2019-05-08 13:47:52 +03:00
|
|
|
#!/usr/bin/env python
|
2010-03-23 01:57:57 +03:00
|
|
|
|
|
|
|
"""
|
2020-12-31 13:46:27 +03:00
|
|
|
Copyright (c) 2006-2021 sqlmap developers (http://sqlmap.org/)
|
2017-10-11 15:50:46 +03:00
|
|
|
See the file 'LICENSE' for copying permission
|
2010-03-23 01:57:57 +03:00
|
|
|
"""
|
|
|
|
|
2012-02-16 18:42:28 +04:00
|
|
|
from lib.core.common import getLimitRange
|
2012-10-25 00:59:46 +04:00
|
|
|
from lib.core.common import isAdminFromPrivileges
|
2012-01-07 23:30:35 +04:00
|
|
|
from lib.core.common import isInferenceAvailable
|
2011-05-26 12:17:21 +04:00
|
|
|
from lib.core.common import isNoneValue
|
2010-12-18 00:45:20 +03:00
|
|
|
from lib.core.common import isNumPosStrValue
|
2011-01-12 04:13:32 +03:00
|
|
|
from lib.core.common import isTechniqueAvailable
|
2019-03-28 18:04:38 +03:00
|
|
|
from lib.core.compat import xrange
|
2010-03-25 18:46:06 +03:00
|
|
|
from lib.core.data import conf
|
|
|
|
from lib.core.data import kb
|
2010-03-23 01:57:57 +03:00
|
|
|
from lib.core.data import logger
|
2010-03-25 18:46:06 +03:00
|
|
|
from lib.core.data import queries
|
2012-02-29 18:36:23 +04:00
|
|
|
from lib.core.enums import CHARSET_TYPE
|
2016-12-21 12:33:35 +03:00
|
|
|
from lib.core.enums import DBMS
|
2010-12-10 16:04:36 +03:00
|
|
|
from lib.core.enums import EXPECTED
|
2011-01-15 13:14:05 +03:00
|
|
|
from lib.core.enums import PAYLOAD
|
2012-12-06 17:14:19 +04:00
|
|
|
from lib.core.exception import SqlmapNoneDataException
|
2019-08-30 15:43:56 +03:00
|
|
|
from lib.core.settings import CURRENT_USER
|
2010-03-25 18:46:06 +03:00
|
|
|
from lib.request import inject
|
2010-03-23 01:57:57 +03:00
|
|
|
from plugins.generic.enumeration import Enumeration as GenericEnumeration
|
|
|
|
|
|
|
|
class Enumeration(GenericEnumeration):
|
2010-03-25 18:46:06 +03:00
|
|
|
def getRoles(self, query2=False):
|
|
|
|
infoMsg = "fetching database users roles"
|
|
|
|
|
2016-12-21 12:33:35 +03:00
|
|
|
rootQuery = queries[DBMS.ORACLE].roles
|
2010-03-25 18:46:06 +03:00
|
|
|
|
2019-08-30 15:43:56 +03:00
|
|
|
if conf.user == CURRENT_USER:
|
2010-03-25 18:46:06 +03:00
|
|
|
infoMsg += " for current user"
|
|
|
|
conf.user = self.getCurrentUser()
|
|
|
|
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
# Set containing the list of DBMS administrators
|
|
|
|
areAdmins = set()
|
|
|
|
|
2012-12-05 13:45:17 +04:00
|
|
|
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
|
2010-03-25 18:46:06 +03:00
|
|
|
if query2:
|
2011-04-30 17:20:05 +04:00
|
|
|
query = rootQuery.inband.query2
|
2010-10-21 17:13:12 +04:00
|
|
|
condition = rootQuery.inband.condition2
|
2010-03-25 18:46:06 +03:00
|
|
|
else:
|
2011-04-30 17:20:05 +04:00
|
|
|
query = rootQuery.inband.query
|
2010-10-21 17:13:12 +04:00
|
|
|
condition = rootQuery.inband.condition
|
2010-03-25 18:46:06 +03:00
|
|
|
|
|
|
|
if conf.user:
|
2017-04-18 16:56:24 +03:00
|
|
|
users = conf.user.split(',')
|
2010-03-25 18:46:06 +03:00
|
|
|
query += " WHERE "
|
2011-06-18 16:23:18 +04:00
|
|
|
query += " OR ".join("%s = '%s'" % (condition, user) for user in sorted(users))
|
2010-03-25 18:46:06 +03:00
|
|
|
|
2012-10-28 01:16:25 +04:00
|
|
|
values = inject.getValue(query, blind=False, time=False)
|
2010-03-25 18:46:06 +03:00
|
|
|
|
|
|
|
if not values and not query2:
|
2019-08-30 15:43:56 +03:00
|
|
|
infoMsg = "trying with table 'USER_ROLE_PRIVS'"
|
2010-03-25 18:46:06 +03:00
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
return self.getRoles(query2=True)
|
|
|
|
|
2011-05-26 12:17:21 +04:00
|
|
|
if not isNoneValue(values):
|
2010-03-25 18:46:06 +03:00
|
|
|
for value in values:
|
2011-04-30 17:20:05 +04:00
|
|
|
user = None
|
2010-03-25 18:46:06 +03:00
|
|
|
roles = set()
|
|
|
|
|
2017-07-05 12:31:42 +03:00
|
|
|
for count in xrange(0, len(value or [])):
|
2010-03-25 18:46:06 +03:00
|
|
|
# The first column is always the username
|
