def _setHTTPUserAgent():
"""
@function Set the HTTP User-Agent header.
"""
if conf.agent:
debugMsg = "setting the HTTP User-Agent header"
logger.debug(debugMsg)
conf.httpHeaders[HTTP_HEADER.USER_AGENT] = conf.agent
if conf.randomAgent:
infoMsg = "loading random HTTP User-Agent header(s) from "
infoMsg += "file '%s'" % paths.USER_AGENTS
logger.log(CUSTOM_LOGGING.SYSINFO, infoMsg)
try:
userAgents = getFileItems(paths.USER_AGENTS)
except IOError:
warnMsg = "unable to read HTTP User-Agent header "
warnMsg += "file '%s'" % paths.USER_AGENTS
logger.log(CUSTOM_LOGGING.WARNING, warnMsg)
return
userAgent = random.sample(userAgents, 1)
infoMsg = "fetched random HTTP User-Agent header from "
infoMsg += "file '%s': '%s'" % (paths.USER_AGENTS, userAgent)
logger.log(CUSTOM_LOGGING.SYSINFO, infoMsg)
conf.httpHeaders[HTTP_HEADER.USER_AGENT] = userAgent
def __setHTTPUserAgent():
"""
Set the HTTP User-Agent header.
Depending on the user options it can be:
* The default sqlmap string
* A default value read as user option
* A random value read from a list of User-Agent headers from a
file choosed as user option
"""
if conf.agent:
debugMsg = "setting the HTTP User-Agent header"
logger.debug(debugMsg)
conf.httpHeaders.append(("User-Agent", conf.agent))
return
if not conf.userAgentsFile:
addDefaultUserAgent = True
for header, _ in conf.httpHeaders:
if header == "User-Agent":
addDefaultUserAgent = False
break
if addDefaultUserAgent:
conf.httpHeaders.append(("User-Agent", __defaultHTTPUserAgent()))
return
if not kb.userAgents:
debugMsg = "loading random HTTP User-Agent header(s) from "
debugMsg += "file '%s'" % conf.userAgentsFile
logger.debug(debugMsg)
try:
kb.userAgents = getFileItems(conf.userAgentsFile)
except IOError:
warnMsg = "unable to read HTTP User-Agent header "
warnMsg += "file '%s'" % conf.userAgentsFile
logger.warn(warnMsg)
conf.httpHeaders.append(("User-Agent", __defaultHTTPUserAgent()))
return
__count = len(kb.userAgents)
if __count == 1:
__userAgent = kb.userAgents[0]
else:
__userAgent = kb.userAgents[randomRange(stop=__count-1)]
__userAgent = sanitizeStr(__userAgent)
conf.httpHeaders.append(("User-Agent", __userAgent))
logMsg = "fetched random HTTP User-Agent header from "
logMsg += "file '%s': %s" % (conf.userAgentsFile, __userAgent)
logger.info(logMsg)
def _setHTTPUserAgent():
"""
@function Set the HTTP User-Agent header.
"""
if conf.agent:
debugMsg = "setting the HTTP User-Agent header"
logger.debug(debugMsg)
conf.httpHeaders[HTTP_HEADER.USER_AGENT] = conf.agent
if conf.randomAgent:
infoMsg = "loading random HTTP User-Agent header(s) from "
infoMsg += "file '%s'" % paths.USER_AGENTS
logger.log(CUSTOM_LOGGING.SYSINFO, infoMsg)
try:
userAgents = getFileItems(paths.USER_AGENTS)
except IOError:
warnMsg = "unable to read HTTP User-Agent header "
warnMsg += "file '%s'" % paths.USER_AGENTS
logger.log(CUSTOM_LOGGING.WARNING, warnMsg)
return
userAgent = random.sample(userAgents, 1)
infoMsg = "fetched random HTTP User-Agent header from "
infoMsg += "file '%s': '%s'" % (paths.USER_AGENTS, userAgent)
logger.log(CUSTOM_LOGGING.SYSINFO, infoMsg)
conf.httpHeaders[HTTP_HEADER.USER_AGENT] = userAgent
def columnExists(columnFile):
if not conf.tbl:
errMsg = "missing table parameter"
raise sqlmapMissingMandatoryOptionException, errMsg
columns = getFileItems(columnFile)
if conf.db and '(*)' not in conf.db:
table = "%s.%s" % (conf.db, conf.tbl)
else:
table = conf.tbl
retVal = []
infoMsg = "checking column existence using items from '%s'" % columnFile
logger.info(infoMsg)
pushValue(conf.verbose)
conf.verbose = 0
count = 0
length = len(columns)
for column in columns:
query = agent.prefixQuery("%s" % safeStringFormat("AND EXISTS(SELECT %s FROM %s)", (column, table)))
query = agent.suffixQuery(query)
result = Request.queryPage(agent.payload(newValue=query))
if result:
infoMsg = "\r[%s] [INFO] retrieved: %s" % (time.strftime("%X"), column)
infoMsg = "%s%s\n" % (infoMsg, " "*(getConsoleWidth()-1-len(infoMsg)))
dataToStdout(infoMsg, True)
retVal.append(column)
count += 1
status = '%d/%d items (%d%s)' % (count, length, round(100.0*count/length), '%')
dataToStdout("\r[%s] [INFO] tried: %s" % (time.strftime("%X"), status), True)
conf.verbose = popValue()
dataToStdout("\n", True)
if not retVal:
warnMsg = "no column found"
logger.warn(warnMsg)
else:
columns = {}
for column in retVal:
query = agent.prefixQuery("%s" % safeStringFormat("AND EXISTS(SELECT %s FROM %s WHERE %s>0)", (column, table, column)))
query = agent.suffixQuery(query)
result = Request.queryPage(agent.payload(newValue=query))
if result:
columns[column] = 'numeric'
else:
columns[column] = 'non-numeric'
kb.data.cachedColumns[conf.db] = {conf.tbl: columns}
return kb.data.cachedColumns
def _init_UAlist(path):
infoMsg = "loading HTTP User-Agent header(s) from "
infoMsg += "file '%s'" % path
logger.info(infoMsg)
# TODO 此处 conf.RANDOM_UA 在其他地方暂时没有用到
conf.RANDOM_UA = True
th.UA_LIST = getFileItems(path)
successMsg = "Total: %d" % len(th.UA_LIST)
logger.info(successMsg)
def _init_UAlist(path):
infoMsg = "loading HTTP User-Agent header(s) from "
infoMsg += "file '%s'" % path
logger.log(CUSTOM_LOGGING.SYSINFO, infoMsg)
# TODO 此处 conf.RANDOM_UA 在其他地方暂时没有用到
conf.RANDOM_UA = True
th.UA_LIST = getFileItems(path)
successMsg = "Total: %d" % len(th.UA_LIST)
logger.log(CUSTOM_LOGGING.SUCCESS, successMsg)
debugPause()
def crackHashFile(hashFile):
i = 0
attack_dict = {}
for line in getFileItems(conf.hashFile):
if ':' in line:
user, hash_ = line.split(':', 1)
attack_dict[user] = [hash_]
else:
attack_dict["%s%d" % (DUMMY_USER_PREFIX, i)] = [line]
i += 1
dictionaryAttack(attack_dict)
def tableExists(tableFile):
tables = getFileItems(tableFile)
retVal = []
infoMsg = "checking table existence using items from '%s'" % tableFile
logger.info(infoMsg)
pushValue(conf.verbose)
conf.verbose = 0
count = 0
length = len(tables)
for table in tables:
if conf.db and '(*)' not in conf.db:
table = "%s.%s" % (conf.db, table)
query = agent.prefixQuery("%s" % safeStringFormat("AND EXISTS(SELECT %d FROM %s)", (randomInt(1), table)))
query = agent.suffixQuery(query)
result = Request.queryPage(agent.payload(newValue=query))
if result:
infoMsg = "\r[%s] [INFO] retrieved: %s" % (time.strftime("%X"), table)
infoMsg = "%s%s\n" % (infoMsg, " "*(getConsoleWidth()-1-len(infoMsg)))
dataToStdout(infoMsg, True)
retVal.append(table)
count += 1
status = '%d/%d items (%d%s)' % (count, length, round(100.0*count/length), '%')
dataToStdout("\r[%s] [INFO] tried: %s" % (time.strftime("%X"), status), True)
conf.verbose = popValue()
dataToStdout("\n", True)
if not retVal:
warnMsg = "no table found"
logger.warn(warnMsg)
else:
for item in retVal:
if not kb.data.cachedTables.has_key(conf.db):
kb.data.cachedTables[conf.db] = [item]
else:
kb.data.cachedTables[conf.db].append(item)
return kb.data.cachedTables
def setMultipleTarget():
if conf.requires or conf.requiresFreeze:
return
if not conf.urlFile:
for pocname, pocInstance in kb.registeredPocs.items():
target_urls = []
if conf.url.endswith('/24'):
try:
socket.inet_aton(conf.url.split('/')[0])
base_addr = conf.url[:conf.url.rfind('.') + 1]
target_urls = [
'{}{}'.format(base_addr, i)
for i in xrange(1, 255 + 1)
]
except socket.error:
errMsg = 'only id address acceptable'
logger.log(CUSTOM_LOGGING.ERROR, errMsg)
else:
target_urls = conf.url.split(',')
for url in target_urls:
if url:
kb.targets.put((url, pocInstance, pocname))
return
conf.urlFile = safeExpandUser(conf.urlFile)
infoMsg = "parsing multiple targets list from '%s'" % conf.urlFile
logger.log(CUSTOM_LOGGING.SYSINFO, infoMsg)
if not os.path.isfile(conf.urlFile):
errMsg = "the specified file does not exist"
raise PeneworkFilePathException(errMsg)
for line in getFileItems(conf.urlFile):
for pocname, poc in kb.registeredPocs.items():
if not isinstance(poc, dict):
kb.targets.put((line.strip(), copy.copy(poc), pocname))
else:
kb.targets.put((line.strip(), poc, pocname))
def setMultipleTarget():
#urlFile
if not conf.urlFile:
target_urls = []
if conf.url:
if conf.url.endswith('/24'):
try:
socket.inet_aton(conf.url.split('/')[0])
base_addr = conf.url[:conf.url.rfind('.') + 1]
target_urls = [
'{}{}'.format(base_addr, i)
for i in xrange(1, 255 + 1)
]
except socket.error:
errMsg = 'only id address acceptable'
log.error(errMsg)
else:
target_urls = conf.url.split(',')
for url in target_urls:
if url:
kb.targets.put((url))
else:
errMsg = 'the url needs to be set'
log.error(errMsg)
return
if paths.ZEROSCAN_TARGET_PATH in conf.urlFile:
conf.urlFile = safeExpandUser(conf.urlFile)
infoMsg = "parsing multiple targets list from '%s'" % conf.urlFile
log.process(infoMsg)
else:
conf.urlFile = paths.ZEROSCAN_TARGET_PATH + '/' + conf.urlFile
conf.urlFile = safeExpandUser(conf.urlFile)
infoMsg = "parsing multiple targets list from '%s'" % conf.urlFile
log.process(infoMsg)
if not os.path.isfile(conf.urlFile):
errMsg = "the specified file does not exist"
raise ZEROScanFilePathException(errMsg)
for line in getFileItems(conf.urlFile):
kb.targets.put(line.strip())
def setMultipleTarget():
if not conf.urlFile:
for pocname, pocInstance in kb.registeredPocs.items():
kb.targets.put((conf.url, pocInstance, pocname))
return
conf.urlFile = safeExpandUser(conf.urlFile)
infoMsg = "parsing multiple targets list from '%s'" % conf.urlFile
logger.log(CUSTOM_LOGGING.SYSINFO, infoMsg)
if not os.path.isfile(conf.urlFile):
errMsg = "the specified file does not exist"
raise PocsuiteFilePathException(errMsg)
for line in getFileItems(conf.urlFile):
for pocname, poc in kb.registeredPocs.items():
if not isinstance(poc, dict):
kb.targets.put((line.strip(), copy.copy(poc), pocname))
else:
kb.targets.put((line.strip(), poc, pocname))
def setMultipleTarget():
if not conf.urlFile:
for pocname, pocInstance in kb.registeredPocs.items():
kb.targets.put((conf.url, pocInstance, pocname))
return
conf.urlFile = safeExpandUser(conf.urlFile)
infoMsg = "parsing multiple targets list from '%s'" % conf.urlFile
logger.log(CUSTOM_LOGGING.SYSINFO, infoMsg)
if not os.path.isfile(conf.urlFile):
errMsg = "the specified file does not exist"
raise PocsuiteFilePathException(errMsg)
for line in getFileItems(conf.urlFile):
for pocname, poc in kb.registeredPocs.items():
if not isinstance(poc, dict):
kb.targets.put((line.strip(), copy.copy(poc), pocname))
else:
kb.targets.put((line.strip(), poc, pocname))
def setMultipleTarget():
if conf.requires or conf.requiresFreeze:
return
if not conf.urlFile:
for pocname, pocInstance in kb.registeredPocs.items():
target_urls = []
if conf.url.endswith('/24'):
try:
socket.inet_aton(conf.url.split('/')[0])
base_addr = conf.url[:conf.url.rfind('.') + 1]
target_urls = ['{}{}'.format(base_addr, i)
for i in xrange(1, 255 + 1)]
except socket.error:
errMsg = 'only id address acceptable'
logger.log(CUSTOM_LOGGING.ERROR, errMsg)
else:
target_urls = conf.url.split(',')
for url in target_urls:
if url:
kb.targets.put((url, pocInstance, pocname))
return
conf.urlFile = safeExpandUser(conf.urlFile)
infoMsg = "parsing multiple targets list from '%s'" % conf.urlFile
logger.log(CUSTOM_LOGGING.SYSINFO, infoMsg)
if not os.path.isfile(conf.urlFile):
errMsg = "the specified file does not exist"
raise PeneworkFilePathException(errMsg)
for line in getFileItems(conf.urlFile):
for pocname, poc in kb.registeredPocs.items():
if not isinstance(poc, dict):
kb.targets.put((line.strip(), copy.copy(poc), pocname))
else:
kb.targets.put((line.strip(), poc, pocname))
def setMultipleTarget():
#urlFile
if not conf.urlFile:
target_urls = []
if conf.url:
if conf.url.endswith('/24'):
try:
socket.inet_aton(conf.url.split('/')[0])
base_addr = conf.url[:conf.url.rfind('.') + 1]
target_urls = ['{}{}'.format(base_addr, i)
for i in xrange(1, 255 + 1)]
except socket.error:
errMsg = 'only id address acceptable'
log.error(errMsg)
else:
target_urls = conf.url.split(',')
for url in target_urls:
if url:
kb.targets.put((url))
else:
errMsg = 'the url needs to be set'
log.error(errMsg)
return
if paths.ZEROSCAN_TARGET_PATH in conf.urlFile:
conf.urlFile = safeExpandUser(conf.urlFile)
infoMsg = "parsing multiple targets list from '%s'" % conf.urlFile
log.process(infoMsg)
else:
conf.urlFile = paths.ZEROSCAN_TARGET_PATH +'/'+ conf.urlFile
conf.urlFile = safeExpandUser(conf.urlFile)
infoMsg = "parsing multiple targets list from '%s'" % conf.urlFile
log.process(infoMsg)
if not os.path.isfile(conf.urlFile):
errMsg = "the specified file does not exist"
raise ZEROScanFilePathException(errMsg)
for line in getFileItems(conf.urlFile):
kb.targets.put(line.strip())
def _init_UAlist(path):
# TODO
conf.RANDOM_UA = True
th.UA_LIST = getFileItems(path)
def getWeakPassword():
return getFileItems(paths.WEAK_PASS)
def main():
"""
Main function of sqlmap when running from command line.
