2010-03-23 01:57:57 +03:00
|
|
|
#!/usr/bin/env python
|
|
|
|
|
|
|
|
|
|
"""
|
|
|
|
|
$Id$
|
|
|
|
|
|
2010-10-14 18:41:14 +04:00
|
|
|
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
|
2010-10-15 03:18:29 +04:00
|
|
|
See the file 'doc/COPYING' for copying permission
|
2010-03-23 01:57:57 +03:00
|
|
|
"""
|
|
|
|
|
|
2010-05-17 20:16:49 +04:00
|
|
|
from lib.core.agent import agent
|
2011-01-13 20:36:54 +03:00
|
|
|
from lib.core.common import getIdentifiedDBMS
|
2010-03-28 00:50:19 +03:00
|
|
|
from lib.core.common import getRange
|
2010-12-18 00:45:20 +03:00
|
|
|
from lib.core.common import isNumPosStrValue
|
2011-01-12 04:13:32 +03:00
|
|
|
from lib.core.common import isTechniqueAvailable
|
2010-03-25 18:46:06 +03:00
|
|
|
from lib.core.data import conf
|
|
|
|
|
from lib.core.data import kb
|
2010-03-23 01:57:57 +03:00
|
|
|
from lib.core.data import logger
|
2010-03-25 18:46:06 +03:00
|
|
|
from lib.core.data import queries
|
2010-12-10 16:04:36 +03:00
|
|
|
from lib.core.enums import EXPECTED
|
2010-03-25 18:46:06 +03:00
|
|
|
from lib.core.exception import sqlmapNoneDataException
|
|
|
|
|
from lib.request import inject
|
2010-03-23 01:57:57 +03:00
|
|
|
|
|
|
|
|
from plugins.generic.enumeration import Enumeration as GenericEnumeration
|
|
|
|
|
|
|
|
|
|
class Enumeration(GenericEnumeration):
|
|
|
|
|
def __init__(self):
|
2011-01-14 14:55:20 +03:00
|
|
|
GenericEnumeration.__init__(self)
|
2010-03-23 01:57:57 +03:00
|
|
|
|
2010-03-25 18:46:06 +03:00
|
|
|
def getRoles(self, query2=False):
|
|
|
|
|
infoMsg = "fetching database users roles"
|
|
|
|
|
|
2011-01-13 20:36:54 +03:00
|
|
|
rootQuery = queries[getIdentifiedDBMS()].roles
|
2010-03-25 18:46:06 +03:00
|
|
|
|
|
|
|
|
if conf.user == "CU":
|
|
|
|
|
infoMsg += " for current user"
|
|
|
|
|
conf.user = self.getCurrentUser()
|
|
|
|
|
|
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
|
|
# Set containing the list of DBMS administrators
|
|
|
|
|
areAdmins = set()
|
|
|
|
|
|
2011-01-12 04:13:32 +03:00
|
|
|
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
|
2010-03-25 18:46:06 +03:00
|
|
|
if query2:
|
2010-10-21 17:13:12 +04:00
|
|
|
query = rootQuery.inband.query2
|
|
|
|
|
condition = rootQuery.inband.condition2
|
2010-03-25 18:46:06 +03:00
|
|
|
else:
|
2010-10-21 17:13:12 +04:00
|
|
|
query = rootQuery.inband.query
|
|
|
|
|
condition = rootQuery.inband.condition
|
2010-03-25 18:46:06 +03:00
|
|
|
|
|
|
|
|
if conf.user:
|
|
|
|
|
users = conf.user.split(",")
|
|
|
|
|
query += " WHERE "
|
|
|
|
|
query += " OR ".join("%s = '%s'" % (condition, user) for user in users)
|
|
|
|
|
|
2010-10-25 16:25:29 +04:00
|
|
|
values = inject.getValue(query, blind=False, error=False)
