From 42ef5618c3277b6d4c3d29f65956773d6922cd0a Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Fri, 31 May 2019 11:57:32 +0200 Subject: [PATCH] Automatically detecting RAW password hashes in table dumps --- lib/core/settings.py | 5 ++++- lib/utils/hash.py | 17 +++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/lib/core/settings.py b/lib/core/settings.py index 7e97029c0..c1f230f9a 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -18,7 +18,7 @@ from lib.core.enums import OS from thirdparty.six import unichr as _unichr # sqlmap version (...) -VERSION = "1.3.5.157" +VERSION = "1.3.5.158" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) @@ -639,6 +639,9 @@ SLOW_ORDER_COUNT_THRESHOLD = 10000 # Give up on hash recognition if nothing was found in first given number of rows HASH_RECOGNITION_QUIT_THRESHOLD = 10000 +# Regular expression used for automatic hex conversion and hash cracking of (RAW) binary column values +HASH_BINARY_COLUMNS_REGEX = r"(?i)pass|psw|hash" + # Maximum number of redirections to any single URL - this is needed because of the state that cookies introduce MAX_SINGLE_URL_REDIRECTIONS = 4 diff --git a/lib/utils/hash.py b/lib/utils/hash.py index ef521fa40..74c8aeecc 100644 --- a/lib/utils/hash.py +++ b/lib/utils/hash.py @@ -82,9 +82,11 @@ from lib.core.settings import COMMON_PASSWORD_SUFFIXES from lib.core.settings import COMMON_USER_COLUMNS from lib.core.settings import DEV_EMAIL_ADDRESS from lib.core.settings import DUMMY_USER_PREFIX +from lib.core.settings import HASH_BINARY_COLUMNS_REGEX from lib.core.settings import HASH_EMPTY_PASSWORD_MARKER from lib.core.settings import HASH_MOD_ITEM_DISPLAY from lib.core.settings import HASH_RECOGNITION_QUIT_THRESHOLD +from lib.core.settings import INVALID_UNICODE_CHAR_FORMAT from lib.core.settings import IS_WIN from lib.core.settings import ITOA64 from lib.core.settings import NULL @@ -634,12 +636,24 @@ def attackDumpedTable(): col_user = '' col_passwords = set() attack_dict = {} + binary_fields = OrderedSet() for column in sorted(columns, key=len, reverse=True): if column and column.lower() in COMMON_USER_COLUMNS: col_user = column break + for column in columns: + if column != "__infos__": + if all(INVALID_UNICODE_CHAR_FORMAT.split('%')[0] in value for value in table[column]["values"]): + binary_fields.add(column) + + if binary_fields: + _ = ','.join(binary_fields) + warnMsg = "potential binary fields detected ('%s'). You are " % _ + warnMsg += "advised to rerun table dump with '--fresh-queries --binary-fields=\"%s\"'" % _ + logger.warn(warnMsg) + for i in xrange(count): if not found and i > HASH_RECOGNITION_QUIT_THRESHOLD: break @@ -653,6 +667,9 @@ def attackDumpedTable(): value = table[column]["values"][i] + if column in binary_fields and re.search(HASH_BINARY_COLUMNS_REGEX, column) is not None: + value = encodeHex(value, binary=False) + if hashRecognition(value): found = True