def _verify_vuln(self, vuln_obj): """ This command verifies a vuln. This is really hard work! :P :return : True if vuln can be exploited. """ uri = vuln_obj.get_uri() dc = vuln_obj.get_dc() orig_value = vuln_obj.get_mutant().get_original_value() dc[vuln_obj.get_var()] = orig_value post_data = None if isinstance(dc, Form): post_data = str(dc) or None else: uri.set_querystring(dc) target = Target(uri, post_data) sqlmap = SQLMapWrapper(target, self._uri_opener) if sqlmap.is_vulnerable(): self._sqlmap = sqlmap return True return False
def _verify_vuln(self, vuln_obj): """ This command verifies a vuln. This is really hard work! :P :return : True if vuln can be exploited. """ uri = vuln_obj.get_uri() dc = vuln_obj.get_dc() fuzzable_request = vuln_obj.get_mutant().get_fuzzable_req() m = vuln_obj.get_mutant() orig_value = m.get_original_value() # When the original value of the parameter was empty, mostly when it # was an HTML form, sqlmap can't find the vulnerability (and w3af does) # so we're adding a '1' here just in case. parameter_values = {orig_value, '1'} for pvalue in parameter_values: dc[vuln_obj.get_var()][m.get_var_index()] = pvalue post_data = None if isinstance(fuzzable_request, HTTPQSRequest): uri.set_querystring(dc) else: post_data = str(dc) or None target = Target(uri, post_data) sqlmap = SQLMapWrapper(target, self._uri_opener) if sqlmap.is_vulnerable(): self._sqlmap = sqlmap return True return False
def _verify_vuln(self, vuln_obj): """ This command verifies a vuln. This is really hard work! :P :return : True if vuln can be exploited. """ mutant = vuln_obj.get_mutant() orig_value = mutant.get_token().get_original_value() # When the original value of the parameter was empty, mostly when it # was an HTML form, sqlmap can't find the vulnerability (and w3af does) # so we're adding a '1' here just in case. parameter_values = {orig_value, '1'} for pvalue in parameter_values: mutant = copy.deepcopy(mutant) mutant.set_token_value(pvalue) post_data = mutant.get_data() or None target = Target(mutant.get_uri(), post_data) sqlmap = SQLMapWrapper(target, self._uri_opener) if sqlmap.is_vulnerable(): self._sqlmap = sqlmap return True return False
def test_enable_coloring(self): uri = URL(self.SQLI_GET) target = Target(uri) sqlmap = SQLMapWrapper(target, self.uri_opener, coloring=True) params = sqlmap.get_wrapper_params() self.assertNotIn('--disable-coloring', params)
def setUp(self): uri = URL(self.SQLI_GET) target = Target(uri) self.uri_opener = ExtendedUrllib() self.sqlmap = SQLMapWrapper(target, self.uri_opener, debug=True)
def test_verify_vulnerability_POST(self): target = Target(URL(self.SQLI_POST), self.DATA_POST) self.sqlmap = SQLMapWrapper(target, self.uri_opener) vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable, self.sqlmap.last_stdout)
def test_verify_vulnerability_ssl(self): uri = URL(self.SSL_SQLI_GET) target = Target(uri) self.uri_opener = ExtendedUrllib() self.sqlmap = SQLMapWrapper(target, self.uri_opener) vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable, self.sqlmap.last_stdout)
def test_verify_vulnerability_false(self): not_vuln = get_moth_http('/audit/sql_injection/' 'where_string_single_qs.py?fake=pablo') uri = URL(not_vuln) target = Target(uri) self.sqlmap = SQLMapWrapper(target, self.uri_opener) vulnerable = self.sqlmap.is_vulnerable() self.assertFalse(vulnerable)
def test_stds(self): uri = URL(self.SQLI_GET) target = Target(uri) self.sqlmap = SQLMapWrapper(target, self.uri_opener) prms = ['--batch',] cmd, process = self.sqlmap.run_sqlmap_with_pipes(prms) self.assertIsInstance(process.stdout, file) self.assertIsInstance(process.stderr, file) self.assertIsInstance(process.stdin, file) self.assertIsInstance(cmd, basestring) self.assertIn('sqlmap.py', cmd)
