def connect(self): self.initConnection() self.__dsn = cx_Oracle.makedsn(self.hostname, self.port, self.db) self.__dsn = getBytes(self.__dsn) self.user = getBytes(self.user) self.password = getBytes(self.password) try: self.connector = cx_Oracle.connect(dsn=self.__dsn, user=self.user, password=self.password, mode=cx_Oracle.SYSDBA) logger.info("successfully connected as SYSDBA") except (cx_Oracle.OperationalError, cx_Oracle.DatabaseError, cx_Oracle.InterfaceError) as ex: if "Oracle Client library" in getSafeExString(ex): msg = re.sub(r"DPI-\d+:\s+", "", getSafeExString(ex)) msg = re.sub(r': ("[^"]+")', r" (\g<1>)", msg) msg = re.sub(r". See (http[^ ]+)", r'. See "\g<1>"', msg) raise SqlmapConnectionException(msg) try: self.connector = cx_Oracle.connect(dsn=self.__dsn, user=self.user, password=self.password) except (cx_Oracle.OperationalError, cx_Oracle.DatabaseError, cx_Oracle.InterfaceError) as ex: raise SqlmapConnectionException(ex) self.initCursor() self.printConnected()
def joomla_passwd(password, salt, **kwargs): """ Reference: https://stackoverflow.com/a/10428239 >>> joomla_passwd(password='******', salt='6GGlnaquVXI80b3HRmSyE3K1wEFFaBIf') 'e3d5794da74e917637332e0d21b76328:6GGlnaquVXI80b3HRmSyE3K1wEFFaBIf' """ return "%s:%s" % (md5(b"%s%s" % (getBytes(password), getBytes(salt))).hexdigest(), salt)
def django_md5_passwd(password, salt, **kwargs): """ Reference: https://github.com/jay0lee/GAM/blob/master/src/passlib/handlers/django.py >>> django_md5_passwd(password='******', salt='salt') 'md5$salt$972141bcbcb6a0acc96e92309175b3c5' """ return "md5$%s$%s" % (salt, md5(b"%s%s" % (getBytes(salt), getBytes(password))).hexdigest())
def django_sha1_passwd(password, salt, **kwargs): """ Reference: https://github.com/jay0lee/GAM/blob/master/src/passlib/handlers/django.py >>> django_sha1_passwd(password='******', salt='salt') 'sha1$salt$6ce0e522aba69d8baa873f01420fccd0250fc5b2' """ return "sha1$%s$%s" % (salt, sha1(b"%s%s" % (getBytes(salt), getBytes(password))).hexdigest())
def vbulletin_passwd(password, salt, **kwargs): """ Reference: https://stackoverflow.com/a/2202810 >>> vbulletin_passwd(password='******', salt='salt') '85c4d8ea77ebef2236fb7e9d24ba9482:salt' """ return "%s:%s" % (md5(binascii.hexlify(md5(getBytes(password)).digest()) + getBytes(salt)).hexdigest(), salt)
def wordpress_passwd(password, salt, count, prefix, **kwargs): """ Reference(s): http://packetstormsecurity.org/files/74448/phpassbrute.py.txt http://scriptserver.mainframe8.com/wordpress_password_hasher.php >>> wordpress_passwd(password='******', salt='aD9ZLmkp', count=2048, prefix='$P$9aD9ZLmkp') '$P$9aD9ZLmkpsN4A83G8MefaaP888gVKX0' """ def _encode64(input_, count): output = '' i = 0 while i < count: value = (input_[i] if isinstance(input_[i], int) else ord(input_[i])) i += 1 output = output + ITOA64[value & 0x3f] if i < count: value = value | ((input_[i] if isinstance(input_[i], int) else ord(input_[i])) << 8) output = output + ITOA64[(value >> 6) & 0x3f] i += 1 if i >= count: break if i < count: value = value | ((input_[i] if isinstance(input_[i], int) else ord(input_[i])) << 16) output = output + ITOA64[(value >> 12) & 0x3f] i += 1 if i >= count: break output = output + ITOA64[(value >> 18) & 0x3f] return output password = getBytes(password) salt = getBytes(salt) cipher = md5(salt) cipher.update(password) hash_ = cipher.digest() for i in xrange(count): _ = md5(hash_) _.update(password) hash_ = _.digest() return "%s%s" % (prefix, _encode64(hash_, 16))
