CERBERUS/sqlmap
1
0
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2026-06-28 12:31:00 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
sqlmap/extra/vulnserver/vulnserver.py
Miroslav Štampar e8162d314a
Some checks are pending
/ build (macos-latest, 3.8) (push) Waiting to run
Details
/ build (ubuntu-latest, pypy-2.7) (push) Waiting to run
Details
/ build (windows-latest, 3.14) (push) Waiting to run
Details
Adding switch --ldap
2026-06-28 01:36:38 +02:00

1033 lines
51 KiB
Python
Raw Blame History

#!/usr/bin/env python
"""
vulnserver.py - Trivial SQLi vulnerable HTTP server (Note: for testing purposes)
Copyright (c) 2006-2026 sqlmap developers (https://sqlmap.org)
See the file 'LICENSE' for copying permission
"""
from __future__ import print_function
import base64
import json
import random
import re
import sqlite3
import string
import sys
import threading
import traceback
PY3 = sys.version_info >= (3, 0)
UNICODE_ENCODING = "utf-8"
DEBUG = False
if PY3:
from http.client import FORBIDDEN
from http.client import INTERNAL_SERVER_ERROR
from http.client import NOT_FOUND
from http.client import OK
from http.server import BaseHTTPRequestHandler
from http.server import HTTPServer
from socketserver import ThreadingMixIn
from urllib.parse import parse_qs
from urllib.parse import unquote_plus
else:
from BaseHTTPServer import BaseHTTPRequestHandler
from BaseHTTPServer import HTTPServer
from httplib import FORBIDDEN
from httplib import INTERNAL_SERVER_ERROR
from httplib import NOT_FOUND
from httplib import OK
from SocketServer import ThreadingMixIn
from urlparse import parse_qs
from urllib import unquote_plus
SCHEMA = """
CREATE TABLE users (
id INTEGER,
name TEXT,
surname TEXT,
PRIMARY KEY (id)
);
INSERT INTO users (id, name, surname) VALUES (1, 'luther', 'blisset');
INSERT INTO users (id, name, surname) VALUES (2, 'fluffy', 'bunny');
INSERT INTO users (id, name, surname) VALUES (3, 'wu', 'ming');
INSERT INTO users (id, name, surname) VALUES (4, NULL, 'nameisnull');
INSERT INTO users (id, name, surname) VALUES (5, 'mark', 'lewis');
INSERT INTO users (id, name, surname) VALUES (6, 'ada', 'lovelace');
INSERT INTO users (id, name, surname) VALUES (7, 'grace', 'hopper');
INSERT INTO users (id, name, surname) VALUES (8, 'alan', 'turing');
INSERT INTO users (id, name, surname) VALUES (9, 'margaret','hamilton');
INSERT INTO users (id, name, surname) VALUES (10, 'donald', 'knuth');
INSERT INTO users (id, name, surname) VALUES (11, 'tim', 'bernerslee');
INSERT INTO users (id, name, surname) VALUES (12, 'linus', 'torvalds');
INSERT INTO users (id, name, surname) VALUES (13, 'ken', 'thompson');
INSERT INTO users (id, name, surname) VALUES (14, 'dennis', 'ritchie');
INSERT INTO users (id, name, surname) VALUES (15, 'barbara', 'liskov');
INSERT INTO users (id, name, surname) VALUES (16, 'edsger', 'dijkstra');
INSERT INTO users (id, name, surname) VALUES (17, 'john', 'mccarthy');
INSERT INTO users (id, name, surname) VALUES (18, 'leslie', 'lamport');
INSERT INTO users (id, name, surname) VALUES (19, 'niklaus', 'wirth');
INSERT INTO users (id, name, surname) VALUES (20, 'bjarne', 'stroustrup');
INSERT INTO users (id, name, surname) VALUES (21, 'guido', 'vanrossum');
INSERT INTO users (id, name, surname) VALUES (22, 'brendan', 'eich');
INSERT INTO users (id, name, surname) VALUES (23, 'james', 'gosling');
INSERT INTO users (id, name, surname) VALUES (24, 'andrew', 'tanenbaum');
INSERT INTO users (id, name, surname) VALUES (25, 'yukihiro','matsumoto');
INSERT INTO users (id, name, surname) VALUES (26, 'radia', 'perlman');
INSERT INTO users (id, name, surname) VALUES (27, 'katherine','johnson');
INSERT INTO users (id, name, surname) VALUES (28, 'hady', 'lamarr');
INSERT INTO users (id, name, surname) VALUES (29, 'frank', 'miller');
INSERT INTO users (id, name, surname) VALUES (30, 'john', 'steward');
CREATE TABLE creds (
user_id INTEGER,
password_hash TEXT,
FOREIGN KEY (user_id) REFERENCES users(id)
);
INSERT INTO creds (user_id, password_hash) VALUES (1, 'db3a16990a0008a3b04707fdef6584a0');
INSERT INTO creds (user_id, password_hash) VALUES (2, '4db967ce67b15e7fb84c266a76684729');
INSERT INTO creds (user_id, password_hash) VALUES (3, 'f5a2950eaa10f9e99896800eacbe8275');
INSERT INTO creds (user_id, password_hash) VALUES (4, NULL);
INSERT INTO creds (user_id, password_hash) VALUES (5, '179ad45c6ce2cb97cf1029e212046e81');
INSERT INTO creds (user_id, password_hash) VALUES (6, '0f1e2d3c4b5a69788796a5b4c3d2e1f0');
INSERT INTO creds (user_id, password_hash) VALUES (7, 'a1b2c3d4e5f60718293a4b5c6d7e8f90');
INSERT INTO creds (user_id, password_hash) VALUES (8, '1a2b3c4d5e6f708192a3b4c5d6e7f809');
INSERT INTO creds (user_id, password_hash) VALUES (9, '9f8e7d6c5b4a3928170605f4e3d2c1b0');
INSERT INTO creds (user_id, password_hash) VALUES (10, '3c2d1e0f9a8b7c6d5e4f30291807f6e5');
INSERT INTO creds (user_id, password_hash) VALUES (11, 'b0c1d2e3f405162738495a6b7c8d9eaf');
INSERT INTO creds (user_id, password_hash) VALUES (12, '6e5d4c3b2a190807f6e5d4c3b2a1908f');
INSERT INTO creds (user_id, password_hash) VALUES (13, '11223344556677889900aabbccddeeff');
INSERT INTO creds (user_id, password_hash) VALUES (14, 'ffeeddccbbaa00998877665544332211');
INSERT INTO creds (user_id, password_hash) VALUES (15, '1234567890abcdef1234567890abcdef');
INSERT INTO creds (user_id, password_hash) VALUES (16, 'abcdef1234567890abcdef1234567890');
INSERT INTO creds (user_id, password_hash) VALUES (17, '0a1b2c3d4e5f60718a9b0c1d2e3f4051');