"""
try:
dirtyPatches()
resolveCrossReferences()
checkEnvironment()
setPaths(modulePath())
banner()
# Store original command line options for possible later restoration
args = cmdLineParser()
cmdLineOptions.update(args.__dict__ if hasattr(args, "__dict__") else args)
initOptions(cmdLineOptions)
if checkPipedInput():
conf.batch = True
if conf.get("api"):
# heavy imports
from lib.utils.api import StdDbOut
from lib.utils.api import setRestAPILog
# Overwrite system standard output and standard error to write
# to an IPC database
sys.stdout = StdDbOut(conf.taskid, messagetype="stdout")
sys.stderr = StdDbOut(conf.taskid, messagetype="stderr")
setRestAPILog()
conf.showTime = True
dataToStdout("[!] legal disclaimer: %s\n\n" % LEGAL_DISCLAIMER, forceOutput=True)
dataToStdout("[*] starting @ %s\n\n" % time.strftime("%X /%Y-%m-%d/"), forceOutput=True)
init()
if not conf.updateAll:
# Postponed imports (faster start)
if conf.smokeTest:
from lib.core.testing import smokeTest
os._exitcode = 1 - (smokeTest() or 0)
elif conf.vulnTest:
from lib.core.testing import vulnTest
os._exitcode = 1 - (vulnTest() or 0)
elif conf.bedTest:
from lib.core.testing import bedTest
os._exitcode = 1 - (bedTest() or 0)
elif conf.fuzzTest:
from lib.core.testing import fuzzTest
fuzzTest()
else:
from lib.controller.controller import start
if conf.profile and six.PY2:
from lib.core.profiling import profile
globals()["start"] = start
profile()
else:
try:
if conf.crawlDepth and conf.bulkFile:
targets = getFileItems(conf.bulkFile)
for i in xrange(len(targets)):
try:
kb.targets.clear()
target = targets[i]
if not re.search(r"(?i)\Ahttp[s]*://", target):
target = "http://%s" % target
infoMsg = "starting crawler for target URL '%s' (%d/%d)" % (target, i + 1, len(targets))
logger.info(infoMsg)
crawl(target)
except Exception as ex:
if not isinstance(ex, SqlmapUserQuitException):
errMsg = "problem occurred while crawling '%s' ('%s')" % (target, getSafeExString(ex))
logger.error(errMsg)
else:
raise
else:
if kb.targets:
start()
else:
start()
except Exception as ex:
os._exitcode = 1
if "can't start new thread" in getSafeExString(ex):
errMsg = "unable to start new threads. Please check OS (u)limits"
logger.critical(errMsg)
raise SystemExit
else:
raise
except SqlmapUserQuitException:
if not conf.batch:
errMsg = "user quit"
logger.error(errMsg)
except (SqlmapSilentQuitException, bdb.BdbQuit):
pass
except SqlmapShellQuitException:
cmdLineOptions.sqlmapShell = False
except SqlmapBaseException as ex:
errMsg = getSafeExString(ex)
logger.critical(errMsg)
os._exitcode = 1
raise SystemExit
except KeyboardInterrupt:
print()
except EOFError:
print()
errMsg = "exit"
logger.error(errMsg)
except SystemExit as ex:
os._exitcode = ex.code or 0
except:
print()
errMsg = unhandledExceptionMessage()
excMsg = traceback.format_exc()
valid = checkIntegrity()
os._exitcode = 255
if any(_ in excMsg for _ in ("MemoryError", "Cannot allocate memory")):
errMsg = "memory exhaustion detected"
logger.critical(errMsg)
raise SystemExit
elif any(_ in excMsg for _ in ("No space left", "Disk quota exceeded", "Disk full while accessing")):
errMsg = "no space left on output device"
logger.critical(errMsg)
raise SystemExit
elif any(_ in excMsg for _ in ("The paging file is too small",)):
errMsg = "no space left for paging file"
logger.critical(errMsg)
raise SystemExit
elif all(_ in excMsg for _ in ("Access is denied", "subprocess", "metasploit")):
errMsg = "permission error occurred while running Metasploit"
logger.critical(errMsg)
raise SystemExit
elif all(_ in excMsg for _ in ("Permission denied", "metasploit")):
errMsg = "permission error occurred while using Metasploit"
logger.critical(errMsg)
raise SystemExit
elif "Read-only file system" in excMsg:
errMsg = "output device is mounted as read-only"
logger.critical(errMsg)
raise SystemExit
elif "Insufficient system resources" in excMsg:
errMsg = "resource exhaustion detected"
logger.critical(errMsg)
raise SystemExit
elif "OperationalError: disk I/O error" in excMsg:
errMsg = "I/O error on output device"
logger.critical(errMsg)
raise SystemExit
elif "Violation of BIDI" in excMsg:
errMsg = "invalid URL (violation of Bidi IDNA rule - RFC 5893)"
logger.critical(errMsg)
raise SystemExit
elif "Invalid IPv6 URL" in excMsg:
errMsg = "invalid URL ('%s')" % excMsg.strip().split('\n')[-1]
logger.critical(errMsg)
raise SystemExit
elif "_mkstemp_inner" in excMsg:
errMsg = "there has been a problem while accessing temporary files"
logger.critical(errMsg)
raise SystemExit
elif any(_ in excMsg for _ in ("tempfile.mkdtemp", "tempfile.mkstemp", "tempfile.py")):
errMsg = "unable to write to the temporary directory '%s'. " % tempfile.gettempdir()
errMsg += "Please make sure that your disk is not full and "
errMsg += "that you have sufficient write permissions to "
errMsg += "create temporary files and/or directories"
logger.critical(errMsg)
raise SystemExit
elif all(_ in excMsg for _ in ("twophase", "sqlalchemy")):
errMsg = "please update the 'sqlalchemy' package (>= 1.1.11) "
errMsg += "(Reference: https://qiita.com/tkprof/items/7d7b2d00df9c5f16fffe)"
logger.critical(errMsg)
raise SystemExit
elif all(_ in excMsg for _ in ("scramble_caching_sha2", "TypeError")):
errMsg = "please downgrade the 'PyMySQL' package (=< 0.8.1) "
errMsg += "(Reference: https://github.com/PyMySQL/PyMySQL/issues/700)"
logger.critical(errMsg)
raise SystemExit
elif "must be pinned buffer, not bytearray" in excMsg:
errMsg = "error occurred at Python interpreter which "
errMsg += "is fixed in 2.7. Please update accordingly "
errMsg += "(Reference: https://bugs.python.org/issue8104)"
logger.critical(errMsg)
raise SystemExit
elif all(_ in excMsg for _ in ("Resource temporarily unavailable", "os.fork()", "dictionaryAttack")):
errMsg = "there has been a problem while running the multiprocessing hash cracking. "
errMsg += "Please rerun with option '--threads=1'"
logger.critical(errMsg)
raise SystemExit
elif "can't start new thread" in excMsg:
errMsg = "there has been a problem while creating new thread instance. "
errMsg += "Please make sure that you are not running too many processes"
if not IS_WIN:
errMsg += " (or increase the 'ulimit -u' value)"
logger.critical(errMsg)
raise SystemExit
elif "can't allocate read lock" in excMsg:
errMsg = "there has been a problem in regular socket operation "
errMsg += "('%s')" % excMsg.strip().split('\n')[-1]
logger.critical(errMsg)
raise SystemExit
elif all(_ in excMsg for _ in ("pymysql", "configparser")):
errMsg = "wrong initialization of pymsql detected (using Python3 dependencies)"
logger.critical(errMsg)
raise SystemExit
elif all(_ in excMsg for _ in ("ntlm", "socket.error, err", "SyntaxError")):
errMsg = "wrong initialization of python-ntlm detected (using Python2 syntax)"
logger.critical(errMsg)
raise SystemExit
elif all(_ in excMsg for _ in ("drda", "to_bytes")):
errMsg = "wrong initialization of drda detected (using Python3 syntax)"
logger.critical(errMsg)
raise SystemExit
elif all(_ in excMsg for _ in ("window = tkinter.Tk()",)):
errMsg = "there has been a problem in initialization of GUI interface "
errMsg += "('%s')" % excMsg.strip().split('\n')[-1]
logger.critical(errMsg)
raise SystemExit
elif any(_ in excMsg for _ in ("unable to access item 'liveTest'",)):
errMsg = "detected usage of files from different versions of sqlmap"
logger.critical(errMsg)
raise SystemExit
elif kb.get("dumpKeyboardInterrupt"):
raise SystemExit
elif any(_ in excMsg for _ in ("Broken pipe",)):
raise SystemExit
elif valid is False:
errMsg = "code integrity check failed (turning off automatic issue creation). "
errMsg += "You should retrieve the latest development version from official GitHub "
errMsg += "repository at '%s'" % GIT_PAGE
logger.critical(errMsg)
print()
dataToStdout(excMsg)
raise SystemExit
elif any(_ in excMsg for _ in ("tamper/", "waf/")):
logger.critical(errMsg)
print()
dataToStdout(excMsg)
raise SystemExit
elif any(_ in excMsg for _ in ("ImportError", "ModuleNotFoundError", "Can't find file for module", "SAXReaderNotAvailable", "source code string cannot contain null bytes", "No module named", "tp_name field")):
errMsg = "invalid runtime environment ('%s')" % excMsg.split("Error: ")[-1].strip()
logger.critical(errMsg)
raise SystemExit
elif all(_ in excMsg for _ in ("SyntaxError: Non-ASCII character", ".py on line", "but no encoding declared")):
errMsg = "invalid runtime environment ('%s')" % excMsg.split("Error: ")[-1].strip()
logger.critical(errMsg)
raise SystemExit
elif all(_ in excMsg for _ in ("No such file", "_'")):
errMsg = "corrupted installation detected ('%s'). " % excMsg.strip().split('\n')[-1]
errMsg += "You should retrieve the latest development version from official GitHub "
errMsg += "repository at '%s'" % GIT_PAGE
logger.critical(errMsg)
raise SystemExit
elif all(_ in excMsg for _ in ("HTTPNtlmAuthHandler", "'str' object has no attribute 'decode'")):
errMsg = "package 'python-ntlm' has a known compatibility issue with the "
errMsg += "Python 3 (Reference: https://github.com/mullender/python-ntlm/pull/61)"
logger.critical(errMsg)
raise SystemExit
elif "'DictObject' object has no attribute '" in excMsg and all(_ in errMsg for _ in ("(fingerprinted)", "(identified)")):
errMsg = "there has been a problem in enumeration. "
errMsg += "Because of a considerable chance of false-positive case "
errMsg += "you are advised to rerun with switch '--flush-session'"
logger.critical(errMsg)
raise SystemExit
elif "bad marshal data (unknown type code)" in excMsg:
match = re.search(r"\s*(.+)\s+ValueError", excMsg)
errMsg = "one of your .pyc files are corrupted%s" % (" ('%s')" % match.group(1) if match else "")
errMsg += ". Please delete .pyc files on your system to fix the problem"
logger.critical(errMsg)
raise SystemExit
for match in re.finditer(r'File "(.+?)", line', excMsg):
file_ = match.group(1)
try:
file_ = os.path.relpath(file_, os.path.dirname(__file__))
except ValueError:
pass
file_ = file_.replace("\\", '/')
if "../" in file_:
file_ = re.sub(r"(\.\./)+", '/', file_)
else:
file_ = file_.lstrip('/')
file_ = re.sub(r"/{2,}", '/', file_)
excMsg = excMsg.replace(match.group(1), file_)
errMsg = maskSensitiveData(errMsg)
excMsg = maskSensitiveData(excMsg)
if conf.get("api") or not valid:
logger.critical("%s\n%s" % (errMsg, excMsg))
else:
logger.critical(errMsg)
dataToStdout("%s\n" % setColor(excMsg.strip(), level=logging.CRITICAL))
createGithubIssue(errMsg, excMsg)
finally:
kb.threadContinue = False
if getDaysFromLastUpdate() > LAST_UPDATE_NAGGING_DAYS:
warnMsg = "your sqlmap version is outdated"
logger.warn(warnMsg)
if conf.get("showTime"):
dataToStdout("\n[*] ending @ %s\n\n" % time.strftime("%X /%Y-%m-%d/"), forceOutput=True)
kb.threadException = True
if kb.get("tempDir"):
for prefix in (MKSTEMP_PREFIX.IPC, MKSTEMP_PREFIX.TESTING, MKSTEMP_PREFIX.COOKIE_JAR, MKSTEMP_PREFIX.BIG_ARRAY):
for filepath in glob.glob(os.path.join(kb.tempDir, "%s*" % prefix)):
try:
os.remove(filepath)
except OSError:
pass
if not filterNone(filepath for filepath in glob.glob(os.path.join(kb.tempDir, '*')) if not any(filepath.endswith(_) for _ in (".lock", ".exe", ".so", '_'))): # ignore junk files
try:
shutil.rmtree(kb.tempDir, ignore_errors=True)
except OSError:
pass
if conf.get("hashDB"):
conf.hashDB.flush(True)
if conf.get("harFile"):
try:
with openFile(conf.harFile, "w+b") as f:
json.dump(conf.httpCollector.obtain(), fp=f, indent=4, separators=(',', ': '))
except SqlmapBaseException as ex:
errMsg = getSafeExString(ex)
logger.critical(errMsg)
if conf.get("api"):
conf.databaseCursor.disconnect()
if conf.get("dumper"):
conf.dumper.flush()
# short delay for thread finalization
_ = time.time()
while threading.activeCount() > 1 and (time.time() - _) > THREAD_FINALIZATION_TIMEOUT:
time.sleep(0.01)
if cmdLineOptions.get("sqlmapShell"):
cmdLineOptions.clear()
conf.clear()
kb.clear()
conf.disableBanner = True
main()
def columnExists(columnFile, regex=None):
if kb.columnExistsChoice is None and not any(_ for _ in kb.injection.data if _ not in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED)) and not conf.direct:
warnMsg = "it's not recommended to use '%s' and/or '%s' " % (PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.TIME], PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.STACKED])
warnMsg += "for common column existence check"
logger.warn(warnMsg)
message = "are you sure you want to continue? [y/N] "
kb.columnExistsChoice = readInput(message, default='N', boolean=True)
if not kb.columnExistsChoice:
return None
if not conf.tbl:
errMsg = "missing table parameter"
raise SqlmapMissingMandatoryOptionException(errMsg)
if conf.db and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
conf.db = conf.db.upper()
result = inject.checkBooleanExpression(safeStringFormat(BRUTE_COLUMN_EXISTS_TEMPLATE, (randomStr(), randomStr())))
if result:
errMsg = "can't use column existence check because of detected invalid results "
errMsg += "(most likely caused by inability of the used injection "
errMsg += "to distinguish erroneous results)"
raise SqlmapDataException(errMsg)
message = "which common columns (wordlist) file do you want to use?\n"
message += "[1] default '%s' (press Enter)\n" % columnFile
message += "[2] custom"
choice = readInput(message, default='1')
if choice == '2':
message = "what's the custom common columns file location?\n"
columnFile = readInput(message) or columnFile
infoMsg = "checking column existence using items from '%s'" % columnFile
logger.info(infoMsg)
columns = getFileItems(columnFile, unique=True)
columns.extend(_addPageTextWords())
columns = filterListValue(columns, regex)
table = safeSQLIdentificatorNaming(conf.tbl, True)
if conf.db and METADB_SUFFIX not in conf.db and Backend.getIdentifiedDbms() not in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
table = "%s.%s" % (safeSQLIdentificatorNaming(conf.db), table)
kb.threadContinue = True
kb.bruteMode = True
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(columns)
threadData.shared.value = []
def columnExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
column = safeSQLIdentificatorNaming(columns[threadData.shared.count])
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
result = inject.checkBooleanExpression(safeStringFormat(BRUTE_COLUMN_EXISTS_TEMPLATE, (column, table)))
kb.locks.io.acquire()
if result:
threadData.shared.value.append(column)
if conf.verbose in (1, 2) and not conf.api:
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), unsafeSQLIdentificatorNaming(column))
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = "%d/%d items (%d%%)" % (threadData.shared.count, threadData.shared.limit, round(100.0 * threadData.shared.count / threadData.shared.limit))
dataToStdout("\r[%s] [INFO] tried %s" % (time.strftime("%X"), status), True)
kb.locks.io.release()
try:
runThreads(conf.threads, columnExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = "user aborted during column existence "
warnMsg += "check. sqlmap will display partial output"
logger.warn(warnMsg)
