sqlmap/plugins/dbms/access/fingerprint.py

#!/usr/bin/env python

"""
$Id$

Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

import re

from lib.core.common import Backend
from lib.core.common import Format
from lib.core.common import getCurrentThreadData
from lib.core.common import randomInt
from lib.core.common import randomStr
from lib.core.common import wasLastRequestDBMSError
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.enums import DBMS
from lib.core.session import setDbms
from lib.core.settings import ACCESS_ALIASES
from lib.core.settings import METADB_SUFFIX
from lib.request import inject
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint

class Fingerprint(GenericFingerprint):
    def __init__(self):
        GenericFingerprint.__init__(self, DBMS.ACCESS)

    def __sandBoxCheck(self):
        # Reference: http://milw0rm.com/papers/198
        retVal = None
        table = None

        if Backend.isVersionWithin(("97", "2000")):
            table = "MSysAccessObjects"
        elif Backend.isVersionWithin(("2002-2003", "2007")):
            table = "MSysAccessStorage"

        if table is not None:
            result = inject.checkBooleanExpression("EXISTS(SELECT CURDIR() FROM %s)" % table)
            retVal = "not sandboxed" if result else "sandboxed"

        return retVal

    def __sysTablesCheck(self):
        infoMsg = "executing system table(s) existence fingerprint"
        logger.info(infoMsg)

        # Microsoft Access table reference updated on 01/2010
        sysTables = {
                      "97":           ("MSysModules2", "MSysAccessObjects"),
                      "2000" :        ("!MSysModules2", "MSysAccessObjects"),
                      "2002-2003" :   ("MSysAccessStorage", "!MSysNavPaneObjectIDs"),
                      "2007" :        ("MSysAccessStorage", "MSysNavPaneObjectIDs")
                    }
        # MSysAccessXML is not a reliable system table because it doesn't always exist
        # ("Access through Access", p6, should be "normally doesn't exist" instead of "is normally empty")

        for version, tables in sysTables.items():
            exist = True

            for table in tables:
                negate = False

                if table[0] == '!':
                    negate = True
                    table = table[1:]

                randInt = randomInt()
                result = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s WHERE %d=%d)" % (table, randInt, randInt))
                if result is None:
                    result = False

                if negate:
                    result = not result

                exist &= result

                if not exist:
                    break

            if exist:
                return version

        return None

    def __getDatabaseDir(self):
        retVal = None

        infoMsg = "searching for database directory"
        logger.info(infoMsg)

        randInt = randomInt()
        randStr = randomStr()
        _ = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s.%s WHERE %d=%d)" % (randStr, randStr, randInt, randInt))

        if wasLastRequestDBMSError():
            threadData = getCurrentThreadData()
            match = re.search("Could not find file\s+'([^']+?)'", threadData.lastErrorPage[1])

            if match:
                retVal = match.group(1).rstrip("%s.mdb" % randStr)

                if retVal.endswith('\\'):
                    retVal = retVal[:-1]

        return retVal

    def getFingerprint(self):
        value = ""
        wsOsFp = Format.getOs("web server", kb.headersFp)

        if wsOsFp:
            value += "%s\n" % wsOsFp

        if kb.data.banner:
            dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp)

            if dbmsOsFp:
                value += "%s\n" % dbmsOsFp

        value += "back-end DBMS: "

        if not conf.extensiveFp:
            value += DBMS.ACCESS
            return value

        actVer = Format.getDbms() + " (%s)" % (self.__sandBoxCheck())
        blank = " " * 15
        value += "active fingerprint: %s" % actVer

        if kb.bannerFp:
            banVer = kb.bannerFp["dbmsVersion"]

            if re.search("-log$", kb.data.banner):
                banVer += ", logging enabled"

            banVer = Format.getDbms([banVer])
            value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)

        htmlErrorFp = Format.getErrorParsedDBMSes()

        if htmlErrorFp:
            value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)

        value += "\ndatabase directory: '%s'" % self.__getDatabaseDir()

        return value

    def checkDbms(self):
        if not conf.extensiveFp and (Backend.isDbmsWithin(ACCESS_ALIASES) or conf.dbms in ACCESS_ALIASES):
            setDbms(DBMS.ACCESS)

            return True

        infoMsg = "testing %s" % DBMS.ACCESS
        logger.info(infoMsg)

        result = inject.checkBooleanExpression("VAL(CVAR(1))=1")

        if result:
            infoMsg = "confirming %s" % DBMS.ACCESS
            logger.info(infoMsg)

            result = inject.checkBooleanExpression("IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0")

            if not result:
                warnMsg = "the back-end DBMS is not %s" % DBMS.ACCESS
                logger.warn(warnMsg)
                return False

            setDbms(DBMS.ACCESS)

            if not conf.extensiveFp:
                return True

            infoMsg = "actively fingerprinting %s" % DBMS.ACCESS
            logger.info(infoMsg)

            version = self.__sysTablesCheck()

            if version is not None:
                Backend.setVersion(version)

            return True
        else:
            warnMsg = "the back-end DBMS is not %s" % DBMS.ACCESS
            logger.warn(warnMsg)

            return False

    def forceDbmsEnum(self):
        conf.db = ("%s%s" % (DBMS.ACCESS, METADB_SUFFIX)).replace(' ', '_')
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`#!/usr/bin/env python`