INSERT INTO creds (user_id, password_hash) VALUES (18, '51f04e3d2c1b0a9871605f4e3d2c1b0a');
INSERT INTO creds (user_id, password_hash) VALUES (19, '89abcdef0123456789abcdef01234567');
INSERT INTO creds (user_id, password_hash) VALUES (20, '76543210fedcba9876543210fedcba98');
INSERT INTO creds (user_id, password_hash) VALUES (21, '13579bdf2468ace013579bdf2468ace0');
INSERT INTO creds (user_id, password_hash) VALUES (22, '02468ace13579bdf02468ace13579bdf');
INSERT INTO creds (user_id, password_hash) VALUES (23, 'deadbeefdeadbeefdeadbeefdeadbeef');
INSERT INTO creds (user_id, password_hash) VALUES (24, 'cafebabecafebabecafebabecafebabe');
INSERT INTO creds (user_id, password_hash) VALUES (25, '00112233445566778899aabbccddeeff');
INSERT INTO creds (user_id, password_hash) VALUES (26, 'f0e1d2c3b4a5968778695a4b3c2d1e0f');
INSERT INTO creds (user_id, password_hash) VALUES (27, '7f6e5d4c3b2a190807f6e5d4c3b2a190');
INSERT INTO creds (user_id, password_hash) VALUES (28, '908f7e6d5c4b3a291807f6e5d4c3b2a1');
INSERT INTO creds (user_id, password_hash) VALUES (29, '3049b791fa83e2f42f37bae18634b92d');
INSERT INTO creds (user_id, password_hash) VALUES (30, 'd59a348f90d757c7da30418773424b5e');
CREATE TABLE directory (
dn TEXT,
uid TEXT,
cn TEXT,
sn TEXT,
givenName TEXT,
displayName TEXT,
userPassword TEXT,
mail TEXT,
objectClass TEXT,
objectCategory TEXT,
ou TEXT,
title TEXT,
department TEXT,
company TEXT,
o TEXT,
telephoneNumber TEXT,
mobile TEXT,
manager TEXT,
description TEXT,
l TEXT,
st TEXT,
street TEXT,
postalCode TEXT,
c TEXT,
employeeNumber TEXT,
employeeType TEXT,
member TEXT
);
-- Column order: dn, uid, cn, sn, givenName, displayName, userPassword, mail,
-- objectClass, objectCategory, ou, title, department, company, o,
-- telephoneNumber, mobile, manager, description, l, st, street,
-- postalCode, c, employeeNumber, employeeType, member
INSERT INTO directory VALUES ('uid=luther,ou=users,dc=example,dc=com', 'luther', 'Luther Blisset', 'Blisset', 'Luther', 'Luther Blisset', 'db3a16990a0008a3b04707fdef6584a0', 'luther@example.com', 'inetOrgPerson', 'Person', 'users', 'System Administrator', 'IT Operations', 'Example Corp', 'Example', '+1 555 0100', '+1 555 0101', 'uid=ada,ou=users,dc=example,dc=com', 'System administrator', 'London', 'Greater London', '10 Downing Street', 'SW1A 2AA', 'GB', '1001', 'Employee', NULL);
INSERT INTO directory VALUES ('uid=fluffy,ou=users,dc=example,dc=com', 'fluffy', 'Fluffy Bunny', 'Bunny', 'Fluffy', 'Fluffy Bunny', '4db967ce67b15e7fb84c266a76684729', 'fluffy@example.com', 'inetOrgPerson', 'Person', 'users', 'Security Engineer', 'Security', 'Example Corp', 'Example', '+1 555 0102', '+1 555 0103', NULL, 'Security engineer', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO directory VALUES ('uid=wu,ou=users,dc=example,dc=com', 'wu', 'Wu Ming', 'Ming', 'Wu', 'Wu Ming', 'f5a2950eaa10f9e99896800eacbe8275', 'wu@example.com', 'inetOrgPerson', 'Person', 'users', NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'Developer', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO directory VALUES ('uid=mark,ou=users,dc=example,dc=com', 'mark', 'Mark Lewis', 'Lewis', 'Mark', 'Mark Lewis', '179ad45c6ce2cb97cf1029e212046e81', 'mark@example.com', 'inetOrgPerson', 'Person', 'users', NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'Project manager', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO directory VALUES ('uid=ada,ou=users,dc=example,dc=com', 'ada', 'Ada Lovelace', 'Lovelace', 'Ada', 'Ada Lovelace', '0f1e2d3c4b5a69788796a5b4c3d2e1f0', 'ada@example.com', 'inetOrgPerson', 'Person', 'users', 'Mathematician', 'Research', 'Example Corp', 'Example', '+1 555 0104', NULL, NULL, 'Mathematician', 'Cambridge', NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO directory VALUES ('uid=grace,ou=users,dc=example,dc=com', 'grace', 'Grace Hopper', 'Hopper', 'Grace', 'Grace Hopper', 'a1b2c3d4e5f60718293a4b5c6d7e8f90', 'grace@example.com', 'inetOrgPerson', 'Person', 'users', NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'Computer scientist', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO directory VALUES ('uid=alan,ou=users,dc=example,dc=com', 'alan', 'Alan Turing', 'Turing', 'Alan', 'Alan Turing', '1a2b3c4d5e6f708192a3b4c5d6e7f809', 'alan@example.com', 'inetOrgPerson', 'Person', 'users', NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'Cryptanalyst', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO directory VALUES ('uid=margaret,ou=users,dc=example,dc=com', 'margaret', 'Margaret Hamilton', 'Hamilton', 'Margaret', 'Margaret Hamilton', '9f8e7d6c5b4a3928170605f4e3d2c1b0', 'margaret@example.com', 'inetOrgPerson', 'Person', 'users', NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'Software engineer', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO directory VALUES ('uid=donald,ou=users,dc=example,dc=com', 'donald', 'Donald Knuth', 'Knuth', 'Donald', 'Donald Knuth', '3c2d1e0f9a8b7c6d5e4f30291807f6e5', 'donald@example.com', 'inetOrgPerson', 'Person', 'users', NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'Computer scientist', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO directory VALUES ('uid=tim,ou=users,dc=example,dc=com', 'tim', 'Tim Berners-Lee', 'Berners-Lee', 'Tim', 'Tim Berners-Lee', 'b0c1d2e3f405162738495a6b7c8d9eaf', 'tim@example.com', 'inetOrgPerson', 'Person', 'users', 'Inventor', 'Research', 'Example Corp', 'Example', '+1 555 0105', NULL, NULL, 'Inventor of the Web', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO directory VALUES ('uid=linus,ou=users,dc=example,dc=com', 'linus', 'Linus Torvalds', 'Torvalds', 'Linus', 'Linus Torvalds', '6e5d4c3b2a190807f6e5d4c3b2a1908f', 'linus@example.com', 'inetOrgPerson', 'Person', 'users', NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'Kernel developer', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO directory VALUES ('uid=ken,ou=users,dc=example,dc=com', 'ken', 'Ken Thompson', 'Thompson', 'Ken', 'Ken Thompson', '11223344556677889900aabbccddeeff', 'ken@example.com', 'inetOrgPerson', 'Person', 'users', NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'Unix co-creator', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO directory VALUES ('uid=dennis,ou=users,dc=example,dc=com', 'dennis', 'Dennis Ritchie', 'Ritchie', 'Dennis', 'Dennis Ritchie', 'ffeeddccbbaa00998877665544332211', 'dennis@example.com', 'inetOrgPerson', 'Person', 'users', NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'C language creator', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO directory VALUES ('uid=barbara,ou=users,dc=example,dc=com', 'barbara', 'Barbara Liskov', 'Liskov', 'Barbara', 'Barbara Liskov', '1234567890abcdef1234567890abcdef', 'barbara@example.com', 'inetOrgPerson', 'Person', 'users', NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'Turing Award winner', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO directory VALUES ('uid=edsger,ou=users,dc=example,dc=com', 'edsger', 'Edsger Dijkstra', 'Dijkstra', 'Edsger', 'Edsger Dijkstra', 'abcdef1234567890abcdef1234567890', 'edsger@example.com', 'inetOrgPerson', 'Person', 'users', NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'Computer scientist', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO directory VALUES ('ou=users,dc=example,dc=com', NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'organizationalUnit', NULL, 'users', NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'User accounts', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO directory VALUES ('ou=groups,dc=example,dc=com', NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'organizationalUnit', NULL, 'groups', NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'Group entries', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
INSERT INTO directory VALUES ('cn=admins,ou=groups,dc=example,dc=com', NULL, 'admins', NULL, NULL, NULL, NULL, NULL, 'groupOfNames', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'Administrators group', NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'uid=luther,ou=users,dc=example,dc=com');
INSERT INTO directory VALUES ('cn=admins,ou=groups,dc=example,dc=com', NULL, 'admins', NULL, NULL, NULL, NULL, NULL, 'groupOfNames', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'Administrators group', NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'uid=ada,ou=users,dc=example,dc=com');
INSERT INTO directory VALUES ('cn=developers,ou=groups,dc=example,dc=com', NULL, 'developers', NULL, NULL, NULL, NULL, NULL, 'groupOfNames', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'Developers group', NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'uid=wu,ou=users,dc=example,dc=com');
INSERT INTO directory VALUES ('cn=developers,ou=groups,dc=example,dc=com', NULL, 'developers', NULL, NULL, NULL, NULL, NULL, 'groupOfNames', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'Developers group', NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'uid=linus,ou=users,dc=example,dc=com');
"""
LISTEN_ADDRESS = "localhost"
LISTEN_PORT = 8440
# Minimal MongoDB-style collection backing the NoSQL operator-injection endpoint ('/nosql'). The
# 'password' field is the blind-extraction target, constrained by a sibling 'name' equality match.
NOSQL_USERS = {
"luther": "s3cr3t",
"fluffy": "carrot",
"wu": "shanghai",
}
def nosql_match(params):
"""Emulates a MongoDB find() on NOSQL_USERS: reconstructs the operator object for the 'password'
field (from bracket-notation 'password[$ne]=...' or a JSON sub-document) and evaluates it against
the record selected by 'name'. An invalid $regex raises re.error (surfaced as a driver error)."""
record = NOSQL_USERS.get(params.get("name"))
spec = params.get("password")
if isinstance(spec, dict):
op, value = next(iter(spec.items()), ("$eq", None))
else:
op, value = "$eq", spec
for key in params:
match = re.match(r"^password\[(\$\w+)\](?:\[\])?$", key)
if match:
op, value = match.group(1), params[key]
break
if isinstance(value, (tuple, list)):
value = value[-1] if value else None
if record is None:
return False
elif op == "$ne":
return record != value
elif op == "$gt":
return record > (value or "")
elif op == "$regex":
return re.search(value, record) is not None
else: # $eq, $in (single-valued here) and any literal equality
return record == value
_conn = None
_cursor = None
_lock = None
_server = None
_alive = False
_csrf_token = None
def init(quiet=False):
global _conn
global _cursor
global _lock
global _csrf_token
_csrf_token = "".join(random.sample(string.ascii_letters + string.digits, 20))
_conn = sqlite3.connect(":memory:", isolation_level=None, check_same_thread=False)
_cursor = _conn.cursor()
_lock = threading.Lock()
_cursor.executescript(SCHEMA)
if quiet:
global print
def _(*args, **kwargs):
pass
print = _
class ThreadingServer(ThreadingMixIn, HTTPServer):
def finish_request(self, *args, **kwargs):
try:
HTTPServer.finish_request(self, *args, **kwargs)
except Exception:
if DEBUG:
traceback.print_exc()
