Added option --search to work in conjunction with -D (done), -T (soon) or -C (replaces --dump -C) - See #190:

* --search -D foobar: searches all database names like the ones provided * --search -T foobar: searches all databases' table names like the ones provided (soon) * --search -C foobar: replaces --dump -C
2024-11-22 17:46:37 +03:00 · 2010-05-07 13:40:57 +00:00 · 2010-05-07 13:40:57 +00:00 · 65a05452f7
commit 65a05452f7
parent 7b6050f3c1
13 changed files with 516 additions and 338 deletions
--- a/lib/controller/action.py
+++ b/lib/controller/action.py
@ -120,6 +120,9 @@ def action():
    if conf.dumpAll:
        conf.dbmsHandler.dumpAll()
    if conf.search:
        conf.dbmsHandler.search()
    if conf.query:
        dumper.string(conf.query, conf.dbmsHandler.sqlQuery(conf.query))
--- a/lib/core/common.py
+++ b/lib/core/common.py
@ -1006,7 +1006,7 @@ def normalizePath(path):
    return retVal
 def safeStringFormat(formatStr, params):
-    retVal = formatStr.replace('%d', '%s')
+    retVal = formatStr.replace("%d", "%s")
    if isinstance(params, str):
        retVal = retVal.replace("%s", params)
@ -1015,7 +1015,7 @@ def safeStringFormat(formatStr, params):
        index = 0
        while index != -1:
-            index = retVal.find('%s')
+            index = retVal.find("%s")
            if index != -1:
                if count < len(params):
--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@ -96,6 +96,7 @@ optDict = {
                               "getColumns":        "boolean",
                               "dumpTable":         "boolean",
                               "dumpAll":           "boolean",
                               "search":            "boolean",
                               "user":              "string",
                               "db":                "string",
                               "tbl":               "string",
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@ -275,6 +275,9 @@ def cmdLineParser():
        enumeration.add_option("--dump-all", dest="dumpAll", action="store_true",
                               help="Dump all DBMS databases tables entries")
        enumeration.add_option("--search", dest="search", action="store_true",
                               help="Search column(s), table(s) and/or database name(s)")
        enumeration.add_option("-D", dest="db",
                               help="DBMS database to enumerate")
--- a/lib/parse/queriesfile.py
+++ b/lib/parse/queriesfile.py
@ -207,13 +207,6 @@ class queriesHandler(ContentHandler):
            self.__queries.columns = self.__columns
        elif name == "dump_column":
            self.__dumpColumn = {}
            self.__dumpColumn["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
            self.__dumpColumn["blind"]  = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 }
            self.__queries.dumpColumn = self.__dumpColumn
        elif name == "dump_table":
            self.__dumpTable = {}
            self.__dumpTable["inband"] = { "query": self.__inband }
@ -221,6 +214,27 @@ class queriesHandler(ContentHandler):
            self.__queries.dumpTable = self.__dumpTable
        elif name == "search_db":
            self.__searchDb = {}
            self.__searchDb["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
            self.__searchDb["blind"]  = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 }
            self.__queries.searchDb = self.__searchDb
        elif name == "search_table":
            self.__searchTable = {}
            self.__searchTable["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
            self.__searchTable["blind"]  = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 }
            self.__queries.searchTable = self.__searchTable
        elif name == "search_column":
            self.__searchColumn = {}
            self.__searchColumn["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
            self.__searchColumn["blind"]  = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 }
            self.__queries.searchColumn = self.__searchColumn
 def queriesParser():
    """
    This function calls a class to parse the default DBMS queries
--- a/plugins/dbms/access/enumeration.py
+++ b/plugins/dbms/access/enumeration.py
@ -47,3 +47,9 @@ class Enumeration(GenericEnumeration):
        logger.warn(warnMsg)
        return {}
    def searchDb(self):
        warnMsg = "on Microsoft Access it is not possible to search databases"
        logger.warn(warnMsg)
        return []
--- a/plugins/dbms/firebird/enumeration.py
+++ b/plugins/dbms/firebird/enumeration.py
@ -41,3 +41,9 @@ class Enumeration(GenericEnumeration):
        logger.warn(warnMsg)
        return {}
    def searchDb(self):
        warnMsg = "on Firebird it is not possible to search databases"
        logger.warn(warnMsg)
        return []
--- a/plugins/dbms/oracle/enumeration.py
+++ b/plugins/dbms/oracle/enumeration.py
@ -180,3 +180,9 @@ class Enumeration(GenericEnumeration):
        logger.warn(warnMsg)
        return []
    def searchDb(self):
        warnMsg = "on Oracle it is not possible to search databases"
        logger.warn(warnMsg)
        return []
--- a/plugins/dbms/sqlite/enumeration.py
+++ b/plugins/dbms/sqlite/enumeration.py
@ -78,10 +78,16 @@ class Enumeration(GenericEnumeration):
        logger.warn(errMsg)
    def dumpColumn(self):
        errMsg = "on SQLite you must specify the table and columns to dump"
        raise sqlmapUnsupportedFeatureException, errMsg
    def dumpAll(self):
