2013-02-14 15:32:17 +04:00
|
|
|
#!/usr/bin/env python
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
"""
|
2018-01-02 02:48:10 +03:00
|
|
|
Copyright (c) 2006-2018 sqlmap developers (http://sqlmap.org/)
|
2017-10-11 15:50:46 +03:00
|
|
|
See the file 'LICENSE' for copying permission
|
2012-07-20 22:17:35 +04:00
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
import re
|
|
|
|
|
|
|
|
|
|
from lib.core.agent import agent
|
|
|
|
|
from lib.core.common import arrayizeValue
|
|
|
|
|
from lib.core.common import Backend
|
|
|
|
|
from lib.core.common import filterPairValues
|
|
|
|
|
from lib.core.common import getLimitRange
|
|
|
|
|
from lib.core.common import getUnicode
|
2012-10-25 00:59:46 +04:00
|
|
|
from lib.core.common import isAdminFromPrivileges
|
2012-07-20 22:17:35 +04:00
|
|
|
from lib.core.common import isInferenceAvailable
|
|
|
|
|
from lib.core.common import isNoneValue
|
|
|
|
|
from lib.core.common import isNumPosStrValue
|
|
|
|
|
from lib.core.common import isTechniqueAvailable
|
|
|
|
|
from lib.core.common import parsePasswordHash
|
|
|
|
|
from lib.core.common import readInput
|
|
|
|
|
from lib.core.common import unArrayizeValue
|
2013-01-18 13:44:57 +04:00
|
|
|
from lib.core.convert import hexencode
|
2012-07-20 22:17:35 +04:00
|
|
|
from lib.core.data import conf
|
|
|
|
|
from lib.core.data import kb
|
|
|
|
|
from lib.core.data import logger
|
|
|
|
|
from lib.core.data import queries
|
2016-09-26 15:20:04 +03:00
|
|
|
from lib.core.dicts import DB2_PRIVS
|
|
|
|
|
from lib.core.dicts import FIREBIRD_PRIVS
|
|
|
|
|
from lib.core.dicts import INFORMIX_PRIVS
|
2012-08-21 13:30:01 +04:00
|
|
|
from lib.core.dicts import MYSQL_PRIVS
|
|
|
|
|
from lib.core.dicts import PGSQL_PRIVS
|
2012-07-20 22:17:35 +04:00
|
|
|
from lib.core.enums import CHARSET_TYPE
|
|
|
|
|
from lib.core.enums import DBMS
|
|
|
|
|
from lib.core.enums import EXPECTED
|
|
|
|
|
from lib.core.enums import PAYLOAD
|
2012-12-06 17:14:19 +04:00
|
|
|
from lib.core.exception import SqlmapNoneDataException
|
|
|
|
|
from lib.core.exception import SqlmapUserQuitException
|
2012-07-20 22:17:35 +04:00
|
|
|
from lib.core.threads import getCurrentThreadData
|
|
|
|
|
from lib.request import inject
|
|
|
|
|
from lib.utils.hash import attackCachedUsersPasswords
|
2012-12-04 20:04:32 +04:00
|
|
|
from lib.utils.hash import storeHashesToFile
|
2012-09-10 21:23:24 +04:00
|
|
|
from lib.utils.pivotdumptable import pivotDumpTable
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
class Users:
|
|
|
|
|
"""
|
|
|
|
|
This class defines users' enumeration functionalities for plugins.