# Primitive (CRS-style) WAF/IPS emulator used to exercise the automatic WAF/IPS bypass. The request
# surface is normalized like a real WAF (lowercase, comments->space, whitespace compressed) BEFORE
# a cumulative anomaly score is summed; when the score reaches the per-level threshold the request
# is blocked (403 + marker). The rules are shaped so that camouflage tampers (case/whitespace/
# comments) are normalized away and a *structural* substitution (e.g. 'between'/'equaltolike',
# which removes the scored '=' operator) is the genuine bypass - matching real-world behavior.
#
# The emulator also models the OTHER real-world dimension: a scanner-fingerprint rule (mirroring
# CRS 913100) adds a constant score for a recognizable scanner User-Agent that *stacks* with the
# payload score. Its weight is below every threshold, so the scanner UA alone never blocks (benign
# browsing passes), but it tips an otherwise-permitted payload over the threshold - so neutralizing
# the request fingerprint (a non-scanner User-Agent) is itself a genuine bypass, with no SQL tamper.
WAF_NUMERIC_COMPARISON = r"\d+\s*=\s*\d+" # numeric self-comparison (boolean payloads); the structural lever 'between'/'equaltolike' removes it
WAF_RULES = (
(r"\bunion\b.{0,40}\bselect\b", 6),
(r"\binformation_schema\b", 5),
(r"\b(sleep|benchmark|extractvalue|updatexml|xp_cmdshell|waitfor)\b", 5),
(r"\b(select|insert|update|delete|drop)\b", 3),
(WAF_NUMERIC_COMPARISON, 4),
(r"<script", 6),
)
WAF_THRESHOLD = {1: 6, 2: 4, 3: 2, 4: 8, 5: 5} # security_level -> cumulative score that triggers a block
WAF_SCANNER_UA = r"(?i)\b(?:sqlmap|nikto|nessus|acunetix|nmap|masscan|w3af|havij|wpscan|dirbuster|arachni)\b"
WAF_SCANNER_UA_WEIGHT = 3 # CRS 913100-style: constant score for a scanner User-Agent, stacked with the payload score
# Levels 4-5 model a libinjection-class WAF (e.g. OWASP CRS rule 942100): ANY boolean-comparison
# fingerprint scores a flat amount REGARDLESS of operator, so '=','LIKE','BETWEEN','IN' are all
# caught equally - structural tampers (between/equaltolike) do NOT help. There, neutralizing the
# scanner fingerprint is the only payload-preserving bypass (level 4); when even that is not enough
# the search must bail honestly (level 5). This mirrors the hardest real-world case.
WAF_LIBINJECTION_LEVELS = (4, 5)
WAF_LIBINJECTION_WEIGHT = 5
WAF_LIBINJECTION = r"(?i)\b(?:and|or)\b.{0,40}(?:=|>|<|\blike\b|\bbetween\b|\bin\b|\brlike\b|\bregexp\b)"
def waf_score(value, ua=None, level=0):
value = (value or "").lower()
value = re.sub(r"/\*.*?\*/", " ", value) # t:replaceComments (note: -> single space, not empty)
value = re.sub(r"(?:--|#)[^\n]*", " ", value) # t:removeComments (line comments)
value = re.sub(r"\s+", " ", value) # t:compressWhitespace
libinjection = level in WAF_LIBINJECTION_LEVELS
retVal = sum(weight for (pattern, weight) in WAF_RULES if not (libinjection and pattern == WAF_NUMERIC_COMPARISON) and re.search(pattern, value))
if libinjection and re.search(WAF_LIBINJECTION, value): # operator-agnostic comparison score (tampers cannot remove it)
retVal += WAF_LIBINJECTION_WEIGHT
if ua and re.search(WAF_SCANNER_UA, ua): # scanner-fingerprint score, stacked with the payload score
retVal += WAF_SCANNER_UA_WEIGHT
return retVal
# --- LDAP endpoint (vulnerable search and login, backed by the directory table) ------------------
def _ldap_escape_like(value):
"""Escape a value for safe embedding in a SQLite LIKE pattern: backslash, percent,
and underscore are the only characters with special meaning in LIKE."""
if value is None:
return None
return value.replace('\\', '\\\\').replace('%', '\\%').replace('_', '\\_')
def _ldap_attr(attr):
"""Map an LDAP attribute name to the directory table column, or None if unknown."""
valid = {"dn", "uid", "cn", "sn", "givenName", "displayName", "userPassword", "mail", "objectClass", "objectCategory", "ou", "title", "department", "company", "o", "telephoneNumber", "mobile", "manager", "description", "l", "st", "street", "postalCode", "c", "employeeNumber", "employeeType", "member"}
return attr if attr in valid else None
def _ldap_match(text, start):
"""Find the closing ')' that balances the opening '(' at `start`. Skip escaped
hex sequences (e.g. \\28 for literal '(' inside a value) but treat every raw ')'
as a structural closer."""
depth = 0
i = start
while i < len(text):
ch = text[i]
if ch == '(':
depth += 1
elif ch == ')':
depth -= 1
if depth == 0:
return i + 1
elif ch == '\\':
i += 1
i += 1
return len(text)
def _ldap_parse_value(text, start):
"""Parse an assertion value from filter text at position `start`, handling escape sequences.
