test[0] not in ("n", "N"):
conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR,
ASTERISK_MARKER)
conf.data = re.sub(
r"('(?P<name>[^']+)'\s*:\s*'[^']+)'",
functools.partial(process,
repl=r"\g<1>%s'" %
CUSTOM_INJECTION_MARK_CHAR),
conf.data)
conf.data = re.sub(
r"('(?P<name>[^']+)'\s*:\s*)(-?\d[\d\.]*\b)",
functools.partial(process,
repl=r"\g<0>%s" %
CUSTOM_INJECTION_MARK_CHAR),
conf.data)
kb.postHint = POST_HINT.JSON_LIKE
elif re.search(SOAP_RECOGNITION_REGEX, conf.data):
message = "SOAP/XML data found in %s data. " % conf.method
message += "Do you want to process it? [Y/n/q] "
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException
elif test[0] not in ("n", "N"):
conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR,
ASTERISK_MARKER)
conf.data = re.sub(
r"(<(?P<name>[^>]+)( [^<]*)?>)([^<]+)(</\2)",
functools.partial(process,
repl=r"\g<1>\g<4>%s\g<5>" %
CUSTOM_INJECTION_MARK_CHAR),
conf.data)
kb.postHint = POST_HINT.SOAP if "soap" in conf.data.lower(
) else POST_HINT.XML
elif re.search(MULTIPART_RECOGNITION_REGEX, conf.data):
message = "Multipart like data found in %s data. " % conf.method
message += "Do you want to process it? [Y/n/q] "
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException
elif test[0] not in ("n", "N"):
conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR,
ASTERISK_MARKER)
conf.data = re.sub(
r"(?si)((Content-Disposition[^\n]+?name\s*=\s*[\"'](?P<name>[^\n]+?)[\"']).+?)(((\r)?\n)+--)",
functools.partial(process,
repl=r"\g<1>%s\g<4>" %
CUSTOM_INJECTION_MARK_CHAR),
conf.data)
kb.postHint = POST_HINT.MULTIPART
if not kb.postHint:
if CUSTOM_INJECTION_MARK_CHAR in conf.data: # later processed
pass
else:
place = PLACE.POST
conf.parameters[place] = conf.data
paramDict = paramToDict(place, conf.data)
if paramDict:
conf.paramDict[place] = paramDict
testableParameters = True
else:
if CUSTOM_INJECTION_MARK_CHAR not in conf.data: # in case that no usable parameter values has been found
conf.parameters[PLACE.POST] = conf.data
kb.processUserMarks = True if (kb.postHint and CUSTOM_INJECTION_MARK_CHAR
in conf.data) else kb.processUserMarks
if re.search(URI_INJECTABLE_REGEX, conf.url, re.I) and not any(
place in conf.parameters for place in (PLACE.GET, PLACE.POST)
) and not kb.postHint and not CUSTOM_INJECTION_MARK_CHAR in (conf.data
or ""):
warnMsg = "you've provided target URL without any GET "
warnMsg += "parameters (e.g. www.site.com/article.php?id=1) "
warnMsg += "and without providing any POST parameters "
warnMsg += "through --data option"
logger.warn(warnMsg)
message = "do you want to try URI injections "
message += "in the target URL itself? [Y/n/q] "
test = readInput(message, default="Y")
if not test or test[0] not in ("n", "N"):
conf.url = "%s%s" % (conf.url, CUSTOM_INJECTION_MARK_CHAR)
kb.processUserMarks = True
elif test[0] in ("q", "Q"):
raise SqlmapUserQuitException
for place, value in ((PLACE.URI, conf.url), (PLACE.CUSTOM_POST, conf.data),
(PLACE.CUSTOM_HEADER, str(conf.httpHeaders))):
_ = re.sub(PROBLEMATIC_CUSTOM_INJECTION_PATTERNS, "", value
or "") if place == PLACE.CUSTOM_HEADER else value or ""
if CUSTOM_INJECTION_MARK_CHAR in _:
if kb.processUserMarks is None:
lut = {
PLACE.URI:
'-u',
PLACE.CUSTOM_POST:
'--data',
PLACE.CUSTOM_HEADER:
'--headers/--user-agent/--referer/--cookie'
}
message = "custom injection marking character ('%s') found in option " % CUSTOM_INJECTION_MARK_CHAR
message += "'%s'. Do you want to process it? [Y/n/q] " % lut[
place]
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException
else:
kb.processUserMarks = not test or test[0] not in ("n", "N")
if not kb.processUserMarks:
if place == PLACE.URI:
query = urlparse.urlsplit(value).query
if query:
parameters = conf.parameters[PLACE.GET] = query
paramDict = paramToDict(PLACE.GET, parameters)
if paramDict:
conf.url = conf.url.split('?')[0]
conf.paramDict[PLACE.GET] = paramDict
testableParameters = True
elif place == PLACE.CUSTOM_POST:
conf.parameters[PLACE.POST] = conf.data
paramDict = paramToDict(PLACE.POST, conf.data)
if paramDict:
conf.paramDict[PLACE.POST] = paramDict
testableParameters = True
else:
conf.parameters[place] = value
conf.paramDict[place] = OrderedDict()
if place == PLACE.CUSTOM_HEADER:
for index in xrange(len(conf.httpHeaders)):
header, value = conf.httpHeaders[index]
if CUSTOM_INJECTION_MARK_CHAR in re.sub(
PROBLEMATIC_CUSTOM_INJECTION_PATTERNS, "",
value):
parts = value.split(CUSTOM_INJECTION_MARK_CHAR)
for i in xrange(len(parts) - 1):
conf.paramDict[place][
"%s #%d%s" %
(header, i + 1, CUSTOM_INJECTION_MARK_CHAR
)] = "%s,%s" % (header, "".join(
"%s%s" %
(parts[j], CUSTOM_INJECTION_MARK_CHAR
if i == j else "")
for j in xrange(len(parts))))
conf.httpHeaders[index] = (
header,
value.replace(CUSTOM_INJECTION_MARK_CHAR, ""))
else:
parts = value.split(CUSTOM_INJECTION_MARK_CHAR)
for i in xrange(len(parts) - 1):
conf.paramDict[place]["%s#%d%s" % (
("%s " % kb.postHint) if kb.postHint else "",
i + 1, CUSTOM_INJECTION_MARK_CHAR)] = "".join(
"%s%s" %
(parts[j],
CUSTOM_INJECTION_MARK_CHAR if i == j else "")
for j in xrange(len(parts)))
if place == PLACE.URI and PLACE.GET in conf.paramDict:
del conf.paramDict[PLACE.GET]
elif place == PLACE.CUSTOM_POST and PLACE.POST in conf.paramDict:
del conf.paramDict[PLACE.POST]
testableParameters = True
if kb.processUserMarks:
for item in ("url", "data", "agent", "referer", "cookie"):
if conf.get(item):
conf[item] = conf[item].replace(CUSTOM_INJECTION_MARK_CHAR, "")
# Perform checks on Cookie parameters
if conf.cookie:
conf.parameters[PLACE.COOKIE] = conf.cookie
paramDict = paramToDict(PLACE.COOKIE, conf.cookie)
if paramDict:
conf.paramDict[PLACE.COOKIE] = paramDict
testableParameters = True
# Perform checks on header values
if conf.httpHeaders:
for httpHeader, headerValue in conf.httpHeaders:
# Url encoding of the header values should be avoided
# Reference: http://stackoverflow.com/questions/5085904/is-ok-to-urlencode-the-value-in-headerlocation-value
httpHeader = httpHeader.title()
if httpHeader == HTTP_HEADER.USER_AGENT:
conf.parameters[PLACE.USER_AGENT] = urldecode(headerValue)
condition = any((not conf.testParameter,
intersect(conf.testParameter,
USER_AGENT_ALIASES)))
if condition:
conf.paramDict[PLACE.USER_AGENT] = {
PLACE.USER_AGENT: headerValue
}
testableParameters = True
elif httpHeader == HTTP_HEADER.REFERER:
conf.parameters[PLACE.REFERER] = urldecode(headerValue)
condition = any((not conf.testParameter,
intersect(conf.testParameter,
REFERER_ALIASES)))
if condition:
conf.paramDict[PLACE.REFERER] = {
PLACE.REFERER: headerValue
}
testableParameters = True
elif httpHeader == HTTP_HEADER.HOST:
conf.parameters[PLACE.HOST] = urldecode(headerValue)
condition = any((not conf.testParameter,
intersect(conf.testParameter, HOST_ALIASES)))
if condition:
conf.paramDict[PLACE.HOST] = {PLACE.HOST: headerValue}
testableParameters = True
if not conf.parameters:
errMsg = "you did not provide any GET, POST and Cookie "
errMsg += "parameter, neither an User-Agent, Referer or Host header value"
raise SqlmapGenericException(errMsg)
elif not testableParameters:
errMsg = "all testable parameters you provided are not present "
errMsg += "within the given request data"
raise SqlmapGenericException(errMsg)
class Connect(object):
"""
This class defines methods used to perform HTTP requests
"""
@staticmethod
def _getPageProxy(**kwargs):
return Connect.getPage(**kwargs)
@staticmethod
def _retryProxy(**kwargs):
threadData = getCurrentThreadData()
threadData.retriesCount += 1
if conf.proxyList and threadData.retriesCount >= conf.retries:
warnMsg = "changing proxy"
logger.warn(warnMsg)
conf.proxy = conf.proxyList[0]
conf.proxyList = conf.proxyList[1:] + conf.proxyList[:1]
setHTTPProxy()
if kb.testMode and kb.previousMethod == PAYLOAD.METHOD.TIME:
# timed based payloads can cause web server unresponsiveness
# if the injectable piece of code is some kind of JOIN-like query
warnMsg = "most probably web server instance hasn't recovered yet "
warnMsg += "from previous timed based payload. If the problem "
warnMsg += "persists please wait for few minutes and rerun "
warnMsg += "without flag T in option '--technique' "
warnMsg += "(e.g. '--flush-session --technique=BEUS') or try to "
warnMsg += "lower the value of option '--time-sec' (e.g. '--time-sec=2')"
singleTimeWarnMessage(warnMsg)
elif kb.originalPage is None:
if conf.tor:
warnMsg = "please make sure that you have "
warnMsg += "Tor installed and running so "
warnMsg += "you could successfully use "
warnMsg += "switch '--tor' "
if IS_WIN:
warnMsg += "(e.g. 'https://www.torproject.org/download/download.html.en')"
else:
warnMsg += "(e.g. 'https://help.ubuntu.com/community/Tor')"
else:
warnMsg = "if the problem persists please check that the provided "
warnMsg += "target URL is valid. In case that it is, you can try to rerun "
warnMsg += "with the switch '--random-agent' turned on "
warnMsg += "and/or proxy switches ('--ignore-proxy', '--proxy',...)"