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
def __init__(self):
|
|
|
|
|
kb.data.currentUser = ""
|
|
|
|
|
kb.data.isDba = None
|
|
|
|
|
kb.data.cachedUsers = []
|
|
|
|
|
kb.data.cachedUsersPasswords = {}
|
|
|
|
|
kb.data.cachedUsersPrivileges = {}
|
|
|
|
|
kb.data.cachedUsersRoles = {}
|
|
|
|
|
|
|
|
|
|
def getCurrentUser(self):
|
|
|
|
|
infoMsg = "fetching current user"
|
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
|
|
query = queries[Backend.getIdentifiedDbms()].current_user.query
|
|
|
|
|
|
|
|
|
|
if not kb.data.currentUser:
|
|
|
|
|
kb.data.currentUser = unArrayizeValue(inject.getValue(query))
|
|
|
|
|
|
|
|
|
|
return kb.data.currentUser
|
|
|
|
|
|
|
|
|
|
def isDba(self, user=None):
|
|
|
|
|
infoMsg = "testing if current user is DBA"
|
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
|
|
if Backend.isDbms(DBMS.MYSQL):
|
|
|
|
|
self.getCurrentUser()
|
|
|
|
|
query = queries[Backend.getIdentifiedDbms()].is_dba.query % (kb.data.currentUser.split("@")[0] if kb.data.currentUser else None)
|
|
|
|
|
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and user is not None:
|
|
|
|
|
query = queries[Backend.getIdentifiedDbms()].is_dba.query2 % user
|
|
|
|
|
else:
|
|
|
|
|
query = queries[Backend.getIdentifiedDbms()].is_dba.query
|
|
|
|
|
|
|
|
|
|
query = agent.forgeCaseStatement(query)
|
2013-02-12 16:04:42 +04:00
|
|
|
kb.data.isDba = inject.checkBooleanExpression(query) or False
|
2012-07-20 22:17:35 +04:00
|
|
|
|
2012-09-13 12:20:24 +04:00
|
|
|
return kb.data.isDba
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
def getUsers(self):
|
|
|
|
|
infoMsg = "fetching database users"
|
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
|
|
rootQuery = queries[Backend.getIdentifiedDbms()].users
|
|
|
|
|
|
|
|
|
|
condition = (Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")))
|
|
|
|
|
condition |= (Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema)
|
|
|
|
|
|
2012-12-05 13:45:17 +04:00
|
|
|
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
|
2012-07-20 22:17:35 +04:00
|
|
|
if condition:
|
|
|
|
|
query = rootQuery.inband.query2
|
|
|
|
|
else:
|
|
|
|
|
query = rootQuery.inband.query
|
2012-12-21 13:15:42 +04:00
|
|
|
values = inject.getValue(query, blind=False, time=False)
|
2012-07-20 22:17:35 +04:00
|
|
|
|
2012-12-21 13:15:42 +04:00
|
|
|
if not isNoneValue(values):
|
2014-11-06 13:41:10 +03:00
|
|
|
kb.data.cachedUsers = []
|
|
|
|
|
for value in arrayizeValue(values):
|
2014-12-03 10:46:02 +03:00
|
|
|
value = unArrayizeValue(value)
|
|
|
|
|
if not isNoneValue(value):
|
|
|
|
|
kb.data.cachedUsers.append(value)
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
if not kb.data.cachedUsers and isInferenceAvailable() and not conf.direct:
|
|
|
|
|
infoMsg = "fetching number of database users"
|
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
|
|
if condition:
|
|
|
|
|
query = rootQuery.blind.count2
|
|
|
|
|
else:
|
|
|
|
|
query = rootQuery.blind.count
|
2012-10-25 11:56:36 +04:00
|
|
|
|
2012-10-28 02:36:09 +04:00
|
|
|
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
2012-07-20 22:17:35 +04:00
|
|
|
|
2014-08-20 01:56:04 +04:00
|
|
|
if count == 0:
|
|
|
|
|
return kb.data.cachedUsers
|
|
|
|
|
elif not isNumPosStrValue(count):
|
2012-07-20 22:17:35 +04:00
|
|
|
errMsg = "unable to retrieve the number of database users"
|
2013-01-04 02:20:55 +04:00
|
|
|
raise SqlmapNoneDataException(errMsg)
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
plusOne = Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2)
|
|
|
|
|
indexRange = getLimitRange(count, plusOne=plusOne)
|
|
|
|
|
|
|
|
|
|
for index in indexRange:
|
|
|
|
|
