sqlmap/plugins/dbms/oracle.py

#!/usr/bin/env python

"""
$Id$

This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
                        and Daniele Bellucci <daniele.bellucci@gmail.com>

sqlmap is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation version 2 of the License.

sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
details.

You should have received a copy of the GNU General Public License along
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
"""


import re

from lib.core.common import formatDBMSfp
from lib.core.common import formatOSfp
from lib.core.common import getHtmlErrorFp
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.exception import sqlmapSyntaxException
from lib.core.session import setDbms
from lib.core.settings import ORACLE_ALIASES
from lib.core.settings import ORACLE_SYSTEM_DBS
from lib.core.unescaper import unescaper
from lib.parse.banner import bannerParser
from lib.request import inject
#from lib.utils.fuzzer import passiveFuzzing

from plugins.generic.enumeration import Enumeration
from plugins.generic.filesystem import Filesystem
from plugins.generic.fingerprint import Fingerprint
from plugins.generic.takeover import Takeover


class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
    """
    This class defines Oracle methods
    """


    def __init__(self):
        self.excludeDbsList = ORACLE_SYSTEM_DBS
        Enumeration.__init__(self, "Oracle")

        unescaper.setUnescape(OracleMap.unescape)


    @staticmethod
    def unescape(expression, quote=True):
        if quote:
            while True:
                index = expression.find("'")
                if index == -1:
                    break

                firstIndex = index + 1
                index = expression[firstIndex:].find("'")

                if index == -1:
                    raise sqlmapSyntaxException, "Unenclosed ' in '%s'" % expression

                lastIndex = firstIndex + index
                old = "'%s'" % expression[firstIndex:lastIndex]
                #unescaped = "("
                unescaped = ""

                for i in range(firstIndex, lastIndex):
                    unescaped += "CHR(%d)" % (ord(expression[i]))
                    if i < lastIndex - 1:
                        unescaped += "||"

                #unescaped += ")"
                expression = expression.replace(old, unescaped)
        else:
            expression = "||".join("CHR(%d)" % ord(c) for c in expression)

        return expression


    @staticmethod
    def escape(expression):
        while True:
            index = expression.find("CHR(")
            if index == -1:
                break

            firstIndex = index
            index = expression[firstIndex:].find("))")

            if index == -1:
                raise sqlmapSyntaxException, "Unenclosed ) in '%s'" % expression

            lastIndex = firstIndex + index + 1
            old = expression[firstIndex:lastIndex]
            oldUpper = old.upper()
            oldUpper = oldUpper.replace("CHR(", "").replace(")", "")
            oldUpper = oldUpper.split("||")

            escaped = "'%s'" % "".join([chr(int(char)) for char in oldUpper])
            expression = expression.replace(old, escaped)

        return expression


    def getFingerprint(self):
        value  = "back-end DBMS: "

        if not conf.extensiveFp:
            value += "Oracle"
            return value

        actVer      = formatDBMSfp()
        blank       = " " * 15
        formatInfo  = None
        value      += "active fingerprint: %s" % actVer

        if self.banner:
            info       = bannerParser(self.banner)
            formatInfo = formatOSfp(info)

            banVer = info['version']
            banVer = formatDBMSfp([banVer])
            value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)

        #passiveFuzzing()
        htmlErrorFp = getHtmlErrorFp()

        if htmlErrorFp:
            value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)

        if formatInfo:
            value += "\n%s" % formatInfo

        return value


    def checkDbms(self):
        if conf.dbms in ORACLE_ALIASES:
            setDbms("Oracle")

            if not conf.extensiveFp:
                return True

        logMsg = "testing Oracle"
        logger.info(logMsg)

        query = "LENGTH(SYSDATE)"
        sysdate = inject.getValue(query)

        if sysdate and int(sysdate) > 0:
            logMsg = "confirming Oracle"
            logger.info(logMsg)

            query = "SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1"
            version = inject.getValue(query)

            if not version:
                warnMsg = "the back-end DMBS is not Oracle"
                logger.warn(warnMsg)

                return False

            setDbms("Oracle")

            if not conf.extensiveFp:
                return True

            if re.search("^11", version):
                kb.dbmsVersion = ["11i"]
            elif re.search("^10", version):
                kb.dbmsVersion = ["10g"]
            elif re.search("^9", version):
                kb.dbmsVersion = ["9i"]
            elif re.search("^8", version):
                kb.dbmsVersion = ["8i"]

            if conf.getBanner:
                self.banner = inject.getValue("SELECT banner FROM v$version WHERE ROWNUM=1")

