def task_new():
"""
Create new task ID
"""
global procs
global tasks
taskid = hexencode(os.urandom(16))
tasks[taskid] = init_options()
procs[taskid] = AttribDict()
_, ipc_database_filepath = tempfile.mkstemp(prefix="sqlmapipc-", text=False)
# Initiate the temporary database for asynchronous I/O with the
# sqlmap engine
procs[taskid].ipc_database_connection = sqlite3.connect(ipc_database_filepath, timeout=1, isolation_level=None)
procs[taskid].ipc_database_cursor = procs[taskid].ipc_database_connection.cursor()
procs[taskid].ipc_database_cursor.execute("CREATE TABLE logs(id INTEGER PRIMARY KEY AUTOINCREMENT, time TEXT, level TEXT, message TEXT)")
procs[taskid].ipc_database_cursor.execute("CREATE TABLE stdout(id INTEGER PRIMARY KEY AUTOINCREMENT, time TEXT, message TEXT)")
procs[taskid].ipc_database_cursor.execute("CREATE TABLE stderr(id INTEGER PRIMARY KEY AUTOINCREMENT, time TEXT, message TEXT)")
# Set the temporary database to use for asynchronous I/O communication
tasks[taskid].ipc_database = ipc_database_filepath
return jsonize({"taskid": taskid})
def init_options():
dataype = {"boolean": False, "string": None, "integer": None, "float": None}
options = AttribDict()
for _ in optDict:
for name, type_ in optDict[_].items():
type_ = unArrayizeValue(type_)
options[name] = _defaults.get(name, dataype[type_])
# Enforce batch mode and disable coloring
options.batch = True
options.disableColoring = True
return options
#coding=utf-8
#!/usr/bin/env python
"""
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.datatype import AttribDict
from lib.core.log import LOGGER
# sqlmap paths sqlmap路径
paths = AttribDict()
# object to store original command line options 对象来存储原始的命令行选项
cmdLineOptions = AttribDict()
# object to store merged options (command line, configuration file and default options) 对象存储合并选项(命令行配置文件和默认选项)
mergedOptions = AttribDict()
# object to share within function and classes command
# line options and settings 对象内部共享函数和类命令行选项和设置
conf = AttribDict()
# object to share within function and classes results 对象内部共享函数和类的结果
kb = AttribDict()
# object with each database management system specific queries 与每个数据库管理系统特定的查询对象
queries = {}
# logger 日志记录
logger = LOGGER
LEGAL_DISCLAIMER = "Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program"
# After this number of misses reflective removal mechanism is turned off (for speed up reasons)
REFLECTIVE_MISS_THRESHOLD = 20
# Regular expression used for extracting HTML title
HTML_TITLE_REGEX = "<title>(?P<result>[^<]+)</title>"
# Table used for Base64 conversion in WordPress hash cracking routine
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PICKLE_REDUCE_WHITELIST = (types.BooleanType, types.DictType, types.FloatType,
types.IntType, types.ListType, types.LongType,
types.NoneType, types.StringType, types.TupleType,
types.UnicodeType, types.XRangeType,
type(AttribDict()), type(set()))
# Chars used to quickly distinguish if the user provided tainted parameter values
DUMMY_SQL_INJECTION_CHARS = ";()'"