			`"""`
			$Id$

updating copyright date 2012-01-11 18:59:46 +04:00			`Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)`
sorry, cosmetics 2010-10-15 03:18:29 +04:00			`See the file 'doc/COPYING' for copying permission`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`"""`

			`import re`

refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`from lib.core.common import Backend`
			`from lib.core.common import Format`
thread based data added 2010-12-21 01:45:01 +03:00			`from lib.core.common import getCurrentThreadData`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`from lib.core.common import randomInt`
one more ms access update 2010-11-02 13:50:57 +03:00			`from lib.core.common import randomStr`
update regarding error parsing (and reporting) 2010-11-16 13:42:42 +03:00			`from lib.core.common import wasLastRequestDBMSError`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`from lib.core.data import conf`
			`from lib.core.data import kb`
			`from lib.core.data import logger`
further refactoring (all enumerations are now put into enums.py) 2010-11-08 12:20:02 +03:00			`from lib.core.enums import DBMS`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`from lib.core.session import setDbms`
			`from lib.core.settings import ACCESS_ALIASES`
blind dumping of tables in sqlite implemented 2010-12-12 01:13:19 +03:00			`from lib.core.settings import METADB_SUFFIX`
update 2010-12-09 14:23:44 +03:00			`from lib.request import inject`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`from plugins.generic.fingerprint import Fingerprint as GenericFingerprint`

			`class Fingerprint(GenericFingerprint):`
			`def __init__(self):`
Minor bug fix - restored of so called kb.misc.testedDbms (now kb.misc.fpDbms) to force the DBMS (only) during the fingerprint phase 2011-01-14 14:55:20 +03:00			`GenericFingerprint.__init__(self, DBMS.ACCESS)`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00
			`def __sandBoxCheck(self):`
			`# Reference: http://milw0rm.com/papers/198`
			`retVal = None`
			`table = None`
Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`if Backend.isVersionWithin(("97", "2000")):`
Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00			`table = "MSysAccessObjects"`
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`elif Backend.isVersionWithin(("2002-2003", "2007")):`
Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00			`table = "MSysAccessStorage"`

			`if table is not None:`
			`result = inject.checkBooleanExpression("EXISTS(SELECT CURDIR() FROM %s)" % table)`
			`retVal = "not sandboxed" if result else "sandboxed"`
one more ms access update 2010-11-02 13:50:57 +03:00
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`return retVal`

			`def __sysTablesCheck(self):`
type correction and adding global flag kb.ignoreTimeout which could be useful 2011-05-22 12:24:13 +04:00			`infoMsg = "executing system table(s) existence fingerprint"`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`logger.info(infoMsg)`
one more ms access update 2010-11-02 13:50:57 +03:00
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`# Microsoft Access table reference updated on 01/2010`
removing of unused imports together with some general code refactoring 2012-02-22 14:40:11 +04:00			`sysTables = {`
Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00			`"97": ("MSysModules2", "MSysAccessObjects"),`
			`"2000" : ("!MSysModules2", "MSysAccessObjects"),`
			`"2002-2003" : ("MSysAccessStorage", "!MSysNavPaneObjectIDs"),`
			`"2007" : ("MSysAccessStorage", "MSysNavPaneObjectIDs")`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`}`
			`# MSysAccessXML is not a reliable system table because it doesn't always exist`
			`# ("Access through Access", p6, should be "normally doesn't exist" instead of "is normally empty")`

			`for version, tables in sysTables.items():`
			`exist = True`
Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`for table in tables:`
			`negate = False`
Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`if table[0] == '!':`
			`negate = True`
			`table = table[1:]`
Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`randInt = randomInt()`
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring. 2010-12-14 00:33:42 +03:00			`result = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s WHERE %d=%d)" % (table, randInt, randInt))`
ms access connector update 2010-03-30 16:48:51 +04:00			`if result is None:`
			`result = False`
Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`if negate:`
			`result = not result`
Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`exist &= result`
Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`if not exist:`
			`break`
Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`if exist:`
			`return version`

			`return None`

one more ms access update 2010-11-02 13:50:57 +03:00			`def __getDatabaseDir(self):`
			`retVal = None`

			`infoMsg = "searching for database directory"`
			`logger.info(infoMsg)`

			`randInt = randomInt()`
			`randStr = randomStr()`
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring. 2010-12-14 00:33:42 +03:00			`_ = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s.%s WHERE %d=%d)" % (randStr, randStr, randInt, randInt))`
one more ms access update 2010-11-02 13:50:57 +03:00
update regarding error parsing (and reporting) 2010-11-16 13:42:42 +03:00			`if wasLastRequestDBMSError():`
thread based data added 2010-12-21 01:45:01 +03:00			`threadData = getCurrentThreadData()`
			`match = re.search("Could not find file\s+'([^']+?)'", threadData.lastErrorPage[1])`
one more ms access update 2010-11-02 13:50:57 +03:00
			`if match:`
			`retVal = match.group(1).rstrip("%s.mdb" % randStr)`