|
|
|
if count == 0:
|
|
|
|
user = value[count]
|
|
|
|
|
|
|
|
# The other columns are the roles
|
|
|
|
else:
|
|
|
|
role = value[count]
|
|
|
|
|
|
|
|
# In Oracle we get the list of roles as string
|
|
|
|
roles.add(role)
|
|
|
|
|
2012-12-18 15:47:06 +04:00
|
|
|
if user in kb.data.cachedUsersRoles:
|
|
|
|
kb.data.cachedUsersRoles[user] = list(roles.union(kb.data.cachedUsersRoles[user]))
|
2010-03-25 18:46:06 +03:00
|
|
|
else:
|
|
|
|
kb.data.cachedUsersRoles[user] = list(roles)
|
|
|
|
|
2012-01-07 23:30:35 +04:00
|
|
|
if not kb.data.cachedUsersRoles and isInferenceAvailable() and not conf.direct:
|
2010-03-25 18:46:06 +03:00
|
|
|
if conf.user:
|
2017-04-18 16:56:24 +03:00
|
|
|
users = conf.user.split(',')
|
2010-03-25 18:46:06 +03:00
|
|
|
else:
|
|
|
|
if not len(kb.data.cachedUsers):
|
|
|
|
users = self.getUsers()
|
|
|
|
else:
|
|
|
|
users = kb.data.cachedUsers
|
|
|
|
|
|
|
|
retrievedUsers = set()
|
|
|
|
|
|
|
|
for user in users:
|
|
|
|
unescapedUser = None
|
|
|
|
|
|
|
|
if user in retrievedUsers:
|
|
|
|
continue
|
|
|
|
|
2011-04-30 17:20:05 +04:00
|
|
|
infoMsg = "fetching number of roles "
|
2010-03-25 18:46:06 +03:00
|
|
|
infoMsg += "for user '%s'" % user
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
if unescapedUser:
|
|
|
|
queryUser = unescapedUser
|
|
|
|
else:
|
|
|
|
queryUser = user
|
|
|
|
|
|
|
|
if query2:
|
2010-10-21 17:13:12 +04:00
|
|
|
query = rootQuery.blind.count2 % queryUser
|
2010-03-25 18:46:06 +03:00
|
|
|
else:
|
2010-10-21 17:13:12 +04:00
|
|
|
query = rootQuery.blind.count % queryUser
|
2012-10-28 02:36:09 +04:00
|
|
|
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
2010-03-25 18:46:06 +03:00
|
|
|
|
2010-12-18 00:45:20 +03:00
|
|
|
if not isNumPosStrValue(count):
|
2012-04-04 13:25:05 +04:00
|
|
|
if count != 0 and not query2:
|
2019-08-30 15:43:56 +03:00
|
|
|
infoMsg = "trying with table 'USER_SYS_PRIVS'"
|
2010-03-25 18:46:06 +03:00
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
return self.getPrivileges(query2=True)
|
|
|
|
|
2011-04-30 17:20:05 +04:00
|
|
|
warnMsg = "unable to retrieve the number of "
|
2010-03-25 18:46:06 +03:00
|
|
|
warnMsg += "roles for user '%s'" % user
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
continue
|
|
|
|
|
|
|
|
infoMsg = "fetching roles for user '%s'" % user
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
roles = set()
|
|
|
|
|
2012-02-16 18:42:28 +04:00
|
|
|
indexRange = getLimitRange(count, plusOne=True)
|
2010-03-25 18:46:06 +03:00
|
|
|
|
|
|
|
for index in indexRange:
|
|
|
|
if query2:
|
2010-10-21 17:13:12 +04:00
|
|
|
query = rootQuery.blind.query2 % (queryUser, index)
|
2010-03-25 18:46:06 +03:00
|
|
|
else:
|
2010-10-21 17:13:12 +04:00
|
|
|
query = rootQuery.blind.query % (queryUser, index)
|
2012-10-28 02:36:09 +04:00
|
|
|
role = inject.getValue(query, union=False, error=False)
|
2010-03-25 18:46:06 +03:00
|
|
|
|
|
|
|
# In Oracle we get the list of roles as string
|
|
|
|
roles.add(role)
|
|
|
|
|
|
|
|
if roles:
|
|
|
|
kb.data.cachedUsersRoles[user] = list(roles)
|
|
|
|
else:
|
2011-04-30 17:20:05 +04:00
|
|
|
warnMsg = "unable to retrieve the roles "
|
2010-03-25 18:46:06 +03:00
|
|
|
warnMsg += "for user '%s'" % user
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
|
|
|
retrievedUsers.add(user)
|
|
|
|
|
|
|
|
if not kb.data.cachedUsersRoles:
|
2011-04-30 17:20:05 +04:00
|
|
|
errMsg = "unable to retrieve the roles "
|
2010-03-25 18:46:06 +03:00
|
|
|
errMsg += "for the database users"
|
2013-01-04 02:20:55 +04:00
|
|
|
raise SqlmapNoneDataException(errMsg)
|
2010-03-25 18:46:06 +03:00
|
|
|
|
2013-01-18 13:22:53 +04:00
|
|
|
for user, privileges in kb.data.cachedUsersRoles.items():
|
|
|
|
if isAdminFromPrivileges(privileges):
|
|
|
|
areAdmins.add(user)
|
|
|
|
|
2012-12-06 13:21:53 +04:00
|
|
|
return kb.data.cachedUsersRoles, areAdmins
|