mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2026-07-11 19:13:12 +00:00
Merge branch 'master' into hana-pr
# Conflicts: # data/txt/sha256sums.txt # lib/core/common.py # lib/core/settings.py
This commit is contained in:
commit
1465d55a47
239 changed files with 57035 additions and 4345 deletions
|
|
@ -8,11 +8,14 @@ See the file 'LICENSE' for copying permission
|
|||
from lib.controller.handler import setHandler
|
||||
from lib.core.common import Backend
|
||||
from lib.core.common import Format
|
||||
from lib.core.common import hashDBWrite
|
||||
from lib.core.data import conf
|
||||
from lib.core.data import kb
|
||||
from lib.core.data import logger
|
||||
from lib.core.data import paths
|
||||
from lib.core.enums import CONTENT_TYPE
|
||||
from lib.core.enums import DBMS
|
||||
from lib.core.enums import HASHDB_KEYS
|
||||
from lib.core.exception import SqlmapNoneDataException
|
||||
from lib.core.exception import SqlmapUnsupportedDBMSException
|
||||
from lib.core.settings import SUPPORTED_DBMS
|
||||
|
|
@ -28,10 +31,52 @@ def action():
|
|||
if possible
|
||||
"""
|
||||
|
||||
# HTTP/2 timeless timing ('--timeless'): detection is done and the back-end DBMS is known, so engage
|
||||
# the oracle for this target's extraction (swaps the time-based vector for a tuned heavy one, so all
|
||||
# subsequent extraction reads bits by response order instead of delay). Guarded + calibrated - a no-op
|
||||
# unless '--timeless' is set and the target is usable; disengage() first clears any prior target's.
|
||||
from lib.request import timeless
|
||||
timeless.disengage()
|
||||
if not timeless.autoEngage(): # engages if '--timeless' was given and the target is usable
|
||||
timeless.hintTimeless() # otherwise nudge the user toward '--timeless' if the target fits
|
||||
|
||||
# First of all we have to identify the back-end database management
|
||||
# system to be able to go ahead with the injection
|
||||
# automatic WAF-bypass: if a WAF/IPS is present and the back-end DBMS is already indicated by the error
|
||||
# page or the heuristic checks, skip active fingerprinting (the WAF would just block its payloads
|
||||
# and flood the run with 403s) and assume that DBMS, so the user gets a usable result
|
||||
if kb.wafBypass and not conf.forceDbms:
|
||||
fallback = Backend.getErrorParsedDBMSes() or ([kb.heuristicDbms] if kb.heuristicDbms else [])
|
||||
fallback = next((_ for _ in fallback if _ and _.lower() in SUPPORTED_DBMS), None)
|
||||
if fallback:
|
||||
logger.warning("skipping active back-end DBMS fingerprinting behind the WAF/IPS and assuming '%s' from error/heuristic detection" % fallback)
|
||||
conf.forceDbms = fallback
|
||||
|
||||
setHandler()
|
||||
|
||||
if kb.wafBypass and Backend.getDbms(): # persist the assumed DBMS so a resumed run restores it instead of re-fingerprinting (and dead-ending) behind the WAF
|
||||
hashDBWrite(HASHDB_KEYS.DBMS, Backend.getDbms())