singleTimeWarnMessage(warnMsg)
elif conf.threads > 1:
warnMsg = "if the problem persists please try to lower "
warnMsg += "the number of used threads (option '--threads')"
singleTimeWarnMessage(warnMsg)
time.sleep(1)
kwargs['retrying'] = True
return Connect._getPageProxy(**kwargs)
@staticmethod
def _connReadProxy(conn):
retVal = ""
if not kb.dnsMode and conn:
headers = conn.info()
if headers and (headers.getheader(HTTP_HEADER.CONTENT_ENCODING, "").lower() in ("gzip", "deflate")\
or "text" not in headers.getheader(HTTP_HEADER.CONTENT_TYPE, "").lower()):
retVal = conn.read(MAX_CONNECTION_TOTAL_SIZE)
if len(retVal) == MAX_CONNECTION_TOTAL_SIZE:
warnMsg = "large compressed response detected. Disabling compression"
singleTimeWarnMessage(warnMsg)
kb.pageCompress = False
else:
while True:
_ = conn.read(MAX_CONNECTION_CHUNK_SIZE)
if len(_) == MAX_CONNECTION_CHUNK_SIZE:
warnMsg = "large response detected. This could take a while"
singleTimeWarnMessage(warnMsg)
_ = re.sub(
r"(?si)%s.+?%s" % (kb.chars.stop, kb.chars.start),
"%s%s%s" % (kb.chars.stop, LARGE_CHUNK_TRIM_MARKER,
kb.chars.start), _)
retVal += _
else:
retVal += _
break
if len(retVal) > MAX_CONNECTION_TOTAL_SIZE:
warnMsg = "too large response detected. Automatically trimming it"
singleTimeWarnMessage(warnMsg)
break
return retVal
@staticmethod
def getPage(**kwargs):
"""
This method connects to the target URL or proxy and returns
the target URL page content
"""
if conf.delay is not None and isinstance(
conf.delay, (int, float)) and conf.delay > 0:
time.sleep(conf.delay)
elif conf.cpuThrottle:
cpuThrottle(conf.cpuThrottle)
if conf.dummy:
return randomStr(int(randomInt()),
alphabet=[chr(_) for _ in xrange(256)
]), {}, int(randomInt())
threadData = getCurrentThreadData()
with kb.locks.request:
kb.requestCounter += 1
threadData.lastRequestUID = kb.requestCounter
url = kwargs.get("url", None) or conf.url
get = kwargs.get("get", None)
post = kwargs.get("post", None)
method = kwargs.get("method", None)
cookie = kwargs.get("cookie", None)
ua = kwargs.get("ua", None) or conf.agent
referer = kwargs.get("referer", None) or conf.referer
host = kwargs.get("host", None) or conf.host
direct_ = kwargs.get("direct", False)
multipart = kwargs.get("multipart", False)
silent = kwargs.get("silent", False)
raise404 = kwargs.get("raise404", True)
timeout = kwargs.get("timeout", None) or conf.timeout
auxHeaders = kwargs.get("auxHeaders", None)
response = kwargs.get("response", False)
ignoreTimeout = kwargs.get("ignoreTimeout", False) or kb.ignoreTimeout
refreshing = kwargs.get("refreshing", False)
retrying = kwargs.get("retrying", False)
crawling = kwargs.get("crawling", False)
skipRead = kwargs.get("skipRead", False)
if not urlparse.urlsplit(url).netloc:
url = urlparse.urljoin(conf.url, url)
# flag to know if we are dealing with the same target host
target = reduce(
lambda x, y: x == y,
map(lambda x: urlparse.urlparse(x).netloc.split(':')[0],
[url, conf.url or ""]))
if not retrying:
# Reset the number of connection retries
threadData.retriesCount = 0
# fix for known issue when urllib2 just skips the other part of provided
# url splitted with space char while urlencoding it in the later phase
url = url.replace(" ", "%20")
conn = None
code = None
page = None
_ = urlparse.urlsplit(url)
requestMsg = u"HTTP request [#%d]:\n%s " % (
threadData.lastRequestUID, method or
(HTTPMETHOD.POST if post is not None else HTTPMETHOD.GET))
requestMsg += ("%s%s" %
(_.path or "/",
("?%s" % _.query) if _.query else "")) if not any(
(refreshing, crawling)) else url
responseMsg = u"HTTP response "
requestHeaders = u""
responseHeaders = None
logHeaders = u""
skipLogTraffic = False
raise404 = raise404 and not kb.ignoreNotFound
# support for non-latin (e.g. cyrillic) URLs as urllib/urllib2 doesn't
# support those by default
url = asciifyUrl(url)
# fix for known issues when using url in unicode format
# (e.g. UnicodeDecodeError: "url = url + '?' + query" in redirect case)
url = unicodeencode(url)
try:
socket.setdefaulttimeout(timeout)
if direct_:
if '?' in url:
url, params = url.split('?', 1)
params = urlencode(params)
url = "%s?%s" % (url, params)
requestMsg += "?%s" % params
elif multipart:
# Needed in this form because of potential circle dependency
# problem (option -> update -> connect -> option)
from lib.core.option import proxyHandler
multipartOpener = urllib2.build_opener(
proxyHandler, multipartpost.MultipartPostHandler)
conn = multipartOpener.open(unicodeencode(url), multipart)
page = Connect._connReadProxy(conn) if not skipRead else None
responseHeaders = conn.info()
responseHeaders[URI_HTTP_HEADER] = conn.geturl()
page = decodePage(
page, responseHeaders.get(HTTP_HEADER.CONTENT_ENCODING),
responseHeaders.get(HTTP_HEADER.CONTENT_TYPE))
return page
elif any((refreshing, crawling)):
pass
elif target:
if conf.forceSSL and urlparse.urlparse(url).scheme != "https":
url = re.sub("\Ahttp:", "https:", url, re.I)
url = re.sub(":80/", ":443/", url, re.I)
if PLACE.GET in conf.parameters and not get:
get = conf.parameters[PLACE.GET]
if not conf.skipUrlEncode:
get = urlencode(get, limit=True)
if get:
url = "%s?%s" % (url, get)
requestMsg += "?%s" % get
if PLACE.POST in conf.parameters and not post and method in (
None, HTTPMETHOD.POST):
post = conf.parameters[PLACE.POST]
elif get:
url = "%s?%s" % (url, get)
requestMsg += "?%s" % get
requestMsg += " %s" % httplib.HTTPConnection._http_vsn_str
# Prepare HTTP headers
headers = forgeHeaders({
HTTP_HEADER.COOKIE: cookie,
HTTP_HEADER.USER_AGENT: ua,
HTTP_HEADER.REFERER: referer
})
if kb.authHeader:
headers[HTTP_HEADER.AUTHORIZATION] = kb.authHeader
if kb.proxyAuthHeader:
headers[HTTP_HEADER.PROXY_AUTHORIZATION] = kb.proxyAuthHeader
headers[HTTP_HEADER.ACCEPT] = HTTP_ACCEPT_HEADER_VALUE
headers[
HTTP_HEADER.
ACCEPT_ENCODING] = HTTP_ACCEPT_ENCODING_HEADER_VALUE if kb.pageCompress else "identity"
headers[HTTP_HEADER.HOST] = host or getHostHeader(url)
if post is not None and HTTP_HEADER.CONTENT_TYPE not in headers:
headers[
HTTP_HEADER.CONTENT_TYPE] = POST_HINT_CONTENT_TYPES.get(
kb.postHint, DEFAULT_CONTENT_TYPE)
if headers.get(
HTTP_HEADER.CONTENT_TYPE) == POST_HINT_CONTENT_TYPES[
POST_HINT.MULTIPART]:
warnMsg = "missing 'boundary parameter' in '%s' header. " % HTTP_HEADER.CONTENT_TYPE
warnMsg += "Will try to reconstruct"
singleTimeWarnMessage(warnMsg)
boundary = findMultipartPostBoundary(conf.data)
if boundary:
headers[HTTP_HEADER.CONTENT_TYPE] = "%s; boundary=%s" % (
headers[HTTP_HEADER.CONTENT_TYPE], boundary)
if auxHeaders:
for key, item in auxHeaders.items():
headers[key] = item
for key, item in headers.items():
del headers[key]
headers[unicodeencode(key, kb.pageEncoding)] = unicodeencode(
item, kb.pageEncoding)
post = unicodeencode(post, kb.pageEncoding)
if method:
req = MethodRequest(url, post, headers)
req.set_method(method)
else:
req = urllib2.Request(url, post, headers)
requestHeaders += "\n".join(
"%s: %s" %
(key.capitalize() if isinstance(key, basestring) else key,
getUnicode(value)) for (key, value) in req.header_items())
if not getRequestHeader(req, HTTP_HEADER.COOKIE) and conf.cj:
conf.cj._policy._now = conf.cj._now = int(time.time())
cookies = conf.cj._cookies_for_request(req)
requestHeaders += "\n%s" % ("Cookie: %s" % ";".join(
"%s=%s" %
(getUnicode(cookie.name), getUnicode(cookie.value))
for cookie in cookies))
if post is not None:
if not getRequestHeader(req, HTTP_HEADER.CONTENT_LENGTH):
requestHeaders += "\n%s: %d" % (string.capwords(
HTTP_HEADER.CONTENT_LENGTH), len(post))
if not getRequestHeader(req, HTTP_HEADER.CONNECTION):
requestHeaders += "\n%s: close" % HTTP_HEADER.CONNECTION
requestMsg += "\n%s" % requestHeaders
if post is not None:
requestMsg += "\n\n%s" % getUnicode(post)
requestMsg += "\n"
threadData.lastRequestMsg = requestMsg
logger.log(CUSTOM_LOGGING.TRAFFIC_OUT, requestMsg)
conn = urllib2.urlopen(req)
if not kb.authHeader and getRequestHeader(
req, HTTP_HEADER.AUTHORIZATION
) and conf.authType == AUTH_TYPE.BASIC:
kb.authHeader = getRequestHeader(req,
HTTP_HEADER.AUTHORIZATION)
if not kb.proxyAuthHeader and getRequestHeader(
req, HTTP_HEADER.PROXY_AUTHORIZATION):
kb.proxyAuthHeader = getRequestHeader(
req, HTTP_HEADER.PROXY_AUTHORIZATION)
# Return response object
if response:
return conn, None, None
# Get HTTP response
if hasattr(conn, 'redurl'):
page = (threadData.lastRedirectMsg[1] if kb.redirectChoice == REDIRECTION.NO\
else Connect._connReadProxy(conn)) if not skipRead else None
skipLogTraffic = kb.redirectChoice == REDIRECTION.NO
code = conn.redcode
else:
page = Connect._connReadProxy(conn) if not skipRead else None
code = code or conn.code
responseHeaders = conn.info()
responseHeaders[URI_HTTP_HEADER] = conn.geturl()
page = decodePage(
page, responseHeaders.get(HTTP_HEADER.CONTENT_ENCODING),
responseHeaders.get(HTTP_HEADER.CONTENT_TYPE))
status = getUnicode(conn.msg)
if extractRegexResult(META_REFRESH_REGEX, page) and not refreshing:
url = extractRegexResult(META_REFRESH_REGEX, page)
debugMsg = "got HTML meta refresh header"
logger.debug(debugMsg)
if kb.alwaysRefresh is None:
msg = "sqlmap got a refresh request "
msg += "(redirect like response common to login pages). "
msg += "Do you want to apply the refresh "
msg += "from now on (or stay on the original page)? [Y/n]"
choice = readInput(msg, default="Y")
kb.alwaysRefresh = choice not in ("n", "N")
if kb.alwaysRefresh:
if url.lower().startswith('http://'):
kwargs['url'] = url
else:
kwargs['url'] = conf.url[:conf.url.rfind('/') +
1] + url
threadData.lastRedirectMsg = (threadData.lastRequestUID,
page)
kwargs['refreshing'] = True
kwargs['get'] = None
kwargs['post'] = None
try:
return Connect._getPageProxy(**kwargs)
except SqlmapSyntaxException:
pass
# Explicit closing of connection object
if not conf.keepAlive:
try:
if hasattr(conn.fp, '_sock'):
conn.fp._sock.close()
conn.close()
except Exception, msg:
warnMsg = "problem occurred during connection closing ('%s')" % msg
logger.warn(warnMsg)
except urllib2.HTTPError, e:
page = None
responseHeaders = None
try:
page = e.read() if not skipRead else None
responseHeaders = e.info()
responseHeaders[URI_HTTP_HEADER] = e.geturl()
page = decodePage(
page, responseHeaders.get(HTTP_HEADER.CONTENT_ENCODING),
responseHeaders.get(HTTP_HEADER.CONTENT_TYPE))
except socket.timeout:
warnMsg = "connection timed out while trying "
warnMsg += "to get error page information (%d)" % e.code
logger.warn(warnMsg)
return None, None, None
except KeyboardInterrupt:
raise
except:
pass
finally:
page = page if isinstance(page, unicode) else getUnicode(page)
code = e.code
threadData.lastHTTPError = (threadData.lastRequestUID, code)
kb.httpErrorCodes[code] = kb.httpErrorCodes.get(code, 0) + 1
status = getUnicode(e.msg)
responseMsg += "[#%d] (%d %s):\n" % (threadData.lastRequestUID,
code, status)
if responseHeaders:
logHeaders = "\n".join("%s: %s" % (getUnicode(key.capitalize(
) if isinstance(key, basestring) else key), getUnicode(value))
for (key,
value) in responseHeaders.items())
logHTTPTraffic(
requestMsg,
"%s%s\n\n%s" % (responseMsg, logHeaders,
(page or "")[:MAX_CONNECTION_CHUNK_SIZE]))
skipLogTraffic = True
if conf.verbose <= 5:
responseMsg += getUnicode(logHeaders)
elif conf.verbose > 5:
