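#!/usr/bin/env python

"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import codecs
import os
import random
import re
import string
import sys

from lib.core.enums import DBMS
from lib.core.enums import DBMS_DIRECTORY_NAME
from lib.core.enums import OS
from thirdparty.six import unichr as _unichr

# Module-wide constants (version info, markers, regular expressions and
# numeric thresholds) shared by the rest of sqlmap. Everything here is
# evaluated once at import time; the only environment-dependent values are
# DEFAULT_PAGE_ENCODING, PLATFORM/PYVERSION/IS_WIN and IS_TTY.

# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
VERSION = "1.3.12"
TYPE = "pip"
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
# A trailing ".0" commit component is dropped from the displayed version
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
DESCRIPTION = "automatic SQL injection and database takeover tool"
SITE = "http://sqlmap.org"
DEFAULT_USER_AGENT = "%s (%s)" % (VERSION_STRING, SITE)
DEV_EMAIL_ADDRESS = "dev@sqlmap.org"
ISSUES_PAGE = "https://github.com/sqlmapproject/sqlmap/issues/new"
GIT_REPOSITORY = "https://github.com/sqlmapproject/sqlmap.git"
GIT_PAGE = "https://github.com/sqlmapproject/sqlmap"
WIKI_PAGE = "https://github.com/sqlmapproject/sqlmap/wiki/"
ZIPBALL_PAGE = "https://github.com/sqlmapproject/sqlmap/zipball/master"

# colorful banner (ANSI escapes; the "[.]" cells are colorized further below)
BANNER = """\033[01;33m\
        ___
       __H__
 ___ ___[.]_____ ___ ___  \033[01;37m{\033[01;%dm%s\033[01;37m}\033[01;33m
|_ -| . [.]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   \033[0m\033[4;37m%s\033[0m\n
""" % (TYPE_COLORS.get(TYPE, 31), VERSION_STRING.split('/')[-1], SITE)

# Minimum distance of ratio from kb.matchRatio to result in True
DIFF_TOLERANCE = 0.05
CONSTANT_RATIO = 0.9

# Ratio used in heuristic check for WAF/IPS protected targets
IPS_WAF_CHECK_RATIO = 0.5

# Timeout used in heuristic check for WAF/IPS protected targets
IPS_WAF_CHECK_TIMEOUT = 10

# Lower and upper values for match ratio in case of stable page
LOWER_RATIO_BOUND = 0.02
UPPER_RATIO_BOUND = 0.98

# Markers for special cases when parameter values contain html encoded characters
PARAMETER_AMP_MARKER = "__AMP__"
PARAMETER_SEMICOLON_MARKER = "__SEMICOLON__"
BOUNDARY_BACKSLASH_MARKER = "__BACKSLASH__"
PARTIAL_VALUE_MARKER = "__PARTIAL_VALUE__"
PARTIAL_HEX_VALUE_MARKER = "__PARTIAL_HEX_VALUE__"
URI_QUESTION_MARKER = "__QUESTION_MARK__"
ASTERISK_MARKER = "__ASTERISK_MARK__"
REPLACEMENT_MARKER = "__REPLACEMENT_MARK__"
BOUNDED_INJECTION_MARKER = "__BOUNDED_INJECTION_MARK__"
SAFE_VARIABLE_MARKER = "__SAFE__"
SAFE_HEX_MARKER = "__SAFE_HEX__"

RANDOM_INTEGER_MARKER = "[RANDINT]"
RANDOM_STRING_MARKER = "[RANDSTR]"
SLEEP_TIME_MARKER = "[SLEEPTIME]"
INFERENCE_MARKER = "[INFERENCE]"
SINGLE_QUOTE_MARKER = "[SINGLE_QUOTE]"

PAYLOAD_DELIMITER = "__PAYLOAD_DELIMITER__"
CHAR_INFERENCE_MARK = "%c"
PRINTABLE_CHAR_REGEX = r"[^\x00-\x1f\x7f-\xff]"

# Regular expression used for extraction of table names (useful for (e.g.) MsAccess)
SELECT_FROM_TABLE_REGEX = r"\bSELECT\b.+?\bFROM\s+(?P<result>([\w.]|`[^`<>]+`)+)"

# Regular expression used for recognition of textual content-type
TEXT_CONTENT_TYPE_REGEX = r"(?i)(text|form|message|xml|javascript|ecmascript|json)"

# Regular expression used for recognition of generic permission messages
PERMISSION_DENIED_REGEX = r"(?P<result>(command|permission|access)\s*(was|is)?\s*denied)"

# Regular expression used in recognition of generic protection mechanisms
GENERIC_PROTECTION_REGEX = r"(?i)\b(rejected|blocked|protection|incident|denied|detected|dangerous|firewall)\b"

# Regular expression used for recognition of generic maximum connection messages
MAX_CONNECTIONS_REGEX = r"\bmax.+?\bconnection"

# Maximum consecutive connection errors before asking the user if he wants to continue
MAX_CONSECUTIVE_CONNECTION_ERRORS = 15

# Timeout before the pre-connection candidate is being disposed (because of high probability that the web server will reset it)
PRECONNECT_CANDIDATE_TIMEOUT = 10

# Servers known to cause issue with pre-connection mechanism (because of lack of multi-threaded support)
PRECONNECT_INCOMPATIBLE_SERVERS = ("SimpleHTTP", "BaseHTTP")

# Identify WAF/IPS inside limited number of responses (Note: for optimization purposes)
IDENTYWAF_PARSE_LIMIT = 10

# Maximum sleep time in "Murphy" (testing) mode
MAX_MURPHY_SLEEP_TIME = 3

# Regular expression used for extracting results from Google search
GOOGLE_REGEX = r"webcache\.googleusercontent\.com/search\?q=cache:[^:]+:([^+]+)\+&cd=|url\?\w+=((?![^>]+webcache\.googleusercontent\.com)http[^>]+)&(sa=U|rct=j)"

# Regular expression used for extracting results from DuckDuckGo search
DUCKDUCKGO_REGEX = r'<a class="result__url" href="(htt[^"]+)'

# Regular expression used for extracting results from Bing search
BING_REGEX = r'<h2><a href="([^"]+)" h='

# Dummy user agent for search (if default one returns different results)
DUMMY_SEARCH_USER_AGENT = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0"

# Regular expression used for extracting content from "textual" tags
TEXT_TAG_REGEX = r"(?si)<(abbr|acronym|b|blockquote|br|center|cite|code|dt|em|font|h\d|i|li|p|pre|q|strong|sub|sup|td|th|title|tt|u)(?!\w).*?>(?P<result>[^<]+)"

# Regular expression used for recognition of IP addresses
IP_ADDRESS_REGEX = r"\b(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\b"

# Regular expression used for recognition of generic "your ip has been blocked" messages
BLOCKED_IP_REGEX = r"(?i)(\A|\b)ip\b.*\b(banned|blocked|block list|firewall)"

# Dumping characters used in GROUP_CONCAT MySQL technique
CONCAT_ROW_DELIMITER = ','
CONCAT_VALUE_DELIMITER = '|'

# Coefficient used for a time-based query delay checking (must be >= 7)
TIME_STDEV_COEFF = 7

# Minimum response time that can be even considered as delayed (not a complete requirement)
MIN_VALID_DELAYED_RESPONSE = 0.5

# Standard deviation after which a warning message should be displayed about connection lags
WARN_TIME_STDEV = 0.5

# Minimum length of usable union injected response (quick defense against substr fields)
UNION_MIN_RESPONSE_CHARS = 10

# Coefficient used for a union-based number of columns checking (must be >= 7)
UNION_STDEV_COEFF = 7

# Length of queue for candidates for time delay adjustment
TIME_DELAY_CANDIDATES = 3

# Default value for HTTP Accept header
HTTP_ACCEPT_HEADER_VALUE = "*/*"

# Default value for HTTP Accept-Encoding header
HTTP_ACCEPT_ENCODING_HEADER_VALUE = "gzip,deflate"

# Default timeout for running commands over backdoor
BACKDOOR_RUN_CMD_TIMEOUT = 5

# Number of seconds to wait for thread finalization at program end
THREAD_FINALIZATION_TIMEOUT = 1

# Maximum number of techniques used in inject.py/getValue() per one value
MAX_TECHNIQUES_PER_VALUE = 2

# In case of missing piece of partial union dump, buffered array must be flushed after certain size
MAX_BUFFERED_PARTIAL_UNION_LENGTH = 1024

# Maximum size of cache used in @cachedmethod decorator
MAX_CACHE_ITEMS = 256

# Suffix used for naming meta databases in DBMS(es) without explicit database name
METADB_SUFFIX = "_masterdb"

# Number of times to retry the pushValue during the exceptions (e.g. KeyboardInterrupt)
PUSH_VALUE_EXCEPTION_RETRY_COUNT = 3

# Minimum time response set needed for time-comparison based on standard deviation
MIN_TIME_RESPONSES = 30

# Maximum time response set used during time-comparison based on standard deviation
MAX_TIME_RESPONSES = 200

# Minimum comparison ratio set needed for searching valid union column number based on standard deviation
MIN_UNION_RESPONSES = 5

# After this number of blanks at the end inference should stop (just in case)
INFERENCE_BLANK_BREAK = 5

# Use this replacement character for cases when inference is not able to retrieve the proper character value
INFERENCE_UNKNOWN_CHAR = '?'

# Character used for operation "greater" in inference
INFERENCE_GREATER_CHAR = ">"

# Character used for operation "greater or equal" in inference
INFERENCE_GREATER_EQUALS_CHAR = ">="

# Character used for operation "equals" in inference
INFERENCE_EQUALS_CHAR = "="

# Character used for operation "not-equals" in inference
INFERENCE_NOT_EQUALS_CHAR = "!="

# String used for representation of unknown DBMS
UNKNOWN_DBMS = "Unknown"

# String used for representation of unknown DBMS version
UNKNOWN_DBMS_VERSION = "Unknown"

# Dynamicity boundary length used in dynamicity removal engine
DYNAMICITY_BOUNDARY_LENGTH = 20

# Dummy user prefix used in dictionary attack
DUMMY_USER_PREFIX = "__dummy__"

# Reference: http://en.wikipedia.org/wiki/ISO/IEC_8859-1
DEFAULT_PAGE_ENCODING = "iso-8859-1"

# Fall back to UTF-8 on interpreters whose codec registry lacks latin-1
try:
    codecs.lookup(DEFAULT_PAGE_ENCODING)
except LookupError:
    DEFAULT_PAGE_ENCODING = "utf8"

# Marker for program piped input
STDIN_PIPE_DASH = '-'

# URL used in dummy runs
DUMMY_URL = "http://foo/bar?id=1"

# Timeout used during initial websocket (pull) testing
WEBSOCKET_INITIAL_TIMEOUT = 3

# The name of the operating system dependent module imported. The following names have currently been registered: 'posix', 'nt', 'mac', 'os2', 'ce', 'java', 'riscos'
PLATFORM = os.name
PYVERSION = sys.version.split()[0]
IS_WIN = PLATFORM == "nt"

# Check if running in terminal. A replaced stdout (e.g. an in-memory stream,
# or None under a GUI launcher) has no usable fileno(); treat that as non-TTY
# instead of failing at import time.
try:
    IS_TTY = os.isatty(sys.stdout.fileno())
except (AttributeError, OSError, ValueError):
    IS_TTY = False

# DBMS system databases
MSSQL_SYSTEM_DBS = ("Northwind", "master", "model", "msdb", "pubs", "tempdb", "Resource", "ReportServer", "ReportServerTempDB")
MYSQL_SYSTEM_DBS = ("information_schema", "mysql", "performance_schema", "sys")
PGSQL_SYSTEM_DBS = ("information_schema", "pg_catalog", "pg_toast", "pgagent")
ORACLE_SYSTEM_DBS = ("ADAMS", "ANONYMOUS", "APEX_030200", "APEX_PUBLIC_USER", "APPQOSSYS", "AURORA$ORB$UNAUTHENTICATED", "AWR_STAGE", "BI", "BLAKE", "CLARK", "CSMIG", "CTXSYS", "DBSNMP", "DEMO", "DIP", "DMSYS", "DSSYS", "EXFSYS", "FLOWS_%", "FLOWS_FILES", "HR", "IX", "JONES", "LBACSYS", "MDDATA", "MDSYS", "MGMT_VIEW", "OC", "OE", "OLAPSYS", "ORACLE_OCM", "ORDDATA", "ORDPLUGINS", "ORDSYS", "OUTLN", "OWBSYS", "PAPER", "PERFSTAT", "PM", "SCOTT", "SH", "SI_INFORMTN_SCHEMA", "SPATIAL_CSW_ADMIN_USR", "SPATIAL_WFS_ADMIN_USR", "SYS", "SYSMAN", "SYSTEM", "TRACESVR", "TSMSYS", "WK_TEST", "WKPROXY", "WKSYS", "WMSYS", "XDB", "XS$NULL")
SQLITE_SYSTEM_DBS = ("sqlite_master", "sqlite_temp_master")
ACCESS_SYSTEM_DBS = ("MSysAccessObjects", "MSysACEs", "MSysObjects", "MSysQueries", "MSysRelationships", "MSysAccessStorage", "MSysAccessXML", "MSysModules", "MSysModules2")
# "RDB$FILES" previously carried a leading space, so it never matched a real system table name
FIREBIRD_SYSTEM_DBS = ("RDB$BACKUP_HISTORY", "RDB$CHARACTER_SETS", "RDB$CHECK_CONSTRAINTS", "RDB$COLLATIONS", "RDB$DATABASE", "RDB$DEPENDENCIES", "RDB$EXCEPTIONS", "RDB$FIELDS", "RDB$FIELD_DIMENSIONS", "RDB$FILES", "RDB$FILTERS", "RDB$FORMATS", "RDB$FUNCTIONS", "RDB$FUNCTION_ARGUMENTS", "RDB$GENERATORS", "RDB$INDEX_SEGMENTS", "RDB$INDICES", "RDB$LOG_FILES", "RDB$PAGES", "RDB$PROCEDURES", "RDB$PROCEDURE_PARAMETERS", "RDB$REF_CONSTRAINTS", "RDB$RELATIONS", "RDB$RELATION_CONSTRAINTS", "RDB$RELATION_FIELDS", "RDB$ROLES", "RDB$SECURITY_CLASSES", "RDB$TRANSACTIONS", "RDB$TRIGGERS", "RDB$TRIGGER_MESSAGES", "RDB$TYPES", "RDB$USER_PRIVILEGES", "RDB$VIEW_RELATIONS")
MAXDB_SYSTEM_DBS = ("SYSINFO", "DOMAIN")
SYBASE_SYSTEM_DBS = ("master", "model", "sybsystemdb", "sybsystemprocs")
DB2_SYSTEM_DBS = ("NULLID", "SQLJ", "SYSCAT", "SYSFUN", "SYSIBM", "SYSIBMADM", "SYSIBMINTERNAL", "SYSIBMTS", "SYSPROC", "SYSPUBLIC", "SYSSTAT", "SYSTOOLS")
HSQLDB_SYSTEM_DBS = ("INFORMATION_SCHEMA", "SYSTEM_LOB")
H2_SYSTEM_DBS = ("INFORMATION_SCHEMA",)
INFORMIX_SYSTEM_DBS = ("sysmaster", "sysutils", "sysuser", "sysadmin")

# User-facing (lower-case) names accepted for each back-end DBMS
MSSQL_ALIASES = ("microsoft sql server", "mssqlserver", "mssql", "ms")
MYSQL_ALIASES = ("mysql", "my", "mariadb", "maria")
PGSQL_ALIASES = ("postgresql", "postgres", "pgsql", "psql", "pg")
ORACLE_ALIASES = ("oracle", "orcl", "ora", "or")
SQLITE_ALIASES = ("sqlite", "sqlite3")
ACCESS_ALIASES = ("msaccess", "access", "jet", "microsoft access")
FIREBIRD_ALIASES = ("firebird", "mozilla firebird", "interbase", "ibase", "fb")
MAXDB_ALIASES = ("maxdb", "sap maxdb", "sap db")
SYBASE_ALIASES = ("sybase", "sybase sql server")
DB2_ALIASES = ("db2", "ibm db2", "ibmdb2")
HSQLDB_ALIASES = ("hsql", "hsqldb", "hs", "hypersql")
H2_ALIASES = ("h2",)
INFORMIX_ALIASES = ("informix", "ibm informix", "ibminformix")

# Maps every public DBMS enum value to its plugin directory name
DBMS_DIRECTORY_DICT = {getattr(DBMS, _name): getattr(DBMS_DIRECTORY_NAME, _name) for _name in dir(DBMS) if not _name.startswith("_")}

# Ordered (DBMS, aliases) pairs; SUPPORTED_DBMS is derived from this so the two can't drift apart
DBMS_ALIASES = ((DBMS.MSSQL, MSSQL_ALIASES), (DBMS.MYSQL, MYSQL_ALIASES), (DBMS.PGSQL, PGSQL_ALIASES), (DBMS.ORACLE, ORACLE_ALIASES), (DBMS.SQLITE, SQLITE_ALIASES), (DBMS.ACCESS, ACCESS_ALIASES), (DBMS.FIREBIRD, FIREBIRD_ALIASES), (DBMS.MAXDB, MAXDB_ALIASES), (DBMS.SYBASE, SYBASE_ALIASES), (DBMS.DB2, DB2_ALIASES), (DBMS.HSQLDB, HSQLDB_ALIASES), (DBMS.H2, H2_ALIASES), (DBMS.INFORMIX, INFORMIX_ALIASES))

SUPPORTED_DBMS = tuple(_alias for _dbms, _aliases in DBMS_ALIASES for _alias in _aliases)
SUPPORTED_OS = ("linux", "windows")

USER_AGENT_ALIASES = ("ua", "useragent", "user-agent")
REFERER_ALIASES = ("ref", "referer", "referrer")
HOST_ALIASES = ("host",)

H2_DEFAULT_SCHEMA = HSQLDB_DEFAULT_SCHEMA = "PUBLIC"

# Names that can't be used to name files on Windows OS
WINDOWS_RESERVED_NAMES = ("CON", "PRN", "AUX", "NUL", "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9", "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9")

# Items displayed in basic help (-h) output
BASIC_HELP_ITEMS = (
    "url",
    "googleDork",
    "data",
    "cookie",
    "randomAgent",
    "proxy",
    "testParameter",
    "dbms",
    "level",
    "risk",
    "technique",
    "getAll",
    "getBanner",
    "getCurrentUser",
    "getCurrentDb",
    "getPasswordHashes",
    "getTables",
    "getColumns",
    "getSchema",
    "dumpTable",
    "dumpAll",
    "db",
    "tbl",
    "col",
    "osShell",
    "osPwn",
    "batch",
    "checkTor",
    "flushSession",
    "tor",
    "sqlmapShell",
    "wizard",
)

# Tags used for value replacements inside shell scripts
SHELL_WRITABLE_DIR_TAG = "%WRITABLE_DIR%"
SHELL_RUNCMD_EXE_TAG = "%RUNCMD_EXE%"

# String representation for NULL value
NULL = "NULL"

# String representation for blank ('') value
BLANK = "<blank>"

# String representation for current database
CURRENT_DB = "CD"

# String representation for current user
CURRENT_USER = "CU"

# Name of SQLite file used for storing session data
SESSION_SQLITE_FILE = "session.sqlite"

# Regular expressions used for finding file paths in error messages
FILE_PATH_REGEXES = (
    r"<b>(?P<result>[^<>]+?)</b> on line \d+",
    r"\bin (?P<result>[^<>'\"]+?)['\"]? on line \d+",
    r"(?:[>(\[\s])(?P<result>[A-Za-z]:[\\/][\w. \\/-]*)",
    r"(?:[>(\[\s])(?P<result>/\w[/\w.~-]+)",
    r"\bhref=['\"]file://(?P<result>/[^'\"]+)",
    r"\bin <b>(?P<result>[^<]+): line \d+",
)

# Regular expressions used for parsing error messages (--parse-errors)
ERROR_PARSING_REGEXES = (
    r"\[Microsoft\]\[ODBC SQL Server Driver\]\[SQL Server\](?P<result>[^<]+)",
    r"<b>[^<]*(fatal|error|warning|exception)[^<]*</b>:?\s*(?P<result>[^<]+)",
    r"(?m)^\s*(fatal|error|warning|exception):?\s*(?P<result>[^\n]+?)$",
    r"(sql|dbc)[^>'\"]{0,32}(fatal|error|warning|exception)(</b>)?:\s*(?P<result>[^<>]+)",
    r"(?P<result>[^\n>]*SQL Syntax[^\n<]+)",
    r"(?s)<li>Error Type:<br>(?P<result>.+?)</li>",
    r"CDbCommand (?P<result>[^<>\n]*SQL[^<>\n]+)",
    r"error '[0-9a-f]{8}'((<[^>]+>)|\s)+(?P<result>[^<>]+)",
    r"\[[^\n\]]+(ODBC|JDBC)[^\n\]]+\](\[[^\]]+\])?(?P<result>[^\n]+(in query expression|\(SQL| at /[^ ]+pdo)[^\n<]+)",
    r"(?P<result>query error: SELECT[^<>]+)",
)

# Regular expression used for parsing charset info from meta html headers
META_CHARSET_REGEX = r'(?si)<head>.*<meta[^>]+charset="?(?P<result>[^"> ]+).*</head>'

# Regular expression used for parsing refresh info from meta html headers
META_REFRESH_REGEX = r'(?i)<meta http-equiv="?refresh"?[^>]+content="?[^">]+;\s*(url=)?["\']?(?P<result>[^\'">]+)'

# Regular expression used for parsing Javascript redirect request
JAVASCRIPT_HREF_REGEX = r'<script>\s*(\w+\.)?location\.href\s*=["\'](?P<result>[^"\']+)'

# Regular expression used for parsing empty fields in tested form data
EMPTY_FORM_FIELDS_REGEX = r'(&|\A)(?P<result>[^=]+=(&|\Z))'

# Reference: http://www.cs.ru.nl/bachelorscripties/2010/Martin_Devillers___0437999___Analyzing_password_strength.pdf
COMMON_PASSWORD_SUFFIXES = ("1", "123", "2", "12", "3", "13", "7", "11", "5", "22", "23", "01", "4", "07", "21", "14", "10", "06", "08", "8", "15", "69", "16", "6", "18")

# Reference: http://www.the-interweb.com/serendipity/index.php?/archives/94-A-brief-analysis-of-40,000-leaked-MySpace-passwords.html
COMMON_PASSWORD_SUFFIXES += ("!", ".", "*", "!!", "?", ";", "..", "!!!", ", ", "@")

# Splitter used between requests in WebScarab log files
WEBSCARAB_SPLITTER = "### Conversation"

# Splitter used between requests in BURP log files
BURP_REQUEST_REGEX = r"={10,}\s+([A-Z]{3,} .+?)\s+={10,}"

# Regex used for parsing XML Burp saved history items
BURP_XML_HISTORY_REGEX = r'<port>(\d+)</port>.*?<request base64="true"><!\[CDATA\[([^]]+)'

# Encoding used for Unicode data
UNICODE_ENCODING = "utf8"

# Reference: http://www.w3.org/Protocols/HTTP/Object_Headers.html#uri
URI_HTTP_HEADER = "URI"

# Uri format which could be injectable (e.g. www.site.com/id82)
URI_INJECTABLE_REGEX = r"//[^/]*/([^\.*?]+)\Z"

# Regex used for masking sensitive data
SENSITIVE_DATA_REGEX = r"(\s|=)(?P<result>[^\s=]*\b%s\b[^\s]*)\s"

# Options to explicitly mask in anonymous (unhandled exception) reports (along with anything carrying the <hostname> inside)
SENSITIVE_OPTIONS = ("hostname", "answers", "data", "dnsDomain", "googleDork", "authCred", "proxyCred", "tbl", "db", "col", "user", "cookie", "proxy", "fileRead", "fileWrite", "fileDest", "testParameter", "sqlQuery", "requestFile")

# Maximum number of threads (avoiding connection issues and/or DoS)
MAX_NUMBER_OF_THREADS = 10

# Minimum range between minimum and maximum of statistical set
MIN_STATISTICAL_RANGE = 0.01

# Minimum value for comparison ratio
MIN_RATIO = 0.0

# Maximum value for comparison ratio
MAX_RATIO = 1.0

# Minimum length of sentence for automatic choosing of --string (in case of high matching ratio)
CANDIDATE_SENTENCE_MIN_LENGTH = 10

# Character used for marking injectable position inside provided data
CUSTOM_INJECTION_MARK_CHAR = '*'

# Wildcard value that can be used in option --ignore-code
IGNORE_CODE_WILDCARD = '*'

# Other way to declare injection position
INJECT_HERE_REGEX = r"(?i)%INJECT[_ ]?HERE%"

# Minimum chunk length used for retrieving data over error based payloads
MIN_ERROR_CHUNK_LENGTH = 8

# Maximum chunk length used for retrieving data over error based payloads
MAX_ERROR_CHUNK_LENGTH = 1024

# Do not escape the injected statement if it contains any of the following SQL keywords
EXCLUDE_UNESCAPE = ("WAITFOR DELAY '", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ", "BULK ", "EXEC ", "RECONFIGURE ", "DECLARE ", "'%s'" % CHAR_INFERENCE_MARK)

# Mark used for replacement of reflected values
REFLECTED_VALUE_MARKER = "__REFLECTED_VALUE__"

# Regular expression used for replacing border non-alphanum characters
REFLECTED_BORDER_REGEX = r"[^A-Za-z]+"

# Regular expression used for replacing non-alphanum characters
REFLECTED_REPLACEMENT_REGEX = r"[^\n]{1,100}"

# Maximum time (in seconds) spent per reflective value(s) replacement
REFLECTED_REPLACEMENT_TIMEOUT = 3

# Maximum number of alpha-numerical parts in reflected regex (for speed purposes)
REFLECTED_MAX_REGEX_PARTS = 10

# Chars which can be used as a failsafe values in case of too long URL encoding value
URLENCODE_FAILSAFE_CHARS = "()|,"

# Maximum length of URL encoded value after which failsafe procedure takes over
URLENCODE_CHAR_LIMIT = 2000

# Default schema for Microsoft SQL Server DBMS
DEFAULT_MSSQL_SCHEMA = "dbo"

# Display hash attack info every mod number of items
HASH_MOD_ITEM_DISPLAY = 11

# Display marker for (cracked) empty password
HASH_EMPTY_PASSWORD_MARKER = "<empty>"

# Maximum integer value
MAX_INT = sys.maxsize

# Replacement for unsafe characters in dump table filenames
UNSAFE_DUMP_FILEPATH_REPLACEMENT = '_'

# Options that need to be restored in multiple targets run mode
RESTORE_MERGED_OPTIONS = ("col", "db", "dnsDomain", "privEsc", "tbl", "regexp", "string", "textOnly", "threads", "timeSec", "tmpPath", "uChar", "user")

# Parameters to be ignored in detection phase (upper case)
IGNORE_PARAMETERS = ("__VIEWSTATE", "__VIEWSTATEENCRYPTED", "__VIEWSTATEGENERATOR", "__EVENTARGUMENT", "__EVENTTARGET", "__EVENTVALIDATION", "ASPSESSIONID", "ASP.NET_SESSIONID", "JSESSIONID", "CFID", "CFTOKEN")

# Regular expression used for recognition of ASP.NET control parameters
ASP_NET_CONTROL_REGEX = r"(?i)\Actl\d+\$"

# Prefix for Google analytics cookie names
GOOGLE_ANALYTICS_COOKIE_PREFIX = "__UTM"

# Prefix for configuration overriding environment variables
SQLMAP_ENVIRONMENT_PREFIX = "SQLMAP_"

# Turn off resume console info to avoid potential slowdowns
TURN_OFF_RESUME_INFO_LIMIT = 20

# Strftime format for results file used in multiple target mode
RESULTS_FILE_FORMAT = "results-%m%d%Y_%I%M%p.csv"

# Official web page with the list of Python supported codecs
CODECS_LIST_PAGE = "http://docs.python.org/library/codecs.html#standard-encodings"

# Simple regular expression used to distinguish scalar from multiple-row commands (not sole condition)
SQL_SCALAR_REGEX = r"\A(SELECT(?!\s+DISTINCT\(?))?\s*\w*\("

# Option/switch values to ignore during configuration save
IGNORE_SAVE_OPTIONS = ("saveConfig",)

# IP address of the localhost
LOCALHOST = "127.0.0.1"

# Default SOCKS ports used by Tor
DEFAULT_TOR_SOCKS_PORTS = (9050, 9150)

# Default HTTP ports used by Tor
DEFAULT_TOR_HTTP_PORTS = (8123, 8118)

# Percentage below which comparison engine could have problems
LOW_TEXT_PERCENT = 20

# Auxiliary value used in isDBMSVersionAtLeast() version comparison correction cases
VERSION_COMPARISON_CORRECTION = 0.0001

# These MySQL keywords can't go (alone) into versioned comment form (/*!...*/)
# Reference: http://dev.mysql.com/doc/refman/5.1/en/function-resolution.html
IGNORE_SPACE_AFFECTED_KEYWORDS = ("CAST", "COUNT", "EXTRACT", "GROUP_CONCAT", "MAX", "MID", "MIN", "SESSION_USER", "SUBSTR", "SUBSTRING", "SUM", "SYSTEM_USER", "TRIM")

# Keywords expected to be in UPPERCASE in getValue()
GET_VALUE_UPPERCASE_KEYWORDS = ("SELECT", "FROM", "WHERE", "DISTINCT", "COUNT")

LEGAL_DISCLAIMER = "Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program"

# After this number of misses reflective removal mechanism is turned off (for speed up reasons)
REFLECTIVE_MISS_THRESHOLD = 20

# Regular expression used for extracting HTML title
HTML_TITLE_REGEX = r"<title>(?P<result>[^<]+)</title>"

# Table used for Base64 conversion in WordPress hash cracking routine
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Chars used to quickly distinguish if the user provided tainted parameter values
DUMMY_SQL_INJECTION_CHARS = ";()'"

# Simple check against dummy users
DUMMY_USER_INJECTION = r"(?i)[^\w](AND|OR)\s+[^\s]+[=><]|\bUNION\b.+\bSELECT\b|\bSELECT\b.+\bFROM\b|\b(CONCAT|information_schema|SLEEP|DELAY|FLOOR\(RAND)\b"

# Extensions skipped by crawler
CRAWL_EXCLUDE_EXTENSIONS = ("3ds", "3g2", "3gp", "7z", "DS_Store", "a", "aac", "adp", "ai", "aif", "aiff", "apk", "ar", "asf", "au", "avi", "bak", "bin", "bk", "bmp", "btif", "bz2", "cab", "caf", "cgm", "cmx", "cpio", "cr2", "dat", "deb", "djvu", "dll", "dmg", "dmp", "dng", "doc", "docx", "dot", "dotx", "dra", "dsk", "dts", "dtshd", "dvb", "dwg", "dxf", "ear", "ecelp4800", "ecelp7470", "ecelp9600", "egg", "eol", "eot", "epub", "exe", "f4v", "fbs", "fh", "fla", "flac", "fli", "flv", "fpx", "fst", "fvt", "g3", "gif", "gz", "h261", "h263", "h264", "ico", "ief", "image", "img", "ipa", "iso", "jar", "jpeg", "jpg", "jpgv", "jpm", "jxr", "ktx", "lvp", "lz", "lzma", "lzo", "m3u", "m4a", "m4v", "mar", "mdi", "mid", "mj2", "mka", "mkv", "mmr", "mng", "mov", "movie", "mp3", "mp4", "mp4a", "mpeg", "mpg", "mpga", "mxu", "nef", "npx", "o", "oga", "ogg", "ogv", "otf", "pbm", "pcx", "pdf", "pea", "pgm", "pic", "png", "pnm", "ppm", "pps", "ppt", "pptx", "ps", "psd", "pya", "pyc", "pyo", "pyv", "qt", "rar", "ras", "raw", "rgb", "rip", "rlc", "rz", "s3m", "s7z", "scm", "scpt", "sgi", "shar", "sil", "smv", "so", "sub", "swf", "tar", "tbz2", "tga", "tgz", "tif", "tiff", "tlz", "ts", "ttf", "uvh", "uvi", "uvm", "uvp", "uvs", "uvu", "viv", "vob", "war", "wav", "wax", "wbmp", "wdp", "weba", "webm", "webp", "whl", "wm", "wma", "wmv", "wmx", "woff", "woff2", "wvx", "xbm", "xif", "xls", "xlsx", "xlt", "xm", "xpi", "xpm", "xwd", "xz", "z", "zip", "zipx")

# Patterns often seen in HTTP headers containing custom injection marking character '*'
PROBLEMATIC_CUSTOM_INJECTION_PATTERNS = r"(;q=[^;']+)|(\*/\*)"

# Template used for common table existence check
BRUTE_TABLE_EXISTS_TEMPLATE = "EXISTS(SELECT %d FROM %s)"

# Template used for common column existence check
BRUTE_COLUMN_EXISTS_TEMPLATE = "EXISTS(SELECT %s FROM %s)"

# Data inside shellcodeexec to be filled with random string
SHELLCODEEXEC_RANDOM_STRING_MARKER = b"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

# Period after last-update to start nagging about the old revision
LAST_UPDATE_NAGGING_DAYS = 60

# Minimum non-writing chars (e.g. ['"-:/]) ratio in case of parsed error messages
MIN_ERROR_PARSING_NON_WRITING_RATIO = 0.05

# Generic address for checking the Internet connection while using switch --check-internet
CHECK_INTERNET_ADDRESS = "https://ipinfo.io/"

# Value to look for in response to CHECK_INTERNET_ADDRESS
CHECK_INTERNET_VALUE = "IP Address Details"

# Payload used for checking of existence of WAF/IPS (dummier the better)
IPS_WAF_CHECK_PAYLOAD = "AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert(\"XSS\")</script>',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell('cat ../../../etc/passwd')#"

# Vectors used for provoking specific WAF/IPS behavior(s)
WAF_ATTACK_VECTORS = (
    "",  # NIL
    "search=<script>alert(1)</script>",
    "file=../../../../etc/passwd",
    "q=<invalid>foobar",
    "id=1 %s" % IPS_WAF_CHECK_PAYLOAD
)

# Used for status representation in dictionary attack phase
ROTATING_CHARS = ('\\', '|', '|', '/', '-')

# Approximate chunk length (in bytes) used by BigArray objects (only last chunk and cached one are held in memory)
BIGARRAY_CHUNK_SIZE = 1024 * 1024

# Compress level used for storing BigArray chunks to disk (0-9)
BIGARRAY_COMPRESS_LEVEL = 9

# Maximum number of socket pre-connects
SOCKET_PRE_CONNECT_QUEUE_SIZE = 3

# Only console display last n table rows
TRIM_STDOUT_DUMP_SIZE = 256

# Reference: http://stackoverflow.com/a/3168436
# Reference: https://support.microsoft.com/en-us/kb/899149
DUMP_FILE_BUFFER_SIZE = 1024

# Parse response headers only first couple of times
PARSE_HEADERS_LIMIT = 3

# Step used in ORDER BY technique used for finding the right number of columns in UNION query injections
ORDER_BY_STEP = 10

# Maximum value used in ORDER BY technique used for finding the right number of columns in UNION query injections
ORDER_BY_MAX = 1000

# Maximum number of times for revalidation of a character in inference (as required)
MAX_REVALIDATION_STEPS = 5

# Characters that can be used to split parameter values in provided command line (e.g. in --tamper)
PARAMETER_SPLITTING_REGEX = r"[,|;]"

# Regular expression describing possible union char value (e.g. used in --union-char)
UNION_CHAR_REGEX = r"\A\w+\Z"

# Attribute used for storing original parameter value in special cases (e.g. POST)
UNENCODED_ORIGINAL_VALUE = "original"

# Common column names containing usernames (used for hash cracking in some cases)
COMMON_USER_COLUMNS = ("login", "user", "username", "user_name", "user_login", "benutzername", "benutzer", "utilisateur", "usager", "consommateur", "utente", "utilizzatore", "utilizator", "utilizador", "usufrutuario", "korisnik", "uporabnik", "usuario", "consumidor", "client", "cuser")

# Default delimiter in GET/POST values
DEFAULT_GET_POST_DELIMITER = '&'

# Default delimiter in cookie values
DEFAULT_COOKIE_DELIMITER = ';'

# Unix timestamp used for forcing cookie expiration when provided with --load-cookies
FORCE_COOKIE_EXPIRATION_TIME = "9999999999"

# Github OAuth token used for creating an automatic Issue for unhandled exceptions
# NOTE(review): a credential embedded in a publicly distributed source file has to be
# treated as public; the token on the GitHub side should carry no scope beyond issue creation
GITHUB_REPORT_OAUTH_TOKEN = "NTYzYjhmZWJjYzc0Njg2ODJhNzhmNDg1YzM0YzlkYjk3N2JiMzE3Nw=="

# Skip unforced HashDB flush requests below the threshold number of cached items
HASHDB_FLUSH_THRESHOLD = 32

# Number of retries for unsuccessful HashDB flush attempts
HASHDB_FLUSH_RETRIES = 3

# Number of retries for unsuccessful HashDB retrieve attempts
HASHDB_RETRIEVE_RETRIES = 3

# Number of retries for unsuccessful HashDB end transaction attempts
HASHDB_END_TRANSACTION_RETRIES = 3

# Unique milestone value used for forced deprecation of old HashDB values (e.g. when changing hash/pickle mechanism)
HASHDB_MILESTONE_VALUE = "OdqjeUpBLc"  # python -c 'import random, string; print "".join(random.sample(string.ascii_letters, 10))'

# Pickle protocol used for storage of serialized data inside HashDB (https://docs.python.org/3/library/pickle.html#data-stream-format)
# NOTE(review): pickled HashDB content is only as trustworthy as the session file it is read from
PICKLE_PROTOCOL = 2

# Warn user of possible delay due to large page dump in full UNION query injections
LARGE_OUTPUT_THRESHOLD = 1024 ** 2

# On huge tables there is a considerable slowdown if every row retrieval requires ORDER BY (most noticeable in table dumping using ERROR injections)
SLOW_ORDER_COUNT_THRESHOLD = 10000

# Give up on hash recognition if nothing was found in first given number of rows
HASH_RECOGNITION_QUIT_THRESHOLD = 10000

# Regular expression used for automatic hex conversion and hash cracking of (RAW) binary column values
HASH_BINARY_COLUMNS_REGEX = r"(?i)pass|psw|hash"

# Maximum number of redirections to any single URL - this is needed because of the state that cookies introduce
MAX_SINGLE_URL_REDIRECTIONS = 4

# Maximum total number of redirections (regardless of URL) - before assuming we're in a loop
MAX_TOTAL_REDIRECTIONS = 10

# Maximum (deliberate) delay used in page stability check
MAX_STABILITY_DELAY = 0.5

# Reference: http://www.tcpipguide.com/free/t_DNSLabelsNamesandSyntaxRules.htm
MAX_DNS_LABEL = 63

# Alphabet used for prefix and suffix strings of name resolution requests in DNS technique (excluding hexadecimal chars for not mixing with inner content)
DNS_BOUNDARIES_ALPHABET = re.sub(r"[a-fA-F]", "", string.ascii_letters)

# Alphabet used for heuristic checks
HEURISTIC_CHECK_ALPHABET = ('"', '\'', ')', '(', ',', '.')

# Minor artistic touch: each "[.]" cell of the banner gets a random heuristic character on a red background
BANNER = re.sub(r"\[.\]", lambda _: "[\033[01;41m%s\033[01;49m]" % random.choice(HEURISTIC_CHECK_ALPHABET), BANNER)

# String used for dummy non-SQLi (e.g. XSS) heuristic checks of a tested parameter value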
XSS) heuristic checks of a tested parameter value 689DUMMY_NON_SQLI_CHECK_APPENDIX = "<'\">" 690 691# Regular expression used for recognition of file inclusion errors 692FI_ERROR_REGEX = r"(?i)[^\n]{0,100}(no such file|failed (to )?open)[^\n]{0,100}" 693 694# Length of prefix and suffix used in non-SQLI heuristic checks 695NON_SQLI_CHECK_PREFIX_SUFFIX_LENGTH = 6 696 697# Connection read size (processing large responses in parts to avoid MemoryError crashes - e.g. large table dump in full UNION injections) 698MAX_CONNECTION_READ_SIZE = 10 * 1024 * 1024 699 700# Maximum response total page size (trimmed if larger) 701MAX_CONNECTION_TOTAL_SIZE = 100 * 1024 * 1024 702 703# For preventing MemoryError exceptions (caused when using large sequences in difflib.SequenceMatcher) 704MAX_DIFFLIB_SEQUENCE_LENGTH = 10 * 1024 * 1024 705 706# Maximum (multi-threaded) length of entry in bisection algorithm 707MAX_BISECTION_LENGTH = 50 * 1024 * 1024 708 709# Mark used for trimming unnecessary content in large connection reads 710LARGE_READ_TRIM_MARKER = "__TRIMMED_CONTENT__" 711 712# Generic SQL comment formation 713GENERIC_SQL_COMMENT = "-- [RANDSTR]" 714 715# Threshold value for turning back on time auto-adjustment mechanism 716VALID_TIME_CHARS_RUN_THRESHOLD = 100 717 718# Check for empty columns only if table is sufficiently large 719CHECK_ZERO_COLUMNS_THRESHOLD = 10 720 721# Boldify all logger messages containing these "patterns" 722BOLD_PATTERNS = ("' injectable", "provided empty", "leftover chars", "might be injectable", "' is vulnerable", "is not injectable", "does not seem to be", "test failed", "test passed", "live test final result", "test shows that", "the back-end DBMS is", "created Github", "blocked by the target server", "protection is involved", "CAPTCHA", "specific response", "NULL connection is supported", "PASSED", "FAILED", "for more than") 723 724# TLDs used in randomization of email-alike parameter values 725RANDOMIZATION_TLDS = ("com", "net", "ru", "org", "de", 
"jp", "cn", "fr", "it", "pl", "tv", "edu", "in", "ir", "es", "me", "info", "gr", "gov", "ca", "co", "se", "cz", "to", "vn", "nl", "cc", "az", "hu", "ua", "be", "no", "biz", "io", "ch", "ro", "sk", "eu", "us", "tw", "pt", "fi", "at", "lt", "kz", "cl", "hr", "pk", "lv", "la", "pe") 726 727# Generic www root directory names 728GENERIC_DOC_ROOT_DIRECTORY_NAMES = ("htdocs", "httpdocs", "public", "wwwroot", "www") 729 730# Maximum length of a help part containing switch/option name(s) 731MAX_HELP_OPTION_LENGTH = 18 732 733# Maximum number of connection retries (to prevent problems with recursion) 734MAX_CONNECT_RETRIES = 100 735 736# Strings for detecting formatting errors 737FORMAT_EXCEPTION_STRINGS = ("Type mismatch", "Error converting", "Please enter a", "Conversion failed", "String or binary data would be truncated", "Failed to convert", "unable to interpret text value", "Input string was not in a correct format", "System.FormatException", "java.lang.NumberFormatException", "ValueError: invalid literal", "TypeMismatchException", "CF_SQL_INTEGER", "CF_SQL_NUMERIC", " for CFSQLTYPE ", "cfqueryparam cfsqltype", "InvalidParamTypeException", "Invalid parameter type", "Attribute validation error for tag", "is not of type numeric", "<cfif Not IsNumeric(", "invalid input syntax for integer", "invalid input syntax for type", "invalid number", "character to number conversion error", "unable to interpret text value", "String was not recognized as a valid", "Convert.ToInt", "cannot be converted to a ", "InvalidDataException", "Arguments are of the wrong type") 738 739# Regular expression used for extracting ASP.NET view state values 740VIEWSTATE_REGEX = r'(?i)(?P<name>__VIEWSTATE[^"]*)[^>]+value="(?P<result>[^"]+)' 741 742# Regular expression used for extracting ASP.NET event validation values 743EVENTVALIDATION_REGEX = r'(?i)(?P<name>__EVENTVALIDATION[^"]*)[^>]+value="(?P<result>[^"]+)' 744 745# Number of rows to generate inside the full union test for limited output (mustn't 
be too large to prevent payload length problems) 746LIMITED_ROWS_TEST_NUMBER = 15 747 748# Default adapter to use for bottle server 749RESTAPI_DEFAULT_ADAPTER = "wsgiref" 750 751# Default REST-JSON API server listen address 752RESTAPI_DEFAULT_ADDRESS = "127.0.0.1" 753 754# Default REST-JSON API server listen port 755RESTAPI_DEFAULT_PORT = 8775 756 757# Use "Supplementary Private Use Area-A" 758INVALID_UNICODE_PRIVATE_AREA = False 759 760# Format used for representing invalid unicode characters 761INVALID_UNICODE_CHAR_FORMAT = r"\x%02x" 762 763# Regular expression for XML POST data 764XML_RECOGNITION_REGEX = r"(?s)\A\s*<[^>]+>(.+>)?\s*\Z" 765 766# Regular expression used for detecting JSON POST data 767JSON_RECOGNITION_REGEX = r'(?s)\A(\s*\[)*\s*\{.*"[^"]+"\s*:\s*("[^"]*"|\d+|true|false|null).*\}\s*(\]\s*)*\Z' 768 769# Regular expression used for detecting JSON-like POST data 770JSON_LIKE_RECOGNITION_REGEX = r"(?s)\A(\s*\[)*\s*\{.*'[^']+'\s*:\s*('[^']+'|\d+).*\}\s*(\]\s*)*\Z" 771 772# Regular expression used for detecting multipart POST data 773MULTIPART_RECOGNITION_REGEX = r"(?i)Content-Disposition:[^;]+;\s*name=" 774 775# Regular expression used for detecting Array-like POST data 776ARRAY_LIKE_RECOGNITION_REGEX = r"(\A|%s)(\w+)\[\]=.+%s\2\[\]=" % (DEFAULT_GET_POST_DELIMITER, DEFAULT_GET_POST_DELIMITER) 777 778# Default POST data content-type 779DEFAULT_CONTENT_TYPE = "application/x-www-form-urlencoded; charset=utf-8" 780 781# Raw text POST data content-type 782PLAIN_TEXT_CONTENT_TYPE = "text/plain; charset=utf-8" 783 784# Length used while checking for existence of Suhosin-patch (like) protection mechanism 785SUHOSIN_MAX_VALUE_LENGTH = 512 786 787# Minimum size of an (binary) entry before it can be considered for dumping to disk 788MIN_BINARY_DISK_DUMP_SIZE = 100 789 790# Filenames of payloads xml files (in order of loading) 791PAYLOAD_XML_FILES = ("boolean_blind.xml", "error_based.xml", "inline_query.xml", "stacked_queries.xml", "time_blind.xml", 
"union_query.xml") 792 793# Regular expression used for extracting form tags 794FORM_SEARCH_REGEX = r"(?si)<form(?!.+<form).+?</form>" 795 796# Maximum number of lines to save in history file 797MAX_HISTORY_LENGTH = 1000 798 799# Minimum field entry length needed for encoded content (hex, base64,...) check 800MIN_ENCODED_LEN_CHECK = 5 801 802# Timeout in seconds in which Metasploit remote session has to be initialized 803METASPLOIT_SESSION_TIMEOUT = 120 804 805# Reference: http://www.postgresql.org/docs/9.0/static/catalog-pg-largeobject.html 806LOBLKSIZE = 2048 807 808# Prefix used to mark special variables (e.g. keywords, having special chars, etc.) 809EVALCODE_ENCODED_PREFIX = "EVAL_" 810 811# Reference: https://en.wikipedia.org/wiki/Zip_(file_format) 812ZIP_HEADER = b"\x50\x4b\x03\x04" 813 814# Reference: http://www.cookiecentral.com/faq/#3.5 815NETSCAPE_FORMAT_HEADER_COOKIES = "# Netscape HTTP Cookie File." 816 817# Infixes used for automatic recognition of parameters carrying anti-CSRF tokens 818CSRF_TOKEN_PARAMETER_INFIXES = ("csrf", "xsrf", "token") 819 820# Prefixes used in brute force search for web server document root 821BRUTE_DOC_ROOT_PREFIXES = { 822 OS.LINUX: ("/var/www", "/usr/local/apache", "/usr/local/apache2", "/usr/local/www/apache22", "/usr/local/www/apache24", "/usr/local/httpd", "/var/www/nginx-default", "/srv/www", "/var/www/%TARGET%", "/var/www/vhosts/%TARGET%", "/var/www/virtual/%TARGET%", "/var/www/clients/vhosts/%TARGET%", "/var/www/clients/virtual/%TARGET%"), 823 OS.WINDOWS: ("/xampp", "/Program Files/xampp", "/wamp", "/Program Files/wampp", "/apache", "/Program Files/Apache Group/Apache", "/Program Files/Apache Group/Apache2", "/Program Files/Apache Group/Apache2.2", "/Program Files/Apache Group/Apache2.4", "/Inetpub/wwwroot", "/Inetpub/wwwroot/%TARGET%", "/Inetpub/vhosts/%TARGET%") 824} 825 826# Suffixes used in brute force search for web server document root 827BRUTE_DOC_ROOT_SUFFIXES = ("", "html", "htdocs", "httpdocs", "php", 
"public", "src", "site", "build", "web", "www", "data", "sites/all", "www/build") 828 829# String used for marking target name inside used brute force web server document root 830BRUTE_DOC_ROOT_TARGET_MARK = "%TARGET%" 831 832# Character used as a boundary in kb.chars (preferably less frequent letter) 833KB_CHARS_BOUNDARY_CHAR = 'q' 834 835# Letters of lower frequency used in kb.chars 836KB_CHARS_LOW_FREQUENCY_ALPHABET = "zqxjkvbp" 837 838# SQL keywords used for splitting in HTTP chunked transfer encoded requests (switch --chunk) 839HTTP_CHUNKED_SPLIT_KEYWORDS = ("SELECT", "UPDATE", "INSERT", "FROM", "LOAD_FILE", "UNION", "information_schema", "sysdatabases", "msysaccessobjects", "msysqueries", "sysmodules") 840 841# CSS style used in HTML dump format 842HTML_DUMP_CSS_STYLE = """<style> 843table{ 844 margin:10; 845 background-color:#FFFFFF; 846 font-family:verdana; 847 font-size:12px; 848 align:center; 849} 850thead{ 851 font-weight:bold; 852 background-color:#4F81BD; 853 color:#FFFFFF; 854} 855tr:nth-child(even) { 856 background-color: #D3DFEE 857} 858td{ 859 font-size:12px; 860} 861th{ 862 font-size:12px; 863} 864</style>""" 865 866# Leaving (dirty) possibility to change values from here (e.g. `export SQLMAP__MAX_NUMBER_OF_THREADS=20`) 867for key, value in os.environ.items(): 868 if key.upper().startswith("%s_" % SQLMAP_ENVIRONMENT_PREFIX): 869 _ = key[len(SQLMAP_ENVIRONMENT_PREFIX) + 1:].upper() 870 if _ in globals(): 871 globals()[_] = value 872 873# Installing "reversible" unicode (decoding) error handler 874def _reversible(ex): 875 if isinstance(ex, UnicodeDecodeError): 876 if INVALID_UNICODE_PRIVATE_AREA: 877 return (u"".join(_unichr(int('000f00%2x' % (_ if isinstance(_, int) else ord(_)), 16)) for _ in ex.object[ex.start:ex.end]), ex.end) 878 else: 879 return (u"".join(INVALID_UNICODE_CHAR_FORMAT % (_ if isinstance(_, int) else ord(_)) for _ in ex.object[ex.start:ex.end]), ex.end) 880 881codecs.register_error("reversible", _reversible) 882