|
||||
|
||||
# automatic WAF-bypass: with MySQL behind the WAF, make data retrieval AND table enumeration survive a
|
||||
# libinjection-class WAF (e.g. OWASP CRS), verified end-to-end through ModSecurity/CRS:
|
||||
# * fingerprinting was skipped, so flag has_information_schema (modern MySQL >=5.0 always has it) -
|
||||
# otherwise enumeration wrongly assumes 'MySQL < 5.0' and bails with "no tables";
|
||||
# * 'blindbinary' reshapes the single-character read ORD(MID())->RIGHT(LEFT())>BINARY 0x.. (sheds the
|
||||
# ORD/MID function names scored by 942151/942190);
|
||||
# * 'infoschema2innodb' moves table enumeration off 'information_schema' (scored by 942140) onto
|
||||
# 'mysql.innodb_table_stats', which is not on those blocklists.
|
||||
# (blindbinary also reshapes PostgreSQL, but full extraction through the CRS proxy garbles there - an
|
||||
# open issue - so PG is not auto-applied; it stays available as manual '--tamper=blindbinary'.)
|
||||
if kb.wafBypass and Backend.getIdentifiedDbms() == DBMS.MYSQL:
|
||||
kb.data.has_information_schema = True
|
||||
if not conf.tamper:
|
||||
from lib.utils.wafbypass import loadTamper
|
||||
for _name in ("blindbinary", "infoschema2innodb"):
|
||||
function = loadTamper(_name)
|
||||
if function is not None and function not in (kb.tamperFunctions or []):
|
||||
kb.tamperFunctions = (kb.tamperFunctions or []) + [function]
|
||||
logger.info("using tamper scripts 'blindbinary' and 'infoschema2innodb' so data retrieval and table enumeration can pass the WAF/IPS")
|
||||
|
||||
if not Backend.getDbms() or not conf.dbmsHandler:
|
||||
htmlParsed = Format.getErrorParsedDBMSes()
|
||||
|
||||
|
|
@ -78,6 +123,9 @@ def action():
|
|||
if conf.getStatements:
|
||||
conf.dumper.statements(conf.dbmsHandler.getStatements())
|
||||
|
||||
if conf.getProcs:
|
||||
conf.dumper.procedures(conf.dbmsHandler.getProcedures())
|
||||
|
||||
if conf.getPasswordHashes:
|
||||
try:
|
||||
conf.dumper.userSettings("database management system users password hashes", conf.dbmsHandler.getPasswordHashes(), "password hash", CONTENT_TYPE.PASSWORDS)
|
||||
|
|
|
|||
|
|
@ -16,6 +16,7 @@ from extra.beep.beep import beep
|
|||
from lib.core.agent import agent
|
||||
from lib.core.common import Backend
|
||||
from lib.core.common import extractRegexResult
|
||||
from lib.core.common import extractStructuralTokens
|
||||
from lib.core.common import extractTextTagContent
|
||||
from lib.core.common import filterNone
|
||||
from lib.core.common import findDynamicContent
|
||||
|
|
@ -56,6 +57,7 @@ from lib.core.dicts import HEURISTIC_NULL_EVAL
|
|||
from lib.core.enums import DBMS
|
||||
from lib.core.enums import HASHDB_KEYS
|
||||
from lib.core.enums import HEURISTIC_TEST
|
||||
from lib.core.enums import POST_HINT
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.enums import HTTPMETHOD
|
||||
from lib.core.enums import NOTE
|
||||
|
|
@ -79,14 +81,23 @@ from lib.core.settings import DEFAULT_GET_POST_DELIMITER
|
|||
from lib.core.settings import DUMMY_NON_SQLI_CHECK_APPENDIX
|
||||
from lib.core.settings import FI_ERROR_REGEX
|
||||
from lib.core.settings import FORMAT_EXCEPTION_STRINGS
|
||||
from lib.core.settings import GRAPHQL_ERROR_REGEX
|
||||
from lib.core.settings import HEURISTIC_CHECK_ALPHABET
|
||||
from lib.core.settings import INFERENCE_EQUALS_CHAR
|
||||
from lib.core.settings import LDAP_ERROR_REGEX
|
||||
from lib.core.settings import SSTI_ERROR_REGEX
|
||||
from lib.core.settings import XPATH_ERROR_REGEX
|
||||
from lib.core.settings import XXE_ERROR_REGEX
|
||||
from lib.core.settings import IPS_WAF_CHECK_PAYLOAD
|
||||
from lib.core.settings import IPS_WAF_CHECK_RATIO
|
||||
from lib.core.settings import IPS_WAF_CHECK_TIMEOUT
|
||||
from lib.core.settings import MAX_DIFFLIB_SEQUENCE_LENGTH
|
||||
from lib.core.settings import MAX_STABILITY_DELAY
|
||||
from lib.core.settings import NON_SQLI_CHECK_PREFIX_SUFFIX_LENGTH
|
||||
from lib.core.settings import NOSQL_ERROR_REGEX
|
||||
from lib.core.settings import NULL_CONNECTION_LENGTH_TOLERANCE_HIGH
