def parseOutputString(self, output, debug=False):
"""
This method will discard the output the shell sends, it will read it from
the xml where it expects it to be present.
NOTE: if 'debug' is true then it is being run from a test case and the
output being sent is valid.
"""
parser = NiktoXmlParser(output)
for host in parser.hosts:
h_id = self.createAndAddHost(host.targetip,
hostnames=[host.targethostname])
s_id = self.createAndAddServiceToHost(h_id,
"http",
"tcp",
ports=[host.port],
status="open")
for item in host.items:
v_id = self.createAndAddVulnWebToService(
h_id,
s_id,
name=item.desc,
ref=item.osvdbid,
method=item.method,
params=', '.join(item.params),
**plugin_utils.get_vulnweb_url_fields(item.namelink))
del parser
def parseOutputString(self, output, debug=False):
parser = WebInspectParser(output)
vulns = parser.parse()
for vuln in vulns:
host_id = self.createAndAddHost(vuln.get("Host").get("name"))
interface_id = self.createAndAddInterface(
host_id,
vuln.get("Host").get("name"))
service_id = self.createAndAddServiceToInterface(
host_id,
interface_id,
vuln.get("Service").get("name"),
protocol=vuln.get("Service").get("name"),
ports=[vuln.get("Service").get("port")])
self.createAndAddVulnWebToService(
host_id,
service_id,
vuln.get("Vuln").get("name"),
website=get_vulnweb_url_fields(
vuln.get("Vuln").get("website")).get("website"),
path=get_vulnweb_url_fields(
vuln.get("Vuln").get("website")).get("path"),
query=get_vulnweb_url_fields(
vuln.get("Vuln").get("website")).get("query"),
method=vuln.get("Vuln").get("method"),
request=vuln.get("Vuln").get("request"),
ref=filter(None,
vuln.get("Vuln").get("reference")),
response=vuln.get("Vuln").get("response"),
desc=cleanhtml(vuln.get("Vuln").get("description")),
resolution=cleanhtml(vuln.get("Vuln").get("resolution")),
severity=parser.parse_severity(
vuln.get("Vuln").get("severity")))
return True
def parse_found_url(self, base_url, h_id, s_id, item):
if self.should_ignore_403 and item['status'] == 403:
return
url = urlparse.urlsplit(urlparse.urljoin(base_url, item['path']))
response = "HTTP/1.1 {} {}\nContent-Length: {}".format(
item['status'], status_codes.get(item['status'], 'unknown'),
item['content-length'])
redirect = item.get('redirect')
if redirect is not None:
response += '\nLocation: {}'.format(redirect)
self.createAndAddVulnWebToService(
h_id,
s_id,
name='Path found: {} ({})'.format(item['path'], item['status']),
desc="Dirsearch tool found the following URL: {}".format(
url.geturl()),
severity="info",
method='GET',
response=response,
**get_vulnweb_url_fields(url.geturl()))
def parseOutputString(self, output, debug=False):
"""
This method will discard the output the shell sends, it will read it from
the xml where it expects it to be present.
NOTE: if 'debug' is true then it is being run from a test case and the
output being sent is valid.
"""
if self.ignore_parsing:
return
sys.path.append(self.getSetting("Sqlmap path"))
try:
from lib.core.settings import HASHDB_MILESTONE_VALUE #pylint: disable=import-error,bad-option-value
from lib.core.enums import HASHDB_KEYS #pylint: disable=import-error
from lib.core.settings import UNICODE_ENCODING #pylint: disable=import-error
except:
self.log('Remember set your Sqlmap Path Setting!... Abort plugin.',
'ERROR')
return
if HASHDB_MILESTONE_VALUE not in SUPPORTED_HASHDB_VERSIONS:
self.log(
"Your version of SQLMap is not supported with this plugin. "
"Please use an older version of SQLMap (the suggested one "
"is \"{}\"). Also, we suggest you to open issue in our GitHub "
"issue tracker: https://github.com/infobyte/faraday/issues/".