# Simple check against dummy users
DUMMY_USER_INJECTION = r"(?i)[^\w](AND|OR)\s+[^\s]+[=><]|\bUNION\b.+\bSELECT\b|\bSELECT\b.+\bFROM\b|\b(CONCAT|information_schema|SLEEP|DELAY)\b"
# Extensions skipped by crawler
CRAWL_EXCLUDE_EXTENSIONS = (
"3ds", "3g2", "3gp", "7z", "DS_Store", "a", "aac", "adp", "ai", "aif",
"aiff", "apk", "ar", "asf", "au", "avi", "bak", "bin", "bk", "bmp", "btif",
"bz2", "cab", "caf", "cgm", "cmx", "cpio", "cr2", "dat", "deb", "djvu",
"dll", "dmg", "dmp", "dng", "doc", "docx", "dot", "dotx", "dra", "dsk",
"dts", "dtshd", "dvb", "dwg", "dxf", "ear", "ecelp4800", "ecelp7470",
"ecelp9600", "egg", "eol", "eot", "epub", "exe", "f4v", "fbs", "fh", "fla",
# Keywords expected to be in UPPERCASE in getValue()
GET_VALUE_UPPERCASE_KEYWORDS = ("SELECT", "FROM", "WHERE", "DISTINCT", "COUNT")
LEGAL_DISCLAIMER = "Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program"
# After this number of misses reflective removal mechanism is turned off (for speed up reasons)
REFLECTIVE_MISS_THRESHOLD = 20
# Regular expression used for extracting HTML title
HTML_TITLE_REGEX = r"<title>(?P<result>[^<]+)</title>"
# Table used for Base64 conversion in WordPress hash cracking routine
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PICKLE_REDUCE_WHITELIST = (types.BooleanType, types.DictType, types.FloatType, types.IntType, types.ListType, types.LongType, types.NoneType, types.StringType, types.TupleType, types.UnicodeType, types.XRangeType, type(AttribDict()), type(set()))
# Chars used to quickly distinguish if the user provided tainted parameter values
DUMMY_SQL_INJECTION_CHARS = ";()'"
# Simple check against dummy users
DUMMY_USER_INJECTION = r"(?i)[^\w](AND|OR)\s+[^\s]+[=><]|\bUNION\b.+\bSELECT\b|\bSELECT\b.+\bFROM\b|\b(CONCAT|information_schema|SLEEP|DELAY|FLOOR\(RAND)\b"
# Extensions skipped by crawler
CRAWL_EXCLUDE_EXTENSIONS = ("3ds", "3g2", "3gp", "7z", "DS_Store", "a", "aac", "adp", "ai", "aif", "aiff", "apk", "ar", "asf", "au", "avi", "bak", "bin", "bk", "bmp", "btif", "bz2", "cab", "caf", "cgm", "cmx", "cpio", "cr2", "dat", "deb", "djvu", "dll", "dmg", "dmp", "dng", "doc", "docx", "dot", "dotx", "dra", "dsk", "dts", "dtshd", "dvb", "dwg", "dxf", "ear", "ecelp4800", "ecelp7470", "ecelp9600", "egg", "eol", "eot", "epub", "exe", "f4v", "fbs", "fh", "fla", "flac", "fli", "flv", "fpx", "fst", "fvt", "g3", "gif", "gz", "h261", "h263", "h264", "ico", "ief", "image", "img", "ipa", "iso", "jar", "jpeg", "jpg", "jpgv", "jpm", "jxr", "ktx", "lvp", "lz", "lzma", "lzo", "m3u", "m4a", "m4v", "mar", "mdi", "mid", "mj2", "mka", "mkv", "mmr", "mng", "mov", "movie", "mp3", "mp4", "mp4a", "mpeg", "mpg", "mpga", "mxu", "nef", "npx", "o", "oga", "ogg", "ogv", "otf", "pbm", "pcx", "pdf", "pea", "pgm", "pic", "png", "pnm", "ppm", "pps", "ppt", "pptx", "ps", "psd", "pya", "pyc", "pyo", "pyv", "qt", "rar", "ras", "raw", "rgb", "rip", "rlc", "rz", "s3m", "s7z", "scm", "scpt", "sgi", "shar", "sil", "smv", "so", "sub", "swf", "tar", "tbz2", "tga", "tgz", "tif", "tiff", "tlz", "ts", "ttf", "uvh", "uvi", "uvm", "uvp", "uvs", "uvu", "viv", "vob", "war", "wav", "wax", "wbmp", "wdp", "weba", "webm", "webp", "whl", "wm", "wma", "wmv", "wmx", "woff", "woff2", "wvx", "xbm", "xif", "xls", "xlsx", "xlt", "xm", "xpi", "xpm", "xwd", "xz", "z", "zip", "zipx")
