1 def start(): 2 """ 3 This function calls a function that performs checks on both URL 4 stability and all GET, POST, Cookie and User-Agent parameters to 5 check if they are dynamic and SQL injection affected 6 """ 7 if not conf.start: 8 return False 9 10 if conf.direct: 11 initTargetEnv() 12 setupTargetEnv() 13 action() 14 return True 15 16 if conf.url and not conf.forms: 17 kb.targetUrls.add(( conf.url, conf.method, conf.data, conf.cookie )) 18 19 if conf.configFile and not kb.targetUrls: 20 errMsg = "you did not edit the configuration file PRoperly, set " 21 errMsg += "the target url, list of targets or google dork" 22 logger.error(errMsg) 23 return False 24 25 if kb.targetUrls and len(kb.targetUrls) > 1: 26 infoMsg = "sqlmap got a total of %d targets" % len(kb.targetUrls) 27 logger.info(infoMsg) 28 29 hostCount = 0 30 cookieStr = "" 31 setCookieAsInjectable = True 32 33 for targetUrl, targetMethod, targetData, targetCookie in kb.targetUrls: 34 try: 35 conf.url = targetUrl 36 conf.method = targetMethod 37 conf.data = targetData 38 conf.cookie = targetCookie 39 initTargetEnv() 40 parseTargetUrl() 41 42 testSqlInj = False 43 if PLACE.GET in conf.parameters: 44 for parameter in re.findall(r"([^=]+)=[^&]+&?", conf.parameters[PLACE.GET]): 45 paramKey = (conf.hostname, conf.path, PLACE.GET, parameter) 46 if paramKey not in kb.testedParams: 47 testSqlInj = True 48 break 49 else: 50 paramKey = (conf.hostname, conf.path, None, None) 51 if paramKey not in kb.testedParams: 52 testSqlInj = True 53 54 testSqlInj &= (conf.hostname, conf.path, None, None) not in kb.testedParams 55 56 if not testSqlInj: 57 infoMsg = "sk" % targetUrl 58 logger.info(infoMsg) 59 continue 60 61 if conf.multipleTargets: 62 hostCount += 1 63 if conf.forms: 64 message = "[#%d] form:/n%s %s" % (hostCount, conf.method or HTTPMETHOD.GET, targetUrl) 65 else: 66 message = "url %d:/n%s %s%s" % (hostCount, conf.method or HTTPMETHOD.GET, targetUrl, " (PageRank: %s)" % get_pagerank(targetUrl) if conf.googleDork and conf.pageRank else "") 67 68 if conf.cookie: 69 message += "/nCookie: %s" % conf.cookie 70 71 if conf.data: 72 message += "/nPOST data: %s" % urlencode(conf.data) if conf.data else "" 73 74 if conf.forms: 75 if conf.method == HTTPMETHOD.GET and targetUrl.find("?") == -1: 76 continue 77 78 message += "/ndo you want to test this form? [Y/n/q] " 79 test = readInput(message, default="Y") 80 81 if not test or test[0] in ("y", "Y"): 82 if conf.method == HTTPMETHOD.POST: 83 message = "Edit POST data [default: %s]%s: " % (urlencode(conf.data) if conf.data else "None", " (Warning: blank fields detected)" if conf.data and extractRegexResult(EMPTY_FORM_FIELDS_REGEX, conf.data) else "") 84 conf.data = readInput(message, default=conf.data) 85 if extractRegexResult(EMPTY_FORM_FIELDS_REGEX, conf.data): 86 message = "do you want to fill blank fields with random values? [Y/n] " 87 test = readInput(message, default="Y") 88 if not test or test[0] in ("y", "Y"): 89 while extractRegexResult(EMPTY_FORM_FIELDS_REGEX, conf.data): 90 item = extractRegexResult(EMPTY_FORM_FIELDS_REGEX, conf.data) 91 if item[-1] == '&': 92 conf.data = conf.data.replace(item, "%s%s&" % (item[:-1], randomStr())) 93 else: 94 conf.data = conf.data.replace(item, "%s%s" % (item, randomStr())) 95 conf.data = urldecode(conf.data) 96 97 elif conf.method == HTTPMETHOD.GET: 98 if conf.url.find("?") > -1: 99 firstPart = conf.url[:conf.url.find("?")]100 secondPart = conf.url[conf.url.find("?")+1:]101 message = "Edit GET data [default: %s]: " % secondPart102 test = readInput(message, default=secondPart)103 conf.url = "%s?