|
||||
from lib.core.settings import NULL_CONNECTION_LENGTH_TOLERANCE_LOW
|
||||
from lib.core.settings import NULL_CONNECTION_SKIP_READ_MIN_LENGTH
|
||||
from lib.core.settings import PRECONNECT_INCOMPATIBLE_SERVERS
|
||||
from lib.core.settings import SINGLE_QUOTE_MARKER
|
||||
from lib.core.settings import SLEEP_TIME_MARKER
|
||||
|
|
@ -94,12 +105,14 @@ from lib.core.settings import SUHOSIN_MAX_VALUE_LENGTH
|
|||
from lib.core.settings import SUPPORTED_DBMS
|
||||
from lib.core.settings import UPPER_RATIO_BOUND
|
||||
from lib.core.settings import URI_HTTP_HEADER
|
||||
from lib.core.settings import WAF_BLOCK_HTTP_CODES
|
||||
from lib.core.threads import getCurrentThreadData
|
||||
from lib.core.unescaper import unescaper
|
||||
from lib.request.connect import Connect as Request
|
||||
from lib.request.comparison import comparison
|
||||
from lib.request.inject import checkBooleanExpression
|
||||
from lib.request.templates import getPageTemplate
|
||||
from lib.utils.dialect import dialectCheckDbms
|
||||
from lib.techniques.union.test import unionTest
|
||||
from lib.techniques.union.use import configUnion
|
||||
from thirdparty import six
|
||||
|
|
@ -149,6 +162,13 @@ def checkSqlInjection(place, parameter, value):
|
|||
if not Backend.getIdentifiedDbms() and kb.heuristicDbms is None and not kb.droppingRequests:
|
||||
kb.heuristicDbms = heuristicCheckDbms(injection)
|
||||
|
||||
# keyword-free fallback: heuristicCheckDbms() above uses SELECT/quote payloads
|
||||
# and is skipped when the WAF/IPS is dropping requests; the operator-dialect
|
||||
# probes carry no SELECT/quote/schema name, so they can still narrow the DBMS in
|
||||
# that case (or when it was inconclusive), using the now-calibrated boolean oracle
|
||||
if not Backend.getIdentifiedDbms() and kb.heuristicDbms is None:
|
||||
kb.heuristicDbms = dialectCheckDbms(injection)
|
||||
|
||||
# If the DBMS has already been fingerprinted (via DBMS-specific
|
||||
# error message, simple heuristic check or via DBMS-specific
|
||||
# payload), ask the user to limit the tests to the fingerprinted
|
||||
|
|
@ -580,6 +600,18 @@ def checkSqlInjection(place, parameter, value):
|
|||
break
|
||||
|
||||
if injectable:
|
||||
# WAF/IPS block-artifact guard: a TRUE condition (the always-true payload that
|
||||
# mimics a legitimate request) coming back with a blocked HTTP status (e.g. 403)
|
||||
# while the FALSE condition passes (2xx) is the WAF answering, not the database.
|
||||
# A real boolean injection's TRUE condition reproduces the normal page, so this
|
||||
# status-code asymmetry is the classic false positive - refuse it here.
|
||||
if not kb.negativeLogic and trueCode in WAF_BLOCK_HTTP_CODES and (falseCode or 0) < 400 and (kb.heuristicCode or 200) < 400:
|
||||
warnMsg = "%sparameter '%s' TRUE/FALSE responses differ only by a blocked HTTP %d vs %d status, " % ("%s " % paramType if paramType != parameter else "", parameter, trueCode, falseCode)
|
||||
warnMsg += "which is characteristic of a WAF/IPS block rather than a SQL injection; skipping as a likely false positive"
|
||||
logger.warning(warnMsg)
|
||||
injectable = False
|
||||
continue
|
||||
|
||||
if kb.pageStable and not any((conf.string, conf.notString, conf.regexp, conf.code, conf.titles, kb.nullConnection)):
|
||||
if all((falseCode, trueCode)) and falseCode != trueCode and trueCode != kb.heuristicCode:
|
||||
suggestion = conf.code = trueCode
|
||||
|
|
@ -1149,6 +1181,48 @@ def heuristicCheckSqlInjection(place, parameter):
|
|||
except (SystemError, RuntimeError) as ex:
|
||||
logger.debug("Skipping FI heuristic due to regex failure: %s", getSafeExString(ex))
|
||||
|
||||
if not conf.nosql and re.search(NOSQL_ERROR_REGEX, page or ""):
|
||||
infoMsg = "heuristic (NoSQL) test shows that %sparameter '%s' might be vulnerable to NoSQL injection attacks (rerun with switch '--nosql')" % ("%s " % paramType if paramType != parameter else "", parameter)
|
||||
logger.info(infoMsg)
|
||||
|
||||
if conf.beep:
|
||||
beep()