|
2010-03-25 18:46:06 +03:00
|
|
|
|
|
|
|
|
if not values and not query2:
|
|
|
|
|
infoMsg = "trying with table USER_ROLE_PRIVS"
|
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
|
|
return self.getRoles(query2=True)
|
|
|
|
|
|
|
|
|
|
if values:
|
|
|
|
|
for value in values:
|
|
|
|
|
user = None
|
|
|
|
|
roles = set()
|
|
|
|
|
|
|
|
|
|
for count in xrange(0, len(value)):
|
|
|
|
|
# The first column is always the username
|
|
|
|
|
if count == 0:
|
|
|
|
|
user = value[count]
|
|
|
|
|
|
|
|
|
|
# The other columns are the roles
|
|
|
|
|
else:
|
|
|
|
|
role = value[count]
|
|
|
|
|
|
|
|
|
|
# In Oracle we get the list of roles as string
|
|
|
|
|
roles.add(role)
|
|
|
|
|
|
|
|
|
|
if self.__isAdminFromPrivileges(roles):
|
|
|
|
|
areAdmins.add(user)
|
|
|
|
|
|
|
|
|
|
if kb.data.cachedUsersRoles.has_key(user):
|
|
|
|
|
kb.data.cachedUsersRoles[user].extend(roles)
|
|
|
|
|
else:
|
|
|
|
|
kb.data.cachedUsersRoles[user] = list(roles)
|
|
|
|
|
|
2010-03-31 14:50:47 +04:00
|
|
|
if not kb.data.cachedUsersRoles and not conf.direct:
|
2010-03-25 18:46:06 +03:00
|
|
|
conditionChar = "="
|
|
|
|
|
|
|
|
|
|
if conf.user:
|
|
|
|
|
users = conf.user.split(",")
|
|
|
|
|
else:
|
|
|
|
|
if not len(kb.data.cachedUsers):
|
|
|
|
|
users = self.getUsers()
|
|
|
|
|
else:
|
|
|
|
|
users = kb.data.cachedUsers
|
|
|
|
|
|
|
|
|
|
retrievedUsers = set()
|
|
|
|
|
|
|
|
|
|
for user in users:
|
|
|
|
|
unescapedUser = None
|
|
|
|
|
|
|
|
|
|
if user in retrievedUsers:
|
|
|
|
|
continue
|
|
|
|
|
|
|
|
|
|
infoMsg = "fetching number of roles "
|
|
|
|
|
infoMsg += "for user '%s'" % user
|
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
|
|
if unescapedUser:
|
|
|
|
|
queryUser = unescapedUser
|
|
|
|
|
else:
|
|
|
|
|
queryUser = user
|
|
|
|
|
|
|
|
|
|
if query2:
|
2010-10-21 17:13:12 +04:00
|
|
|
query = rootQuery.blind.count2 % queryUser
|
2010-03-25 18:46:06 +03:00
|
|
|
else:
|
2010-10-21 17:13:12 +04:00
|
|
|
query = rootQuery.blind.count % queryUser
|
2010-12-10 16:04:36 +03:00
|
|
|
count = inject.getValue(query, inband=False, expected=EXPECTED.INT, charsetType=2)
|
2010-03-25 18:46:06 +03:00
|
|
|
|
2010-12-18 00:45:20 +03:00
|
|
|
if not isNumPosStrValue(count):
|
2010-03-25 18:46:06 +03:00
|
|
|
if not count.isdigit() and not query2:
|
|
|
|
|
infoMsg = "trying with table USER_SYS_PRIVS"
|
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
|
|
return self.getPrivileges(query2=True)
|
|
|
|
|
|
|
|
|
|
warnMsg = "unable to retrieve the number of "
|
|
|
|
|
warnMsg += "roles for user '%s'" % user
|
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
continue
|
|
|
|
|
|
|
|
|
|
infoMsg = "fetching roles for user '%s'" % user
|