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.value:
warnMsg = "no column(s) found"
logger.warn(warnMsg)
else:
columns = {}
for column in threadData.shared.value:
if Backend.getIdentifiedDbms() in (DBMS.MYSQL,):
result = not inject.checkBooleanExpression("%s" % safeStringFormat("EXISTS(SELECT %s FROM %s WHERE %s REGEXP '[^0-9]')", (column, table, column)))
else:
result = inject.checkBooleanExpression("%s" % safeStringFormat("EXISTS(SELECT %s FROM %s WHERE ROUND(%s)=ROUND(%s))", (column, table, column, column)))
if result:
columns[column] = "numeric"
else:
columns[column] = "non-numeric"
kb.data.cachedColumns[conf.db] = {conf.tbl: columns}
for _ in ((conf.db, conf.tbl, item[0], item[1]) for item in list(columns.items())):
if _ not in kb.brute.columns:
kb.brute.columns.append(_)
hashDBWrite(HASHDB_KEYS.KB_BRUTE_COLUMNS, kb.brute.columns, True)
return kb.data.cachedColumns
def columnExists(columnFile, regex=None):
if not conf.tbl:
errMsg = "missing table parameter"
raise SqlmapMissingMandatoryOptionException(errMsg)
if conf.db and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
conf.db = conf.db.upper()
result = inject.checkBooleanExpression(
safeStringFormat(BRUTE_COLUMN_EXISTS_TEMPLATE,
(randomStr(), randomStr())))
if result:
errMsg = "can't use column existence check because of detected invalid results "
errMsg += "(most probably caused by inability of the used injection "
errMsg += "to distinguish errornous results)"
raise SqlmapDataException(errMsg)
infoMsg = "checking column existence using items from '%s'" % columnFile
logger.info(infoMsg)
columns = getFileItems(columnFile, unique=True)
columns.extend(_addPageTextWords())
columns = filterListValue(columns, regex)
table = safeSQLIdentificatorNaming(conf.tbl, True)
if conf.db and METADB_SUFFIX not in conf.db and Backend.getIdentifiedDbms(
) not in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
table = "%s.%s" % (safeSQLIdentificatorNaming(conf.db), table)
kb.threadContinue = True
kb.bruteMode = True
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(columns)
threadData.shared.value = []
def columnExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
column = safeSQLIdentificatorNaming(
columns[threadData.shared.count])
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
result = inject.checkBooleanExpression(
safeStringFormat(BRUTE_COLUMN_EXISTS_TEMPLATE,
(column, table)))
kb.locks.io.acquire()
if result:
threadData.shared.value.append(column)
if conf.verbose in (1, 2) and not hasattr(conf, "api"):
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: %s\r\n" % (time.strftime(
"%X"), unsafeSQLIdentificatorNaming(column))
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = '%d/%d items (%d%%)' % (
threadData.shared.count, threadData.shared.limit,
round(100.0 * threadData.shared.count /
threadData.shared.limit))
dataToStdout(
"\r[%s] [INFO] tried %s" % (time.strftime("%X"), status),
True)
kb.locks.io.release()
try:
runThreads(conf.threads, columnExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = "user aborted during column existence "
warnMsg += "check. sqlmap will display partial output"
logger.warn(warnMsg)
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.value:
warnMsg = "no column(s) found"
logger.warn(warnMsg)
else:
columns = {}
for column in threadData.shared.value:
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, ):
result = not inject.checkBooleanExpression(
"%s" % safeStringFormat(
"EXISTS(SELECT %s FROM %s WHERE %s REGEXP '[^0-9]')",
(column, table, column)))
else:
result = inject.checkBooleanExpression("%s" % safeStringFormat(
"EXISTS(SELECT %s FROM %s WHERE ROUND(%s)=ROUND(%s))",
(column, table, column, column)))
if result:
columns[column] = 'numeric'
else:
columns[column] = 'non-numeric'
kb.data.cachedColumns[conf.db] = {conf.tbl: columns}
for _ in map(lambda x: (conf.db, conf.tbl, x[0], x[1]),
columns.items()):
if _ not in kb.brute.columns:
kb.brute.columns.append(_)
hashDBWrite(HASHDB_KEYS.KB_BRUTE_COLUMNS, kb.brute.columns, True)
return kb.data.cachedColumns
def columnExists(columnFile, regex=None):
if kb.columnExistsChoice is None and not any(
_ for _ in kb.injection.data
if _ not in (PAYLOAD.TECHNIQUE.TIME,
PAYLOAD.TECHNIQUE.STACKED)) and not conf.direct:
warnMsg = u"不建议使用'%s'和'%s'" % (
PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.TIME],
PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.STACKED])
warnMsg += u"进行常用的字段的存在性检查"
logger.warn(warnMsg)
message = u"你确定你要继续吗? [y/N] "
kb.columnExistsChoice = readInput(message, default='N', boolean=True)
if not kb.columnExistsChoice:
return None
if not conf.tbl:
errMsg = u"缺少表参数"
raise SqlmapMissingMandatoryOptionException(errMsg)
if conf.db and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
conf.db = conf.db.upper()
result = inject.checkBooleanExpression(
safeStringFormat(BRUTE_COLUMN_EXISTS_TEMPLATE,
(randomStr(), randomStr())))
if result:
errMsg = u"因为检测到的结果无效,所以无法对列的存在性进行检查,"
errMsg += u"(很可能是由于使用的注入无法区分错误结果)。"
raise SqlmapDataException(errMsg)
message = u"您要使用哪些常用字段(wordlist)文件?\n"
message += u"[1] 默认 '%s' (按回车)\n" % columnFile
message += u"[2] 自定义"
choice = readInput(message, default='1')
if choice == '2':
message = u"自定义的常用字段文件位置在哪里?\n"
columnFile = readInput(message) or columnFile
infoMsg = u"使用%s文件检查字段是否存在" % columnFile
logger.info(infoMsg)
columns = getFileItems(columnFile, unique=True)
columns.extend(_addPageTextWords())
columns = filterListValue(columns, regex)
table = safeSQLIdentificatorNaming(conf.tbl, True)
if conf.db and METADB_SUFFIX not in conf.db and Backend.getIdentifiedDbms(
) not in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
table = "%s.%s" % (safeSQLIdentificatorNaming(conf.db), table)
kb.threadContinue = True
kb.bruteMode = True
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(columns)
threadData.shared.value = []
def columnExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
column = safeSQLIdentificatorNaming(
columns[threadData.shared.count])
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
result = inject.checkBooleanExpression(
safeStringFormat(BRUTE_COLUMN_EXISTS_TEMPLATE,
(column, table)))
kb.locks.io.acquire()
if result:
threadData.shared.value.append(column)
if conf.verbose in (1, 2) and not conf.api:
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: %s\n" % (time.strftime(
"%X"), unsafeSQLIdentificatorNaming(column))
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = "%d/%d items (%d%%)" % (
threadData.shared.count, threadData.shared.limit,
round(100.0 * threadData.shared.count /
threadData.shared.limit))
dataToStdout(
"\r[%s] [INFO] tried %s" % (time.strftime("%X"), status),
True)
kb.locks.io.release()
try:
runThreads(conf.threads, columnExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = u"用户在检查字段存在性期间中止,sqlmap将只显示部分输出"
logger.warn(warnMsg)
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.value:
warnMsg = u"找不到字段"
logger.warn(warnMsg)
else:
columns = {}
for column in threadData.shared.value:
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, ):
result = not inject.checkBooleanExpression(
"%s" % safeStringFormat(
"EXISTS(SELECT %s FROM %s WHERE %s REGEXP '[^0-9]')",
(column, table, column)))
else:
result = inject.checkBooleanExpression("%s" % safeStringFormat(
"EXISTS(SELECT %s FROM %s WHERE ROUND(%s)=ROUND(%s))",
(column, table, column, column)))
if result:
columns[column] = "numeric"
else:
columns[column] = "non-numeric"
kb.data.cachedColumns[conf.db] = {conf.tbl: columns}
for _ in map(lambda x: (conf.db, conf.tbl, x[0], x[1]),
columns.items()):
if _ not in kb.brute.columns:
kb.brute.columns.append(_)
hashDBWrite(HASHDB_KEYS.KB_BRUTE_COLUMNS, kb.brute.columns, True)
return kb.data.cachedColumns
def columnExists(columnFile, regex=None):
if kb.columnExistsChoice is None and not any(_ for _ in kb.injection.data if _ not in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED)) and not conf.direct:
warnMsg = "it's not recommended to use '%s' and/or '%s' " % (PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.TIME], PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.STACKED])
warnMsg += "for common column existence check"
logger.warn(warnMsg)
message = "are you sure you want to continue? [y/N] "
kb.columnExistsChoice = readInput(message, default='N', boolean=True)
if not kb.columnExistsChoice:
return None
if not conf.tbl:
errMsg = "missing table parameter"
raise SqlmapMissingMandatoryOptionException(errMsg)
if conf.db and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
conf.db = conf.db.upper()
result = inject.checkBooleanExpression(safeStringFormat(BRUTE_COLUMN_EXISTS_TEMPLATE, (randomStr(), randomStr())))
if result:
errMsg = "can't use column existence check because of detected invalid results "
errMsg += "(most likely caused by inability of the used injection "
errMsg += "to distinguish erroneous results)"
raise SqlmapDataException(errMsg)
message = "which common columns (wordlist) file do you want to use?\n"
message += "[1] default '%s' (press Enter)\n" % columnFile
message += "[2] custom"
choice = readInput(message, default='1')
if choice == '2':
message = "what's the custom common columns file location?\n"
columnFile = readInput(message) or columnFile
infoMsg = "checking column existence using items from '%s'" % columnFile
logger.info(infoMsg)
columns = getFileItems(columnFile, unique=True)
columns.extend(_addPageTextWords())
columns = filterListValue(columns, regex)
table = safeSQLIdentificatorNaming(conf.tbl, True)
if conf.db and METADB_SUFFIX not in conf.db and Backend.getIdentifiedDbms() not in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
table = "%s.%s" % (safeSQLIdentificatorNaming(conf.db), table)
kb.threadContinue = True
kb.bruteMode = True
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(columns)
threadData.shared.value = []
def columnExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
column = safeSQLIdentificatorNaming(columns[threadData.shared.count])
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
result = inject.checkBooleanExpression(safeStringFormat(BRUTE_COLUMN_EXISTS_TEMPLATE, (column, table)))
kb.locks.io.acquire()
if result:
threadData.shared.value.append(column)
if conf.verbose in (1, 2) and not conf.api:
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), unsafeSQLIdentificatorNaming(column))
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = "%d/%d items (%d%%)" % (threadData.shared.count, threadData.shared.limit, round(100.0 * threadData.shared.count / threadData.shared.limit))
dataToStdout("\r[%s] [INFO] tried %s" % (time.strftime("%X"), status), True)
kb.locks.io.release()
try:
runThreads(conf.threads, columnExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = "user aborted during column existence "
warnMsg += "check. sqlmap will display partial output"
logger.warn(warnMsg)
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.value:
warnMsg = "no column(s) found"
logger.warn(warnMsg)
else:
columns = {}
for column in threadData.shared.value:
if Backend.getIdentifiedDbms() in (DBMS.MYSQL,):
result = not inject.checkBooleanExpression("%s" % safeStringFormat("EXISTS(SELECT %s FROM %s WHERE %s REGEXP '[^0-9]')", (column, table, column)))
else:
result = inject.checkBooleanExpression("%s" % safeStringFormat("EXISTS(SELECT %s FROM %s WHERE ROUND(%s)=ROUND(%s))", (column, table, column, column)))
if result:
columns[column] = "numeric"
else:
columns[column] = "non-numeric"
kb.data.cachedColumns[conf.db] = {conf.tbl: columns}
for _ in map(lambda x: (conf.db, conf.tbl, x[0], x[1]), columns.items()):
if _ not in kb.brute.columns:
kb.brute.columns.append(_)
hashDBWrite(HASHDB_KEYS.KB_BRUTE_COLUMNS, kb.brute.columns, True)
return kb.data.cachedColumns
def dictionaryAttack(attack_dict):
suffix_list = [""]
custom_wordlist = [""]
hash_regexes = []
results = []
resumes = []
user_hash = []
processException = False
foundHash = False
for (_, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
hash_ = hash_.split()[0] if hash_ and hash_.strip() else hash_
regex = hashRecognition(hash_)
if regex and regex not in hash_regexes:
hash_regexes.append(regex)
infoMsg = "using hash method '%s'" % __functions__[regex].func_name
logger.info(infoMsg)
for hash_regex in hash_regexes:
keys = set()
attack_info = []
for (user, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
foundHash = True
hash_ = hash_.split()[0] if hash_ and hash_.strip() else hash_
if re.match(hash_regex, hash_):
try:
item = None
if hash_regex not in (HASH.CRYPT_GENERIC, HASH.JOOMLA, HASH.WORDPRESS, HASH.UNIX_MD5_CRYPT, HASH.APACHE_MD5_CRYPT, HASH.APACHE_SHA1, HASH.VBULLETIN, HASH.VBULLETIN_OLD, HASH.SSHA, HASH.SSHA256, HASH.SSHA512, HASH.DJANGO_MD5, HASH.DJANGO_SHA1, HASH.MD5_BASE64, HASH.SHA1_BASE64, HASH.SHA256_BASE64, HASH.SHA512_BASE64):
hash_ = hash_.lower()
if hash_regex in (HASH.MD5_BASE64, HASH.SHA1_BASE64, HASH.SHA256_BASE64, HASH.SHA512_BASE64):
item = [(user, hash_.decode("base64").encode("hex")), {}]
elif hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC, HASH.APACHE_SHA1):
item = [(user, hash_), {}]
elif hash_regex in (HASH.SSHA,):
item = [(user, hash_), {"salt": hash_.decode("base64")[20:]}]
elif hash_regex in (HASH.SSHA256,):
item = [(user, hash_), {"salt": hash_.decode("base64")[32:]}]
elif hash_regex in (HASH.SSHA512,):
item = [(user, hash_), {"salt": hash_.decode("base64")[64:]}]
elif hash_regex in (HASH.ORACLE_OLD, HASH.POSTGRES):
item = [(user, hash_), {'username': user}]
elif hash_regex in (HASH.ORACLE,):
item = [(user, hash_), {"salt": hash_[-20:]}]
elif hash_regex in (HASH.MSSQL, HASH.MSSQL_OLD, HASH.MSSQL_NEW):
item = [(user, hash_), {"salt": hash_[6:14]}]
elif hash_regex in (HASH.CRYPT_GENERIC,):
item = [(user, hash_), {"salt": hash_[0:2]}]
elif hash_regex in (HASH.UNIX_MD5_CRYPT, HASH.APACHE_MD5_CRYPT):
item = [(user, hash_), {"salt": hash_.split('$')[2], "magic": "$%s$" % hash_.split('$')[1]}]
elif hash_regex in (HASH.JOOMLA, HASH.VBULLETIN, HASH.VBULLETIN_OLD):
item = [(user, hash_), {"salt": hash_.split(':')[-1]}]
elif hash_regex in (HASH.DJANGO_MD5, HASH.DJANGO_SHA1):
item = [(user, hash_), {"salt": hash_.split('$')[1]}]
elif hash_regex in (HASH.WORDPRESS,):
if ITOA64.index(hash_[3]) < 32:
item = [(user, hash_), {"salt": hash_[4:12], "count": 1 << ITOA64.index(hash_[3]), "prefix": hash_[:12]}]
else:
warnMsg = "invalid hash '%s'" % hash_
logger.warn(warnMsg)
if item and hash_ not in keys:
resumed = hashDBRetrieve(hash_)
if not resumed:
attack_info.append(item)
user_hash.append(item[0])
else:
infoMsg = "resuming password '%s' for hash '%s'" % (resumed, hash_)
if user and not user.startswith(DUMMY_USER_PREFIX):
infoMsg += " for user '%s'" % user
logger.info(infoMsg)
resumes.append((user, hash_, resumed))
keys.add(hash_)
except (binascii.Error, IndexError):
pass
if not attack_info:
continue
if not kb.wordlists:
while not kb.wordlists:
# the slowest of all methods hence smaller default dict
if hash_regex in (HASH.ORACLE_OLD,):
dictPaths = [paths.SMALL_DICT]
else:
dictPaths = [paths.WORDLIST]