Returns (value, end_pos)."""
retVal = []
i = start
while i < len(text) and text[i] not in (')',):
if text[i] == '\\' and i + 2 < len(text):
retVal.append(chr(int(text[i+1:i+3], 16)))
i += 3
else:
retVal.append(text[i])
i += 1
return ''.join(retVal), i
def _ldap_filter_to_sql(text, start=0):
"""Convert an LDAP filter substring starting at `start` to a parameterized
SQLite WHERE clause. Returns (sql_template, params, end_pos) or (None, [], end_pos)
on parse failure. Values are passed as parameters so that user-controlled
characters (apostrophe, backslash, etc.) cannot break the SQL string literal."""
if start >= len(text) or text[start] != '(':
return None, [], start
i = start + 1
if i >= len(text):
return None, [], start
op = text[i]
i += 1
if op in ('&', '|'):
# Compound filter: collect all sub-filters
sub_clauses = []
sub_params = []
while i < len(text) and text[i] == '(':
clause, params, i = _ldap_filter_to_sql(text, i)
if clause:
sub_clauses.append(clause)
sub_params.extend(params)
# Always use bracket-matched end so nested compounds don't shift the
# parent's notion of where this child ends (reviewer blocker 3)
end = _ldap_match(text, start)
if not sub_clauses:
return None, [], end
if len(sub_clauses) == 1:
return sub_clauses[0], sub_params, end
joiner = " AND " if op == '&' else " OR "
return "(%s)" % joiner.join(sub_clauses), sub_params, end
elif op == '!':
# NOT filter
clause, params, i = _ldap_filter_to_sql(text, i)
end = _ldap_match(text, start)
if clause:
return "(NOT (%s))" % clause, params, end
return None, [], end
else:
# Simple filter: attr OP value
# Re-read from start+1 to get the full attr name
j = start + 1
while j < len(text) and text[j] not in ('=', '>', '<', '~', ')'):
j += 1
attr = text[start+1:j].strip()
if not attr:
return None, [], _ldap_match(text, start)
col = _ldap_attr(attr)
if col is None:
return None, [], _ldap_match(text, start)
if j >= len(text):
return None, [], start
# Check for approx match (~=)
if text[j] == '~' and j + 1 < len(text) and text[j+1] == '=':
op_type = '~='
j += 2
elif text[j] == '>' and j + 1 < len(text) and text[j+1] == '=':
op_type = '>='
j += 2
elif text[j] == '<' and j + 1 < len(text) and text[j+1] == '=':
op_type = '<='
j += 2
elif text[j] == '=':
op_type = '='
j += 1
else:
return None, [], _ldap_match(text, start)
value, _ = _ldap_parse_value(text, j)
end = _ldap_match(text, start)
if op_type == '=':
if value == '*':
return "(%s IS NOT NULL AND %s != '')" % (col, col), [], end
elif '*' in value:
parts = value.split('*')
if len(parts) == 2 and not parts[0] and not parts[1]:
# Just '*' -> presence
return "(%s IS NOT NULL AND %s != '')" % (col, col), [], end
elif len(parts) == 2 and parts[0] and not parts[1]:
# 'prefix*' -> anchored prefix match (LDAP semantics)
return "(%s LIKE ? ESCAPE '\\')" % col, ["%s%%" % _ldap_escape_like(parts[0])], end
elif len(parts) == 2 and not parts[0] and parts[1]:
# '*suffix' -> anchored suffix match (LDAP semantics)
return "(%s LIKE ? ESCAPE '\\')" % col, ["%%%s" % _ldap_escape_like(parts[1])], end
else:
# '*mid*', 'pre*mid*suf', etc. -- split('*') already
# partitions the value into literal segments; joining
# them with '%' naturally produces the correct anchored
# LIKE pattern: empty first/last elements from surrounding
# wildcards become leading/trailing '%' automatically.
pattern = '%'.join(_ldap_escape_like(p) for p in parts)
return "(%s LIKE ? ESCAPE '\\')" % col, [pattern], end
else:
return "(%s = ?)" % col, [value], end
elif op_type == '>=':
return "(%s >= ?)" % col, [value], end
elif op_type == '<=':
return "(%s <= ?)" % col, [value], end
elif op_type == '~=':
return "(%s = ?)" % col, [value], end
return None, [], end
def _ldap_execute(filter_str):
"""Execute an LDAP filter against the directory table. Returns (rows, error_msg)."""
if not filter_str or not filter_str.strip():
return None, "Bad search filter"
# Simple bracket validation
if filter_str.count('(') != filter_str.count(')'):
return None, "Bad search filter (-7)"
try:
clause, params, _ = _ldap_filter_to_sql(filter_str)
if not clause:
return None, "Bad search filter (-7)"
sql = "SELECT * FROM directory WHERE %s" % clause
with _lock:
_cursor.execute(sql, params)
rows = _cursor.fetchall()
return rows, None
except Exception as ex:
msg = str(ex)
# Emulate different back-end error messages
if "no such column" in msg.lower():
return None, "Bad search filter"
if "unrecognized" in msg.lower() or "syntax" in msg.lower():
return None, "Bad search filter (-7)"
return None, "Bad search filter (%s)" % msg.split(':')[0]
def _ldap_row_to_obj(row):
"""Convert a SQLite row to a dict with non-None attributes."""
if not row:
return None
keys = ("dn", "uid", "cn", "sn", "givenName", "displayName", "userPassword", "mail", "objectClass", "objectCategory", "ou", "title", "department", "company", "o", "telephoneNumber", "mobile", "manager", "description", "l", "st", "street", "postalCode", "c", "employeeNumber", "employeeType", "member")
return dict((k, row[i]) for i, k in enumerate(keys) if row[i] is not None)