format(self.version), 'ERROR')
return
self.HASHDB_MILESTONE_VALUE = HASHDB_MILESTONE_VALUE
self.HASHDB_KEYS = HASHDB_KEYS
self.UNICODE_ENCODING = UNICODE_ENCODING
password = self.getpassword(output)
webserver = re.search("web application technology: (.*?)\n", output)
if webserver:
webserver = webserver.group(1)
users = self.getuser(output)
dbs = self.getdbs(output)
tables = self.gettables(output)
columns = self.getcolumns(output)
db = Database(self._output_path)
db.connect()
absFilePaths = self.hashDBRetrieve(self.HASHDB_KEYS.KB_ABS_FILE_PATHS,
True, db)
brute_tables = self.hashDBRetrieve(self.HASHDB_KEYS.KB_BRUTE_TABLES,
True, db)
brute_columns = self.hashDBRetrieve(self.HASHDB_KEYS.KB_BRUTE_COLUMNS,
True, db)
xpCmdshellAvailable = self.hashDBRetrieve(
self.HASHDB_KEYS.KB_XP_CMDSHELL_AVAILABLE, True, db)
dbms_version = self.hashDBRetrieve(self.HASHDB_KEYS.DBMS, False, db)
self.ip = self.getAddress(self.hostname)
h_id = self.createAndAddHost(self.ip)
i_id = self.createAndAddInterface(h_id,
name=self.ip,
ipv4_address=self.ip,
hostname_resolution=[self.hostname])
s_id = self.createAndAddServiceToInterface(h_id,
i_id,
self.protocol,
'tcp', [self.port],
status="open",
version=webserver)
n_id = self.createAndAddNoteToService(h_id, s_id, "website", '')
self.createAndAddNoteToNote(h_id, s_id, n_id, self.hostname, '')
db_port = 0
for item in self.db_port.keys():
if dbms_version.find(item) >= 0:
db_port = self.db_port[item]
s_id2 = self.createAndAddServiceToInterface(
h_id,
i_id,
name=dbms_version,
protocol="tcp",
status="closed",
version=str(dbms_version),
ports=[str(db_port)],
description="DB detect by SQLi")
# sqlmap.py --users
if users:
for v in users:
if v:
self.createAndAddCredToService(h_id, s_id2, v, '')
# sqlmap.py --passwords
if password:
for k, v in password.iteritems():
self.createAndAddCredToService(h_id, s_id2, k, v)
# sqlmap.py --file-dest
if absFilePaths:
self.createAndAddNoteToService(h_id, s_id2, "sqlmap.absFilePaths",
'\n'.join(absFilePaths))
# sqlmap.py --common-tables
if brute_tables:
for item in brute_tables:
self.createAndAddNoteToService(h_id, s_id2,
"sqlmap.brutetables", item[1])
# sqlmap.py --tables
if tables:
table_names = [
'{}.{}'.format(db_name, table)
for (db_name, db_tables) in tables.items()
for table in db_tables
]
self.createAndAddNoteToService(h_id, s_id2, "sqlmap.tables",
'\n'.join(table_names))
# sqlmap.py --columns
if columns:
# Create one note per database
for (database, tables) in columns.items():
text = ''
for (table_name, columns) in tables.items():
columns_text = ', '.join('{} {}'.format(col_name, type_)
for (col_name, type_) in columns)
text += '{}: {}\n'.format(table_name, columns_text)
self.createAndAddNoteToService(h_id, s_id2,
"sqlmap.columns." + database,
text)
# sqlmap.py --common-columns
if brute_columns:
text = ('Db: ' + brute_columns[0][0] + '\nTable: ' +
brute_columns[0][1] + '\nColumns:')
for element in brute_columns:
text += str(element[2]) + '\n'
self.createAndAddNoteToService(h_id, s_id2, "sqlmap.brutecolumns",
text)
# sqlmap.py --os-shell
if xpCmdshellAvailable:
self.createAndAddNoteToService(h_id, s_id2,
"sqlmap.xpCmdshellAvailable",
str(xpCmdshellAvailable))
# sqlmap.py --dbs
if dbs:
self.createAndAddNoteToService(h_id, s_id2, "db.databases",
'\n'.join(dbs))
for inj in self.hashDBRetrieve(self.HASHDB_KEYS.KB_INJECTIONS, True,
db) or []:
for k, v in inj.data.items():
self.createAndAddVulnWebToService(
h_id,
s_id,
name=inj.data[k]['title'],
desc="Payload:" + str(inj.data[k]['payload']) +
"\nVector:" + str(inj.data[k]['vector']) +
"\nParam type:" + str(self.ptype[inj.ptype]),
ref=[],
pname=inj.parameter,
severity="high",
method=inj.place,
params=self.params,
**get_vulnweb_url_fields(self.fullpath))