This action will force synchronization from yeqingchen1/sqlmap, which will overwrite any changes that you have made since you forked the repository, and can not be recovered!!!
Synchronous operation will process in the background and will refresh the page when finishing processing. Please be patient.
#!/usr/bin/env python"""Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)See the file 'LICENSE' for copying permission"""from __future__ import print_functiontry:from crypt import cryptexcept: # removed ImportError because of https://github.com/sqlmapproject/sqlmap/issues/3171from thirdparty.fcrypt.fcrypt import crypt_multiprocessing = Nonetry:import multiprocessing# problems on FreeBSD (Reference: https://web.archive.org/web/20110710041353/http://www.eggheadcafe.com/microsoft/Python/35880259/multiprocessing-on-freebsd.aspx)_ = multiprocessing.Queue()# problems with ctypes (Reference: https://github.com/sqlmapproject/sqlmap/issues/2952)_ = multiprocessing.Value('i')except (ImportError, OSError, AttributeError):passelse:try:if multiprocessing.cpu_count() > 1:_multiprocessing = multiprocessingexcept NotImplementedError:passimport base64import binasciiimport gcimport osimport reimport tempfileimport timeimport zipfilefrom hashlib import md5from hashlib import sha1from hashlib import sha224from hashlib import sha256from hashlib import sha384from hashlib import sha512from lib.core.common import Backendfrom lib.core.common import checkFilefrom lib.core.common import clearConsoleLinefrom lib.core.common import dataToStdoutfrom lib.core.common import getFileItemsfrom lib.core.common import getPublicTypeMembersfrom lib.core.common import getSafeExStringfrom lib.core.common import hashDBRetrievefrom lib.core.common import hashDBWritefrom lib.core.common import isZipFilefrom lib.core.common import normalizeUnicodefrom lib.core.common import openFilefrom lib.core.common import pathsfrom lib.core.common import readInputfrom lib.core.common import singleTimeLogMessagefrom lib.core.common import singleTimeWarnMessagefrom lib.core.compat import xrangefrom lib.core.convert import decodeBase64from lib.core.convert import decodeHexfrom lib.core.convert import encodeHexfrom lib.core.convert import getBytesfrom lib.core.convert import getTextfrom lib.core.convert import getUnicodefrom lib.core.data import conffrom lib.core.data import kbfrom lib.core.data import loggerfrom lib.core.datatype import OrderedSetfrom lib.core.enums import DBMSfrom lib.core.enums import HASHfrom lib.core.enums import MKSTEMP_PREFIXfrom lib.core.exception import SqlmapDataExceptionfrom lib.core.exception import SqlmapUserQuitExceptionfrom lib.core.settings import COMMON_PASSWORD_SUFFIXESfrom lib.core.settings import COMMON_USER_COLUMNSfrom lib.core.settings import DEV_EMAIL_ADDRESSfrom lib.core.settings import DUMMY_USER_PREFIXfrom lib.core.settings import HASH_BINARY_COLUMNS_REGEXfrom lib.core.settings import HASH_EMPTY_PASSWORD_MARKERfrom lib.core.settings import HASH_MOD_ITEM_DISPLAYfrom lib.core.settings import HASH_RECOGNITION_QUIT_THRESHOLDfrom lib.core.settings import INVALID_UNICODE_CHAR_FORMATfrom lib.core.settings import IS_WINfrom lib.core.settings import ITOA64from lib.core.settings import NULLfrom lib.core.settings import ROTATING_CHARSfrom lib.core.settings import UNICODE_ENCODINGfrom lib.core.wordlist import Wordlistfrom thirdparty import sixfrom thirdparty.colorama.initialise import init as coloramainitfrom thirdparty.pydes.pyDes import CBCfrom thirdparty.pydes.pyDes import desfrom thirdparty.six.moves import queue as _queuedef mysql_passwd(password, uppercase=True):"""Reference(s):https://web.archive.org/web/20120215205312/http://csl.sublevel3.org/mysql-password-function/>>> mysql_passwd(password='testpass', uppercase=True)'*00E247AC5F9AF26AE0194B41E1E769DEE1429A29'"""password = getBytes(password)retVal = "*%s" % sha1(sha1(password).digest()).hexdigest()return retVal.upper() if uppercase else retVal.lower()def mysql_old_passwd(password, uppercase=True): # prior to version '4.1'"""Reference(s):https://web.archive.org/web/20091205000600/http://www.sfr-fresh.com/unix/privat/tpop3d-1.5.5.tar.gz:a/tpop3d-1.5.5/password.chttps://github.com/pwnieexpress/pwn_plug_sources/blob/master/src/darkmysqli/DarkMySQLi.py>>> mysql_old_passwd(password='testpass', uppercase=True)'7DCDA0D57290B453'"""a, b, c = 1345345333, 7, 0x12345671for d in password:if d == ' ' or d == '\t':continuee = ord(d)a ^= (((a & 63) + b) * e) + (a << 8)c += (c << 8) ^ ab += eretVal = "%08lx%08lx" % (a & ((1 << 31) - 1), c & ((1 << 31) - 1))return retVal.upper() if uppercase else retVal.lower()def postgres_passwd(password, username, uppercase=False):"""Reference(s):http://pentestmonkey.net/blog/cracking-postgres-hashes/>>> postgres_passwd(password='testpass', username='testuser', uppercase=False)'md599e5ea7a6f7c3269995cba3927fd0093'"""username = getBytes(username)password = getBytes(password)retVal = "md5%s" % md5(password + username).hexdigest()return retVal.upper() if uppercase else retVal.lower()def mssql_passwd(password, salt, uppercase=False):"""Reference(s):http://www.leidecker.info/projects/phrasendrescher/mssql.chttps://www.evilfingers.com/tools/GSAuditor.php>>> mssql_passwd(password='testpass', salt='4086ceb6', uppercase=False)'0x01004086ceb60c90646a8ab9889fe3ed8e5c150b5460ece8425a'"""binsalt = decodeHex(salt)unistr = b"".join((_.encode(UNICODE_ENCODING) + b"0円") if ord(_) < 256 else _.encode(UNICODE_ENCODING) for _ in password)retVal = "0100%s%s" % (salt, sha1(unistr + binsalt).hexdigest())return "0x%s" % (retVal.upper() if uppercase else retVal.lower())def mssql_old_passwd(password, salt, uppercase=True): # prior to version '2005'"""Reference(s):www.exploit-db.com/download_pdf/15537/http://www.leidecker.info/projects/phrasendrescher/mssql.chttps://www.evilfingers.com/tools/GSAuditor.php>>> mssql_old_passwd(password='testpass', salt='4086ceb6', uppercase=True)'0x01004086CEB60C90646A8AB9889FE3ED8E5C150B5460ECE8425AC7BB7255C0C81D79AA5D0E93D4BB077FB9A51DA0'"""binsalt = decodeHex(salt)unistr = b"".join((_.encode(UNICODE_ENCODING) + b"0円") if ord(_) < 256 else _.encode(UNICODE_ENCODING) for _ in password)retVal = "0100%s%s%s" % (salt, sha1(unistr + binsalt).hexdigest(), sha1(unistr.upper() + binsalt).hexdigest())return "0x%s" % (retVal.upper() if uppercase else retVal.lower())def mssql_new_passwd(password, salt, uppercase=False):"""Reference(s):http://hashcat.net/forum/thread-1474.html>>> mssql_new_passwd(password='testpass', salt='4086ceb6', uppercase=False)'0x02004086ceb6eb051cdbc5bdae68ffc66c918d4977e592f6bdfc2b444a7214f71fa31c35902c5b7ae773ed5f4c50676d329120ace32ee6bc81c24f70711eb0fc6400e85ebf25'"""binsalt = decodeHex(salt)unistr = b"".join((_.encode(UNICODE_ENCODING) + b"0円") if ord(_) < 256 else _.encode(UNICODE_ENCODING) for _ in password)retVal = "0200%s%s" % (salt, sha512(unistr + binsalt).hexdigest())return "0x%s" % (retVal.upper() if uppercase else retVal.lower())def oracle_passwd(password, salt, uppercase=True):"""Reference(s):https://www.evilfingers.com/tools/GSAuditor.phphttp://www.notesbit.com/index.php/scripts-oracle/oracle-11g-new-password-algorithm-is-revealed-by-seclistsorg/http://seclists.org/bugtraq/2007/Sep/304>>> oracle_passwd(password='SHAlala', salt='1B7B5F82B7235E9E182C', uppercase=True)'S:2BFCFDF5895014EE9BB2B9BA067B01E0389BB5711B7B5F82B7235E9E182C'"""binsalt = decodeHex(salt)password = getBytes(password)retVal = "s:%s%s" % (sha1(password + binsalt).hexdigest(), salt)return retVal.upper() if uppercase else retVal.lower()def oracle_old_passwd(password, username, uppercase=True): # prior to version '11g'"""Reference(s):http://www.notesbit.com/index.php/scripts-oracle/oracle-11g-new-password-algorithm-is-revealed-by-seclistsorg/>>> oracle_old_passwd(password='tiger', username='scott', uppercase=True)'F894844C34402B67'"""IV, pad = "0円" * 8, "0円"unistr = b"".join((b"0円" + _.encode(UNICODE_ENCODING)) if ord(_) < 256 else _.encode(UNICODE_ENCODING) for _ in (username + password).upper())cipher = des(decodeHex("0123456789ABCDEF"), CBC, IV, pad)encrypted = cipher.encrypt(unistr)cipher = des(encrypted[-8:], CBC, IV, pad)encrypted = cipher.encrypt(unistr)retVal = encodeHex(encrypted[-8:], binary=False)return retVal.upper() if uppercase else retVal.lower()def md5_generic_passwd(password, uppercase=False):""">>> md5_generic_passwd(password='testpass', uppercase=False)'179ad45c6ce2cb97cf1029e212046e81'"""password = getBytes(password)retVal = md5(password).hexdigest()return retVal.upper() if uppercase else retVal.lower()def sha1_generic_passwd(password, uppercase=False):""">>> sha1_generic_passwd(password='testpass', uppercase=False)'206c80413b9a96c1312cc346b7d2517b84463edd'"""password = getBytes(password)retVal = sha1(password).hexdigest()return retVal.upper() if uppercase else retVal.lower()def apache_sha1_passwd(password, **kwargs):""">>> apache_sha1_passwd(password='testpass')'{SHA}IGyAQTualsExLMNGt9JRe4RGPt0='"""password = getBytes(password)return "{SHA}%s" % getText(base64.b64encode(sha1(password).digest()))def ssha_passwd(password, salt, **kwargs):""">>> ssha_passwd(password='testpass', salt='salt')'{SSHA}mU1HPTvnmoXOhE4ROHP6sWfbfoRzYWx0'"""password = getBytes(password)salt = getBytes(salt)return "{SSHA}%s" % getText(base64.b64encode(sha1(password + salt).digest() + salt))def ssha256_passwd(password, salt, **kwargs):""">>> ssha256_passwd(password='testpass', salt='salt')'{SSHA256}hhubsLrO/Aje9F/kJrgv5ZLE40UmTrVWvI7Dt6InP99zYWx0'"""password = getBytes(password)salt = getBytes(salt)return "{SSHA256}%s" % getText(base64.b64encode(sha256(password + salt).digest() + salt))def ssha512_passwd(password, salt, **kwargs):""">>> ssha512_passwd(password='testpass', salt='salt')'{SSHA512}mCUSLfPMhXCQOJl9WHW/QMn9v9sjq7Ht/Wk7iVau8vLOfh+PeynkGMikqIE8sStFd0khdfcCD8xZmC6UyjTxsHNhbHQ='"""password = getBytes(password)salt = getBytes(salt)return "{SSHA512}%s" % getText(base64.b64encode(sha512(password + salt).digest() + salt))def sha224_generic_passwd(password, uppercase=False):""">>> sha224_generic_passwd(password='testpass', uppercase=False)'648db6019764b598f75ab6b7616d2e82563a00eb1531680e19ac4c6f'"""retVal = sha224(getBytes(password)).hexdigest()return retVal.upper() if uppercase else retVal.lower()def sha256_generic_passwd(password, uppercase=False):""">>> sha256_generic_passwd(password='testpass', uppercase=False)'13d249f2cb4127b40cfa757866850278793f814ded3c587fe5889e889a7a9f6c'"""retVal = sha256(getBytes(password)).hexdigest()return retVal.upper() if uppercase else retVal.lower()def sha384_generic_passwd(password, uppercase=False):""">>> sha384_generic_passwd(password='testpass', uppercase=False)'6823546e56adf46849343be991d4b1be9b432e42ed1b4bb90635a0e4b930e49b9ca007bc3e04bf0a4e0df6f1f82769bf'"""retVal = sha384(getBytes(password)).hexdigest()return retVal.upper() if uppercase else retVal.lower()def sha512_generic_passwd(password, uppercase=False):""">>> sha512_generic_passwd(password='testpass', uppercase=False)'78ddc8555bb1677ff5af75ba5fc02cb30bb592b0610277ae15055e189b77fe3fda496e5027a3d99ec85d54941adee1cc174b50438fdc21d82d0a79f85b58cf44'"""retVal = sha512(getBytes(password)).hexdigest()return retVal.upper() if uppercase else retVal.lower()def crypt_generic_passwd(password, salt, **kwargs):"""Reference(s):http://docs.python.org/library/crypt.htmlhttp://helpful.knobs-dials.com/index.php/Hashing_noteshttp://php.net/manual/en/function.crypt.phphttp://carey.geek.nz/code/python-fcrypt/>>> crypt_generic_passwd(password='rasmuslerdorf', salt='rl', uppercase=False)'rl.3StKT.4T8M'"""return crypt(password, salt)def unix_md5_passwd(password, salt, magic="1ドル$", **kwargs):"""Reference(s):http://www.sabren.net/code/python/crypt/md5crypt.py>>> unix_md5_passwd(password='testpass', salt='aD9ZLmkp')'1ドル$aD9ZLmkp$DRM5a7rRZGyuuOPOjTEk61'"""def _encode64(value, count):output = ""while (count - 1 >= 0):count = count - 1output += ITOA64[value & 0x3f]value = value >> 6return outputpassword = getBytes(password)magic = getBytes(magic)salt = getBytes(salt)salt = salt[:8]ctx = password + magic + saltfinal = md5(password + salt + password).digest()for pl in xrange(len(password), 0, -16):if pl > 16:ctx = ctx + final[:16]else:ctx = ctx + final[:pl]i = len(password)while i:if i & 1:ctx = ctx + b'\x00' # if ($i & 1) { $ctx->add(pack("C", 0)); }else:ctx = ctx + password[0:1]i = i >> 1final = md5(ctx).digest()for i in xrange(1000):ctx1 = b""if i & 1:ctx1 = ctx1 + passwordelse:ctx1 = ctx1 + final[:16]if i % 3:ctx1 = ctx1 + saltif i % 7:ctx1 = ctx1 + passwordif i & 1:ctx1 = ctx1 + final[:16]else:ctx1 = ctx1 + passwordfinal = md5(ctx1).digest()hash_ = _encode64((int(ord(final[0:1])) << 16) | (int(ord(final[6:7])) << 8) | (int(ord(final[12:13]))), 4)hash_ = hash_ + _encode64((int(ord(final[1:2])) << 16) | (int(ord(final[7:8])) << 8) | (int(ord(final[13:14]))), 4)hash_ = hash_ + _encode64((int(ord(final[2:3])) << 16) | (int(ord(final[8:9])) << 8) | (int(ord(final[14:15]))), 4)hash_ = hash_ + _encode64((int(ord(final[3:4])) << 