From 3fe493b63ddfd507a6332528357455f092cc4be7 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Thu, 18 Dec 2008 20:41:11 +0000
Subject: [PATCH] Minor enhancement to support an option (--is-dba) to show if the current user is a database management system administrator.
---
doc/ChangeLog | 11 +++++++++++
lib/controller/action.py | 3 +++
lib/core/optiondict.py | 1 +
lib/parse/cmdline.py | 4 ++++
lib/parse/queriesfile.py | 4 ++++
plugins/generic/enumeration.py | 11 +++++++++++
sqlmap.conf | 4 ++++
xml/queries.xml | 4 ++++
8 files changed, 42 insertions(+)
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 6d9271075..c5263a367 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,14 @@
+sqlmap (0.6.4-1) stable; urgency=low
+
+ * Minor enhancement to support an option (--is-dba) to show if the
+ current user is a database management system administrator;
+ * Major bug fix to avoid tracebacks when multiple targets are specified
+ and one of them is not reachable;
+ * Minor bug fix to make the --postfix work even if --prefix is not
+ provided;
+
+ -- Bernardo Damele A. G. Day, DD MMM 2009 10:00:00 +0000
+
 sqlmap (0.6.3-1) stable; urgency=low
 * Major enhancement to get list of targets to test from Burp proxy
diff --git a/lib/controller/action.py b/lib/controller/action.py
index 6a139c6bb..e3d5bd8d3 100644
--- a/lib/controller/action.py
+++ b/lib/controller/action.py
@@ -90,6 +90,9 @@ def action():
 if conf.getCurrentDb:
 dumper.string("current database", conf.dbmsHandler.getCurrentDb())
+ if conf.isDba:
+ dumper.string("current user is DBA", conf.dbmsHandler.isDba())
+
 if conf.getUsers:
 dumper.lister("database management system users", conf.dbmsHandler.getUsers())
diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py
index b5d25499b..7583b9d4b 100644
--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@@ -74,6 +74,7 @@ optDict = {
 "getBanner": "boolean",
 "getCurrentUser": "boolean",
 "getCurrentDb": "boolean",
+ "isDba": "boolean",
 "getUsers": "boolean",
 "getPasswordHashes": "boolean",
 "getPrivileges": "boolean",
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
index 53268c1a0..857a8500c 100644
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -202,6 +202,10 @@ def cmdLineParser():
 action="store_true",
 help="Retrieve DBMS current database")
+ enumeration.add_option("--is-dba", dest="isDba",
+ action="store_true",
+ help="Detect if the DBMS current user is DBA")
+
 enumeration.add_option("--users", dest="getUsers",
 action="store_true",
 help="Enumerate DBMS users")
diff --git a/lib/parse/queriesfile.py b/lib/parse/queriesfile.py
index 92cc00d2d..96cbe1f1e 100644
--- a/lib/parse/queriesfile.py
+++ b/lib/parse/queriesfile.py
@@ -123,6 +123,10 @@ class queriesHandler(ContentHandler):
 data = sanitizeStr(attrs.get("query"))
 self.__queries.currentDb = data
+ elif name == "is_dba":
+ data = sanitizeStr(attrs.get("query"))
+ self.__queries.isDba = data
+
 elif name == "inband":
 self.__inband = sanitizeStr(attrs.get("query"))
 self.__inband2 = sanitizeStr(attrs.get("query2"))
diff --git a/plugins/generic/enumeration.py b/plugins/generic/enumeration.py
index 454a23eb7..7db4defde 100644
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@@ -116,6 +116,17 @@ class Enumeration:
 return self.currentDb
+ def isDba(self):
+ infoMsg = "testing if current user is DBA"
+ logger.info(infoMsg)
+
+ query = queries[kb.dbms].isDba
+
+ self.isDba = inject.getValue(query)
+
+ return str(self.isDba == "1")
+
+
 def getUsers(self):
 infoMsg = "fetching database users"
 logger.info(infoMsg)
diff --git a/sqlmap.conf b/sqlmap.conf
index e5dd71581..47d07cef3 100644
--- a/sqlmap.conf
+++ b/sqlmap.conf
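Review bot: In `isDba` (plugins/generic/enumeration.py), the assignment `self.isDba = inject.getValue(query)` rebinds the instance attribute that shares the method's name, so after the first call `conf.dbmsHandler.isDba` is a string and a second call on the same handler would raise `TypeError`. Keep the result in a local or a differently named attribute, e.g. `isDbaValue = inject.getValue(query)` followed by `return str(isDbaValue == "1")`. The method also reports "False" for any value other than "1", which presumably includes a failed or empty retrieval, so the output cannot distinguish "not DBA" from "could not determine"; a distinct result or a warning log for the no-value case would make the reported privilege level trustworthy. The `class Enumeration` body starts and ends outside the hunk, and whether every DBMS entry in xml/queries.xml defines `is_dba` cannot be confirmed from this page.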
@@ -170,6 +170,10 @@ getCurrentUser = False
 # Valid: True or False
 getCurrentDb = False
+# Detect if the DBMS current user is DBA.
+# Valid: True or False
+isDba = False
+
 # Enumerate back-end database management system users.
 # Valid: True or False
 getUsers = False
diff --git a/xml/queries.xml b/xml/queries.xml
index a1a6276d9..b38065946 100644
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -27,6 +27,7 @@ +
@@ -77,6 +78,7 @@ +
@@ -126,6 +128,7 @@ +
@@ -176,6 +179,7 @@ +