def ssha_passwd(password, salt, **kwargs): """ >>> ssha_passwd(password='******', salt='salt') '{SSHA}mU1HPTvnmoXOhE4ROHP6sWfbfoRzYWx0' """ password = getBytes(password) salt = getBytes(salt) return "{SSHA}%s" % getText(base64.b64encode(sha1(password + salt).digest() + salt))
def ssha512_passwd(password, salt, **kwargs): """ >>> ssha512_passwd(password='******', salt='salt') '{SSHA512}mCUSLfPMhXCQOJl9WHW/QMn9v9sjq7Ht/Wk7iVau8vLOfh+PeynkGMikqIE8sStFd0khdfcCD8xZmC6UyjTxsHNhbHQ=' """ password = getBytes(password) salt = getBytes(salt) return "{SSHA512}%s" % getText(base64.b64encode(sha512(password + salt).digest() + salt))
def ssha256_passwd(password, salt, **kwargs): """ >>> ssha256_passwd(password='******', salt='salt') '{SSHA256}hhubsLrO/Aje9F/kJrgv5ZLE40UmTrVWvI7Dt6InP99zYWx0' """ password = getBytes(password) salt = getBytes(salt) return "{SSHA256}%s" % getText(base64.b64encode(sha256(password + salt).digest() + salt))
def __init__(self, request, response, startTime=None, endTime=None, extendedArguments=None): self.request = getBytes(request) self.response = getBytes(response) self.startTime = startTime self.endTime = endTime self.extendedArguments = extendedArguments or {}
def postgres_passwd(password, username, uppercase=False): """ Reference(s): http://pentestmonkey.net/blog/cracking-postgres-hashes/ >>> postgres_passwd(password='******', username='******', uppercase=False) 'md599e5ea7a6f7c3269995cba3927fd0093' """ username = getBytes(username) password = getBytes(password) retVal = "md5%s" % md5(password + username).hexdigest() return retVal.upper() if uppercase else retVal.lower()
def parse(cls, raw): altered = raw comment = b"" if altered.startswith(b"HTTP response [") or altered.startswith(b"HTTP redirect ["): stream = io.BytesIO(raw) first_line = stream.readline() parts = cls.extract_status.search(first_line) status_line = "HTTP/1.0 %s %s" % (getText(parts.group(1)), getText(parts.group(2))) remain = stream.read() altered = getBytes(status_line) + b"\r\n" + remain comment = first_line response = _http_client.HTTPResponse(FakeSocket(altered)) response.begin() try: content = response.read() except _http_client.IncompleteRead: content = raw[raw.find("\r\n\r\n") + 4:].rstrip("\r\n") return cls(httpVersion="HTTP/1.1" if response.version == 11 else "HTTP/1.0", status=response.status, statusText=response.reason, headers=response.msg, content=content, comment=comment, raw=raw)
def _escape(expression, quote=True, escaper=None): retVal = expression if quote: for item in re.findall(r"'[^']*'+", expression): original = item[1:-1] if original: if Backend.isDbms( DBMS.SQLITE) and "X%s" % item in expression: continue if re.search( r"\[(SLEEPTIME|RAND)", original) is None: # e.g. '[SLEEPTIME]' marker replacement = escaper( original) if not conf.noEscape else original if replacement != original: retVal = retVal.replace(item, replacement) elif len(original) != len( getBytes(original) ) and "n'%s'" % original not in retVal and Backend.getDbms( ) in (DBMS.MYSQL, DBMS.PGSQL, DBMS.ORACLE, DBMS.MSSQL): retVal = retVal.replace("'%s'" % original, "n'%s'" % original) else: retVal = escaper(expression) return retVal
def hashKey(key): key = getBytes(key if isinstance(key, six.text_type) else repr(key), errors="xmlcharrefreplace") retVal = int( hashlib.md5(key).hexdigest(), 16 ) & 0x7fffffffffffffff # Reference: http://stackoverflow.com/a/4448400 return retVal
