Minor enhancements and bug fixes to "good samaritan" feature - see #4

lib/core/common.py

@@ -1228,19 +1228,16 @@ def initCommonOutputs():
 
     cfile.close()
 
-def goGoodSamaritan(part, prevValue, originalCharset):
+def goGoodSamaritan(prevValue, originalCharset):
     """
     Function for retrieving parameters needed for common prediction (good
     samaritan) feature.
 
-    part is for instance Users, Databases, Tables and corresponds to the
-    header (e.g. [Users]) in txt/common-outputs.txt.
-
     prevValue: retrieved query output so far (e.g. 'i').
 
-    Returns singleValue if there is a complete single match (in part of
+    Returns commonValue if there is a complete single match (in kb.partRun
-    txt/common-outputs.txt under 'part') regarding parameter prevValue. If
+    of txt/common-outputs.txt under kb.partRun) regarding parameter
-    there is no single value match, but multiple, commonCharset is
+    prevValue. If there is no single value match, but multiple, commonCharset is
     returned containing more probable characters (retrieved from matched
     values in txt/common-outputs.txt) together with the rest of charset as
     otherCharset.
@@ -1250,29 +1247,28 @@ def goGoodSamaritan(part, prevValue, originalCharset):
         initCommonOutputs()
 
     predictionSet = set()
-    wildIndexes = []
+    commonValue = None
-    singleValue = None
+    commonPattern = None
-    commonPatternValue = None
+    countCommonValue = 0
-    countSingleValues = 0
 
     # If the header (e.g. Databases) we are looking for has common
     # outputs defined
-    if part in kb.commonOutputs:
+    if kb.partRun in kb.commonOutputs:
-        commonPartOutputs = kb.commonOutputs[part]
+        commonPartOutputs = kb.commonOutputs[kb.partRun]
-        commonPatternValue = common_finder_only(prevValue, commonPartOutputs)
+        commonPattern = common_finder_only(prevValue, commonPartOutputs)
 
         # If the longest common prefix is the same as previous value then
         # do not consider it
-        if commonPatternValue and commonPatternValue == prevValue:
+        if commonPattern and commonPattern == prevValue:
-            commonPatternValue = None
+            commonPattern = None
 
         # For each common output
         for item in commonPartOutputs:
             # Check if the common output (item) starts with prevValue
             # where prevValue is the enumerated character(s) so far
             if item.startswith(prevValue):
-                singleValue = item
+                commonValue = item
-                countSingleValues += 1
+                countCommonValue += 1
 
                 if len(item) > len(prevValue):
                     char = item[len(prevValue)]
@@ -1280,8 +1276,8 @@ def goGoodSamaritan(part, prevValue, originalCharset):
 
         # Reset single value if there is more than one possible common
         # output
-        if countSingleValues > 1:
+        if countCommonValue > 1:
-            singleValue = None
+            commonValue = None
 
         commonCharset = []
         otherCharset = []
@@ -1296,7 +1292,7 @@ def goGoodSamaritan(part, prevValue, originalCharset):
 
         commonCharset.sort()
 
-        return singleValue, commonPatternValue, commonCharset, originalCharset
+        return commonValue, commonPattern, commonCharset, originalCharset
     else:
         return None, None, None, originalCharset
 
@@ -1322,18 +1318,25 @@ def getPartRun():
     retVal = None
     commonPartsDict = optDict["Enumeration"]
     stack = [item[4][0] if isinstance(item[4], list) else '' for item in inspect.stack()]
-    reobj = getCompiledRegex('conf\.dbmsHandler\.([^(]+)\(\)')
+    reobj1 = getCompiledRegex('conf\.dbmsHandler\.([^(]+)\(\)')
+    reobj2 = getCompiledRegex('self\.(get[^(]+)\(\)')
 
     # Goes backwards through the stack to find the conf.dbmsHandler method
     # calling this function
-    for i in xrange(len(stack) - 1, 0, -1):
+    for i in xrange(0, len(stack)-1):
-        match = reobj.search(stack[i])
+        for reobj in (reobj2, reobj1):
+            match = reobj.search(stack[i])
 
