sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 01:26:42 +03:00
Code Issues Packages Projects Releases Wiki Activity

added --hostname switch to retrieve DBMS server hostname - closes issue #69

Browse Source
This commit is contained in:
Bernardo Damele 2012-07-12 00:01:57 +01:00
parent 4e64c1126d
commit 53c0336b48
7 changed files with 39 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/controller/action.py
View File

@ -64,6 +64,9 @@ def action():
if conf.getCurrentDb:
conf.dumper.currentDb(conf.dbmsHandler.getCurrentDb())
if conf.getHostname:
conf.dumper.hostname(conf.dbmsHandler.getHostname())
if conf.isDba:
conf.dumper.dba(conf.dbmsHandler.isDba())

5
lib/core/dump.py
View File

@ -74,7 +74,7 @@ class Dump:
def string(self, header, data, sort=True):
if isListLike(data):
self.lister(header, data, sort)
elif data is not None:
elif data is not None and len(data) > 0:
data = getUnicode(data)
if data[-1] == '\n':
@ -125,6 +125,9 @@ class Dump:
else:
self.string("current database", data)
def hostname(self,data):
self.string("hostname", data)
def dba(self,data):
self.string("current user is DBA", data)

1
lib/core/optiondict.py
View File

@ -96,6 +96,7 @@ optDict = {
"getBanner": ("boolean", "Banners"),
"getCurrentUser": ("boolean", "Users"),
"getCurrentDb": ("boolean", "Databases"),
"getHostname": "boolean",
"isDba": "boolean",
"getUsers": ("boolean", "Users"),
"getPasswordHashes": ("boolean", "Passwords"),

4
lib/parse/cmdline.py
View File

@ -304,6 +304,10 @@ def cmdLineParser():
action="store_true",
help="Retrieve DBMS current database")
enumeration.add_option("--hostname", dest="getHostname",
action="store_true",
help="Retrieve DBMS server hostname")
enumeration.add_option("--is-dba", dest="isDba",
action="store_true",
help="Detect if the DBMS current user is DBA")

12
plugins/generic/enumeration.py
View File

@ -83,6 +83,7 @@ class Enumeration:
kb.data.banner = None
kb.data.currentUser = ""
kb.data.currentDb = ""
kb.data.hostname = ""
kb.data.cachedUsers = []
kb.data.cachedUsersPasswords = {}
kb.data.cachedUsersPrivileges = {}
@ -150,6 +151,17 @@ class Enumeration:
return kb.data.currentDb
def getHostname(self):
infoMsg = "fetching server hostname"
logger.info(infoMsg)
query = queries[Backend.getIdentifiedDbms()].hostname.query
if not kb.data.hostname:
kb.data.hostname = unArrayizeValue(inject.getValue(query, safeCharEncode=False))
return kb.data.hostname
def isDba(self, user=None):
infoMsg = "testing if current user is DBA"
logger.info(infoMsg)

4
sqlmap.conf
View File

@ -327,6 +327,10 @@ getCurrentUser = False
# Valid: True or False
getCurrentDb = False
# Retrieve back-end database management system server hostname.
# Valid: True or False
getHostname = False
# Detect if the DBMS current user is DBA.
# Valid: True or False
isDba = False