responseMsg += "%s\n\n%s" % (logHeaders,
(page or
"")[:MAX_CONNECTION_CHUNK_SIZE])
logger.log(CUSTOM_LOGGING.TRAFFIC_IN, responseMsg)
if e.code == httplib.UNAUTHORIZED:
errMsg = "not authorized, try to provide right HTTP "
errMsg += "authentication type and valid credentials (%d)" % code
raise SqlmapConnectionException(errMsg)
elif e.code == httplib.NOT_FOUND:
if raise404:
errMsg = "page not found (%d)" % code
raise SqlmapConnectionException(errMsg)
else:
debugMsg = "page not found (%d)" % code
singleTimeLogMessage(debugMsg, logging.DEBUG)
processResponse(page, responseHeaders)
elif e.code == httplib.GATEWAY_TIMEOUT:
if ignoreTimeout:
return None, None, None
else:
warnMsg = "unable to connect to the target URL (%d - %s)" % (
e.code, httplib.responses[e.code])
if threadData.retriesCount < conf.retries and not kb.threadException:
warnMsg += ". sqlmap is going to retry the request"
logger.critical(warnMsg)
return Connect._retryProxy(**kwargs)
elif kb.testMode:
logger.critical(warnMsg)
return None, None, None
else:
raise SqlmapConnectionException(warnMsg)
else:
debugMsg = "got HTTP error code: %d (%s)" % (code, status)
logger.debug(debugMsg)
except (urllib2.URLError, socket.error, socket.timeout,
httplib.BadStatusLine, httplib.IncompleteRead, ProxyError,
SqlmapCompressionException), e:
tbMsg = traceback.format_exc()
if "no host given" in tbMsg:
warnMsg = "invalid URL address used (%s)" % repr(url)
raise SqlmapSyntaxException(warnMsg)
elif "forcibly closed" in tbMsg:
warnMsg = "connection was forcibly closed by the target URL"
elif "timed out" in tbMsg:
warnMsg = "connection timed out to the target URL"
elif "URLError" in tbMsg or "error" in tbMsg:
warnMsg = "unable to connect to the target URL"
elif "BadStatusLine" in tbMsg:
warnMsg = "connection dropped or unknown HTTP "
warnMsg += "status code received. Try to force the HTTP User-Agent "
warnMsg += "header with option '--user-agent' or switch '--random-agent'"
elif "IncompleteRead" in tbMsg:
warnMsg = "there was an incomplete read error while retrieving data "
warnMsg += "from the target URL"
else:
warnMsg = "unable to connect to the target URL"
if "BadStatusLine" not in tbMsg:
warnMsg += " or proxy"
if silent:
return None, None, None
elif "forcibly closed" in tbMsg:
logger.critical(warnMsg)
return None, None, None
elif ignoreTimeout and any(
_ in tbMsg for _ in ("timed out", "IncompleteRead")):
return None, None, None
elif threadData.retriesCount < conf.retries and not kb.threadException:
warnMsg += ". sqlmap is going to retry the request"
logger.critical(warnMsg)
return Connect._retryProxy(**kwargs)
elif kb.testMode:
logger.critical(warnMsg)
return None, None, None
else:
raise SqlmapConnectionException(warnMsg)
def cmdLineParser(argv=None):
"""
This function parses the command line parameters and arguments
"""
if not argv:
argv = sys.argv
checkSystemEncoding()
# Reference: https://stackoverflow.com/a/4012683 (Note: previously used "...sys.getfilesystemencoding() or UNICODE_ENCODING")
_ = getUnicode(os.path.basename(argv[0]), encoding=sys.stdin.encoding)
usage = "%s%s [options]" % ("%s " % os.path.basename(sys.executable) if not IS_WIN else "", "\"%s\"" % _ if " " in _ else _)
parser = ArgumentParser(usage=usage)
try:
parser.add_argument("--hh", dest="advancedHelp", action="store_true",
help="Show advanced help message and exit")
parser.add_argument("--version", dest="showVersion", action="store_true",
help="Show program's version number and exit")
parser.add_argument("-v", dest="verbose", type=int,
help="Verbosity level: 0-6 (default %d)" % defaults.verbose)
# Target options
target = parser.add_argument_group("Target", "At least one of these options has to be provided to define the target(s)")
target.add_argument("-d", dest="direct",
help="Connection string for direct database connection")
target.add_argument("-u", "--url", dest="url",
help="Target URL (e.g. \"http://www.site.com/vuln.php?id=1\")")
target.add_argument("-l", dest="logFile",
help="Parse target(s) from Burp or WebScarab proxy log file")
target.add_argument("-m", dest="bulkFile",
help="Scan multiple targets given in a textual file ")
target.add_argument("-r", dest="requestFile",
help="Load HTTP request from a file")
target.add_argument("-g", dest="googleDork",
help="Process Google dork results as target URLs")
target.add_argument("-c", dest="configFile",
help="Load options from a configuration INI file")
# Request options
request = parser.add_argument_group("Request", "These options can be used to specify how to connect to the target URL")
request.add_argument("-A", "--user-agent", dest="agent",
help="HTTP User-Agent header value")
request.add_argument("-H", "--header", dest="header",
help="Extra header (e.g. \"X-Forwarded-For: 127.0.0.1\")")
request.add_argument("--method", dest="method",
help="Force usage of given HTTP method (e.g. PUT)")
request.add_argument("--data", dest="data",
help="Data string to be sent through POST (e.g. \"id=1\")")
request.add_argument("--param-del", dest="paramDel",
help="Character used for splitting parameter values (e.g. &)")
request.add_argument("--cookie", dest="cookie",
help="HTTP Cookie header value (e.g. \"PHPSESSID=a8d127e..\")")
request.add_argument("--cookie-del", dest="cookieDel",
help="Character used for splitting cookie values (e.g. ;)")
request.add_argument("--load-cookies", dest="loadCookies",
help="File containing cookies in Netscape/wget format")
request.add_argument("--drop-set-cookie", dest="dropSetCookie", action="store_true",
help="Ignore Set-Cookie header from response")
request.add_argument("--mobile", dest="mobile", action="store_true",
help="Imitate smartphone through HTTP User-Agent header")
request.add_argument("--random-agent", dest="randomAgent", action="store_true",
help="Use randomly selected HTTP User-Agent header value")
request.add_argument("--host", dest="host",
help="HTTP Host header value")
request.add_argument("--referer", dest="referer",
help="HTTP Referer header value")
request.add_argument("--headers", dest="headers",
help="Extra headers (e.g. \"Accept-Language: fr\\nETag: 123\")")
request.add_argument("--auth-type", dest="authType",
help="HTTP authentication type (Basic, Digest, NTLM or PKI)")
request.add_argument("--auth-cred", dest="authCred",
help="HTTP authentication credentials (name:password)")
request.add_argument("--auth-file", dest="authFile",
help="HTTP authentication PEM cert/private key file")
request.add_argument("--ignore-code", dest="ignoreCode",
help="Ignore (problematic) HTTP error code (e.g. 401)")
request.add_argument("--ignore-proxy", dest="ignoreProxy", action="store_true",
help="Ignore system default proxy settings")
request.add_argument("--ignore-redirects", dest="ignoreRedirects", action="store_true",
help="Ignore redirection attempts")
request.add_argument("--ignore-timeouts", dest="ignoreTimeouts", action="store_true",
help="Ignore connection timeouts")
request.add_argument("--proxy", dest="proxy",
help="Use a proxy to connect to the target URL")
request.add_argument("--proxy-cred", dest="proxyCred",
help="Proxy authentication credentials (name:password)")
request.add_argument("--proxy-file", dest="proxyFile",
help="Load proxy list from a file")
request.add_argument("--tor", dest="tor", action="store_true",
help="Use Tor anonymity network")
request.add_argument("--tor-port", dest="torPort",
help="Set Tor proxy port other than default")
request.add_argument("--tor-type", dest="torType",
help="Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))")
request.add_argument("--check-tor", dest="checkTor", action="store_true",
help="Check to see if Tor is used properly")
request.add_argument("--delay", dest="delay", type=float,
help="Delay in seconds between each HTTP request")
request.add_argument("--timeout", dest="timeout", type=float,
help="Seconds to wait before timeout connection (default %d)" % defaults.timeout)
request.add_argument("--retries", dest="retries", type=int,
help="Retries when the connection timeouts (default %d)" % defaults.retries)
request.add_argument("--randomize", dest="rParam",
help="Randomly change value for given parameter(s)")
request.add_argument("--safe-url", dest="safeUrl",
help="URL address to visit frequently during testing")
request.add_argument("--safe-post", dest="safePost",
help="POST data to send to a safe URL")
request.add_argument("--safe-req", dest="safeReqFile",
help="Load safe HTTP request from a file")
request.add_argument("--safe-freq", dest="safeFreq", type=int,
help="Test requests between two visits to a given safe URL")
request.add_argument("--skip-urlencode", dest="skipUrlEncode", action="store_true",
help="Skip URL encoding of payload data")
request.add_argument("--csrf-token", dest="csrfToken",
help="Parameter used to hold anti-CSRF token")
request.add_argument("--csrf-url", dest="csrfUrl",
help="URL address to visit for extraction of anti-CSRF token")
request.add_argument("--csrf-method", dest="csrfMethod",
help="HTTP method to use during anti-CSRF token page visit")
request.add_argument("--force-ssl", dest="forceSSL", action="store_true",
help="Force usage of SSL/HTTPS")
request.add_argument("--chunked", dest="chunked", action="store_true",
help="Use HTTP chunked transfer encoded (POST) requests")
request.add_argument("--hpp", dest="hpp", action="store_true",
help="Use HTTP parameter pollution method")
request.add_argument("--eval", dest="evalCode",
help="Evaluate provided Python code before the request (e.g. \"import hashlib;id2=hashlib.md5(id).hexdigest()\")")
# Optimization options
optimization = parser.add_argument_group("Optimization", "These options can be used to optimize the performance of sqlmap")
optimization.add_argument("-o", dest="optimize", action="store_true",
help="Turn on all optimization switches")
optimization.add_argument("--predict-output", dest="predictOutput", action="store_true",
help="Predict common queries output")
optimization.add_argument("--keep-alive", dest="keepAlive", action="store_true",
help="Use persistent HTTP(s) connections")
optimization.add_argument("--null-connection", dest="nullConnection", action="store_true",
help="Retrieve page length without actual HTTP response body")
optimization.add_argument("--threads", dest="threads", type=int,
help="Max number of concurrent HTTP(s) requests (default %d)" % defaults.threads)
# Injection options
injection = parser.add_argument_group("Injection", "These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts")
injection.add_argument("-p", dest="testParameter",
help="Testable parameter(s)")
injection.add_argument("--skip", dest="skip",
help="Skip testing for given parameter(s)")
injection.add_argument("--skip-static", dest="skipStatic", action="store_true",
help="Skip testing parameters that not appear to be dynamic")
injection.add_argument("--param-exclude", dest="paramExclude",
help="Regexp to exclude parameters from testing (e.g. \"ses\")")
injection.add_argument("--param-filter", dest="paramFilter",
help="Select testable parameter(s) by place (e.g. \"POST\")")
injection.add_argument("--dbms", dest="dbms",
help="Force back-end DBMS to provided value")
injection.add_argument("--dbms-cred", dest="dbmsCred",