# Patterns often seen in HTTP headers containing custom injection marking character '*'
PROBLEMATIC_CUSTOM_INJECTION_PATTERNS = r"(;q=[^;']+)|(\*/\*)"
# Template used for common table existence check
BRUTE_TABLE_EXISTS_TEMPLATE = "EXISTS(SELECT %d FROM %s)"
def reset_options(self):
self.options = AttribDict(self._original_options)
#!/usr/bin/env python3 # -*- coding: utf-8 -*- """ Copyright (c) saucerman (https://saucer-man.com) See the file 'LICENSE' for copying permission """ from lib.core.datatype import AttribDict from lib.core.log import LOGGER # saucerframe paths paths = AttribDict() # object to store original command line options cmdLineOptions = AttribDict() # object to share within function and classes command # line options and settings conf = AttribDict() # object to control engine th = AttribDict() # logger logger = LOGGER
#!/usr/bin/env python
"""
Copyright (c) 2006-2020 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
from lib.core.datatype import AttribDict
_defaults = {
"csvDel": ',',
"timeSec": 5,
"googlePage": 1,
"verbose": 1,
"delay": 0,
"timeout": 30,
"retries": 3,
"csrfRetries": 0,
"saFreq": 0,
"threads": 1,
"level": 1,
"risk": 1,
"dumpFormat": "CSV",
"tablePrefix": "sqlmap",
"technique": "BEUSTQ",
"torType": "SOCKS5",
}
defaults = AttribDict(_defaults)
#!/usr/bin/env python
import json
from xml.etree import ElementTree as et
from lib.core.enums import PAYLOAD
from lib.core.agent import agent
from lib.core.datatype import AttribDict
from lib.core.common import randomInt
from lib.core.common import randomStr
PAYLOADS_XML = ".\\xml\\payloads.xml"
boundaries = []
tests = []
kb = AttribDict()
kb.data = AttribDict()
def cleanupVals(text, tag):
if tag in ("clause", "where"):
text = text.split(',')
if isinstance(text, basestring):
text = int(text) if text.isdigit() else str(text)
elif isinstance(text, list):
count = 0
for _ in text:
text[count] = int(_) if _.isdigit() else str(_)
count += 1
if len(text) == 1 and tag not in ("clause", "where"):
def prepare_fb(options):
fb = AttribDict()
fb.targets = options.targets.split(",")
try:
fb.task_id = options.task_id
except AttributeError:
fb.task_id = None
fb.vids = options.vids.strip().split(",")
fb.mode = options.mode
fb.verbose = False if options.quiet else True
fb.console = options.from_console
fb.poc_setting = AttribDict()
fb.poc_setting.dir_name = options.poc_dir_name
fb.poc_setting.timeout = options.timeout
fb.poc_setting.thread_num = options.thread
fb.poc_setting.return_resp = options.poc_return_dump
fb.spider = options.spider
return fb
HEURISTIC_CHECK_ALPHABET = ('"', '\'', ')', '(', ',', '.')
