$Id: target.py 327 2009-01-12 21:35:38Z inquisb $
This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
Copyright (c) 2006-2009 Bernardo Damele A. G. <bernardo.damele@gmail.com>
and Daniele Bellucci <daniele.bellucci@gmail.com>
sqlmap is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation version 2 of the License.
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.
You should have received a copy of the GNU General Public License along
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
from lib.core.common import dataToSessionFile
from lib.core.common import paramToDict
from lib.core.common import parseTargetUrl
from lib.core.common import readInput
from lib.core.convert import urldecode
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import paths
from lib.core.dump import dumper
from lib.core.exception import sqlmapFilePathException
from lib.core.exception import sqlmapGenericException
from lib.core.exception import sqlmapSyntaxException
from lib.core.session import resumeConfKb
def __setRequestParams():
    """
    Check and set the parameters and perform checks on 'data' option for
    the HTTP POST method.

    Populates conf.parameters and conf.paramDict for the GET, POST, Cookie
    and User-Agent inputs, and raises when no parameter was supplied at all
    or when none of the supplied ones ended up testable.
    """

    # NOTE(review): this listing omits several source lines of the function.
    # Gaps that appear to hide a statement are marked below, and the nesting
    # shown is a best-effort reading - confirm against the complete file.

    __testableParameters = False

    # Perform checks on GET parameters
    if conf.parameters.has_key("GET") and conf.parameters["GET"]:
        parameters = conf.parameters["GET"]
        __paramDict = paramToDict("GET", parameters)

        # NOTE(review): two source lines are missing here; presumably a guard
        # on __paramDict precedes the two assignments below - confirm.
        conf.paramDict["GET"] = __paramDict
        __testableParameters = True

    # Perform checks on POST parameters
    # A POST request without a body is rejected before anything is parsed.
    if conf.method == "POST" and not conf.data:
        errMsg = "HTTP POST method depends on HTTP data value to be posted"
        raise sqlmapSyntaxException, errMsg

    # NOTE(review): two source lines are missing here; presumably the block
    # below only runs when conf.data is set - confirm.
    # The body is URL-decoded and every literal "%" is doubled; presumably
    # the string is later used as a %-format template - confirm.
    urlDecodedData = urldecode(conf.data).replace("%", "%%")
    conf.parameters["POST"] = urlDecodedData
    __paramDict = paramToDict("POST", urlDecodedData)

    # NOTE(review): two source lines are missing here; presumably a guard on
    # __paramDict, as for GET - confirm.
    conf.paramDict["POST"] = __paramDict
    __testableParameters = True

    # Perform checks on Cookie parameters
    # NOTE(review): one source line is missing here; presumably a check that
    # conf.cookie is set - confirm.
    # TODO: sure about decoding the cookie?
    #urlDecodedCookie = urldecode(conf.cookie).replace("%", "%%")
    # Unlike the POST body, the cookie is not URL-decoded; only "%" is
    # doubled, so the variable name no longer matches what it holds.
    urlDecodedCookie = conf.cookie.replace("%", "%%")
    conf.parameters["Cookie"] = urlDecodedCookie
    __paramDict = paramToDict("Cookie", urlDecodedCookie)

    # NOTE(review): two source lines are missing here; presumably a guard on
    # __paramDict, as for GET - confirm.
    conf.paramDict["Cookie"] = __paramDict
    __testableParameters = True

    # Perform checks on User-Agent header value
    for httpHeader, headerValue in conf.httpHeaders:
        if httpHeader == "User-Agent":
            # conf.parameters gets the decoded, "%"-doubled value, while
            # conf.paramDict further down stores the raw headerValue.
            conf.parameters["User-Agent"] = urldecode(headerValue).replace("%", "%%")

            # True when no parameter was requested explicitly, or when
            # conf.testParameter contains one of the accepted spellings.
            # NOTE(review): if conf.testParameter is a string these are
            # substring matches ("ua" also occurs inside other parameter
            # names); if it is a list they are exact matches - confirm type.
            condition = not conf.testParameter
            condition |= "User-Agent" in conf.testParameter
            condition |= "user-agent" in conf.testParameter
            condition |= "useragent" in conf.testParameter
            condition |= "ua" in conf.testParameter

            # NOTE(review): two source lines are missing here; presumably
            # `condition` gates the two assignments below - confirm.
            conf.paramDict["User-Agent"] = { "User-Agent": headerValue }
            __testableParameters = True

    # Nothing was supplied at all.
    if not conf.parameters:
        errMsg = "you did not provide any GET, POST and Cookie "
        errMsg += "parameter, neither an User-Agent header"
        raise sqlmapGenericException, errMsg

    # Parameters were supplied, but none of them was marked testable above.
    elif not __testableParameters:
        errMsg = "all testable parameters you provided are not present "
        errMsg += "within the GET, POST and Cookie parameters"
        raise sqlmapGenericException, errMsg
def __setOutputResume():
    """
    Check and set the output text file and the resume functionality.