def _verify_vuln(self, vuln_obj): """ This command verifies a vuln. This is really hard work! :P :return : True if vuln can be exploited. """ mutant = vuln_obj.get_mutant() if not isinstance(mutant, (QSMutant, PostDataMutant)): msg = ('The SQL injection vulnerability at %s can not be exploited' ' by w3af\'s sqlmap wrapper because it can only handle' ' query string and url-encoded post data parameters.') om.out.console(msg % (mutant.get_url(),)) return False orig_value = mutant.get_token().get_original_value() # When the original value of the parameter was empty, mostly when it # was an HTML form, sqlmap can't find the vulnerability (and w3af does) # so we're adding a '1' here just in case. parameter_values = {orig_value, '1'} for pvalue in parameter_values: mutant = copy.deepcopy(mutant) mutant.set_token_value(pvalue) post_data = mutant.get_data() or None target = Target(mutant.get_uri(), post_data) try: sqlmap = SQLMapWrapper(target, self._uri_opener) except TypeError: issue_url = 'https://github.com/andresriancho/w3af/issues/6439' msg = 'w3af\'s sqlmap wrapper has some limitations, and you' \ ' just found one of them. For more information please' \ ' visit %s .' om.out.console(msg % issue_url) return False else: if sqlmap.is_vulnerable(): self._sqlmap = sqlmap return True else: self._sqlmap = None sqlmap.cleanup() return False
def test_kb_list_shells_sqlmap_2181(self): """ Also very related with test_pickleable_shells :see: https://github.com/andresriancho/w3af/issues/2181 """ w3af_core = w3afCore() target = Target(URL('http://w3af.org/')) sqlmap_wrapper = SQLMapWrapper(target, w3af_core.uri_opener) sqlmap_shell = SQLMapShell(MockVuln(), w3af_core.uri_opener, w3af_core.worker_pool, sqlmap_wrapper) kb.append('a', 'b', sqlmap_shell) shells = kb.get_all_shells(w3af_core=w3af_core) self.assertEqual(len(shells), 1) unpickled_shell = shells[0] self.assertEqual(sqlmap_shell, unpickled_shell) self.assertIs(unpickled_shell._uri_opener, w3af_core.uri_opener) self.assertIs(unpickled_shell.worker_pool, w3af_core.worker_pool) self.assertIs(unpickled_shell.sqlmap.proxy._uri_opener, w3af_core.uri_opener) w3af_core.quit()
class TestSQLMapWrapper(unittest.TestCase): SQLI_GET = get_moth_http('/audit/sql_injection/' 'where_string_single_qs.py?uname=pablo') SSL_SQLI_GET = get_moth_https('/audit/sql_injection/' 'where_string_single_qs.py?uname=pablo') SQLI_POST = get_moth_http('/audit/sql_injection/where_integer_form.py') DATA_POST = 'text=1' def setUp(self): uri = URL(self.SQLI_GET) target = Target(uri) self.uri_opener = ExtendedUrllib() self.sqlmap = SQLMapWrapper(target, self.uri_opener, debug=True) def tearDown(self): self.uri_opener.end() self.sqlmap.cleanup() @classmethod def setUpClass(cls): output_dir = os.path.join(SQLMapWrapper.SQLMAP_LOCATION, 'output') if os.path.exists(output_dir): shutil.rmtree(output_dir) @classmethod def tearDownClass(cls): # Doing this in both setupclass and teardownclass in order to be sure # that a ctrl+c doesn't break it output_dir = os.path.join(SQLMapWrapper.SQLMAP_LOCATION, 'output') if os.path.exists(output_dir): shutil.rmtree(output_dir) def test_verify_vulnerability(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) def test_verify_vulnerability_ssl(self): uri = URL(self.SSL_SQLI_GET) target = Target(uri) self.uri_opener = ExtendedUrllib() self.sqlmap = SQLMapWrapper(target, self.uri_opener) vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable, self.sqlmap.last_stdout) def test_verify_vulnerability_false(self): not_vuln = get_moth_http('/audit/sql_injection/' 'where_string_single_qs.py?fake=pablo') uri = URL(not_vuln) target = Target(uri) self.sqlmap = SQLMapWrapper(target, self.uri_opener) vulnerable = self.sqlmap.is_vulnerable() self.assertFalse(vulnerable) def test_verify_vulnerability_POST(self): target = Target(URL(self.SQLI_POST), self.DATA_POST) self.sqlmap = SQLMapWrapper(target, self.uri_opener) vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable, self.sqlmap.last_stdout) def test_wrapper_invalid_url(self): self.assertRaises(TypeError, SQLMapWrapper, self.SQLI_GET, self.uri_opener) def test_stds(self): uri = URL(self.SQLI_GET) target = Target(uri) self.sqlmap = SQLMapWrapper(target, self.uri_opener) prms = ['--batch',] cmd, process = self.sqlmap.run_sqlmap_with_pipes(prms) self.assertIsInstance(process.stdout, file) self.assertIsInstance(process.stderr, file) self.assertIsInstance(process.stdin, file) self.assertIsInstance(cmd, basestring) self.assertIn('sqlmap.py', cmd) def test_target_basic(self): target = Target(URL(self.SQLI_GET)) params = target.to_params() self.assertEqual(params, ["--url=%s" % self.SQLI_GET]) def test_target_post_data(self): target = Target(URL(self.SQLI_GET), self.DATA_POST) params = target.to_params() self.assertEqual(params, ["--url=%s" % self.SQLI_GET, "--data=%s" % self.DATA_POST]) def test_no_coloring(self): params = self.sqlmap.get_wrapper_params() self.assertIn('--disable-coloring', params) def test_always_batch(self): params = self.sqlmap.get_wrapper_params() self.assertIn('--batch', params) def test_use_proxy(self): params = self.sqlmap.get_wrapper_params() self.assertTrue(any(i.startswith('--proxy=http://127.0.0.1:') for i in params)) def test_enable_coloring(self): uri = URL(self.SQLI_GET) target = Target(uri) sqlmap = SQLMapWrapper(target, self.uri_opener, coloring=True) params = sqlmap.get_wrapper_params() self.assertNotIn('--disable-coloring', params) def test_dbs(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) cmd, process = self.sqlmap.dbs() output = process.stdout.read() self.assertIn('on SQLite it is not possible to enumerate databases', output) def test_tables(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) cmd, process = self.sqlmap.tables() output = process.stdout.read() self.assertIn('auth_group_permissions', output) self.assertIn('Database: SQLite_masterdb', output) self.assertIn('django_content_type', output) def test_users(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) cmd, process = self.sqlmap.users() output = process.stdout.read() self.assertIn('on SQLite it is not possible to enumerate the users', output) def test_dump(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) cmd, process = self.sqlmap.dump() output = process.stdout.read() self.assertIn('django_session', output) self.assertIn('auth_user_user_permissions', output) def test_sqlmap(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) cmd, process = self.sqlmap.direct('--tables') output = process.stdout.read() self.assertIn('django_session', output) self.assertIn('auth_user_user_permissions', output) self.assertNotIn('information_schema', output) self.assertNotIn('COLUMN_PRIVILEGES', output)
class TestSQLMapWrapper(unittest.TestCase): SQLI_GET = get_moth_http('/audit/sql_injection/' 'where_string_single_qs.py?uname=pablo') SSL_SQLI_GET = get_moth_https('/audit/sql_injection/' 'where_string_single_qs.py?uname=pablo') SQLI_POST = get_moth_http('/audit/sql_injection/where_integer_form.py') DATA_POST = 'text=1' def setUp(self): uri = URL(self.SQLI_GET) target = Target(uri) self.uri_opener = ExtendedUrllib() self.sqlmap = SQLMapWrapper(target, self.uri_opener, debug=True) def tearDown(self): self.uri_opener.end() self.sqlmap.cleanup() @classmethod def setUpClass(cls): output_dir = os.path.join(SQLMapWrapper.SQLMAP_LOCATION, 'output') if os.path.exists(output_dir): shutil.rmtree(output_dir) @classmethod def tearDownClass(cls): # Doing this in both setupclass and teardownclass in order to be sure # that a ctrl+c doesn't break it output_dir = os.path.join(SQLMapWrapper.SQLMAP_LOCATION, 'output') if os.path.exists(output_dir): shutil.rmtree(output_dir) def