-        if match:
+            if match:
-            # This is the calling conf.dbmsHandler method (e.g. 'getDbms')
+                # This is the calling conf.dbmsHandler or self method
-            retVal = match.groups()[0]
+                # (e.g. 'getDbms')
+                retVal = match.groups()[0]
+                break
+
+        if retVal is not None:
             break
 
+    # Return the INI tag to consider for common outputs (e.g. 'Databases')
     return commonPartsDict[retVal][1] if retVal in commonPartsDict else retVal
 
 def getCommonStart(strings=[]):

lib/techniques/blind/inference.py

@@ -417,53 +417,58 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
             # the moment
             if conf.useCommonPrediction and len(finalValue) > 0 and kb.partRun is not None:
                 val = None
-                singleValue, commonPatternValue, commonCharset, otherCharset = goGoodSamaritan(kb.partRun, finalValue, asciiTbl)
+                commonValue, commonPattern, commonCharset, otherCharset = goGoodSamaritan(finalValue, asciiTbl)
+
+                # Debug print
+                #print "\ncommonValue, commonPattern, commonCharset:", commonValue, commonPattern, commonCharset
 
                 # If there is one single output in common-outputs, check
                 # it via equal against the query output
-                if singleValue is not None:
+                if commonValue is not None:
-                    # One-shot query containing equals singleValue
+                    # One-shot query containing equals commonValue
-                    query = agent.prefixQuery(" %s" % safeStringFormat('AND (%s) = %s', (expressionUnescaped, unescaper.unescape('\'%s\'' % singleValue))))
+                    testValue = unescaper.unescape("'%s'" % commonValue) if "'" not in commonValue else unescaper.unescape("%s" % commonValue, quote=False)
+                    query = agent.prefixQuery(" %s" % safeStringFormat("AND (%s) = %s", (expressionUnescaped, testValue)))
                     query = agent.postfixQuery(query)
                     queriesCount[0] += 1
                     result = Request.queryPage(urlencode(agent.payload(newValue=query)))
 
                     # Did we have luck?
                     if result:
-                        dataToSessionFile(replaceNewlineTabs(singleValue[index-1:]))
+                        dataToSessionFile(replaceNewlineTabs(commonValue[index-1:]))
 
                         if showEta:
-                            etaProgressUpdate(time.time() - charStart, len(singleValue))
+                            etaProgressUpdate(time.time() - charStart, len(commonValue))
                         elif conf.verbose >= 1:
-                            dataToStdout(singleValue[index-1:])
+                            dataToStdout(commonValue[index-1:])
 
-                        finalValue = singleValue
+                        finalValue = commonValue
 
                         break
 
                 # If there is a common pattern starting with finalValue,
                 # check it via equal against the substring-query output
-                if commonPatternValue is not None:
+                if commonPattern is not None:
-                    # Substring-query containing equals commonPatternValue
+                    # Substring-query containing equals commonPattern
-                    subquery = queries[kb.dbms].substring % (expressionUnescaped, 1, len(commonPatternValue))
+                    subquery = queries[kb.dbms].substring % (expressionUnescaped, 1, len(commonPattern))
-                    query = agent.prefixQuery(" %s" % safeStringFormat('AND (%s) = %s', (subquery, unescaper.unescape('\'%s\'' % commonPatternValue))))
+                    testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False)
+                    query = agent.prefixQuery(" %s" % safeStringFormat("AND (%s) = %s", (subquery, testValue)))
                     query = agent.postfixQuery(query)
                     queriesCount[0] += 1
                     result = Request.queryPage(urlencode(agent.payload(newValue=query)))
 
                     # Did we have luck?
                     if result:
-                        val = commonPatternValue[index-1:]
+                        val = commonPattern[index-1:]
                         index += len(val)-1
 
-                # Otherwise if there is no singleValue (single match from
+                # Otherwise if there is no commonValue (single match from
-                # txt/common-outputs.txt) and no commonPatternValue
+                # txt/common-outputs.txt) and no commonPattern
                 # (common pattern) use the returned common charset only
                 # to retrieve the query output
                 if not val and commonCharset:
                     val = getChar(index, commonCharset, False)
 
