diff --git a/.gitignore b/.gitignore
index 1f7f94a3b1e..c87c49576c2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,13 @@
+
+*.bak
+*.sw[op]
+*.py[cod]
 output/
 __pycache__/
 *.py[cod]
 .sqlmap_history
 traffic.txt
+*.orig
 *~
+.idea/
 req*.txt
-.idea/
\ No newline at end of file
diff --git a/data/txt/banking-tables.txt b/data/txt/banking-tables.txt
new file mode 100644
index 00000000000..5389ba6ec4f
--- /dev/null
+++ b/data/txt/banking-tables.txt
@@ -0,0 +1,79 @@
+about
+banking
+banners
+contact
+locations
+privacy
+security
+services
+members_secure
+authentication
+auth
+rates
+mortage
+mortages
+loan
+loans
+balance
+authenticate
+authenticating
+user
+users
+members
+member_secure
+memberaccount
+memberaccounts
+memberslogin
+member_login
+member_accounts
+accounts
+accounting
+bankaccounts
+banklogin
+banklogins
+bank_login
+bank_logins
+bank_accounts
+bank_accounting
+user_accounts
+users_accounts
+users_accounting
+user_login
+users_login
+users_bankaccounts
+user_account_login
+user_password
+users_password
+user_passwords
+users_passwords
+user_passwd
+users_passwd
+user_passwds
+users_passwds
+account_number
+accountnumber
+accountpassword
+accountpasswords
+usercreds
+userpasswd
+userpasswds
+userscreds
+userscred
+login
+logins
+admin
+admins
+bankadmin
+bankadmins
+bank_admin
+bank_admins
+branch_login
+branch_logins
+restricted
+secure
+user_secure
+users_secure
+userinfo
+usersinfo
+user_info
+users_info
diff --git a/extra/beep/beep.wav b/extra/beep/beep.wav
index 35903d8a853..78905231aeb 100644
Binary files a/extra/beep/beep.wav and b/extra/beep/beep.wav differ
diff --git a/lib/core/settings.py b/lib/core/settings.py
index a4174af4d41..491244f236e 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
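Review bot: `*.py[cod]` is now listed twice in .gitignore, once in the new block at the top and once in the original run below `__pycache__/`; drop the new copy and keep the existing one. The patterns still work either way, so this is tidiness only.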
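Review bot: The new wordlist misspells `mortage` and `mortages`, so a table actually named `mortgage` or `mortgages` would never be hit by a brute-force pass that reads this file; add the correct spellings `mortgage` and `mortgages` (keeping the misspelled forms costs nothing). Nothing else in this diff references data/txt/banking-tables.txt, so if it is meant to feed the common-tables check the wiring presumably lands in a later commit and a short note in the commit description saying so would help.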
@@ -29,19 +29,25 @@ DEFAULT_USER_AGENT = "%s (%s)" % (VERSION_STRING, SITE) DEV_EMAIL_ADDRESS = "dev@sqlmap.org" ISSUES_PAGE = "https://github.com/sqlmapproject/sqlmap/issues/new" -GIT_REPOSITORY = "https://github.com/sqlmapproject/sqlmap.git" -GIT_PAGE = "https://github.com/sqlmapproject/sqlmap" +GIT_REPOSITORY = "https://github.com/dtrip/sqlmap.git" +GIT_PAGE = "https://github.com/dtrip/sqlmap" WIKI_PAGE = "https://github.com/sqlmapproject/sqlmap/wiki/" -ZIPBALL_PAGE = "https://github.com/sqlmapproject/sqlmap/zipball/master" +ZIPBALL_PAGE = "https://github.com/dtrip/sqlmap/zipball/master" # colorful banner BANNER = """\033[01;33m\ - ___ - __H__ - ___ ___[.]_____ ___ ___ \033[01;37m{\033[01;%dm%s\033[01;37m}\033[01;33m -|_ -| . [.] | .'| . | -|___|_ [.]_|_|_|__,| _| - |_|V... |_| \033[0m\033[4;37m%s\033[0m\n + .__ \033[01;37m{\033[01;%dm%s\033[01;37m}\033[01;33m + ___________| | _____ _____ ______ + / ___/ ____/ | / \\__ \ \____ \ + \___ < <_| | |_| Y Y \/ __ \| |_> > +/____ >__ |____/__|_| (____ / __/ + \/ |__| \/ \/|__| + ________ __ .__ + \______ \_/ |________|__|_____ + ______ ______ | | \ __\_ __ \ \____ \ + /_____/ /_____/ | ` \ | | | \/ | |_> > + /_______ /__| |__| |__| __/ + \/ |__| \033[0m\033[4;37m%s\033[0m\n """ % (TYPE_COLORS.get(TYPE, 31), VERSION_STRING.split('/')[-1], SITE) # Minimum distance of ratio from kb.matchRatio to result in True @@ -460,7 +466,7 @@ SENSITIVE_OPTIONS = ("hostname", "answers", "data", "dnsDomain", "googleDork", "authCred", "proxyCred", "tbl", "db", "col", "user", "cookie", "proxy", "fileRead", "fileWrite", "fileDest", "testParameter", "authCred", "sqlQuery", "requestFile") # Maximum number of threads (avoiding connection issues and/or DoS) -MAX_NUMBER_OF_THREADS = 10 +MAX_NUMBER_OF_THREADS = 50 # Minimum range between minimum and maximum of statistical set MIN_STATISTICAL_RANGE = 0.01 diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py index 6409fea28a0..88460d7e32a 100644 --- a/lib/parse/cmdline.py 
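Review bot: `GIT_REPOSITORY` and `ZIPBALL_PAGE` now point at the `dtrip/sqlmap` fork while `WIKI_PAGE`, `ISSUES_PAGE` and `DEV_EMAIL_ADDRESS` still point at sqlmapproject, so any code that updates sqlmap from `GIT_REPOSITORY` (upstream's `--update` does, if that path is unchanged here) will from now on fetch and run whatever that fork publishes, over a plain git pull with no signature or hash check visible in this hunk. That is a supply-chain decision for every user of this build and should be stated rather than buried in a constants change; at minimum add `# NOTE: self-update is served from the dtrip fork, not sqlmapproject; review before pulling` above the two lines, or keep `GIT_REPOSITORY` on upstream and carry the fork's changes as local patches. The banner rewrite in the same hunk is cosmetic.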
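Review bot: Raising `MAX_NUMBER_OF_THREADS` from 10 to 50 removes most of the protection the comment directly above it describes ("avoiding connection issues and/or DoS"): if this constant is the ceiling `--threads` is validated against, as in upstream, one run may now open 50 concurrent connections against the target. If the higher ceiling is intentional, change the comment to say why and that values above 10 are the operator's responsibility, e.g. `# Maximum number of threads; raised from 10, values above 10 risk DoS-ing the target and are on the operator`; otherwise keep 10 and raise `threads` per engagement in the config file instead.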
+++ b/lib/parse/cmdline.py @@ -742,6 +742,9 @@ def cmdLineParser(argv=None): miscellaneous.add_argument("--disable-coloring", dest="disableColoring", action="store_true", help="Disable console output coloring") + miscellaneous.add_argument("-i", "--identify-waf", dest="identifyWaf", action="store_true", + help="Make a thorough testing for a WAF/IPS protection") + miscellaneous.add_argument("--list-tampers", dest="listTampers", action="store_true", help="Display list of available tamper scripts") diff --git a/mssql.conf b/mssql.conf new file mode 100644 index 00000000000..dba5cde22e3 --- /dev/null +++ b/mssql.conf 
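Review bot: The help text `Make a thorough testing for a WAF/IPS protection` is ungrammatical and disagrees with the wording used for the same option in the new mssql.conf/mysql.conf (`WAF/IPS/IDS`); use `help="Perform thorough testing for WAF/IPS/IDS protection"` so the option reads the same in `-h` and in the config template. Also confirm the new short alias `-i` is not already used by another `add_argument` call in cmdLineParser, which starts and ends outside this hunk — argparse only reports a duplicate option string when the parser is built at runtime.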
@@ -0,0 +1,813 @@ +# At least one of these options has to be specified to set the source to +# get target URLs from. +[Target] + +# Direct connection to the database. +# Examples: +# mysql://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME +# oracle://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_SID +direct = + +# Target URL. +# Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2 +url = + +# Parse targets from Burp or WebScarab logs +# Valid: Burp proxy (http://portswigger.net/suite/) requests log file path +# or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project) +# 'conversations/' folder path +logFile = + +# Scan multiple targets enlisted in a given textual file +bulkFile = + +# Load HTTP request from a file +# Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&password=guessme +requestFile = + +# Rather than providing a target URL, let Google return target +# hosts as result of your Google dork expression. For a list of Google +# dorks see Johnny Long Google Hacking Database at +# http://johnny.ihackstuff.com/ghdb.php. +# Example: +ext:php +inurl:"&id=" +intext:"powered by " +googleDork = + +# Parse target(s) from remote sitemap(.xml) file. +# Example: http://192.168.1.121/sitemap.xml +sitemapUrl = + + +# These options can be used to specify how to connect to the target URL. +[Request] + +# Force usage of given HTTP method (e.g. PUT). +method = + +# Data string to be sent through POST. +data = + +# Character used for splitting parameter values. +paramDel = + +# HTTP Cookie header value. +cookie = + +# Character used for splitting cookie values. +cookieDel = + +# File containing cookies in Netscape/wget format. +loadCookies = + +# Ignore Set-Cookie header from response. +# Valid: True or False +dropSetCookie = False + +# HTTP User-Agent header value. Useful to fake the HTTP User-Agent header value +# at each HTTP request. 
+# sqlmap will also test for SQL injection on the HTTP User-Agent value. +agent = + +# Use randomly selected HTTP User-Agent header value. +# Valid: True or False +randomAgent = True + +# HTTP Host header value. +host = + +# HTTP Referer header. Useful to fake the HTTP Referer header value at +# each HTTP request. +referer = + +# Extra HTTP headers +headers = Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Language: en-us,en;q=0.5 + Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 + +# HTTP Authentication type. Useful only if the target URL requires +# HTTP Basic, Digest or NTLM authentication and you have such data. +# Valid: Basic, Digest, NTLM or PKI +authType = + +# HTTP authentication credentials. Useful only if the target URL requires +# HTTP Basic, Digest or NTLM authentication and you have such data. +# Syntax: username:password +authCred = + +# HTTP Authentication PEM private/cert key file. Useful only if the target URL requires +# PKI authentication and you have such data. +# Syntax: key_file +authFile = + +# Ignore HTTP Error 401 (Unauthorized). +# Valid: True or False +ignore401 = False + +# Ignore system default proxy settings. +# Valid: True or False +ignoreProxy = False + +# Ignore redirection attempts. +# Valid: True or False +ignoreRedirects = False + +# Ignore connection timeouts. +# Valid: True or False +ignoreTimeouts = False + +# Use a proxy to connect to the target URL. +# Syntax: (http|https|socks4|socks5)://address:port +proxy = + +# Proxy authentication credentials. Useful only if the proxy requires +# Basic or Digest authentication and you have such data. +# Syntax: username:password +proxyCred = + +# Load proxy list from a file +proxyFile = + +# Use Tor anonymity network. +# Valid: True or False +tor = False + +# Set Tor proxy port other than default. +# Valid: integer +# torPort = + +# Set Tor proxy type. 
+# Valid: HTTP, SOCKS4, SOCKS5 +torType = SOCKS5 + +# Check to see if Tor is used properly. +# Valid: True or False +checkTor = False + +# Delay in seconds between each HTTP request. +# Valid: float +# Default: 0 +delay = 0 + +# Seconds to wait before timeout connection. +# Valid: float +# Default: 30 +timeout = 30 + +# Maximum number of retries when the HTTP connection timeouts. +# Valid: integer +# Default: 3 +retries = 3 + +# Randomly change value for the given parameter. +rParam = + +# URL address to visit frequently during testing. +# Example: http://192.168.1.121/index.html +safeUrl = + +# POST data to send to a safe URL. +# Example: username=admin&password=passw0rd! +safePost = + +# Load safe HTTP request from a file. +safeReqFile = + +# Test requests between two visits to a given safe URL (default 0). +# Valid: integer +# Default: 0 +safeFreq = 0 + +# Skip URL encoding of payload data +# Valid: True or False +skipUrlEncode = False + +# Parameter used to hold anti-CSRF token +csrfToken = + +# URL address to visit to extract anti-CSRF token +csrfUrl = + +# Force usage of SSL/HTTPS +# Valid: True or False +forceSSL = False + +# Use HTTP parameter pollution. +# Valid: True or False +hpp = True + +# Evaluate provided Python code before the request. +# Example: import hashlib;id2=hashlib.md5(id).hexdigest() +evalCode = + +# These options can be used to optimize the performance of sqlmap. +[Optimization] + +# Use all optimization options. +# Valid: True or False +optimize = True + +# Predict common queries output. +# Valid: True or False +predictOutput = False + +# Use persistent HTTP(s) connections. +keepAlive = True + +# Retrieve page length without actual HTTP response body. +# Valid: True or False +nullConnection = False + +# Maximum number of concurrent HTTP(s) requests (handled with Python threads) +# to be used in the inference SQL injection attack. 
+# Valid: integer +# Default: 1 +threads = 3 + + +# These options can be used to specify which parameters to test for, +# provide custom injection payloads and optional tampering scripts. +[Injection] + +# Testable parameter(s) comma separated. By default all GET/POST/Cookie +# parameters and HTTP User-Agent are tested by sqlmap. +testParameter = + +# Skip testing for given parameter(s). +skip = + +# Skip testing parameters that not appear dynamic. +# Valid: True or False +skipStatic = False + +# Regexp to exclude parameters from testing (e.g. "ses"). +paramExclude = + +# Force back-end DBMS to this value. If this option is set, the back-end +# DBMS identification process will be minimized as needed. +# If not set, sqlmap will detect back-end DBMS automatically by default. +# Valid: mssql, mysql, mysql 4, mysql 5, oracle, pgsql, sqlite, sqlite3, +# access, firebird, maxdb, sybase +dbms = mssql + +# DBMS authentication credentials (user:password). Useful if you want to +# run SQL statements as another user, the back-end database management +# system is PostgreSQL or Microsoft SQL Server and the parameter is +# vulnerable by stacked queries SQL injection or you are connecting directly +# to the DBMS (-d switch). +# Syntax: username:password +dbmsCred = + +# Force back-end DBMS operating system to this value. If this option is +# set, the back-end DBMS identification process will be minimized as +# needed. +# If not set, sqlmap will detect back-end DBMS operating system +# automatically by default. +# Valid: linux, windows +os = + +# Use big numbers for invalidating values. +# Valid: True or False +invalidBignum = False + +# Use logical operations for invalidating values. +# Valid: True or False +invalidLogical = False + +# Use random strings for invalidating values. 
+# Valid: True or False +invalidString = False + +# Turn off payload casting mechanism +# Valid: True or False +noCast = False + +# Turn off string escaping mechanism +# Valid: True or False +noEscape = False + +# Injection payload prefix string. +prefix = + +# Injection payload suffix string. +suffix = + +# Use given script(s) for tampering injection data. +tamper = xforwardedfor,space2comment + + +# These options can be used to specify how to parse and compare page +# content from HTTP responses when using blind SQL injection technique. +[Detection] + +# Level of tests to perform. +# The higher the value is, the higher the number of HTTP(s) requests are +# as well as the better chances to detect a tricky SQL injection. +# Valid: Integer between 1 and 5 +# Default: 1 +level = 1 + +# Risk of tests to perform. +# Note: boolean-based blind SQL injection tests with AND are considered +# risk 1, with OR are considered risk 3. +# Valid: Integer between 1 and 3 +# Default: 1 +risk = 3 + +# String to match within the raw response when the query is evaluated to +# True, only needed if the page content dynamically changes at each refresh. +# Refer to the user's manual for further details. +string = + +# String to match within the raw response when the query is evaluated to +# False, only needed if the page content dynamically changes at each refresh. +# Refer to the user's manual for further details. +notString = + +# Regular expression to match within the raw response when the query is +# evaluated to True, only needed if the needed if the page content +# dynamically changes at each refresh. +# Refer to the user's manual for further details. +# Valid: regular expression with Python syntax +# (http://www.python.org/doc/2.5.2/lib/re-syntax.html) +regexp = + +# HTTP response code to match when the query is True. +# Valid: Integer +# Example: 200 (assuming any False statement returns a different response +# code) +# code = + +# Compare pages based only on the textual content. 
+# Valid: True or False +textOnly = False + +# Compare pages based only on their titles. +# Valid: True or False +titles = False + + +# These options can be used to tweak testing of specific SQL injection +# techniques. +[Techniques] + +# SQL injection techniques to use. +# Valid: a string composed by B, E, U, S, T and Q where: +# B: Boolean-based blind SQL injection +# E: Error-based SQL injection +# U: UNION query SQL injection +# S: Stacked queries SQL injection +# T: Time-based blind SQL injection +# Q: Inline SQL injection +# Example: ES (means test for error-based and stacked queries SQL +# injection types only) +# Default: BEUSTQ (means test for all SQL injection types - recommended) +tech = BEUSTQ + +# Seconds to delay the response from the DBMS. +# Valid: integer +# Default: 5 +timeSec = 3 + +# Range of columns to test for +# Valid: range of integers +# Example: 1-10 +uCols = + +# Character to use for bruteforcing number of columns +# Valid: string +# Example: NULL +uChar = + +# Table to use in FROM part of UNION query SQL injection +# Valid: string +# Example: INFORMATION_SCHEMA.COLLATIONS +uFrom = + +# Domain name used for DNS exfiltration attack +# Valid: string +dnsDomain = + +# Resulting page URL searched for second-order response +# Valid: string +secondOrder = + + +[Fingerprint] + +# Perform an extensive back-end database management system fingerprint +# based on various techniques. +# Valid: True or False +extensiveFp = False + + +# These options can be used to enumerate the back-end database +# management system information, structure and data contained in the +# tables. Moreover you can run your own SQL statements. +[Enumeration] + +# Retrieve everything +# Valid: True or False +getAll = False + +# Retrieve back-end database management system banner. +# Valid: True or False +getBanner = False + +# Retrieve back-end database management system current user. 
+# Valid: True or False +getCurrentUser = False + +# Retrieve back-end database management system current database. +# Valid: True or False +getCurrentDb = False + +# Retrieve back-end database management system server hostname. +# Valid: True or False +getHostname = False + +# Detect if the DBMS current user is DBA. +# Valid: True or False +isDba = False + +# Enumerate back-end database management system users. +# Valid: True or False +getUsers = False + +# Enumerate back-end database management system users password hashes. +# Valid: True or False +getPasswordHashes = False + +# Enumerate back-end database management system users privileges. +# Valid: True or False +getPrivileges = False + +# Enumerate back-end database management system users roles. +# Valid: True or False +getRoles = False + +# Enumerate back-end database management system databases. +# Valid: True or False +getDbs = False + +# Enumerate back-end database management system database tables. +# Optional: db +# Valid: True or False +getTables = False + +# Enumerate back-end database management system database table columns. +# Optional: db, tbl, col +# Valid: True or False +getColumns = False + +# Enumerate back-end database management system schema. +# Valid: True or False +getSchema = False + +# Retrieve number of entries for table(s). +# Valid: True or False +getCount = False + +# Dump back-end database management system database table entries. +# Requires: tbl and/or col +# Optional: db +# Valid: True or False +dumpTable = False + +# Dump all back-end database management system databases tables entries. +# Valid: True or False +dumpAll = False + +# Search column(s), table(s) and/or database name(s). +# Requires: db, tbl or col +# Valid: True or False +search = False + +# Retrieve back-end database management system comments. +# Valid: True or False +getComments = False + +# Back-end database management system database to enumerate. 
+db = + +# Back-end database management system database table(s) to enumerate. +tbl = + +# Back-end database management system database table column(s) to enumerate. +col = + +# Back-end database management system database table column(s) to not enumerate. +excludeCol = + +# Pivot column name. +pivotColumn = + +# Use WHERE condition while table dumping (e.g. "id=1"). +dumpWhere = + +# Back-end database management system database user to enumerate. +user = + +# Exclude DBMS system databases when enumerating tables. +# Valid: True or False +excludeSysDbs = True + +# First query output entry to retrieve +# Valid: integer +# Default: 0 (sqlmap will start to retrieve the query output entries from +# the first) +limitStart = 0 + +# Last query output entry to retrieve +# Valid: integer +# Default: 0 (sqlmap will detect the number of query output entries and +# retrieve them until the last) +limitStop = 0 + +# First query output word character to retrieve +# Valid: integer +# Default: 0 (sqlmap will enumerate the query output from the first +# character) +firstChar = 0 + +# Last query output word character to retrieve +# Valid: integer +# Default: 0 (sqlmap will enumerate the query output until the last +# character) +lastChar = 0 + +# SQL statement to be executed. +# Example: SELECT 'foo', 'bar' +query = + +# Prompt for an interactive SQL shell. +# Valid: True or False +sqlShell = False + +# Execute SQL statements from given file(s). +sqlFile = + + +# These options can be used to run brute force checks. +[Brute force] + +# Check existence of common tables. +# Valid: True or False +commonTables = False + +# Check existence of common columns. +# Valid: True or False +commonColumns = False + + +# These options can be used to create custom user-defined functions. 
+[User-defined function] + +# Inject custom user-defined functions +# Valid: True or False +udfInject = False + +# Local path of the shared library +shLib = + + +# These options can be used to access the back-end database management +# system underlying file system. +[File system] + +# Read a specific file from the back-end DBMS underlying file system. +# Examples: /etc/passwd or C:\boot.ini +rFile = + +# Write a local file to a specific path on the back-end DBMS underlying +# file system. +# Example: /tmp/sqlmap.txt or C:\WINNT\Temp\sqlmap.txt +wFile = + +# Back-end DBMS absolute filepath to write the file to. +dFile = + + +# These options can be used to access the back-end database management +# system underlying operating system. +[Takeover] + +# Execute an operating system command. +# Valid: operating system command +osCmd = + +# Prompt for an interactive operating system shell. +# Valid: True or False +osShell = False + +# Prompt for an out-of-band shell, Meterpreter or VNC. +# Valid: True or False +osPwn = False + +# One click prompt for an out-of-band shell, Meterpreter or VNC. +# Valid: True or False +osSmb = False + +# Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored +# procedure heap-based buffer overflow (MS09-004) exploitation. +# Valid: True or False +osBof = False + +# Database process' user privilege escalation. +# Note: Use in conjunction with osPwn, osSmb or osBof. It will force the +# payload to be Meterpreter. +privEsc = False + +# Local path where Metasploit Framework is installed. +# Valid: file system path +msfPath = /usr/local/share/metasploit-framework + +# Remote absolute path of temporary files directory. +# Valid: absolute file system path +tmpPath = + + +# These options can be used to access the back-end database management +# system Windows registry. +[Windows] + +# Read a Windows registry key value. +# Valid: True or False +regRead = False + +# Write a Windows registry key value data. 
+# Valid: True or False +regAdd = False + +# Delete a Windows registry key value. +# Valid: True or False +regDel = False + +# Windows registry key. +regKey = + +# Windows registry key value. +regVal = + +# Windows registry key value data. +regData = + +# Windows registry key value type. +regType = + + +# These options can be used to set some general working parameters. +[General] + +# Load session from a stored (.sqlite) file +# Example: output/www.target.com/session.sqlite +sessionFile = + +# Log all HTTP traffic into a textual file. +trafficFile = + +# Never ask for user input, use the default behaviour. +# Valid: True or False +batch = True + +# Result fields having binary values (e.g. "digest"). +binaryFields = + +# Force character encoding used for data retrieval. +charset = + +# Check Internet connection before assessing the target. +checkInternet = False + +# Crawl the website starting from the target URL. +# Valid: integer +# Default: 0 +crawlDepth = 0 + +# Regexp to exclude pages from crawling (e.g. "logout"). +crawlExclude = + +# Delimiting character used in CSV output. +# Default: , +csvDel = , + +# Format of dumped data +# Valid: CSV, HTML or SQLITE +dumpFormat = SQLITE + +# Retrieve each query output length and calculate the estimated time of +# arrival in real time. +# Valid: True or False +eta = False + +# Flush session files for current target. +# Valid: True or False +flushSession = False + +# Parse and test forms on target URL. +# Valid: True or False +forms = False + +# Ignore query results stored in session file. +# Valid: True or False +freshQueries = False + +# Use DBMS hex function(s) for data retrieval. +# Valid: True or False +hexConvert = False + +# Custom output directory path. +outputDir = + +# Parse and display DBMS error messages from responses. +# Valid: True or False +parseErrors = True + +# Regular expression for filtering targets from provided Burp. +# or WebScarab proxy log. 
+# Example: (google|yahoo) +scope = + +# Select tests by payloads and/or titles (e.g. ROW) +testFilter = + +# Skip tests by payloads and/or titles (e.g. BENCHMARK) +testSkip = + +# Update sqlmap. +# Valid: True or False +updateAll = False + + +[Miscellaneous] + +# Run host OS command(s) when SQL injection is found. +alert = + +# Set question answers (e.g. "quit=N,follow=N"). +answers = "further processing=y,temporary file=y,password hashes=n,crack=n,sitemap=y,skip=n" + +# Beep on question and/or when SQL injection is found. +# Valid: True or False +beep = False + +# Offline WAF/IPS/IDS payload detection testing. +# Valid: True or False +checkPayload = False + +# Clean up the DBMS from sqlmap specific UDF and tables. +# Valid: True or False +cleanup = False + +# Check for missing (non-core) sqlmap dependencies. +# Valid: True or False +dependencies = False + +# Disable console output coloring. +# Valid: True or False +disableColoring = False + +# Use Google dork results from specified page number. +# Valid: integer +# Default: 1 +googlePage = 1 + +# Make a thorough testing for a WAF/IPS/IDS protection. +# Valid: True or False +identifyWaf = False + +# Imitate smartphone through HTTP User-Agent header. +# Valid: True or False +mobile = False + +# Work in offline mode (only use session data) +# Valid: True or False +offline = False + +# Skip heuristic detection of WAF/IPS/IDS protection. +# Valid: True or False +skipWaf = False + +# Conduct thorough tests only if positive heuristic(s). +# Valid: True or False +smart = False + +# Local directory for storing temporary files. +tmpDir = + +# Web server document root directory (e.g. "/var/www"). +webRoot = + +# Simple wizard interface for beginner users. +# Valid: True or False +wizard = False + +# Verbosity level. 
+# Valid: integer between 0 and 6 +# 0: Show only error and critical messages +# 1: Show also warning and info messages +# 2: Show also debug messages +# 3: Show also payloads injected +# 4: Show also HTTP requests +# 5: Show also HTTP responses' headers +# 6: Show also HTTP responses' page content +# Default: 1 +verbose = 1 diff --git a/mysql.conf b/mysql.conf new file mode 100644 index 00000000000..9103eb9d900 --- /dev/null +++ b/mysql.conf 
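Review bot: This checked-in template combines `risk = 3`, `batch = True` and a pre-filled `answers` list, which means OR-based boolean payloads (the file's own comment marks these as risk 3) are fired with every confirmation prompt auto-answered; if the injection point sits in an UPDATE or DELETE statement those payloads can alter or wipe table rows with no chance to stop. For a default config I would ship `risk = 1` and `batch = False`, with a comment that risk 3 is opt-in per engagement. Separately, the `answers` value is written with surrounding double quotes; configparser keeps quotes as part of the value, so unless sqlmap strips them the first question key becomes `"further processing` and never matches — write `answers = further processing=y,temporary file=y,password hashes=n,crack=n,sitemap=y,skip=n`. `timeSec = 3`, below the documented default of 5, also invites false positives for time-based tests over a slow link and deserves a comment if deliberate.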
@@ -0,0 +1,813 @@ +# At least one of these options has to be specified to set the source to +# get target URLs from. +[Target] + +# Direct connection to the database. +# Examples: +# mysql://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME +# oracle://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_SID +direct = + +# Target URL. +# Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2 +url = + +# Parse targets from Burp or WebScarab logs +# Valid: Burp proxy (http://portswigger.net/suite/) requests log file path +# or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project) +# 'conversations/' folder path +logFile = + +# Scan multiple targets enlisted in a given textual file +bulkFile = + +# Load HTTP request from a file +# Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&password=guessme +requestFile = + +# Rather than providing a target URL, let Google return target +# hosts as result of your Google dork expression. For a list of Google +# dorks see Johnny Long Google Hacking Database at +# http://johnny.ihackstuff.com/ghdb.php. +# Example: +ext:php +inurl:"&id=" +intext:"powered by " +googleDork = + +# Parse target(s) from remote sitemap(.xml) file. +# Example: http://192.168.1.121/sitemap.xml +sitemapUrl = + + +# These options can be used to specify how to connect to the target URL. +[Request] + +# Force usage of given HTTP method (e.g. PUT). +method = + +# Data string to be sent through POST. +data = + +# Character used for splitting parameter values. +paramDel = + +# HTTP Cookie header value. +cookie = + +# Character used for splitting cookie values. +cookieDel = + +# File containing cookies in Netscape/wget format. +loadCookies = + +# Ignore Set-Cookie header from response. +# Valid: True or False +dropSetCookie = False + +# HTTP User-Agent header value. Useful to fake the HTTP User-Agent header value +# at each HTTP request. 
+# sqlmap will also test for SQL injection on the HTTP User-Agent value. +agent = + +# Use randomly selected HTTP User-Agent header value. +# Valid: True or False +randomAgent = True + +# HTTP Host header value. +host = + +# HTTP Referer header. Useful to fake the HTTP Referer header value at +# each HTTP request. +referer = + +# Extra HTTP headers +headers = Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Language: en-us,en;q=0.5 + Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 + +# HTTP Authentication type. Useful only if the target URL requires +# HTTP Basic, Digest or NTLM authentication and you have such data. +# Valid: Basic, Digest, NTLM or PKI +authType = + +# HTTP authentication credentials. Useful only if the target URL requires +# HTTP Basic, Digest or NTLM authentication and you have such data. +# Syntax: username:password +authCred = + +# HTTP Authentication PEM private/cert key file. Useful only if the target URL requires +# PKI authentication and you have such data. +# Syntax: key_file +authFile = + +# Ignore HTTP Error 401 (Unauthorized). +# Valid: True or False +ignore401 = False + +# Ignore system default proxy settings. +# Valid: True or False +ignoreProxy = False + +# Ignore redirection attempts. +# Valid: True or False +ignoreRedirects = False + +# Ignore connection timeouts. +# Valid: True or False +ignoreTimeouts = False + +# Use a proxy to connect to the target URL. +# Syntax: (http|https|socks4|socks5)://address:port +proxy = + +# Proxy authentication credentials. Useful only if the proxy requires +# Basic or Digest authentication and you have such data. +# Syntax: username:password +proxyCred = + +# Load proxy list from a file +proxyFile = + +# Use Tor anonymity network. +# Valid: True or False +tor = False + +# Set Tor proxy port other than default. +# Valid: integer +# torPort = + +# Set Tor proxy type. 
+# Valid: HTTP, SOCKS4, SOCKS5 +torType = SOCKS5 + +# Check to see if Tor is used properly. +# Valid: True or False +checkTor = False + +# Delay in seconds between each HTTP request. +# Valid: float +# Default: 0 +delay = 0 + +# Seconds to wait before timeout connection. +# Valid: float +# Default: 30 +timeout = 30 + +# Maximum number of retries when the HTTP connection timeouts. +# Valid: integer +# Default: 3 +retries = 3 + +# Randomly change value for the given parameter. +rParam = + +# URL address to visit frequently during testing. +# Example: http://192.168.1.121/index.html +safeUrl = + +# POST data to send to a safe URL. +# Example: username=admin&password=passw0rd! +safePost = + +# Load safe HTTP request from a file. +safeReqFile = + +# Test requests between two visits to a given safe URL (default 0). +# Valid: integer +# Default: 0 +safeFreq = 0 + +# Skip URL encoding of payload data +# Valid: True or False +skipUrlEncode = False + +# Parameter used to hold anti-CSRF token +csrfToken = + +# URL address to visit to extract anti-CSRF token +csrfUrl = + +# Force usage of SSL/HTTPS +# Valid: True or False +forceSSL = False + +# Use HTTP parameter pollution. +# Valid: True or False +hpp = False + +# Evaluate provided Python code before the request. +# Example: import hashlib;id2=hashlib.md5(id).hexdigest() +evalCode = + +# These options can be used to optimize the performance of sqlmap. +[Optimization] + +# Use all optimization options. +# Valid: True or False +optimize = True + +# Predict common queries output. +# Valid: True or False +predictOutput = False + +# Use persistent HTTP(s) connections. +keepAlive = True + +# Retrieve page length without actual HTTP response body. +# Valid: True or False +nullConnection = False + +# Maximum number of concurrent HTTP(s) requests (handled with Python threads) +# to be used in the inference SQL injection attack. 
+# Valid: integer +# Default: 1 +threads = 3 + + +# These options can be used to specify which parameters to test for, +# provide custom injection payloads and optional tampering scripts. +[Injection] + +# Testable parameter(s) comma separated. By default all GET/POST/Cookie +# parameters and HTTP User-Agent are tested by sqlmap. +testParameter = + +# Skip testing for given parameter(s). +skip = + +# Skip testing parameters that not appear to be dynamic. +# Valid: True or False +skipStatic = False + +# Regexp to exclude parameters from testing (e.g. "ses"). +paramExclude = + +# Force back-end DBMS to this value. If this option is set, the back-end +# DBMS identification process will be minimized as needed. +# If not set, sqlmap will detect back-end DBMS automatically by default. +# Valid: mssql, mysql, mysql 4, mysql 5, oracle, pgsql, sqlite, sqlite3, +# access, firebird, maxdb, sybase +dbms = mysql + +# DBMS authentication credentials (user:password). Useful if you want to +# run SQL statements as another user, the back-end database management +# system is PostgreSQL or Microsoft SQL Server and the parameter is +# vulnerable by stacked queries SQL injection or you are connecting directly +# to the DBMS (-d switch). +# Syntax: username:password +dbmsCred = + +# Force back-end DBMS operating system to this value. If this option is +# set, the back-end DBMS identification process will be minimized as +# needed. +# If not set, sqlmap will detect back-end DBMS operating system +# automatically by default. +# Valid: linux, windows +os = + +# Use big numbers for invalidating values. +# Valid: True or False +invalidBignum = False + +# Use logical operations for invalidating values. +# Valid: True or False +invalidLogical = False + +# Use random strings for invalidating values. 
+# Valid: True or False
+invalidString = False
+
+# Turn off payload casting mechanism
+# Valid: True or False
+noCast = False
+
+# Turn off string escaping mechanism
+# Valid: True or False
+noEscape = False
+
+# Injection payload prefix string.
+prefix =
+
+# Injection payload suffix string.
+suffix =
+
+# Use given script(s) for tampering injection data.
+tamper = xforwardedfor,space2comment
+
+
+# These options can be used to specify how to parse and compare page
+# content from HTTP responses when using blind SQL injection technique.
+[Detection]
+
+# Level of tests to perform.
+# The higher the value is, the higher the number of HTTP(s) requests are
+# as well as the better chances to detect a tricky SQL injection.
+# Valid: Integer between 1 and 5
+# Default: 1
+level = 1
+
+# Risk of tests to perform.
+# Note: boolean-based blind SQL injection tests with AND are considered
+# risk 1, with OR are considered risk 3.
+# Valid: Integer between 1 and 3
+# Default: 1
+risk = 3
+
+# String to match within the raw response when the query is evaluated to
+# True, only needed if the page content dynamically changes at each refresh.
+# Refer to the user's manual for further details.
+string =
+
+# String to match within the raw response when the query is evaluated to
+# False, only needed if the page content dynamically changes at each refresh.
+# Refer to the user's manual for further details.
+notString =
+
+# Regular expression to match within the raw response when the query is
+# evaluated to True, only needed if the needed if the page content
+# dynamically changes at each refresh.
+# Refer to the user's manual for further details.
+# Valid: regular expression with Python syntax
+# (http://www.python.org/doc/2.5.2/lib/re-syntax.html)
+regexp =
+
+# HTTP response code to match when the query is True.
+# Valid: Integer
+# Example: 200 (assuming any False statement returns a different response
+# code)
+# code =
+
+# Compare pages based only on the textual content.
+# Valid: True or False
+textOnly = False
+
+# Compare pages based only on their titles.
+# Valid: True or False
+titles = False
+
+
+# These options can be used to tweak testing of specific SQL injection
+# techniques.
+[Techniques]
+
+# SQL injection techniques to use.
+# Valid: a string composed by B, E, U, S, T and Q where:
+# B: Boolean-based blind SQL injection
+# E: Error-based SQL injection
+# U: UNION query SQL injection
+# S: Stacked queries SQL injection
+# T: Time-based blind SQL injection
+# Q: Inline SQL injection
+# Example: ES (means test for error-based and stacked queries SQL
+# injection types only)
+# Default: BEUSTQ (means test for all SQL injection types - recommended)
+tech = BEUSTQ
+
+# Seconds to delay the response from the DBMS.
+# Valid: integer
+# Default: 5
+timeSec = 3
+
+# Range of columns to test for
+# Valid: range of integers
+# Example: 1-10
+uCols =
+
+# Character to use for bruteforcing number of columns
+# Valid: string
+# Example: NULL
+uChar =
+
+# Table to use in FROM part of UNION query SQL injection
+# Valid: string
+# Example: INFORMATION_SCHEMA.COLLATIONS
+uFrom =
+
+# Domain name used for DNS exfiltration attack
+# Valid: string
+dnsDomain =
+
+# Resulting page URL searched for second-order response
+# Valid: string
+secondOrder =
+
+
+[Fingerprint]
+
+# Perform an extensive back-end database management system fingerprint
+# based on various techniques.
+# Valid: True or False
+extensiveFp = False
+
+
+# These options can be used to enumerate the back-end database
+# management system information, structure and data contained in the
+# tables. Moreover you can run your own SQL statements.
+[Enumeration]
+
+# Retrieve everything
+# Valid: True or False
+getAll = False
+
+# Retrieve back-end database management system banner.
+# Valid: True or False
+getBanner = False
+
+# Retrieve back-end database management system current user.
+# Valid: True or False
+getCurrentUser = False
+
+# Retrieve back-end database management system current database.
+# Valid: True or False
+getCurrentDb = False
+
+# Retrieve back-end database management system server hostname.
+# Valid: True or False
+getHostname = False
+
+# Detect if the DBMS current user is DBA.
+# Valid: True or False
+isDba = False
+
+# Enumerate back-end database management system users.
+# Valid: True or False
+getUsers = False
+
+# Enumerate back-end database management system users password hashes.
+# Valid: True or False
+getPasswordHashes = False
+
+# Enumerate back-end database management system users privileges.
+# Valid: True or False
+getPrivileges = False
+
+# Enumerate back-end database management system users roles.
+# Valid: True or False
+getRoles = False
+
+# Enumerate back-end database management system databases.
+# Valid: True or False
+getDbs = False
+
+# Enumerate back-end database management system database tables.
+# Optional: db
+# Valid: True or False
+getTables = False
+
+# Enumerate back-end database management system database table columns.
+# Optional: db, tbl, col
+# Valid: True or False
+getColumns = False
+
+# Enumerate back-end database management system schema.
+# Valid: True or False
+getSchema = False
+
+# Retrieve number of entries for table(s).
+# Valid: True or False
+getCount = False
+
+# Dump back-end database management system database table entries.
+# Requires: tbl and/or col
+# Optional: db
+# Valid: True or False
+dumpTable = False
+
+# Dump all back-end database management system databases tables entries.
+# Valid: True or False
+dumpAll = False
+
+# Search column(s), table(s) and/or database name(s).
+# Requires: db, tbl or col
+# Valid: True or False
+search = False
+
+# Retrieve back-end database management system comments.
+# Valid: True or False
+getComments = False
+
+# Back-end database management system database to enumerate.
+db =
+
+# Back-end database management system database table(s) to enumerate.
+tbl =
+
+# Back-end database management system database table column(s) to enumerate.
+col =
+
+# Back-end database management system database table column(s) to not enumerate.
+excludeCol =
+
+# Pivot column name.
+pivotColumn =
+
+# Use WHERE condition while table dumping (e.g. "id=1").
+dumpWhere =
+
+# Back-end database management system database user to enumerate.
+user =
+
+# Exclude DBMS system databases when enumerating tables.
+# Valid: True or False
+excludeSysDbs = True
+
+# First query output entry to retrieve
+# Valid: integer
+# Default: 0 (sqlmap will start to retrieve the query output entries from
+# the first)
+limitStart = 0
+
+# Last query output entry to retrieve
+# Valid: integer
+# Default: 0 (sqlmap will detect the number of query output entries and
+# retrieve them until the last)
+limitStop = 0
+
+# First query output word character to retrieve
+# Valid: integer
+# Default: 0 (sqlmap will enumerate the query output from the first
+# character)
+firstChar = 0
+
+# Last query output word character to retrieve
+# Valid: integer
+# Default: 0 (sqlmap will enumerate the query output until the last
+# character)
+lastChar = 0
+
+# SQL statement to be executed.
+# Example: SELECT 'foo', 'bar'
+query =
+
+# Prompt for an interactive SQL shell.
+# Valid: True or False
+sqlShell = False
+
+# Execute SQL statements from given file(s).
+sqlFile =
+
+
+# These options can be used to run brute force checks.
+[Brute force]
+
+# Check existence of common tables.
+# Valid: True or False
+commonTables = False
+
+# Check existence of common columns.
+# Valid: True or False
+commonColumns = False
+
+
+# These options can be used to create custom user-defined functions.
+[User-defined function]
+
+# Inject custom user-defined functions
+# Valid: True or False
+udfInject = False
+
+# Local path of the shared library
+shLib =
+
+
+# These options can be used to access the back-end database management
+# system underlying file system.
+[File system]
+
+# Read a specific file from the back-end DBMS underlying file system.
+# Examples: /etc/passwd or C:\boot.ini
+rFile =
+
+# Write a local file to a specific path on the back-end DBMS underlying
+# file system.
+# Example: /tmp/sqlmap.txt or C:\WINNT\Temp\sqlmap.txt
+wFile =
+
+# Back-end DBMS absolute filepath to write the file to.
+dFile =
+
+
+# These options can be used to access the back-end database management
+# system underlying operating system.
+[Takeover]
+
+# Execute an operating system command.
+# Valid: operating system command
+osCmd =
+
+# Prompt for an interactive operating system shell.
+# Valid: True or False
+osShell = False
+
+# Prompt for an out-of-band shell, Meterpreter or VNC.
+# Valid: True or False
+osPwn = False
+
+# One click prompt for an out-of-band shell, Meterpreter or VNC.
+# Valid: True or False
+osSmb = False
+
+# Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored
+# procedure heap-based buffer overflow (MS09-004) exploitation.
+# Valid: True or False
+osBof = False
+
+# Database process' user privilege escalation.
+# Note: Use in conjunction with osPwn, osSmb or osBof. It will force the
+# payload to be Meterpreter.
+privEsc = False
+
+# Local path where Metasploit Framework is installed.
+# Valid: file system path
+msfPath = /usr/local/share/metasploit-framework
+
+# Remote absolute path of temporary files directory.
+# Valid: absolute file system path
+tmpPath =
+
+
+# These options can be used to access the back-end database management
+# system Windows registry.
+[Windows]
+
+# Read a Windows registry key value.
+# Valid: True or False
+regRead = False
+
+# Write a Windows registry key value data.
+# Valid: True or False
+regAdd = False
+
+# Delete a Windows registry key value.
+# Valid: True or False
+regDel = False
+
+# Windows registry key.
+regKey =
+
+# Windows registry key value.
+regVal =
+
+# Windows registry key value data.
+regData =
+
+# Windows registry key value type.
+regType =
+
+
+# These options can be used to set some general working parameters.
+[General]
+
+# Load session from a stored (.sqlite) file
+# Example: output/www.target.com/session.sqlite
+sessionFile =
+
+# Log all HTTP traffic into a textual file.
+trafficFile =
+
+# Never ask for user input, use the default behaviour.
+# Valid: True or False
+batch = True
+
+# Result fields having binary values (e.g. "digest").
+binaryFields =
+
+# Force character encoding used for data retrieval.
+charset =
+
+# Check Internet connection before assessing the target.
+checkInternet = False
+
+# Crawl the website starting from the target URL.
+# Valid: integer
+# Default: 0
+crawlDepth = 0
+
+# Regexp to exclude pages from crawling (e.g. "logout").
+crawlExclude =
+
+# Delimiting character used in CSV output.
+# Default: ,
+csvDel = ,
+
+# Format of dumped data
+# Valid: CSV, HTML or SQLITE
+dumpFormat = SQLITE
+
+# Retrieve each query output length and calculate the estimated time of
+# arrival in real time.
+# Valid: True or False
+eta = False
+
+# Flush session files for current target.
+# Valid: True or False
+flushSession = False
+
+# Parse and test forms on target URL.
+# Valid: True or False
+forms = False
+
+# Ignore query results stored in session file.
+# Valid: True or False
+freshQueries = False
+
+# Use DBMS hex function(s) for data retrieval.
+# Valid: True or False
+hexConvert = False
+
+# Custom output directory path.
+outputDir =
+
+# Parse and display DBMS error messages from responses.
+# Valid: True or False
+parseErrors = True
+
+# Regular expression for filtering targets from provided Burp.
+# or WebScarab proxy log.
+# Example: (google|yahoo)
+scope =
+
+# Select tests by payloads and/or titles (e.g. ROW)
+testFilter =
+
+# Skip tests by payloads and/or titles (e.g. BENCHMARK)
+testSkip =
+
+# Update sqlmap.
+# Valid: True or False
+updateAll = False
+
+
+[Miscellaneous]
+
+# Run host OS command(s) when SQL injection is found.
+alert =
+
+# Set question answers (e.g. "quit=N,follow=N").
+answers = "further processing=y,temporary file=y,password hashes=n,crack=n,sitemap=y,skip=n"
+
+# Beep on question and/or when SQL injection is found.
+# Valid: True or False
+beep = False
+
+# Offline WAF/IPS/IDS payload detection testing.
+# Valid: True or False
+checkPayload = False
+
+# Clean up the DBMS from sqlmap specific UDF and tables.
+# Valid: True or False
+cleanup = False
+
+# Check for missing (non-core) sqlmap dependencies.
+# Valid: True or False
+dependencies = False
+
+# Disable console output coloring.
+# Valid: True or False
+disableColoring = False
+
+# Use Google dork results from specified page number.
+# Valid: integer
+# Default: 1
+googlePage = 1
+
+# Make a thorough testing for a WAF/IPS/IDS protection.
+# Valid: True or False
+identifyWaf = False
+
+# Imitate smartphone through HTTP User-Agent header.
+# Valid: True or False
+mobile = False
+
+# Work in offline mode (only use session data)
+# Valid: True or False
+offline = False
+
+# Skip heuristic detection of WAF/IPS/IDS protection.
+# Valid: True or False
+skipWaf = False
+
+# Conduct thorough tests only if positive heuristic(s).
+# Valid: True or False
+smart = False
+
+# Local directory for storing temporary files.
+tmpDir =
+
+# Web server document root directory (e.g. "/var/www").
+webRoot =
+
+# Simple wizard interface for beginner users.
+# Valid: True or False
+wizard = False
+
+# Verbosity level.
+# Valid: integer between 0 and 6
+# 0: Show only error and critical messages
+# 1: Show also warning and info messages
+# 2: Show also debug messages
+# 3: Show also payloads injected
+# 4: Show also HTTP requests
+# 5: Show also HTTP responses' headers
+# 6: Show also HTTP responses' page content
+# Default: 1
+verbose = 1
diff --git a/sqlmap.conf b/sqlmap.conf
index 9504b7b4632..07eced662a2 100644
--- a/sqlmap.conf
+++ b/sqlmap.conf
@@ -72,7 +72,7 @@ mobile = False
 # Use randomly selected HTTP User-Agent header value.
 # Valid: True or False
-randomAgent = False
+randomAgent = True
 # HTTP Host header value.
 host =
@@ -219,14 +219,14 @@ evalCode =
 # Use all optimization options.
 # Valid: True or False
-optimize = False
+optimize = True
 # Predict common queries output.
 # Valid: True or False
 predictOutput = False
 # Use persistent HTTP(s) connections.
-keepAlive = False
+keepAlive = True
 # Retrieve page length without actual HTTP response body.
 # Valid: True or False
@@ -236,7 +236,7 @@ nullConnection = False
 # to be used in the inference SQL injection attack.
 # Valid: integer
 # Default: 1
-threads = 1
+threads = 3
 # These options can be used to specify which parameters to test for,
@@ -310,7 +310,7 @@ prefix =
 suffix =
 # Use given script(s) for tampering injection data.
-tamper =
+tamper = xforwardedfor
 # These options can be used to specify how to parse and compare page
@@ -329,7 +329,7 @@ level = 1
 # risk 1, with OR are considered risk 3.
 # Valid: Integer between 1 and 3
 # Default: 1
-risk = 1
+risk = 3
 # String to match within the raw response when the query is evaluated to
 # True, only needed if the page content dynamically changes at each refresh.
@@ -388,7 +388,7 @@ technique = BEUSTQ
 # Seconds to delay the response from the DBMS.
 # Valid: integer
 # Default: 5
-timeSec = 5
+timeSec = 3
 # Range of columns to test for.
 # Valid: range of integers
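Review bot: The retained comment two lines above `threads = 3` still reads `# Default: 1`, so the shipped file now contradicts its own documentation; the same stale `# Default:` comments remain above `risk = 3` (hunk -329) and `timeSec = 3` (hunk -388). Either update those comments to the new values or, if these are personal tuning rather than project defaults, move them to a separate profile and leave sqlmap.conf at the documented defaults. A higher default thread count also multiplies the request volume sent to every target, so `threads = 1` is the safer value to commit here.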
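Review bot: Committing `risk = 3` as the project-wide value enables the OR-based boolean tests that the retained comment above it classifies as risk 3; inside an UPDATE or DELETE statement such a condition can match every row, so this should not be a silent default. With `batch = True` (hunk -711) there is no interactive prompt left to catch it. Keep `risk = 1` here and raise it per engagement with `--risk 3`, or at least document the consequence next to the setting: `# Note: 3 enables OR-based payloads, which can modify data in UPDATE/DELETE contexts.`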
@@ -539,7 +539,7 @@ user =
 # Exclude DBMS system databases when enumerating tables.
 # Valid: True or False
-excludeSysDbs = False
+excludeSysDbs = True
 # First query output entry to retrieve
 # Valid: integer
@@ -653,7 +653,7 @@ privEsc = False
 # Local path where Metasploit Framework is installed.
 # Valid: file system path
-msfPath =
+msfPath = /usr/local/share/metasploit-framework
 # Remote absolute path of temporary files directory.
 # Valid: absolute file system path
@@ -700,7 +700,7 @@ sessionFile =
 trafficFile =
 # Set predefined answers (e.g. "quit=N,follow=N").
-answers =
+answers = "further processing=y,temporary file=y,password hashes=n,crack=n,sitemap=y,skip=n"
 # Parameter(s) containing Base64 encoded data
 base64Parameter =
@@ -711,7 +711,7 @@ base64Safe = False
 # Never ask for user input, use the default behaviour.
 # Valid: True or False
-batch = False
+batch = True
 # Result fields having binary values (e.g. "digest").
 binaryFields =
@@ -737,7 +737,7 @@ csvDel = ,
 # Format of dumped data
 # Valid: CSV, HTML or SQLITE
-dumpFormat = CSV
+dumpFormat = SQLITE
 # Force character encoding used for data retrieval.
 encoding =
@@ -773,7 +773,7 @@ outputDir =
 # Parse and display DBMS error messages from responses.
 # Valid: True or False
-parseErrors = False
+parseErrors = True
 # Use given script(s) for preprocessing of request.
 preprocess =
diff --git a/sqlmap.py b/sqlmap.py
index 81cedef845e..2646a7b67dc 100755
--- a/sqlmap.py
+++ b/sqlmap.py
@@ -165,7 +165,7 @@ def main():
 setRestAPILog()
 conf.showTime = True
- dataToStdout("[!] legal disclaimer: %s\n\n" % LEGAL_DISCLAIMER, forceOutput=True)
+ # dataToStdout("[!] legal disclaimer: %s\n\n" % LEGAL_DISCLAIMER, forceOutput=True)
 dataToStdout("[*] starting @ %s\n\n" % time.strftime("%X /%Y-%m-%d/"), forceOutput=True)
 init()
diff --git a/tamper/incapsula.py b/tamper/incapsula.py
new file mode 100644
index 00000000000..09fec815e9e
--- /dev/null
+++ b/tamper/incapsula.py
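Review bot: `msfPath = /usr/local/share/metasploit-framework` hard-codes one machine's install location into the shared configuration, so on any other host the takeover options that depend on Metasploit will point at a directory that does not exist. Leave the value empty in sqlmap.conf and set it in a local profile or on the command line, or keep it only as a commented example: `# msfPath = /usr/local/share/metasploit-framework`.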
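Review bot: The new `answers` value is wrapped in double quotes, unlike every other string option in this file (`csvDel = ,`, `msfPath = ...`); unless the config loader strips them, the first and last entries become `"further processing=y` and `skip=n"`, which will never match a prompt. Drop the quotes: `answers = further processing=y,temporary file=y,password hashes=n,crack=n,sitemap=y,skip=n`. Because `batch = True` (hunk -711) makes unmatched questions fall back to the default behaviour, a mismatch here would go unnoticed at run time.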
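Review bot: The disclaimer call is commented out rather than removed, leaving dead code in `main()`; if the intent is to suppress that output, delete the line (and the `LEGAL_DISCLAIMER` import, if nothing else in the file still uses it) or gate the call behind an option instead of keeping a commented copy. `main()` begins and ends outside this hunk.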
@@ -0,0 +1,42 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.LOW
+
+def dependencies():
+ pass
+
+def tamper(payload, **kwargs):
+ """
+ Escapes forward slash character '/' with '\/'
+
+ Tested against:
+
+ Notes:
+ * Useful to bypass Incapsula application firewall
+
+ >>> tamper('cat /etc/passwd')
+ 'cat%20\/etc\/passwd'
+ """
+ retVal = payload
+
+ if payload:
+ retVal = ""
+ i = 0
+
+ while i < len(payload):
+ if payload[i] == '/':
+ retVal += "\/"
+ elif payload[i] == ' ' or payload[i] == '+':
+ retVal += "%%%.2X" % ord(payload[i])
+ else:
+ retVal += payload[i]
+ i += 1
+
+ return retVal
diff --git a/tamper/mariacomment.py b/tamper/mariacomment.py
new file mode 100644
index 00000000000..f1eb55d5983
--- /dev/null
+++ b/tamper/mariacomment.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.common import randomInt
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.HIGHER
+
+def dependencies():
+ pass
+
+def tamper(payload, **kwargs):
+ """
+ Embraces complete query in executable comment
+
+ Requirement:
+ * Maria DB
+
+ Tested against:
+ * Maria DB 5.5.5
+
+ Notes:
+ * Useful for exploiting Maria DB perhaps?
+
+ >>> import random
+ >>> random.seed(0)
+ >>> tamper('1 AND 2>1--')
+ '1 /*M!30874AND 2>1*/--'
+ """
+
+ retVal = payload
+
+ if payload:
+ postfix = ''
+ for comment in ('#', '--', '/*'):
+ if comment in payload:
+ postfix = payload[payload.find(comment):]
+ payload = payload[:payload.find(comment)]
+ break
+ if ' ' in payload:
+ retVal = "%s /*M!50101 %s*/%s" % (payload[:payload.find(' ')], payload[payload.find(' ') + 1:], postfix)
+
+ return retVal
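Review bot: The doctest in `tamper()` cannot pass: `"\/"` is not a recognised escape, so the result holds a literal backslash and its repr is `'cat%20\\/etc\\/passwd'`, not the `'cat%20\/etc\/passwd'` the docstring expects. Write the literal as `r"\/"` and the expected line as `'cat%20\\\\/etc\\\\/passwd'` (or make the docstring raw and use `'cat%20\\/etc\\/passwd'`). The summary line also omits that spaces and `+` are percent-encoded, and the `Tested against:` section is empty; iterating `for char in payload:` would replace the manual index loop and its `i += 1` bookkeeping.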
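Review bot: The doctest expects `'1 /*M!30874AND 2>1*/--'` but the format string `"%s /*M!50101 %s*/%s"` produces `'1 /*M!50101 AND 2>1*/--'` (different version number and an extra space), so the example fails. The `randomInt` import and the `>>> import random` / `>>> random.seed(0)` lines are unused leftovers, since nothing in `tamper()` is random; remove them and correct the expected line. The `Notes:` entry `Useful for exploiting Maria DB perhaps?` should state what the script does — it wraps everything after the first space in a MariaDB-only executable comment and re-appends any trailing comment — rather than speculate.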
diff --git a/tamper/space2inlinecomment.py b/tamper/space2inlinecomment.py
new file mode 100644
index 00000000000..231c177b139
--- /dev/null
+++ b/tamper/space2inlinecomment.py
@@ -0,0 +1,57 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.LOW
+
+def dependencies():
+ pass
+
+def tamper(payload, **kwargs):
+ """
+ Replaces space character (' ') with comments '/*&id=1*/ '
+
+ Tested against:
+ * Microsoft SQL Server 2005
+ * MySQL 4, 5.0 and 5.5
+ * Oracle 10g
+ * PostgreSQL 8.3, 8.4, 9.0
+
+ Notes:
+ * Useful to bypass weak and bespoke web application firewalls
+
+ >>> tamper('SELECT id FROM users')
+ 'SELECT /*&id=1*/ id /*&id=1*/ FROM /*&id=1*/ users'
+ """
+
+ retVal = payload
+
+ if payload:
+ retVal = ""
+ quote, doublequote, firstspace = False, False, False
+
+ for i in xrange(len(payload)):
+ if not firstspace:
+ if payload[i].isspace():
+ firstspace = True
+ retVal += " /*&id=1*/ "
+ continue
+
+ elif payload[i] == '\'':
+ quote = not quote
+
+ elif payload[i] == '"':
+ doublequote = not doublequote
+
+ elif payload[i] == " " and not doublequote and not quote:
+ retVal += " /*&id=1*/ "
+ continue
+
+ retVal += payload[i]
+
+ return retVal
diff --git a/tamper/space2underscore.py b/tamper/space2underscore.py
new file mode 100644
index 00000000000..c49346ffb8b
--- /dev/null
+++ b/tamper/space2underscore.py
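Review bot: The replacement literal `" /*&id=1*/ "` appears twice in `tamper()` and bakes a parameter name into the comment; hoist it to a module-level constant such as `INLINE_COMMENT = " /*&id=1*/ "` so the name can be changed in one place and the docstring example stays in step with it. The `Tested against:` list appears to be the one from the existing space2comment script (the file's other tamper in `tamper = xforwardedfor,space2comment`); if it was copied rather than verified for this comment form, trim it to what was actually tested. Note that a space inside a quoted string before the first space is still replaced, because the `elif` quote tracking only runs once `firstspace` is set — worth a one-line comment if that is intended.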
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import random
+import string
+
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.LOW
+
+def tamper(payload, **kwargs):
+ """
+ Replaces space character (' ') with a dash comment ('_') )
+ """
+
+ retVal = payload
+
+ if payload:
+ retVal = ""
+ quote, doublequote, firstspace = False, False, False
+
+ for i in xrange(len(payload)):
+ if not firstspace:
+ if payload[i].isspace():
+ firstspace = True
+ retVal += "_"
+ continue
+
+ elif payload[i] == '\'':
+ quote = not quote
+
+ elif payload[i] == '"':
+ doublequote = not doublequote
+
+ elif payload[i] == " " and not doublequote and not quote:
+ retVal += "_"
+ continue
+
+ retVal += payload[i]
+
+ return retVal
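Review bot: `import random` and `import string` are unused in this file, and the docstring `Replaces space character (' ') with a dash comment ('_') )` is inaccurate — an underscore is not a comment — and carries a stray parenthesis; `Replaces space character (' ') with underscore ('_')` describes the code. Unlike the other tamper scripts added in this commit it has no `dependencies()` function, no `Tested against:` section and no doctest; add `>>> tamper('SELECT id FROM users')` followed by `'SELECT_id_FROM_users'` so the behaviour is checked like its siblings.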