sqlmap/plugins/dbms/oracle/enumeration.py

#!/usr/bin/env python

"""
$Id$

Copyright (c) 2006-2011 sqlmap developers (http://www.sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

from lib.core.agent import agent
from lib.core.common import Backend
from lib.core.common import getRange
from lib.core.common import isNoneValue
from lib.core.common import isNumPosStrValue
from lib.core.common import isTechniqueAvailable
from lib.core.common import safeSQLIdentificatorNaming
from lib.core.common import unsafeSQLIdentificatorNaming
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.enums import EXPECTED
from lib.core.enums import PAYLOAD
from lib.core.exception import sqlmapNoneDataException
from lib.request import inject

from plugins.generic.enumeration import Enumeration as GenericEnumeration

class Enumeration(GenericEnumeration):
    def __init__(self):
        GenericEnumeration.__init__(self)

    def getRoles(self, query2=False):
        infoMsg = "fetching database users roles"

        rootQuery = queries[Backend.getIdentifiedDbms()].roles

        if conf.user == "CU":
            infoMsg += " for current user"
            conf.user = self.getCurrentUser()

        logger.info(infoMsg)

        # Set containing the list of DBMS administrators
        areAdmins = set()

        if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct:
            if query2:
                query = rootQuery.inband.query2
                condition = rootQuery.inband.condition2
            else:
                query = rootQuery.inband.query
                condition = rootQuery.inband.condition

            if conf.user:
                users = conf.user.split(",")
                query += " WHERE "
                query += " OR ".join("%s = '%s'" % (condition, user) for user in sorted(users))

            values = inject.getValue(query, blind=False)

            if not values and not query2:
                infoMsg = "trying with table USER_ROLE_PRIVS"
                logger.info(infoMsg)

                return self.getRoles(query2=True)

            if not isNoneValue(values):
                for value in values:
                    user = None
                    roles = set()

                    for count in xrange(0, len(value)):
                        # The first column is always the username
                        if count == 0:
                            user = value[count]

                        # The other columns are the roles
                        else:
                            role = value[count]

                            # In Oracle we get the list of roles as string
                            roles.add(role)

                    if self.__isAdminFromPrivileges(roles):
                        areAdmins.add(user)

                    if kb.data.cachedUsersRoles.has_key(user):
                        kb.data.cachedUsersRoles[user].extend(roles)
                    else:
                        kb.data.cachedUsersRoles[user] = list(roles)

        if not kb.data.cachedUsersRoles and not conf.direct:
            conditionChar = "="

            if conf.user:
                users = conf.user.split(",")
            else:
                if not len(kb.data.cachedUsers):
                    users = self.getUsers()
                else:
                    users = kb.data.cachedUsers

            retrievedUsers = set()

            for user in users:
                unescapedUser = None

                if user in retrievedUsers:
                    continue

                infoMsg = "fetching number of roles "
                infoMsg += "for user '%s'" % user
                logger.info(infoMsg)

                if unescapedUser:
                    queryUser = unescapedUser
                else:
                    queryUser = user

                if query2:
                    query = rootQuery.blind.count2 % queryUser
                else:
                    query = rootQuery.blind.count % queryUser
                count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=2)

                if not isNumPosStrValue(count):
                    if not count.isdigit() and not query2:
                        infoMsg = "trying with table USER_SYS_PRIVS"
                        logger.info(infoMsg)

                        return self.getPrivileges(query2=True)

                    warnMsg = "unable to retrieve the number of "
                    warnMsg += "roles for user '%s'" % user
                    logger.warn(warnMsg)
                    continue

                infoMsg = "fetching roles for user '%s'" % user
                logger.info(infoMsg)

                roles = set()

                indexRange = getRange(count, plusOne=True)

                for index in indexRange:
                    if query2:
                        query = rootQuery.blind.query2 % (queryUser, index)
                    else:
                        query = rootQuery.blind.query % (queryUser, index)
                    role = inject.getValue(query, inband=False, error=False)