    Reads records stored in conf.sessionFile into kb.resumedQueries, then
    reopens the same file in append mode as conf.sessionFP and hands a
    bracketed timestamp line to dataToSessionFile().
    """

    # NOTE(review): this listing omits many source lines of the function
    # (marked below); the nesting shown is a best-effort reading - confirm
    # against the complete file.
    # NOTE(review): nothing visible here checks who wrote the session file.
    # Its fields are cached in kb.resumedQueries and passed to resumeConfKb(),
    # so the file should be treated as trusted state and kept writable only
    # by the operator.

    if conf.sessionFile and os.path.exists(conf.sessionFile):
        # The handle is closed explicitly further down; an exception raised
        # while parsing would leave it open.
        readSessionFP = open(conf.sessionFile, "r")
        lines = readSessionFP.readlines()

        # NOTE(review): two source lines are missing here, including the
        # statement that binds `line`; presumably a loop over `lines` - confirm.
        # Exactly four "][" separators means the split yields five fields.
        if line.count("][") == 4:
            line = line.split("][")

            # NOTE(review): four source lines are missing here.
            url, _, _, expression, value = line

            # NOTE(review): seven source lines are missing here.
            if value[-1] == "\n":
                # NOTE(review): the body of this test (five source lines) is
                # missing from the listing.

            # First record seen for this URL: create its cache entry.
            if url not in kb.resumedQueries.keys():
                kb.resumedQueries[url] = {}
                kb.resumedQueries[url][expression] = value

                resumeConfKb(expression, url, value)

            # Otherwise store the value when the expression is new, or when
            # it is at least as long as the value already cached.
            if expression not in kb.resumedQueries[url].keys():
                kb.resumedQueries[url][expression] = value
            elif len(value) >= len(kb.resumedQueries[url][expression]):
                kb.resumedQueries[url][expression] = value

        readSessionFP.close()

    # NOTE(review): three source lines are missing here; the error path at
    # the end presumably sits in an exception handler around open() - confirm.
    conf.sessionFP = open(conf.sessionFile, "a")
    dataToSessionFile("\n[%s]\n" % time.strftime("%X %x"))
    # NOTE(review): one source line is missing here.
    errMsg = "unable to write on the session file specified"
    raise sqlmapFilePathException, errMsg
def __createFilesDir():
    """
    Create the file directory.

    Sets conf.filePath from paths.SQLMAP_FILES_PATH and conf.hostname and
    creates that directory when it does not exist yet.
    """

    # NOTE(review): five source lines are missing from the listing here;
    # presumably an early exit for runs that need no file directory - confirm.
    # NOTE(review): conf.hostname is interpolated into the path as-is;
    # confirm that target parsing cannot leave a path separator or ".." in it.
    conf.filePath = paths.SQLMAP_FILES_PATH % conf.hostname

    if not os.path.isdir(conf.filePath):
        # 0755 is an octal literal (rwxr-xr-x, further limited by the umask),
        # so other local users can list and enter the directory.
        os.makedirs(conf.filePath, 0755)
def __createDumpDir():
    """
    Create the dump directory.

    Sets conf.dumpPath from paths.SQLMAP_DUMP_PATH and conf.hostname and
    creates that directory when it does not exist yet.
    """

    if not conf.dumpTable and not conf.dumpAll:
        # NOTE(review): the body of this test (two source lines) is missing
        # from the listing; presumably an early return when no dump was
        # requested - confirm.

    # NOTE(review): conf.hostname is interpolated into the path as-is;
    # confirm that target parsing cannot leave a path separator or ".." in it.
    conf.dumpPath = paths.SQLMAP_DUMP_PATH % conf.hostname

    if not os.path.isdir(conf.dumpPath):
        # 0755 is an octal literal (rwxr-xr-x, further limited by the umask).
        # NOTE(review): this directory presumably receives dumped table
        # contents; an owner-only mode (0700) would keep them from other
        # local users - confirm what is written here.
        os.makedirs(conf.dumpPath, 0755)
# NOTE(review): the `def` line of this function is not part of the listing;
# only its docstring text and some body statements are. Several body lines
# are missing too, so the nesting shown is a best-effort reading.
    """
    Initialize target environment.
    """

    if conf.multipleTargets:
        # NOTE(review): three source lines are missing here.
        # Knowledge-base fields are set back to "unknown" values, presumably
        # so findings from one target do not carry over to the next - confirm.
        kb.dbmsDetected = False
        kb.dbmsVersion = None
        kb.injParameter = None
        # NOTE(review): two source lines are missing here.
        kb.parenthesis = None
        # NOTE(review): two source lines are missing here.
        kb.unionPosition = None
    # NOTE(review): six source lines are missing after this point.
def createTargetDirs():
    """
    Create the output directory.

    Makes sure paths.SQLMAP_OUTPUT_PATH and the per-host directory below it
    (conf.outputPath) exist, then calls dumper.setOutputFile().
    """

    # Per-target directory: <output path><os.sep><hostname>.
    # NOTE(review): conf.hostname is used as a path component as-is; confirm
    # that target parsing cannot leave a path separator or ".." in it.
    conf.outputPath = "%s%s%s" % (paths.SQLMAP_OUTPUT_PATH, os.sep, conf.hostname)

    # 0755 is an octal literal (rwxr-xr-x, further limited by the umask), so
    # other local users can list and enter both directories.
    if not os.path.isdir(paths.SQLMAP_OUTPUT_PATH):
        os.makedirs(paths.SQLMAP_OUTPUT_PATH, 0755)

    if not os.path.isdir(conf.outputPath):
        os.makedirs(conf.outputPath, 0755)

    dumper.setOutputFile()
    # NOTE(review): the listing ends here; the function may continue in the
    # complete file.