message = "what dictionary do you want to use?\n"
message += "[1] default dictionary file '%s' (press Enter)\n" % dictPaths[0]
message += "[2] custom dictionary file\n"
message += "[3] file with list of dictionary files"
choice = readInput(message, default='1')
try:
if choice == '2':
message = "what's the custom dictionary's location?\n"
dictPath = readInput(message)
if dictPath:
dictPaths = [dictPath]
logger.info("using custom dictionary")
elif choice == '3':
message = "what's the list file location?\n"
listPath = readInput(message)
checkFile(listPath)
dictPaths = getFileItems(listPath)
logger.info("using custom list of dictionaries")
else:
logger.info("using default dictionary")
dictPaths = filter(None, dictPaths)
for dictPath in dictPaths:
checkFile(dictPath)
if os.path.splitext(dictPath)[1].lower() == ".zip":
_ = zipfile.ZipFile(dictPath, 'r')
if len(_.namelist()) == 0:
errMsg = "no file(s) inside '%s'" % dictPath
raise SqlmapDataException(errMsg)
else:
_.open(_.namelist()[0])
kb.wordlists = dictPaths
except Exception, ex:
warnMsg = "there was a problem while loading dictionaries"
warnMsg += " ('%s')" % getSafeExString(ex)
logger.critical(warnMsg)
message = "do you want to use common password suffixes? (slow!) [y/N] "
if readInput(message, default='N', boolean=True):
suffix_list += COMMON_PASSWORD_SUFFIXES
infoMsg = "starting dictionary-based cracking (%s)" % __functions__[hash_regex].func_name
logger.info(infoMsg)
for item in attack_info:
((user, _), _) = item
if user and not user.startswith(DUMMY_USER_PREFIX):
custom_wordlist.append(normalizeUnicode(user))
# Algorithms without extra arguments (e.g. salt and/or username)
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC, HASH.SHA224_GENERIC, HASH.SHA256_GENERIC, HASH.SHA384_GENERIC, HASH.SHA512_GENERIC, HASH.APACHE_SHA1, HASH.VBULLETIN, HASH.VBULLETIN_OLD):
for suffix in suffix_list:
if not attack_info or processException:
break
if suffix:
clearConsoleLine()
infoMsg = "using suffix '%s'" % suffix
logger.info(infoMsg)
retVal = None
processes = []
try:
if _multiprocessing:
if _multiprocessing.cpu_count() > 1:
infoMsg = "starting %d processes " % _multiprocessing.cpu_count()
singleTimeLogMessage(infoMsg)
gc.disable()
retVal = _multiprocessing.Queue()
count = _multiprocessing.Value('i', _multiprocessing.cpu_count())
for i in xrange(_multiprocessing.cpu_count()):
process = _multiprocessing.Process(target=_bruteProcessVariantA, args=(attack_info, hash_regex, suffix, retVal, i, count, kb.wordlists, custom_wordlist, conf.api))
processes.append(process)
for process in processes:
process.daemon = True
process.start()
while count.value > 0:
time.sleep(0.5)
else:
warnMsg = "multiprocessing hash cracking is currently "
warnMsg += "not supported on this platform"
singleTimeWarnMessage(warnMsg)
retVal = Queue()
_bruteProcessVariantA(attack_info, hash_regex, suffix, retVal, 0, 1, kb.wordlists, custom_wordlist, conf.api)
except KeyboardInterrupt:
print
processException = True
warnMsg = "user aborted during dictionary-based attack phase (Ctrl+C was pressed)"
logger.warn(warnMsg)
for process in processes:
try:
process.terminate()
process.join()
except (OSError, AttributeError):
pass
finally:
if _multiprocessing:
gc.enable()
if retVal:
conf.hashDB.beginTransaction()
while not retVal.empty():
user, hash_, word = item = retVal.get(block=False)
attack_info = filter(lambda _: _[0][0] != user or _[0][1] != hash_, attack_info)
hashDBWrite(hash_, word)
results.append(item)
conf.hashDB.endTransaction()
clearConsoleLine()
else:
for ((user, hash_), kwargs) in attack_info:
if processException:
break
if any(_[0] == user and _[1] == hash_ for _ in results):
continue
count = 0
found = False
for suffix in suffix_list:
if found or processException:
break
if suffix:
clearConsoleLine()
infoMsg = "using suffix '%s'" % suffix
logger.info(infoMsg)
retVal = None
processes = []
try:
if _multiprocessing:
if _multiprocessing.cpu_count() > 1:
infoMsg = "starting %d processes " % _multiprocessing.cpu_count()
singleTimeLogMessage(infoMsg)
gc.disable()
retVal = _multiprocessing.Queue()
found_ = _multiprocessing.Value('i', False)
count = _multiprocessing.Value('i', _multiprocessing.cpu_count())
for i in xrange(_multiprocessing.cpu_count()):
process = _multiprocessing.Process(target=_bruteProcessVariantB, args=(user, hash_, kwargs, hash_regex, suffix, retVal, found_, i, count, kb.wordlists, custom_wordlist, conf.api))
processes.append(process)
for process in processes:
process.daemon = True
process.start()
while count.value > 0:
time.sleep(0.5)
found = found_.value != 0
else:
warnMsg = "multiprocessing hash cracking is currently "
warnMsg += "not supported on this platform"
singleTimeWarnMessage(warnMsg)
class Value():
pass
retVal = Queue()
found_ = Value()
found_.value = False
_bruteProcessVariantB(user, hash_, kwargs, hash_regex, suffix, retVal, found_, 0, 1, kb.wordlists, custom_wordlist, conf.api)
found = found_.value
except KeyboardInterrupt:
print
processException = True
warnMsg = "user aborted during dictionary-based attack phase (Ctrl+C was pressed)"
logger.warn(warnMsg)
for process in processes:
try:
process.terminate()
process.join()
except (OSError, AttributeError):
pass
finally:
if _multiprocessing:
gc.enable()
if retVal:
conf.hashDB.beginTransaction()
while not retVal.empty():
user, hash_, word = item = retVal.get(block=False)
hashDBWrite(hash_, word)
results.append(item)
conf.hashDB.endTransaction()
clearConsoleLine()
def getLargeWeakPassword():
return getFileItems(paths.LARGE_WEAK_PASS)
def getWeakPassword():
return getFileItems(paths.WEAK_PASS)
def tableExists(tableFile, regex=None):
tables = getFileItems(tableFile, lowercase=Backend.getIdentifiedDbms() in (DBMS.ACCESS), unique=True)
retVal = []
infoMsg = "checking table existence using items from '%s'" % tableFile
logger.info(infoMsg)
infoMsg = "adding words used on web page to the check list"
logger.info(infoMsg)
pageWords = getPageTextWordsSet(kb.originalPage)
for word in pageWords:
word = word.lower()
if len(word) > 2 and not word[0].isdigit() and word not in tables:
tables.append(word)
tables = filterListValue(tables, regex)
count = [0]
length = len(tables)
threads = []
items = set()
tbllock = threading.Lock()
iolock = threading.Lock()
kb.threadContinue = True
kb.bruteMode = True
def tableExistsThread():
while count[0] < length and kb.threadContinue:
tbllock.acquire()
table = safeSQLIdentificatorNaming(tables[count[0]])
count[0] += 1
tbllock.release()
if conf.db and not conf.db.endswith(METADB_SUFFIX):
fullTableName = "%s%s%s" % (conf.db, '..' if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) else '.', table)
else:
fullTableName = table
result = inject.checkBooleanExpression("%s" % safeStringFormat("EXISTS(SELECT %d FROM %s)", (randomInt(1), fullTableName)))
iolock.acquire()
if result and table.lower() not in items:
retVal.append(table)
items.add(table.lower())
dataToSessionFile("[%s][%s][%s][TABLE_EXISTS][%s]\n" % (conf.url,\
kb.injection.place, safeFormatString(conf.parameters[kb.injection.place]),\
safeFormatString(fullTableName)))
if conf.verbose in (1, 2):
clearConsoleLine(True)
infoMsg = "\r[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), table)
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = '%d/%d items (%d%s)' % (count[0], length, round(100.0*count[0]/length), '%')
dataToStdout("\r[%s] [INFO] tried %s" % (time.strftime("%X"), status), True)
iolock.release()
if conf.threads > 1:
infoMsg = "starting %d threads" % conf.threads
logger.info(infoMsg)
else:
message = "please enter number of threads? [Enter for %d (current)] " % conf.threads
choice = readInput(message, default=str(conf.threads))
if choice and choice.isdigit():
conf.threads = int(choice)
if conf.threads == 1:
warnMsg = "running in a single-thread mode. This could take a while."
logger.warn(warnMsg)
# Start the threads
for numThread in range(conf.threads):
thread = threading.Thread(target=tableExistsThread, name=str(numThread))
thread.start()
threads.append(thread)
# And wait for them to all finish
try:
alive = True
while alive:
alive = False
for thread in threads:
if thread.isAlive():
alive = True
thread.join(5)
except KeyboardInterrupt:
kb.threadContinue = False
kb.threadException = True
print
logger.debug("waiting for threads to finish")
warnMsg = "user aborted during common table existence check. "
warnMsg += "sqlmap will display some tables only"
logger.warn(warnMsg)
try:
while (threading.activeCount() > 1):
pass
except KeyboardInterrupt:
raise sqlmapThreadException, "user aborted"
finally:
kb.bruteMode = False
kb.threadContinue = True
kb.threadException = False
clearConsoleLine(True)
dataToStdout("\n")
if not retVal:
warnMsg = "no table found"
logger.warn(warnMsg)
else:
for item in retVal:
if not kb.data.cachedTables.has_key(conf.db):
kb.data.cachedTables[conf.db] = [item]
else:
kb.data.cachedTables[conf.db].append(item)
return kb.data.cachedTables
def columnExists(columnFile, regex=None):
if not conf.tbl:
errMsg = "missing table parameter"
raise sqlmapMissingMandatoryOptionException, errMsg
columns = getFileItems(columnFile, unique=True)
columns = filterListValue(columns, regex)
if conf.db and not conf.db.endswith(METADB_SUFFIX):
table = "%s%s%s" % (conf.db, '..' if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) else '.', conf.tbl)
else:
table = conf.tbl
table = safeSQLIdentificatorNaming(table)
retVal = []
infoMsg = "checking column existence using items from '%s'" % columnFile
logger.info(infoMsg)
count = [0]
length = len(columns)
threads = []
collock = threading.Lock()
iolock = threading.Lock()
kb.threadContinue = True
kb.bruteMode = True
def columnExistsThread():
while count[0] < length and kb.threadContinue:
collock.acquire()
column = safeSQLIdentificatorNaming(columns[count[0]])
count[0] += 1
collock.release()
result = inject.checkBooleanExpression("%s" % safeStringFormat("EXISTS(SELECT %s FROM %s)", (column, table)))
iolock.acquire()
if result:
retVal.append(column)
if conf.verbose in (1, 2):
clearConsoleLine(True)
infoMsg = "\r[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), column)
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = '%d/%d items (%d%s)' % (count[0], length, round(100.0*count[0]/length), '%')
dataToStdout("\r[%s] [INFO] tried %s" % (time.strftime("%X"), status), True)
iolock.release()
if conf.threads > 1:
infoMsg = "starting %d threads" % conf.threads
logger.info(infoMsg)
else:
message = "please enter number of threads? [Enter for %d (current)] " % conf.threads
choice = readInput(message, default=str(conf.threads))
if choice and choice.isdigit():
conf.threads = int(choice)
if conf.threads == 1:
warnMsg = "running in a single-thread mode. This could take a while."
logger.warn(warnMsg)
# Start the threads
for numThread in range(conf.threads):
thread = threading.Thread(target=columnExistsThread, name=str(numThread))
thread.start()
threads.append(thread)
# And wait for them to all finish
try:
alive = True
while alive:
alive = False
for thread in threads:
if thread.isAlive():
alive = True
thread.join(5)
except KeyboardInterrupt:
kb.threadContinue = False
kb.threadException = True
print
logger.debug("waiting for threads to finish")
warnMsg = "user aborted during common column existence check. "
warnMsg += "sqlmap will display some columns only"
logger.warn(warnMsg)
try:
while (threading.activeCount() > 1):
pass
except KeyboardInterrupt:
raise sqlmapThreadException, "user aborted"
finally:
kb.bruteMode = False
kb.threadContinue = True
kb.threadException = False
clearConsoleLine(True)
dataToStdout("\n")
if not retVal:
warnMsg = "no column found"
logger.warn(warnMsg)
else:
columns = {}
for column in retVal:
result = inject.checkBooleanExpression("%s" % safeStringFormat("EXISTS(SELECT %s FROM %s WHERE ROUND(%s)=ROUND(%s))", (column, table, column, column)))
if result:
columns[column] = 'numeric'
else:
columns[column] = 'non-numeric'
dataToSessionFile("[%s][%s][%s][COLUMN_EXISTS][%s|%s %s]\n" % (conf.url, kb.injection.place,\
safeFormatString(conf.parameters[kb.injection.place]), safeFormatString(table),\
safeFormatString(column), safeFormatString(columns[column])))
kb.data.cachedColumns[conf.db] = {conf.tbl: columns}
return kb.data.cachedColumns
def fileExists(pathFile):
retVal = []
message = "which common files file do you want to use?\n"
message += "[1] default '%s' (press Enter)\n" % pathFile
message += "[2] custom"
choice = readInput(message, default='1')
if choice == '2':
message = "what's the custom common files file location?\n"
pathFile = readInput(message) or pathFile
infoMsg = "checking files existence using items from '%s'" % pathFile
logger.info(infoMsg)
paths = getFileItems(pathFile, unique=True)
kb.bruteMode = True
try:
conf.dbmsHandler.readFile(randomStr())
except SqlmapNoneDataException:
pass
except:
kb.bruteMode = False
raise
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(paths)
threadData.shared.files = []
def fileExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
path = ntToPosixSlashes(paths[threadData.shared.count])
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
try:
result = unArrayizeValue(conf.dbmsHandler.readFile(path))
except SqlmapNoneDataException:
result = None
kb.locks.io.acquire()
if not isNoneValue(result):
threadData.shared.files.append(result)
if not conf.api:
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: '%s'\n" % (
time.strftime("%X"), path)
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = '%d/%d items (%d%%)' % (
threadData.shared.count, threadData.shared.limit,
round(100.0 * threadData.shared.count /
threadData.shared.limit))
dataToStdout(
"\r[%s] [INFO] tried %s" % (time.strftime("%X"), status),
True)
kb.locks.io.release()
try:
pushValue(logger.getEffectiveLevel())
logger.setLevel(logging.CRITICAL)
runThreads(conf.threads, fileExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = "user aborted during file existence "
warnMsg += "check. sqlmap will display partial output"
logger.warn(warnMsg)
finally:
kb.bruteMode = False
logger.setLevel(popValue())
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.files:
warnMsg = "no file(s) found"
logger.warn(warnMsg)
else:
retVal = threadData.shared.files
return retVal
def dictionaryAttack(attack_dict):
suffix_list = [""]
custom_wordlist = [""]
hash_regexes = []
results = []
resumes = []
user_hash = []
processException = False
foundHash = False
for (_, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
hash_ = hash_.split()[0] if hash_ and hash_.strip() else hash_
regex = hashRecognition(hash_)
if regex and regex not in hash_regexes:
hash_regexes.append(regex)
infoMsg = u"使用哈希hash方法 '%s'" % __functions__[regex].func_name
logger.info(infoMsg)
for hash_regex in hash_regexes:
keys = set()
attack_info = []
for (user, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
foundHash = True
hash_ = hash_.split()[0] if hash_ and hash_.strip() else hash_
if re.match(hash_regex, hash_):
item = None
if hash_regex not in (HASH.CRYPT_GENERIC, HASH.WORDPRESS):
hash_ = hash_.lower()