BANNER = re.sub(
r"\[.\]", lambda _: "[\033[01;41m%s\033[01;49m]" % random.sample(
HEURISTIC_CHECK_ALPHABET, 1)[0], BANNER)
NMAP_CONF = {
1: ["-T4 -F "],
2: ["-T4 -A -v -Pn"],
3: ["-p 1-65535 -T4 -A -v -sS -Pn"]
}
SUDO_PASSWORD = ""
ASYNC_NUM = 100
PROCESS_NUM = 10
CONF = AttribDict()
CONF.ROOT_PATH = ""
TARGETS = AttribDict()
TARGETS.END = AttribDict()
TARGETS.ERROR = AttribDict()
RESULT = AttribDict()
target_end = AttribDict()
DNS_SERVERS = "data/subDomain/dns_server.txt"
DNS_SUB_FILE = "data/subDomain/next_sub_full.txt"
DNS_SUB_FULL_FILE = "data/subDomain/subnames_full.txt"
DIR_FILE = "data/webScan/dict.txt"
# coding=utf-8 from lib.core.datatype import AttribDict # 项目中的路径信息 paths = AttribDict() # 配置信息数据 conf = AttribDict() # 共享数据 kb = AttribDict()
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from lib.core.datatype import AttribDict
from lib.core.defaults import defaults
# object to share within function and classes command
# line options and settings
conf = AttribDict()
# Dictionary storing
# (1)targets<队列形式的目标>, (2)targetName<options中的值>, (3) CurrentPlugin<当前插件的信息>
# (4)results, (5)expNumbers<插件数目>
# (6)multiThreadMode \ threadContinue \ threadException
kb = AttribDict()
registeredPocs = {}
# zeroscan paths,本质上还是个字典类型
paths = AttribDict()
defaults = AttribDict(defaults)
savedReq = AttribDict()
def initOptions(CmdOptions=AttribDict()):
_initConfAttr()
_initRuAttr()
_setCmdOptionsToConf(CmdOptions)
from thirdparty.bottle.bottle import hook
from thirdparty.bottle.bottle import post
from thirdparty.bottle.bottle import request
from thirdparty.bottle.bottle import response
from thirdparty.bottle.bottle import run
from thirdparty.bottle.bottle import static_file
from thirdparty.bottle.bottle import template
RESTAPI_SERVER_HOST = "127.0.0.1"
RESTAPI_SERVER_PORT = 8775
# Local global variables
adminid = ""
pipes = dict()
procs = dict()
tasks = AttribDict()
# Generic functions
def is_admin(taskid):
global adminid
if adminid != taskid:
return False
else:
return True
def init_options():
dataype = {
"boolean": False,
"string": None,
from lib.core.compat import WichmannHill
from lib.core.compat import xrange
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.datatype import AttribDict
from lib.core.enums import PAYLOAD
from lib.core.exception import SqlmapBaseException
from lib.core.exception import SqlmapConnectionException
from lib.core.exception import SqlmapThreadException
from lib.core.exception import SqlmapUserQuitException
from lib.core.exception import SqlmapValueException
from lib.core.settings import MAX_NUMBER_OF_THREADS
from lib.core.settings import PYVERSION
shared = AttribDict()
class _ThreadData(threading.local):
"""
Represents thread independent data
"""
def __init__(self):
self.reset()
def reset(self):
"""
Resets thread data model
"""
self.disableStdOut = False
#!/usr/bin/env python # -*- coding: utf-8 -*- from lib.core.log import SHEEP_LOGGER from lib.core.datatype import AttribDict logger = SHEEP_LOGGER paths = AttribDict() conf = AttribDict() scr = AttribDict() th = AttribDict()
from lib.core.datatype import AttribDict
from configparser import ConfigParser
import queue
headers = {
'User-Agent':
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36',
'Connection': 'close'
}
cfg = ConfigParser()
cfg.read('lib/core/config.ini')
#作为所有路径传参
paths = AttribDict()
#存储命令相关参数
conf = AttribDict()
##存储其他信息的一个全程对象
realman = AttribDict()
#存储目标的一个队列
realman.queue = queue.Queue()
#存储目标的一个list
realman.tlist = []
#存储收集信息的一个dict
realman.timo = AttribDict()
#存储payload验证存在漏洞地址的url的list
realman.exist = []
#!/usr/bin/env python """ Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/) See the file 'doc/COPYING' for copying permission """ from lib.core.datatype import AttribDict from lib.core.log import MY_LOGGER logger = MY_LOGGER # Ajatar paths paths = AttribDict() # Ajatar cmder cmdLineOptions = AttribDict() # Ajatar urlconfig urlconfig = AttribDict() Ajconfig = AttribDict() # Ajatar plugins pycode hash Aj_hash_pycode = dict()
def checkSqlInjection(place, parameter, value):