# --- GraphQL endpoint (vulnerable Apollo-style, backed by the same SQLite database) ----------
# Hard-coded introspection response matching the schema below. Every GraphQL tool (including
# sqlmap's --graphql engine) uses this to discover fields, arguments, and types.
def _graphql_introspection():
return {
"data": {
"__schema": {
"queryType": {"name": "Query"},
"mutationType": {"name": "Mutation"},
"subscriptionType": None,
"directives": [],
"types": [
{"kind": "OBJECT", "name": "Query", "fields": [
{"name": "user", "args": [
{"name": "username", "defaultValue": None, "type": {"kind": "NON_NULL", "name": None, "ofType": {"kind": "SCALAR", "name": "String", "ofType": None}}}
], "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
{"name": "search", "args": [
{"name": "term", "defaultValue": None, "type": {"kind": "SCALAR", "name": "String", "ofType": None}}
], "type": {"kind": "LIST", "name": None, "ofType": {"kind": "OBJECT", "name": "User", "ofType": None}}},
{"name": "login", "args": [
{"name": "username", "defaultValue": None, "type": {"kind": "NON_NULL", "name": None, "ofType": {"kind": "SCALAR", "name": "String", "ofType": None}}},
{"name": "password", "defaultValue": None, "type": {"kind": "NON_NULL", "name": None, "ofType": {"kind": "SCALAR", "name": "String", "ofType": None}}}
], "type": {"kind": "OBJECT", "name": "AuthPayload", "ofType": None}},
], "inputFields": None, "enumValues": None},
{"kind": "OBJECT", "name": "Mutation", "fields": [
{"name": "updateUser", "args": [
{"name": "id", "defaultValue": None, "type": {"kind": "NON_NULL", "name": None, "ofType": {"kind": "SCALAR", "name": "Int", "ofType": None}}},
{"name": "email", "defaultValue": None, "type": {"kind": "NON_NULL", "name": None, "ofType": {"kind": "SCALAR", "name": "String", "ofType": None}}}
], "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
], "inputFields": None, "enumValues": None},
{"kind": "INPUT_OBJECT", "name": "UpdateUserInput", "inputFields": [
{"name": "id", "defaultValue": None, "type": {"kind": "NON_NULL", "name": None, "ofType": {"kind": "SCALAR", "name": "Int", "ofType": None}}},
{"name": "email", "defaultValue": None, "type": {"kind": "NON_NULL", "name": None, "ofType": {"kind": "SCALAR", "name": "String", "ofType": None}}}
]},
{"kind": "SCALAR", "name": "Int"},
{"kind": "SCALAR", "name": "String"},
{"kind": "SCALAR", "name": "Boolean"},
{"kind": "SCALAR", "name": "Float"},
{"kind": "SCALAR", "name": "ID"},
{"kind": "OBJECT", "name": "User", "fields": [
{"name": "id", "args": [], "type": {"kind": "SCALAR", "name": "Int", "ofType": None}},
{"name": "name", "args": [], "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
{"name": "surname", "args": [], "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
], "inputFields": None, "enumValues": None},
{"kind": "OBJECT", "name": "AuthPayload", "fields": [
{"name": "token", "args": [], "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
{"name": "user", "args": [], "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
], "inputFields": None, "enumValues": None},
]
}
}
}
def _graphql_arg(raw):
"""Parse a single GraphQL argument value: strip quotes from strings, keep numbers as-is"""
raw = raw.strip()
if raw.startswith('"') and raw.endswith('"'):
return raw[1:-1].replace('\\"', '"')
return raw
def _graphql_match(text, start):
"""Index just past the bracket matching the one at text[start] ('(' or '{'), skipping over
double-quoted strings so brackets inside argument literals (e.g. an injected SQL payload) and
nested selection sets do not throw off the balance."""
pairs = {'(': ')', '{': '}'}
opener, closer = text[start], pairs[text[start]]
depth, i, n = 0, start, len(text)
while i < n:
char = text[i]
if char == '"':
i += 1
while i < n and text[i] != '"':
i += 2 if text[i] == '\\' else 1
elif char == opener:
depth += 1
elif char == closer:
depth -= 1
if depth == 0:
return i + 1
i += 1
return n
def _graphql_selections(body):
"""Split a selection set into its top-level (alias, field, rawArgs) fields, tolerating aliasing,
argument literals carrying brackets/quotes, and nested selection sets (which are skipped over)."""
identifier = re.compile(r'[A-Za-z_]\w*')
selections, i, n = [], 0, len(body)
while i < n:
while i < n and body[i] in ' \t\r\n,':
i += 1
match = identifier.match(body, i)
if not match:
i += 1
continue
name, i = match.group(0), match.end()
j = i
while j < n and body[j] in ' \t\r\n':
j += 1
if j < n and body[j] == ':': # 'name' was an alias; the real field follows
j += 1
while j < n and body[j] in ' \t\r\n':
j += 1
match = identifier.match(body, j)
if not match:
continue
alias, field, i = name, match.group(0), match.end()
else:
alias, field = None, name
while i < n and body[i] in ' \t\r\n':
i += 1
rawArgs = ""
if i < n and body[i] == '(':
end = _graphql_match(body, i)
rawArgs, i = body[i + 1:end - 1], end
while i < n and body[i] in ' \t\r\n':
i += 1
if i < n and body[i] == '{': # skip this field's (possibly nested) selection set
i = _graphql_match(body, i)
selections.append((alias, field, rawArgs))
return selections
def _graphql_resolve(query, variables):
"""Minimal GraphQL resolver: parse the query, call the matching resolver for each top-level field,
and return (data_dict_or_None, errors_list). Multiple aliased fields are supported in one request
(alias:field(args){...} ...), so a client can batch independent probes into a single round-trip."""