			`if retVal.endswith('\\'):`
			`retVal = retVal[:-1]`

			`return retVal`

Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`def getFingerprint(self):`
Minor code restyling 2011-04-30 17:20:05 +04:00			`value = ""`
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`wsOsFp = Format.getOs("web server", kb.headersFp)`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00
			`if wsOsFp:`
			`value += "%s\n" % wsOsFp`

			`if kb.data.banner:`
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp)`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00
			`if dbmsOsFp:`
			`value += "%s\n" % dbmsOsFp`

Minor code restyling 2011-04-30 17:20:05 +04:00			`value += "back-end DBMS: "`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00
			`if not conf.extensiveFp:`
Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00			`value += DBMS.ACCESS`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`return value`

refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`actVer = Format.getDbms() + " (%s)" % (self.__sandBoxCheck())`
Minor code restyling 2011-04-30 17:20:05 +04:00			`blank = " " * 15`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`value += "active fingerprint: %s" % actVer`

			`if kb.bannerFp:`
			`banVer = kb.bannerFp["dbmsVersion"]`

			`if re.search("-log$", kb.data.banner):`
			`banVer += ", logging enabled"`

refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`banVer = Format.getDbms([banVer])`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)`

refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`htmlErrorFp = Format.getErrorParsedDBMSes()`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00
			`if htmlErrorFp:`
			`value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)`

one more ms access update 2010-11-02 13:50:57 +03:00			`value += "\ndatabase directory: '%s'" % self.__getDatabaseDir()`

Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`return value`

			`def checkDbms(self):`
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`if not conf.extensiveFp and (Backend.isDbmsWithin(ACCESS_ALIASES) or conf.dbms in ACCESS_ALIASES):`
refactoring of hard coded dbms names 2010-11-02 14:59:24 +03:00			`setDbms(DBMS.ACCESS)`
Added support to directly connect also to Microsoft SQL Server database. Fixed direct connection to always use the same query as of UNION query SQL injection (= one query with multiple columns/entries output). Minor fixes to Firebird/Access/SQLite connectors to use connector's execute()/fetchall() as wrapper for third-party libraries' methods. Forced conf.timeout to 10 seconds when directly connecting to database. Slightly improved regular expression to parse -d parameter. Added import check for all connectors' third-party libraries. Code refactoring: * Moved conf.direct request to direct() function in lib/request/direct.py (code reused where needed). * Back-delegated to generic connector close() and other methods. 2010-03-31 14:50:47 +04:00
Minor code refactoring and adjustments - kb.dbms is needed in fingerprint.py, not getIdentifiedDBMS because when checkDbms() method is called, it's within the fingerprint phase and at that stage, getIdentifiedDBMS() would always return kb.misc.fpDbms. 2011-01-14 15:47:07 +03:00			`return True`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00
Minor variable rename 2011-04-30 19:29:59 +04:00			`infoMsg = "testing %s" % DBMS.ACCESS`
			`logger.info(infoMsg)`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring. 2010-12-14 00:33:42 +03:00			`result = inject.checkBooleanExpression("VAL(CVAR(1))=1")`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00
			`if result:`
Minor variable rename 2011-04-30 19:29:59 +04:00			`infoMsg = "confirming %s" % DBMS.ACCESS`
			`logger.info(infoMsg)`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring. 2010-12-14 00:33:42 +03:00			`result = inject.checkBooleanExpression("IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0")`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00
			`if not result:`
Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00			`warnMsg = "the back-end DBMS is not %s" % DBMS.ACCESS`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`logger.warn(warnMsg)`
			`return False`

Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00			`setDbms(DBMS.ACCESS)`
minor ms access update 2010-11-02 13:13:36 +03:00
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`if not conf.extensiveFp:`
			`return True`
minor ms access update 2010-11-02 13:13:36 +03:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00			`infoMsg = "actively fingerprinting %s" % DBMS.ACCESS`
			`logger.info(infoMsg)`

			`version = self.__sysTablesCheck()`

			`if version is not None:`
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`Backend.setVersion(version)`
minor ms access update 2010-11-02 13:13:36 +03:00
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`return True`
			`else:`
Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00			`warnMsg = "the back-end DBMS is not %s" % DBMS.ACCESS`
Ahead with code refactoring, related to r1502. Fixed svn:keywords propset to all .py files. 2010-03-24 00:26:45 +03:00			`logger.warn(warnMsg)`

			`return False`
some updates 2010-11-05 02:08:59 +03:00
			`def forceDbmsEnum(self):`
cosmetics 2011-06-01 00:57:29 +04:00			`conf.db = ("%s%s" % (DBMS.ACCESS, METADB_SUFFIX)).replace(' ', '_')`