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
|
|
roles = set()
|
|
|
|
|
|
|
|
|
|
indexRange = getRange(count, plusOne=True)
|
|
|
|
|
|
|
|
|
|
for index in indexRange:
|
|
|
|
|
if query2:
|
2010-10-21 17:13:12 +04:00
|
|
|
query = rootQuery.blind.query2 % (queryUser, index)
|
2010-03-25 18:46:06 +03:00
|
|
|
else:
|
2010-10-21 17:13:12 +04:00
|
|
|
query = rootQuery.blind.query % (queryUser, index)
|
2010-03-25 18:46:06 +03:00
|
|
|
role = inject.getValue(query, inband=False)
|
|
|
|
|
|
|
|
|
|
# In Oracle we get the list of roles as string
|
|
|
|
|
roles.add(role)
|
|
|
|
|
|
|
|
|
|
if roles:
|
|
|
|
|
kb.data.cachedUsersRoles[user] = list(roles)
|
|
|
|
|
else:
|
|
|
|
|
warnMsg = "unable to retrieve the roles "
|
|
|
|
|
warnMsg += "for user '%s'" % user
|
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
|
|
|
|
|
retrievedUsers.add(user)
|
|
|
|
|
|
|
|
|
|
if not kb.data.cachedUsersRoles:
|
|
|
|
|
errMsg = "unable to retrieve the roles "
|
|
|
|
|
errMsg += "for the database users"
|
|
|
|
|
raise sqlmapNoneDataException, errMsg
|
|
|
|
|
|
|
|
|
|
return ( kb.data.cachedUsersRoles, areAdmins )
|
|
|
|
|
|
2010-03-23 01:57:57 +03:00
|
|
|
def getDbs(self):
|
|
|
|
|
warnMsg = "on Oracle it is not possible to enumerate databases"
|
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
|
|
|
|
|
return []
|
2010-05-07 17:40:57 +04:00
|
|
|
|
|
|
|
|
def searchDb(self):
|
|
|
|
|
warnMsg = "on Oracle it is not possible to search databases"
|
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
|
|
|
|
|
return []
|
2010-05-17 20:16:49 +04:00
|
|
|
|
|
|
|
|
def searchColumn(self):
|
2011-01-13 20:36:54 +03:00
|
|
|
rootQuery = queries[getIdentifiedDBMS()].search_column
|
2010-05-17 20:16:49 +04:00
|
|
|
foundCols = {}
|
|
|
|
|
dbs = { "USERS": {} }
|
|
|
|
|
colList = conf.col.split(",")
|
2010-10-21 17:13:12 +04:00
|
|
|
colCond = rootQuery.inband.condition
|
2010-05-17 20:16:49 +04:00
|
|
|
colConsider, colCondParam = self.likeOrExact("column")
|
|
|
|
|
|
|
|
|
|
for column in colList:
|
|
|
|
|
column = column.upper()
|
|
|
|
|
|
|
|
|
|
infoMsg = "searching column"
|
|
|
|
|
if colConsider == "1":
|
|
|
|
|
infoMsg += "s like"
|
|
|
|
|
infoMsg += " '%s'" % column
|
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
|
|
foundCols[column] = {}
|
|
|
|
|
|
|
|
|
|
colQuery = "%s%s" % (colCond, colCondParam)
|
|
|
|
|
colQuery = colQuery % column
|
|
|
|
|
|
|
|
|
|
for db in dbs.keys():
|
2011-01-12 04:13:32 +03:00
|
|
|
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
|
2010-10-21 17:13:12 +04:00
|
|
|
query = rootQuery.inband.query
|
2010-05-17 20:16:49 +04:00
|
|
|
query += colQuery
|
2010-10-25 16:25:29 +04:00
|
|
|