help="DBMS authentication credentials (user:password)")
injection.add_argument("--os", dest="os",
help="Force back-end DBMS operating system to provided value")
injection.add_argument("--invalid-bignum", dest="invalidBignum", action="store_true",
help="Use big numbers for invalidating values")
injection.add_argument("--invalid-logical", dest="invalidLogical", action="store_true",
help="Use logical operations for invalidating values")
injection.add_argument("--invalid-string", dest="invalidString", action="store_true",
help="Use random strings for invalidating values")
injection.add_argument("--no-cast", dest="noCast", action="store_true",
help="Turn off payload casting mechanism")
injection.add_argument("--no-escape", dest="noEscape", action="store_true",
help="Turn off string escaping mechanism")
injection.add_argument("--prefix", dest="prefix",
help="Injection payload prefix string")
injection.add_argument("--suffix", dest="suffix",
help="Injection payload suffix string")
injection.add_argument("--tamper", dest="tamper",
help="Use given script(s) for tampering injection data")
# Detection options
detection = parser.add_argument_group("Detection", "These options can be used to customize the detection phase")
detection.add_argument("--level", dest="level", type=int,
help="Level of tests to perform (1-5, default %d)" % defaults.level)
detection.add_argument("--risk", dest="risk", type=int,
help="Risk of tests to perform (1-3, default %d)" % defaults.risk)
detection.add_argument("--string", dest="string",
help="String to match when query is evaluated to True")
detection.add_argument("--not-string", dest="notString",
help="String to match when query is evaluated to False")
detection.add_argument("--regexp", dest="regexp",
help="Regexp to match when query is evaluated to True")
detection.add_argument("--code", dest="code", type=int,
help="HTTP code to match when query is evaluated to True")
detection.add_argument("--smart", dest="smart", action="store_true",
help="Perform thorough tests only if positive heuristic(s)")
detection.add_argument("--text-only", dest="textOnly", action="store_true",
help="Compare pages based only on the textual content")
detection.add_argument("--titles", dest="titles", action="store_true",
help="Compare pages based only on their titles")
# Techniques options
techniques = parser.add_argument_group("Techniques", "These options can be used to tweak testing of specific SQL injection techniques")
techniques.add_argument("--technique", dest="technique",
help="SQL injection techniques to use (default \"%s\")" % defaults.technique)
techniques.add_argument("--time-sec", dest="timeSec", type=int,
help="Seconds to delay the DBMS response (default %d)" % defaults.timeSec)
techniques.add_argument("--union-cols", dest="uCols",
help="Range of columns to test for UNION query SQL injection")
techniques.add_argument("--union-char", dest="uChar",
help="Character to use for bruteforcing number of columns")
techniques.add_argument("--union-from", dest="uFrom",
help="Table to use in FROM part of UNION query SQL injection")
techniques.add_argument("--dns-domain", dest="dnsDomain",
help="Domain name used for DNS exfiltration attack")
techniques.add_argument("--second-url", dest="secondUrl",
help="Resulting page URL searched for second-order response")
techniques.add_argument("--second-req", dest="secondReq",
help="Load second-order HTTP request from file")
# Fingerprint options
fingerprint = parser.add_argument_group("Fingerprint")
fingerprint.add_argument("-f", "--fingerprint", dest="extensiveFp", action="store_true",
help="Perform an extensive DBMS version fingerprint")
# Enumeration options
enumeration = parser.add_argument_group("Enumeration", "These options can be used to enumerate the back-end database management system information, structure and data contained in the tables")
enumeration.add_argument("-a", "--all", dest="getAll", action="store_true",
help="Retrieve everything")
enumeration.add_argument("-b", "--banner", dest="getBanner", action="store_true",
help="Retrieve DBMS banner")
enumeration.add_argument("--current-user", dest="getCurrentUser", action="store_true",
help="Retrieve DBMS current user")
enumeration.add_argument("--current-db", dest="getCurrentDb", action="store_true",
help="Retrieve DBMS current database")
enumeration.add_argument("--hostname", dest="getHostname", action="store_true",
help="Retrieve DBMS server hostname")
enumeration.add_argument("--is-dba", dest="isDba", action="store_true",
help="Detect if the DBMS current user is DBA")
enumeration.add_argument("--users", dest="getUsers", action="store_true",
help="Enumerate DBMS users")
enumeration.add_argument("--passwords", dest="getPasswordHashes", action="store_true",
help="Enumerate DBMS users password hashes")
enumeration.add_argument("--privileges", dest="getPrivileges", action="store_true",
help="Enumerate DBMS users privileges")
enumeration.add_argument("--roles", dest="getRoles", action="store_true",
help="Enumerate DBMS users roles")
enumeration.add_argument("--dbs", dest="getDbs", action="store_true",
help="Enumerate DBMS databases")
enumeration.add_argument("--tables", dest="getTables", action="store_true",
help="Enumerate DBMS database tables")
enumeration.add_argument("--columns", dest="getColumns", action="store_true",
help="Enumerate DBMS database table columns")
enumeration.add_argument("--schema", dest="getSchema", action="store_true",
help="Enumerate DBMS schema")
enumeration.add_argument("--count", dest="getCount", action="store_true",
help="Retrieve number of entries for table(s)")
enumeration.add_argument("--dump", dest="dumpTable", action="store_true",
help="Dump DBMS database table entries")
enumeration.add_argument("--dump-all", dest="dumpAll", action="store_true",
help="Dump all DBMS databases tables entries")
enumeration.add_argument("--search", dest="search", action="store_true",
help="Search column(s), table(s) and/or database name(s)")
enumeration.add_argument("--comments", dest="getComments", action="store_true",
help="Check for DBMS comments during enumeration")
enumeration.add_argument("--statements", dest="getStatements", action="store_true",
help="Retrieve SQL statements being run on DBMS")
enumeration.add_argument("-D", dest="db",
help="DBMS database to enumerate")
enumeration.add_argument("-T", dest="tbl",
help="DBMS database table(s) to enumerate")
enumeration.add_argument("-C", dest="col",
help="DBMS database table column(s) to enumerate")
enumeration.add_argument("-X", dest="exclude",
help="DBMS database identifier(s) to not enumerate")
enumeration.add_argument("-U", dest="user",
help="DBMS user to enumerate")
enumeration.add_argument("--exclude-sysdbs", dest="excludeSysDbs", action="store_true",
help="Exclude DBMS system databases when enumerating tables")
enumeration.add_argument("--pivot-column", dest="pivotColumn",
help="Pivot column name")
enumeration.add_argument("--where", dest="dumpWhere",
help="Use WHERE condition while table dumping")
enumeration.add_argument("--start", dest="limitStart", type=int,
help="First dump table entry to retrieve")
enumeration.add_argument("--stop", dest="limitStop", type=int,
help="Last dump table entry to retrieve")
enumeration.add_argument("--first", dest="firstChar", type=int,
help="First query output word character to retrieve")
enumeration.add_argument("--last", dest="lastChar", type=int,
help="Last query output word character to retrieve")
enumeration.add_argument("--sql-query", dest="sqlQuery",
help="SQL statement to be executed")
enumeration.add_argument("--sql-shell", dest="sqlShell", action="store_true",
help="Prompt for an interactive SQL shell")
enumeration.add_argument("--sql-file", dest="sqlFile",
help="Execute SQL statements from given file(s)")
# Brute force options
brute = parser.add_argument_group("Brute force", "These options can be used to run brute force checks")
brute.add_argument("--common-tables", dest="commonTables", action="store_true",
help="Check existence of common tables")
brute.add_argument("--common-columns", dest="commonColumns", action="store_true",
help="Check existence of common columns")
brute.add_argument("--common-files", dest="commonFiles", action="store_true",
help="Check existence of common files")
# User-defined function options
udf = parser.add_argument_group("User-defined function injection", "These options can be used to create custom user-defined functions")
udf.add_argument("--udf-inject", dest="udfInject", action="store_true",
help="Inject custom user-defined functions")
udf.add_argument("--shared-lib", dest="shLib",
help="Local path of the shared library")
# File system options
filesystem = parser.add_argument_group("File system access", "These options can be used to access the back-end database management system underlying file system")
filesystem.add_argument("--file-read", dest="fileRead",
help="Read a file from the back-end DBMS file system")
filesystem.add_argument("--file-write", dest="fileWrite",
help="Write a local file on the back-end DBMS file system")
filesystem.add_argument("--file-dest", dest="fileDest",
help="Back-end DBMS absolute filepath to write to")
# Takeover options
takeover = parser.add_argument_group("Operating system access", "These options can be used to access the back-end database management system underlying operating system")
takeover.add_argument("--os-cmd", dest="osCmd",
help="Execute an operating system command")
takeover.add_argument("--os-shell", dest="osShell", action="store_true",
help="Prompt for an interactive operating system shell")
takeover.add_argument("--os-pwn", dest="osPwn", action="store_true",
help="Prompt for an OOB shell, Meterpreter or VNC")
takeover.add_argument("--os-smbrelay", dest="osSmb", action="store_true",
help="One click prompt for an OOB shell, Meterpreter or VNC")
takeover.add_argument("--os-bof", dest="osBof", action="store_true",
help="Stored procedure buffer overflow "
"exploitation")
takeover.add_argument("--priv-esc", dest="privEsc", action="store_true",
help="Database process user privilege escalation")
takeover.add_argument("--msf-path", dest="msfPath",
help="Local path where Metasploit Framework is installed")
takeover.add_argument("--tmp-path", dest="tmpPath",
help="Remote absolute path of temporary files directory")
# Windows registry options
windows = parser.add_argument_group("Windows registry access", "These options can be used to access the back-end database management system Windows registry")
windows.add_argument("--reg-read", dest="regRead", action="store_true",
help="Read a Windows registry key value")
windows.add_argument("--reg-add", dest="regAdd", action="store_true",
help="Write a Windows registry key value data")
windows.add_argument("--reg-del", dest="regDel", action="store_true",
help="Delete a Windows registry key value")
windows.add_argument("--reg-key", dest="regKey",
help="Windows registry key")
windows.add_argument("--reg-value", dest="regVal",
help="Windows registry key value")
windows.add_argument("--reg-data", dest="regData",
help="Windows registry key value data")
windows.add_argument("--reg-type", dest="regType",
help="Windows registry key value type")