if Backend.getIdentifiedDbms() in (DBMS.SYBASE, DBMS.MAXDB):
|
|
|
|
|
query = rootQuery.blind.query % (kb.data.cachedUsers[-1] if kb.data.cachedUsers else " ")
|
|
|
|
|
elif condition:
|
|
|
|
|
query = rootQuery.blind.query2 % index
|
|
|
|
|
else:
|
|
|
|
|
query = rootQuery.blind.query % index
|
2012-12-21 13:15:42 +04:00
|
|
|
user = unArrayizeValue(inject.getValue(query, union=False, error=False))
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
if user:
|
|
|
|
|
kb.data.cachedUsers.append(user)
|
|
|
|
|
|
|
|
|
|
if not kb.data.cachedUsers:
|
|
|
|
|
errMsg = "unable to retrieve the database users"
|
2013-01-21 21:11:46 +04:00
|
|
|
logger.error(errMsg)
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
return kb.data.cachedUsers
|
|
|
|
|
|
|
|
|
|
def getPasswordHashes(self):
|
|
|
|
|
infoMsg = "fetching database users password hashes"
|
|
|
|
|
|
|
|
|
|
rootQuery = queries[Backend.getIdentifiedDbms()].passwords
|
|
|
|
|
|
|
|
|
|
if conf.user == "CU":
|
|
|
|
|
infoMsg += " for current user"
|
|
|
|
|
conf.user = self.getCurrentUser()
|
|
|
|
|
|
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
|
|
if conf.user and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
|
|
|
|
|
conf.user = conf.user.upper()
|
|
|
|
|
|
|
|
|
|
if conf.user:
|
2017-04-18 16:56:24 +03:00
|
|
|
users = conf.user.split(',')
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
if Backend.isDbms(DBMS.MYSQL):
|
|
|
|
|
for user in users:
|
2017-10-31 13:38:09 +03:00
|
|
|
parsedUser = re.search(r"['\"]?(.*?)['\"]?\@", user)
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
if parsedUser:
|
|
|
|
|
users[users.index(user)] = parsedUser.groups()[0]
|
|
|
|
|
else:
|
|
|
|
|
users = []
|
|
|
|
|
|
|
|
|
|
users = filter(None, users)
|
|
|
|
|
|
2012-12-05 13:45:17 +04:00
|
|
|
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
|
2012-07-20 22:17:35 +04:00
|
|
|
if Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")):
|
|
|
|
|
query = rootQuery.inband.query2
|
|
|
|
|
else:
|
|
|
|
|
query = rootQuery.inband.query
|
|
|
|
|
|
|
|
|
|
condition = rootQuery.inband.condition
|
|
|
|
|
|
|
|
|
|
if conf.user:
|
|
|
|
|
query += " WHERE "
|
|
|
|
|
query += " OR ".join("%s = '%s'" % (condition, user) for user in sorted(users))
|
|
|
|
|
|
|
|
|
|
if Backend.isDbms(DBMS.SYBASE):
|
|
|
|
|
getCurrentThreadData().disableStdOut = True
|
|
|
|
|
|
2018-09-22 00:06:45 +03:00
|
|
|
retVal = pivotDumpTable("(%s) AS %s" % (query, kb.aliasName), ['%s.name' % kb.aliasName, '%s.password' % kb.aliasName], blind=False)
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
if retVal:
|
2018-09-22 00:06:45 +03:00
|
|
|
for user, password in filterPairValues(zip(retVal[0]["%s.name" % kb.aliasName], retVal[0]["%s.password" % kb.aliasName])):
|
2012-07-20 22:17:35 +04:00
|
|
|
if user not in kb.data.cachedUsersPasswords:
|
|
|
|
|
kb.data.cachedUsersPasswords[user] = [password]
|
|
|
|
|
else:
|
|
|
|
|
kb.data.cachedUsersPasswords[user].append(password)
|
|
|
|
|
|
|
|
|
|
getCurrentThreadData().disableStdOut = False
|
|
|
|
|
else:
|
2012-12-21 13:15:42 +04:00
|
|
|
values = inject.getValue(query, blind=False, time=False)
|
2012-07-20 22:17:35 +04:00
|
|
|
|
2012-12-21 13:15:42 +04:00
|
|
|
for user, password in filterPairValues(values):
|
2012-07-20 22:17:35 +04:00
|
|
|
if not user or user == " ":
|
|
|
|
|
continue
|
|
|
|
|
|
|
|
|
|
password = parsePasswordHash(password)
|
|
|
|
|
|
|
|
|
|
if user not in kb.data.cachedUsersPasswords:
|
|
|
|
|
kb.data.cachedUsersPasswords[user] = [password]
|
|
|
|
|
else:
|
|
|
|
|
kb.data.cachedUsersPasswords[user].append(password)
|
|
|
|
|
|
|
|
|
|
if not kb.data.cachedUsersPasswords and isInferenceAvailable() and not conf.direct:
|
|
|
|
|
if not len(users):
|
|
|
|
|
users = self.getUsers()
|
|
|
|
|
|
|
|
|
|
if Backend.isDbms(DBMS.MYSQL):
|
|
|
|
|
for user in users:
|
2017-10-31 13:38:09 +03:00
|
|
|
parsedUser = re.search(r"['\"]?(.*?)['\"]?\@", user)
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
if parsedUser:
|
|
|
|
|
users[users.index(user)] = parsedUser.groups()[0]
|
|
|
|
|
|
|
|
|
|
if Backend.isDbms(DBMS.SYBASE):
|
|
|
|
|
getCurrentThreadData().disableStdOut = True
|
|
|
|
|
|
|
|
|
|
query = rootQuery.inband.query
|
|
|
|
|
|
2018-09-22 00:06:45 +03:00
|
|
|
retVal = pivotDumpTable("(%s) AS %s" % (query, kb.aliasName), ['%s.name' % kb.aliasName, '%s.password' % kb.aliasName], blind=True)
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
if retVal:
|
2018-09-22 00:06:45 +03:00
|
|
|
for user, password in filterPairValues(zip(retVal[0]["%s.name" % kb.aliasName], retVal[0]["%s.password" % kb.aliasName])):
|
2017-09-21 15:35:24 +03:00
|
|
|
password = "0x%s" % hexencode(password, conf.encoding).upper()
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
if user not in kb.data.cachedUsersPasswords:
|
|
|
|
|
kb.data.cachedUsersPasswords[user] = [password]
|
|
|
|
|
else:
|
|
|
|
|
kb.data.cachedUsersPasswords[user].append(password)
|
|
|
|
|
|
|
|
|
|
getCurrentThreadData().disableStdOut = False
|
|
|
|
|
else:
|
|
|
|
|
retrievedUsers = set()
|
|
|
|
|
|
|
|
|
|
for user in users:
|
2013-06-01 15:44:27 +04:00
|
|
|
user = unArrayizeValue(user)
|
|
|
|
|
|
2012-07-20 22:17:35 +04:00
|
|
|
if user in retrievedUsers:
|
|
|
|
|
continue
|
|
|
|
|
|
2016-09-26 17:38:03 +03:00
|
|
|
if Backend.isDbms(DBMS.INFORMIX):
|
|
|
|
|
count = 1
|
2012-07-20 22:17:35 +04:00
|
|
|
else:
|
2016-09-26 17:38:03 +03:00
|
|
|
infoMsg = "fetching number of password hashes "
|
|
|
|
|
infoMsg += "for user '%s'" % user
|
|
|
|
|
logger.info(infoMsg)
|
2012-10-25 11:56:36 +04:00
|
|
|
|
2016-09-26 17:38:03 +03:00
|
|
|
if Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")):
|
|
|
|
|
query = rootQuery.blind.count2 % user
|
|
|
|
|
else:
|
|
|
|
|
query = rootQuery.blind.count % user
|
2012-07-20 22:17:35 +04:00
|
|
|
|
2016-09-26 17:38:03 +03:00
|
|
|
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
|
|
|
|
|
|
|
|
|
if not isNumPosStrValue(count):
|
|
|
|
|
warnMsg = "unable to retrieve the number of password "
|
|
|
|
|
warnMsg += "hashes for user '%s'" % user
|
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
continue
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
infoMsg = "fetching password hashes for user '%s'" % user
|
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
|
|
passwords = []
|
|
|
|
|
|
|
|
|
|
plusOne = Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2)
|
|
|
|
|
indexRange = getLimitRange(count, plusOne=plusOne)
|
|
|
|
|
|
|
|
|
|
for index in indexRange:
|
|
|
|
|
if Backend.isDbms(DBMS.MSSQL):
|
|
|
|
|
if Backend.isVersionWithin(("2005", "2008")):
|
|
|
|
|
query = rootQuery.blind.query2 % (user, index, user)
|
|
|
|
|
else:
|
|
|
|
|
query = rootQuery.blind.query % (user, index, user)
|
2016-09-26 17:38:03 +03:00
|
|
|
elif Backend.isDbms(DBMS.INFORMIX):
|
|
|
|
|
query = rootQuery.blind.query % (user,)
|
2018-11-19 11:44:13 +03:00
|
|
|
elif Backend.isDbms(DBMS.HSQLDB):
|
|
|
|
|
query = rootQuery.blind.query % (index, user)
|
2012-07-20 22:17:35 +04:00
|
|
|
else:
|
|
|
|
|
query = rootQuery.blind.query % (user, index)
|
2012-10-25 11:56:36 +04:00
|
|
|
|
2012-12-21 13:15:42 +04:00
|
|
|
password = unArrayizeValue(inject.getValue(query, union=False, error=False))
|
2012-07-20 22:17:35 +04:00
|
|
|
password = parsePasswordHash(password)
|
2016-09-26 17:38:03 +03:00
|
|
|
|