%s" % (firstPart, test)104 105 elif test[0] in ("n", "N"):106 continue107 elif test[0] in ("q", "Q"):108 break109 110 elif conf.realTest:111 logger.info(message)112 else:113 message += "/ndo you want to test this url? [Y/n/q]"114 test = readInput(message, default="Y")115 116 if not test or test[0] in ("y", "Y"):117 pass118 elif test[0] in ("n", "N"):119 continue120 elif test[0] in ("q", "Q"):121 break122 123 logMsg = "testing url %s" % targetUrl124 logger.info(logMsg)125 126 setupTargetEnv()127 if not checkConnection(suppressOutput = conf.forms) or not checkString() or not checkRegexp():128 continue129 130 if conf.nullConnection:131 checkNullConnection()132 133 if not conf.dropSetCookie and conf.cj:134 for _, cookie in enumerate(conf.cj):135 cookie = getUnicode(cookie)136 index = cookie.index(" for ")137 138 cookieStr += "%s;" % cookie[8:index]139 140 if cookieStr:141 cookieStr = cookieStr[:-1]142 143 if PLACE.COOKIE in conf.parameters:144 message = "you provided an HTTP Cookie header value. "145 message += "The target url provided its own Cookie within "146 message += "the HTTP Set-Cookie header. Do you want to "147 message += "continue using the HTTP Cookie values that "148 message += "you provided? [Y/n] "149 test = readInput(message, default="Y")150 151 if not test or test[0] in ("y", "Y"):152 setCookieAsInjectable = False153 154 if setCookieAsInjectable:155 conf.httpHeaders.append(("Cookie", cookieStr))156 conf.parameters[PLACE.COOKIE] = cookieStr157 __paramDict = paramToDict(PLACE.COOKIE, cookieStr)158 159 if __paramDict:160 conf.paramDict[PLACE.COOKIE] = __paramDict161 # TODO: consider the following line in __setRequestParams()162 # __testableParameters = True163 164 if (len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None)) /165 and (kb.injection.place is None or kb.injection.parameter is None):166 if not conf.string and not conf.regexp:167 # NOTE: this is not needed anymore, leaving only to display168 # a warning message to the user in case the page is not stable169 checkStability()170 171 # Do a little prioritization reorder of a testable parameter list 172 parameters = conf.parameters.keys()173 174 # Order of testing list (last to first)175 orderList = (PLACE.URI, PLACE.GET, PLACE.POST)176 177 for place in orderList:178 if place in parameters:179 parameters.remove(place)180 parameters.insert(0, place)181 182 proceed = True183 184 for place in parameters:185 # Test User-Agent and Referer headers only if186 # --level >= 3187 skip = (place == PLACE.UA and conf.level < 3)188 skip |= (place == PLACE.REFERER and conf.level < 3)189 190 # Test Cookie header only if --level >= 2191 skip |= (place == PLACE.COOKIE and conf.level < 2)192 193 skip &= not (place == PLACE.UA and intersect(USER_AGENT_ALIASES, conf.testParameter))194 skip &= not (place == PLACE.REFERER and intersect(REFERER_ALIASES, conf.testParameter))195 196 if skip:197 continue198 199 if not conf.paramDict.has_key(place):200 continue201 202 paramDict = conf.paramDict[place]203 for parameter, value in paramDict.items():204 if not proceed:205 break206 207 testSqlInj = True208 209 paramKey = (conf.hostname, conf.path, place, parameter)210 211 if paramKey in kb.testedParams:212 testSqlInj = False213 214 infoMsg = "skipping previously processed %s parameter '%s'" % (place, parameter)215 logger.info(infoMsg)216 217 # Avoid dinamicity test if the user provided the218 # parameter manually219 elif parameter in conf.testParameter or conf.realTest:220 pass221 222 elif not checkDynParam(place, parameter, value):223 warnMsg = "%s parameter '%s' is not dynamic" % (place, parameter)224 logger.warn(warnMsg)225 226 else:227 logMsg = "%s parameter '%s' is dynamic" % (place, parameter)228 logger.info(logMsg)229 230 kb.testedParams.add(paramKey)231 232 if testSqlInj:233 check = heuristicCheckSqlInjection(place, parameter)234 if not check and conf.realTest and/235 not simpletonCheckSqlInjection(place, parameter, value):236 continue237 238 logMsg = "testing sql injection on %s " % place239 logMsg += "parameter '%s'" % parameter240 logger.info(logMsg)241 242 injection = checkSqlInjection(place, parameter, value)243 proceed = not kb.endDetection244 245 if injection is not None and injection.place is not None:246 kb.injections.append(injection)247 248 # In case when user wants to end detection phase (Ctrl+C)249 if not proceed:250 break251 252 msg = "%s parameter '%s' " % (injection.place, injection.parameter)253 msg += "is vulnerable. Do