sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-21 14:02:49 +03:00
Code Issues Packages Projects Releases Wiki Activity

Sybase update (--passwords)

Browse Source
This commit is contained in:
Miroslav Stampar 2011-02-20 12:07:32 +00:00
parent 6e1a08a805
commit 2f9227bcce
1 changed files with 31 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
plugins/generic/enumeration.py
View File

@ -239,6 +239,20 @@ class Enumeration:
query += " WHERE %s = '%s'" % (condition, conf.user) query += " WHERE %s = '%s'" % (condition, conf.user)
if Backend.getIdentifiedDbms() == DBMS.SYBASE:
randStr = randomStr()
getCurrentThreadData().disableStdOut = True
retVal = self.__pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.name' % randStr,'%s.password' % randStr], blind=False)
if retVal:
for user, password in zip(retVal[0]["%s.name" % randStr], retVal[0]["%s.password" % randStr]):
password = "0x%s" % strToHex(password)
if not kb.data.cachedUsersPasswords.has_key(user):
kb.data.cachedUsersPasswords[user] = [password]
else:
kb.data.cachedUsersPasswords[user].append(password)
getCurrentThreadData().disableStdOut = False
return kb.data.cachedUsersPasswords
else:
value = inject.getValue(query, blind=False) value = inject.getValue(query, blind=False)
if value: if value:
@ -265,6 +279,21 @@ class Enumeration:
else: else:
users = kb.data.cachedUsers users = kb.data.cachedUsers
if Backend.getIdentifiedDbms() == DBMS.SYBASE:
randStr = randomStr()
query = rootQuery.inband.query
getCurrentThreadData().disableStdOut = True
retVal = self.__pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.name' % randStr,'%s.password' % randStr], blind=True)
if retVal:
for user, password in zip(retVal[0]["%s.name" % randStr], retVal[0]["%s.password" % randStr]):
password = "0x%s" % strToHex(password)
if not kb.data.cachedUsersPasswords.has_key(user):
kb.data.cachedUsersPasswords[user] = [password]
else:
kb.data.cachedUsersPasswords[user].append(password)
getCurrentThreadData().disableStdOut = False
return kb.data.cachedUsersPasswords
retrievedUsers = set() retrievedUsers = set()
for user in users: for user in users:
@ -305,16 +334,7 @@ class Enumeration:
indexRange = getRange(count, plusOne=plusOne) indexRange = getRange(count, plusOne=plusOne)
for index in indexRange: for index in indexRange:
if Backend.getIdentifiedDbms() == DBMS.SYBASE: if Backend.getIdentifiedDbms() == DBMS.MSSQL:
if index > 0:
warnMsg = "unable to retrieve other password "
warnMsg += "hashes for user '%s'" % user
logger.warn(warnMsg)
break
else:
query = rootQuery.blind.query % user
getCurrentThreadData().disableStdOut = True
elif Backend.getIdentifiedDbms() == DBMS.MSSQL:
if Backend.isVersionWithin(("2005", "2008")): if Backend.isVersionWithin(("2005", "2008")):
query = rootQuery.blind.query2 % (user, index, user) query = rootQuery.blind.query2 % (user, index, user)
else: else:
@ -322,11 +342,6 @@ class Enumeration:
else: else:
query = rootQuery.blind.query % (user, index) query = rootQuery.blind.query % (user, index)
password = inject.getValue(query, inband=False, error=False) password = inject.getValue(query, inband=False, error=False)
if Backend.getIdentifiedDbms() == DBMS.SYBASE:
getCurrentThreadData().disableStdOut = False
password = "0x%s" % strToHex(password)
infoMsg = "retrieved: %s" % password
logger.info(infoMsg)
password = parsePasswordHash(password) password = parsePasswordHash(password)
passwords.append(password) passwords.append(password)