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD,
HASH.MD5_GENERIC, HASH.SHA1_GENERIC):
item = [(user, hash_), {}]
elif hash_regex in (HASH.ORACLE_OLD, HASH.POSTGRES):
item = [(user, hash_), {'username': user}]
elif hash_regex in (HASH.ORACLE, ):
item = [(user, hash_), {'salt': hash_[-20:]}]
elif hash_regex in (HASH.MSSQL, HASH.MSSQL_OLD,
HASH.MSSQL_NEW):
item = [(user, hash_), {'salt': hash_[6:14]}]
elif hash_regex in (HASH.CRYPT_GENERIC, ):
item = [(user, hash_), {'salt': hash_[0:2]}]
elif hash_regex in (HASH.WORDPRESS, ):
if ITOA64.index(hash_[3]) < 32:
item = [(user, hash_), {
'salt': hash_[4:12],
'count': 1 << ITOA64.index(hash_[3]),
'prefix': hash_[:12]
}]
else:
warnMsg = "invalid hash '%s'" % hash_
logger.warn(warnMsg)
if item and hash_ not in keys:
resumed = hashDBRetrieve(hash_)
if not resumed:
attack_info.append(item)
user_hash.append(item[0])
else:
infoMsg = u"正在恢复哈希'%s'的密码'%s'" % (hash_, resumed)
if user and not user.startswith(DUMMY_USER_PREFIX):
infoMsg += u",对于用户'%s'" % user
logger.info(infoMsg)
resumes.append((user, hash_, resumed))
keys.add(hash_)
if not attack_info:
continue
if not kb.wordlists:
while not kb.wordlists:
# the slowest of all methods hence smaller default dict
if hash_regex in (HASH.ORACLE_OLD, HASH.WORDPRESS):
dictPaths = [paths.SMALL_DICT]
else:
dictPaths = [paths.WORDLIST]
message = u"你想要使用什么字典??\n"
message += u"[1] 默认字典文件 '%s' (按回车)\n" % dictPaths[0]
message += u"[2] 自定义字典文件\n"
message += u"[3] 文件与字典文件列表"
choice = readInput(message, default='1')
try:
if choice == '2':
message = u"自定义字典位置?\n"
_ = readInput(message)
if _:
dictPaths = [readInput(message)]
logger.info(u"使用自定义字典")
elif choice == '3':
message = u"列表文件位置?\n"
listPath = readInput(message)
checkFile(listPath)
dictPaths = getFileItems(listPath)
logger.info(u"使用自定义的字典列表")
else:
logger.info(u"使用默认字典")
dictPaths = filter(None, dictPaths)
for dictPath in dictPaths:
checkFile(dictPath)
if os.path.splitext(dictPath)[1].lower() == ".zip":
_ = zipfile.ZipFile(dictPath, 'r')
if len(_.namelist()) == 0:
errMsg = u"'%s'内没有文件" % dictPath
raise SqlmapDataException(errMsg)
else:
_.open(_.namelist()[0])
kb.wordlists = dictPaths
except Exception, ex:
warnMsg = u"加载字典('%s')时出现问题" % getSafeExString(ex)
logger.critical(warnMsg)
message = u"你想使用常用的密码后缀吗? (slow!) [y/N] "
if readInput(message, default='N', boolean=True):
suffix_list += COMMON_PASSWORD_SUFFIXES
infoMsg = u"开始基于字典的破解(%s)" % __functions__[hash_regex].func_name
logger.info(infoMsg)
for item in attack_info:
((user, _), _) = item
if user and not user.startswith(DUMMY_USER_PREFIX):
custom_wordlist.append(normalizeUnicode(user))
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC,
HASH.SHA1_GENERIC):
for suffix in suffix_list:
if not attack_info or processException:
break
if suffix:
clearConsoleLine()
infoMsg = u"使用后缀 '%s'" % suffix
logger.info(infoMsg)
retVal = None
processes = []
try:
if _multiprocessing:
if _multiprocessing.cpu_count() > 1:
infoMsg = u"启动%d个进程" % _multiprocessing.cpu_count()
singleTimeLogMessage(infoMsg)
gc.disable()
retVal = _multiprocessing.Queue()
count = _multiprocessing.Value(
'i', _multiprocessing.cpu_count())
for i in xrange(_multiprocessing.cpu_count()):
process = _multiprocessing.Process(
target=_bruteProcessVariantA,
args=(attack_info, hash_regex, suffix, retVal,
i, count, kb.wordlists, custom_wordlist,
conf.api))
processes.append(process)
for process in processes:
process.daemon = True
process.start()
while count.value > 0:
time.sleep(0.5)
else:
warnMsg = u"此平台目前不支持多进程哈希破解"
singleTimeWarnMessage(warnMsg)
retVal = Queue()
_bruteProcessVariantA(attack_info, hash_regex, suffix,
retVal, 0, 1, kb.wordlists,
custom_wordlist, conf.api)
except KeyboardInterrupt:
print
processException = True
warnMsg = u"用户在基于字典的攻击阶段中中止(Ctrl + C被按下)"
logger.warn(warnMsg)
for process in processes:
try:
process.terminate()
process.join()
except (OSError, AttributeError):
pass
finally:
if _multiprocessing:
gc.enable()
if retVal:
conf.hashDB.beginTransaction()
while not retVal.empty():
user, hash_, word = item = retVal.get(block=False)
attack_info = filter(
lambda _: _[0][0] != user or _[0][1] != hash_,
attack_info)
hashDBWrite(hash_, word)
results.append(item)
conf.hashDB.endTransaction()
clearConsoleLine()
else:
for ((user, hash_), kwargs) in attack_info:
if processException:
break
if any(_[0] == user and _[1] == hash_ for _ in results):
continue
count = 0
found = False
for suffix in suffix_list:
if found or processException:
break
if suffix:
clearConsoleLine()
infoMsg = u"使用后缀 '%s'" % suffix
logger.info(infoMsg)
retVal = None
processes = []
try:
if _multiprocessing:
if _multiprocessing.cpu_count() > 1:
infoMsg = u"启动%d个进程 " % _multiprocessing.cpu_count(
)
singleTimeLogMessage(infoMsg)
gc.disable()
retVal = _multiprocessing.Queue()
found_ = _multiprocessing.Value('i', False)
count = _multiprocessing.Value(
'i', _multiprocessing.cpu_count())
for i in xrange(_multiprocessing.cpu_count()):
process = _multiprocessing.Process(
target=_bruteProcessVariantB,
args=(user, hash_, kwargs, hash_regex,
suffix, retVal, found_, i, count,
kb.wordlists, custom_wordlist,
conf.api))
processes.append(process)
for process in processes:
process.daemon = True
process.start()
while count.value > 0:
time.sleep(0.5)
found = found_.value != 0
else:
warnMsg = u"此平台目前不支持多进程哈希破解"
singleTimeWarnMessage(warnMsg)
class Value():
pass
retVal = Queue()
found_ = Value()
found_.value = False
_bruteProcessVariantB(user, hash_, kwargs,
hash_regex, suffix, retVal,
found_, 0, 1, kb.wordlists,
custom_wordlist, conf.api)
found = found_.value
except KeyboardInterrupt:
print
processException = True
warnMsg = u"用户在基于字典的攻击阶段中中止(Ctrl + C被按下)"
logger.warn(warnMsg)
for process in processes:
try:
process.terminate()
process.join()
except (OSError, AttributeError):
pass
finally:
if _multiprocessing:
gc.enable()
if retVal:
conf.hashDB.beginTransaction()
while not retVal.empty():
user, hash_, word = item = retVal.get(
block=False)
hashDBWrite(hash_, word)
results.append(item)
conf.hashDB.endTransaction()
clearConsoleLine()
def dictionaryAttack(attack_dict):
suffix_list = [""]
hash_regexes = []
results = []
for (_, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
hash_ = hash_.split()[0]
regex = hashRecognition(hash_)
if regex and regex not in hash_regexes:
hash_regexes.append(regex)
infoMsg = "using hash method: '%s'" % __functions__[
regex].func_name
logger.info(infoMsg)
for hash_regex in hash_regexes:
attack_info = []
for (user, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
hash_ = hash_.split()[0]
if getCompiledRegex(hash_regex).match(hash_):
hash_ = hash_.lower()
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD,
HASH.MD5_GENERIC, HASH.SHA1_GENERIC):
attack_info.append([(user, hash_), {}])
elif hash_regex in (HASH.ORACLE_OLD, HASH.POSTGRES):
attack_info.append([(user, hash_), {'username': user}])
elif hash_regex in (HASH.ORACLE):
attack_info.append([(user, hash_), {
'salt': hash_[-20:]
}])
elif hash_regex in (HASH.MSSQL, HASH.MSSQL_OLD):
attack_info.append([(user, hash_), {
'salt': hash_[6:14]
}])
elif hash_regex in (HASH.CRYPT_GENERIC):
attack_info.append([(user, hash_), {
'salt': hash_[0:2]
}])
if not attack_info:
continue
if not kb.wordlist:
if hash_regex == HASH.ORACLE_OLD: #it's the slowest of all methods hence smaller default dict
message = "what's the dictionary's location? [%s]" % paths.ORACLE_DEFAULT_PASSWD
dictpath = readInput(message,
default=paths.ORACLE_DEFAULT_PASSWD)
else:
message = "what's the dictionary's location? [%s]" % paths.WORDLIST
dictpath = readInput(message, default=paths.WORDLIST)
checkFile(dictpath)
infoMsg = "loading dictionary from: '%s'" % dictpath
logger.info(infoMsg)
kb.wordlist = getFileItems(dictpath, None, False)
message = "do you want to use common password suffixes? (slow!) [y/N] "
test = readInput(message, default="N")
if test[0] in ("y", "Y"):
suffix_list += COMMON_PASSWORD_SUFFIXES
infoMsg = "starting dictionary attack (%s)" % __functions__[
hash_regex].func_name
logger.info(infoMsg)
for item in attack_info:
((user, _), _) = item
kb.wordlist.append(normalizeUnicode(user))
length = len(kb.wordlist) * len(suffix_list)
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC,
HASH.SHA1_GENERIC):
count = 0
for suffix in suffix_list:
if not attack_info:
break
for word in kb.wordlist:
if not attack_info:
break
count += 1
if suffix:
word = word + suffix
try:
current = __functions__[hash_regex](password=word,
uppercase=False)
for item in attack_info:
((user, hash_), _) = item
if hash_ == current:
results.append((user, hash_, word))
clearConsoleLine()
infoMsg = "[%s] [INFO] found: '%s'" % (
time.strftime("%X"), word)
if user and not user.startswith(
DUMMY_USER_PREFIX):
infoMsg += " for user: '******'\n" % user
else:
infoMsg += " for hash: '%s'\n" % hash_
dataToStdout(infoMsg, True)
attack_info.remove(item)
elif count % HASH_MOD_ITEM_DISPLAY == 0 or count == length or hash_regex in (
HASH.ORACLE_OLD
) or hash_regex == HASH.CRYPT_GENERIC and IS_WIN:
status = '%d/%d words (%d%s)' % (
count, length, round(
100.0 * count / length), '%')
dataToStdout("\r[%s] [INFO] %s" %
(time.strftime("%X"), status))
except KeyboardInterrupt:
print
warnMsg = "user aborted during dictionary attack phase"
logger.warn(warnMsg)
return results
except:
warnMsg = "there was a problem while hashing entry: %s. " % repr(
word)
warnMsg += "Please report by e-mail to %s." % ML
logger.critical(warnMsg)
clearConsoleLine()
else:
for ((user, hash_), kwargs) in attack_info:
count = 0
found = False
for suffix in suffix_list:
if found:
break
for word in kb.wordlist:
current = __functions__[hash_regex](password=word,
uppercase=False,
**kwargs)
count += 1
if suffix:
word = word + suffix
try:
if hash_ == current:
if regex == HASH.ORACLE_OLD: #only for cosmetic purposes
word = word.upper()
results.append((user, hash_, word))
clearConsoleLine()
infoMsg = "[%s] [INFO] found: '%s'" % (
time.strftime("%X"), word)
if user and not user.startswith(
DUMMY_USER_PREFIX):
infoMsg += " for user: '******'\n" % user
else:
infoMsg += " for hash: '%s'\n" % hash_
dataToStdout(infoMsg, True)
found = True
break
elif count % HASH_MOD_ITEM_DISPLAY == 0 or count == length or hash_regex in (
HASH.ORACLE_OLD
) or hash_regex == HASH.CRYPT_GENERIC and IS_WIN:
status = '%d/%d words (%d%s)' % (
count, length, round(
100.0 * count / length), '%')
if not user.startswith(DUMMY_USER_PREFIX):
status += ' (user: %s)' % user
dataToStdout("\r[%s] [INFO] %s" %
(time.strftime("%X"), status))
except KeyboardInterrupt:
print
warnMsg = "user aborted during dictionary attack phase"
logger.warn(warnMsg)
return results
except:
warnMsg = "there was a problem while hashing entry: %s. " % repr(
word)
warnMsg += "Please report by e-mail to %s." % ML
logger.critical(warnMsg)
clearConsoleLine()
if len(hash_regexes) == 0:
warnMsg = "unknown hash Format. "
warnMsg += "Please report by e-mail to %s." % ML
logger.warn(warnMsg)
if len(results) == 0:
warnMsg = "no clear password(s) found"
logger.warn(warnMsg)
return results
def dictionaryAttack(attack_dict):
suffix_list = [""]
custom_wordlist = []
hash_regexes = []
results = []
resumes = []
processException = False
user_hash = []
for (_, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
hash_ = hash_.split()[0]
regex = hashRecognition(hash_)
if regex and regex not in hash_regexes:
hash_regexes.append(regex)
infoMsg = "using hash method '%s'" % __functions__[
regex].func_name
logger.info(infoMsg)
for hash_regex in hash_regexes:
keys = set()
attack_info = []
for (user, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
hash_ = hash_.split()[0]
if re.match(hash_regex, hash_):
item = None
if hash_regex not in (HASH.CRYPT_GENERIC, HASH.WORDPRESS):
hash_ = hash_.lower()
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD,
HASH.MD5_GENERIC, HASH.SHA1_GENERIC):
item = [(user, hash_), {}]
elif hash_regex in (HASH.ORACLE_OLD, HASH.POSTGRES):
item = [(user, hash_), {'username': user}]
elif hash_regex in (HASH.ORACLE):
item = [(user, hash_), {'salt': hash_[-20:]}]
elif hash_regex in (HASH.MSSQL, HASH.MSSQL_OLD):
item = [(user, hash_), {'salt': hash_[6:14]}]
elif hash_regex in (HASH.CRYPT_GENERIC):
item = [(user, hash_), {'salt': hash_[0:2]}]
elif hash_regex in (HASH.WORDPRESS):
item = [(user, hash_), {
'salt': hash_[4:12],
'count': 1 << ITOA64.index(hash_[3]),
'prefix': hash_[:12]
}]
if item and hash_ not in keys:
resumed = hashDBRetrieve(hash_)
if not resumed:
attack_info.append(item)
user_hash.append(item[0])
else:
infoMsg = "resuming password '%s' for hash '%s'" % (
resumed, hash_)
if user and not user.startswith(DUMMY_USER_PREFIX):
infoMsg += " for user '%s'" % user
logger.info(infoMsg)
resumes.append((user, hash_, resumed))
keys.add(hash_)
if not attack_info:
continue
if not kb.wordlists:
while not kb.wordlists:
# the slowest of all methods hence smaller default dict
if hash_regex in (HASH.ORACLE_OLD, HASH.WORDPRESS):
dictPaths = [paths.SMALL_DICT]
else:
dictPaths = [paths.WORDLIST]
message = "what dictionary do you want to use?\n"
message += "[1] default dictionary file '%s' (press Enter)\n" % dictPaths[
0]
message += "[2] custom dictionary file\n"
message += "[3] file with list of dictionary files"
choice = readInput(message, default="1")
try:
if choice == "2":
message = "what's the custom dictionary's location?\n"
dictPaths = [readInput(message)]
logger.info("using custom dictionary")
elif choice == "3":
message = "what's the list file location?\n"
listPath = readInput(message)
checkFile(listPath)
dictPaths = getFileItems(listPath)
logger.info("using custom list of dictionaries")
else:
logger.info("using default dictionary")
for dictPath in dictPaths:
checkFile(dictPath)
kb.wordlists = dictPaths
except sqlmapFilePathException, msg:
warnMsg = "there was a problem while loading dictionaries"
warnMsg += " ('%s')" % msg
logger.critical(warnMsg)
message = "do you want to use common password suffixes? (slow!) [y/N] "
test = readInput(message, default="N")
if test[0] in ("y", "Y"):
suffix_list += COMMON_PASSWORD_SUFFIXES
infoMsg = "starting dictionary-based cracking (%s)" % __functions__[
hash_regex].func_name
logger.info(infoMsg)
for item in attack_info:
((user, _), _) = item
if user and not user.startswith(DUMMY_USER_PREFIX):
custom_wordlist.append(normalizeUnicode(user))
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC,
HASH.SHA1_GENERIC):
for suffix in suffix_list:
if not attack_info or processException:
break
if suffix:
clearConsoleLine()
infoMsg = "using suffix '%s'" % suffix
logger.info(infoMsg)
retVal = None
processes = []
try:
if _multiprocessing:
if _multiprocessing.cpu_count() > 1:
infoMsg = "starting %d processes " % _multiprocessing.cpu_count(
)
singleTimeLogMessage(infoMsg)
retVal = _multiprocessing.Queue()
count = _multiprocessing.Value(
'i', _multiprocessing.cpu_count())
for i in xrange(_multiprocessing.cpu_count()):
p = _multiprocessing.Process(
target=__bruteProcessVariantA,
args=(attack_info, hash_regex, suffix, retVal,
i, count, kb.wordlists, custom_wordlist))