16) | (int(ord(final[9:10])) << 8) | (int(ord(final[15:16]))), 4)hash_ = hash_ + _encode64((int(ord(final[4:5])) << 16) | (int(ord(final[10:11])) << 8) | (int(ord(final[5:6]))), 4)hash_ = hash_ + _encode64((int(ord(final[11:12]))), 2)return getText(magic + salt + b'$' + getBytes(hash_))def joomla_passwd(password, salt, **kwargs):"""Reference: https://stackoverflow.com/a/10428239>>> joomla_passwd(password='testpass', salt='6GGlnaquVXI80b3HRmSyE3K1wEFFaBIf')'e3d5794da74e917637332e0d21b76328:6GGlnaquVXI80b3HRmSyE3K1wEFFaBIf'"""return "%s:%s" % (md5(getBytes(password) + getBytes(salt)).hexdigest(), salt)def django_md5_passwd(password, salt, **kwargs):"""Reference: https://github.com/jay0lee/GAM/blob/master/src/passlib/handlers/django.py>>> django_md5_passwd(password='testpass', salt='salt')'md5$salt972141ドルbcbcb6a0acc96e92309175b3c5'"""return "md5$%s$%s" % (salt, md5(getBytes(salt) + getBytes(password)).hexdigest())def django_sha1_passwd(password, salt, **kwargs):"""Reference: https://github.com/jay0lee/GAM/blob/master/src/passlib/handlers/django.py>>> django_sha1_passwd(password='testpass', salt='salt')'sha1$salt6ドルce0e522aba69d8baa873f01420fccd0250fc5b2'"""return "sha1$%s$%s" % (salt, sha1(getBytes(salt) + getBytes(password)).hexdigest())def vbulletin_passwd(password, salt, **kwargs):"""Reference: https://stackoverflow.com/a/2202810>>> vbulletin_passwd(password='testpass', salt='salt')'85c4d8ea77ebef2236fb7e9d24ba9482:salt'"""return "%s:%s" % (md5(binascii.hexlify(md5(getBytes(password)).digest()) + getBytes(salt)).hexdigest(), salt)def wordpress_passwd(password, salt, count, prefix, **kwargs):"""Reference(s):http://packetstormsecurity.org/files/74448/phpassbrute.py.txthttp://scriptserver.mainframe8.com/wordpress_password_hasher.php>>> wordpress_passwd(password='testpass', salt='aD9ZLmkp', count=2048, prefix='$P9ドルaD9ZLmkp')'$P9ドルaD9ZLmkpsN4A83G8MefaaP888gVKX0'"""def _encode64(input_, count):output = ''i = 0while i < count:value = (input_[i] if isinstance(input_[i], int) else ord(input_[i]))i += 1output = output + ITOA64[value & 0x3f]if i < count:value = value | ((input_[i] if isinstance(input_[i], int) else ord(input_[i])) << 8)output = output + ITOA64[(value >> 6) & 0x3f]i += 1if i >= count:breakif i < count:value = value | ((input_[i] if isinstance(input_[i], int) else ord(input_[i])) << 16)output = output + ITOA64[(value >> 12) & 0x3f]i += 1if i >= count:breakoutput = output + ITOA64[(value >> 18) & 0x3f]return outputpassword = getBytes(password)salt = getBytes(salt)cipher = md5(salt)cipher.update(password)hash_ = cipher.digest()for i in xrange(count):_ = md5(hash_)_.update(password)hash_ = _.digest()return "%s%s" % (prefix, _encode64(hash_, 16))__functions__ = {HASH.MYSQL: mysql_passwd,HASH.MYSQL_OLD: mysql_old_passwd,HASH.POSTGRES: postgres_passwd,HASH.MSSQL: mssql_passwd,HASH.MSSQL_OLD: mssql_old_passwd,HASH.MSSQL_NEW: mssql_new_passwd,HASH.ORACLE: oracle_passwd,HASH.ORACLE_OLD: oracle_old_passwd,HASH.MD5_GENERIC: md5_generic_passwd,HASH.SHA1_GENERIC: sha1_generic_passwd,HASH.SHA224_GENERIC: sha224_generic_passwd,HASH.SHA256_GENERIC: sha256_generic_passwd,HASH.SHA384_GENERIC: sha384_generic_passwd,HASH.SHA512_GENERIC: sha512_generic_passwd,HASH.CRYPT_GENERIC: crypt_generic_passwd,HASH.JOOMLA: joomla_passwd,HASH.DJANGO_MD5: django_md5_passwd,HASH.DJANGO_SHA1: django_sha1_passwd,HASH.WORDPRESS: wordpress_passwd,HASH.APACHE_MD5_CRYPT: unix_md5_passwd,HASH.UNIX_MD5_CRYPT: unix_md5_passwd,HASH.APACHE_SHA1: apache_sha1_passwd,HASH.VBULLETIN: vbulletin_passwd,HASH.VBULLETIN_OLD: vbulletin_passwd,HASH.SSHA: ssha_passwd,HASH.SSHA256: ssha256_passwd,HASH.SSHA512: ssha512_passwd,HASH.MD5_BASE64: md5_generic_passwd,HASH.SHA1_BASE64: sha1_generic_passwd,HASH.SHA256_BASE64: sha256_generic_passwd,HASH.SHA512_BASE64: sha512_generic_passwd,}def storeHashesToFile(attack_dict):if not attack_dict:returnitems = OrderedSet()for user, hashes in attack_dict.items():for hash_ in hashes:hash_ = hash_.split()[0] if hash_ and hash_.strip() else hash_if hash_ and hash_ != NULL and hashRecognition(hash_):item = Noneif user and not user.startswith(DUMMY_USER_PREFIX):item = "%s:%s\n" % (user, hash_)else:item = "%s\n" % hash_if item and item not in items:items.add(item)if kb.storeHashesChoice is None:message = "do you want to store hashes to a temporary file "message += "for eventual further processing with other tools [y/N] "kb.storeHashesChoice = readInput(message, default='N', boolean=True)if items and kb.storeHashesChoice:handle, filename = tempfile.mkstemp(prefix=MKSTEMP_PREFIX.HASHES, suffix=".txt")os.close(handle)infoMsg = "writing hashes to a temporary file '%s' " % filenamelogger.info(infoMsg)with openFile(filename, "w+") as f:for item in items:f.write(item)def attackCachedUsersPasswords():if kb.data.cachedUsersPasswords:results = dictionaryAttack(kb.data.cachedUsersPasswords)lut = {}for (_, hash_, password) in results:lut[hash_.lower()] = passwordfor user in kb.data.cachedUsersPasswords:for i in xrange(len(kb.data.cachedUsersPasswords[user])):if (kb.data.cachedUsersPasswords[user][i] or "").strip():value = kb.data.cachedUsersPasswords[user][i].lower().split()[0]if value in lut:kb.data.cachedUsersPasswords[user][i] += "%s clear-text password: %s" % ('\n' if kb.data.cachedUsersPasswords[user][i][-1] != '\n' else '', lut[value])def attackDumpedTable():if kb.data.dumpedTable:table = kb.data.dumpedTablecolumns = list(table.keys())count = table["__infos__"]["count"]if not count:returndebugMsg = "analyzing table dump for possible password hashes"logger.debug(debugMsg)found = Falsecol_user = ''col_passwords = set()attack_dict = {}binary_fields = OrderedSet()replacements = {}for column in sorted(columns, key=len, reverse=True):if column and column.lower() in COMMON_USER_COLUMNS:col_user = columnbreakfor column in columns:if column != "__infos__" and table[column]["values"]:if all(INVALID_UNICODE_CHAR_FORMAT.split('%')[0] in (value or "") for value in table[column]["values"]):binary_fields.add(column)if binary_fields:_ = ','.join(binary_fields)warnMsg = "potential binary fields detected ('%s'). In case of any problems you are " % _warnMsg += "advised to rerun table dump with '--fresh-queries --binary-fields=\"%s\"'" % _logger.warn(warnMsg)for i in xrange(count):if not found and i > HASH_RECOGNITION_QUIT_THRESHOLD:breakfor column in columns:if column == col_user or column == "__infos__":continueif len(table[column]["values"]) <= i:continuevalue = table[column]["values"][i]if column in binary_fields and re.search(HASH_BINARY_COLUMNS_REGEX, column) is not None:previous = valuevalue = encodeHex(getBytes(value), binary=False)replacements[value] = previousif hashRecognition(value):found = Trueif col_user and i < len(table[col_user]["values"]):if table[col_user]["values"][i] not in attack_dict:attack_dict[table[col_user]["values"][i]] = []attack_dict[table[col_user]["values"][i]].append(value)else:attack_dict["%s%d" % (DUMMY_USER_PREFIX, i)] = [value]col_passwords.add(column)if attack_dict:infoMsg = "recognized possible password hashes in column%s " % ("s" if len(col_passwords) > 1 else "")infoMsg += "'%s'" % ", ".join(col for col in col_passwords)logger.info(infoMsg)storeHashesToFile(attack_dict)message = "do you want to crack them via a dictionary-based attack? %s" % ("[y/N/q]" if conf.multipleTargets else "[Y/n/q]")choice = readInput(message, default='N' if conf.multipleTargets else 'Y').upper()if choice == 'N':returnelif choice == 'Q':raise SqlmapUserQuitExceptionresults = dictionaryAttack(attack_dict)lut = dict()for (_, hash_, password) in results:if hash_:key = hash_ if hash_ not in replacements else replacements[hash_]lut[key.lower()] = passworddebugMsg = "post-processing table dump"logger.debug(debugMsg)for i in xrange(count):for column in columns:if not (column == col_user or column == '__infos__' or len(table[column]['values']) <= i):value = table[column]['values'][i]if value and value.lower() in lut:table[column]['values'][i] = "%s (%s)" % (getUnicode(table[column]['values'][i]), getUnicode(lut[value.lower()] or HASH_EMPTY_PASSWORD_MARKER))table[column]['length'] = max(table[column]['length'], len(table[column]['values'][i]))def hashRecognition(value):retVal = NoneisOracle, isMySQL = Backend.isDbms(DBMS.ORACLE), Backend.isDbms(DBMS.MYSQL)if isinstance(value, six.string_types):for name, regex in getPublicTypeMembers(HASH):# Hashes for Oracle and old MySQL look the same hence these checksif isOracle and regex == HASH.MYSQL_OLD or isMySQL and regex == HASH.ORACLE_OLD:continueelif regex == HASH.CRYPT_GENERIC:if any((value.lower() == value, value.upper() == value)):continueelif re.match(regex, value):retVal = regexbreakreturn retValdef _bruteProcessVariantA(attack_info, hash_regex, suffix, retVal, proc_id, proc_count, wordlists, custom_wordlist, api):if IS_WIN:coloramainit()count = 0rotator = 0hashes = set(item[0][1] for item in attack_info)wordlist = Wordlist(wordlists, proc_id, getattr(proc_count, "value", 0), custom_wordlist)try:for word in wordlist:if not attack_info:breakcount += 1if isinstance(word, six.binary_type):word = getUnicode(word)elif not isinstance(word, six.string_types):continueif suffix:word = word + suffixtry:current = __functions__[hash_regex](password=word, uppercase=False)if current in hashes:for item in attack_info[:]:((user, hash_), _) = itemif hash_ == current:retVal.put((user, hash_, word))clearConsoleLine()infoMsg = "\r[%s] [INFO] cracked password '%s'" % (time.strftime("%X"), word)if user and not user.startswith(DUMMY_USER_PREFIX):infoMsg += " for user '%s'\n" % userelse:infoMsg += " for hash '%s'\n" % hash_dataToStdout(infoMsg, True)attack_info.remove(item)elif (proc_id == 0 or getattr(proc_count, "value", 0) == 1) and count % HASH_MOD_ITEM_DISPLAY == 0 or hash_regex == HASH.ORACLE_OLD or hash_regex == HASH.CRYPT_GENERIC and IS_WIN:rotator += 1if rotator >= len(ROTATING_CHARS):rotator = 0status = "current status: %s... %s" % (word.ljust(5)[:5], ROTATING_CHARS[rotator])if not api:dataToStdout("\r[%s] [INFO] %s" % (time.strftime("%X"), status))except KeyboardInterrupt:raiseexcept (UnicodeEncodeError, UnicodeDecodeError):pass # ignore possible encoding problems caused by some words in custom dictionariesexcept Exception as ex:warnMsg = "there was a problem while hashing entry: %s ('%s'). " % (repr(word), getSafeExString(ex))warnMsg += "Please report by e-mail to '%s'" % DEV_EMAIL_ADDRESSlogger.critical(warnMsg)except KeyboardInterrupt:passfinally:if hasattr(proc_count, "value"):with proc_count.get_lock():proc_count.value -= 1def _bruteProcessVariantB(user, hash_, kwargs, hash_regex, suffix, retVal, found, proc_id, proc_count, wordlists, custom_wordlist, api):if IS_WIN:coloramainit()count = 0rotator = 0wordlist = Wordlist(wordlists, proc_id, getattr(proc_count, "value", 0), custom_wordlist)try:for word in wordlist:if found.value:breakcount += 1if isinstance(word, six.binary_type):word = getUnicode(word)elif not isinstance(word, six.string_types):continueif suffix:word = word + suffixtry:current = __functions__[hash_regex](password=word, uppercase=False, **kwargs)if hash_ == current:if hash_regex == HASH.ORACLE_OLD: # only for cosmetic purposesword = word.upper()retVal.put((user, hash_, word))clearConsoleLine()infoMsg = "\r[%s] [INFO] cracked password '%s'" % (time.strftime("%X"), word)if user and not user.startswith(DUMMY_USER_PREFIX):infoMsg += " for user '%s'\n" % userelse:infoMsg += " for hash '%s'\n" % hash_dataToStdout(infoMsg, True)found.value = Trueelif (proc_id == 0 or getattr(proc_count, "value", 0) == 1) and count % HASH_MOD_ITEM_DISPLAY == 0:rotator += 1if rotator >= len(ROTATING_CHARS):rotator = 0status = "current status: %s... %s" % (word.ljust(5)[:5], ROTATING_CHARS[rotator])if user and not user.startswith(DUMMY_USER_PREFIX):status += " (user: %s)" % userif not api:dataToStdout("\r[%s] [INFO] %s" % (time.strftime("%X"), status))except KeyboardInterrupt:raiseexcept (UnicodeEncodeError, UnicodeDecodeError):pass # ignore possible encoding problems caused by some words in custom dictionariesexcept Exception as ex:warnMsg = "there was a problem while hashing entry: %s ('%s'). " % (repr(word), getSafeExString(ex))warnMsg += "Please report by e-mail to '%s'" % DEV_EMAIL_ADDRESSlogger.critical(warnMsg)except KeyboardInterrupt:passfinally:if hasattr(proc_count, "value"):with proc_count.get_lock():proc_count.value -= 1def dictionaryAttack(attack_dict):suffix_list = [""]custom_wordlist = [""]hash_regexes = []results = []resumes = []user_hash = []processException = FalsefoundHash = Falsefor (_, hashes) in attack_dict.items():for hash_ in hashes:if not hash_:continuehash_ = hash_.split()[0] if hash_ and hash_.strip() else hash_regex = hashRecognition(hash_)if regex and regex not in hash_regexes:hash_regexes.append(regex)infoMsg = "using hash method '%s'" % __functions__[regex].