Minor enhancements and bug fixes to "good samaritan" feature - see #4

Bernardo Damele 2010-06-21 14:40:12 +00:00
parent b98f6ac71c
commit 17e228024b
3 changed files with 444 additions and 72 deletions


@ -1228,19 +1228,16 @@ def initCommonOutputs():
cfile.close()
def goGoodSamaritan(part, prevValue, originalCharset):
def goGoodSamaritan(prevValue, originalCharset):
"""
Function for retrieving parameters needed for common prediction (good
samaritan) feature.
part is for instance Users, Databases, Tables and corresponds to the
header (e.g. [Users]) in txt/common-outputs.txt.
prevValue: retrieved query output so far (e.g. 'i').
Returns singleValue if there is a complete single match (in part of
txt/common-outputs.txt under 'part') regarding parameter prevValue. If
there is no single value match, but multiple, commonCharset is
Returns commonValue if there is a complete single match (in kb.partRun
of txt/common-outputs.txt under kb.partRun) regarding parameter
prevValue. If there is no single value match, but multiple, commonCharset is
returned containing more probable characters (retrieved from matched
values in txt/common-outputs.txt) together with the rest of charset as
otherCharset.
@ -1250,29 +1247,28 @@ def goGoodSamaritan(part, prevValue, originalCharset):
initCommonOutputs()
predictionSet = set()
wildIndexes = []
singleValue = None
commonPatternValue = None
countSingleValues = 0
commonValue = None
commonPattern = None
countCommonValue = 0
# If the header (e.g. Databases) we are looking for has common
# outputs defined
if part in kb.commonOutputs:
commonPartOutputs = kb.commonOutputs[part]
commonPatternValue = common_finder_only(prevValue, commonPartOutputs)
if kb.partRun in kb.commonOutputs:
commonPartOutputs = kb.commonOutputs[kb.partRun]
commonPattern = common_finder_only(prevValue, commonPartOutputs)
# If the longest common prefix is the same as previous value then
# do not consider it
if commonPatternValue and commonPatternValue == prevValue:
commonPatternValue = None
if commonPattern and commonPattern == prevValue:
commonPattern = None
# For each common output
for item in commonPartOutputs:
# Check if the common output (item) starts with prevValue
# where prevValue is the enumerated character(s) so far
if item.startswith(prevValue):
singleValue = item
countSingleValues += 1
commonValue = item
countCommonValue += 1
if len(item) > len(prevValue):
char = item[len(prevValue)]
@ -1280,8 +1276,8 @@ def goGoodSamaritan(part, prevValue, originalCharset):
# Reset single value if there is more than one possible common
# output
if countSingleValues > 1:
singleValue = None
if countCommonValue > 1:
commonValue = None
commonCharset = []
otherCharset = []
@ -1296,7 +1292,7 @@ def goGoodSamaritan(part, prevValue, originalCharset):
commonCharset.sort()
return singleValue, commonPatternValue, commonCharset, originalCharset
return commonValue, commonPattern, commonCharset, originalCharset
else:
return None, None, None, originalCharset
@ -1322,18 +1318,25 @@ def getPartRun():
retVal = None
commonPartsDict = optDict["Enumeration"]
stack = [item[4][0] if isinstance(item[4], list) else '' for item in inspect.stack()]
reobj = getCompiledRegex('conf\.dbmsHandler\.([^(]+)\(\)')
reobj1 = getCompiledRegex('conf\.dbmsHandler\.([^(]+)\(\)')
reobj2 = getCompiledRegex('self\.(get[^(]+)\(\)')
# Goes backwards through the stack to find the conf.dbmsHandler method
# calling this function
for i in xrange(len(stack) - 1, 0, -1):
match = reobj.search(stack[i])
for i in xrange(0, len(stack)-1):
for reobj in (reobj2, reobj1):
match = reobj.search(stack[i])
if match:
# This is the calling conf.dbmsHandler method (e.g. 'getDbms')
retVal = match.groups()[0]
if match:
# This is the calling conf.dbmsHandler or self method
# (e.g. 'getDbms')
retVal = match.groups()[0]
break
if retVal is not None:
break
# Return the INI tag to consider for common outputs (e.g. 'Databases')
return commonPartsDict[retVal][1] if retVal in commonPartsDict else retVal
def getCommonStart(strings=[]):
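Review bot: The two patterns handed to getCompiledRegex in the getPartRun hunk are plain string literals containing `\.` and `\(`, which only survive because Python keeps unknown escape sequences; they should be raw strings, `reobj1 = getCompiledRegex(r'conf\.dbmsHandler\.([^(]+)\(\)')` and `reobj2 = getCompiledRegex(r'self\.(get[^(]+)\(\)')`. The rewritten loop now walks from the innermost frame outwards and returns at the first match, trying the `self.get*` pattern before the `conf.dbmsHandler.*` one on each frame, but `xrange(0, len(stack)-1)` never examines the outermost frame, whereas the old backward loop skipped frame 0 instead; if that is intentional a comment such as `# outermost frame is never a dbmsHandler call` at the loop would make it clear. The lookup also depends on `inspect.stack()` supplying source text for each frame (`item[4]`), which is replaced by `''` when absent, so `retVal` silently stays `None` for frames without source; a one-line comment at the `stack = ...` assignment would record that limitation. getPartRun continues above this hunk.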


@ -417,53 +417,58 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
# the moment
if conf.useCommonPrediction and len(finalValue) > 0 and kb.partRun is not None:
val = None
singleValue, commonPatternValue, commonCharset, otherCharset = goGoodSamaritan(kb.partRun, finalValue, asciiTbl)
commonValue, commonPattern, commonCharset, otherCharset = goGoodSamaritan(finalValue, asciiTbl)
# Debug print
#print "\ncommonValue, commonPattern, commonCharset:", commonValue, commonPattern, commonCharset
# If there is one single output in common-outputs, check
# it via equal against the query output
if singleValue is not None:
# One-shot query containing equals singleValue
query = agent.prefixQuery(" %s" % safeStringFormat('AND (%s) = %s', (expressionUnescaped, unescaper.unescape('\'%s\'' % singleValue))))
if commonValue is not None:
# One-shot query containing equals commonValue
testValue = unescaper.unescape("'%s'" % commonValue) if "'" not in commonValue else unescaper.unescape("%s" % commonValue, quote=False)
query = agent.prefixQuery(" %s" % safeStringFormat("AND (%s) = %s", (expressionUnescaped, testValue)))
query = agent.postfixQuery(query)
queriesCount[0] += 1
result = Request.queryPage(urlencode(agent.payload(newValue=query)))
# Did we have luck?
if result:
dataToSessionFile(replaceNewlineTabs(singleValue[index-1:]))
dataToSessionFile(replaceNewlineTabs(commonValue[index-1:]))
if showEta:
etaProgressUpdate(time.time() - charStart, len(singleValue))
etaProgressUpdate(time.time() - charStart, len(commonValue))
elif conf.verbose >= 1:
dataToStdout(singleValue[index-1:])
dataToStdout(commonValue[index-1:])
finalValue = singleValue
finalValue = commonValue
break
# If there is a common pattern starting with finalValue,
# check it via equal against the substring-query output
if commonPatternValue is not None:
# Substring-query containing equals commonPatternValue
subquery = queries[kb.dbms].substring % (expressionUnescaped, 1, len(commonPatternValue))
query = agent.prefixQuery(" %s" % safeStringFormat('AND (%s) = %s', (subquery, unescaper.unescape('\'%s\'' % commonPatternValue))))
if commonPattern is not None:
# Substring-query containing equals commonPattern
subquery = queries[kb.dbms].substring % (expressionUnescaped, 1, len(commonPattern))
testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False)
query = agent.prefixQuery(" %s" % safeStringFormat("AND (%s) = %s", (subquery, testValue)))
query = agent.postfixQuery(query)
queriesCount[0] += 1
result = Request.queryPage(urlencode(agent.payload(newValue=query)))
# Did we have luck?
if result:
val = commonPatternValue[index-1:]
val = commonPattern[index-1:]
index += len(val)-1
# Otherwise if there is no singleValue (single match from
# txt/common-outputs.txt) and no commonPatternValue
# Otherwise if there is no commonValue (single match from
# txt/common-outputs.txt) and no commonPattern
# (common pattern) use the returned common charset only
# to retrieve the query output
if not val and commonCharset:
val = getChar(index, commonCharset, False)
# If we had no luck with singleValue and common charset,
# If we had no luck with commonValue and common charset,
# use the returned other charset
if not val:
val = getChar(index, otherCharset, otherCharset == asciiTbl)
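Review bot: The `testValue = unescaper.unescape("'%s'" % ...) if "'" not in ... else unescaper.unescape("%s" % ..., quote=False)` expression is duplicated verbatim for `commonValue` and again for `commonPattern`; a local helper such as `def _unescapeValue(value): return unescaper.unescape("'%s'" % value) if "'" not in value else unescaper.unescape("%s" % value, quote=False)` would keep the two one-shot checks from drifting apart. The commented-out `#print "\ncommonValue, commonPattern, commonCharset:" ...` debug line should be deleted rather than left in the hunk. Both shortcuts confirm a candidate with a plain `=` comparison on the whole value, which on a case-insensitive collation could presumably accept a candidate differing only in letter case from the real output, whereas the character-by-character path it bypasses appears to compare exact character codes; if that is acceptable, a comment at the `if commonValue is not None:` branch should state the assumption. bisection starts and ends outside this hunk.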


@ -1,3 +1,348 @@
[Banners]
# MySQL
4.0.
4.1.
5.0.
5.1.
5.5.
# PostgreSQL
PostgreSQL 7.
PostgreSQL 8.1
PostgreSQL 8.2
PostgreSQL 8.3
PostgreSQL 8.4
# Oracle
Oracle Database 9i Standard Edition Release
Oracle Database 9i Express Edition Release
Oracle Database 9i Enterprise Edition Release
Oracle Database 10g Standard Edition Release
Oracle Database 10g Express Edition Release
Oracle Database 10g Enterprise Edition Release
Oracle Database 11g Standard Edition Release
Oracle Database 11g Express Edition Release
Oracle Database 11g Enterprise Edition Release
[Users]
# MySQL >= 5.0
'debian-sys-maint'@'localhost'
'root'@'%'
'root'@'localhost'
# MySQL < 5.0
debian-sys-maint
root
# PostgreSQL
postgres
# Oracle
ANONYMOUS
CTXSYS
DBSNMP
DIP
DMSYS
EXFSYS
MDDATA
MDSYS
MGMT_VIEW
OLAPSYS
ORDPLUGINS
ORDSYS
OUTLN
SCOTT
SI_INFORMTN_SCHEMA
SYS
SYSMAN
SYSTEM
TSMSYS
WMSYS
XDB
[Passwords]
# MySQL
*00E247AC5F9AF26AE0194B41E1E769DEE1429A29 # testpass
# PostgreSQL
md599e5ea7a6f7c3269995cba3927fd0093
# Oracle
2D5A0C491B634F1B # testpass
[Privileges]
# MySQL >= 5.0
ALTER
ALTER ROUTINE
CREATE
CREATE ROUTINE
CREATE TEMPORARY TABLES
CREATE USER
CREATE VIEW
DELETE
DROP
EVENT
EXECUTE
FILE
INDEX
INSERT
LOCK TABLES
PROCESS
REFERENCES
RELOAD
REPLICATION CLIENT
REPLICATION SLAVE
SELECT
SHOW DATABASES
SHOW VIEW
SHUTDOWN
SUPER
TRIGGER
UPDATE
USAGE
# MySQL < 5.0
select_priv
insert_priv
update_priv
delete_priv
create_priv
drop_priv
reload_priv
shutdown_priv
process_priv
file_priv
grant_priv
references_priv
index_priv
alter_priv
show_db_priv
super_priv
create_tmp_table_priv
lock_tables_priv
execute_priv
repl_slave_priv
repl_client_priv
create_view_priv
show_view_priv
create_routine_priv
alter_routine_priv
create_user_priv
# PostgreSQL
catupd
createdb
super
# Oracle
ADMINISTER ANY SQL TUNING SET
ADMINISTER DATABASE TRIGGER
ADMINISTER RESOURCE MANAGER
ADMINISTER SQL TUNING SET
ADVISOR
ALTER ANY CLUSTER
ALTER ANY DIMENSION
ALTER ANY EVALUATION CONTEXT
ALTER ANY INDEX
ALTER ANY INDEXTYPE
ALTER ANY LIBRARY
ALTER ANY MATERIALIZED VIEW
ALTER ANY OUTLINE
ALTER ANY PROCEDURE
ALTER ANY ROLE
ALTER ANY RULE
ALTER ANY RULE SET
ALTER ANY SEQUENCE
ALTER ANY SQL PROFILE
ALTER ANY TABLE
ALTER ANY TRIGGER
ALTER ANY TYPE
ALTER DATABASE
ALTER PROFILE
ALTER RESOURCE COST
ALTER ROLLBACK SEGMENT
ALTER SESSION
ALTER SYSTEM
ALTER TABLESPACE
ALTER USER
ANALYZE ANY
ANALYZE ANY DICTIONARY
AUDIT ANY
AUDIT SYSTEM
BACKUP ANY TABLE
BECOME USER
CHANGE NOTIFICATION
COMMENT ANY TABLE
CREATE ANY CLUSTER
CREATE ANY CONTEXT
CREATE ANY DIMENSION
CREATE ANY DIRECTORY
CREATE ANY EVALUATION CONTEXT
CREATE ANY INDEX
CREATE ANY INDEXTYPE
CREATE ANY JOB
CREATE ANY LIBRARY
CREATE ANY MATERIALIZED VIEW
CREATE ANY OPERATOR
CREATE ANY OUTLINE
CREATE ANY PROCEDURE
CREATE ANY RULE
CREATE ANY RULE SET
CREATE ANY SEQUENCE
CREATE ANY SQL PROFILE
CREATE ANY SYNONYM
CREATE ANY TABLE
CREATE ANY TRIGGER
CREATE ANY TYPE
CREATE ANY VIEW
CREATE CLUSTER
CREATE DATABASE LINK
CREATE DIMENSION
CREATE EVALUATION CONTEXT
CREATE EXTERNAL JOB
CREATE INDEXTYPE
CREATE JOB
CREATE LIBRARY
CREATE MATERIALIZED VIEW
CREATE OPERATOR
CREATE PROCEDURE
CREATE PROFILE
CREATE PUBLIC DATABASE LINK
CREATE PUBLIC SYNONYM
CREATE ROLE
CREATE ROLLBACK SEGMENT
CREATE RULE
CREATE RULE SET
CREATE SEQUENCE
CREATE SESSION
CREATE SYNONYM
CREATE TABLE
CREATE TABLESPACE
CREATE TRIGGER
CREATE TYPE
CREATE USER
CREATE VIEW
DEBUG ANY PROCEDURE
DEBUG CONNECT SESSION
DELETE ANY TABLE
DEQUEUE ANY QUEUE
DROP ANY CLUSTER
DROP ANY CONTEXT
DROP ANY DIMENSION
DROP ANY DIRECTORY
DROP ANY EVALUATION CONTEXT
DROP ANY INDEX
DROP ANY INDEXTYPE
DROP ANY LIBRARY
DROP ANY MATERIALIZED VIEW
DROP ANY OPERATOR
DROP ANY OUTLINE
DROP ANY PROCEDURE
DROP ANY ROLE
DROP ANY RULE
DROP ANY RULE SET
DROP ANY SEQUENCE
DROP ANY SQL PROFILE
DROP ANY SYNONYM
DROP ANY TABLE
DROP ANY TRIGGER
DROP ANY TYPE
DROP ANY VIEW
DROP PROFILE
DROP PUBLIC DATABASE LINK
DROP PUBLIC SYNONYM
DROP ROLLBACK SEGMENT
DROP TABLESPACE
DROP USER
ENQUEUE ANY QUEUE
EXECUTE ANY CLASS
EXECUTE ANY EVALUATION CONTEXT
EXECUTE ANY INDEXTYPE
EXECUTE ANY LIBRARY
EXECUTE ANY OPERATOR
EXECUTE ANY PROCEDURE
EXECUTE ANY PROGRAM
EXECUTE ANY RULE
EXECUTE ANY RULE SET
EXECUTE ANY TYPE
EXPORT FULL DATABASE
FLASHBACK ANY TABLE
FORCE ANY TRANSACTION
FORCE TRANSACTION
GLOBAL QUERY REWRITE
GRANT ANY OBJECT PRIVILEGE
GRANT ANY PRIVILEGE
GRANT ANY ROLE
IMPORT FULL DATABASE
INSERT ANY TABLE
LOCK ANY TABLE
MANAGE ANY FILE GROUP
MANAGE ANY QUEUE
MANAGE FILE GROUP
MANAGE SCHEDULER
MANAGE TABLESPACE
MERGE ANY VIEW
ON COMMIT REFRESH
QUERY REWRITE
READ ANY FILE GROUP
RESTRICTED SESSION
RESUMABLE
SELECT ANY DICTIONARY
SELECT ANY SEQUENCE
SELECT ANY TABLE
SELECT ANY TRANSACTION
UNDER ANY TABLE
UNDER ANY TYPE
UNDER ANY VIEW
UNLIMITED TABLESPACE
UPDATE ANY TABLE
[Roles]
# Oracle
AQ_ADMINISTRATOR_ROLE
AQ_USER_ROLE
AUTHENTICATEDUSER
CONNECT
CTXAPP
DBA
DELETE_CATALOG_ROLE
EJBCLIENT
EXECUTE_CATALOG_ROLE
EXP_FULL_DATABASE
GATHER_SYSTEM_STATISTICS
HS_ADMIN_ROLE
IMP_FULL_DATABASE
JAVA_ADMIN
JAVADEBUGPRIV
JAVA_DEPLOY
JAVAIDPRIV
JAVASYSPRIV
JAVAUSERPRIV
LOGSTDBY_ADMINISTRATOR
MGMT_USER
OEM_ADVISOR
OEM_MONITOR
OLAP_DBA
OLAP_USER
RECOVERY_CATALOG_OWNER
RESOURCE
SCHEDULER_ADMIN
SELECT_CATALOG_ROLE
TABLE_ACCESSERS
WM_ADMIN_ROLE
XDBADMIN
XDBWEBSERVICES
[Databases]
# MySQL
@ -5,6 +350,11 @@ information_schema
mysql
phpmyadmin
# PostgreSQL
postgres
template0
template1
# Microsoft SQL Server
tempdb
model
@ -13,6 +363,7 @@ msdb
[Tables]
# MySQL
CHARACTER_SETS
COLLATION_CHARACTER_SET_APPLICABILITY
@ -66,7 +417,7 @@ time_zone_transition
time_zone_transition_type
user
# PHPMyAdmin
# phpMyAdmin
pma_bookmark
pma_column_info
pma_designer_coords
@ -468,33 +819,46 @@ systargetservers_view
systaskids
[Passwords]
[Columns]
# MySQL
*00E247AC5F9AF26AE0194B41E1E769DEE1429A29 # testpass
[Users]
# Oracle
SCOTT
MGMT_VIEW
MDDATA
SYSMAN
MDSYS
SI_INFORMTN_SCHEMA
ORDPLUGINS
ORDSYS
OLAPSYS
ANONYMOUS
XDB
CTXSYS
EXFSYS
WMSYS
DBSNMP
TSMSYS
DMSYS
DIP
OUTLN
SYSTEM
SYS
## 'mysql.user' table
Alter_priv
Alter_routine_priv
Create_priv
Create_routine_priv
Create_tmp_table_priv
Create_user_priv
Create_view_priv
Delete_priv
Drop_priv
Event_priv
Execute_priv
File_priv
Grant_priv
Host
Index_priv
Insert_priv
Lock_tables_priv
max_connections
max_questions
max_updates
max_user_connections
Password
Process_priv
References_priv
Reload_priv
Repl_client_priv
Repl_slave_priv
Select_priv
Show_db_priv
Show_view_priv
Shutdown_priv
ssl_cipher
ssl_type
Super_priv
Trigger_priv
Update_priv
User
x509_issuer
x509_subject