|
||||
|
||||
if not conf.graphql and re.search(GRAPHQL_ERROR_REGEX, page or ""):
|
||||
infoMsg = "heuristic (GraphQL) test shows that %sparameter '%s' appears to be a GraphQL endpoint (rerun with switch '--graphql')" % ("%s " % paramType if paramType != parameter else "", parameter)
|
||||
logger.info(infoMsg)
|
||||
|
||||
if conf.beep:
|
||||
beep()
|
||||
|
||||
if not conf.ldap and re.search(LDAP_ERROR_REGEX, page or ""):
|
||||
infoMsg = "heuristic (LDAP) test shows that %sparameter '%s' might be vulnerable to LDAP injection (rerun with switch '--ldap')" % ("%s " % paramType if paramType != parameter else "", parameter)
|
||||
logger.info(infoMsg)
|
||||
|
||||
if conf.beep:
|
||||
beep()
|
||||
|
||||
if not conf.xpath and re.search(XPATH_ERROR_REGEX, page or ""):
|
||||
infoMsg = "heuristic (XPath) test shows that %sparameter '%s' might be vulnerable to XPath injection (rerun with switch '--xpath')" % ("%s " % paramType if paramType != parameter else "", parameter)
|
||||
logger.info(infoMsg)
|
||||
|
||||
if conf.beep:
|
||||
beep()
|
||||
|
||||
if not conf.ssti and re.search(SSTI_ERROR_REGEX, page or ""):
|
||||
infoMsg = "heuristic (SSTI) test shows that %sparameter '%s' might be vulnerable to server-side template injection (rerun with switch '--ssti')" % ("%s " % paramType if paramType != parameter else "", parameter)
|
||||
logger.info(infoMsg)
|
||||
|
||||
if conf.beep:
|
||||
beep()
|
||||
|
||||
if not conf.xxe and kb.postHint in (POST_HINT.XML, POST_HINT.SOAP) and re.search(XXE_ERROR_REGEX, page or ""):
|
||||
infoMsg = "heuristic (XXE) test shows that the XML request body might be vulnerable to XML External Entity injection (rerun with switch '--xxe')"
|
||||
logger.info(infoMsg)
|
||||
|
||||
if conf.beep:
|
||||
beep()
|
||||
|
||||
kb.disableHtmlDecoding = False
|
||||
kb.heuristicMode = False
|
||||
|
||||
|
|
@ -1209,7 +1283,9 @@ def checkDynamicContent(firstPage, secondPage):
|
|||
seqMatcher.set_seq1(firstPage)
|
||||
seqMatcher.set_seq2(secondPage)
|
||||
ratio = seqMatcher.quick_ratio()
|
||||
except MemoryError:
|
||||
except (MemoryError, TypeError, SystemError, ValueError, AttributeError):
|
||||
# difflib can fail on pathological input or, rarely, with interpreter-level
|
||||
# errors under heavy threading; degrade to "undetermined" instead of crashing
|
||||
ratio = None
|
||||
|
||||
if ratio is None:
|
||||
|
|
@ -1224,6 +1300,27 @@ def checkDynamicContent(firstPage, secondPage):
|
|||
count += 1
|
||||
|
||||
if count > conf.retries:
|
||||
# Last resort before the (lossy) '--text-only' fallback: if the page is byte-unstable
|
||||
# but STRUCTURALLY stable - an identical, non-empty tag/class/id skeleton across
|
||||
# requests - base the comparison on that value-free structure instead. Dynamic text
|
||||
# (e.g. per-render result rows) then no longer masks an injection whose signal is
|
||||
# structural (the HTML counterpart of the structure-aware JSON comparison). Content
|
||||
# with no usable structure (empty skeleton, e.g. random/binary bodies) falls through
|
||||
# to '--text-only' as before.
|
||||
skeleton = extractStructuralTokens(firstPage)
|
||||
if skeleton and skeleton == extractStructuralTokens(secondPage):
|
||||
kb.pageStructurallyStable = True
|
||||
|
||||
if kb.nullConnection:
|
||||
debugMsg = "turning off NULL connection support because of structural page comparison"
|
||||
logger.debug(debugMsg)
|
||||
kb.nullConnection = None
|
||||
|
||||
infoMsg = "target URL content is not byte-stable but structurally stable; sqlmap "
|
||||
infoMsg += "will base the page comparison on the page structure"
|
||||
logger.info(infoMsg)
|
||||
return
|
||||
|
||||
warnMsg = "target URL content appears to be too dynamic. "
|
||||
warnMsg += "Switching to '--text-only' "
|
||||
logger.warning(warnMsg)
|
||||
|
|
@ -1351,6 +1448,10 @@ def checkWaf():
|
|||
warnMsg = "previous heuristics detected that the target "
|
||||
warnMsg += "is protected by some kind of WAF/IPS"
|
||||
logger.critical(warnMsg)
|
||||