variables = variables or {}
errors = []
data = {}
op = "query"
for keyword in ("mutation", "subscription"):
if query.strip().startswith(keyword):
op = keyword
break
start = query.find('{')
if start == -1:
errors.append({"message": "Cannot parse query", "extensions": {"code": "GRAPHQL_PARSE_FAILED"}})
return None, errors
for alias, field, rawArgs in _graphql_selections(query[start + 1:_graphql_match(query, start) - 1]):
key = alias or field
# Parse arguments
args = {}
for am in re.finditer(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|\$?\w+(?:\.\w+)?)', rawArgs):
name, val = am.group(1), am.group(2)
if val.startswith('$'):
args[name] = variables.get(val[1:], None)
else:
args[name] = _graphql_arg(val)
try:
if field in ("__typename", "__schema"):
data[key] = op.title()
elif field == "user":
data[key] = _resolver_user(args.get("username"))
elif field == "search":
data[key] = _resolver_search(args.get("term"))
elif field == "login":
data[key] = _resolver_login(args.get("username"), args.get("password"))
elif field == "updateUser":
data[key] = _resolver_updateUser(args.get("id"), args.get("email"))
else:
errors.append({"message": "Cannot query field '%s' on type '%s'. Did you mean 'user', 'search', 'login', or 'updateUser'?" % (field, op.title()),
"extensions": {"code": "GRAPHQL_VALIDATION_FAILED"}})
except Exception as ex:
# Leak the backend error through the GraphQL error envelope (as many real servers do
# in development mode) -- this drives error-based detection
errors.append({"message": "%s: %s" % (re.search(r"'([^']+)'", str(type(ex))).group(1), ex),
"path": [key], "extensions": {"exception": str(ex)}})
if not data and not errors:
return None, errors
return data, errors
# --- Vulnerable resolvers (direct string concatenation into SQLite) ------------------------
def _resolver_user(username):
if not username:
return None
with _lock:
_cursor.execute("SELECT id, name, surname FROM users WHERE name='%s'" % username)
row = _cursor.fetchone()
return {"id": row[0], "name": row[1], "surname": row[2]} if row else None
def _resolver_search(term):
with _lock:
_cursor.execute("SELECT id, name, surname FROM users WHERE name LIKE '%%%s%%'" % (term or ""))
rows = _cursor.fetchall()
return [{"id": r[0], "name": r[1], "surname": r[2]} for r in (rows or [])]
def _resolver_login(username, password):
if not username or not password:
return None
with _lock:
_cursor.execute("SELECT u.id, u.name, u.surname FROM users u JOIN creds c ON u.id=c.user_id WHERE u.name='%s' AND c.password_hash='%s'" % (username, password))
row = _cursor.fetchone()
if row:
return {"token": "tok_%d_%s" % (row[0], row[1]), "user": {"id": row[0], "name": row[1], "surname": row[2]}}
return None # returns null in data (boolean oracle: true=object, false=null)
def _resolver_updateUser(id_, email):
with _lock:
_cursor.execute("UPDATE users SET surname='%s' WHERE id=%s" % (email, id_))
_cursor.execute("SELECT id, name, surname FROM users WHERE id=%s" % id_)
row = _cursor.fetchone()
return {"id": row[0], "name": row[1], "surname": row[2]} if row else None
class ReqHandler(BaseHTTPRequestHandler):
def do_REQUEST(self):
path, query = self.path.split('?', 1) if '?' in self.path else (self.path, "")
params = {}
if query:
params.update(parse_qs(query))
if "<script>" in unquote_plus(query):
self.send_response(INTERNAL_SERVER_ERROR)
self.send_header("X-Powered-By", "Express")
self.send_header("Connection", "close")
self.end_headers()
self.wfile.write("CLOUDFLARE_ERROR_500S_BOX".encode(UNICODE_ENCODING))
return
if hasattr(self, "data"):
if self.data.startswith('{') and self.data.endswith('}'):
params.update(json.loads(self.data))
elif self.data.startswith('<') and self.data.endswith('>'):
params.update(dict((_[0], _[1].replace("&apos;", "'").replace("&quot;", '"').replace("&lt;", '<').replace("&gt;", '>').replace("&amp;", '&')) for _ in re.findall(r'name="([^"]+)" value="([^"]*)"', self.data)))
else:
self.data = self.data.replace(';', '&') # Note: seems that Python3 started ignoring parameter splitting with ';'
params.update(parse_qs(self.data))
for name in self.headers:
params[name.lower()] = self.headers[name]
if "cookie" in params:
for part in params["cookie"].split(';'):
part = part.strip()
if '=' in part:
name, value = part.split('=', 1)
params[name.strip()] = unquote_plus(value.strip())
for key in params:
if params[key] and isinstance(params[key], (tuple, list)):
params[key] = params[key][-1]
self.url, self.params = path, params
# primitive WAF/IPS emulator (opt-in via 'security_level' param; 0/absent = off)
try:
level = int(self.params.get("security_level", 0) or 0)
except (TypeError, ValueError):
level = 0
if level > 0:
surface = "%s %s" % (unquote_plus(query), getattr(self, "data", "") or "")
if waf_score(surface, ua=self.params.get("user-agent"), level=level) >= WAF_THRESHOLD.get(level, 2):
self.send_response(FORBIDDEN)
self.send_header("Content-type", "text/html; charset=%s" % UNICODE_ENCODING)
self.send_header("Connection", "close")
self.end_headers()
self.wfile.write(b"<html><body>Request blocked: security policy violation (WAF)</body></html>")
return
if self.url == "/csrf":
if self.params.get("csrf_token") == _csrf_token:
self.url = "/"
else:
self.send_response(OK)
self.send_header("Content-type", "text/html; charset=%s" % UNICODE_ENCODING)
self.end_headers()
form = (
"<html><body>"
"CSRF protection check<br>"
"<form action='/csrf' method='POST'>"
"<input type='hidden' name='csrf_token' value='%s'>"
"id: <input type='text' name='id'>"
"<input type='submit' value='Submit'>"
"</form>"
"</body></html>"
) % _csrf_token
self.wfile.write(form.encode(UNICODE_ENCODING))
return
if self.url == "/nosql":
self.send_response(OK)
self.send_header("Content-type", "text/html; charset=%s" % UNICODE_ENCODING)
self.send_header("Connection", "close")
self.end_headers()
try:
output = "<html><body><b>Welcome %s</b></body></html>" % self.params.get("name") if nosql_match(self.params) else "<html><body><b>Invalid credentials</b></body></html>"
except re.error: # invalid $regex -> emulate a MongoDB driver error (drives fingerprinting)
output = "<html><body>MongoServerError: Regular expression is invalid: missing terminating ] for character class</body></html>"