__name__logger.info(infoMsg)for hash_regex in hash_regexes:keys = set()attack_info = []for (user, hashes) in attack_dict.items():for hash_ in hashes:if not hash_:continuefoundHash = Truehash_ = hash_.split()[0] if hash_ and hash_.strip() else hash_if re.match(hash_regex, hash_):try:item = Noneif hash_regex not in (HASH.CRYPT_GENERIC, HASH.JOOMLA, HASH.WORDPRESS, HASH.UNIX_MD5_CRYPT, HASH.APACHE_MD5_CRYPT, HASH.APACHE_SHA1, HASH.VBULLETIN, HASH.VBULLETIN_OLD, HASH.SSHA, HASH.SSHA256, HASH.SSHA512, HASH.DJANGO_MD5, HASH.DJANGO_SHA1, HASH.MD5_BASE64, HASH.SHA1_BASE64, HASH.SHA256_BASE64, HASH.SHA512_BASE64):hash_ = hash_.lower()if hash_regex in (HASH.MD5_BASE64, HASH.SHA1_BASE64, HASH.SHA256_BASE64, HASH.SHA512_BASE64):item = [(user, encodeHex(decodeBase64(hash_, binary=True))), {}]elif hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC, HASH.SHA224_GENERIC, HASH.SHA256_GENERIC, HASH.SHA384_GENERIC, HASH.SHA512_GENERIC, HASH.APACHE_SHA1):item = [(user, hash_), {}]elif hash_regex in (HASH.SSHA,):item = [(user, hash_), {"salt": decodeBase64(hash_, binary=True)[20:]}]elif hash_regex in (HASH.SSHA256,):item = [(user, hash_), {"salt": decodeBase64(hash_, binary=True)[32:]}]elif hash_regex in (HASH.SSHA512,):item = [(user, hash_), {"salt": decodeBase64(hash_, binary=True)[64:]}]elif hash_regex in (HASH.ORACLE_OLD, HASH.POSTGRES):item = [(user, hash_), {'username': user}]elif hash_regex in (HASH.ORACLE,):item = [(user, hash_), {"salt": hash_[-20:]}]elif hash_regex in (HASH.MSSQL, HASH.MSSQL_OLD, HASH.MSSQL_NEW):item = [(user, hash_), {"salt": hash_[6:14]}]elif hash_regex in (HASH.CRYPT_GENERIC,):item = [(user, hash_), {"salt": hash_[0:2]}]elif hash_regex in (HASH.UNIX_MD5_CRYPT, HASH.APACHE_MD5_CRYPT):item = [(user, hash_), {"salt": hash_.split('$')[2], "magic": "$%s$" % hash_.split('$')[1]}]elif hash_regex in (HASH.JOOMLA, HASH.VBULLETIN, HASH.VBULLETIN_OLD):item = [(user, hash_), {"salt": hash_.split(':')[-1]}]elif hash_regex in (HASH.DJANGO_MD5, HASH.DJANGO_SHA1):item = [(user, hash_), {"salt": hash_.split('$')[1]}]elif hash_regex in (HASH.WORDPRESS,):if ITOA64.index(hash_[3]) < 32:item = [(user, hash_), {"salt": hash_[4:12], "count": 1 << ITOA64.index(hash_[3]), "prefix": hash_[:12]}]else:warnMsg = "invalid hash '%s'" % hash_logger.warn(warnMsg)if item and hash_ not in keys:resumed = hashDBRetrieve(hash_)if not resumed:attack_info.append(item)user_hash.append(item[0])else:infoMsg = "resuming password '%s' for hash '%s'" % (resumed, hash_)if user and not user.startswith(DUMMY_USER_PREFIX):infoMsg += " for user '%s'" % userlogger.info(infoMsg)resumes.append((user, hash_, resumed))keys.add(hash_)except (binascii.Error, IndexError):passif not attack_info:continueif not kb.wordlists:while not kb.wordlists:# the slowest of all methods hence smaller default dictif hash_regex in (HASH.ORACLE_OLD,):dictPaths = [paths.SMALL_DICT]else:dictPaths = [paths.WORDLIST]message = "what dictionary do you want to use?\n"message += "[1] default dictionary file '%s' (press Enter)\n" % dictPaths[0]message += "[2] custom dictionary file\n"message += "[3] file with list of dictionary files"choice = readInput(message, default='1')try:if choice == '2':message = "what's the custom dictionary's location?\n"dictPath = readInput(message)if dictPath:dictPaths = [dictPath]logger.info("using custom dictionary")elif choice == '3':message = "what's the list file location?\n"listPath = readInput(message)checkFile(listPath)dictPaths = getFileItems(listPath)logger.info("using custom list of dictionaries")else:logger.info("using default dictionary")dictPaths = [_ for _ in dictPaths if _]for dictPath in dictPaths:checkFile(dictPath)if isZipFile(dictPath):_ = zipfile.ZipFile(dictPath, 'r')if len(_.namelist()) == 0:errMsg = "no file(s) inside '%s'" % dictPathraise SqlmapDataException(errMsg)else:_.open(_.namelist()[0])kb.wordlists = dictPathsexcept Exception as ex:warnMsg = "there was a problem while loading dictionaries"warnMsg += " ('%s')" % getSafeExString(ex)logger.critical(warnMsg)message = "do you want to use common password suffixes? (slow!) [y/N] "if readInput(message, default='N', boolean=True):suffix_list += COMMON_PASSWORD_SUFFIXESinfoMsg = "starting dictionary-based cracking (%s)" % __functions__[hash_regex].