-                # If we had no luck with singleValue and common charset,
+                # If we had no luck with commonValue and common charset,
                 # use the returned other charset
                 if not val:
                     val = getChar(index, otherCharset, otherCharset == asciiTbl)

txt/common-outputs.txt

@@ -1,3 +1,348 @@
+[Banners]
+
+# MySQL
+4.0.
+4.1.
+5.0.
+5.1.
+5.5.
+
+# PostgreSQL
+PostgreSQL 7.
+PostgreSQL 8.1
+PostgreSQL 8.2
+PostgreSQL 8.3
+PostgreSQL 8.4
+
+# Oracle
+Oracle Database 9i Standard Edition Release
+Oracle Database 9i Express Edition Release
+Oracle Database 9i Enterprise Edition Release
+Oracle Database 10g Standard Edition Release
+Oracle Database 10g Express Edition Release
+Oracle Database 10g Enterprise Edition Release
+Oracle Database 11g Standard Edition Release
+Oracle Database 11g Express Edition Release
+Oracle Database 11g Enterprise Edition Release
+
+
+[Users]
+
+# MySQL >= 5.0
+'debian-sys-maint'@'localhost'
+'root'@'%'
+'root'@'localhost'
+
+# MySQL < 5.0
+debian-sys-maint
+root
+
+# PostgreSQL
+postgres
+
+# Oracle
+ANONYMOUS
+CTXSYS
+DBSNMP
+DIP
+DMSYS
+EXFSYS
+MDDATA
+MDSYS
+MGMT_VIEW
+OLAPSYS
+ORDPLUGINS
+ORDSYS
+OUTLN
+SCOTT
+SI_INFORMTN_SCHEMA
+SYS
+SYSMAN
+SYSTEM
+TSMSYS
+WMSYS
+XDB
+
+
+[Passwords]
+
+# MySQL
+*00E247AC5F9AF26AE0194B41E1E769DEE1429A29 # testpass
+
+# PostgreSQL
+md599e5ea7a6f7c3269995cba3927fd0093
+
+# Oracle
+2D5A0C491B634F1B # testpass
+
+
+[Privileges]
+
+# MySQL >= 5.0
+ALTER
+ALTER ROUTINE
+CREATE
+CREATE ROUTINE
+CREATE TEMPORARY TABLES
+CREATE USER
+CREATE VIEW
+DELETE
+DROP
+EVENT
+EXECUTE
+FILE
+INDEX
+INSERT
+LOCK TABLES
+PROCESS
+REFERENCES
+RELOAD
+REPLICATION CLIENT
+REPLICATION SLAVE
+SELECT
+SHOW DATABASES
+SHOW VIEW
+SHUTDOWN
+SUPER
+TRIGGER
+UPDATE
+USAGE
+
+# MySQL < 5.0
+select_priv
+insert_priv
+update_priv
+delete_priv
+create_priv
+drop_priv
+reload_priv
+shutdown_priv
+process_priv
+file_priv
+grant_priv
+references_priv
+index_priv
+alter_priv
+show_db_priv
+super_priv
+create_tmp_table_priv
+lock_tables_priv
+execute_priv
+repl_slave_priv
+repl_client_priv
+create_view_priv
+show_view_priv
+create_routine_priv
+alter_routine_priv
+create_user_priv
+
+# PostgreSQL
+catupd
+createdb
+super
+
+# Oracle
+ADMINISTER ANY SQL TUNING SET
+ADMINISTER DATABASE TRIGGER
+ADMINISTER RESOURCE MANAGER
+ADMINISTER SQL TUNING SET
+ADVISOR
+ALTER ANY CLUSTER
+ALTER ANY DIMENSION
+ALTER ANY EVALUATION CONTEXT
+ALTER ANY INDEX
+ALTER ANY INDEXTYPE
+ALTER ANY LIBRARY
+ALTER ANY MATERIALIZED VIEW
+ALTER ANY OUTLINE
+ALTER ANY PROCEDURE
+ALTER ANY ROLE
+ALTER ANY RULE
+ALTER ANY RULE SET
+ALTER ANY SEQUENCE
+ALTER ANY SQL PROFILE
+ALTER ANY TABLE
+ALTER ANY TRIGGER
+ALTER ANY TYPE
+ALTER DATABASE
+ALTER PROFILE
+ALTER RESOURCE COST
+ALTER ROLLBACK SEGMENT
+ALTER SESSION
+ALTER SYSTEM
+ALTER TABLESPACE
+ALTER USER
+ANALYZE ANY
+ANALYZE ANY DICTIONARY
+AUDIT ANY
+AUDIT SYSTEM
+BACKUP ANY TABLE
+BECOME USER
+CHANGE NOTIFICATION