2012-07-20 22:17:35 +04:00
|
|
|
passwords.append(password)
|
|
|
|
|
|
|
|
|
|
if passwords:
|
|
|
|
|
kb.data.cachedUsersPasswords[user] = passwords
|
|
|
|
|
else:
|
|
|
|
|
warnMsg = "unable to retrieve the password "
|
|
|
|
|
warnMsg += "hashes for user '%s'" % user
|
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
|
|
|
|
|
retrievedUsers.add(user)
|
|
|
|
|
|
|
|
|
|
if not kb.data.cachedUsersPasswords:
|
|
|
|
|
errMsg = "unable to retrieve the password hashes for the "
|
2017-12-04 15:59:35 +03:00
|
|
|
errMsg += "database users (probably because the DBMS "
|
|
|
|
|
errMsg += "current user has no read privileges over the relevant "
|
|
|
|
|
errMsg += "system database table(s))"
|
2013-02-11 22:07:58 +04:00
|
|
|
logger.error(errMsg)
|
2012-07-20 22:17:35 +04:00
|
|
|
else:
|
|
|
|
|
for user in kb.data.cachedUsersPasswords:
|
|
|
|
|
kb.data.cachedUsersPasswords[user] = list(set(kb.data.cachedUsersPasswords[user]))
|
|
|
|
|
|
2013-02-11 22:07:58 +04:00
|
|
|
storeHashesToFile(kb.data.cachedUsersPasswords)
|
2012-12-04 20:04:32 +04:00
|
|
|
|
2013-02-11 22:07:58 +04:00
|
|
|
message = "do you want to perform a dictionary-based attack "
|
|
|
|
|
message += "against retrieved password hashes? [Y/n/q]"
|
2017-04-19 15:46:27 +03:00
|
|
|
choice = readInput(message, default='Y').upper()
|
2012-07-20 22:17:35 +04:00
|
|
|
|
2017-04-18 16:48:05 +03:00
|
|
|
if choice == 'N':
|
2013-02-11 22:07:58 +04:00
|
|
|
pass
|
2017-04-18 16:48:05 +03:00
|
|
|
elif choice == 'Q':
|
2013-02-11 22:07:58 +04:00
|
|
|
raise SqlmapUserQuitException
|
|
|
|
|
else:
|
|
|
|
|
attackCachedUsersPasswords()
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
return kb.data.cachedUsersPasswords
|
|
|
|
|
|
|
|
|
|
def getPrivileges(self, query2=False):
|
|
|
|
|
infoMsg = "fetching database users privileges"
|
|
|
|
|
|
|
|
|
|
rootQuery = queries[Backend.getIdentifiedDbms()].privileges
|
|
|
|
|
|
|
|
|
|
if conf.user == "CU":
|
|
|
|
|
infoMsg += " for current user"
|
|
|
|
|
conf.user = self.getCurrentUser()
|
|
|
|
|
|
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
|
|
if conf.user and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
|
|
|
|
|
conf.user = conf.user.upper()
|
|
|
|
|
|
|
|
|
|
if conf.user:
|
2017-04-18 16:48:05 +03:00
|
|
|
users = conf.user.split(',')
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
if Backend.isDbms(DBMS.MYSQL):
|
|
|
|
|
for user in users:
|
2017-10-31 13:38:09 +03:00
|
|
|
parsedUser = re.search(r"['\"]?(.*?)['\"]?\@", user)
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
if parsedUser:
|
|
|
|
|
users[users.index(user)] = parsedUser.groups()[0]
|
|
|
|
|
else:
|
|
|
|
|
users = []
|
|
|
|
|
|
|
|
|
|
users = filter(None, users)
|
|
|
|
|
|
|
|
|
|
# Set containing the list of DBMS administrators
|
|
|
|
|
areAdmins = set()
|
|
|
|
|
|
2013-01-14 14:24:45 +04:00
|
|
|
if not kb.data.cachedUsersPrivileges and any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
|
2012-07-20 22:17:35 +04:00
|
|
|
if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
|
|
|
|
|
query = rootQuery.inband.query2
|
|
|
|
|
condition = rootQuery.inband.condition2
|
|
|
|
|
elif Backend.isDbms(DBMS.ORACLE) and query2:
|
|
|
|
|
query = rootQuery.inband.query2
|
|
|
|
|
condition = rootQuery.inband.condition2
|
|
|
|
|
else:
|
|
|
|
|
query = rootQuery.inband.query
|
|
|
|
|
condition = rootQuery.inband.condition
|
|
|
|
|
|
|
|
|
|
if conf.user:
|
|
|
|
|
query += " WHERE "
|
|
|
|
|
|
|
|
|
|
if Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema:
|
|
|
|
|
query += " OR ".join("%s LIKE '%%%s%%'" % (condition, user) for user in sorted(users))
|
|
|
|
|
else:
|
|
|
|
|
query += " OR ".join("%s = '%s'" % (condition, user) for user in sorted(users))
|
|
|
|
|
|
2012-10-28 01:16:25 +04:00
|
|
|
values = inject.getValue(query, blind=False, time=False)
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
if not values and Backend.isDbms(DBMS.ORACLE) and not query2:
|
|
|
|
|
infoMsg = "trying with table USER_SYS_PRIVS"
|
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
|
|
return self.getPrivileges(query2=True)
|
|
|
|
|
|
|
|
|
|
if not isNoneValue(values):
|
|
|
|
|
for value in values:
|
|
|
|
|
user = None
|
|
|
|
|
privileges = set()
|
|
|
|
|
|
2017-07-05 12:31:42 +03:00
|
|
|
for count in xrange(0, len(value or [])):
|
2012-07-20 22:17:35 +04:00
|
|
|
# The first column is always the username
|
|
|
|
|
if count == 0:
|
|
|
|
|
user = value[count]
|
|
|
|
|
|
|
|
|
|
# The other columns are the privileges
|
|
|
|
|
else:
|
|
|
|
|
privilege = value[count]
|
|
|
|
|
|
2013-10-16 13:25:26 +04:00
|
|
|
if privilege is None:
|
|
|
|
|
continue
|
|
|
|
|
|
2012-07-20 22:17:35 +04:00
|
|
|
# In PostgreSQL we get 1 if the privilege is
|
|
|
|
|
# True, 0 otherwise
|
|
|
|
|
if Backend.isDbms(DBMS.PGSQL) and getUnicode(privilege).isdigit():
|
|
|
|
|
if int(privilege) == 1:
|
2012-08-21 13:30:01 +04:00
|
|
|
privileges.add(PGSQL_PRIVS[count])
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
# In MySQL >= 5.0 and Oracle we get the list
|
|
|
|
|
# of privileges as string
|
|
|
|
|
elif Backend.isDbms(DBMS.ORACLE) or (Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema):
|
|
|
|
|
privileges.add(privilege)
|
|
|
|
|
|
|
|
|
|
# In MySQL < 5.0 we get Y if the privilege is
|
|
|
|
|
# True, N otherwise
|
|
|
|
|
elif Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
|
|
|
|
|
if privilege.upper() == "Y":
|
2012-08-21 13:30:01 +04:00
|
|
|
privileges.add(MYSQL_PRIVS[count])
|
2012-07-20 22:17:35 +04:00
|
|
|
|
2013-01-21 19:46:48 +04:00
|
|
|
# In Firebird we get one letter for each privilege
|
|
|
|
|
elif Backend.isDbms(DBMS.FIREBIRD):
|
2017-05-29 11:57:27 +03:00
|
|
|
if privilege.strip() in FIREBIRD_PRIVS:
|
|
|
|
|
privileges.add(FIREBIRD_PRIVS[privilege.strip()])
|
2013-01-21 19:46:48 +04:00
|
|
|
|
2012-07-20 22:17:35 +04:00
|
|
|
# In DB2 we get Y or G if the privilege is
|
|
|
|
|
# True, N otherwise
|
|
|
|
|
elif Backend.isDbms(DBMS.DB2):
|
2017-04-18 16:56:24 +03:00
|
|
|
privs = privilege.split(',')
|
2012-07-20 22:17:35 +04:00
|
|
|
privilege = privs[0]
|
2014-12-18 17:13:44 +03:00
|
|
|
if len(privs) > 1:
|
|
|
|
|
privs = privs[1]
|
|
|
|
|
privs = list(privs.strip())
|
|
|
|
|
i = 1
|
|
|
|
|
|
|
|
|
|
for priv in privs:
|
|
|
|
|
if priv.upper() in ("Y", "G"):
|
|
|
|
|
for position, db2Priv in DB2_PRIVS.items():
|
|
|
|
|
if position == i:
|
|
|
|
|
privilege += ", " + db2Priv
|
|
|
|
|
|
|
|
|
|
i += 1
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
privileges.add(privilege)
|
|
|
|
|
|
|
|
|
|
if user in kb.data.cachedUsersPrivileges:
|
2012-12-18 15:43:23 +04:00
|
|
|
kb.data.cachedUsersPrivileges[user] = list(privileges.union(kb.data.cachedUsersPrivileges[user]))
|
2012-07-20 22:17:35 +04:00
|
|
|
else:
|
|
|
|
|
kb.data.cachedUsersPrivileges[user] = list(privileges)
|
|
|
|
|
|
|
|
|
|
if not kb.data.cachedUsersPrivileges and isInferenceAvailable() and not conf.direct:
|
|
|
|
|
if Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema:
|
2014-08-13 15:32:17 +04:00
|
|
|
conditionChar = "LIKE"
|
2012-07-20 22:17:35 +04:00
|
|
|
else:
|
|
|
|
|
conditionChar = "="
|
|
|
|
|
|
|
|
|
|
if not len(users):
|
|
|
|
|
users = self.getUsers()
|
|
|
|
|
|
|
|
|
|
if Backend.isDbms(DBMS.MYSQL):
|
|
|
|
|
for user in users:
|
2017-10-31 13:38:09 +03:00
|
|
|
parsedUser = re.search(r"['\"]?(.*?)['\"]?\@", user)