test_verify_vulnerability(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) def test_verify_vulnerability_ssl(self): uri = URL(self.SSL_SQLI_GET) target = Target(uri) self.uri_opener = ExtendedUrllib() self.sqlmap = SQLMapWrapper(target, self.uri_opener) vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable, self.sqlmap.last_stdout) def test_verify_vulnerability_false(self): not_vuln = get_moth_http('/audit/sql_injection/' 'where_string_single_qs.py?fake=pablo') uri = URL(not_vuln) target = Target(uri) self.sqlmap = SQLMapWrapper(target, self.uri_opener) vulnerable = self.sqlmap.is_vulnerable() self.assertFalse(vulnerable) def test_verify_vulnerability_POST(self): target = Target(URL(self.SQLI_POST), self.DATA_POST) self.sqlmap = SQLMapWrapper(target, self.uri_opener) vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable, self.sqlmap.last_stdout) def test_wrapper_invalid_url(self): self.assertRaises(TypeError, SQLMapWrapper, self.SQLI_GET, self.uri_opener) def test_stds(self): uri = URL(self.SQLI_GET) target = Target(uri) self.sqlmap = SQLMapWrapper(target, self.uri_opener) prms = [ '--batch', ] cmd, process = self.sqlmap.run_sqlmap_with_pipes(prms) self.assertIsInstance(process.stdout, file) self.assertIsInstance(process.stderr, file) self.assertIsInstance(process.stdin, file) self.assertIsInstance(cmd, basestring) self.assertIn('sqlmap.py', cmd) def test_target_basic(self): target = Target(URL(self.SQLI_GET)) params = target.to_params() self.assertEqual(params, ["--url=%s" % self.SQLI_GET]) def test_target_post_data(self): target = Target(URL(self.SQLI_GET), self.DATA_POST) params = target.to_params() self.assertEqual( params, ["--url=%s" % self.SQLI_GET, "--data=%s" % self.DATA_POST]) def test_no_coloring(self): params = self.sqlmap.get_wrapper_params() self.assertIn('--disable-coloring', params) def test_always_batch(self): params = self.sqlmap.get_wrapper_params() self.assertIn('--batch', params) def test_use_proxy(self): params = self.sqlmap.get_wrapper_params() self.assertTrue( any(i.startswith('--proxy=http://127.0.0.1:') for i in params)) def test_enable_coloring(self): uri = URL(self.SQLI_GET) target = Target(uri) sqlmap = SQLMapWrapper(target, self.uri_opener, coloring=True) params = sqlmap.get_wrapper_params() self.assertNotIn('--disable-coloring', params) def test_dbs(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) cmd, process = self.sqlmap.dbs() output = process.stdout.read() self.assertIn('on SQLite it is not possible to enumerate databases', output) def test_tables(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) cmd, process = self.sqlmap.tables() output = process.stdout.read() self.assertIn('auth_group_permissions', output) self.assertIn('Database: SQLite_masterdb', output) self.assertIn('django_content_type', output) def test_users(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) cmd, process = self.sqlmap.users() output = process.stdout.read() self.assertIn('on SQLite it is not possible to enumerate the users', output) def test_dump(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable) cmd, process = self.sqlmap.dump() output = process.stdout.read() self.assertIn('django_session', output) self.assertIn('auth_user_user_permissions', output) def test_sqlmap(self): vulnerable = self.sqlmap.is_vulnerable() self.assertTrue(vulnerable, self.sqlmap.last_stdout) cmd, process = self.sqlmap.direct('--tables') output = process.stdout.read() self.assertIn('django_session', output) self.assertIn('auth_user_user_permissions', output) self.assertNotIn('COLUMN_PRIVILEGES', output)