                    # In Oracle we get the list of roles as string
                    roles.add(role)

                if roles:
                    kb.data.cachedUsersRoles[user] = list(roles)
                else:
                    warnMsg = "unable to retrieve the roles "
                    warnMsg += "for user '%s'" % user
                    logger.warn(warnMsg)

                retrievedUsers.add(user)

        if not kb.data.cachedUsersRoles:
            errMsg = "unable to retrieve the roles "
            errMsg += "for the database users"
            raise sqlmapNoneDataException, errMsg

        return ( kb.data.cachedUsersRoles, areAdmins )
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`#!/usr/bin/env python`

			`"""`
			$Id$

Changed homepage address 2011-07-08 00:10:03 +04:00			`Copyright (c) 2006-2011 sqlmap developers (http://www.sqlmap.org/)`
sorry, cosmetics 2010-10-15 03:18:29 +04:00			`See the file 'doc/COPYING' for copying permission`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`"""`

Refactor to --search -C and minor bug fix - See #190. 2010-05-17 20:16:49 +04:00			`from lib.core.agent import agent`
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`from lib.core.common import Backend`
Added support to connect directly also to Oracle - see #158 2010-03-28 00:50:19 +03:00			`from lib.core.common import getRange`
fix for a bug reported by viniciusmaxdaloop@gmail.com and few related patches 2011-05-26 12:17:21 +04:00			`from lib.core.common import isNoneValue`
some fixes 2010-12-18 00:45:20 +03:00			`from lib.core.common import isNumPosStrValue`
One more step to fully working UNION exploitation after merge into detection phase 2011-01-12 04:13:32 +03:00			`from lib.core.common import isTechniqueAvailable`
refactoring, cleanup and improvement 2011-03-30 01:54:15 +04:00			`from lib.core.common import safeSQLIdentificatorNaming`
			`from lib.core.common import unsafeSQLIdentificatorNaming`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00			`from lib.core.data import conf`
			`from lib.core.data import kb`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`from lib.core.data import logger`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00			`from lib.core.data import queries`
minor refactoring 2010-12-10 16:04:36 +03:00			`from lib.core.enums import EXPECTED`
Minor bug fix 2011-01-15 13:14:05 +03:00			`from lib.core.enums import PAYLOAD`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00			`from lib.core.exception import sqlmapNoneDataException`
			`from lib.request import inject`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
			`from plugins.generic.enumeration import Enumeration as GenericEnumeration`

			`class Enumeration(GenericEnumeration):`
			`def __init__(self):`
Minor bug fix - restored of so called kb.misc.testedDbms (now kb.misc.fpDbms) to force the DBMS (only) during the fingerprint phase 2011-01-14 14:55:20 +03:00			`GenericEnumeration.__init__(self)`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00			`def getRoles(self, query2=False):`
			`infoMsg = "fetching database users roles"`

refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`rootQuery = queries[Backend.getIdentifiedDbms()].roles`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00
			`if conf.user == "CU":`
			`infoMsg += " for current user"`
			`conf.user = self.getCurrentUser()`

			`logger.info(infoMsg)`

			`# Set containing the list of DBMS administrators`
			`areAdmins = set()`

Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup. 2011-01-19 02:02:11 +03:00			`if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct:`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00			`if query2:`
Minor code restyling 2011-04-30 17:20:05 +04:00			`query = rootQuery.inband.query2`
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO) 2010-10-21 17:13:12 +04:00			`condition = rootQuery.inband.condition2`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00			`else:`
Minor code restyling 2011-04-30 17:20:05 +04:00			`query = rootQuery.inband.query`
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO) 2010-10-21 17:13:12 +04:00			`condition = rootQuery.inband.condition`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00
			`if conf.user:`
			`users = conf.user.split(",")`
			`query += " WHERE "`
minor fix for resuming in multi threading mode 2011-06-18 16:23:18 +04:00			`query += " OR ".join("%s = '%s'" % (condition, user) for user in sorted(users))`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup. 2011-01-19 02:02:11 +03:00			`values = inject.getValue(query, blind=False)`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00
			`if not values and not query2:`
			`infoMsg = "trying with table USER_ROLE_PRIVS"`
			`logger.info(infoMsg)`

			`return self.getRoles(query2=True)`

fix for a bug reported by viniciusmaxdaloop@gmail.com and few related patches 2011-05-26 12:17:21 +04:00			`if not isNoneValue(values):`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00			`for value in values:`
Minor code restyling 2011-04-30 17:20:05 +04:00			`user = None`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00			`roles = set()`