if hashDBRetrieve(HASHDB_KEYS.CHECK_WAF_BYPASS, True): # re-apply a previously accepted automatic bypass
|
||||
from lib.utils.wafbypass import neutralizeFingerprint
|
||||
kb.wafBypass = True
|
||||
neutralizeFingerprint()
|
||||
return _
|
||||
|
||||
if not kb.originalPage:
|
||||
|
|
@ -1393,6 +1494,7 @@ def checkWaf():
|
|||
|
||||
hashDBWrite(HASHDB_KEYS.CHECK_WAF_RESULT, retVal, True)
|
||||
|
||||
|
||||
if retVal:
|
||||
if not kb.identifiedWafs:
|
||||
warnMsg = "heuristics detected that the target "
|
||||
|
|
@ -1406,9 +1508,19 @@ def checkWaf():
|
|||
if not choice:
|
||||
raise SqlmapUserQuitException
|
||||
else:
|
||||
if not conf.tamper:
|
||||
warnMsg = "please consider usage of tamper scripts (option '--tamper')"
|
||||
singleTimeWarnMessage(warnMsg)
|
||||
if not conf.tamper and not kb.tamperFunctions:
|
||||
message = "do you want sqlmap to try to automatically bypass the WAF/IPS during "
|
||||
message += "the run (e.g. by using a non-scanner User-Agent and tamper script(s))? [Y/n] "
|
||||
kb.wafBypass = readInput(message, default='Y', boolean=True)
|
||||
hashDBWrite(HASHDB_KEYS.CHECK_WAF_BYPASS, kb.wafBypass, True)
|
||||
if kb.wafBypass:
|
||||
# apply it up-front so the whole run (detection included) avoids the scanner
|
||||
# fingerprint, instead of getting blocked first and only then retrying
|
||||
from lib.utils.wafbypass import neutralizeFingerprint
|
||||
neutralizeFingerprint()
|
||||
logger.info("using a random (non-scanner) User-Agent and browser-like headers to bypass the WAF/IPS")
|
||||
else:
|
||||
singleTimeWarnMessage("please consider manual usage of tamper scripts (option '--tamper')")
|
||||
|
||||
return retVal
|
||||
|
||||
|
|
@ -1436,30 +1548,79 @@ def checkNullConnection():
|
|||
pushValue(kb.pageCompress)
|
||||
kb.pageCompress = False
|
||||
|
||||
# A method is accepted only if the length it reports tracks the real GET response. The
|
||||
# original page length (len(kb.originalPage)) is the reference; a method whose length is
|
||||
# grossly off (e.g. HEAD returning 'Content-Length: 0', HEAD served from a different code
|
||||
# path, or sneaked-in compression) would otherwise make every page look identical and
|
||||
# silently break detection. The band is coarse on purpose (byte-vs-character size and
|
||||
# moderate page dynamism are expected); a false reject just forgoes the optimization
|
||||
def _plausibleLength(length):
|
||||
reference = len(kb.originalPage or "")
|
||||
if not reference:
|
||||
return True
|
||||
return NULL_CONNECTION_LENGTH_TOLERANCE_LOW * reference <= length <= NULL_CONNECTION_LENGTH_TOLERANCE_HIGH * reference
|
||||
|
||||
try:
|
||||
page, headers, _ = Request.getPage(method=HTTPMETHOD.HEAD, raise404=False)
|
||||
|
||||
if not page and HTTP_HEADER.CONTENT_LENGTH in (headers or {}):
|
||||
kb.nullConnection = NULLCONNECTION.HEAD
|
||||
try:
|
||||
length = int(headers[HTTP_HEADER.CONTENT_LENGTH].split(',')[0])
|
||||
except ValueError:
|
||||
length = None
|
||||
|
||||
infoMsg = "NULL connection is supported with HEAD method ('Content-Length')"
|
||||
logger.info(infoMsg)
|
||||
else:
|
||||
if length is not None and _plausibleLength(length):
|
||||
kb.nullConnection = NULLCONNECTION.HEAD
|
||||
|
||||
infoMsg = "NULL connection is supported with HEAD method ('Content-Length')"
|
||||
logger.info(infoMsg)
|
||||
elif length is not None:
|
||||
debugMsg = "HEAD method reports an implausible 'Content-Length' (%d B vs ~%d B for the original page); skipping it" % (length, len(kb.originalPage or ""))
|
||||
logger.debug(debugMsg)
|
||||
|
||||
if kb.nullConnection is None:
|
||||
page, headers, _ = Request.getPage(auxHeaders={HTTP_HEADER.RANGE: "bytes=-1"})
|
||||
|
||||
if page and len(page) == 1 and HTTP_HEADER.CONTENT_RANGE in (headers or {}):
|
||||
kb.nullConnection = NULLCONNECTION.RANGE
|
||||
try:
|
||||
length = int(headers[HTTP_HEADER.CONTENT_RANGE][headers[HTTP_HEADER.CONTENT_RANGE].find('/') + 1:])
|
||||
except ValueError:
|
||||
length = None
|
||||
|
||||