# General options
general = parser.add_argument_group("General", "These options can be used to set some general working parameters")
general.add_argument("-s", dest="sessionFile",
help="Load session from a stored (.sqlite) file")
general.add_argument("-t", dest="trafficFile",
help="Log all HTTP traffic into a textual file")
general.add_argument("--answers", dest="answers",
help="Set predefined answers (e.g. \"quit=N,follow=N\")")
general.add_argument("--batch", dest="batch", action="store_true",
help="Never ask for user input, use the default behavior")
general.add_argument("--binary-fields", dest="binaryFields",
help="Result fields having binary values (e.g. \"digest\")")
general.add_argument("--check-internet", dest="checkInternet", action="store_true",
help="Check Internet connection before assessing the target")
general.add_argument("--cleanup", dest="cleanup", action="store_true",
help="Clean up the DBMS from sqlmap specific UDF and tables")
general.add_argument("--crawl", dest="crawlDepth", type=int,
help="Crawl the website starting from the target URL")
general.add_argument("--crawl-exclude", dest="crawlExclude",
help="Regexp to exclude pages from crawling (e.g. \"logout\")")
general.add_argument("--csv-del", dest="csvDel",
help="Delimiting character used in CSV output (default \"%s\")" % defaults.csvDel)
general.add_argument("--charset", dest="charset",
help="Blind SQL injection charset (e.g. \"0123456789abcdef\")")
general.add_argument("--dump-format", dest="dumpFormat",
help="Format of dumped data (CSV (default), HTML or SQLITE)")
general.add_argument("--encoding", dest="encoding",
help="Character encoding used for data retrieval (e.g. GBK)")
general.add_argument("--eta", dest="eta", action="store_true",
help="Display for each output the estimated time of arrival")
general.add_argument("--flush-session", dest="flushSession", action="store_true",
help="Flush session files for current target")
general.add_argument("--forms", dest="forms", action="store_true",
help="Parse and test forms on target URL")
general.add_argument("--fresh-queries", dest="freshQueries", action="store_true",
help="Ignore query results stored in session file")
general.add_argument("--gpage", dest="googlePage", type=int,
help="Use Google dork results from specified page number")
general.add_argument("--har", dest="harFile",
help="Log all HTTP traffic into a HAR file")
general.add_argument("--hex", dest="hexConvert", action="store_true",
help="Use hex conversion during data retrieval")
general.add_argument("--output-dir", dest="outputDir", action="store",
help="Custom output directory path")
general.add_argument("--parse-errors", dest="parseErrors", action="store_true",
help="Parse and display DBMS error messages from responses")
general.add_argument("--preprocess", dest="preprocess",
help="Use given script(s) for preprocessing of response data")
general.add_argument("--repair", dest="repair", action="store_true",
help="Redump entries having unknown character marker (%s)" % INFERENCE_UNKNOWN_CHAR)
general.add_argument("--save", dest="saveConfig",
help="Save options to a configuration INI file")
general.add_argument("--scope", dest="scope",
help="Regexp to filter targets from provided proxy log")
general.add_argument("--skip-waf", dest="skipWaf", action="store_true",
help="Skip heuristic detection of WAF/IPS protection")
general.add_argument("--table-prefix", dest="tablePrefix",
help="Prefix used for temporary tables (default: \"%s\")" % defaults.tablePrefix)
general.add_argument("--test-filter", dest="testFilter",
help="Select tests by payloads and/or titles (e.g. ROW)")
general.add_argument("--test-skip", dest="testSkip",
help="Skip tests by payloads and/or titles (e.g. BENCHMARK)")
general.add_argument("--web-root", dest="webRoot",
help="Web server document root directory (e.g. \"/var/www\")")
# Miscellaneous options
miscellaneous = parser.add_argument_group("Miscellaneous", "These options do not fit into any other category")
miscellaneous.add_argument("-z", dest="mnemonics",
help="Use short mnemonics (e.g. \"flu,bat,ban,tec=EU\")")
miscellaneous.add_argument("--alert", dest="alert",
help="Run host OS command(s) when SQL injection is found")
miscellaneous.add_argument("--beep", dest="beep", action="store_true",
help="Beep on question and/or when SQL injection is found")
miscellaneous.add_argument("--dependencies", dest="dependencies", action="store_true",
help="Check for missing (optional) sqlmap dependencies")
miscellaneous.add_argument("--disable-coloring", dest="disableColoring", action="store_true",
help="Disable console output coloring")
miscellaneous.add_argument("--list-tampers", dest="listTampers", action="store_true",
help="Display list of available tamper scripts")
miscellaneous.add_argument("--offline", dest="offline", action="store_true",
help="Work in offline mode (only use session data)")
miscellaneous.add_argument("--purge", dest="purge", action="store_true",
help="Safely remove all content from sqlmap data directory")
miscellaneous.add_argument("--results-file", dest="resultsFile",
help="Location of CSV results file in multiple targets mode")
miscellaneous.add_argument("--sqlmap-shell", dest="sqlmapShell", action="store_true",
help="Prompt for an interactive sqlmap shell")
miscellaneous.add_argument("--tmp-dir", dest="tmpDir",
help="Local directory for storing temporary files")
miscellaneous.add_argument("--unstable", dest="unstable", action="store_true",
help="Adjust options for unstable connections")
miscellaneous.add_argument("--update", dest="updateAll", action="store_true",
help="Update sqlmap")
miscellaneous.add_argument("--wizard", dest="wizard", action="store_true",
help="Simple wizard interface for beginner users")
# Hidden and/or experimental options
parser.add_argument("--base64", dest="base64Parameter",
help=SUPPRESS) # "Parameter(s) containing Base64 encoded values"
parser.add_argument("--crack", dest="hashFile",
help=SUPPRESS) # "Load and crack hashes from a file (standalone)"
parser.add_argument("--dummy", dest="dummy", action="store_true",
help=SUPPRESS)
parser.add_argument("--murphy-rate", dest="murphyRate", type=int,
help=SUPPRESS)
parser.add_argument("--debug", dest="debug", action="store_true",
help=SUPPRESS)
parser.add_argument("--disable-precon", dest="disablePrecon", action="store_true",
help=SUPPRESS)
parser.add_argument("--disable-stats", dest="disableStats", action="store_true",
help=SUPPRESS)
parser.add_argument("--profile", dest="profile", action="store_true",
help=SUPPRESS)
parser.add_argument("--force-dbms", dest="forceDbms",
help=SUPPRESS)
parser.add_argument("--force-dns", dest="forceDns", action="store_true",
help=SUPPRESS)
parser.add_argument("--force-partial", dest="forcePartial", action="store_true",
help=SUPPRESS)
parser.add_argument("--force-pivoting", dest="forcePivoting", action="store_true",
help=SUPPRESS)
parser.add_argument("--gui", dest="gui", action="store_true",
help=SUPPRESS)
parser.add_argument("--smoke-test", dest="smokeTest", action="store_true",
help=SUPPRESS)
parser.add_argument("--live-test", dest="liveTest", action="store_true",
help=SUPPRESS)
parser.add_argument("--vuln-test", dest="vulnTest", action="store_true",
help=SUPPRESS)
parser.add_argument("--stop-fail", dest="stopFail", action="store_true",
help=SUPPRESS)
parser.add_argument("--run-case", dest="runCase",
help=SUPPRESS)
# API options
parser.add_argument("--api", dest="api", action="store_true",
help=SUPPRESS)
parser.add_argument("--taskid", dest="taskid",
help=SUPPRESS)
parser.add_argument("--database", dest="database",
help=SUPPRESS)
# Dirty hack to display longer options without breaking into two lines
if hasattr(parser, "formatter"):
def _(self, *args):
retVal = parser.formatter._format_option_strings(*args)
if len(retVal) > MAX_HELP_OPTION_LENGTH:
retVal = ("%%.%ds.." % (MAX_HELP_OPTION_LENGTH - parser.formatter.indent_increment)) % retVal
return retVal
parser.formatter._format_option_strings = parser.formatter.format_option_strings
parser.formatter.format_option_strings = type(parser.formatter.format_option_strings)(_, parser)
else:
def _format_action_invocation(self, action):
retVal = self.__format_action_invocation(action)
if len(retVal) > MAX_HELP_OPTION_LENGTH:
retVal = ("%%.%ds.." % (MAX_HELP_OPTION_LENGTH - self._indent_increment)) % retVal
return retVal
parser.formatter_class.__format_action_invocation = parser.formatter_class._format_action_invocation
parser.formatter_class._format_action_invocation = _format_action_invocation
# Dirty hack for making a short option '-hh'
if hasattr(parser, "get_option"):
option = parser.get_option("--hh")
option._short_opts = ["-hh"]
option._long_opts = []
else:
for action in get_actions(parser):
if action.option_strings == ["--hh"]:
action.option_strings = ["-hh"]
break
# Dirty hack for inherent help message of switch '-h'
if hasattr(parser, "get_option"):
option = parser.get_option("-h")
option.help = option.help.capitalize().replace("this help", "basic help")
else:
for action in get_actions(parser):
if action.option_strings == ["-h", "--help"]:
action.help = action.help.capitalize().replace("this help", "basic help")
break
_ = []
advancedHelp = True
extraHeaders = []
tamperIndex = None
# Reference: https://stackoverflow.com/a/4012683 (Note: previously used "...sys.getfilesystemencoding() or UNICODE_ENCODING")
for arg in argv:
_.append(getUnicode(arg, encoding=sys.stdin.encoding))
argv = _
checkOldOptions(argv)
if "--gui" in argv:
runGui(parser)
elif "--sqlmap-shell" in argv:
_createHomeDirectories()
parser.usage = ""
cmdLineOptions.sqlmapShell = True
commands = set(("x", "q", "exit", "quit", "clear"))
commands.update(get_all_options(parser))
autoCompletion(AUTOCOMPLETE_TYPE.SQLMAP, commands=commands)
while True:
command = None
try:
# Note: in Python2 command should not be converted to Unicode before passing to shlex (Reference: https://bugs.python.org/issue1170)
command = _input("sqlmap-shell> ").strip()
except (KeyboardInterrupt, EOFError):
print()
raise SqlmapShellQuitException
if not command:
continue
elif command.lower() == "clear":
clearHistory()
dataToStdout("[i] history cleared\n")
saveHistory(AUTOCOMPLETE_TYPE.SQLMAP)
elif command.lower() in ("x", "q", "exit", "quit"):
raise SqlmapShellQuitException
elif command[0] != '-':
dataToStdout("[!] invalid option(s) provided\n")
dataToStdout("[i] proper example: '-u http://www.site.com/vuln.php?id=1 --banner'\n")
else:
saveHistory(AUTOCOMPLETE_TYPE.SQLMAP)
loadHistory(AUTOCOMPLETE_TYPE.SQLMAP)
break
try:
for arg in shlex.split(command):
argv.append(getUnicode(arg, encoding=sys.stdin.encoding))
except ValueError as ex:
raise SqlmapSyntaxException("something went wrong during command line parsing ('%s')" % getSafeExString(ex))
for i in xrange(len(argv)):
longOptions = set(re.findall(r"\-\-([^= ]+?)=", parser.format_help()))
if argv[i] == "-hh":
argv[i] = "-h"
elif i == 1 and re.search(r"\A(http|www\.|\w[\w.-]+\.\w{2,})", argv[i]) is not None:
argv[i] = "--url=%s" % argv[i]
elif len(argv[i]) > 1 and all(ord(_) in xrange(0x2018, 0x2020) for _ in ((argv[i].split('=', 1)[-1].strip() or ' ')[0], argv[i][-1])):