# Store here the details about boundaries and payload used to
# successfully inject
injection = InjectionDict()
# Localized thread data needed for some methods
threadData = getCurrentThreadData()
# Set the flag for SQL injection test mode
kb.testMode = True
for test in getSortedInjectionTests():
try:
if kb.endDetection:
break
title = test.title
stype = test.stype
clause = test.clause
unionExtended = False
if stype == PAYLOAD.TECHNIQUE.UNION:
configUnion(test.request.char)
if "[CHAR]" in title:
if conf.uChar is None:
continue
else:
title = title.replace("[CHAR]", conf.uChar)
elif "[RANDNUM]" in title or "(NULL)" in title:
title = title.replace("[RANDNUM]", "random number")
if test.request.columns == "[COLSTART]-[COLSTOP]":
if conf.uCols is None:
continue
else:
title = title.replace("[COLSTART]", str(conf.uColsStart))
title = title.replace("[COLSTOP]", str(conf.uColsStop))
elif conf.uCols is not None:
debugMsg = "skipping test '%s' because the user " % title
debugMsg += "provided custom column range %s" % conf.uCols
logger.debug(debugMsg)
continue
match = re.search(r"(\d+)-(\d+)", test.request.columns)
if injection.data and match:
lower, upper = int(match.group(1)), int(match.group(2))
for _ in (lower, upper):
if _ > 1:
unionExtended = True
test.request.columns = re.sub(r"\b%d\b" % _, str(2 * _), test.request.columns)
title = re.sub(r"\b%d\b" % _, str(2 * _), title)
test.title = re.sub(r"\b%d\b" % _, str(2 * _), test.title)
# Skip test if the user's wants to test only for a specific
# technique
if conf.tech and isinstance(conf.tech, list) and stype not in conf.tech:
debugMsg = "skipping test '%s' because the user " % title
debugMsg += "specified to test only for "
debugMsg += "%s techniques" % " & ".join(map(lambda x: PAYLOAD.SQLINJECTION[x], conf.tech))
logger.debug(debugMsg)
continue
# Skip test if it is the same SQL injection type already
# identified by another test
if injection.data and stype in injection.data:
debugMsg = "skipping test '%s' because " % title
debugMsg += "the payload for %s has " % PAYLOAD.SQLINJECTION[stype]
debugMsg += "already been identified"
logger.debug(debugMsg)
continue
# Skip tests if title is not included by the given filter
if conf.testFilter:
if not any(re.search(conf.testFilter, str(item), re.I) for item in (test.title, test.vector,\
test.details.dbms if "details" in test and "dbms" in test.details else "")):
debugMsg = "skipping test '%s' because " % title
debugMsg += "its name/vector/dbms is not included by the given filter"
logger.debug(debugMsg)
continue
else:
# Skip test if the risk is higher than the provided (or default)
# value
# Parse test's <risk>
if test.risk > conf.risk:
debugMsg = "skipping test '%s' because the risk (%d) " % (title, test.risk)
debugMsg += "is higher than the provided (%d)" % conf.risk
logger.debug(debugMsg)
continue
# Skip test if the level is higher than the provided (or default)
# value
# Parse test's <level>
if test.level > conf.level:
debugMsg = "skipping test '%s' because the level (%d) " % (title, test.level)
debugMsg += "is higher than the provided (%d)" % conf.level
logger.debug(debugMsg)
continue
# Skip DBMS-specific test if it does not match either the
# previously identified or the user's provided DBMS (either
# from program switch or from parsed error message(s))
if "details" in test and "dbms" in test.details:
dbms = test.details.dbms
else:
dbms = None
if dbms is not None:
if injection.dbms is not None and not intersect(injection.dbms, dbms):
debugMsg = "skipping test '%s' because " % title
debugMsg += "the back-end DBMS identified is "
debugMsg += "%s" % injection.dbms
logger.debug(debugMsg)
continue
if conf.dbms is not None and not intersect(conf.dbms.lower(), [value.lower() for value in arrayizeValue(dbms)]):
debugMsg = "skipping test '%s' because " % title
debugMsg += "the provided DBMS is %s" % conf.dbms
logger.debug(debugMsg)
continue
if len(Backend.getErrorParsedDBMSes()) > 0 and not intersect(dbms, Backend.getErrorParsedDBMSes()) and kb.skipOthersDbms is None:
msg = "parsed error message(s) showed that the "