def _(self, length=None): try: retVal = getSafeExString( ex ) # Note: pyflakes mistakenly marks 'ex' as undefined (NOTE: tested in both Python2 and Python3) except: retVal = "" return getBytes(retVal)
def multipart_encode(self, vars, files, boundary=None, buf=None): if boundary is None: boundary = choose_boundary() if buf is None: buf = b"" for (key, value) in vars: if key is not None and value is not None: buf += b"--%s\r\n" % getBytes(boundary) buf += b"Content-Disposition: form-data; name=\"%s\"" % getBytes(key) buf += b"\r\n\r\n" + getBytes(value) + b"\r\n" for (key, fd) in files: file_size = fd.len if hasattr(fd, "len") else os.fstat(fd.fileno())[stat.ST_SIZE] filename = fd.name.split("/")[-1] if "/" in fd.name else fd.name.split("\\")[-1] try: contenttype = mimetypes.guess_type(filename)[0] or b"application/octet-stream" except: # Reference: http://bugs.python.org/issue9291 contenttype = b"application/octet-stream" buf += b"--%s\r\n" % getBytes(boundary) buf += b"Content-Disposition: form-data; name=\"%s\"; filename=\"%s\"\r\n" % (getBytes(key), getBytes(filename)) buf += b"Content-Type: %s\r\n" % getBytes(contenttype) # buf += b"Content-Length: %s\r\n" % file_size fd.seek(0) buf += b"\r\n%s\r\n" % fd.read() buf += b"--%s--\r\n\r\n" % getBytes(boundary) buf = getBytes(buf) return boundary, buf
def hashKey(self, key): # from sqlmap/lib/utils/hashdb.py import six #pylint: disable=import-error,bad-option-value,import-outside-toplevel from lib.core.convert import getBytes #pylint: disable=import-error,bad-option-value,import-outside-toplevel key = getBytes(key if isinstance(key, six.text_type) else repr(key)) retVal = int( hashlib.md5(key).hexdigest(), 16 ) & 0x7fffffffffffffff # Reference: http://stackoverflow.com/a/4448400 return retVal
def sha512_generic_passwd(password, uppercase=False): """ >>> sha512_generic_passwd(password='******', uppercase=False) '78ddc8555bb1677ff5af75ba5fc02cb30bb592b0610277ae15055e189b77fe3fda496e5027a3d99ec85d54941adee1cc174b50438fdc21d82d0a79f85b58cf44' """ retVal = sha512(getBytes(password)).hexdigest() return retVal.upper() if uppercase else retVal.lower()
def uploadShellcodeexec(self, web=False): self.shellcodeexecLocal = os.path.join(paths.SQLMAP_EXTRAS_PATH, "shellcodeexec") if Backend.isOs(OS.WINDOWS): self.shellcodeexecLocal = os.path.join( self.shellcodeexecLocal, "windows", "shellcodeexec.x%s.exe_" % "32") content = decloak(self.shellcodeexecLocal) if SHELLCODEEXEC_RANDOM_STRING_MARKER in content: content = content.replace( SHELLCODEEXEC_RANDOM_STRING_MARKER, getBytes(randomStr( len(SHELLCODEEXEC_RANDOM_STRING_MARKER)))) _ = cloak(data=content) handle, self.shellcodeexecLocal = tempfile.mkstemp( suffix="%s.exe_" % "32") os.close(handle) with open(self.shellcodeexecLocal, "w+b") as f: f.write(_) else: self.shellcodeexecLocal = os.path.join( self.shellcodeexecLocal, "linux", "shellcodeexec.x%s_" % Backend.getArch()) __basename = "tmpse%s%s" % (self._randStr, ".exe" if Backend.isOs(OS.WINDOWS) else "") self.shellcodeexecRemote = "%s/%s" % (conf.tmpPath, __basename) self.shellcodeexecRemote = ntToPosixSlashes( normalizePath(self.shellcodeexecRemote)) logger.info("uploading shellcodeexec to '%s'" % self.shellcodeexecRemote) if web: written = self.webUpload(self.shellcodeexecRemote, os.path.split( self.shellcodeexecRemote)[0], filepath=self.shellcodeexecLocal) else: written = self.writeFile(self.shellcodeexecLocal, self.shellcodeexecRemote, "binary", forceCheck=True) if written is not True: errMsg = "there has been a problem uploading shellcodeexec. It " errMsg += "looks like the binary file has not been written " errMsg += "on the database underlying file system or an AV has " errMsg += "flagged it as malicious and removed it" logger.error(errMsg) return False else: logger.info("shellcodeexec successfully uploaded") return True