            return True
        else:
            warnMsg = "the back-end DMBS is not Oracle"
            logger.warn(warnMsg)

            return False


    def forceDbmsEnum(self):
        if conf.db:
            conf.db = conf.db.upper()
        else:
            conf.db = "USERS"

            warnMsg  = "on Oracle it is only possible to enumerate "
            warnMsg += "if you provide a TABLESPACE_NAME as database "
            warnMsg += "name. sqlmap is going to use 'USERS' as database "
            warnMsg += "name"
            logger.warn(warnMsg)

        if conf.tbl:
            conf.tbl = conf.tbl.upper()


    def getDbs(self):
        warnMsg = "on Oracle it is not possible to enumerate databases"
        logger.warn(warnMsg)

        return []
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`#!/usr/bin/env python`

			`"""`
propsets.. 2008-10-15 19:56:32 +04:00			$Id$
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`This file is part of the sqlmap project, http://sqlmap.sourceforge.net.`

			`Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>`
			`and Daniele Bellucci <daniele.bellucci@gmail.com>`

			`sqlmap is free software; you can redistribute it and/or modify it under`
			`the terms of the GNU General Public License as published by the Free`
			`Software Foundation version 2 of the License.`

			`sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY`
			`WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS`
			`FOR A PARTICULAR PURPOSE. See the GNU General Public License for more`
			`details.`

			`You should have received a copy of the GNU General Public License along`
			`with sqlmap; if not, write to the Free Software Foundation, Inc., 51`
			`Franklin St, Fifth Floor, Boston, MA 02110-1301 USA`
			`"""`



			`import re`

Minor enhancement to fingerprint the back-end DBMS operating system (type, version, release, distribution, codename and service pack) by parsing the DBMS banner value when both -f and -b are provided: adapted the code and added XML files defining regular expressions for matching. Example of the -f -b output now on MySQL 5.0.67 running on latest Ubuntu: --8<-- back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2 comment injection fingerprint: MySQL 5.0.67 banner parsing fingerprint: MySQL 5.0.67 html error message fingerprint: MySQL back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid) --8<-- 2008-11-16 02:41:31 +03:00			`from lib.core.common import formatDBMSfp`
			`from lib.core.common import formatOSfp`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.common import getHtmlErrorFp`
			`from lib.core.data import conf`
			`from lib.core.data import kb`
			`from lib.core.data import logger`
			`from lib.core.exception import sqlmapSyntaxException`
			`from lib.core.session import setDbms`
			`from lib.core.settings import ORACLE_ALIASES`
			`from lib.core.settings import ORACLE_SYSTEM_DBS`
			`from lib.core.unescaper import unescaper`
Minor enhancement to fingerprint the back-end DBMS operating system (type, version, release, distribution, codename and service pack) by parsing the DBMS banner value when both -f and -b are provided: adapted the code and added XML files defining regular expressions for matching. Example of the -f -b output now on MySQL 5.0.67 running on latest Ubuntu: --8<-- back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2 comment injection fingerprint: MySQL 5.0.67 banner parsing fingerprint: MySQL 5.0.67 html error message fingerprint: MySQL back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid) --8<-- 2008-11-16 02:41:31 +03:00			`from lib.parse.banner import bannerParser`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.request import inject`
			`#from lib.utils.fuzzer import passiveFuzzing`

			`from plugins.generic.enumeration import Enumeration`
			`from plugins.generic.filesystem import Filesystem`
			`from plugins.generic.fingerprint import Fingerprint`
			`from plugins.generic.takeover import Takeover`


			`class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):`
			`"""`
			`This class defines Oracle methods`
			`"""`


			`def __init__(self):`
Minor code restyling 2008-10-26 20:00:07 +03:00			`self.excludeDbsList = ORACLE_SYSTEM_DBS`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`Enumeration.__init__(self, "Oracle")`

			`unescaper.setUnescape(OracleMap.unescape)`


			`@staticmethod`
Major bug fix so that the users' privileges enumeration now works properly also on both MySQL < 5.0 and MySQL >= 5.0 also if the user has provided one or more users with -U option; 2008-11-02 21:17:12 +03:00			`def unescape(expression, quote=True):`
			`if quote:`
			`while True:`
			`index = expression.find("'")`
			`if index == -1:`
			`break`

			`firstIndex = index + 1`
			`index = expression[firstIndex:].find("'")`

			`if index == -1:`
			`raise sqlmapSyntaxException, "Unenclosed ' in '%s'" % expression`

			`lastIndex = firstIndex + index`
			`old = "'%s'" % expression[firstIndex:lastIndex]`
			`#unescaped = "("`
			`unescaped = ""`