infoMsg = "NULL connection is supported with GET method ('Range')"
|
||||
logger.info(infoMsg)
|
||||
else:
|
||||
_, headers, _ = Request.getPage(skipRead=True)
|
||||
if length is not None and _plausibleLength(length):
|
||||
kb.nullConnection = NULLCONNECTION.RANGE
|
||||
|
||||
if HTTP_HEADER.CONTENT_LENGTH in (headers or {}):
|
||||
infoMsg = "NULL connection is supported with GET method ('Range')"
|
||||
logger.info(infoMsg)
|
||||
elif length is not None:
|
||||
debugMsg = "'Range' method reports an implausible total length (%d B vs ~%d B for the original page); skipping it" % (length, len(kb.originalPage or ""))
|
||||
logger.debug(debugMsg)
|
||||
|
||||
if kb.nullConnection is None:
|
||||
_, headers, _ = Request.getPage(skipRead=True)
|
||||
|
||||
if HTTP_HEADER.CONTENT_LENGTH in (headers or {}):
|
||||
try:
|
||||
length = int(headers[HTTP_HEADER.CONTENT_LENGTH].split(',')[0])
|
||||
except ValueError:
|
||||
length = len(kb.originalPage or "")
|
||||
|
||||
if not _plausibleLength(length):
|
||||
debugMsg = "'skip-read' method reports an implausible 'Content-Length' (%d B vs ~%d B for the original page); skipping it" % (length, len(kb.originalPage or ""))
|
||||
logger.debug(debugMsg)
|
||||
# Unlike HEAD/Range, 'skip-read' leaves the body unread and must close the
|
||||
# connection (an unread body cannot be reused), paying a fresh TCP/TLS handshake
|
||||
# per request. That only outweighs the avoided body transfer for large responses;
|
||||
# for small ones it is a net slowdown, so it is gated by the response size here
|
||||
elif length >= NULL_CONNECTION_SKIP_READ_MIN_LENGTH:
|
||||
kb.nullConnection = NULLCONNECTION.SKIP_READ
|
||||
|
||||
infoMsg = "NULL connection is supported with 'skip-read' method"
|
||||
logger.info(infoMsg)
|
||||
else:
|
||||
debugMsg = "'skip-read' NULL connection method is available but skipped because the "
|
||||
debugMsg += "response (%d B) is too small for it to outweigh the per-request reconnect cost" % length
|
||||
logger.debug(debugMsg)
|
||||
|
||||
except SqlmapConnectionException:
|
||||
pass
|
||||
|
|
|
|||
|
|
@ -41,6 +41,7 @@ from lib.core.common import readInput
|
|||
from lib.core.common import removePostHintPrefix
|
||||
from lib.core.common import safeCSValue
|
||||
from lib.core.common import showHttpErrorCodes
|
||||
from lib.core.common import singleTimeWarnMessage
|
||||
from lib.core.common import urldecode
|
||||
from lib.core.common import urlencode
|
||||
from lib.core.compat import xrange
|
||||
|
|
@ -70,11 +71,13 @@ from lib.core.settings import CSRF_TOKEN_PARAMETER_INFIXES
|
|||
from lib.core.settings import DEFAULT_GET_POST_DELIMITER
|
||||
from lib.core.settings import EMPTY_FORM_FIELDS_REGEX
|
||||
from lib.core.settings import GOOGLE_ANALYTICS_COOKIE_REGEX
|
||||
from lib.core.settings import HASHDB_STALE_DAYS
|
||||
from lib.core.settings import HOST_ALIASES
|
||||
from lib.core.settings import IGNORE_PARAMETERS
|
||||
from lib.core.settings import LOW_TEXT_PERCENT
|
||||
from lib.core.settings import REFERER_ALIASES
|
||||
from lib.core.settings import USER_AGENT_ALIASES
|
||||
from lib.core.settings import WAF_BYPASS_MAX_TRIALS
|
||||
from lib.core.target import initTargetEnv
|
||||
from lib.core.target import setupTargetEnv
|
||||
from lib.utils.hash import crackHashFile
|
||||
|
|
@ -167,6 +170,57 @@ def _formatInjection(inj):
|
|||
|
||||
return data
|
||||
|
||||
def _autoWafBypass(place, parameter, value):
|
||||
"""
|
||||
Automatic WAF/IPS bypass (offered interactively once a WAF/IPS is detected, cached in
|
||||
kb.wafBypass). The request fingerprint has already been neutralized up-front (non-scanner
|
||||
User-Agent, see checkWaf), so here the empirically-ranked candidate tamper scripts are trialled
|
||||
and the first that RESTORES a confirmed injection is adopted. Re-running checkSqlInjection()
|
||||
through a candidate is itself the validation - it succeeds only if the resulting payload both
|
||||
passes the WAF and stays valid SQL, so junk/incompatible candidates are rejected automatically.