        errMsg = "on SQLite you must specify the table and columns to dump"
        raise sqlmapUnsupportedFeatureException, errMsg
    def searchDb(self):
        warnMsg = "on SQLite it is not possible to search databases"
        logger.warn(warnMsg)
        return []
    def searchColumn(self):
        errMsg = "on SQLite you must specify the table and columns to dump"
        raise sqlmapUnsupportedFeatureException, errMsg
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@ -28,6 +28,7 @@ from lib.core.agent import agent
 from lib.core.common import getRange
 from lib.core.common import parsePasswordHash
 from lib.core.common import readInput
 from lib.core.common import safeStringFormat
 from lib.core.convert import urlencode
 from lib.core.data import conf
 from lib.core.data import kb
@ -971,313 +972,18 @@ class Enumeration:
        return kb.data.cachedColumns
    def dumpColumn(self):
        if kb.dbms == "MySQL" and not kb.data.has_information_schema:
            errMsg  = "information_schema not available, "
            errMsg += "back-end DBMS is MySQL < 5.0"
            raise sqlmapUnsupportedFeatureException, errMsg
        if not conf.col:
            errMsg = "missing column parameter"
            raise sqlmapMissingMandatoryOptionException, errMsg
        rootQuery = queries[kb.dbms].dumpColumn
        foundCols = {}
        dbs = {}
        colList = conf.col.split(",")
        colCond = rootQuery["inband"]["condition"]
        dbCond = rootQuery["inband"]["condition2"]
        message = "do you want sqlmap to consider provided column(s):\n"
        message += "[1] as LIKE column names (default)\n"
        message += "[2] as exact column names"
        colConsider = readInput(message, default="1")
        if not colConsider or colConsider.isdigit() and colConsider == "1":
            colConsider = "1"
            colCondParam = " LIKE '%%%s%%'"
        elif colConsider.isdigit() and colConsider == "2":
            colCondParam = "='%s'"
        else:
            errMsg = "invalid value"
            raise sqlmapNoneDataException, errMsg
        for column in colList:
            if kb.dbms == "Oracle":
                column = column.upper()
                conf.db = "USERS"
            elif kb.dbms == "Microsoft SQL Server":
                if not conf.db:
                    if not len(kb.data.cachedDbs):
                        enumDbs = self.getDbs()
                    else:
                        enumDbs = kb.data.cachedDbs
                    conf.db = ",".join(db for db in enumDbs)
            foundCols[column] = {}
            if conf.db:
                for db in conf.db.split(","):
                    dbs[db] = {}
                    foundCols[column][db] = []
                continue
            infoMsg = "fetching databases with tables containing column"
            if colConsider == "1":
                infoMsg += "s like"
            infoMsg += " '%s'" % column
            logger.info(infoMsg)
            if conf.excludeSysDbs and kb.dbms != "Oracle":
                dbsQuery = "".join(" AND '%s' != %s" % (db, dbCond) for db in self.excludeDbsList)
                infoMsg = "skipping system databases '%s'" % ", ".join(db for db in self.excludeDbsList)
                logger.info(infoMsg)
            else:
                dbsQuery = ""
            colQuery = "%s%s" % (colCond, colCondParam)
            colQuery = colQuery % column
            if kb.unionPosition or conf.direct:
                query = rootQuery["inband"]["query"]
                query += colQuery
                query += dbsQuery
                values = inject.getValue(query, blind=False)
                if values:
                    if isinstance(values, str):
                        values = [ values ]
                    for value in values:
                        dbs[value] = {}
                        foundCols[column][value] = []
            else:
                infoMsg = "fetching number of databases with tables containing column"
                if colConsider == "1":
                    infoMsg += "s like"
                infoMsg += " '%s'" % column
                logger.info(infoMsg)
                query = rootQuery["blind"]["count"]
                query += colQuery
                query += dbsQuery
                count = inject.getValue(query, inband=False, expected="int", charsetType=2)
                if not count.isdigit() or not len(count) or count == "0":
                    warnMsg  = "no databases have tables containing column"
                    if colConsider == "1":
                        warnMsg += "s like"
                    warnMsg += " '%s'" % column
                    logger.warn(warnMsg)
                    continue
                indexRange = getRange(count)
                for index in indexRange:
                    query = rootQuery["blind"]["query"]
                    query += colQuery
                    query += dbsQuery
                    query = agent.limitQuery(index, query)
                    db = inject.getValue(query, inband=False)
                    dbs[db] = {}
                    foundCols[column][db] = []
        for column, dbData in foundCols.items():
            colQuery = "%s%s" % (colCond, colCondParam)
            colQuery = colQuery % column
            for db in dbData:
                infoMsg = "fetching tables containing column"
                if colConsider == "1":
                    infoMsg += "s like"
                infoMsg += " '%s' in database '%s'" % (column, db)