			`for i in range(firstIndex, lastIndex):`
			`unescaped += "CHR(%d)" % (ord(expression[i]))`
			`if i < lastIndex - 1:`
			`unescaped += "\|\|"`

			`#unescaped += ")"`
			`expression = expression.replace(old, unescaped)`
			`else:`
			`expression = "\|\|".join("CHR(%d)" % ord(c) for c in expression)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`return expression`


			`@staticmethod`
			`def escape(expression):`
			`while True:`
			`index = expression.find("CHR(")`
			`if index == -1:`
			`break`

			`firstIndex = index`
			`index = expression[firstIndex:].find("))")`

			`if index == -1:`
			`raise sqlmapSyntaxException, "Unenclosed ) in '%s'" % expression`

			`lastIndex = firstIndex + index + 1`
			`old = expression[firstIndex:lastIndex]`
			`oldUpper = old.upper()`
			`oldUpper = oldUpper.replace("CHR(", "").replace(")", "")`
			`oldUpper = oldUpper.split("\|\|")`

			`escaped = "'%s'" % "".join([chr(int(char)) for char in oldUpper])`
			`expression = expression.replace(old, escaped)`

			`return expression`


			`def getFingerprint(self):`
Minor layout adjustments, minor fixes and updated changelog 2008-11-17 03:00:54 +03:00			`value = "back-end DBMS: "`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Minor layout adjustments, minor fixes and updated changelog 2008-11-17 03:00:54 +03:00			`if not conf.extensiveFp:`
			`value += "Oracle"`
			`return value`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Minor layout adjustments, minor fixes and updated changelog 2008-11-17 03:00:54 +03:00			`actVer = formatDBMSfp()`
			`blank = " " * 15`
			`formatInfo = None`
			`value += "active fingerprint: %s" % actVer`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if self.banner:`
Minor enhancement to fingerprint the back-end DBMS operating system (type, version, release, distribution, codename and service pack) by parsing the DBMS banner value when both -f and -b are provided: adapted the code and added XML files defining regular expressions for matching. Example of the -f -b output now on MySQL 5.0.67 running on latest Ubuntu: --8<-- back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2 comment injection fingerprint: MySQL 5.0.67 banner parsing fingerprint: MySQL 5.0.67 html error message fingerprint: MySQL back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid) --8<-- 2008-11-16 02:41:31 +03:00			`info = bannerParser(self.banner)`
			`formatInfo = formatOSfp(info)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Minor enhancement to fingerprint the back-end DBMS operating system (type, version, release, distribution, codename and service pack) by parsing the DBMS banner value when both -f and -b are provided: adapted the code and added XML files defining regular expressions for matching. Example of the -f -b output now on MySQL 5.0.67 running on latest Ubuntu: --8<-- back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2 comment injection fingerprint: MySQL 5.0.67 banner parsing fingerprint: MySQL 5.0.67 html error message fingerprint: MySQL back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid) --8<-- 2008-11-16 02:41:31 +03:00			`banVer = info['version']`
			`banVer = formatDBMSfp([banVer])`
			`value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`#passiveFuzzing()`
Minor layout adjustments, minor fixes and updated changelog 2008-11-17 03:00:54 +03:00			`htmlErrorFp = getHtmlErrorFp()`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Minor layout adjustments, minor fixes and updated changelog 2008-11-17 03:00:54 +03:00			`if htmlErrorFp:`
			`value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Minor enhancement to fingerprint the back-end DBMS operating system (type, version, release, distribution, codename and service pack) by parsing the DBMS banner value when both -f and -b are provided: adapted the code and added XML files defining regular expressions for matching. Example of the -f -b output now on MySQL 5.0.67 running on latest Ubuntu: --8<-- back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2 comment injection fingerprint: MySQL 5.0.67 banner parsing fingerprint: MySQL 5.0.67 html error message fingerprint: MySQL back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid) --8<-- 2008-11-16 02:41:31 +03:00			`if formatInfo:`
			`value += "\n%s" % formatInfo`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`return value`


			`def checkDbms(self):`
			`if conf.dbms in ORACLE_ALIASES:`
			`setDbms("Oracle")`

			`if not conf.extensiveFp:`
			`return True`

			`logMsg = "testing Oracle"`
			`logger.info(logMsg)`

			`query = "LENGTH(SYSDATE)"`
			`sysdate = inject.getValue(query)`

			`if sysdate and int(sysdate) > 0:`
			`logMsg = "confirming Oracle"`
			`logger.info(logMsg)`