|
||||
"""
|
||||
|
||||
from lib.utils.wafbypass import candidateTampers, loadTamper
|
||||
|
||||
retVal = None
|
||||
|
||||
savedTamper = kb.tamperFunctions
|
||||
savedTechnique = conf.technique
|
||||
conf.technique = [PAYLOAD.TECHNIQUE.BOOLEAN] # bound each trial to a quick boolean re-check
|
||||
|
||||
candidates = candidateTampers(identifiedWafs=kb.identifiedWafs)
|
||||
|
||||
try:
|
||||
for count, name in enumerate(candidates):
|
||||
if count >= WAF_BYPASS_MAX_TRIALS:
|
||||
break
|
||||
|
||||
function = loadTamper(name)
|
||||
if function is None:
|
||||
continue
|
||||
|
||||
kb.tamperFunctions = [function]
|
||||
logger.info("trying to bypass the WAF/IPS with tamper script '%s'" % name)
|
||||
|
||||
injection = checkSqlInjection(place, parameter, value)
|
||||
if getattr(injection, "place", None) is not None and NOTE.FALSE_POSITIVE_OR_UNEXPLOITABLE not in injection.notes:
|
||||
logger.info("bypassed the WAF/IPS by using tamper script '%s' (with a non-scanner User-Agent)" % name)
|
||||
logger.info("the same result can be reproduced manually with switch '--random-agent' and tamper script '%s'" % name)
|
||||
retVal = injection
|
||||
return retVal
|
||||
|
||||
if kb.droppingRequests and count >= 2:
|
||||
logger.warning("target keeps dropping requests; giving up on the WAF/IPS bypass")
|
||||
break
|
||||
finally:
|
||||
conf.technique = savedTechnique
|
||||
if retVal is None: # nothing worked - leave tampering untouched
|
||||
kb.tamperFunctions = savedTamper
|
||||
# honest bail: say it could not be bypassed and what to try manually
|
||||
logger.warning("unable to automatically bypass the WAF/IPS; it might be using behavioral or rate-based detection (consider a manual '--tamper' selection, '--delay', or '--proxy' rotation)")
|
||||
|
||||
return retVal
|
||||
|
||||
def _showInjections():
|
||||
if conf.wizard and kb.wizardMode:
|
||||
kb.wizardMode = False
|
||||
|
|
@ -181,9 +235,29 @@ def _showInjections():
|
|||
conf.dumper.string("", {"url": conf.url, "query": conf.parameters.get(PLACE.GET), "data": conf.parameters.get(PLACE.POST)}, content_type=CONTENT_TYPE.TARGET)
|
||||
conf.dumper.string("", kb.injections, content_type=CONTENT_TYPE.TECHNIQUES)
|
||||
else:
|
||||
# --report-json: capture the same TARGET/TECHNIQUES structures the API emits, without
|
||||
# printing them (the human-readable injection points are rendered just below)
|
||||
if conf.reportJson:
|
||||
conf.dumper._reportData({"url": conf.url, "query": conf.parameters.get(PLACE.GET), "data": conf.parameters.get(PLACE.POST)}, CONTENT_TYPE.TARGET)
|
||||
conf.dumper._reportData(kb.injections, CONTENT_TYPE.TECHNIQUES)
|
||||
|
||||
data = "".join(set(_formatInjection(_) for _ in kb.injections)).rstrip("\n")
|
||||
conf.dumper.string(header, data)
|
||||
|
||||
# when results were resumed (no test requests this run), nudge if the session file is stale -
|
||||
# this is the common "why is it showing old/unexpected results?" confusion
|
||||
if kb.testQueryCount == 0 and not conf.freshQueries:
|
||||
try:
|
||||
days = int((time.time() - os.path.getmtime(conf.hashDBFile)) / (24 * 3600))
|
||||
except (OSError, IOError, TypeError):
|
||||
days = 0
|
||||
|
||||
if days >= HASHDB_STALE_DAYS:
|
||||
warnMsg = "results above were resumed from a session file last updated %d days ago, " % days
|
||||
warnMsg += "so they may be stale. Rerun with '--flush-session' to retest "
|
||||
warnMsg += "or '--fresh-queries' to ignore cached query results"
|
||||
logger.warning(warnMsg)
|
||||
|
||||
if conf.tamper:
|
||||
warnMsg = "changes made by tampering scripts are not "
|
||||
warnMsg += "included in shown payload content(s)"
|
||||
|
|
@ -431,9 +505,17 @@ def start():
|
|||
infoMsg = "testing URL '%s'" % targetUrl
|
||||
logger.info(infoMsg)
|
||||
|
||||
if conf.graphql and PLACE.GET not in conf.parameters:
|
||||
# graphqlScan() is self-contained and operates on the GraphQL
|
||||
# document, not on HTTP parameters. A dummy GET parameter keeps
|
||||
# _setRequestParams() from appending the URI injection marker ('*')
|
||||
# to a bare endpoint URL (which would break detection under
|
||||
# '--batch'); it is discarded by graphqlScan() on entry.
|
||||
conf.parameters[PLACE.GET] = "x"
|
||||
|
||||
setupTargetEnv()
|
||||
|
||||
if not checkConnection(suppressOutput=conf.forms):
|
||||
if not any((conf.graphql,)) and not checkConnection(suppressOutput=conf.forms):
|
||||
continue
|
||||
|
||||
if conf.rParam and kb.originalPage:
|
||||
|
|
@ -447,13 +529,47 @@ def start():
|
|||
|
||||
checkWaf()
|
||||
|
||||
if any((conf.graphql, conf.nosql, conf.ldap, conf.xpath, conf.ssti, conf.xxe)) and (conf.reportJson or conf.resultsFile):
|
||||
singleTimeWarnMessage("'--report-json'/'--results-file' do not (yet) capture non-SQL technique (--graphql/--nosql/--ldap/--xpath/--ssti/--xxe) findings; these are reported on the console only")
|
||||
|
||||
if conf.graphql:
|
||||
from lib.techniques.graphql.inject import graphqlScan
|
||||
graphqlScan()
|
||||
continue
|
||||
|
||||
if conf.nosql:
|
||||
from lib.techniques.nosql.inject import nosqlScan
|
||||
nosqlScan()
|
||||
continue
|
||||
|
||||
if conf.ldap:
|
||||
from lib.techniques.ldap.inject import ldapScan
|
||||
ldapScan()
|
||||
continue
|
||||
|
||||
if conf.xpath:
|
||||
from lib.techniques.xpath.inject import xpathScan
|
||||
xpathScan()
|
||||
continue
|
||||
|
||||
if conf.ssti:
|
||||
from lib.techniques.ssti.inject import sstiScan
|
||||
sstiScan()
|
||||
continue
|
||||
|
||||
if conf.xxe:
|
||||
from lib.techniques.xxe.inject import xxeScan
|
||||
xxeScan()
|
||||
continue
|
||||
|
||||
if conf.nullConnection:
|
||||
checkNullConnection()
|
||||
|
||||
if (len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None)) and (kb.injection.place is None or kb.injection.parameter is None):
|
||||
if not any((conf.string, conf.notString, conf.regexp)) and PAYLOAD.TECHNIQUE.BOOLEAN in conf.technique:
|
||||
# NOTE: this is not needed anymore, leaving only to display
|
||||
# a warning message to the user in case the page is not stable
|
||||
if not any((conf.string, conf.notString, conf.regexp)) and any(_ in conf.technique for _ in (PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.UNION)):
|
||||
# NOTE: besides the not-stable warning, this marks dynamic content for removal, which
|
||||
# UNION column-count detection relies on too (it compares pages) - so it must run when
|
||||
# UNION is tested even if BOOLEAN is excluded (e.g. '--technique=U' on a dynamic page)
|
||||
checkStability()
|
||||
|
||||
# Do a little prioritization reorder of a testable parameter list
|
||||
|
|
@ -605,6 +721,14 @@ def start():
|
|||
logger.info(infoMsg)
|
||||
|
||||
injection = checkSqlInjection(place, parameter, value)
|
||||
|
||||
# WAF/IPS bypass accepted: the parameter looks injectable (heuristics) but
|
||||
# the standard payloads were blocked -> try to auto-bypass it (request
|
||||
# fingerprint neutralization and/or a tamper script)
|
||||
if getattr(injection, "place", None) is None and kb.wafBypass and check == HEURISTIC_TEST.POSITIVE \
|
||||
and not conf.tamper and not kb.tamperFunctions:
|
||||
injection = _autoWafBypass(place, parameter, value) or injection
|
||||
|
||||
proceed = not kb.endDetection
|
||||
injectable = False
|
||||
|
||||
|
|
@ -704,9 +828,13 @@ def start():
|
|||
errMsg += "does not match exclusively True responses."
|
||||
|
||||
if not conf.tamper:
|
||||
errMsg += " If you suspect that there is some kind of protection mechanism "
|
||||
errMsg += "involved (e.g. WAF) maybe you could try to use "
|
||||
errMsg += "option '--tamper' (e.g. '--tamper=space2comment')"
|
||||
if kb.identifiedWafs:
|
||||
errMsg += " As a WAF/IPS ('%s') was identified during the run, " % ", ".join(kb.identifiedWafs)
|
||||
errMsg += "you are strongly advised to retry with option '--tamper' (e.g. '--tamper=space2comment')"
|
||||
else:
|
||||
errMsg += " If you suspect that there is some kind of protection mechanism "
|
||||
errMsg += "involved (e.g. WAF) maybe you could try to use "
|
||||
errMsg += "option '--tamper' (e.g. '--tamper=space2comment')"
|
||||
|
||||
if not conf.randomAgent:
|
||||
errMsg += " and/or switch '--random-agent'"
|
||||
|
|
@ -729,7 +857,12 @@ def start():
|
|||
condition = True
|
||||
|
||||
if condition:
|
||||
action()
|
||||
try:
|
||||
action()
|
||||
finally:
|
||||
if conf.proof:
|
||||
from lib.utils.prove import proveExploitation
|
||||
proveExploitation()
|
||||
|
||||
except KeyboardInterrupt:
|
||||
if kb.lastCtrlCTime and (time.time() - kb.lastCtrlCTime < 1):
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue