diff --git a/lib/core/common.py b/lib/core/common.py index b742c2cbd..cce0b6e8f 100644 --- a/lib/core/common.py +++ b/lib/core/common.py @@ -1228,19 +1228,16 @@ def initCommonOutputs(): cfile.close() -def goGoodSamaritan(part, prevValue, originalCharset): +def goGoodSamaritan(prevValue, originalCharset): """ Function for retrieving parameters needed for common prediction (good samaritan) feature. - part is for instance Users, Databases, Tables and corresponds to the - header (e.g. [Users]) in txt/common-outputs.txt. - prevValue: retrieved query output so far (e.g. 'i'). - Returns singleValue if there is a complete single match (in part of - txt/common-outputs.txt under 'part') regarding parameter prevValue. If - there is no single value match, but multiple, commonCharset is + Returns commonValue if there is a complete single match (in kb.partRun + of txt/common-outputs.txt under kb.partRun) regarding parameter + prevValue. If there is no single value match, but multiple, commonCharset is returned containing more probable characters (retrieved from matched values in txt/common-outputs.txt) together with the rest of charset as otherCharset. 
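Review bot: The rewritten docstring now reads `(in kb.partRun of txt/common-outputs.txt under kb.partRun)`, which repeats itself and no longer tells the reader what kb.partRun is; since the `part` parameter was dropped, the docstring should name the new implicit dependency, e.g. `The section of txt/common-outputs.txt consulted is taken from kb.partRun (e.g. 'Users'), which the caller must set before calling this function.` The `originalCharset` parameter and the order of the four-tuple returned, `(commonValue, commonPattern, commonCharset, otherCharset)`, are also undocumented and worth a line each. The function body continues in the next hunk.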
@@ -1250,29 +1247,28 @@ def goGoodSamaritan(part, prevValue, originalCharset): initCommonOutputs() predictionSet = set() - wildIndexes = [] - singleValue = None - commonPatternValue = None - countSingleValues = 0 + commonValue = None + commonPattern = None + countCommonValue = 0 # If the header (e.g. Databases) we are looking for has common # outputs defined - if part in kb.commonOutputs: - commonPartOutputs = kb.commonOutputs[part] - commonPatternValue = common_finder_only(prevValue, commonPartOutputs) + if kb.partRun in kb.commonOutputs: + commonPartOutputs = kb.commonOutputs[kb.partRun] + commonPattern = common_finder_only(prevValue, commonPartOutputs) # If the longest common prefix is the same as previous value then # do not consider it - if commonPatternValue and commonPatternValue == prevValue: - commonPatternValue = None + if commonPattern and commonPattern == prevValue: + commonPattern = None # For each common output for item in commonPartOutputs: # Check if the common output (item) starts with prevValue # where prevValue is the enumerated character(s) so far if item.startswith(prevValue): - singleValue = item - countSingleValues += 1 + commonValue = item + countCommonValue += 1 if len(item) > len(prevValue): char = item[len(prevValue)] @@ -1280,8 +1276,8 @@ def goGoodSamaritan(part, prevValue, originalCharset): # Reset single value if there is more than one possible common # output - if countSingleValues > 1: - singleValue = None + if countCommonValue > 1: + commonValue = None commonCharset = [] otherCharset = [] @@ -1296,7 +1292,7 @@ def goGoodSamaritan(part, prevValue, originalCharset): commonCharset.sort() - return singleValue, commonPatternValue, commonCharset, originalCharset + return commonValue, commonPattern, commonCharset, originalCharset else: return None, None, None, originalCharset 
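Review bot: In the first hunk on this line the `for item in commonPartOutputs` loop overwrites `commonValue = item` on every prefix match and counts in `countCommonValue`, and the third hunk then throws the value away with `if countCommonValue > 1: commonValue = None`; the "exactly one candidate" rule is clearer if the loop does `matches.append(item)` and the reset becomes `commonValue = matches[0] if len(matches) == 1 else None`. The tail of that loop (`char = item[len(prevValue)]`, collecting the next-character charset) runs past the end of the first hunk, so that pass has to stay inside the loop either way. A short comment such as `# kb.partRun selects the [Section] of txt/common-outputs.txt to consult` above `if kb.partRun in kb.commonOutputs:` would make the replaced `part` parameter's role visible at the point of use.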
@@ -1322,18 +1318,25 @@ def getPartRun(): retVal = None commonPartsDict = optDict["Enumeration"] stack = [item[4][0] if isinstance(item[4], list) else '' for item in inspect.stack()] - reobj = getCompiledRegex('conf\.dbmsHandler\.([^(]+)\(\)') + reobj1 = getCompiledRegex('conf\.dbmsHandler\.([^(]+)\(\)') + reobj2 = getCompiledRegex('self\.(get[^(]+)\(\)') # Goes backwards through the stack to find the conf.dbmsHandler method # calling this function - for i in xrange(len(stack) - 1, 0, -1): - match = reobj.search(stack[i]) + for i in xrange(0, len(stack)-1): + for reobj in (reobj2, reobj1): + match = reobj.search(stack[i]) - if match: - # This is the calling conf.dbmsHandler method (e.g. 'getDbms') - retVal = match.groups()[0] + if match: + # This is the calling conf.dbmsHandler or self method + # (e.g. 'getDbms') + retVal = match.groups()[0] + break + + if retVal is not None: break + # Return the INI tag to consider for common outputs (e.g. 'Databases') return commonPartsDict[retVal][1] if retVal in commonPartsDict else retVal def getCommonStart(strings=[]): diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py index affa41214..f02988673 100644 --- a/lib/techniques/blind/inference.py +++ b/lib/techniques/blind/inference.py 
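Review bot: The comment `# Goes backwards through the stack to find the conf.dbmsHandler method` is now stale: the loop became `for i in xrange(0, len(stack)-1)`, which walks from the innermost frame outward and also skips the last index, whereas the old `xrange(len(stack) - 1, 0, -1)` skipped index 0; the comment should become `# Walks the stack from the innermost frame outward and stops at the first self.get*() or conf.dbmsHandler.*() call` and the dropped last frame should be confirmed as intended. The two regex literals are not raw strings (`'self\.(get[^(]+)\(\)'`); they work only because `\.` and `\(` are unknown escapes left intact, so `r'...'` is the safer idiom. The new `self\.(get[^(]+)\(\)` pattern matches any `self.get…()` frame, not just dbmsHandler methods, so it could pick up an unrelated getter in the call chain — if that is intended, a comment saying so would help the next reader.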
@@ -417,53 +417,58 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None # the moment if conf.useCommonPrediction and len(finalValue) > 0 and kb.partRun is not None: val = None - singleValue, commonPatternValue, commonCharset, otherCharset = goGoodSamaritan(kb.partRun, finalValue, asciiTbl) + commonValue, commonPattern, commonCharset, otherCharset = goGoodSamaritan(finalValue, asciiTbl) + + # Debug print + #print "\ncommonValue, commonPattern, commonCharset:", commonValue, commonPattern, commonCharset # If there is one single output in common-outputs, check # it via equal against the query output - if singleValue is not None: - # One-shot query containing equals singleValue - query = agent.prefixQuery(" %s" % safeStringFormat('AND (%s) = %s', (expressionUnescaped, unescaper.unescape('\'%s\'' % singleValue)))) + if commonValue is not None: + # One-shot query containing equals commonValue + testValue = unescaper.unescape("'%s'" % commonValue) if "'" not in commonValue else unescaper.unescape("%s" % commonValue, quote=False) + query = agent.prefixQuery(" %s" % safeStringFormat("AND (%s) = %s", (expressionUnescaped, testValue))) query = agent.postfixQuery(query) queriesCount[0] += 1 result = Request.queryPage(urlencode(agent.payload(newValue=query))) # Did we have luck? 
if result: - dataToSessionFile(replaceNewlineTabs(singleValue[index-1:])) + dataToSessionFile(replaceNewlineTabs(commonValue[index-1:])) if showEta: - etaProgressUpdate(time.time() - charStart, len(singleValue)) + etaProgressUpdate(time.time() - charStart, len(commonValue)) elif conf.verbose >= 1: - dataToStdout(singleValue[index-1:]) + dataToStdout(commonValue[index-1:]) - finalValue = singleValue + finalValue = commonValue break # If there is a common pattern starting with finalValue, # check it via equal against the substring-query output - if commonPatternValue is not None: - # Substring-query containing equals commonPatternValue - subquery = queries[kb.dbms].substring % (expressionUnescaped, 1, len(commonPatternValue)) - query = agent.prefixQuery(" %s" % safeStringFormat('AND (%s) = %s', (subquery, unescaper.unescape('\'%s\'' % commonPatternValue)))) + if commonPattern is not None: + # Substring-query containing equals commonPattern + subquery = queries[kb.dbms].substring % (expressionUnescaped, 1, len(commonPattern)) + testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False) + query = agent.prefixQuery(" %s" % safeStringFormat("AND (%s) = %s", (subquery, testValue))) query = agent.postfixQuery(query) queriesCount[0] += 1 result = Request.queryPage(urlencode(agent.payload(newValue=query))) # Did we have luck? 
if result: - val = commonPatternValue[index-1:] + val = commonPattern[index-1:] index += len(val)-1 - # Otherwise if there is no singleValue (single match from - # txt/common-outputs.txt) and no commonPatternValue + # Otherwise if there is no commonValue (single match from + # txt/common-outputs.txt) and no commonPattern # (common pattern) use the returned common charset only # to retrieve the query output if not val and commonCharset: val = getChar(index, commonCharset, False) - # If we had no luck with singleValue and common charset, + # If we had no luck with commonValue and common charset, # use the returned other charset if not val: val = getChar(index, otherCharset, otherCharset == asciiTbl) diff --git a/txt/common-outputs.txt b/txt/common-outputs.txt index 250571847..7dfc9010c 100644 --- a/txt/common-outputs.txt +++ b/txt/common-outputs.txt 
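Review bot: The added `testValue = unescaper.unescape("'%s'" % commonValue) if "'" not in commonValue else unescaper.unescape("%s" % commonValue, quote=False)` is repeated verbatim for `commonPattern` later in the hunk; moving it into one small helper keeps the two paths from drifting. That helper also needs a comment on the `"'" not in …` branch, because a value that already contains a quote is embedded with `quote=False` and the `AND (%s) = %s` comparison is then no longer against a string literal — hedged, since `unescaper.unescape` is defined elsewhere. The `# Debug print` / `#print "\ncommonValue, …"` lines at the top of the hunk are commented-out code and should be removed or become a `logger.debug` call. `bisection` starts and ends outside the hunk.
```python
def quoteCommonValue(value):
    # Entries from txt/common-outputs.txt may themselves contain quotes
    # (e.g. 'root'@'localhost' under [Users]); those are passed through
    # unquoted, everything else is wrapped as a string literal.
    if "'" in value:
        return unescaper.unescape("%s" % value, quote=False)
    return unescaper.unescape("'%s'" % value)

# … unchanged: commonValue one-shot query, using testValue = quoteCommonValue(commonValue) …
# … unchanged: commonPattern substring query, using testValue = quoteCommonValue(commonPattern) …
```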
@@ -1,3 +1,348 @@ +[Banners] + +# MySQL +4.0. +4.1. +5.0. +5.1. +5.5. + +# PostgreSQL +PostgreSQL 7. +PostgreSQL 8.1 +PostgreSQL 8.2 +PostgreSQL 8.3 +PostgreSQL 8.4 + +# Oracle +Oracle Database 9i Standard Edition Release +Oracle Database 9i Express Edition Release +Oracle Database 9i Enterprise Edition Release +Oracle Database 10g Standard Edition Release +Oracle Database 10g Express Edition Release +Oracle Database 10g Enterprise Edition Release +Oracle Database 11g Standard Edition Release +Oracle Database 11g Express Edition Release +Oracle Database 11g Enterprise Edition Release + + +[Users] + +# MySQL >= 5.0 +'debian-sys-maint'@'localhost' +'root'@'%' +'root'@'localhost' + +# MySQL < 5.0 +debian-sys-maint +root + +# PostgreSQL +postgres + +# Oracle +ANONYMOUS +CTXSYS +DBSNMP +DIP +DMSYS +EXFSYS +MDDATA +MDSYS +MGMT_VIEW +OLAPSYS +ORDPLUGINS +ORDSYS +OUTLN +SCOTT +SI_INFORMTN_SCHEMA +SYS +SYSMAN +SYSTEM +TSMSYS +WMSYS +XDB + + +[Passwords] + +# MySQL +*00E247AC5F9AF26AE0194B41E1E769DEE1429A29 # testpass + +# PostgreSQL +md599e5ea7a6f7c3269995cba3927fd0093 + +# Oracle +2D5A0C491B634F1B # testpass + + +[Privileges] + +# MySQL >= 5.0 +ALTER +ALTER ROUTINE +CREATE +CREATE ROUTINE +CREATE TEMPORARY TABLES +CREATE USER +CREATE VIEW +DELETE +DROP +EVENT +EXECUTE +FILE +INDEX +INSERT +LOCK TABLES +PROCESS +REFERENCES +RELOAD +REPLICATION CLIENT +REPLICATION SLAVE +SELECT +SHOW DATABASES +SHOW VIEW +SHUTDOWN +SUPER +TRIGGER +UPDATE +USAGE + +# MySQL < 5.0 +select_priv +insert_priv +update_priv +delete_priv +create_priv +drop_priv +reload_priv +shutdown_priv +process_priv +file_priv +grant_priv +references_priv +index_priv +alter_priv +show_db_priv +super_priv +create_tmp_table_priv +lock_tables_priv +execute_priv +repl_slave_priv +repl_client_priv +create_view_priv +show_view_priv +create_routine_priv +alter_routine_priv +create_user_priv + +# PostgreSQL +catupd +createdb +super + +# Oracle +ADMINISTER ANY SQL TUNING SET +ADMINISTER DATABASE TRIGGER +ADMINISTER 
RESOURCE MANAGER +ADMINISTER SQL TUNING SET +ADVISOR +ALTER ANY CLUSTER +ALTER ANY DIMENSION +ALTER ANY EVALUATION CONTEXT +ALTER ANY INDEX +ALTER ANY INDEXTYPE +ALTER ANY LIBRARY +ALTER ANY MATERIALIZED VIEW +ALTER ANY OUTLINE +ALTER ANY PROCEDURE +ALTER ANY ROLE +ALTER ANY RULE +ALTER ANY RULE SET +ALTER ANY SEQUENCE +ALTER ANY SQL PROFILE +ALTER ANY TABLE +ALTER ANY TRIGGER +ALTER ANY TYPE +ALTER DATABASE +ALTER PROFILE +ALTER RESOURCE COST +ALTER ROLLBACK SEGMENT +ALTER SESSION +ALTER SYSTEM +ALTER TABLESPACE +ALTER USER +ANALYZE ANY +ANALYZE ANY DICTIONARY +AUDIT ANY +AUDIT SYSTEM +BACKUP ANY TABLE +BECOME USER +CHANGE NOTIFICATION +COMMENT ANY TABLE +CREATE ANY CLUSTER +CREATE ANY CONTEXT +CREATE ANY DIMENSION +CREATE ANY DIRECTORY +CREATE ANY EVALUATION CONTEXT +CREATE ANY INDEX +CREATE ANY INDEXTYPE +CREATE ANY JOB +CREATE ANY LIBRARY +CREATE ANY MATERIALIZED VIEW +CREATE ANY OPERATOR +CREATE ANY OUTLINE +CREATE ANY PROCEDURE +CREATE ANY RULE +CREATE ANY RULE SET +CREATE ANY SEQUENCE +CREATE ANY SQL PROFILE +CREATE ANY SYNONYM +CREATE ANY TABLE +CREATE ANY TRIGGER +CREATE ANY TYPE +CREATE ANY VIEW +CREATE CLUSTER +CREATE DATABASE LINK +CREATE DIMENSION +CREATE EVALUATION CONTEXT +CREATE EXTERNAL JOB +CREATE INDEXTYPE +CREATE JOB +CREATE LIBRARY +CREATE MATERIALIZED VIEW +CREATE OPERATOR +CREATE PROCEDURE +CREATE PROFILE +CREATE PUBLIC DATABASE LINK +CREATE PUBLIC SYNONYM +CREATE ROLE +CREATE ROLLBACK SEGMENT +CREATE RULE +CREATE RULE SET +CREATE SEQUENCE +CREATE SESSION +CREATE SYNONYM +CREATE TABLE +CREATE TABLESPACE +CREATE TRIGGER +CREATE TYPE +CREATE USER +CREATE VIEW +DEBUG ANY PROCEDURE +DEBUG CONNECT SESSION +DELETE ANY TABLE +DEQUEUE ANY QUEUE +DROP ANY CLUSTER +DROP ANY CONTEXT +DROP ANY DIMENSION +DROP ANY DIRECTORY +DROP ANY EVALUATION CONTEXT +DROP ANY INDEX +DROP ANY INDEXTYPE +DROP ANY LIBRARY +DROP ANY MATERIALIZED VIEW +DROP ANY OPERATOR +DROP ANY OUTLINE +DROP ANY PROCEDURE +DROP ANY ROLE +DROP ANY RULE +DROP ANY RULE SET +DROP ANY SEQUENCE 
+DROP ANY SQL PROFILE +DROP ANY SYNONYM +DROP ANY TABLE +DROP ANY TRIGGER +DROP ANY TYPE +DROP ANY VIEW +DROP PROFILE +DROP PUBLIC DATABASE LINK +DROP PUBLIC SYNONYM +DROP ROLLBACK SEGMENT +DROP TABLESPACE +DROP USER +ENQUEUE ANY QUEUE +EXECUTE ANY CLASS +EXECUTE ANY EVALUATION CONTEXT +EXECUTE ANY INDEXTYPE +EXECUTE ANY LIBRARY +EXECUTE ANY OPERATOR +EXECUTE ANY PROCEDURE +EXECUTE ANY PROGRAM +EXECUTE ANY RULE +EXECUTE ANY RULE SET +EXECUTE ANY TYPE +EXPORT FULL DATABASE +FLASHBACK ANY TABLE +FORCE ANY TRANSACTION +FORCE TRANSACTION +GLOBAL QUERY REWRITE +GRANT ANY OBJECT PRIVILEGE +GRANT ANY PRIVILEGE +GRANT ANY ROLE +IMPORT FULL DATABASE +INSERT ANY TABLE +LOCK ANY TABLE +MANAGE ANY FILE GROUP +MANAGE ANY QUEUE +MANAGE FILE GROUP +MANAGE SCHEDULER +MANAGE TABLESPACE +MERGE ANY VIEW +ON COMMIT REFRESH +QUERY REWRITE +READ ANY FILE GROUP +RESTRICTED SESSION +RESUMABLE +SELECT ANY DICTIONARY +SELECT ANY SEQUENCE +SELECT ANY TABLE +SELECT ANY TRANSACTION +UNDER ANY TABLE +UNDER ANY TYPE +UNDER ANY VIEW +UNLIMITED TABLESPACE +UPDATE ANY TABLE + + +[Roles] + +# Oracle +AQ_ADMINISTRATOR_ROLE +AQ_USER_ROLE +AUTHENTICATEDUSER +CONNECT +CTXAPP +DBA +DELETE_CATALOG_ROLE +EJBCLIENT +EXECUTE_CATALOG_ROLE +EXP_FULL_DATABASE +GATHER_SYSTEM_STATISTICS +HS_ADMIN_ROLE +IMP_FULL_DATABASE +JAVA_ADMIN +JAVADEBUGPRIV +JAVA_DEPLOY +JAVAIDPRIV +JAVASYSPRIV +JAVAUSERPRIV +LOGSTDBY_ADMINISTRATOR +MGMT_USER +OEM_ADVISOR +OEM_MONITOR +OLAP_DBA +OLAP_USER +RECOVERY_CATALOG_OWNER +RESOURCE +SCHEDULER_ADMIN +SELECT_CATALOG_ROLE +TABLE_ACCESSERS +WM_ADMIN_ROLE +XDBADMIN +XDBWEBSERVICES + + [Databases] # MySQL @@ -5,6 +350,11 @@ information_schema mysql phpmyadmin +# PostgreSQL +postgres +template0 +template1 + # Microsoft SQL Server tempdb model @@ -13,6 +363,7 @@ msdb [Tables] + # MySQL CHARACTER_SETS COLLATION_CHARACTER_SET_APPLICABILITY @@ -66,7 +417,7 @@ time_zone_transition time_zone_transition_type user -# PHPMyAdmin +# phpMyAdmin pma_bookmark pma_column_info pma_designer_coords 
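Review bot: The two `[Passwords]` entries added in the first hunk carry a trailing inline comment (`… # testpass`) on the same line as the value, while every other comment in the file is on a line of its own; unless the loader in initCommonOutputs strips text after `#` (not visible in this diff), the candidate would include ` # testpass` and could never match. Moving the annotation to its own `# testpass` line above each hash keeps the format uniform and avoids depending on that behaviour. Several `[Users]` entries also contain single quotes (`'root'@'localhost'`), which the consumer in lib/techniques/blind/inference.py handles with a dedicated unquoted branch; a one-line `# entries may contain quotes and are listed verbatim` comment at the top of that section would explain why.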
@@ -468,33 +819,46 @@ systargetservers_view systaskids -[Passwords] +[Columns] # MySQL -*00E247AC5F9AF26AE0194B41E1E769DEE1429A29 # testpass - - -[Users] - -# Oracle -SCOTT -MGMT_VIEW -MDDATA -SYSMAN -MDSYS -SI_INFORMTN_SCHEMA -ORDPLUGINS -ORDSYS -OLAPSYS -ANONYMOUS -XDB -CTXSYS -EXFSYS -WMSYS -DBSNMP -TSMSYS -DMSYS -DIP -OUTLN -SYSTEM -SYS +## 'mysql.user' table +Alter_priv +Alter_routine_priv +Create_priv +Create_routine_priv +Create_tmp_table_priv +Create_user_priv +Create_view_priv +Delete_priv +Drop_priv +Event_priv +Execute_priv +File_priv +Grant_priv +Host +Index_priv +Insert_priv +Lock_tables_priv +max_connections +max_questions +max_updates +max_user_connections +Password +Process_priv +References_priv +Reload_priv +Repl_client_priv +Repl_slave_priv +Select_priv +Show_db_priv +Show_view_priv +Shutdown_priv +ssl_cipher +ssl_type +Super_priv +Trigger_priv +Update_priv +User +x509_issuer +x509_subject