dataToStdout("[!] copy-pasting illegal (non-console) quote characters from Internet is, well, illegal (%s)\n" % argv[i])
raise SystemExit
elif len(argv[i]) > 1 and u"\uff0c" in argv[i].split('=', 1)[-1]:
dataToStdout("[!] copy-pasting illegal (non-console) comma characters from Internet is, well, illegal (%s)\n" % argv[i])
raise SystemExit
elif re.search(r"\A-\w=.+", argv[i]):
dataToStdout("[!] potentially miswritten (illegal '=') short option detected ('%s')\n" % argv[i])
raise SystemExit
elif argv[i] in DEPRECATED_OPTIONS:
argv[i] = ""
elif argv[i].startswith("--tamper"):
if tamperIndex is None:
tamperIndex = i if '=' in argv[i] else (i + 1 if i + 1 < len(argv) and not argv[i + 1].startswith('-') else None)
else:
argv[tamperIndex] = "%s,%s" % (argv[tamperIndex], argv[i].split('=')[1] if '=' in argv[i] else (argv[i + 1] if i + 1 < len(argv) and not argv[i + 1].startswith('-') else ""))
argv[i] = ""
elif argv[i] == "-H":
if i + 1 < len(argv):
extraHeaders.append(argv[i + 1])
elif argv[i] == "-r":
for j in xrange(i + 2, len(argv)):
value = argv[j]
if os.path.isfile(value):
argv[i + 1] += ",%s" % value
argv[j] = ''
else:
break
elif re.match(r"\A\d+!\Z", argv[i]) and argv[max(0, i - 1)] == "--threads" or re.match(r"\A--threads.+\d+!\Z", argv[i]):
argv[i] = argv[i][:-1]
conf.skipThreadCheck = True
elif argv[i] == "--version":
print(VERSION_STRING.split('/')[-1])
raise SystemExit
elif argv[i] in ("-h", "--help"):
advancedHelp = False
for group in get_groups(parser)[:]:
found = False
for option in get_actions(group):
if option.dest not in BASIC_HELP_ITEMS:
option.help = SUPPRESS
else:
found = True
if not found:
get_groups(parser).remove(group)
elif '=' in argv[i] and not argv[i].startswith('-') and argv[i].split('=')[0] in longOptions and re.search(r"\A-\w\Z", argv[i - 1]) is None:
dataToStdout("[!] detected usage of long-option without a starting hyphen ('%s')\n" % argv[i])
raise SystemExit
for verbosity in (_ for _ in argv if re.search(r"\A\-v+\Z", _)):
try:
if argv.index(verbosity) == len(argv) - 1 or not argv[argv.index(verbosity) + 1].isdigit():
conf.verbose = verbosity.count('v') + 1
del argv[argv.index(verbosity)]
except (IndexError, ValueError):
pass
try:
(args, _) = parser.parse_known_args(argv) if hasattr(parser, "parse_known_args") else parser.parse_args(argv)
except UnicodeEncodeError as ex:
dataToStdout("\n[!] %s\n" % getUnicode(ex.object.encode("unicode-escape")))
raise SystemExit
except SystemExit:
if "-h" in argv and not advancedHelp:
dataToStdout("\n[!] to see full list of options run with '-hh'\n")
raise
if extraHeaders:
if not args.headers:
args.headers = ""
delimiter = "\\n" if "\\n" in args.headers else "\n"
args.headers += delimiter + delimiter.join(extraHeaders)
# Expand given mnemonic options (e.g. -z "ign,flu,bat")
for i in xrange(len(argv) - 1):
if argv[i] == "-z":
expandMnemonics(argv[i + 1], parser, args)
if args.dummy:
args.url = args.url or DUMMY_URL
if not any((args.direct, args.url, args.logFile, args.bulkFile, args.googleDork, args.configFile, args.requestFile, args.updateAll, args.smokeTest, args.vulnTest, args.liveTest, args.wizard, args.dependencies, args.purge, args.listTampers, args.hashFile)):
errMsg = "missing a mandatory option (-d, -u, -l, -m, -r, -g, -c, --list-tampers, --wizard, --update, --purge or --dependencies). "
errMsg += "Use -h for basic and -hh for advanced help\n"
parser.error(errMsg)
return args
except (ArgumentError, TypeError) as ex:
parser.error(ex)
except SystemExit:
# Protection against Windows dummy double clicking
if IS_WIN:
dataToStdout("\nPress Enter to continue...")
_input()
raise
debugMsg = "parsing command line"
logger.debug(debugMsg)
def cmdLineParser(argv=None):
"""
This function parses the command line parameters and arguments
# 该函数用于处理命令行的选项和参数
"""
# 如果没有传入参数 则使用系统命令行的参数
if not argv:
argv = sys.argv
# 检查系统命令行的编码格式
checkSystemEncoding()
# Reference: https://stackoverflow.com/a/4012683 (Note: previously used "...sys.getfilesystemencoding() or UNICODE_ENCODING")
# stackoverflow中告诉我们sys.argv是由sys.stdin.encoding编码的 而不是"...sys.getfilesystemencoding() 或 UNICODE_ENCODING"
# basename从路径提取文件名,再记性unicode编码
_ = getUnicode(os.path.basename(argv[0]), encoding=sys.stdin.encoding)
usage = "%s%s [options]" % ("python " if not IS_WIN else "",
"\"%s\"" % _ if " " in _ else _)
parser = OptionParser(usage=usage)
try:
parser.add_option("--hh",
dest="advancedHelp",
action="store_true",
help="Show advanced help message and exit")
parser.add_option("--version",
dest="showVersion",
action="store_true",
help="Show program's version number and exit")
parser.add_option("-v",
dest="verbose",
type="int",
help="Verbosity level: 0-6 (default %d)" %
defaults.verbose)
# Target options
target = OptionGroup(
parser, "Target", "At least one of these "
"options has to be provided to define the target(s)")
target.add_option("-d",
dest="direct",
help="Connection string "
"for direct database connection")
target.add_option(
"-u",
"--url",
dest="url",
help="Target URL (e.g. \"http://www.site.com/vuln.php?id=1\")")
target.add_option("-l",
dest="logFile",
help="Parse target(s) from Burp "
"or WebScarab proxy log file")
target.add_option(
"-x",
dest="sitemapUrl",
help="Parse target(s) from remote sitemap(.xml) file")
target.add_option("-m",
dest="bulkFile",
help="Scan multiple targets given "
"in a textual file ")
target.add_option("-r",
dest="requestFile",
help="Load HTTP request from a file")
target.add_option("-g",
dest="googleDork",
help="Process Google dork results as target URLs")
target.add_option("-c",
dest="configFile",
help="Load options from a configuration INI file")
# Request options
request = OptionGroup(
parser, "Request", "These options can be used "
"to specify how to connect to the target URL")
request.add_option("--method",
dest="method",
help="Force usage of given HTTP method (e.g. PUT)")
request.add_option("--data",
dest="data",
help="Data string to be sent through POST")
request.add_option(
"--param-del",
dest="paramDel",
help="Character used for splitting parameter values")
request.add_option("--cookie",
dest="cookie",
help="HTTP Cookie header value")
request.add_option("--cookie-del",
dest="cookieDel",
help="Character used for splitting cookie values")
request.add_option(
"--load-cookies",
dest="loadCookies",
help="File containing cookies in Netscape/wget format")
request.add_option("--drop-set-cookie",
dest="dropSetCookie",
action="store_true",
help="Ignore Set-Cookie header from response")
request.add_option("--user-agent",
dest="agent",
help="HTTP User-Agent header value")
request.add_option(
"--random-agent",
dest="randomAgent",
action="store_true",
help="Use randomly selected HTTP User-Agent header value")
request.add_option("--host",
dest="host",
help="HTTP Host header value")
request.add_option("--referer",
dest="referer",
help="HTTP Referer header value")
request.add_option(
"-H",
"--header",
dest="header",
help="Extra header (e.g. \"X-Forwarded-For: 127.0.0.1\")")
request.add_option(
"--headers",
dest="headers",
help="Extra headers (e.g. \"Accept-Language: fr\\nETag: 123\")")
request.add_option(
"--auth-type",
dest="authType",
help="HTTP authentication type (Basic, Digest, NTLM or PKI)")
request.add_option(
"--auth-cred",
dest="authCred",
help="HTTP authentication credentials (name:password)")
request.add_option(
"--auth-file",
dest="authFile",
help="HTTP authentication PEM cert/private key file")
request.add_option("--ignore-code",
dest="ignoreCode",
type="int",
help="Ignore HTTP error code (e.g. 401)")
request.add_option("--ignore-proxy",
dest="ignoreProxy",
action="store_true",
help="Ignore system default proxy settings")
request.add_option("--ignore-redirects",
dest="ignoreRedirects",
action="store_true",
help="Ignore redirection attempts")
request.add_option("--ignore-timeouts",
dest="ignoreTimeouts",
action="store_true",
help="Ignore connection timeouts")
request.add_option("--proxy",
dest="proxy",
help="Use a proxy to connect to the target URL")
request.add_option(
"--proxy-cred",
dest="proxyCred",
help="Proxy authentication credentials (name:password)")
request.add_option("--proxy-file",
dest="proxyFile",
help="Load proxy list from a file")
request.add_option("--tor",
dest="tor",
action="store_true",
help="Use Tor anonymity network")
request.add_option("--tor-port",
dest="torPort",
help="Set Tor proxy port other than default")
request.add_option(
"--tor-type",
dest="torType",
help="Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))")
request.add_option("--check-tor",
dest="checkTor",
action="store_true",
help="Check to see if Tor is used properly")
request.add_option("--delay",
dest="delay",
type="float",
help="Delay in seconds between each HTTP request")
request.add_option(
"--timeout",
dest="timeout",
type="float",
help="Seconds to wait before timeout connection (default %d)" %
defaults.timeout)
request.add_option(
"--retries",
dest="retries",
type="int",
help="Retries when the connection timeouts (default %d)" %
defaults.retries)
request.add_option("--randomize",
dest="rParam",
help="Randomly change value for given parameter(s)")
request.add_option(
"--safe-url",
dest="safeUrl",
help="URL address to visit frequently during testing")
request.add_option("--safe-post",
dest="safePost",
help="POST data to send to a safe URL")
request.add_option("--safe-req",
dest="safeReqFile",
help="Load safe HTTP request from a file")
request.add_option(
"--safe-freq",
dest="safeFreq",
type="int",
help="Test requests between two visits to a given safe URL")
request.add_option("--skip-urlencode",
dest="skipUrlEncode",
action="store_true",
help="Skip URL encoding of payload data")
request.add_option("--csrf-token",
dest="csrfToken",
help="Parameter used to hold anti-CSRF token")
request.add_option(
"--csrf-url",
dest="csrfUrl",
help="URL address to visit to extract anti-CSRF token")
request.add_option("--force-ssl",
dest="forceSSL",
action="store_true",
help="Force usage of SSL/HTTPS")
request.add_option("--hpp",
dest="hpp",
action="store_true",
help="Use HTTP parameter pollution method")
request.add_option(
"--eval",
dest="evalCode",
help=
"Evaluate provided Python code before the request (e.g. \"import hashlib;id2=hashlib.md5(id).hexdigest()\")"
)
# Optimization options
optimization = OptionGroup(
parser, "Optimization",
"These options can be used to optimize the performance of sqlmap")
optimization.add_option("-o",
dest="optimize",
action="store_true",
help="Turn on all optimization switches")
optimization.add_option("--predict-output",
dest="predictOutput",
action="store_true",
help="Predict common queries output")
optimization.add_option("--keep-alive",
dest="keepAlive",
action="store_true",
help="Use persistent HTTP(s) connections")
optimization.add_option(
"--null-connection",
dest="nullConnection",
action="store_true",
help="Retrieve page length without actual HTTP response body")
optimization.add_option("--threads",
dest="threads",
type="int",
help="Max number of concurrent HTTP(s) "
"requests (default %d)" % defaults.threads)
# Injection options
injection = OptionGroup(
parser, "Injection",
"These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts"
)
injection.add_option("-p",
dest="testParameter",