def sha384_generic_passwd(password, uppercase=False): """ >>> sha384_generic_passwd(password='******', uppercase=False) '6823546e56adf46849343be991d4b1be9b432e42ed1b4bb90635a0e4b930e49b9ca007bc3e04bf0a4e0df6f1f82769bf' """ retVal = sha384(getBytes(password)).hexdigest() return retVal.upper() if uppercase else retVal.lower()
def sha256_generic_passwd(password, uppercase=False): """ >>> sha256_generic_passwd(password='******', uppercase=False) '13d249f2cb4127b40cfa757866850278793f814ded3c587fe5889e889a7a9f6c' """ retVal = sha256(getBytes(password)).hexdigest() return retVal.upper() if uppercase else retVal.lower()
def sha224_generic_passwd(password, uppercase=False): """ >>> sha224_generic_passwd(password='******', uppercase=False) '648db6019764b598f75ab6b7616d2e82563a00eb1531680e19ac4c6f' """ retVal = sha224(getBytes(password)).hexdigest() return retVal.upper() if uppercase else retVal.lower()
def apache_sha1_passwd(password, **kwargs): """ >>> apache_sha1_passwd(password='******') '{SHA}IGyAQTualsExLMNGt9JRe4RGPt0=' """ password = getBytes(password) return "{SHA}%s" % getText(base64.b64encode(sha1(password).digest()))
def execute(self, query): try: self.cursor.execute(getBytes(query)) except self.__sqlite.OperationalError as ex: logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) '%s'" % getSafeExString(ex)) except self.__sqlite.DatabaseError as ex: raise SqlmapConnectionException(getSafeExString(ex)) self.connector.commit()
def md4_generic_passwd(password, uppercase=False): """ >>> md4_generic_passwd(password='******', uppercase=False) '5b4d300688f19c8fd65b8d6ccf98e0ae' """ password = getBytes(password) retVal = hashlib.new("md4", password).hexdigest() return retVal.upper() if uppercase else retVal.lower()
def send_all(p, data): if not data: return data = getBytes(data) while len(data): sent = p.send(data) if not isinstance(sent, int): break data = buffer(data[sent:])
def md5_generic_passwd(password, uppercase=False): """ >>> md5_generic_passwd(password='******', uppercase=False) '179ad45c6ce2cb97cf1029e212046e81' """ password = getBytes(password) retVal = md5(password).hexdigest() return retVal.upper() if uppercase else retVal.lower()
def sha1_generic_passwd(password, uppercase=False): """ >>> sha1_generic_passwd(password='******', uppercase=False) '206c80413b9a96c1312cc346b7d2517b84463edd' """ password = getBytes(password) retVal = sha1(password).hexdigest() return retVal.upper() if uppercase else retVal.lower()
def execute(self, query): retVal = False try: self.cursor.execute(getBytes(query)) retVal = True except (pymssql.OperationalError, pymssql.ProgrammingError) as ex: logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) '%s'" % getSafeExString(ex).replace("\n", " ")) except pymssql.InternalError as ex: raise SqlmapConnectionException(getSafeExString(ex)) return retVal
def execute(self, query): retVal = False try: self.cursor.execute(getBytes(query)) retVal = True except cx_Oracle.DatabaseError as ex: logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) '%s'" % getSafeExString(ex)) self.connector.commit() return retVal