processes.append(p)
for p in processes:
p.start()
for p in processes:
p.join()
else:
warnMsg = "multiprocessing hash cracking is currently "
warnMsg += "not supported on this platform"
singleTimeWarnMessage(warnMsg)
retVal = Queue()
__bruteProcessVariantA(attack_info, hash_regex, suffix,
retVal, 0, 1, kb.wordlists,
custom_wordlist)
except KeyboardInterrupt:
print
processException = True
warnMsg = "user aborted during dictionary-based attack phase (Ctrl+C was pressed)"
logger.warn(warnMsg)
for process in processes:
try:
process.terminate()
process.join()
except OSError:
pass
finally:
if retVal:
conf.hashDB.beginTransaction()
while not retVal.empty():
user, hash_, word = item = retVal.get(block=False)
attack_info = filter(
lambda _: _[0][0] != user or _[0][1] != hash_,
attack_info)
hashDBWrite(hash_, word)
results.append(item)
conf.hashDB.endTransaction()
clearConsoleLine()
else:
for ((user, hash_), kwargs) in attack_info:
if processException:
break
if any(_[0] == user and _[1] == hash_ for _ in results):
continue
count = 0
found = False
for suffix in suffix_list:
if found or processException:
break
if suffix:
clearConsoleLine()
infoMsg = "using suffix '%s'" % suffix
logger.info(infoMsg)
retVal = None
processes = []
try:
if _multiprocessing:
if _multiprocessing.cpu_count() > 1:
infoMsg = "starting %d processes " % _multiprocessing.cpu_count(
)
singleTimeLogMessage(infoMsg)
retVal = _multiprocessing.Queue()
found_ = _multiprocessing.Value('i', False)
count = _multiprocessing.Value(
'i', _multiprocessing.cpu_count())
for i in xrange(_multiprocessing.cpu_count()):
p = _multiprocessing.Process(
target=__bruteProcessVariantB,
args=(user, hash_, kwargs, hash_regex,
suffix, retVal, found_, i, count,
kb.wordlists, custom_wordlist))
processes.append(p)
for p in processes:
p.start()
for p in processes:
p.join()
found = found_.value != 0
else:
warnMsg = "multiprocessing hash cracking is currently "
warnMsg += "not supported on this platform"
singleTimeWarnMessage(warnMsg)
class Value():
pass
retVal = Queue()
found_ = Value()
found_.value = False
__bruteProcessVariantB(user, hash_, kwargs,
hash_regex, suffix, retVal,
found_, 0, 1, kb.wordlists,
custom_wordlist)
found = found_.value
except KeyboardInterrupt:
print
processException = True
warnMsg = "user aborted during dictionary-based attack phase (Ctrl+C was pressed)"
logger.warn(warnMsg)
for process in processes:
try:
process.terminate()
process.join()
except OSError:
pass
finally:
if retVal:
conf.hashDB.beginTransaction()
while not retVal.empty():
user, hash_, word = item = retVal.get(
block=False)
hashDBWrite(hash_, word)
results.append(item)
conf.hashDB.endTransaction()
clearConsoleLine()
def tableExists(tableFile, regex=None):
if kb.tableExistsChoice is None and not any(_ for _ in kb.injection.data if _ not in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED)) and not conf.direct:
warnMsg = "it's not recommended to use '%s' and/or '%s' " % (PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.TIME], PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.STACKED])
warnMsg += "for common table existence check"
logger.warn(warnMsg)
message = "are you sure you want to continue? [y/N] "
kb.tableExistsChoice = readInput(message, default='N', boolean=True)
if not kb.tableExistsChoice:
return None
result = inject.checkBooleanExpression("%s" % safeStringFormat(BRUTE_TABLE_EXISTS_TEMPLATE, (randomInt(1), randomStr())))
if conf.db and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
conf.db = conf.db.upper()
if result:
errMsg = "can't use table existence check because of detected invalid results "
errMsg += "(most likely caused by inability of the used injection "
errMsg += "to distinguish erroneous results)"
raise SqlmapDataException(errMsg)
message = "which common tables (wordlist) file do you want to use?\n"
message += "[1] default '%s' (press Enter)\n" % tableFile
message += "[2] custom"
choice = readInput(message, default='1')
if choice == '2':
message = "what's the custom common tables file location?\n"
tableFile = readInput(message) or tableFile
infoMsg = "checking table existence using items from '%s'" % tableFile
logger.info(infoMsg)
tables = getFileItems(tableFile, lowercase=Backend.getIdentifiedDbms() in (DBMS.ACCESS,), unique=True)
tables.extend(_addPageTextWords())
tables = filterListValue(tables, regex)
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(tables)
threadData.shared.value = []
threadData.shared.unique = set()
def tableExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
table = safeSQLIdentificatorNaming(tables[threadData.shared.count], True)
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
if conf.db and METADB_SUFFIX not in conf.db and Backend.getIdentifiedDbms() not in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
fullTableName = "%s.%s" % (conf.db, table)
else:
fullTableName = table
result = inject.checkBooleanExpression("%s" % safeStringFormat(BRUTE_TABLE_EXISTS_TEMPLATE, (randomInt(1), fullTableName)))
kb.locks.io.acquire()
if result and table.lower() not in threadData.shared.unique:
threadData.shared.value.append(table)
threadData.shared.unique.add(table.lower())
if conf.verbose in (1, 2) and not conf.api:
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), unsafeSQLIdentificatorNaming(table))
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = '%d/%d items (%d%%)' % (threadData.shared.count, threadData.shared.limit, round(100.0 * threadData.shared.count / threadData.shared.limit))
dataToStdout("\r[%s] [INFO] tried %s" % (time.strftime("%X"), status), True)
kb.locks.io.release()
try:
runThreads(conf.threads, tableExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = "user aborted during table existence "
warnMsg += "check. sqlmap will display partial output"
logger.warn(warnMsg)
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.value:
warnMsg = "no table(s) found"
logger.warn(warnMsg)
else:
for item in threadData.shared.value:
if conf.db not in kb.data.cachedTables:
kb.data.cachedTables[conf.db] = [item]
else:
kb.data.cachedTables[conf.db].append(item)
for _ in ((conf.db, item) for item in threadData.shared.value):
if _ not in kb.brute.tables:
kb.brute.tables.append(_)
hashDBWrite(HASHDB_KEYS.KB_BRUTE_TABLES, kb.brute.tables, True)
return kb.data.cachedTables
def __setKnowledgeBaseAttributes():
"""
This function set some needed attributes into the knowledge base
singleton.
"""
debugMsg = "initializing the knowledge base"
logger.debug(debugMsg)
kb.absFilePaths = set()
kb.assumeEmpty = False
kb.authHeader = None
kb.bannerFp = advancedDict()
kb.cache = advancedDict()
kb.cache.content = {}
kb.cache.regex = {}
kb.commonOutputs = None
kb.data = advancedDict()
# Basic back-end DBMS fingerprint
kb.dbms = None
kb.dbmsDetected = False
# Active (extensive) back-end DBMS fingerprint
kb.dbmsVersion = [ "Unknown" ]
kb.dep = None
kb.docRoot = None
kb.dynamicMarkings = []
kb.errorTest = None
kb.formNames = advancedDict()
kb.headersCount = 0
kb.headersFp = {}
kb.hintValue = None
kb.htmlFp = []
kb.injParameter = None
kb.injPlace = None
kb.injType = None
kb.injections = xmlobject.XMLFile(path=paths.INJECTIONS_XML)
kb.keywords = set(getFileItems(paths.SQL_KEYWORDS))
kb.lastErrorPage = None
kb.lastRequestUID = 0
kb.locks = advancedDict()
kb.locks.cacheLock = threading.Lock()
kb.locks.reqLock = threading.Lock()
kb.locks.seqLock = None
kb.nullConnection = None
# Back-end DBMS underlying operating system fingerprint via banner (-b)
# parsing
kb.os = None
kb.osVersion = None
kb.osSP = None
kb.pageStable = None
kb.paramMatchRatio = {}
kb.parenthesis = None
kb.partRun = None
kb.proxyAuthHeader = None
kb.queryCounter = 0
kb.resumedQueries = {}
kb.stackedTest = None
kb.tamperFunctions = []
kb.targetUrls = set()
kb.testedParams = set()
kb.timeTest = None
kb.unionComment = ""
kb.unionCount = None
kb.unionPosition = None
kb.unionNegative = False
kb.unionFalseCond = False
kb.unionTest = None
kb.userAgents = None
kb.valueStack = []
def dictionaryAttack(attack_dict):
suffix_list = [""]
custom_wordlist = [""]
hash_regexes = []
results = []
resumes = []
user_hash = []
processException = False
foundHash = False
for (_, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
hash_ = hash_.split()[0] if hash_ and hash_.strip() else hash_
regex = hashRecognition(hash_)
if regex and regex not in hash_regexes:
hash_regexes.append(regex)
infoMsg = "using hash method '%s'" % __functions__[
regex].func_name
logger.info(infoMsg)
for hash_regex in hash_regexes:
keys = set()
attack_info = []
for (user, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
foundHash = True
hash_ = hash_.split()[0] if hash_ and hash_.strip() else hash_
if re.match(hash_regex, hash_):
try:
item = None
if hash_regex not in (
HASH.CRYPT_GENERIC, HASH.JOOMLA,
HASH.WORDPRESS, HASH.UNIX_MD5_CRYPT,
HASH.APACHE_MD5_CRYPT, HASH.APACHE_SHA1,
HASH.VBULLETIN, HASH.VBULLETIN_OLD, HASH.SSHA,
HASH.SSHA256, HASH.SSHA512, HASH.DJANGO_MD5,
HASH.DJANGO_SHA1, HASH.MD5_BASE64,
HASH.SHA1_BASE64, HASH.SHA256_BASE64,
HASH.SHA512_BASE64):
hash_ = hash_.lower()
if hash_regex in (HASH.MD5_BASE64, HASH.SHA1_BASE64,
HASH.SHA256_BASE64,
HASH.SHA512_BASE64):
item = [(user,
hash_.decode("base64").encode("hex")), {}]
elif hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD,
HASH.MD5_GENERIC,
HASH.SHA1_GENERIC,
HASH.APACHE_SHA1):
item = [(user, hash_), {}]
elif hash_regex in (HASH.SSHA, ):
item = [(user, hash_), {
"salt": hash_.decode("base64")[20:]
}]
elif hash_regex in (HASH.SSHA256, ):
item = [(user, hash_), {
"salt": hash_.decode("base64")[32:]
}]
elif hash_regex in (HASH.SSHA512, ):
item = [(user, hash_), {
"salt": hash_.decode("base64")[64:]
}]
elif hash_regex in (HASH.ORACLE_OLD, HASH.POSTGRES):
item = [(user, hash_), {'username': user}]
elif hash_regex in (HASH.ORACLE, ):
item = [(user, hash_), {"salt": hash_[-20:]}]
elif hash_regex in (HASH.MSSQL, HASH.MSSQL_OLD,
HASH.MSSQL_NEW):
item = [(user, hash_), {"salt": hash_[6:14]}]
elif hash_regex in (HASH.CRYPT_GENERIC, ):
item = [(user, hash_), {"salt": hash_[0:2]}]
elif hash_regex in (HASH.UNIX_MD5_CRYPT,
HASH.APACHE_MD5_CRYPT):
item = [(user, hash_), {
"salt": hash_.split('$')[2],
"magic": "$%s$" % hash_.split('$')[1]
}]
elif hash_regex in (HASH.JOOMLA, HASH.VBULLETIN,
HASH.VBULLETIN_OLD):
item = [(user, hash_), {
"salt": hash_.split(':')[-1]
}]
elif hash_regex in (HASH.DJANGO_MD5, HASH.DJANGO_SHA1):
item = [(user, hash_), {
"salt": hash_.split('$')[1]
}]
elif hash_regex in (HASH.WORDPRESS, ):
if ITOA64.index(hash_[3]) < 32:
item = [(user, hash_), {
"salt": hash_[4:12],
"count": 1 << ITOA64.index(hash_[3]),
"prefix": hash_[:12]
}]
else:
warnMsg = "invalid hash '%s'" % hash_
logger.warn(warnMsg)
if item and hash_ not in keys:
resumed = hashDBRetrieve(hash_)
if not resumed:
attack_info.append(item)
user_hash.append(item[0])
else:
infoMsg = "resuming password '%s' for hash '%s'" % (
resumed, hash_)
if user and not user.startswith(
DUMMY_USER_PREFIX):
infoMsg += " for user '%s'" % user
logger.info(infoMsg)
resumes.append((user, hash_, resumed))
keys.add(hash_)
except (binascii.Error, IndexError):
pass
if not attack_info:
continue
if not kb.wordlists:
while not kb.wordlists:
# the slowest of all methods hence smaller default dict
if hash_regex in (HASH.ORACLE_OLD, ):
dictPaths = [paths.SMALL_DICT]
else:
dictPaths = [paths.WORDLIST]
message = "what dictionary do you want to use?\n"
message += "[1] default dictionary file '%s' (press Enter)\n" % dictPaths[
0]
message += "[2] custom dictionary file\n"
message += "[3] file with list of dictionary files"
choice = readInput(message, default='1')
try:
if choice == '2':
message = "what's the custom dictionary's location?\n"
dictPath = readInput(message)
if dictPath:
dictPaths = [dictPath]
logger.info("using custom dictionary")
elif choice == '3':
message = "what's the list file location?\n"
listPath = readInput(message)
checkFile(listPath)
dictPaths = getFileItems(listPath)
logger.info("using custom list of dictionaries")
else:
logger.info("using default dictionary")
dictPaths = filter(None, dictPaths)
for dictPath in dictPaths:
checkFile(dictPath)
if os.path.splitext(dictPath)[1].lower() == ".zip":
_ = zipfile.ZipFile(dictPath, 'r')
if len(_.namelist()) == 0:
errMsg = "no file(s) inside '%s'" % dictPath
raise SqlmapDataException(errMsg)
else:
_.open(_.namelist()[0])
kb.wordlists = dictPaths
except Exception, ex:
warnMsg = "there was a problem while loading dictionaries"
warnMsg += " ('%s')" % getSafeExString(ex)
logger.critical(warnMsg)
message = "do you want to use common password suffixes? (slow!) [y/N] "
if readInput(message, default='N', boolean=True):
suffix_list += COMMON_PASSWORD_SUFFIXES
infoMsg = "starting dictionary-based cracking (%s)" % __functions__[
hash_regex].func_name
logger.info(infoMsg)
for item in attack_info:
((user, _), _) = item
if user and not user.startswith(DUMMY_USER_PREFIX):
custom_wordlist.append(normalizeUnicode(user))
# Algorithms without extra arguments (e.g. salt and/or username)
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC,
HASH.SHA1_GENERIC, HASH.SHA224_GENERIC,
HASH.SHA256_GENERIC, HASH.SHA384_GENERIC,
HASH.SHA512_GENERIC, HASH.APACHE_SHA1,
HASH.VBULLETIN, HASH.VBULLETIN_OLD):
for suffix in suffix_list:
if not attack_info or processException:
break
if suffix:
clearConsoleLine()
infoMsg = "using suffix '%s'" % suffix
logger.info(infoMsg)
retVal = None
processes = []
try:
if _multiprocessing:
if _multiprocessing.cpu_count() > 1:
infoMsg = "starting %d processes " % _multiprocessing.cpu_count(
)
singleTimeLogMessage(infoMsg)
gc.disable()
retVal = _multiprocessing.Queue()
count = _multiprocessing.Value(
'i', _multiprocessing.cpu_count())
for i in xrange(_multiprocessing.cpu_count()):
process = _multiprocessing.Process(
target=_bruteProcessVariantA,
args=(attack_info, hash_regex, suffix, retVal,
i, count, kb.wordlists, custom_wordlist,
conf.api))
processes.append(process)
for process in processes:
process.daemon = True
process.start()
while count.value > 0:
time.sleep(0.5)
else:
warnMsg = "multiprocessing hash cracking is currently "
warnMsg += "not supported on this platform"
singleTimeWarnMessage(warnMsg)
retVal = Queue()
_bruteProcessVariantA(attack_info, hash_regex, suffix,
retVal, 0, 1, kb.wordlists,
custom_wordlist, conf.api)
except KeyboardInterrupt:
print
processException = True
warnMsg = "user aborted during dictionary-based attack phase (Ctrl+C was pressed)"
logger.warn(warnMsg)
for process in processes:
try:
process.terminate()
process.join()
except (OSError, AttributeError):
pass
finally:
if _multiprocessing:
gc.enable()
if retVal:
conf.hashDB.beginTransaction()
while not retVal.empty():
user, hash_, word = item = retVal.get(block=False)
attack_info = filter(
lambda _: _[0][0] != user or _[0][1] != hash_,
attack_info)
hashDBWrite(hash_, word)
results.append(item)
conf.hashDB.endTransaction()
clearConsoleLine()
else:
for ((user, hash_), kwargs) in attack_info:
if processException:
break
if any(_[0] == user and _[1] == hash_ for _ in results):