help="Testable parameter(s)")
injection.add_option("--skip",
dest="skip",
help="Skip testing for given parameter(s)")
injection.add_option(
"--skip-static",
dest="skipStatic",
action="store_true",
help="Skip testing parameters that not appear to be dynamic")
injection.add_option(
"--param-exclude",
dest="paramExclude",
help="Regexp to exclude parameters from testing (e.g. \"ses\")")
injection.add_option("--dbms",
dest="dbms",
help="Force back-end DBMS to provided value")
injection.add_option(
"--dbms-cred",
dest="dbmsCred",
help="DBMS authentication credentials (user:password)")
injection.add_option(
"--os",
dest="os",
help="Force back-end DBMS operating system to provided value")
injection.add_option("--invalid-bignum",
dest="invalidBignum",
action="store_true",
help="Use big numbers for invalidating values")
injection.add_option(
"--invalid-logical",
dest="invalidLogical",
action="store_true",
help="Use logical operations for invalidating values")
injection.add_option("--invalid-string",
dest="invalidString",
action="store_true",
help="Use random strings for invalidating values")
injection.add_option("--no-cast",
dest="noCast",
action="store_true",
help="Turn off payload casting mechanism")
injection.add_option("--no-escape",
dest="noEscape",
action="store_true",
help="Turn off string escaping mechanism")
injection.add_option("--prefix",
dest="prefix",
help="Injection payload prefix string")
injection.add_option("--suffix",
dest="suffix",
help="Injection payload suffix string")
injection.add_option(
"--tamper",
dest="tamper",
help="Use given script(s) for tampering injection data")
# Detection options
detection = OptionGroup(
parser, "Detection",
"These options can be used to customize the detection phase")
detection.add_option(
"--level",
dest="level",
type="int",
help="Level of tests to perform (1-5, default %d)" %
defaults.level)
detection.add_option(
"--risk",
dest="risk",
type="int",
help="Risk of tests to perform (1-3, default %d)" % defaults.risk)
detection.add_option(
"--string",
dest="string",
help="String to match when query is evaluated to True")
detection.add_option(
"--not-string",
dest="notString",
help="String to match when query is evaluated to False")
detection.add_option(
"--regexp",
dest="regexp",
help="Regexp to match when query is evaluated to True")
detection.add_option(
"--code",
dest="code",
type="int",
help="HTTP code to match when query is evaluated to True")
detection.add_option(
"--text-only",
dest="textOnly",
action="store_true",
help="Compare pages based only on the textual content")
detection.add_option("--titles",
dest="titles",
action="store_true",
help="Compare pages based only on their titles")
# Techniques options
techniques = OptionGroup(
parser, "Techniques",
"These options can be used to tweak testing of specific SQL injection techniques"
)
techniques.add_option(
"--technique",
dest="tech",
help="SQL injection techniques to use (default \"%s\")" %
defaults.tech)
techniques.add_option(
"--time-sec",
dest="timeSec",
type="int",
help="Seconds to delay the DBMS response (default %d)" %
defaults.timeSec)
techniques.add_option(
"--union-cols",
dest="uCols",
help="Range of columns to test for UNION query SQL injection")
techniques.add_option(
"--union-char",
dest="uChar",
help="Character to use for bruteforcing number of columns")
techniques.add_option(
"--union-from",
dest="uFrom",
help="Table to use in FROM part of UNION query SQL injection")
techniques.add_option(
"--dns-domain",
dest="dnsDomain",
help="Domain name used for DNS exfiltration attack")
techniques.add_option(
"--second-url",
dest="secondUrl",
help="Resulting page URL searched for second-order response")
techniques.add_option("--second-req",
dest="secondReq",
help="Load second-order HTTP request from file")
# Fingerprint options
fingerprint = OptionGroup(parser, "Fingerprint")
fingerprint.add_option(
"-f",
"--fingerprint",
dest="extensiveFp",
action="store_true",
help="Perform an extensive DBMS version fingerprint")
# Enumeration options
enumeration = OptionGroup(
parser, "Enumeration",
"These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements"
)
enumeration.add_option("-a",
"--all",
dest="getAll",
action="store_true",
help="Retrieve everything")
enumeration.add_option("-b",
"--banner",
dest="getBanner",
action="store_true",
help="Retrieve DBMS banner")
enumeration.add_option("--current-user",
dest="getCurrentUser",
action="store_true",
help="Retrieve DBMS current user")
enumeration.add_option("--current-db",
dest="getCurrentDb",
action="store_true",
help="Retrieve DBMS current database")
enumeration.add_option("--hostname",
dest="getHostname",
action="store_true",
help="Retrieve DBMS server hostname")
enumeration.add_option("--is-dba",
dest="isDba",
action="store_true",
help="Detect if the DBMS current user is DBA")
enumeration.add_option("--users",
dest="getUsers",
action="store_true",
help="Enumerate DBMS users")
enumeration.add_option("--passwords",
dest="getPasswordHashes",
action="store_true",
help="Enumerate DBMS users password hashes")
enumeration.add_option("--privileges",
dest="getPrivileges",
action="store_true",
help="Enumerate DBMS users privileges")
enumeration.add_option("--roles",
dest="getRoles",
action="store_true",
help="Enumerate DBMS users roles")
enumeration.add_option("--dbs",
dest="getDbs",
action="store_true",
help="Enumerate DBMS databases")
enumeration.add_option("--tables",
dest="getTables",
action="store_true",
help="Enumerate DBMS database tables")
enumeration.add_option("--columns",
dest="getColumns",
action="store_true",
help="Enumerate DBMS database table columns")
enumeration.add_option("--schema",
dest="getSchema",
action="store_true",
help="Enumerate DBMS schema")
enumeration.add_option("--count",
dest="getCount",
action="store_true",
help="Retrieve number of entries for table(s)")
enumeration.add_option("--dump",
dest="dumpTable",
action="store_true",
help="Dump DBMS database table entries")
enumeration.add_option("--dump-all",
dest="dumpAll",
action="store_true",
help="Dump all DBMS databases tables entries")
enumeration.add_option(
"--search",
dest="search",
action="store_true",
help="Search column(s), table(s) and/or database name(s)")
enumeration.add_option(
"--comments",
dest="getComments",
action="store_true",
help="Check for DBMS comments during enumeration")
enumeration.add_option("-D",
dest="db",
help="DBMS database to enumerate")
enumeration.add_option("-T",
dest="tbl",
help="DBMS database table(s) to enumerate")
enumeration.add_option(
"-C",
dest="col",
help="DBMS database table column(s) to enumerate")
enumeration.add_option(
"-X",
dest="exclude",
help="DBMS database identifier(s) to not enumerate")
enumeration.add_option("-U",
dest="user",
help="DBMS user to enumerate")
enumeration.add_option(
"--exclude-sysdbs",
dest="excludeSysDbs",
action="store_true",
help="Exclude DBMS system databases when enumerating tables")
enumeration.add_option("--pivot-column",
dest="pivotColumn",
help="Pivot column name")
enumeration.add_option("--where",
dest="dumpWhere",
help="Use WHERE condition while table dumping")
enumeration.add_option("--start",
dest="limitStart",
type="int",
help="First dump table entry to retrieve")
enumeration.add_option("--stop",
dest="limitStop",
type="int",
help="Last dump table entry to retrieve")
enumeration.add_option(
"--first",
dest="firstChar",
type="int",
help="First query output word character to retrieve")
enumeration.add_option(
"--last",
dest="lastChar",
type="int",
help="Last query output word character to retrieve")
enumeration.add_option("--sql-query",
dest="query",
help="SQL statement to be executed")
enumeration.add_option("--sql-shell",
dest="sqlShell",
action="store_true",
help="Prompt for an interactive SQL shell")
enumeration.add_option(
"--sql-file",
dest="sqlFile",
help="Execute SQL statements from given file(s)")
# Brute force options
brute = OptionGroup(
parser, "Brute force",
"These options can be used to run brute force checks")
brute.add_option("--common-tables",
dest="commonTables",
action="store_true",
help="Check existence of common tables")
brute.add_option("--common-columns",
dest="commonColumns",
action="store_true",
help="Check existence of common columns")
# User-defined function options
udf = OptionGroup(
parser, "User-defined function injection",
"These options can be used to create custom user-defined functions"
)
udf.add_option("--udf-inject",
dest="udfInject",
action="store_true",
help="Inject custom user-defined functions")
udf.add_option("--shared-lib",
dest="shLib",
help="Local path of the shared library")
# File system options
filesystem = OptionGroup(
parser, "File system access",
"These options can be used to access the back-end database management system underlying file system"
)
filesystem.add_option(
"--file-read",
dest="rFile",
help="Read a file from the back-end DBMS file system")
filesystem.add_option(
"--file-write",
dest="wFile",
help="Write a local file on the back-end DBMS file system")
filesystem.add_option(
"--file-dest",
dest="dFile",
help="Back-end DBMS absolute filepath to write to")
# Takeover options
takeover = OptionGroup(
parser, "Operating system access",
"These options can be used to access the back-end database management system underlying operating system"
)
takeover.add_option("--os-cmd",
dest="osCmd",
help="Execute an operating system command")
takeover.add_option(
"--os-shell",
dest="osShell",
action="store_true",
help="Prompt for an interactive operating system shell")
takeover.add_option("--os-pwn",
dest="osPwn",
action="store_true",
help="Prompt for an OOB shell, Meterpreter or VNC")
takeover.add_option(
"--os-smbrelay",
dest="osSmb",
action="store_true",
help="One click prompt for an OOB shell, Meterpreter or VNC")
takeover.add_option("--os-bof",
dest="osBof",
action="store_true",
help="Stored procedure buffer overflow "
"exploitation")
takeover.add_option("--priv-esc",
dest="privEsc",
action="store_true",
help="Database process user privilege escalation")
takeover.add_option(
"--msf-path",
dest="msfPath",
help="Local path where Metasploit Framework is installed")
takeover.add_option(
"--tmp-path",
dest="tmpPath",
help="Remote absolute path of temporary files directory")
# Windows registry options
windows = OptionGroup(
parser, "Windows registry access",
"These options can be used to access the back-end database management system Windows registry"
)
windows.add_option("--reg-read",
dest="regRead",
action="store_true",
help="Read a Windows registry key value")
windows.add_option("--reg-add",
dest="regAdd",
action="store_true",
help="Write a Windows registry key value data")
windows.add_option("--reg-del",
dest="regDel",
action="store_true",
help="Delete a Windows registry key value")
windows.add_option("--reg-key",
dest="regKey",
help="Windows registry key")
windows.add_option("--reg-value",
dest="regVal",
help="Windows registry key value")
windows.add_option("--reg-data",
dest="regData",
help="Windows registry key value data")
windows.add_option("--reg-type",
dest="regType",
help="Windows registry key value type")
# General options
general = OptionGroup(
parser, "General",