msg += "back-end DBMS could be %s. " % Format.getErrorParsedDBMSes()
msg += "Do you want to skip test payloads specific for other DBMSes? [Y/n]"
if readInput(msg, default="Y") in ("y", "Y"):
kb.skipOthersDbms = Backend.getErrorParsedDBMSes()
else:
kb.skipOthersDbms = []
if kb.skipOthersDbms and not intersect(dbms, kb.skipOthersDbms):
debugMsg = "skipping test '%s' because " % title
debugMsg += "the parsed error message(s) showed "
debugMsg += "that the back-end DBMS could be "
debugMsg += "%s" % Format.getErrorParsedDBMSes()
logger.debug(debugMsg)
continue
# Skip test if it does not match the same SQL injection clause
# already identified by another test
clauseMatch = False
for clauseTest in clause:
if injection.clause is not None and clauseTest in injection.clause:
clauseMatch = True
break
if clause != [0] and injection.clause and injection.clause != [0] and not clauseMatch:
debugMsg = "skipping test '%s' because the clauses " % title
debugMsg += "differs from the clause already identified"
logger.debug(debugMsg)
continue
# Skip test if the user provided custom character
if conf.uChar is not None and ("random number" in title or "(NULL)" in title):
debugMsg = "skipping test '%s' because the user " % title
debugMsg += "provided a specific character, %s" % conf.uChar
logger.debug(debugMsg)
continue
infoMsg = "testing '%s'" % title
logger.info(infoMsg)
# Force back-end DBMS according to the current
# test value for proper payload unescaping
Backend.forceDbms(dbms[0] if isinstance(dbms, list) else dbms)
# Parse test's <request>
comment = agent.getComment(test.request) if len(conf.boundaries) > 1 else None
fstPayload = agent.cleanupPayload(test.request.payload, origValue=value)
# Favoring non-string specific boundaries in case of digit-like parameter values
if value.isdigit():
boundaries = sorted(copy.deepcopy(conf.boundaries), key=lambda x: any(_ in (x.prefix or "") or _ in (x.suffix or "") for _ in ('"', '\'')))
else:
boundaries = conf.boundaries
for boundary in boundaries:
injectable = False
# Skip boundary if the level is higher than the provided (or
# default) value
# Parse boundary's <level>
if boundary.level > conf.level:
continue
# Skip boundary if it does not match against test's <clause>
# Parse test's <clause> and boundary's <clause>
clauseMatch = False
for clauseTest in test.clause:
if clauseTest in boundary.clause:
clauseMatch = True
break
if test.clause != [0] and boundary.clause != [0] and not clauseMatch:
continue
# Skip boundary if it does not match against test's <where>
# Parse test's <where> and boundary's <where>
whereMatch = False
for where in test.where:
if where in boundary.where:
whereMatch = True
break
if not whereMatch:
continue
# Parse boundary's <prefix>, <suffix> and <ptype>
prefix = boundary.prefix if boundary.prefix else ""
suffix = boundary.suffix if boundary.suffix else ""
# Options --prefix/--suffix have a higher priority (if set by user)
prefix = conf.prefix if conf.prefix is not None else prefix
suffix = conf.suffix if conf.suffix is not None else suffix
comment = None if conf.suffix is not None else comment
ptype = boundary.ptype
# If the previous injections succeeded, we know which prefix,
# suffix and parameter type to use for further tests, no
# need to cycle through the boundaries for the following tests
condBound = (injection.prefix is not None and injection.suffix is not None)
condBound &= (injection.prefix != prefix or injection.suffix != suffix)
condType = injection.ptype is not None and injection.ptype != ptype
if condBound or condType:
continue
# For each test's <where>
for where in test.where:
templatePayload = None
vector = None
# Threat the parameter original value according to the
# test's <where> tag
if where == PAYLOAD.WHERE.ORIGINAL:
origValue = value
elif where == PAYLOAD.WHERE.NEGATIVE:
# Use different page template than the original
# one as we are changing parameters value, which
# will likely result in a different content
if conf.invalidLogical:
origValue = "%s AND %s=%s" % (origValue, randomInt(), randomInt())
elif conf.invalidBignum:
origValue = "%d.%d" % (randomInt(6), randomInt(1))
else:
origValue = "-%s" % randomInt()
templatePayload = agent.payload(place, parameter, newValue=origValue, where=where)
elif where == PAYLOAD.WHERE.REPLACE:
origValue = ""
kb.pageTemplate, kb.errorIsNone = getPageTemplate(templatePayload, place)
# Forge request payload by prepending with boundary's
# prefix and appending the boundary's suffix to the
# test's ' <payload><comment> ' string
boundPayload = agent.prefixQuery(fstPayload, prefix, where, clause)
boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)
reqPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)
# Perform the test's request and check whether or not the
# payload was successful
# Parse test's <response>
for method, check in test.response.items():
check = agent.cleanupPayload(check, origValue=value)
# In case of boolean-based blind SQL injection
if method == PAYLOAD.METHOD.COMPARISON:
# Generate payload used for comparison
def genCmpPayload():
sndPayload = agent.cleanupPayload(test.response.comparison, origValue=value)
# Forge response payload by prepending with
# boundary's prefix and appending the boundary's
# suffix to the test's ' <payload><comment> '
# string
boundPayload = agent.prefixQuery(sndPayload, prefix, where, clause)
boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)
cmpPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)
return cmpPayload
# Useful to set kb.matchRatio at first based on
# the False response content
kb.matchRatio = None
kb.negativeLogic = (where == PAYLOAD.WHERE.NEGATIVE)
Request.queryPage(genCmpPayload(), place, raise404=False)
falsePage = threadData.lastComparisonPage or ""
# Perform the test's True request
trueResult = Request.queryPage(reqPayload, place, raise404=False)
truePage = threadData.lastComparisonPage or ""
if trueResult:
falseResult = Request.queryPage(genCmpPayload(), place, raise404=False)
# Perform the test's False request
if not falseResult:
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
logger.info(infoMsg)
injectable = True
if not injectable and not any((conf.string, conf.notString, conf.regexp)) and kb.pageStable:
trueSet = set(extractTextTagContent(truePage))
falseSet = set(extractTextTagContent(falsePage))
candidates = filter(None, (_.strip() if _.strip() in (kb.pageTemplate or "") and _.strip() not in falsePage else None for _ in (trueSet - falseSet)))
if candidates:
conf.string = random.sample(candidates, 1)[0]
infoMsg = "%s parameter '%s' seems to be '%s' injectable (with --string=\"%s\")" % (place, parameter, title, repr(conf.string).lstrip('u').strip("'"))
logger.info(infoMsg)
injectable = True
# In case of error-based SQL injection
elif method == PAYLOAD.METHOD.GREP:
# Perform the test's request and grep the response
# body for the test's <grep> regular expression
try:
page, headers = Request.queryPage(reqPayload, place, content=True, raise404=False)
output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE) \
or extractRegexResult(check, listToStrValue(headers.headers \
if headers else None), re.DOTALL | re.IGNORECASE) \
or extractRegexResult(check, threadData.lastRedirectMsg[1] \
if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == \
threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE)
if output:
result = output == "1"
if result:
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
logger.info(infoMsg)
injectable = True
except sqlmapConnectionException, msg:
debugMsg = "problem occured most likely because the "
debugMsg += "server hasn't recovered as expected from the "
debugMsg += "error-based payload used ('%s')" % msg
logger.debug(debugMsg)
# In case of time-based blind or stacked queries
# SQL injections
elif method == PAYLOAD.METHOD.TIME:
# Perform the test's request
trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)
if trueResult:
# Confirm test's results
trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)
if trueResult:
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
logger.info(infoMsg)
injectable = True
# In case of UNION query SQL injection
elif method == PAYLOAD.METHOD.UNION:
# Test for UNION injection and set the sample
# payload as well as the vector.
# NOTE: vector is set to a tuple with 6 elements,
# used afterwards by Agent.forgeUnionQuery()
# method to forge the UNION query payload
configUnion(test.request.char, test.request.columns)
if not Backend.getIdentifiedDbms():
warnMsg = "using unescaped version of the test "
warnMsg += "because of zero knowledge of the "
warnMsg += "back-end DBMS. You can try to "
warnMsg += "explicitly set it using option '--dbms'"
singleTimeWarnMessage(warnMsg)
if unionExtended:
infoMsg = "automatically extending ranges "
infoMsg += "for UNION query injection technique tests as "
infoMsg += "there is at least one other potential "
infoMsg += "injection technique found"
singleTimeLogMessage(infoMsg)
# Test for UNION query SQL injection
reqPayload, vector = unionTest(comment, place, parameter, value, prefix, suffix)
if isinstance(reqPayload, basestring):
infoMsg = "%s parameter '%s' is '%s' injectable" % (place, parameter, title)
logger.info(infoMsg)
injectable = True
# Overwrite 'where' because it can be set
# by unionTest() directly
where = vector[6]
kb.previousMethod = method
# If the injection test was successful feed the injection
# object with the test's details
if injectable is True:
# Feed with the boundaries details only the first time a
# test has been successful
if injection.place is None or injection.parameter is None:
if place in (PLACE.USER_AGENT, PLACE.REFERER, PLACE.HOST):
injection.parameter = place
else:
injection.parameter = parameter
injection.place = place
injection.ptype = ptype
injection.prefix = prefix
injection.suffix = suffix
injection.clause = clause
# Feed with test details every time a test is successful
if hasattr(test, "details"):
for dKey, dValue in test.details.items():
if dKey == "dbms":
injection.dbms = dValue
if not isinstance(dValue, list):
Backend.setDbms(dValue)
else:
Backend.forceDbms(dValue[0], True)
elif dKey == "dbms_version" and injection.dbms_version is None and not conf.testFilter:
injection.dbms_version = Backend.setVersion(dValue)
elif dKey == "os" and injection.os is None:
injection.os = Backend.setOs(dValue)
if vector is None and "vector" in test and test.vector is not None:
vector = test.vector
injection.data[stype] = AttribDict()
injection.data[stype].title = title
injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload)
injection.data[stype].where = where
injection.data[stype].vector = vector
injection.data[stype].comment = comment
injection.data[stype].templatePayload = templatePayload
injection.data[stype].matchRatio = kb.matchRatio
injection.conf.textOnly = conf.textOnly
injection.conf.titles = conf.titles
injection.conf.string = conf.string
injection.conf.notString = conf.notString
injection.conf.regexp = conf.regexp
injection.conf.optimize = conf.optimize
if conf.beep:
beep()
# There is no need to perform this test for other
# <where> tags
break
if injectable is True:
kb.vulnHosts.add(conf.hostname)
break
#!/usr/bin/env python3 # -*- coding: utf-8 -*- ''' @Author: xxlin @LastEditors: xxlin @Date: 2019-04-10 13:27:58 @LastEditTime: 2019-04-10 17:46:40 ''' from lib.core.datatype import AttribDict # dirmap paths paths = AttribDict() # object to store original command line options cmdLineOptions = AttribDict() # object to share within function and classes command # line options and settings conf = AttribDict() # object to control engine th = AttribDict() #创建payloads字典对象存储payloads payloads = AttribDict() #创建tasks字典对象存储tasks tasks = AttribDict() #创建进度条对象存储进度