continue
count = 0
found = False
for suffix in suffix_list:
if found or processException:
break
if suffix:
clearConsoleLine()
infoMsg = "using suffix '%s'" % suffix
logger.info(infoMsg)
retVal = None
processes = []
try:
if _multiprocessing:
if _multiprocessing.cpu_count() > 1:
infoMsg = "starting %d processes " % _multiprocessing.cpu_count(
)
singleTimeLogMessage(infoMsg)
gc.disable()
retVal = _multiprocessing.Queue()
found_ = _multiprocessing.Value('i', False)
count = _multiprocessing.Value(
'i', _multiprocessing.cpu_count())
for i in xrange(_multiprocessing.cpu_count()):
process = _multiprocessing.Process(
target=_bruteProcessVariantB,
args=(user, hash_, kwargs, hash_regex,
suffix, retVal, found_, i, count,
kb.wordlists, custom_wordlist,
conf.api))
processes.append(process)
for process in processes:
process.daemon = True
process.start()
while count.value > 0:
time.sleep(0.5)
found = found_.value != 0
else:
warnMsg = "multiprocessing hash cracking is currently "
warnMsg += "not supported on this platform"
singleTimeWarnMessage(warnMsg)
class Value():
pass
retVal = Queue()
found_ = Value()
found_.value = False
_bruteProcessVariantB(user, hash_, kwargs,
hash_regex, suffix, retVal,
found_, 0, 1, kb.wordlists,
custom_wordlist, conf.api)
found = found_.value
except KeyboardInterrupt:
print
processException = True
warnMsg = "user aborted during dictionary-based attack phase (Ctrl+C was pressed)"
logger.warn(warnMsg)
for process in processes:
try:
process.terminate()
process.join()
except (OSError, AttributeError):
pass
finally:
if _multiprocessing:
gc.enable()
if retVal:
conf.hashDB.beginTransaction()
while not retVal.empty():
user, hash_, word = item = retVal.get(
block=False)
hashDBWrite(hash_, word)
results.append(item)
conf.hashDB.endTransaction()
clearConsoleLine()
def getLargeWeakPassword():
return getFileItems(paths.LARGE_WEAK_PASS)
def dictionaryAttack(attack_dict):
suffix_list = [""]
custom_wordlist = []
hash_regexes = []
results = []
resumes = []
processException = False
user_hash = []
for (_, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
hash_ = hash_.split()[0]
regex = hashRecognition(hash_)
if regex and regex not in hash_regexes:
hash_regexes.append(regex)
infoMsg = "using hash method '%s'" % __functions__[regex].func_name
logger.info(infoMsg)
for hash_regex in hash_regexes:
keys = set()
attack_info = []
for (user, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
hash_ = hash_.split()[0]
if re.match(hash_regex, hash_):
item = None
if hash_regex not in (HASH.CRYPT_GENERIC, HASH.WORDPRESS):
hash_ = hash_.lower()
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC):
item = [(user, hash_), {}]
elif hash_regex in (HASH.ORACLE_OLD, HASH.POSTGRES):
item = [(user, hash_), {'username': user}]
elif hash_regex in (HASH.ORACLE):
item = [(user, hash_), {'salt': hash_[-20:]}]
elif hash_regex in (HASH.MSSQL, HASH.MSSQL_OLD):
item = [(user, hash_), {'salt': hash_[6:14]}]
elif hash_regex in (HASH.CRYPT_GENERIC):
item = [(user, hash_), {'salt': hash_[0:2]}]
elif hash_regex in (HASH.WORDPRESS):
item = [(user, hash_), {'salt': hash_[4:12], 'count': 1<<ITOA64.index(hash_[3]), 'prefix': hash_[:12]}]
if item and hash_ not in keys:
resumed = hashDBRetrieve(hash_)
if not resumed:
attack_info.append(item)
user_hash.append(item[0])
else:
infoMsg = "resuming password '%s' for hash '%s'" % (resumed, hash_)
if user and not user.startswith(DUMMY_USER_PREFIX):
infoMsg += " for user '%s'" % user
logger.info(infoMsg)
resumes.append((user, hash_, resumed))
keys.add(hash_)
if not attack_info:
continue
if not kb.wordlists:
while not kb.wordlists:
# the slowest of all methods hence smaller default dict
if hash_regex in (HASH.ORACLE_OLD, HASH.WORDPRESS):
dictPaths = [paths.SMALL_DICT]
else:
dictPaths = [paths.WORDLIST]
message = "what dictionary do you want to use?\n"
message += "[1] default dictionary file '%s' (press Enter)\n" % dictPaths[0]
message += "[2] custom dictionary file\n"
message += "[3] file with list of dictionary files"
choice = readInput(message, default="1")
try:
if choice == "2":
message = "what's the custom dictionary's location?\n"
dictPaths = [readInput(message)]
logger.info("using custom dictionary")
elif choice == "3":
message = "what's the list file location?\n"
listPath = readInput(message)
checkFile(listPath)
dictPaths = getFileItems(listPath)
logger.info("using custom list of dictionaries")
else:
logger.info("using default dictionary")
for dictPath in dictPaths:
checkFile(dictPath)
kb.wordlists = dictPaths
except SqlmapFilePathException, msg:
warnMsg = "there was a problem while loading dictionaries"
warnMsg += " ('%s')" % msg
logger.critical(warnMsg)
message = "do you want to use common password suffixes? (slow!) [y/N] "
test = readInput(message, default="N")
if test[0] in ("y", "Y"):
suffix_list += COMMON_PASSWORD_SUFFIXES
infoMsg = "starting dictionary-based cracking (%s)" % __functions__[hash_regex].func_name
logger.info(infoMsg)
for item in attack_info:
((user, _), _) = item
if user and not user.startswith(DUMMY_USER_PREFIX):
custom_wordlist.append(normalizeUnicode(user))
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC):
for suffix in suffix_list:
if not attack_info or processException:
break
if suffix:
clearConsoleLine()
infoMsg = "using suffix '%s'" % suffix
logger.info(infoMsg)
retVal = None
processes = []
try:
if _multiprocessing:
if _multiprocessing.cpu_count() > 1:
infoMsg = "starting %d processes " % _multiprocessing.cpu_count()
singleTimeLogMessage(infoMsg)
retVal = _multiprocessing.Queue()
count = _multiprocessing.Value('i', _multiprocessing.cpu_count())
for i in xrange(_multiprocessing.cpu_count()):
p = _multiprocessing.Process(target=_bruteProcessVariantA, args=(attack_info, hash_regex, suffix, retVal, i, count, kb.wordlists, custom_wordlist))
processes.append(p)
for p in processes:
p.start()
for p in processes:
p.join()
else:
warnMsg = "multiprocessing hash cracking is currently "
warnMsg += "not supported on this platform"
singleTimeWarnMessage(warnMsg)
retVal = Queue()
_bruteProcessVariantA(attack_info, hash_regex, suffix, retVal, 0, 1, kb.wordlists, custom_wordlist)
except KeyboardInterrupt:
print
processException = True
warnMsg = "user aborted during dictionary-based attack phase (Ctrl+C was pressed)"
logger.warn(warnMsg)
for process in processes:
try:
process.terminate()
process.join()
except OSError:
pass
finally:
if retVal:
conf.hashDB.beginTransaction()
while not retVal.empty():
user, hash_, word = item = retVal.get(block=False)
attack_info = filter(lambda _: _[0][0] != user or _[0][1] != hash_, attack_info)
hashDBWrite(hash_, word)
results.append(item)
conf.hashDB.endTransaction()
clearConsoleLine()
else:
for ((user, hash_), kwargs) in attack_info:
if processException:
break
if any(_[0] == user and _[1] == hash_ for _ in results):
continue
count = 0
found = False
for suffix in suffix_list:
if found or processException:
break
if suffix:
clearConsoleLine()
infoMsg = "using suffix '%s'" % suffix
logger.info(infoMsg)
retVal = None
processes = []
try:
if _multiprocessing:
if _multiprocessing.cpu_count() > 1:
infoMsg = "starting %d processes " % _multiprocessing.cpu_count()
singleTimeLogMessage(infoMsg)
retVal = _multiprocessing.Queue()
found_ = _multiprocessing.Value('i', False)
count = _multiprocessing.Value('i', _multiprocessing.cpu_count())
for i in xrange(_multiprocessing.cpu_count()):
p = _multiprocessing.Process(target=_bruteProcessVariantB, args=(user, hash_, kwargs, hash_regex, suffix, retVal, found_, i, count, kb.wordlists, custom_wordlist))
processes.append(p)
for p in processes:
p.start()
for p in processes:
p.join()
found = found_.value != 0
else:
warnMsg = "multiprocessing hash cracking is currently "
warnMsg += "not supported on this platform"
singleTimeWarnMessage(warnMsg)
class Value():
pass
retVal = Queue()
found_ = Value()
found_.value = False
_bruteProcessVariantB(user, hash_, kwargs, hash_regex, suffix, retVal, found_, 0, 1, kb.wordlists, custom_wordlist)
found = found_.value
except KeyboardInterrupt:
print
processException = True
warnMsg = "user aborted during dictionary-based attack phase (Ctrl+C was pressed)"
logger.warn(warnMsg)
for process in processes:
try:
process.terminate()
process.join()
except OSError:
pass
finally:
if retVal:
conf.hashDB.beginTransaction()
while not retVal.empty():
user, hash_, word = item = retVal.get(block=False)
hashDBWrite(hash_, word)
results.append(item)
conf.hashDB.endTransaction()
clearConsoleLine()
def tableExists(tableFile, regex=None):
if kb.tableExistsChoice is None and not any(
_ for _ in kb.injection.data
if _ not in (PAYLOAD.TECHNIQUE.TIME,
PAYLOAD.TECHNIQUE.STACKED)) and not conf.direct:
warnMsg = u"不建议使用'%s'和'%s'" % (
PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.TIME],
PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.STACKED])
warnMsg += u"对常用的表的存在性进行检查"
logger.warn(warnMsg)
message = u"你确定要继续吗? [y/N] "
kb.tableExistsChoice = readInput(message, default='N', boolean=True)
if not kb.tableExistsChoice:
return None
result = inject.checkBooleanExpression(
"%s" % safeStringFormat(BRUTE_TABLE_EXISTS_TEMPLATE,
(randomInt(1), randomStr())))
if conf.db and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
conf.db = conf.db.upper()
if result:
errMsg = u"因为检测到的结果无效,所以无法对数据库中的表的存在性进行检查,"
errMsg += u"(很可能是由于使用的注入无法区分错误结果)"
raise SqlmapDataException(errMsg)
message = u"您要使用哪些常用表(wordlist)文件?\n"
message += u"[1] 默认 '%s' (按回车键)\n" % tableFile
message += u"[2] 自定义"
choice = readInput(message, default='1')
if choice == '2':
message = u"自定义的常用表文件位置在哪里?\n"
tableFile = readInput(message) or tableFile
infoMsg = u"使用自己提供的表文件'%s'检查表的存在性" % tableFile
logger.info(infoMsg)
tables = getFileItems(tableFile,
lowercase=Backend.getIdentifiedDbms()
in (DBMS.ACCESS, ),
unique=True)
tables.extend(_addPageTextWords())
tables = filterListValue(tables, regex)
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(tables)
threadData.shared.value = []
threadData.shared.unique = set()
def tableExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
table = safeSQLIdentificatorNaming(
tables[threadData.shared.count], True)
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
if conf.db and METADB_SUFFIX not in conf.db and Backend.getIdentifiedDbms(
) not in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
fullTableName = "%s.%s" % (conf.db, table)
else:
fullTableName = table
result = inject.checkBooleanExpression(
"%s" % safeStringFormat(BRUTE_TABLE_EXISTS_TEMPLATE,
(randomInt(1), fullTableName)))
kb.locks.io.acquire()
if result and table.lower() not in threadData.shared.unique:
threadData.shared.value.append(table)
threadData.shared.unique.add(table.lower())
if conf.verbose in (1, 2) and not conf.api:
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: %s\n" % (time.strftime(
"%X"), unsafeSQLIdentificatorNaming(table))
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = '%d/%d items (%d%%)' % (
threadData.shared.count, threadData.shared.limit,
round(100.0 * threadData.shared.count /
threadData.shared.limit))
dataToStdout(
"\r[%s] [INFO] tried %s" % (time.strftime("%X"), status),
True)
kb.locks.io.release()
try:
runThreads(conf.threads, tableExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = u"用户在检查表的存在性期间中止,sqlmap将只显示部分输出"
logger.warn(warnMsg)
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.value:
warnMsg = u"没有发现表"
logger.warn(warnMsg)
else:
for item in threadData.shared.value:
if conf.db not in kb.data.cachedTables:
kb.data.cachedTables[conf.db] = [item]
else:
kb.data.cachedTables[conf.db].append(item)
for _ in ((conf.db, item) for item in threadData.shared.value):
if _ not in kb.brute.tables:
kb.brute.tables.append(_)
hashDBWrite(HASHDB_KEYS.KB_BRUTE_TABLES, kb.brute.tables, True)
return kb.data.cachedTables
def dictionaryAttack(attack_dict):
suffix_list = [""]
hash_regexes = []
results = []
for (_, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
hash_ = hash_.split()[0]
regex = hashRecognition(hash_)
if regex and regex not in hash_regexes:
hash_regexes.append(regex)
infoMsg = "using hash method: '%s'" % __functions__[regex].func_name
logger.info(infoMsg)
for hash_regex in hash_regexes:
attack_info = []
for (user, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
hash_ = hash_.split()[0]
if getCompiledRegex(hash_regex).match(hash_):
hash_ = hash_.lower()
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC):
attack_info.append([(user, hash_), {}])
elif hash_regex in (HASH.ORACLE_OLD, HASH.POSTGRES):
attack_info.append([(user, hash_), {'username': user}])
elif hash_regex in (HASH.ORACLE):
attack_info.append([(user, hash_), {'salt': hash_[-20:]}])
elif hash_regex in (HASH.MSSQL, HASH.MSSQL_OLD):
attack_info.append([(user, hash_), {'salt': hash_[6:14]}])
elif hash_regex in (HASH.CRYPT_GENERIC):
attack_info.append([(user, hash_), {'salt': hash_[0:2]}])
if not attack_info:
continue
if not kb.wordlist:
if hash_regex == HASH.ORACLE_OLD: #it's the slowest of all methods hence smaller default dict
message = "what's the dictionary's location? [%s]" % paths.ORACLE_DEFAULT_PASSWD
dictpath = readInput(message, default=paths.ORACLE_DEFAULT_PASSWD)
else:
message = "what's the dictionary's location? [%s]" % paths.WORDLIST
dictpath = readInput(message, default=paths.WORDLIST)
checkFile(dictpath)
infoMsg = "loading dictionary from: '%s'" % dictpath
logger.info(infoMsg)
kb.wordlist = getFileItems(dictpath, None, False)
message = "do you want to use common password suffixes? (slow!) [y/N] "
test = readInput(message, default="N")
if test[0] in ("y", "Y"):
suffix_list += COMMON_PASSWORD_SUFFIXES
infoMsg = "starting dictionary attack (%s)" % __functions__[hash_regex].func_name
logger.info(infoMsg)
for item in attack_info:
((user, _), _) = item
kb.wordlist.append(normalizeUnicode(user))
length = len(kb.wordlist) * len(suffix_list)
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC):
count = 0
for suffix in suffix_list:
if not attack_info:
break
for word in kb.wordlist:
if not attack_info:
break
count += 1
if suffix:
word = word + suffix
try:
current = __functions__[hash_regex](password = word, uppercase = False)
for item in attack_info:
((user, hash_), _) = item
if hash_ == current:
results.append((user, hash_, word))
clearConsoleLine()
infoMsg = "[%s] [INFO] found: '%s'" % (time.strftime("%X"), word)
if user and not user.startswith(DUMMY_USER_PREFIX):
infoMsg += " for user: '******'\n" % user
else:
infoMsg += " for hash: '%s'\n" % hash_
dataToStdout(infoMsg, True)
attack_info.remove(item)
elif count % HASH_MOD_ITEM_DISPLAY == 0 or count == length or hash_regex in (HASH.ORACLE_OLD) or hash_regex == HASH.CRYPT_GENERIC and IS_WIN:
status = '%d/%d words (%d%s)' % (count, length, round(100.0*count/length), '%')
dataToStdout("\r[%s] [INFO] %s" % (time.strftime("%X"), status))
except KeyboardInterrupt:
print
warnMsg = "user aborted during dictionary attack phase"
logger.warn(warnMsg)
return results
except:
warnMsg = "there was a problem while hashing entry: %s. " % repr(word)