"These options can be used to set some general working parameters")
general.add_option("-s",
dest="sessionFile",
help="Load session from a stored (.sqlite) file")
general.add_option("-t",
dest="trafficFile",
help="Log all HTTP traffic into a textual file")
general.add_option(
"--batch",
dest="batch",
action="store_true",
help="Never ask for user input, use the default behavior")
general.add_option(
"--binary-fields",
dest="binaryFields",
help="Result fields having binary values (e.g. \"digest\")")
general.add_option(
"--check-internet",
dest="checkInternet",
action="store_true",
help="Check Internet connection before assessing the target")
general.add_option(
"--crawl",
dest="crawlDepth",
type="int",
help="Crawl the website starting from the target URL")
general.add_option(
"--crawl-exclude",
dest="crawlExclude",
help="Regexp to exclude pages from crawling (e.g. \"logout\")")
general.add_option(
"--csv-del",
dest="csvDel",
help="Delimiting character used in CSV output (default \"%s\")" %
defaults.csvDel)
general.add_option(
"--charset",
dest="charset",
help="Blind SQL injection charset (e.g. \"0123456789abcdef\")")
general.add_option(
"--dump-format",
dest="dumpFormat",
help="Format of dumped data (CSV (default), HTML or SQLITE)")
general.add_option(
"--encoding",
dest="encoding",
help="Character encoding used for data retrieval (e.g. GBK)")
general.add_option(
"--eta",
dest="eta",
action="store_true",
help="Display for each output the estimated time of arrival")
general.add_option("--flush-session",
dest="flushSession",
action="store_true",
help="Flush session files for current target")
general.add_option("--forms",
dest="forms",
action="store_true",
help="Parse and test forms on target URL")
general.add_option("--fresh-queries",
dest="freshQueries",
action="store_true",
help="Ignore query results stored in session file")
general.add_option("--har",
dest="harFile",
help="Log all HTTP traffic into a HAR file")
general.add_option("--hex",
dest="hexConvert",
action="store_true",
help="Use hex conversion during data retrieval")
general.add_option("--output-dir",
dest="outputDir",
action="store",
help="Custom output directory path")
general.add_option(
"--parse-errors",
dest="parseErrors",
action="store_true",
help="Parse and display DBMS error messages from responses")
general.add_option("--save",
dest="saveConfig",
help="Save options to a configuration INI file")
general.add_option(
"--scope",
dest="scope",
help="Regexp to filter targets from provided proxy log")
general.add_option(
"--test-filter",
dest="testFilter",
help="Select tests by payloads and/or titles (e.g. ROW)")
general.add_option(
"--test-skip",
dest="testSkip",
help="Skip tests by payloads and/or titles (e.g. BENCHMARK)")
general.add_option("--update",
dest="updateAll",
action="store_true",
help="Update sqlmap")
# Miscellaneous options
miscellaneous = OptionGroup(parser, "Miscellaneous")
miscellaneous.add_option(
"-z",
dest="mnemonics",
help="Use short mnemonics (e.g. \"flu,bat,ban,tec=EU\")")
miscellaneous.add_option(
"--alert",
dest="alert",
help="Run host OS command(s) when SQL injection is found")
miscellaneous.add_option(
"--answers",
dest="answers",
help="Set question answers (e.g. \"quit=N,follow=N\")")
miscellaneous.add_option(
"--beep",
dest="beep",
action="store_true",
help="Beep on question and/or when SQL injection is found")
miscellaneous.add_option(
"--cleanup",
dest="cleanup",
action="store_true",
help="Clean up the DBMS from sqlmap specific UDF and tables")
miscellaneous.add_option(
"--dependencies",
dest="dependencies",
action="store_true",
help="Check for missing (non-core) sqlmap dependencies")
miscellaneous.add_option("--disable-coloring",
dest="disableColoring",
action="store_true",
help="Disable console output coloring")
miscellaneous.add_option(
"--gpage",
dest="googlePage",
type="int",
help="Use Google dork results from specified page number")
miscellaneous.add_option(
"--identify-waf",
dest="identifyWaf",
action="store_true",
help="Make a thorough testing for a WAF/IPS/IDS protection")
miscellaneous.add_option(
"--mobile",
dest="mobile",
action="store_true",
help="Imitate smartphone through HTTP User-Agent header")
miscellaneous.add_option(
"--offline",
dest="offline",
action="store_true",
help="Work in offline mode (only use session data)")
miscellaneous.add_option(
"--purge",
dest="purge",
action="store_true",
help="Safely remove all content from sqlmap data directory")
miscellaneous.add_option(
"--skip-waf",
dest="skipWaf",
action="store_true",
help="Skip heuristic detection of WAF/IPS/IDS protection")
miscellaneous.add_option(
"--smart",
dest="smart",
action="store_true",
help="Conduct thorough tests only if positive heuristic(s)")
miscellaneous.add_option("--sqlmap-shell",
dest="sqlmapShell",
action="store_true",
help="Prompt for an interactive sqlmap shell")
miscellaneous.add_option(
"--tmp-dir",
dest="tmpDir",
help="Local directory for storing temporary files")
miscellaneous.add_option(
"--web-root",
dest="webRoot",
help="Web server document root directory (e.g. \"/var/www\")")
miscellaneous.add_option(
"--wizard",
dest="wizard",
action="store_true",
help="Simple wizard interface for beginner users")
# Hidden and/or experimental options
parser.add_option("--dummy",
dest="dummy",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--murphy-rate",
dest="murphyRate",
type="int",
help=SUPPRESS_HELP)
parser.add_option("--disable-precon",
dest="disablePrecon",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--disable-stats",
dest="disableStats",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--profile",
dest="profile",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--force-dbms", dest="forceDbms", help=SUPPRESS_HELP)
parser.add_option("--force-dns",
dest="forceDns",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--force-pivoting",
dest="forcePivoting",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--force-threads",
dest="forceThreads",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--smoke-test",
dest="smokeTest",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--live-test",
dest="liveTest",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--stop-fail",
dest="stopFail",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--run-case", dest="runCase", help=SUPPRESS_HELP)
# API options
parser.add_option("--api",
dest="api",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--taskid", dest="taskid", help=SUPPRESS_HELP)
parser.add_option("--database", dest="database", help=SUPPRESS_HELP)
parser.add_option_group(target)
parser.add_option_group(request)
parser.add_option_group(optimization)
parser.add_option_group(injection)
parser.add_option_group(detection)
parser.add_option_group(techniques)
parser.add_option_group(fingerprint)
parser.add_option_group(enumeration)
parser.add_option_group(brute)
parser.add_option_group(udf)
parser.add_option_group(filesystem)
parser.add_option_group(takeover)
parser.add_option_group(windows)
parser.add_option_group(general)
parser.add_option_group(miscellaneous)
# Dirty hack to display longer options without breaking into two lines
def _(self, *args):
retVal = parser.formatter._format_option_strings(*args)
if len(retVal) > MAX_HELP_OPTION_LENGTH:
retVal = ("%%.%ds.." %
(MAX_HELP_OPTION_LENGTH -
parser.formatter.indent_increment)) % retVal
return retVal
parser.formatter._format_option_strings = parser.formatter.format_option_strings
parser.formatter.format_option_strings = type(
parser.formatter.format_option_strings)(_, parser, type(parser))
# Dirty hack for making a short option '-hh'
option = parser.get_option("--hh")
option._short_opts = ["-hh"]
option._long_opts = []
# Dirty hack for inherent help message of switch '-h'
option = parser.get_option("-h")
option.help = option.help.capitalize().replace("this help",
"basic help")
_ = []
prompt = False
advancedHelp = True
extraHeaders = []
# Reference: https://stackoverflow.com/a/4012683 (Note: previously used "...sys.getfilesystemencoding() or UNICODE_ENCODING")
for arg in argv:
_.append(getUnicode(arg, encoding=sys.stdin.encoding))
argv = _
checkDeprecatedOptions(argv)
prompt = "--sqlmap-shell" in argv
if prompt:
parser.usage = ""
cmdLineOptions.sqlmapShell = True
_ = ["x", "q", "exit", "quit", "clear"]
for option in parser.option_list:
_.extend(option._long_opts)
_.extend(option._short_opts)
for group in parser.option_groups:
for option in group.option_list:
_.extend(option._long_opts)
_.extend(option._short_opts)
autoCompletion(AUTOCOMPLETE_TYPE.SQLMAP, commands=_)
while True:
command = None
try:
command = raw_input("sqlmap-shell> ").strip()
command = getUnicode(command, encoding=sys.stdin.encoding)
except (KeyboardInterrupt, EOFError):
print
raise SqlmapShellQuitException
if not command:
continue
elif command.lower() == "clear":
clearHistory()
dataToStdout("[i] history cleared\n")
saveHistory(AUTOCOMPLETE_TYPE.SQLMAP)
elif command.lower() in ("x", "q", "exit", "quit"):
raise SqlmapShellQuitException
elif command[0] != '-':
dataToStdout("[!] invalid option(s) provided\n")
dataToStdout(
"[i] proper example: '-u http://www.site.com/vuln.php?id=1 --banner'\n"
)
else:
saveHistory(AUTOCOMPLETE_TYPE.SQLMAP)
loadHistory(AUTOCOMPLETE_TYPE.SQLMAP)
break
try:
for arg in shlex.split(command):
argv.append(getUnicode(arg, encoding=sys.stdin.encoding))
except ValueError, ex:
raise SqlmapSyntaxException(
"something went wrong during command line parsing ('%s')" %
ex.message)
for i in xrange(len(argv)):
if argv[i] == "-hh":
argv[i] = "-h"
elif len(argv[i]) > 1 and all(
ord(_) in xrange(0x2018, 0x2020)
for _ in ((argv[i].split('=', 1)[-1].strip() or ' ')[0],
argv[i][-1])):
dataToStdout(
"[!] copy-pasting illegal (non-console) quote characters from Internet is, well, illegal (%s)\n"
% argv[i])
raise SystemExit
elif len(argv[i]) > 1 and u"\uff0c" in argv[i].split('=', 1)[-1]:
dataToStdout(
"[!] copy-pasting illegal (non-console) comma characters from Internet is, well, illegal (%s)\n"
% argv[i])
raise SystemExit
elif re.search(r"\A-\w=.+", argv[i]):
dataToStdout(
"[!] potentially miswritten (illegal '=') short option detected ('%s')\n"
% argv[i])
raise SystemExit
elif argv[i] == "-H":
if i + 1 < len(argv):
extraHeaders.append(argv[i + 1])
elif re.match(r"\A\d+!\Z", argv[i]) and argv[max(
0, i - 1)] == "--threads" or re.match(
r"\A--threads.+\d+!\Z", argv[i]):
argv[i] = argv[i][:-1]
conf.skipThreadCheck = True
elif argv[i] == "--version":
print VERSION_STRING.split('/')[-1]
raise SystemExit
elif argv[i] in ("-h", "--help"):
advancedHelp = False
for group in parser.option_groups[:]:
found = False
for option in group.option_list:
if option.dest not in BASIC_HELP_ITEMS:
option.help = SUPPRESS_HELP
else:
found = True
if not found:
parser.option_groups.remove(group)
for verbosity in (_ for _ in argv if re.search(r"\A\-v+\Z", _)):
try:
if argv.index(verbosity) == len(argv) - 1 or not argv[
argv.index(verbosity) + 1].isdigit():
conf.verbose = verbosity.count('v') + 1
del argv[argv.index(verbosity)]
except (IndexError, ValueError):
pass
try:
(args, _) = parser.parse_args(argv)
except UnicodeEncodeError, ex:
dataToStdout("\n[!] %s\n" % ex.object.encode("unicode-escape"))
raise SystemExit