|
2012-07-20 22:17:35 +04:00
|
|
|
|
|
|
|
|
if parsedUser:
|
|
|
|
|
users[users.index(user)] = parsedUser.groups()[0]
|
|
|
|
|
|
|
|
|
|
retrievedUsers = set()
|
|
|
|
|
|
|
|
|
|
for user in users:
|
2012-12-17 17:51:46 +04:00
|
|
|
outuser = user
|
2012-07-20 22:17:35 +04:00
|
|
|
if user in retrievedUsers:
|
|
|
|
|
continue
|
|
|
|
|
|
|
|
|
|
if Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema:
|
|
|
|
|
user = "%%%s%%" % user
|
|
|
|
|
|
2016-09-26 15:20:04 +03:00
|
|
|
if Backend.isDbms(DBMS.INFORMIX):
|
|
|
|
|
count = 1
|
2012-07-20 22:17:35 +04:00
|
|
|
else:
|
2016-09-26 15:20:04 +03:00
|
|
|
infoMsg = "fetching number of privileges "
|
|
|
|
|
infoMsg += "for user '%s'" % outuser
|
|
|
|
|
logger.info(infoMsg)
|
2012-10-25 11:56:36 +04:00
|
|
|
|
2016-09-26 15:20:04 +03:00
|
|
|
if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
|
|
|
|
|
query = rootQuery.blind.count2 % user
|
|
|
|
|
elif Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema:
|
|
|
|
|
query = rootQuery.blind.count % (conditionChar, user)
|
|
|
|
|
elif Backend.isDbms(DBMS.ORACLE) and query2:
|
|
|
|
|
query = rootQuery.blind.count2 % user
|
|
|
|
|
else:
|
|
|
|
|
query = rootQuery.blind.count % user
|
|
|
|
|
|
|
|
|
|
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
2012-07-20 22:17:35 +04:00
|
|
|
|
2016-09-26 15:20:04 +03:00
|
|
|
if not isNumPosStrValue(count):
|
|
|
|
|
if not retrievedUsers and Backend.isDbms(DBMS.ORACLE) and not query2:
|
|
|
|
|
infoMsg = "trying with table USER_SYS_PRIVS"
|
|
|
|
|
logger.info(infoMsg)
|
2012-07-20 22:17:35 +04:00
|
|
|
|
2016-09-26 15:20:04 +03:00
|
|
|
return self.getPrivileges(query2=True)
|
2012-07-20 22:17:35 +04:00
|
|
|
|
2016-09-26 15:20:04 +03:00
|
|
|
warnMsg = "unable to retrieve the number of "
|
|
|
|
|
warnMsg += "privileges for user '%s'" % outuser
|
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
continue
|
2012-07-20 22:17:35 +04:00
|
|
|
|
2012-12-17 17:51:46 +04:00
|
|
|
infoMsg = "fetching privileges for user '%s'" % outuser
|
2012-07-20 22:17:35 +04:00
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
|
|
privileges = set()
|
|
|
|
|
|
|
|
|
|
plusOne = Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2)
|
|
|
|
|
indexRange = getLimitRange(count, plusOne=plusOne)
|
|
|
|
|
|
|
|
|
|
for index in indexRange:
|
|
|
|
|
if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
|
|
|
|
|
query = rootQuery.blind.query2 % (user, index)
|
|
|
|
|
elif Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema:
|
|
|
|
|
query = rootQuery.blind.query % (conditionChar, user, index)
|
|
|
|
|
elif Backend.isDbms(DBMS.ORACLE) and query2:
|
|
|
|
|
query = rootQuery.blind.query2 % (user, index)
|
|
|
|
|
elif Backend.isDbms(DBMS.FIREBIRD):
|
|
|
|
|
query = rootQuery.blind.query % (index, user)
|
2016-09-26 15:20:04 +03:00
|
|
|
elif Backend.isDbms(DBMS.INFORMIX):
|
|
|
|
|
query = rootQuery.blind.query % (user,)
|
2012-07-20 22:17:35 +04:00
|
|
|
else:
|
|
|
|
|
query = rootQuery.blind.query % (user, index)
|
2013-10-16 13:25:26 +04:00
|
|
|
|
2012-12-21 13:15:42 +04:00
|
|
|
privilege = unArrayizeValue(inject.getValue(query, union=False, error=False))
|
2012-07-20 22:17:35 +04:00
|
|
|
|
2013-10-16 13:25:26 +04:00
|
|
|
if privilege is None:
|
|
|
|
|
continue
|
|
|
|
|
|
2012-07-20 22:17:35 +04:00
|
|
|
# In PostgreSQL we get 1 if the privilege is True,
|
|
|
|
|
# 0 otherwise
|
|
|
|
|
if Backend.isDbms(DBMS.PGSQL) and ", " in privilege:
|
2017-04-18 16:56:24 +03:00
|
|
|
privilege = privilege.replace(", ", ',')
|
|
|
|
|
privs = privilege.split(',')
|
2012-07-20 22:17:35 +04:00
|
|
|
i = 1
|
|
|
|
|
|
|
|
|
|
for priv in privs:
|
|
|
|
|