__name__logger.info(infoMsg)for item in attack_info:((user, _), _) = itemif user and not user.startswith(DUMMY_USER_PREFIX):custom_wordlist.append(normalizeUnicode(user))# Algorithms without extra arguments (e.g. salt and/or username)if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC, HASH.SHA224_GENERIC, HASH.SHA256_GENERIC, HASH.SHA384_GENERIC, HASH.SHA512_GENERIC, HASH.APACHE_SHA1, HASH.VBULLETIN, HASH.VBULLETIN_OLD):for suffix in suffix_list:if not attack_info or processException:breakif suffix:clearConsoleLine()infoMsg = "using suffix '%s'" % suffixlogger.info(infoMsg)retVal = Noneprocesses = []try:if _multiprocessing:if _multiprocessing.cpu_count() > 1:infoMsg = "starting %d processes " % _multiprocessing.cpu_count()singleTimeLogMessage(infoMsg)gc.disable()retVal = _multiprocessing.Queue()count = _multiprocessing.Value('i', _multiprocessing.cpu_count())for i in xrange(_multiprocessing.cpu_count()):process = _multiprocessing.Process(target=_bruteProcessVariantA, args=(attack_info, hash_regex, suffix, retVal, i, count, kb.wordlists, custom_wordlist, conf.api))processes.append(process)for process in processes:process.daemon = Trueprocess.start()while count.value > 0:time.sleep(0.5)else:warnMsg = "multiprocessing hash cracking is currently "warnMsg += "not supported on this platform"singleTimeWarnMessage(warnMsg)retVal = _queue.Queue()_bruteProcessVariantA(attack_info, hash_regex, suffix, retVal, 0, 1, kb.wordlists, custom_wordlist, conf.api)except KeyboardInterrupt:print()processException = TruewarnMsg = "user aborted during dictionary-based attack phase (Ctrl+C was pressed)"logger.warn(warnMsg)for process in processes:try:process.terminate()process.join()except (OSError, AttributeError):passfinally:if _multiprocessing:gc.enable()if retVal:if conf.hashDB:conf.hashDB.beginTransaction()while not retVal.empty():user, hash_, word = item = retVal.get(block=False)attack_info = [_ for _ in attack_info if _[0][0] != user or _[0][1] != hash_]hashDBWrite(hash_, word)results.append(item)if conf.hashDB:conf.hashDB.endTransaction()clearConsoleLine()else:for ((user, hash_), kwargs) in attack_info:if processException:breakif any(_[0] == user and _[1] == hash_ for _ in results):continuecount = 0found = Falsefor suffix in suffix_list:if found or processException:breakif suffix:clearConsoleLine()infoMsg = "using suffix '%s'" % suffixlogger.info(infoMsg)retVal = Noneprocesses = []try:if _multiprocessing:if _multiprocessing.cpu_count() > 1:infoMsg = "starting %d processes " % _multiprocessing.cpu_count()singleTimeLogMessage(infoMsg)gc.disable()retVal = _multiprocessing.Queue()found_ = _multiprocessing.Value('i', False)count = _multiprocessing.Value('i', _multiprocessing.cpu_count())for i in xrange(_multiprocessing.cpu_count()):process = _multiprocessing.Process(target=_bruteProcessVariantB, args=(user, hash_, kwargs, hash_regex, suffix, retVal, found_, i, count, kb.wordlists, custom_wordlist, conf.api))processes.append(process)for process in processes:process.daemon = Trueprocess.start()while count.value > 0:time.sleep(0.5)found = found_.value != 0else:warnMsg = "multiprocessing hash cracking is currently "warnMsg += "not supported on this platform"singleTimeWarnMessage(warnMsg)class Value(object):passretVal = _queue.Queue()found_ = Value()found_.value = False_bruteProcessVariantB(user, hash_, kwargs, hash_regex, suffix, retVal, found_, 0, 1, kb.wordlists, custom_wordlist, conf.api)found = found_.valueexcept KeyboardInterrupt:print()processException = TruewarnMsg = "user aborted during dictionary-based attack phase (Ctrl+C was pressed)"logger.warn(warnMsg)for process in processes:try:process.terminate()process.join()except (OSError, AttributeError):passfinally:if _multiprocessing:gc.enable()if retVal and conf.hashDB:if conf.hashDB:conf.hashDB.beginTransaction()while not retVal.empty():user, hash_, word = item = retVal.get(block=False)hashDBWrite(hash_, word)results.append(item)if conf.hashDB:conf.hashDB.endTransaction()clearConsoleLine()results.extend(resumes)if foundHash and len(hash_regexes) == 0:warnMsg = "unknown hash format"logger.warn(warnMsg)if len(results) == 0:warnMsg = "no clear password(s) found"logger.warn(warnMsg)return resultsdef crackHashFile(hashFile):i = 0attack_dict = {}for line in getFileItems(conf.hashFile):if ':' in line:user, hash_ = line.split(':', 1)attack_dict[user] = [hash_]else:attack_dict["%s%d" % (DUMMY_USER_PREFIX, i)] = [line]i += 1dictionaryAttack(attack_dict)
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。