Minor enhancement to fingerprint the back-end DBMS operating system (type, version, release, distribution, codename and service pack) by parsing the DBMS banner value when both -f and -b are provided: adapted the code and added XML files defining regular expressions for matching. Example of the -f -b output now on MySQL 5.0.67 running on latest Ubuntu: --8<-- back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2 comment injection fingerprint: MySQL 5.0.67 banner parsing fingerprint: MySQL 5.0.67 html error message fingerprint: MySQL back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid) --8<-- 2008-11-16 02:41:31 +03:00			`query = "SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1"`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`version = inject.getValue(query)`

			`if not version:`
			`warnMsg = "the back-end DMBS is not Oracle"`
			`logger.warn(warnMsg)`

			`return False`

			`setDbms("Oracle")`

			`if not conf.extensiveFp:`
			`return True`

Minor enhancement to fingerprint the back-end DBMS operating system (type, version, release, distribution, codename and service pack) by parsing the DBMS banner value when both -f and -b are provided: adapted the code and added XML files defining regular expressions for matching. Example of the -f -b output now on MySQL 5.0.67 running on latest Ubuntu: --8<-- back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2 comment injection fingerprint: MySQL 5.0.67 banner parsing fingerprint: MySQL 5.0.67 html error message fingerprint: MySQL back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid) --8<-- 2008-11-16 02:41:31 +03:00			`if re.search("^11", version):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`kb.dbmsVersion = ["11i"]`
Minor enhancement to fingerprint the back-end DBMS operating system (type, version, release, distribution, codename and service pack) by parsing the DBMS banner value when both -f and -b are provided: adapted the code and added XML files defining regular expressions for matching. Example of the -f -b output now on MySQL 5.0.67 running on latest Ubuntu: --8<-- back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2 comment injection fingerprint: MySQL 5.0.67 banner parsing fingerprint: MySQL 5.0.67 html error message fingerprint: MySQL back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid) --8<-- 2008-11-16 02:41:31 +03:00			`elif re.search("^10", version):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`kb.dbmsVersion = ["10g"]`
Minor enhancement to fingerprint the back-end DBMS operating system (type, version, release, distribution, codename and service pack) by parsing the DBMS banner value when both -f and -b are provided: adapted the code and added XML files defining regular expressions for matching. Example of the -f -b output now on MySQL 5.0.67 running on latest Ubuntu: --8<-- back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2 comment injection fingerprint: MySQL 5.0.67 banner parsing fingerprint: MySQL 5.0.67 html error message fingerprint: MySQL back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid) --8<-- 2008-11-16 02:41:31 +03:00			`elif re.search("^9", version):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`kb.dbmsVersion = ["9i"]`
Minor enhancement to fingerprint the back-end DBMS operating system (type, version, release, distribution, codename and service pack) by parsing the DBMS banner value when both -f and -b are provided: adapted the code and added XML files defining regular expressions for matching. Example of the -f -b output now on MySQL 5.0.67 running on latest Ubuntu: --8<-- back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2 comment injection fingerprint: MySQL 5.0.67 banner parsing fingerprint: MySQL 5.0.67 html error message fingerprint: MySQL back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid) --8<-- 2008-11-16 02:41:31 +03:00			`elif re.search("^8", version):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`kb.dbmsVersion = ["8i"]`

			`if conf.getBanner:`
			`self.banner = inject.getValue("SELECT banner FROM v$version WHERE ROWNUM=1")`

			`return True`
			`else:`
			`warnMsg = "the back-end DMBS is not Oracle"`
			`logger.warn(warnMsg)`

			`return False`


Major improvement to correctly enumerate tables, columns and dump tables entries on PostgreSQL when the database name is not 'public' or a system database and on Oracle. Minor code restyle. 2008-10-26 19:19:15 +03:00			`def forceDbmsEnum(self):`
			`if conf.db:`
			`conf.db = conf.db.upper()`
			`else:`
			`conf.db = "USERS"`

			`warnMsg = "on Oracle it is only possible to enumerate "`
			`warnMsg += "if you provide a TABLESPACE_NAME as database "`
			`warnMsg += "name. sqlmap is going to use 'USERS' as database "`
			`warnMsg += "name"`
			`logger.warn(warnMsg)`

			`if conf.tbl:`
			`conf.tbl = conf.tbl.upper()`


After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`def getDbs(self):`
Be more user friendly on messages and minor code layout improvement 2008-11-02 21:23:42 +03:00			`warnMsg = "on Oracle it is not possible to enumerate databases"`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`logger.warn(warnMsg)`

			`return []`