values = inject.getValue(query, blind=False, error=False)
|
2010-05-17 20:16:49 +04:00
|
|
|
|
|
|
|
|
if values:
|
2010-05-25 14:09:35 +04:00
|
|
|
if isinstance(values, basestring):
|
2010-05-17 20:16:49 +04:00
|
|
|
values = [ values ]
|
|
|
|
|
|
|
|
|
|
for foundTbl in values:
|
|
|
|
|
if foundTbl not in dbs[db]:
|
|
|
|
|
dbs[db][foundTbl] = {}
|
|
|
|
|
|
|
|
|
|
if colConsider == "1":
|
|
|
|
|
conf.db = db
|
|
|
|
|
conf.tbl = foundTbl
|
|
|
|
|
conf.col = column
|
|
|
|
|
|
|
|
|
|
self.getColumns(onlyColNames=True)
|
|
|
|
|
|
|
|
|
|
dbs[db][foundTbl].update(kb.data.cachedColumns[db][foundTbl])
|
|
|
|
|
kb.data.cachedColumns = {}
|
|
|
|
|
else:
|
|
|
|
|
dbs[db][foundTbl][column] = None
|
|
|
|
|
|
|
|
|
|
if db in foundCols[column]:
|
|
|
|
|
foundCols[column][db].append(foundTbl)
|
|
|
|
|
else:
|
|
|
|
|
foundCols[column][db] = [ foundTbl ]
|
|
|
|
|
else:
|
|
|
|
|
foundCols[column][db] = []
|
|
|
|
|
|
|
|
|
|
infoMsg = "fetching number of tables containing column"
|
|
|
|
|
if colConsider == "1":
|
|
|
|
|
infoMsg += "s like"
|
|
|
|
|
infoMsg += " '%s' in database '%s'" % (column, db)
|
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
2010-10-21 17:13:12 +04:00
|
|
|
query = rootQuery.blind.count2
|
2010-05-17 20:16:49 +04:00
|
|
|
query += " WHERE %s" % colQuery
|
2010-12-10 16:04:36 +03:00
|
|
|
count = inject.getValue(query, inband=False, expected=EXPECTED.INT, charsetType=2)
|
2010-05-17 20:16:49 +04:00
|
|
|
|
2010-12-18 00:45:20 +03:00
|
|
|
if not isNumPosStrValue(count):
|
2010-05-17 20:16:49 +04:00
|
|
|
warnMsg = "no tables contain column"
|
|
|
|
|
if colConsider == "1":
|
|
|
|
|
warnMsg += "s like"
|
|
|
|
|
warnMsg += " '%s' " % column
|
|
|
|
|
warnMsg += "in database '%s'" % db
|
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
|
|
|
|
|
continue
|
|
|
|
|
|
|
|
|
|
indexRange = getRange(count)
|
|
|
|
|
|
|
|
|
|
for index in indexRange:
|
2010-10-21 17:13:12 +04:00
|
|
|
query = rootQuery.blind.query2
|
2010-05-17 20:16:49 +04:00
|
|
|
query += " WHERE %s" % colQuery
|
|
|
|
|
query = agent.limitQuery(index, query)
|
|
|
|
|
tbl = inject.getValue(query, inband=False)
|
|
|
|
|
kb.hintValue = tbl
|
|
|
|
|
|
|
|
|
|
if tbl not in dbs[db]:
|
|
|
|
|
dbs[db][tbl] = {}
|
|
|
|
|
|
|
|
|
|
if colConsider == "1":
|
|
|
|
|
conf.db = db
|
|
|
|
|
conf.tbl = tbl
|
|
|
|
|
conf.col = column
|
|
|
|
|
|
|
|
|
|
self.getColumns(onlyColNames=True)
|
|
|
|
|
|
|
|
|
|
dbs[db][tbl].update(kb.data.cachedColumns[db][tbl])
|
|
|
|
|
kb.data.cachedColumns = {}
|
|
|
|
|
else:
|
|
|
|
|
dbs[db][tbl][column] = None
|
|
|
|
|
|
|
|
|
|
foundCols[column][db].append(tbl)
|
|
|
|
|
|
|
|
|
|
self.dumpFoundColumn(dbs, foundCols, colConsider)
|