if priv.isdigit() and int(priv) == 1:
|
2012-08-21 13:30:01 +04:00
|
|
|
for position, pgsqlPriv in PGSQL_PRIVS.items():
|
2012-07-20 22:17:35 +04:00
|
|
|
if position == i:
|
|
|
|
|
privileges.add(pgsqlPriv)
|
|
|
|
|
|
|
|
|
|
i += 1
|
|
|
|
|
|
|
|
|
|
# In MySQL >= 5.0 and Oracle we get the list
|
|
|
|
|
# of privileges as string
|
|
|
|
|
elif Backend.isDbms(DBMS.ORACLE) or (Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema):
|
|
|
|
|
privileges.add(privilege)
|
|
|
|
|
|
|
|
|
|
# In MySQL < 5.0 we get Y if the privilege is
|
|
|
|
|
# True, N otherwise
|
|
|
|
|
elif Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
|
2017-04-18 16:56:24 +03:00
|
|
|
privilege = privilege.replace(", ", ',')
|
|
|
|
|
privs = privilege.split(',')
|
2012-07-20 22:17:35 +04:00
|
|
|
i = 1
|
|
|
|
|
|
|
|
|
|
for priv in privs:
|
2017-04-18 16:56:24 +03:00
|
|
|
if priv.upper() == 'Y':
|
2012-08-21 13:30:01 +04:00
|
|
|
for position, mysqlPriv in MYSQL_PRIVS.items():
|
2012-07-20 22:17:35 +04:00
|
|
|
if position == i:
|
|
|
|
|
privileges.add(mysqlPriv)
|
|
|
|
|
|
|
|
|
|
i += 1
|
|
|
|
|
|
|
|
|
|
# In Firebird we get one letter for each privilege
|
|
|
|
|
elif Backend.isDbms(DBMS.FIREBIRD):
|
2012-08-21 13:30:01 +04:00
|
|
|
privileges.add(FIREBIRD_PRIVS[privilege.strip()])
|
2012-07-20 22:17:35 +04:00
|
|
|
|
2016-09-26 15:20:04 +03:00
|
|
|
# In Informix we get one letter for the highest privilege
|
|
|
|
|
elif Backend.isDbms(DBMS.INFORMIX):
|
|
|
|
|
privileges.add(INFORMIX_PRIVS[privilege.strip()])
|
|
|
|
|
|
2012-07-20 22:17:35 +04:00
|
|
|
# In DB2 we get Y or G if the privilege is
|
|
|
|
|
# True, N otherwise
|
|
|
|
|
elif Backend.isDbms(DBMS.DB2):
|
2017-04-18 16:56:24 +03:00
|
|
|
privs = privilege.split(',')
|
2012-07-20 22:17:35 +04:00
|
|
|
privilege = privs[0]
|
|
|
|
|
privs = privs[1]
|
|
|
|
|
privs = list(privs.strip())
|
|
|
|
|
i = 1
|
|
|
|
|
|
|
|
|
|
for priv in privs:
|
2017-04-18 16:56:24 +03:00
|
|
|
if priv.upper() in ('Y', 'G'):
|
2012-08-21 13:30:01 +04:00
|
|
|
for position, db2Priv in DB2_PRIVS.items():
|
2012-07-20 22:17:35 +04:00
|
|
|
if position == i:
|
|
|
|
|
privilege += ", " + db2Priv
|
|
|
|
|
|
|
|
|
|
i += 1
|
|
|
|
|
|
|
|
|
|
privileges.add(privilege)
|
|
|
|
|
|
|
|
|
|
# In MySQL < 5.0 we break the cycle after the first
|
|
|
|
|
# time we get the user's privileges otherwise we
|
|
|
|
|
# duplicate the same query
|
|
|
|
|
if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
|
|
|
|
|
break
|
|
|
|
|
|
|
|
|
|
if privileges:
|
|
|
|
|
kb.data.cachedUsersPrivileges[user] = list(privileges)
|
|
|
|
|
else:
|
|
|
|
|
warnMsg = "unable to retrieve the privileges "
|
2012-12-17 17:51:46 +04:00
|
|
|
warnMsg += "for user '%s'" % outuser
|
2012-07-20 22:17:35 +04:00
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
|
|
|
|
|
retrievedUsers.add(user)
|
|
|
|
|
|
|
|
|
|
if not kb.data.cachedUsersPrivileges:
|
|
|
|
|
errMsg = "unable to retrieve the privileges "
|
|
|
|
|
errMsg += "for the database users"
|
2013-01-04 02:20:55 +04:00
|
|
|
raise SqlmapNoneDataException(errMsg)
|
2012-07-20 22:17:35 +04:00
|
|
|
|
2013-01-14 14:24:45 +04:00
|
|
|
for user, privileges in kb.data.cachedUsersPrivileges.items():
|
|
|
|
|
if isAdminFromPrivileges(privileges):
|
|
|
|
|
areAdmins.add(user)
|
|
|
|
|
|
2012-07-20 22:17:35 +04:00
|
|
|
return (kb.data.cachedUsersPrivileges, areAdmins)
|
|
|
|
|
|
|
|
|
|
def getRoles(self, query2=False):
|
|
|
|
|
warnMsg = "on %s the concept of roles does not " % Backend.getIdentifiedDbms()
|
|
|
|
|
warnMsg += "exist. sqlmap will enumerate privileges instead"
|
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
|
|
|
|
|
return self.getPrivileges(query2)
|