def _verify_vuln(self, vuln_obj): """ This command verifies a vuln. This is really hard work! :P :return : True if vuln can be exploited. """ mutant = vuln_obj.get_mutant() if not isinstance(mutant, (QSMutant, PostDataMutant)): msg = ('The SQL injection vulnerability at %s can not be exploited' ' by w3af\'s sqlmap wrapper because it can only handle' ' query string and url-encoded post data parameters.') om.out.console(msg % (mutant.get_url(), )) return False orig_value = mutant.get_token().get_original_value() # When the original value of the parameter was empty, mostly when it # was an HTML form, sqlmap can't find the vulnerability (and w3af does) # so we're adding a '1' here just in case. parameter_values = {orig_value, '1'} for pvalue in parameter_values: mutant = copy.deepcopy(mutant) mutant.set_token_value(pvalue) self._sqlmap = None post_data = mutant.get_data() or None target = Target(mutant.get_uri(), post_data) try: sqlmap = SQLMapWrapper(target, self._uri_opener) except TypeError: issue_url = 'https://github.com/andresriancho/w3af/issues/6439' msg = ('w3af\'s sqlmap wrapper has some limitations, and you' ' just found one of them. For more information please' ' visit %s .') om.out.console(msg % issue_url) return False try: is_vuln = sqlmap.is_vulnerable() except: sqlmap.cleanup() if sqlmap.last_stdout is None or sqlmap.last_stderr is None: # Not sure when we get here return False taint_error = 'provided tainted parameter' if not (taint_error in sqlmap.last_stdout or taint_error in sqlmap.last_stderr): # Some error that we don't have a special handling for return False issue_url = 'https://github.com/andresriancho/w3af/issues/1989' msg = ('w3af\'s sqlmap wrapper has some limitations, and you' ' just found one of them. For more information please' ' visit %s and add the steps required to reproduce this' ' issue which will help us debug and fix it.') om.out.console(msg % issue_url) return False if is_vuln: self._sqlmap = sqlmap return True else: sqlmap.cleanup() return False
def _verify_vuln(self, vuln_obj): """ This command verifies a vuln. This is really hard work! :P :return : True if vuln can be exploited. """ mutant = vuln_obj.get_mutant() if not isinstance(mutant, (QSMutant, PostDataMutant)): msg = ('The SQL injection vulnerability at %s can not be exploited' ' by w3af\'s sqlmap wrapper because it can only handle' ' query string and url-encoded post data parameters.') om.out.console(msg % (mutant.get_url(),)) return False orig_value = mutant.get_token().get_original_value() # When the original value of the parameter was empty, mostly when it # was an HTML form, sqlmap can't find the vulnerability (and w3af does) # so we're adding a '1' here just in case. parameter_values = {orig_value, '1'} for pvalue in parameter_values: mutant = copy.deepcopy(mutant) mutant.set_token_value(pvalue) self._sqlmap = None post_data = mutant.get_data() or None target = Target(mutant.get_uri(), post_data) try: sqlmap = SQLMapWrapper(target, self._uri_opener) except TypeError: issue_url = 'https://github.com/andresriancho/w3af/issues/6439' msg = ('w3af\'s sqlmap wrapper has some limitations, and you' ' just found one of them. For more information please' ' visit %s .') om.out.console(msg % issue_url) return False try: is_vuln = sqlmap.is_vulnerable() except: sqlmap.cleanup() if sqlmap.last_stdout is None or sqlmap.last_stderr is None: # Not sure when we get here return False taint_error = 'provided tainted parameter' if not (taint_error in sqlmap.last_stdout or taint_error in sqlmap.last_stderr): # Some error that we don't have a special handling for return False issue_url = 'https://github.com/andresriancho/w3af/issues/1989' msg = ('w3af\'s sqlmap wrapper has some limitations, and you' ' just found one of them. For more information please' ' visit %s and add the steps required to reproduce this' ' issue which will help us debug and fix it.') om.out.console(msg % issue_url) return False if is_vuln: self._sqlmap = sqlmap return True else: sqlmap.cleanup() return False