you want to keep testing the others? [y/N] "254 test = readInput(msg, default="N")255 256 if test[0] in ("n", "N"):257 proceed = False258 paramKey = (conf.hostname, conf.path, None, None)259 kb.testedParams.add(paramKey)260 else:261 warnMsg = "%s parameter '%s' is not " % (place, parameter)262 warnMsg += "injectable"263 logger.warn(warnMsg)264 265 if len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None):266 if not conf.realTest:267 errMsg = "all parameters are not injectable, try to "268 errMsg += "increase --level/--risk values to perform "269 errMsg += "more tests."270 271 if isinstance(conf.tech, list) and len(conf.tech) > 0:272 errMsg += " Rerun without providing the --technique switch."273 274 if not conf.textOnly and kb.originalPage:275 percent = (100.0 * len(getFilteredPageContent(kb.originalPage)) / len(kb.originalPage))276 errMsg += " Give it a go with the --text-only switch "277 errMsg += "if the target page has a low percentage of "278 errMsg += "textual content (~%.2f%% of " % percent279 errMsg += "page content is text)"280 281 raise sqlmapNotVulnerableException, errMsg282 else:283 errMsg = "it seems that all parameters are not injectable"284 raise sqlmapNotVulnerableException, errMsg285 else:286 # Flush the flag287 kb.testMode = False288 289 __saveTosessionFile()290 __showInjections()291 __selectInjection()292 293 if kb.injection.place is not None and kb.injection.parameter is not None:294 if kb.testQueryCount == 0 and conf.realTest:295 condition = False296 elif conf.multipleTargets:297 message = "do you want to exploit this SQL injection? [Y/n] "298 exploit = readInput(message, default="Y")299 300 condition = not exploit or exploit[0] in ("y", "Y")301 else:302 condition = True303 if condition:304 action()305 306 except KeyboardInterrupt:307 if conf.multipleTargets:308 warnMsg = "user aborted in multiple target mode"309 logger.warn(warnMsg)310 311 message = "do you want to skip to the next target in list? [Y/n/q]"312 test = readInput(message, default="Y")313 314 if not test or test[0] in ("y", "Y"):315 pass316 elif test[0] in ("n", "N"):317 return False318 elif test[0] in ("q", "Q"):319 raise sqlmapUserQuitException320 else:321 raise322 323 except sqlmapUserQuitException:324 raise325 326 except sqlmapSilentQuitException:327 raise328 329 except exceptionsTuple, e:330 e = getUnicode(e)331 332 if conf.multipleTargets:333 e += ", skipping to the next %s" % ("form" if conf.forms else "url")334 logger.error(e)335 else:336 logger.critical(e)337 return False338 339 finally:340 showHttpErrorCodes()341 342 if conf.loggedToOut and not conf.multipleTargets:343 logger.info("Fetched data logged to text files under '%s'" % conf.outputPath)344 345 return True
if conf.direct: initTargetEnv() setupTargetEnv() action() return True
conf.direct是通過命令行參數:"-d"指定的。
通過參數"-d"指定要連接的數據庫
eg:-d "MySQL:123123//root:@127.0.0.1:3306/security"
initTargetEnv()parseTargetUrl()initTargetEnv()函數主要就是完成全局變量conf和kb的初始化工作
parseTargetUrl()函數主要完成針對目標網址的解析工作,如獲取協議名、路徑、端口、請求參數等信息
if PLACE.GET in conf.parameters: for parameter in re.findall(r"([^=]+)=[^&]+&?", conf.parameters[PLACE.GET]): paramKey = (conf.hostname, conf.path, PLACE.GET, parameter) if paramKey not in kb.testedParams: testSqlInj = True breakelse: paramKey = (conf.hostname, conf.path, None, None) if paramKey not in kb.testedParams: testSqlInj = True
測試過的url參數信息會保存到kb.testedParams中(第230行和第259行),所以在進行test之前,會先判斷當前的url是否已經test過
如果沒test過的話,則testSqlInj = True,否則testSqlInj = False。
當testSqlInj = False的時候,就不會執行 injection = checkSqlInjection(place, parameter, value)這句代碼了。
setupTargetEnv()
該函數主要包含3個子功能:
1.創建保存目標執行結果的目錄和文件
2.將get或post發送的數據解析成字典形式,并保存到conf.paramDict中
3.讀取session文件(如果存在的話),并提起文件中的數據,保存到kb變量中
如果在命令中有提供cookie的話,就會將攻城師指定的cookie加入到http請求頭中,以便使用cookie訪問。
提取url中的參數信息,并將其傳遞給checkSqlInjection函數,checkSqlInjection函數的功能主要是檢測給定的url參數,看其是否可注入,如果可注入的話,就將payload等相關信息返回(即checkSqlInjection函數的返回值),再將其append到kb.injections中。
action()是很總要的一個函數,該函數主要根據攻城師的命令行參數選型,從而利用存在注入漏洞的url,以進一步獲取攻城師要獲取的數據。
比如:當前的數據庫用戶、枚舉數據庫的所有數據表等等
新聞熱點
疑難解答
