Automatically detecting RAW password hashes in table dumps

stamparm · stamparm · commit 42ef5618c327 · 2019-05-31T11:57:32.000+02:00
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -18,7 +18,7 @@
 from thirdparty.six import unichr as _unichr
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.3.5.157"
+VERSION = "1.3.5.158"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@@ -639,6 +639,9 @@
 # Give up on hash recognition if nothing was found in first given number of rows
 HASH_RECOGNITION_QUIT_THRESHOLD = 10000
 
+# Regular expression used for automatic hex conversion and hash cracking of (RAW) binary column values
+HASH_BINARY_COLUMNS_REGEX = r"(?i)pass|psw|hash"
+
 # Maximum number of redirections to any single URL - this is needed because of the state that cookies introduce
 MAX_SINGLE_URL_REDIRECTIONS = 4
 
diff --git a/lib/utils/hash.py b/lib/utils/hash.py
@@ -82,9 +82,11 @@
 from lib.core.settings import COMMON_USER_COLUMNS
 from lib.core.settings import DEV_EMAIL_ADDRESS
 from lib.core.settings import DUMMY_USER_PREFIX
+from lib.core.settings import HASH_BINARY_COLUMNS_REGEX
 from lib.core.settings import HASH_EMPTY_PASSWORD_MARKER
 from lib.core.settings import HASH_MOD_ITEM_DISPLAY
 from lib.core.settings import HASH_RECOGNITION_QUIT_THRESHOLD
+from lib.core.settings import INVALID_UNICODE_CHAR_FORMAT
 from lib.core.settings import IS_WIN
 from lib.core.settings import ITOA64
 from lib.core.settings import NULL
@@ -634,12 +636,24 @@ def attackDumpedTable():
         col_user = ''
         col_passwords = set()
         attack_dict = {}
+        binary_fields = OrderedSet()
 
         for column in sorted(columns, key=len, reverse=True):
             if column and column.lower() in COMMON_USER_COLUMNS:
                 col_user = column
                 break
 
+        for column in columns:
+            if column != "__infos__":
+                if all(INVALID_UNICODE_CHAR_FORMAT.split('%')[0] in value for value in table[column]["values"]):
+                    binary_fields.add(column)
+
+        if binary_fields:
+            _ = ','.join(binary_fields)
+            warnMsg = "potential binary fields detected ('%s'). You are " % _
+            warnMsg += "advised to rerun table dump with '--fresh-queries --binary-fields=\"%s\"'" % _
+            logger.warn(warnMsg)
+
         for i in xrange(count):
             if not found and i > HASH_RECOGNITION_QUIT_THRESHOLD:
                 break
@@ -653,6 +667,9 @@ def attackDumpedTable():
 
                 value = table[column]["values"][i]
 
+                if column in binary_fields and re.search(HASH_BINARY_COLUMNS_REGEX, column) is not None:
+                    value = encodeHex(value, binary=False)
+
                 if hashRecognition(value):
                     found = True
 