12
xml/queries.xml
View File

@ -29,6 +29,7 @@
<banner query="VERSION()"/>
<current_user query="CURRENT_USER()"/>
<current_db query="DATABASE()"/>
<hostname query="@@HOSTNAME"/>
<is_dba query="(SELECT super_priv FROM mysql.user WHERE user='%s' LIMIT 0,1)='Y'"/>
<check_udf query="(SELECT name FROM mysql.func WHERE name='%s' LIMIT 0,1)='%s'"/>
<users>
@ -102,6 +103,7 @@
<banner query="VERSION()"/>
<current_user query="CURRENT_USER"/>
<current_db query="CURRENT_DATABASE()"/>
<hostname/>
<is_dba query="(SELECT usesuper=true FROM pg_user WHERE usename=CURRENT_USER OFFSET 0 LIMIT 1)"/>
<check_udf query="(SELECT proname='%s' FROM pg_proc WHERE proname='%s' OFFSET 0 LIMIT 1)"/>
<users>
@ -169,6 +171,7 @@
<banner query="SELECT @@VERSION"/>
<current_user query="SELECT SYSTEM_USER"/>
<current_db query="SELECT DB_NAME()"/>
<hostname query="@@SERVERNAME"/>
<is_dba query="IS_SRVROLEMEMBER('sysadmin')=1" query2="IS_SRVROLEMEMBER('sysadmin','%s')=1"/>
<users>
<inband query="SELECT name FROM master..syslogins" query2="SELECT name FROM sys.sql_logins"/>
@ -242,6 +245,7 @@
NOTE: in Oracle to check if the session user is DBA you can use:
SELECT USERENV('ISDBA') FROM DUAL
-->
<hostname query="SELECT UTL_INADDR.get_host_name FROM DUAL"/>
<is_dba query="(SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE=USER AND GRANTED_ROLE='DBA')='DBA'"/>
<users>
<inband query="SELECT USERNAME FROM SYS.ALL_USERS"/>
@ -321,6 +325,7 @@
<banner query="SELECT SQLITE_VERSION()"/>
<current_user/>
<current_db/>
<hostname/>
<is_dba/>
<check_udf/>
<users/>
@ -366,6 +371,7 @@
<!--CURRENTUSER() is not available outside the MS Access query tool itself-->
<current_user/>
<current_db/>
<hostname/>
<inference query="ASCW(MID((%s),%d,1)) > %d"/>
<is_dba/>
<dbs/>
@ -407,6 +413,7 @@
<banner query="SELECT RDB$GET_CONTEXT('SYSTEM','ENGINE_VERSION') FROM RDB$DATABASE" dbms_version="&gt;=2.1"/>
<current_user query="SELECT CURRENT_USER FROM RDB$DATABASE"/>
<current_db query="SELECT RDB$GET_CONTEXT('SYSTEM','DB_NAME') FROM RDB$DATABASE"/>
<hostname/>
<users>
<inband query="SELECT DISTINCT RDB$USER FROM RDB$USER_PRIVILEGES"/>
<blind query="SELECT FIRST 1 SKIP %d DISTINCT(RDB$USER) FROM RDB$USER_PRIVILEGES" count="SELECT COUNT(DISTINCT(RDB$USER)) FROM RDB$USER_PRIVILEGES"/>
@ -455,6 +462,7 @@
<cast query="REPLACE(CHR(%s),' ','_')"/>
<current_user query="SELECT USER() FROM DUAL"/>
<current_db query="SELECT DATABASE() FROM DUAL"/>
<hostname/>
<order query="ORDER BY %s ASC"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
<hex query="HEX(%s)"/>
@ -509,6 +517,7 @@
<banner query="SELECT @@VERSION"/>
<current_user query="SELECT SUSER_NAME()"/>
<current_db query="SELECT DB_NAME()"/>
<hostname/>
<is_dba query="PATINDEX('%sa_role%',SHOW_ROLE())>0" query2="EXISTS(SELECT * FROM master..syslogins,master..sysloginroles WHERE srid=0 and name='%s')"/>
<users>
<inband query="SELECT name FROM master..syslogins"/>
@ -575,10 +584,11 @@
<hex query="HEX(%s)"/>
<inference query="SUBSTR((%s),%d,1) > '%c'"/>
<!-- NOTE: We have to use the complicated UDB OLAP functions in query2 because sqlmap injects isnull query inside MAX function, else we would use: SELECT MAX(versionnumber) FROM sysibm.sysversions -->
<banner query="SELECT service_level FROM TABLE (sysproc.env_get_inst_info())" query2="SELECT versionnumber FROM (SELECT ROW_NUMBER() OVER (ORDER BY versionnumber DESC) AS LIMIT, versionnumber FROM sysibm.sysversions) AS foobar WHERE LIMIT=1"/>
<banner query="SELECT service_level FROM TABLE(sysproc.env_get_inst_info())" query2="SELECT versionnumber FROM (SELECT ROW_NUMBER() OVER (ORDER BY versionnumber DESC) AS LIMIT, versionnumber FROM sysibm.sysversions) AS foobar WHERE LIMIT=1"/>
<current_user query="SELECT user FROM SYSIBM.SYSDUMMY1"/>
<!-- NOTE: On DB2 we use the current user as default schema (database) -->
<current_db query="SELECT user FROM SYSIBM.SYSDUMMY1"/>
<hostname query="SELECT host_name FROM TABLE(sysproc.env_get_sys_info())"/>
<is_dba query="(SELECT dbadmauth FROM syscat.dbauth WHERE grantee=current user)='Y'"/>
<users>
<inband query="SELECT grantee FROM sysibm.sysdbauth WHERE grantee!='SYSTEM' AND grantee!='PUBLIC'"/>