+COMMENT ANY TABLE
+CREATE ANY CLUSTER
+CREATE ANY CONTEXT
+CREATE ANY DIMENSION
+CREATE ANY DIRECTORY
+CREATE ANY EVALUATION CONTEXT
+CREATE ANY INDEX
+CREATE ANY INDEXTYPE
+CREATE ANY JOB
+CREATE ANY LIBRARY
+CREATE ANY MATERIALIZED VIEW
+CREATE ANY OPERATOR
+CREATE ANY OUTLINE
+CREATE ANY PROCEDURE
+CREATE ANY RULE
+CREATE ANY RULE SET
+CREATE ANY SEQUENCE
+CREATE ANY SQL PROFILE
+CREATE ANY SYNONYM
+CREATE ANY TABLE
+CREATE ANY TRIGGER
+CREATE ANY TYPE
+CREATE ANY VIEW
+CREATE CLUSTER
+CREATE DATABASE LINK
+CREATE DIMENSION
+CREATE EVALUATION CONTEXT
+CREATE EXTERNAL JOB
+CREATE INDEXTYPE
+CREATE JOB
+CREATE LIBRARY
+CREATE MATERIALIZED VIEW
+CREATE OPERATOR
+CREATE PROCEDURE
+CREATE PROFILE
+CREATE PUBLIC DATABASE LINK
+CREATE PUBLIC SYNONYM
+CREATE ROLE
+CREATE ROLLBACK SEGMENT
+CREATE RULE
+CREATE RULE SET
+CREATE SEQUENCE
+CREATE SESSION
+CREATE SYNONYM
+CREATE TABLE
+CREATE TABLESPACE
+CREATE TRIGGER
+CREATE TYPE
+CREATE USER
+CREATE VIEW
+DEBUG ANY PROCEDURE
+DEBUG CONNECT SESSION
+DELETE ANY TABLE
+DEQUEUE ANY QUEUE
+DROP ANY CLUSTER
+DROP ANY CONTEXT
+DROP ANY DIMENSION
+DROP ANY DIRECTORY
+DROP ANY EVALUATION CONTEXT
+DROP ANY INDEX
+DROP ANY INDEXTYPE
+DROP ANY LIBRARY
+DROP ANY MATERIALIZED VIEW
+DROP ANY OPERATOR
+DROP ANY OUTLINE
+DROP ANY PROCEDURE
+DROP ANY ROLE
+DROP ANY RULE
+DROP ANY RULE SET
+DROP ANY SEQUENCE
+DROP ANY SQL PROFILE
+DROP ANY SYNONYM
+DROP ANY TABLE
+DROP ANY TRIGGER
+DROP ANY TYPE
+DROP ANY VIEW
+DROP PROFILE
+DROP PUBLIC DATABASE LINK
+DROP PUBLIC SYNONYM
+DROP ROLLBACK SEGMENT
+DROP TABLESPACE
+DROP USER
+ENQUEUE ANY QUEUE
+EXECUTE ANY CLASS
+EXECUTE ANY EVALUATION CONTEXT
+EXECUTE ANY INDEXTYPE
+EXECUTE ANY LIBRARY
+EXECUTE ANY OPERATOR
+EXECUTE ANY PROCEDURE
+EXECUTE ANY PROGRAM
+EXECUTE ANY RULE
+EXECUTE ANY RULE SET
+EXECUTE ANY TYPE
+EXPORT FULL DATABASE
+FLASHBACK ANY TABLE
+FORCE ANY TRANSACTION
+FORCE TRANSACTION
+GLOBAL QUERY REWRITE
+GRANT ANY OBJECT PRIVILEGE
+GRANT ANY PRIVILEGE
+GRANT ANY ROLE
+IMPORT FULL DATABASE
+INSERT ANY TABLE
+LOCK ANY TABLE
+MANAGE ANY FILE GROUP
+MANAGE ANY QUEUE
+MANAGE FILE GROUP
+MANAGE SCHEDULER
+MANAGE TABLESPACE
+MERGE ANY VIEW
+ON COMMIT REFRESH
+QUERY REWRITE
+READ ANY FILE GROUP
+RESTRICTED SESSION
+RESUMABLE
+SELECT ANY DICTIONARY
+SELECT ANY SEQUENCE
+SELECT ANY TABLE
+SELECT ANY TRANSACTION
+UNDER ANY TABLE
+UNDER ANY TYPE
+UNDER ANY VIEW
+UNLIMITED TABLESPACE
+UPDATE ANY TABLE
+
+
+[Roles]
+
+# Oracle
+AQ_ADMINISTRATOR_ROLE
+AQ_USER_ROLE
+AUTHENTICATEDUSER
+CONNECT
+CTXAPP
+DBA
+DELETE_CATALOG_ROLE
+EJBCLIENT
+EXECUTE_CATALOG_ROLE
+EXP_FULL_DATABASE
+GATHER_SYSTEM_STATISTICS
+HS_ADMIN_ROLE
+IMP_FULL_DATABASE
+JAVA_ADMIN
+JAVADEBUGPRIV
+JAVA_DEPLOY
+JAVAIDPRIV
+JAVASYSPRIV
+JAVAUSERPRIV
+LOGSTDBY_ADMINISTRATOR
+MGMT_USER
+OEM_ADVISOR
+OEM_MONITOR
+OLAP_DBA
+OLAP_USER
+RECOVERY_CATALOG_OWNER
+RESOURCE
+SCHEDULER_ADMIN
+SELECT_CATALOG_ROLE
+TABLE_ACCESSERS
+WM_ADMIN_ROLE
+XDBADMIN
+XDBWEBSERVICES
+
+
 [Databases]
 
 # MySQL
@@ -5,6 +350,11 @@ information_schema
 mysql
 phpmyadmin
 
+# PostgreSQL
+postgres
+template0
+template1
+
 # Microsoft SQL Server
 tempdb
 model
@@ -13,6 +363,7 @@ msdb
 
 
 [Tables]
+
 # MySQL
 CHARACTER_SETS
 COLLATION_CHARACTER_SET_APPLICABILITY
@@ -66,7 +417,7 @@ time_zone_transition
 time_zone_transition_type
 user
 
-# PHPMyAdmin
+# phpMyAdmin
 pma_bookmark
 pma_column_info
 pma_designer_coords
@@ -468,33 +819,46 @@ systargetservers_view
 systaskids
 
 
-[Passwords]
+[Columns]
 
 # MySQL
-*00E247AC5F9AF26AE0194B41E1E769DEE1429A29 # testpass
+## 'mysql.user' table
-
+Alter_priv
-
+Alter_routine_priv
-[Users]
+Create_priv
-
+Create_routine_priv
-# Oracle
+Create_tmp_table_priv
-SCOTT
+Create_user_priv
-MGMT_VIEW
+Create_view_priv
-MDDATA
+Delete_priv
-SYSMAN
+Drop_priv
-MDSYS
+Event_priv
-SI_INFORMTN_SCHEMA
+Execute_priv
-ORDPLUGINS
+File_priv
-ORDSYS
+Grant_priv
-OLAPSYS
+Host
-ANONYMOUS
+Index_priv
-XDB
+Insert_priv
-CTXSYS
+Lock_tables_priv
-EXFSYS
+max_connections
-WMSYS
+max_questions
-DBSNMP
+max_updates
-TSMSYS
+max_user_connections
-DMSYS
+Password
-DIP
+Process_priv
-OUTLN
+References_priv
-SYSTEM
+Reload_priv
-SYS
+Repl_client_priv
+Repl_slave_priv
+Select_priv
+Show_db_priv
+Show_view_priv
+Shutdown_priv
+ssl_cipher
+ssl_type
+Super_priv
+Trigger_priv
+Update_priv
+User
+x509_issuer
+x509_subject