self.wfile.write(output.encode(UNICODE_ENCODING))
return
if self.url == "/graphql":
self.send_response(OK)
self.send_header("Content-type", "application/json; charset=%s" % UNICODE_ENCODING)
self.send_header("Connection", "close")
self.end_headers()
query = self.params.get("query", "")
variables = self.params.get("variables") or {}
if not isinstance(variables, dict):
try:
variables = json.loads(str(variables))
except Exception:
variables = {}
if "__schema" in query:
output = json.dumps(_graphql_introspection())
else:
data, errors = _graphql_resolve(query, variables)
resp = {}
if errors:
resp["errors"] = errors
if data:
resp["data"] = data
output = json.dumps(resp, default=str)
self.wfile.write(output.encode(UNICODE_ENCODING))
return
if self.url in ("/ldap", "/ldap/search"):
self.send_response(OK)
self.send_header("Content-type", "application/json; charset=%s" % UNICODE_ENCODING)
self.send_header("Connection", "close")
self.end_headers()
q = self.params.get("q", "")
if q:
filter_str = "(|(cn=*%s*)(sn=*%s*)(mail=*%s*)(uid=*%s*)(description=*%s*))" % (q, q, q, q, q)
rows, error = _ldap_execute(filter_str)
if error:
output = json.dumps({"resultCode": 1, "errorMessage": error})
else:
entries = [_ldap_row_to_obj(r) for r in (rows or [])]
output = json.dumps({"resultCode": 0, "entries": entries, "count": len(entries)}, default=str)
else:
output = json.dumps({"resultCode": 0, "entries": [], "count": 0})
self.wfile.write(output.encode(UNICODE_ENCODING))
return
if self.url == "/ldap/login":
self.send_response(OK)
self.send_header("Content-type", "application/json; charset=%s" % UNICODE_ENCODING)
self.send_header("Connection", "close")
self.end_headers()
user = self.params.get("user", "")
password = self.params.get("pass", "")
if user and password:
filter_str = "(&(uid=%s)(userPassword=%s))" % (user, password)
rows, error = _ldap_execute(filter_str)
if error:
output = json.dumps({"resultCode": 49, "errorMessage": error})
elif rows:
entry = _ldap_row_to_obj(rows[0])
output = json.dumps({"resultCode": 0, "authenticated": True, "user": entry}, default=str)
else:
output = json.dumps({"resultCode": 49, "authenticated": False, "errorMessage": "Invalid credentials"})
else:
output = json.dumps({"resultCode": 49, "authenticated": False, "errorMessage": "Missing credentials"})
self.wfile.write(output.encode(UNICODE_ENCODING))
return
if self.url == '/':
if not any(_ in self.params for _ in ("id", "query")):
self.send_response(OK)
self.send_header("Content-type", "text/html; charset=%s" % UNICODE_ENCODING)
self.send_header("Connection", "close")
self.end_headers()
self.wfile.write(b"<!DOCTYPE html><html><head><title>vulnserver</title></head><body><h3>GET:</h3><a href='/?id=1'>link</a><hr><h3>POST:</h3><form method='post'>ID: <input type='text' name='id'><input type='submit' value='Submit'></form></body></html>")
else:
code, output = OK, "<body><html>"
contentType = "text/html"
try:
if self.params.get("echo", ""):
output += "%s<br>" % self.params["echo"]
if self.params.get("reflect", ""):
output += "%s<br>" % self.params.get("id")
with _lock:
if "query" in self.params:
_cursor.execute(self.params["query"])
elif "id" in self.params:
if "base64" in self.params:
_cursor.execute("SELECT * FROM users WHERE id=%s LIMIT 0, 1" % base64.b64decode("%s===" % self.params["id"], altchars=self.params.get("altchars")).decode())
else:
_cursor.execute("SELECT * FROM users WHERE id=%s LIMIT 0, 1" % self.params["id"])
results = _cursor.fetchall()
if self.params.get("json", ""):
# JSON response mode: serialize the SAME query results as application/json
# (exercises the structure-aware comparison oracle end to end). HTML branches
# below are untouched, so existing tests are unaffected.
if self.params.get("code", "") and not results:
code = INTERNAL_SERVER_ERROR
else:
contentType = "application/json"
output = json.dumps({"results": [list(row) for row in results], "count": len(results)})
else:
output += "<b>SQL results:</b><br>\n"
if self.params.get("code", ""):
if not results:
code = INTERNAL_SERVER_ERROR
else:
if results:
output += "<table border=\"1\">\n"
for row in results:
output += "<tr>"
for value in row:
output += "<td>%s</td>" % value
output += "</tr>\n"
output += "</table>\n"
else:
output += "no results found"
if not results:
output = "<title>No results</title>" + output
else:
output = "<title>Results</title>" + output
output += "</body></html>"
except Exception as ex:
code = INTERNAL_SERVER_ERROR
output = "%s: %s" % (re.search(r"'([^']+)'", str(type(ex))).group(1), ex)
self.send_response(code)
self.send_header("Content-type", contentType)
self.send_header("Connection", "close")
if self.raw_requestline.startswith(b"HEAD"):
self.send_header("Content-Length", str(len(output)))
self.end_headers()
else:
self.end_headers()
self.wfile.write(output if isinstance(output, bytes) else output.encode(UNICODE_ENCODING))
else:
self.send_response(NOT_FOUND)
self.send_header("Connection", "close")
self.end_headers()
def do_GET(self):
self.do_REQUEST()
def do_PUT(self):
self.do_POST()
def do_HEAD(self):
self.do_REQUEST()
def do_POST(self):
length = int(self.headers.get("Content-length", 0))
if length:
data = self.rfile.read(length)
data = unquote_plus(data.decode(UNICODE_ENCODING, "ignore"))
self.data = data
elif self.headers.get("Transfer-encoding") == "chunked":
data, line = b"", b""
count = 0
while True:
line += self.rfile.read(1)
if line.endswith(b'\n'):
if count % 2 == 1:
current = line.rstrip(b"\r\n")
if not current:
break
else:
data += current
count += 1
line = b""
self.data = data.decode(UNICODE_ENCODING, "ignore")
self.do_REQUEST()
def log_message(self, format, *args):
return
def run(address=LISTEN_ADDRESS, port=LISTEN_PORT):
global _alive
global _server
try:
_alive = True
_server = ThreadingServer((address, port), ReqHandler)
print("[i] running HTTP server at 'http://%s:%d'" % (address, port))
_server.serve_forever()
except KeyboardInterrupt:
_server.socket.close()
raise
finally:
_alive = False
if __name__ == "__main__":
try:
init()
run(sys.argv[1] if len(sys.argv) > 1 else LISTEN_ADDRESS, int(sys.argv[2] if len(sys.argv) > 2 else LISTEN_PORT))
except KeyboardInterrupt:
print("\r[x] Ctrl-C received")
Reference in a new issue View git blame Copy permalink