Minor bug fixes and code restyling for --privileges and --passwords

This commit is contained in:
Bernardo Damele 2011-04-30 14:50:27 +00:00
parent f56d135438
commit 36a9ddaacc
2 changed files with 71 additions and 76 deletions


@ -226,6 +226,21 @@ class Enumeration:
logger.info(infoMsg) logger.info(infoMsg)
if conf.user and Backend.isDbms(DBMS.ORACLE):
conf.user = conf.user.upper()
if conf.user:
users = conf.user.split(",")
if Backend.isDbms(DBMS.MYSQL):
for user in users:
parsedUser = re.search("[\047]*(.*?)[\047]*\@", user)
if parsedUser:
users[users.index(user)] = parsedUser.groups()[0]
else:
users = []
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct: if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct:
if Backend.getIdentifiedDbms() == DBMS.MSSQL and Backend.isVersionWithin(("2005", "2008")): if Backend.getIdentifiedDbms() == DBMS.MSSQL and Backend.isVersionWithin(("2005", "2008")):
query = rootQuery.inband.query2 query = rootQuery.inband.query2
@ -235,27 +250,18 @@ class Enumeration:
condition = rootQuery.inband.condition condition = rootQuery.inband.condition
if conf.user: if conf.user:
if "," in conf.user: query += " WHERE "
users = conf.user.split(",") query += " OR ".join("%s = '%s'" % (condition, user) for user in users)
query += " WHERE "
query += " OR ".join("%s = '%s'" % (condition, user) for user in users)
else:
if Backend.getIdentifiedDbms() == DBMS.MYSQL:
parsedUser = re.search("[\047]*(.*?)[\047]*\@", conf.user)
if parsedUser:
conf.user = parsedUser.groups()[0]
query += " WHERE %s = '%s'" % (condition, conf.user)
if Backend.getIdentifiedDbms() == DBMS.SYBASE: if Backend.getIdentifiedDbms() == DBMS.SYBASE:
randStr = randomStr() randStr = randomStr()
getCurrentThreadData().disableStdOut = True getCurrentThreadData().disableStdOut = True
retVal = self.__pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.name' % randStr,'%s.password' % randStr], blind=False) retVal = self.__pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.name' % randStr,'%s.password' % randStr], blind=False)
if retVal: if retVal:
for user, password in zip(retVal[0]["%s.name" % randStr], retVal[0]["%s.password" % randStr]): for user, password in zip(retVal[0]["%s.name" % randStr], retVal[0]["%s.password" % randStr]):
#password = "0x%s" % strToHex(password) # password = "0x%s" % strToHex(password)
if not kb.data.cachedUsersPasswords.has_key(user): if not kb.data.cachedUsersPasswords.has_key(user):
kb.data.cachedUsersPasswords[user] = [password] kb.data.cachedUsersPasswords[user] = [password]
else: else:
@ -278,16 +284,15 @@ class Enumeration:
kb.data.cachedUsersPasswords[user].append(password) kb.data.cachedUsersPasswords[user].append(password)
if not kb.data.cachedUsersPasswords and not conf.direct: if not kb.data.cachedUsersPasswords and not conf.direct:
if conf.user: if not len(users):
if "," in conf.user: users = self.getUsers()
users = conf.user.split(",")
else: if Backend.isDbms(DBMS.MYSQL):
users = [conf.user] for user in users:
else: parsedUser = re.search("[\047]*(.*?)[\047]*\@", user)
if not len(kb.data.cachedUsers):
users = self.getUsers() if parsedUser:
else: users[users.index(user)] = parsedUser.groups()[0]
users = kb.data.cachedUsers
if Backend.getIdentifiedDbms() == DBMS.SYBASE: if Backend.getIdentifiedDbms() == DBMS.SYBASE:
getCurrentThreadData().disableStdOut = True getCurrentThreadData().disableStdOut = True
@ -296,27 +301,22 @@ class Enumeration:
query = rootQuery.inband.query query = rootQuery.inband.query
retVal = self.__pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.name' % randStr,'%s.password' % randStr], blind=True) retVal = self.__pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.name' % randStr,'%s.password' % randStr], blind=True)
if retVal: if retVal:
for user, password in zip(retVal[0]["%s.name" % randStr], retVal[0]["%s.password" % randStr]): for user, password in zip(retVal[0]["%s.name" % randStr], retVal[0]["%s.password" % randStr]):
password = "0x%s" % strToHex(password) password = "0x%s" % strToHex(password)
if not kb.data.cachedUsersPasswords.has_key(user): if not kb.data.cachedUsersPasswords.has_key(user):
kb.data.cachedUsersPasswords[user] = [password] kb.data.cachedUsersPasswords[user] = [password]
else: else:
kb.data.cachedUsersPasswords[user].append(password) kb.data.cachedUsersPasswords[user].append(password)
getCurrentThreadData().disableStdOut = False getCurrentThreadData().disableStdOut = False
else: else:
retrievedUsers = set() retrievedUsers = set()
for user in users: for user in users:
if Backend.getIdentifiedDbms() == DBMS.MYSQL: if user in retrievedUsers:
parsedUser = re.search("[\047]*(.*?)[\047]*\@", user)
if parsedUser:
user = parsedUser.groups()[0]
if not user or user in retrievedUsers:
continue continue
infoMsg = "fetching number of password hashes " infoMsg = "fetching number of password hashes "
@ -419,6 +419,21 @@ class Enumeration:
logger.info(infoMsg) logger.info(infoMsg)
if conf.user and Backend.isDbms(DBMS.ORACLE):
conf.user = conf.user.upper()
if conf.user:
users = conf.user.split(",")
if Backend.isDbms(DBMS.MYSQL):
for user in users:
parsedUser = re.search("[\047]*(.*?)[\047]*\@", user)
if parsedUser:
users[users.index(user)] = parsedUser.groups()[0]
else:
users = []
# Set containing the list of DBMS administrators # Set containing the list of DBMS administrators
areAdmins = set() areAdmins = set()
@ -434,13 +449,10 @@ class Enumeration:
condition = rootQuery.inband.condition condition = rootQuery.inband.condition
if conf.user: if conf.user:
users = conf.user.split(",")
query += " WHERE " query += " WHERE "
# NOTE: I assume that the user provided is not in
# MySQL >= 5.0 syntax 'user'@'host'
if Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema: if Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema:
queryUser = "%" + conf.user + "%" query += " OR ".join("%s LIKE '%%%s%%'" % (condition, user) for user in users)
query += " OR ".join("%s LIKE '%s'" % (condition, "%" + user + "%") for user in users)
else: else:
query += " OR ".join("%s = '%s'" % (condition, user) for user in users) query += " OR ".join("%s = '%s'" % (condition, user) for user in users)
@ -492,59 +504,42 @@ class Enumeration:
kb.data.cachedUsersPrivileges[user] = list(privileges) kb.data.cachedUsersPrivileges[user] = list(privileges)
if not kb.data.cachedUsersPrivileges and not conf.direct: if not kb.data.cachedUsersPrivileges and not conf.direct:
conditionChar = "=" if Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema:
conditionChar = " LIKE "
else:
conditionChar = "="
if conf.user: if not len(users):
if Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema: users = self.getUsers()
conditionChar = " LIKE "
if "," in conf.user: if Backend.isDbms(DBMS.MYSQL):
users = set() for user in users:
for user in conf.user.split(","): parsedUser = re.search("[\047]*(.*?)[\047]*\@", user)
users.add("%" + user + "%")
else:
parsedUser = re.search("[\047]*(.*?)[\047]*\@", conf.user)
if parsedUser: if parsedUser:
conf.user = parsedUser.groups()[0] users[users.index(user)] = parsedUser.groups()[0]
users = [ "%" + conf.user + "%" ]
else:
users = conf.user.split(",")
else:
if not len(kb.data.cachedUsers):
users = self.getUsers()
else:
users = kb.data.cachedUsers
retrievedUsers = set() retrievedUsers = set()
for user in users: for user in users:
unescapedUser = None if user in retrievedUsers:
continue
if Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema: if Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema:
unescapedUser = unescaper.unescape(user, quote=False) user = "%%%s%%" % user
if not user or user in retrievedUsers:
continue
infoMsg = "fetching number of privileges " infoMsg = "fetching number of privileges "
infoMsg += "for user '%s'" % user infoMsg += "for user '%s'" % user
logger.info(infoMsg) logger.info(infoMsg)
if unescapedUser:
queryUser = unescapedUser
else:
queryUser = user
if Backend.getIdentifiedDbms() == DBMS.MYSQL and not kb.data.has_information_schema: if Backend.getIdentifiedDbms() == DBMS.MYSQL and not kb.data.has_information_schema:
query = rootQuery.blind.count2 % queryUser query = rootQuery.blind.count2 % user
elif Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema: elif Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema:
query = rootQuery.blind.count % (conditionChar, queryUser) query = rootQuery.blind.count % (conditionChar, user)
elif Backend.getIdentifiedDbms() == DBMS.ORACLE and query2: elif Backend.getIdentifiedDbms() == DBMS.ORACLE and query2:
query = rootQuery.blind.count2 % queryUser query = rootQuery.blind.count2 % user
else: else:
query = rootQuery.blind.count % queryUser query = rootQuery.blind.count % user
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=2) count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=2)
if not isNumPosStrValue(count): if not isNumPosStrValue(count):
@ -572,15 +567,15 @@ class Enumeration:
for index in indexRange: for index in indexRange:
if Backend.getIdentifiedDbms() == DBMS.MYSQL and not kb.data.has_information_schema: if Backend.getIdentifiedDbms() == DBMS.MYSQL and not kb.data.has_information_schema:
query = rootQuery.blind.query2 % (queryUser, index) query = rootQuery.blind.query2 % (user, index)
elif Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema: elif Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema:
query = rootQuery.blind.query % (conditionChar, queryUser, index) query = rootQuery.blind.query % (conditionChar, user, index)
elif Backend.getIdentifiedDbms() == DBMS.ORACLE and query2: elif Backend.getIdentifiedDbms() == DBMS.ORACLE and query2:
query = rootQuery.blind.query2 % (queryUser, index) query = rootQuery.blind.query2 % (user, index)
elif Backend.getIdentifiedDbms() == DBMS.FIREBIRD: elif Backend.getIdentifiedDbms() == DBMS.FIREBIRD:
query = rootQuery.blind.query % (index, queryUser) query = rootQuery.blind.query % (index, user)
else: else:
query = rootQuery.blind.query % (queryUser, index) query = rootQuery.blind.query % (user, index)
privilege = inject.getValue(query, inband=False, error=False) privilege = inject.getValue(query, inband=False, error=False)
# In PostgreSQL we get 1 if the privilege is True, # In PostgreSQL we get 1 if the privilege is True,
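Review bot: The `user = "%%%s%%" % user` rebinding in the privileges blind path (the line under `if Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema:`, just before the "fetching number of privileges" message) leaks the LIKE-wildcard form into the log line `for user '%s'`, and presumably also into `retrievedUsers` and the `kb.data.cachedUsersPrivileges` key further down, which lie outside the hunk — the old code kept a separate `queryUser` for exactly this reason. Keep the loop variable intact: `queryUser = "%%%s%%" % user` in that branch, `queryUser = user` otherwise, and pass `queryUser` to the `rootQuery.blind.count` / `rootQuery.blind.query` formats. The `unescaper.unescape(user, quote=False)` call was dropped as well, so the operator-supplied name now reaches the statement as a raw quoted literal via the template's `'%s'`: a name containing `'` breaks the query, and in the LIKE branch any `%` or `_` in the name is an unescaped wildcard, so a short name such as `ro` also matches `root`'s grantee rows. Whether `inject.getValue` still converts the literal for quote-filtered targets is not visible here and is worth confirming. The enclosing method begins before the hunk.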


@ -40,7 +40,7 @@
</passwords> </passwords>
<privileges> <privileges>
<inband query="SELECT grantee,privilege_type FROM information_schema.USER_PRIVILEGES" condition="grantee" query2="SELECT user,select_priv,insert_priv,update_priv,delete_priv,create_priv,drop_priv,reload_priv,shutdown_priv,process_priv,file_priv,grant_priv,references_priv,index_priv,alter_priv,show_db_priv,super_priv,create_tmp_table_priv,lock_tables_priv,execute_priv,repl_slave_priv,repl_client_priv,create_view_priv,show_view_priv,create_routine_priv,alter_routine_priv,create_user_priv FROM mysql.user" condition2="user"/> <inband query="SELECT grantee,privilege_type FROM information_schema.USER_PRIVILEGES" condition="grantee" query2="SELECT user,select_priv,insert_priv,update_priv,delete_priv,create_priv,drop_priv,reload_priv,shutdown_priv,process_priv,file_priv,grant_priv,references_priv,index_priv,alter_priv,show_db_priv,super_priv,create_tmp_table_priv,lock_tables_priv,execute_priv,repl_slave_priv,repl_client_priv,create_view_priv,show_view_priv,create_routine_priv,alter_routine_priv,create_user_priv FROM mysql.user" condition2="user"/>
<blind query="SELECT DISTINCT(privilege_type) FROM information_schema.USER_PRIVILEGES WHERE grantee%s%s LIMIT %d,1" query2="SELECT select_priv,insert_priv,update_priv,delete_priv,create_priv,drop_priv,reload_priv,shutdown_priv,process_priv,file_priv,grant_priv,references_priv,index_priv,alter_priv,show_db_priv,super_priv,create_tmp_table_priv,lock_tables_priv,execute_priv,repl_slave_priv,repl_client_priv,create_view_priv,show_view_priv,create_routine_priv,alter_routine_priv,create_user_priv FROM mysql.user WHERE user='%s' LIMIT %d,1" count="SELECT COUNT(DISTINCT(privilege_type)) FROM information_schema.USER_PRIVILEGES WHERE grantee%s%s" count2="SELECT COUNT(*) FROM mysql.user WHERE user='%s'"/> <blind query="SELECT DISTINCT(privilege_type) FROM information_schema.USER_PRIVILEGES WHERE grantee%s'%s' LIMIT %d,1" query2="SELECT select_priv,insert_priv,update_priv,delete_priv,create_priv,drop_priv,reload_priv,shutdown_priv,process_priv,file_priv,grant_priv,references_priv,index_priv,alter_priv,show_db_priv,super_priv,create_tmp_table_priv,lock_tables_priv,execute_priv,repl_slave_priv,repl_client_priv,create_view_priv,show_view_priv,create_routine_priv,alter_routine_priv,create_user_priv FROM mysql.user WHERE user='%s' LIMIT %d,1" count="SELECT COUNT(DISTINCT(privilege_type)) FROM information_schema.USER_PRIVILEGES WHERE grantee%s'%s'" count2="SELECT COUNT(*) FROM mysql.user WHERE user='%s'"/>
</privileges> </privileges>
<roles/> <roles/>
<dbs> <dbs>
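Review bot: The `blind` templates now carry their own quotes (`grantee%s'%s'`), so the second `%s` must receive a bare name — a caller that still passes an unescaped or pre-quoted value, as the old `unescaper.unescape(user, quote=False)` path did, would now produce `grantee LIKE '0x...'` and silently match nothing. That coupling with the Python side is not recorded anywhere; an XML comment above the element, such as `<!-- blind: first %s is the comparison operator ("=" or " LIKE "), second %s the bare user name (quoting is done here) -->`, would make it explicit. Note also that the first `%s` of `query` and `count` is an operator rather than a value, which is unusual for these templates and easy to mis-order.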