			`for count in xrange(0, len(value)):`
			`# The first column is always the username`
			`if count == 0:`
			`user = value[count]`

			`# The other columns are the roles`
			`else:`
			`role = value[count]`

			`# In Oracle we get the list of roles as string`
			`roles.add(role)`

			`if self.__isAdminFromPrivileges(roles):`
			`areAdmins.add(user)`

			`if kb.data.cachedUsersRoles.has_key(user):`
			`kb.data.cachedUsersRoles[user].extend(roles)`
			`else:`
			`kb.data.cachedUsersRoles[user] = list(roles)`

Added support to directly connect also to Microsoft SQL Server database. Fixed direct connection to always use the same query as of UNION query SQL injection (= one query with multiple columns/entries output). Minor fixes to Firebird/Access/SQLite connectors to use connector's execute()/fetchall() as wrapper for third-party libraries' methods. Forced conf.timeout to 10 seconds when directly connecting to database. Slightly improved regular expression to parse -d parameter. Added import check for all connectors' third-party libraries. Code refactoring: * Moved conf.direct request to direct() function in lib/request/direct.py (code reused where needed). * Back-delegated to generic connector close() and other methods. 2010-03-31 14:50:47 +04:00			`if not kb.data.cachedUsersRoles and not conf.direct:`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00			`conditionChar = "="`

			`if conf.user:`
			`users = conf.user.split(",")`
			`else:`
			`if not len(kb.data.cachedUsers):`
			`users = self.getUsers()`
			`else:`
			`users = kb.data.cachedUsers`

			`retrievedUsers = set()`

			`for user in users:`
			`unescapedUser = None`

			`if user in retrievedUsers:`
			`continue`

Minor code restyling 2011-04-30 17:20:05 +04:00			`infoMsg = "fetching number of roles "`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00			`infoMsg += "for user '%s'" % user`
			`logger.info(infoMsg)`

			`if unescapedUser:`
			`queryUser = unescapedUser`
			`else:`
			`queryUser = user`

			`if query2:`
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO) 2010-10-21 17:13:12 +04:00			`query = rootQuery.blind.count2 % queryUser`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00			`else:`
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO) 2010-10-21 17:13:12 +04:00			`query = rootQuery.blind.count % queryUser`
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup. 2011-01-19 02:02:11 +03:00			`count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=2)`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00
some fixes 2010-12-18 00:45:20 +03:00			`if not isNumPosStrValue(count):`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00			`if not count.isdigit() and not query2:`
			`infoMsg = "trying with table USER_SYS_PRIVS"`
			`logger.info(infoMsg)`

			`return self.getPrivileges(query2=True)`

Minor code restyling 2011-04-30 17:20:05 +04:00			`warnMsg = "unable to retrieve the number of "`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00			`warnMsg += "roles for user '%s'" % user`
			`logger.warn(warnMsg)`
			`continue`

			`infoMsg = "fetching roles for user '%s'" % user`
			`logger.info(infoMsg)`

			`roles = set()`

			`indexRange = getRange(count, plusOne=True)`

			`for index in indexRange:`
			`if query2:`
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO) 2010-10-21 17:13:12 +04:00			`query = rootQuery.blind.query2 % (queryUser, index)`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00			`else:`
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO) 2010-10-21 17:13:12 +04:00			`query = rootQuery.blind.query % (queryUser, index)`
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup. 2011-01-19 02:02:11 +03:00			`role = inject.getValue(query, inband=False, error=False)`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00
			`# In Oracle we get the list of roles as string`
			`roles.add(role)`

			`if roles:`
			`kb.data.cachedUsersRoles[user] = list(roles)`
			`else:`
Minor code restyling 2011-04-30 17:20:05 +04:00			`warnMsg = "unable to retrieve the roles "`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00			`warnMsg += "for user '%s'" % user`
			`logger.warn(warnMsg)`

			`retrievedUsers.add(user)`

			`if not kb.data.cachedUsersRoles:`
Minor code restyling 2011-04-30 17:20:05 +04:00			`errMsg = "unable to retrieve the roles "`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00			`errMsg += "for the database users"`
			`raise sqlmapNoneDataException, errMsg`

			`return ( kb.data.cachedUsersRoles, areAdmins )`