warnMsg += "Please report by e-mail to %s." % ML
logger.critical(warnMsg)
clearConsoleLine()
else:
for ((user, hash_), kwargs) in attack_info:
count = 0
found = False
for suffix in suffix_list:
if found:
break
for word in kb.wordlist:
current = __functions__[hash_regex](password = word, uppercase = False, **kwargs)
count += 1
if suffix:
word = word + suffix
try:
if hash_ == current:
if regex == HASH.ORACLE_OLD: #only for cosmetic purposes
word = word.upper()
results.append((user, hash_, word))
clearConsoleLine()
infoMsg = "[%s] [INFO] found: '%s'" % (time.strftime("%X"), word)
if user and not user.startswith(DUMMY_USER_PREFIX):
infoMsg += " for user: '******'\n" % user
else:
infoMsg += " for hash: '%s'\n" % hash_
dataToStdout(infoMsg, True)
found = True
break
elif count % HASH_MOD_ITEM_DISPLAY == 0 or count == length or hash_regex in (HASH.ORACLE_OLD) or hash_regex == HASH.CRYPT_GENERIC and IS_WIN:
status = '%d/%d words (%d%s)' % (count, length, round(100.0*count/length), '%')
if not user.startswith(DUMMY_USER_PREFIX):
status += ' (user: %s)' % user
dataToStdout("\r[%s] [INFO] %s" % (time.strftime("%X"), status))
except KeyboardInterrupt:
print
warnMsg = "user aborted during dictionary attack phase"
logger.warn(warnMsg)
return results
except:
warnMsg = "there was a problem while hashing entry: %s. " % repr(word)
warnMsg += "Please report by e-mail to %s." % ML
logger.critical(warnMsg)
clearConsoleLine()
if len(hash_regexes) == 0:
warnMsg = "unknown hash Format. "
warnMsg += "Please report by e-mail to %s." % ML
logger.warn(warnMsg)
if len(results) == 0:
warnMsg = "no clear password(s) found"
logger.warn(warnMsg)
return results
def columnExists(columnFile, regex=None):
if not conf.tbl:
errMsg = "missing table parameter"
raise SqlmapMissingMandatoryOptionException, errMsg
result = inject.checkBooleanExpression(safeStringFormat(BRUTE_COLUMN_EXISTS_TEMPLATE, (randomStr(), randomStr())))
if result:
errMsg = "can't use column existence check because of detected invalid results "
errMsg += "(most probably caused by inability of the used injection "
errMsg += "to distinguish errornous results)"
raise SqlmapDataException, errMsg
infoMsg = "checking column existence using items from '%s'" % columnFile
logger.info(infoMsg)
columns = getFileItems(columnFile, unique=True)
columns.extend(_addPageTextWords())
columns = filterListValue(columns, regex)
table = safeSQLIdentificatorNaming(conf.tbl, True)
if conf.db and METADB_SUFFIX not in conf.db:
table = "%s.%s" % (safeSQLIdentificatorNaming(conf.db), table)
kb.threadContinue = True
kb.bruteMode = True
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(columns)
threadData.shared.outputs = []
def columnExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
column = safeSQLIdentificatorNaming(columns[threadData.shared.count])
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
result = inject.checkBooleanExpression(safeStringFormat(BRUTE_COLUMN_EXISTS_TEMPLATE, (column, table)))
kb.locks.io.acquire()
if result:
threadData.shared.outputs.append(column)
if conf.verbose in (1, 2):
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: %s\r\n" % (time.strftime("%X"), column)
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = '%d/%d items (%d%s)' % (threadData.shared.count, threadData.shared.limit, round(100.0*threadData.shared.count/threadData.shared.limit), '%')
dataToStdout("\r[%s] [INFO] tried %s" % (time.strftime("%X"), status), True)
kb.locks.io.release()
try:
runThreads(conf.threads, columnExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = "user aborted during column existence "
warnMsg += "check. sqlmap will display partial output"
logger.warn(warnMsg)
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.outputs:
warnMsg = "no column(s) found"
logger.warn(warnMsg)
else:
columns = {}
for column in threadData.shared.outputs:
result = inject.checkBooleanExpression("%s" % safeStringFormat("EXISTS(SELECT %s FROM %s WHERE ROUND(%s)=ROUND(%s))", (column, table, column, column)))
if result:
columns[column] = 'numeric'
else:
columns[column] = 'non-numeric'
kb.data.cachedColumns[conf.db] = {conf.tbl: columns}
for _ in map(lambda x: (conf.db, conf.tbl, x[0], x[1]), columns.items()):
if _ not in kb.brute.columns:
kb.brute.columns.append(_)
hashDBWrite(HASHDB_KEYS.KB_BRUTE_COLUMNS, kb.brute.columns, True)
return kb.data.cachedColumns
def tableExists(tableFile, regex=None):
if kb.tableExistsChoice is None and not any(_ for _ in kb.injection.data if _ not in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED)) and not conf.direct:
warnMsg = "it's not recommended to use '%s' and/or '%s' " % (PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.TIME], PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.STACKED])
warnMsg += "for common table existence check"
logger.warn(warnMsg)
message = "are you sure you want to continue? [y/N] "
kb.tableExistsChoice = readInput(message, default='N', boolean=True)
if not kb.tableExistsChoice:
return None
result = inject.checkBooleanExpression("%s" % safeStringFormat(BRUTE_TABLE_EXISTS_TEMPLATE, (randomInt(1), randomStr())))
if conf.db and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
conf.db = conf.db.upper()
if result:
errMsg = "can't use table existence check because of detected invalid results "
errMsg += "(most likely caused by inability of the used injection "
errMsg += "to distinguish erroneous results)"
raise SqlmapDataException(errMsg)
message = "which common tables (wordlist) file do you want to use?\n"
message += "[1] default '%s' (press Enter)\n" % tableFile
message += "[2] custom"
choice = readInput(message, default='1')
if choice == '2':
message = "what's the custom common tables file location?\n"
tableFile = readInput(message) or tableFile
infoMsg = "checking table existence using items from '%s'" % tableFile
logger.info(infoMsg)
tables = getFileItems(tableFile, lowercase=Backend.getIdentifiedDbms() in (DBMS.ACCESS,), unique=True)
tables.extend(_addPageTextWords())
tables = filterListValue(tables, regex)
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(tables)
threadData.shared.value = []
threadData.shared.unique = set()
def tableExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
table = safeSQLIdentificatorNaming(tables[threadData.shared.count], True)
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
if conf.db and METADB_SUFFIX not in conf.db and Backend.getIdentifiedDbms() not in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
fullTableName = "%s.%s" % (conf.db, table)
else:
fullTableName = table
result = inject.checkBooleanExpression("%s" % safeStringFormat(BRUTE_TABLE_EXISTS_TEMPLATE, (randomInt(1), fullTableName)))
kb.locks.io.acquire()
if result and table.lower() not in threadData.shared.unique:
threadData.shared.value.append(table)
threadData.shared.unique.add(table.lower())
if conf.verbose in (1, 2) and not conf.api:
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), unsafeSQLIdentificatorNaming(table))
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = '%d/%d items (%d%%)' % (threadData.shared.count, threadData.shared.limit, round(100.0 * threadData.shared.count / threadData.shared.limit))
dataToStdout("\r[%s] [INFO] tried %s" % (time.strftime("%X"), status), True)
kb.locks.io.release()
try:
runThreads(conf.threads, tableExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = "user aborted during table existence "
warnMsg += "check. sqlmap will display partial output"
logger.warn(warnMsg)
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.value:
warnMsg = "no table(s) found"
logger.warn(warnMsg)
else:
for item in threadData.shared.value:
if conf.db not in kb.data.cachedTables:
kb.data.cachedTables[conf.db] = [item]
else:
kb.data.cachedTables[conf.db].append(item)
for _ in ((conf.db, item) for item in threadData.shared.value):
if _ not in kb.brute.tables:
kb.brute.tables.append(_)
hashDBWrite(HASHDB_KEYS.KB_BRUTE_TABLES, kb.brute.tables, True)
return kb.data.cachedTables
def tableExists(tableFile, regex=None):
result = inject.checkBooleanExpression("%s" % safeStringFormat(BRUTE_TABLE_EXISTS_TEMPLATE, (randomInt(1), randomStr())))
if result:
errMsg = "can't use table existence check because of detected invalid results "
errMsg += "(most probably caused by inability of the used injection "
errMsg += "to distinguish errornous results)"
raise SqlmapDataException, errMsg
tables = getFileItems(tableFile, lowercase=Backend.getIdentifiedDbms() in (DBMS.ACCESS,), unique=True)
infoMsg = "checking table existence using items from '%s'" % tableFile
logger.info(infoMsg)
tables.extend(_addPageTextWords())
tables = filterListValue(tables, regex)
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(tables)
threadData.shared.outputs = []
threadData.shared.unique = set()
def tableExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
table = safeSQLIdentificatorNaming(tables[threadData.shared.count], True)
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
if conf.db and METADB_SUFFIX not in conf.db:
fullTableName = "%s%s%s" % (conf.db, '..' if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) else '.', table)
else:
fullTableName = table
result = inject.checkBooleanExpression("%s" % safeStringFormat(BRUTE_TABLE_EXISTS_TEMPLATE, (randomInt(1), fullTableName)))
kb.locks.io.acquire()
if result and table.lower() not in threadData.shared.unique:
threadData.shared.outputs.append(table)
threadData.shared.unique.add(table.lower())
if conf.verbose in (1, 2):
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: %s\r\n" % (time.strftime("%X"), table)
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = '%d/%d items (%d%s)' % (threadData.shared.count, threadData.shared.limit, round(100.0*threadData.shared.count/threadData.shared.limit), '%')
dataToStdout("\r[%s] [INFO] tried %s" % (time.strftime("%X"), status), True)
kb.locks.io.release()
try:
runThreads(conf.threads, tableExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = "user aborted during table existence "
warnMsg += "check. sqlmap will display partial output"
logger.warn(warnMsg)
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.outputs:
warnMsg = "no table(s) found"
logger.warn(warnMsg)
else:
for item in threadData.shared.outputs:
if conf.db not in kb.data.cachedTables:
kb.data.cachedTables[conf.db] = [item]
else:
kb.data.cachedTables[conf.db].append(item)
for _ in map(lambda x: (conf.db, x), threadData.shared.outputs):
if _ not in kb.brute.tables:
kb.brute.tables.append(_)
hashDBWrite(HASHDB_KEYS.KB_BRUTE_TABLES, kb.brute.tables, True)
return kb.data.cachedTables
def fileExists(pathFile):
retVal = []
paths = getFileItems(pathFile, unique=True)
kb.bruteMode = True
try:
conf.dbmsHandler.readFile(randomStr())
except SqlmapNoneDataException:
pass
except:
kb.bruteMode = False
raise
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(paths)
threadData.shared.value = []
def fileExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
path = paths[threadData.shared.count]
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
try:
result = unArrayizeValue(conf.dbmsHandler.readFile(path))
except SqlmapNoneDataException:
result = None
kb.locks.io.acquire()
if not isNoneValue(result):
threadData.shared.value.append(result)
if conf.verbose in (1, 2) and not conf.api:
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: '%s'\n" % (
time.strftime("%X"), path)
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = '%d/%d items (%d%%)' % (
threadData.shared.count, threadData.shared.limit,
round(100.0 * threadData.shared.count /
threadData.shared.limit))
dataToStdout(
"\r[%s] [INFO] tried %s" % (time.strftime("%X"), status),
True)
kb.locks.io.release()
try:
pushValue(logger.getEffectiveLevel())
logger.setLevel(logging.CRITICAL)
runThreads(conf.threads, fileExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = "user aborted during file existence "
warnMsg += "check. sqlmap will display partial output"
logger.warn(warnMsg)
finally:
kb.bruteMode = False
logger.setLevel(popValue())
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.value:
warnMsg = "no file(s) found"
logger.warn(warnMsg)
else:
retVal = threadData.shared.value
return retVal
def tableExists(tableFile, regex=None):
result = inject.checkBooleanExpression(
"%s" % safeStringFormat(BRUTE_TABLE_EXISTS_TEMPLATE,
(randomInt(1), randomStr())))
if conf.db and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
conf.db = conf.db.upper()
if result:
errMsg = "can't use table existence check because of detected invalid results "
errMsg += "(most probably caused by inability of the used injection "
errMsg += "to distinguish errornous results)"
raise SqlmapDataException(errMsg)
tables = getFileItems(tableFile,
lowercase=Backend.getIdentifiedDbms()
in (DBMS.ACCESS, ),
unique=True)
infoMsg = "checking table existence using items from '%s'" % tableFile
logger.info(infoMsg)
tables.extend(_addPageTextWords())
tables = filterListValue(tables, regex)
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(tables)
threadData.shared.value = []
threadData.shared.unique = set()
def tableExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
table = safeSQLIdentificatorNaming(
tables[threadData.shared.count], True)
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
if conf.db and METADB_SUFFIX not in conf.db and Backend.getIdentifiedDbms(
) not in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
fullTableName = "%s%s%s" % (
conf.db, '..' if Backend.getIdentifiedDbms() in
(DBMS.MSSQL, DBMS.SYBASE) else '.', table)
else:
fullTableName = table
result = inject.checkBooleanExpression(
"%s" % safeStringFormat(BRUTE_TABLE_EXISTS_TEMPLATE,
(randomInt(1), fullTableName)))
kb.locks.io.acquire()
if result and table.lower() not in threadData.shared.unique:
threadData.shared.value.append(table)
threadData.shared.unique.add(table.lower())
if conf.verbose in (1, 2) and not hasattr(conf, "api"):
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: %s\r\n" % (time.strftime(
"%X"), unsafeSQLIdentificatorNaming(table))
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = '%d/%d items (%d%%)' % (
threadData.shared.count, threadData.shared.limit,
round(100.0 * threadData.shared.count /
threadData.shared.limit))
dataToStdout(
"\r[%s] [INFO] tried %s" % (time.strftime("%X"), status),
True)
kb.locks.io.release()
try:
runThreads(conf.threads, tableExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = "user aborted during table existence "
warnMsg += "check. sqlmap will display partial output"
logger.warn(warnMsg)
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.value:
warnMsg = "no table(s) found"
logger.warn(warnMsg)
else:
for item in threadData.shared.value:
if conf.db not in kb.data.cachedTables:
kb.data.cachedTables[conf.db] = [item]
else:
kb.data.cachedTables[conf.db].append(item)
for _ in ((conf.db, item) for item in threadData.shared.value):
if _ not in kb.brute.tables:
kb.brute.tables.append(_)
hashDBWrite(HASHDB_KEYS.KB_BRUTE_TABLES, kb.brute.tables, True)
return kb.data.cachedTables