                logger.info(infoMsg)
                if kb.unionPosition or conf.direct:
                    query = rootQuery["inband"]["query2"]
                    if kb.dbms in ( "MySQL", "PostgreSQL" ):
                        query = query % db
                        query += " AND %s" % colQuery
                    elif kb.dbms == "Oracle":
                        query += " WHERE %s" % colQuery
                    elif kb.dbms == "Microsoft SQL Server":
                        query = query % (db, db, db, db, db)
                        query += " AND %s" % colQuery.replace("[DB]", db)
                    values = inject.getValue(query, blind=False)
                    if values:
                        if isinstance(values, str):
                            values = [ values ]
                        for value in values:
                            if value not in dbs[db]:
                                dbs[db][value] = {}
                            dbs[db][value][column] = None
                            foundCols[column][db].append(value)
                else:
                    infoMsg = "fetching number of tables containing column"
                    if colConsider == "1":
                        infoMsg += "s like"
                    infoMsg += " '%s' in database '%s'" % (column, db)
                    logger.info(infoMsg)
                    query = rootQuery["blind"]["count2"]
                    if kb.dbms in ( "MySQL", "PostgreSQL" ):
                        query = query % db
                        query += " AND %s" % colQuery
                    elif kb.dbms == "Oracle":
                        query += " WHERE %s" % colQuery
                    elif kb.dbms == "Microsoft SQL Server":
                        query = query % (db, db, db, db, db)
                        query += " AND %s" % colQuery.replace("[DB]", db)
                    count = inject.getValue(query, inband=False, expected="int", charsetType=2)
                    if not count.isdigit() or not len(count) or count == "0":
                        warnMsg = "no tables contain column"
                        if colConsider == "1":
                            warnMsg += "s like"
                        warnMsg += " '%s' " % column
                        warnMsg += "in database '%s'" % db
                        logger.warn(warnMsg)
                        continue
                    indexRange = getRange(count)
                    for index in indexRange:
                        query = rootQuery["blind"]["query2"]
                        if kb.dbms in ( "MySQL", "PostgreSQL" ):
                            query = query % db
                            query += " AND %s" % colQuery
                            field = None
                        elif kb.dbms == "Oracle":
                            query += " WHERE %s" % colQuery
                            field = None
                        elif kb.dbms == "Microsoft SQL Server":
                            query = query % (db, db, db, db, db)
                            query += " AND %s" % colQuery.replace("[DB]", db)
                            field = colCond.replace("[DB]", db)
                        query = agent.limitQuery(index, query, field)
                        tbl = inject.getValue(query, inband=False)
                        if tbl not in dbs[db]:
                            dbs[db][tbl] = {}
                        dbs[db][tbl][column] = None
                        foundCols[column][db].append(tbl)
        if colConsider == "1":
            okDbs = {}
            for db, tableData in dbs.items():
                conf.db = db
                okDbs[db] = {}
                for tbl, columns in tableData.items():
                    conf.tbl = tbl
                    for column in columns:
                        conf.col = column
                        self.getColumns(onlyColNames=True)
                        if tbl in okDbs[db]:
                            okDbs[db][tbl].update(kb.data.cachedColumns[db][tbl])
                        else:
                            okDbs[db][tbl] = kb.data.cachedColumns[db][tbl]
                        kb.data.cachedColumns = {}
            dbs = okDbs
        if not dbs:
            warnMsg = "no databases have tables containing any of the "
            warnMsg += "provided columns"
            logger.warn(warnMsg)
            return
        dumper.dbColumns(foundCols, colConsider, dbs)
        message = "do you want to dump entries? [Y/n] "
        output = readInput(message, default="Y")
        if output and output[0] not in ("y", "Y"):
            return
        dumpFromDbs = []
        message = "which database(s)?\n[a]ll (default)\n"
        for db, tblData in dbs.items():
            if tblData:
                message += "[%s]\n" % db
        message += "[q]uit"
        test = readInput(message, default="a")
        if not test or test in ("a", "A"):
            dumpFromDbs = dbs.keys()
        elif test in ("q", "Q"):
            return
        else:
            dumpFromDbs = test.replace(" ", "").split(",")
        for db, tblData in dbs.items():
            if db not in dumpFromDbs or not tblData:
                continue
            conf.db = db
            dumpFromTbls = []
            message = "which table(s) of database '%s'?\n" % db
            message += "[a]ll (default)\n"
            for tbl in tblData:
                message += "[%s]\n" % tbl
            message += "[s]kip\n"
            message += "[q]uit"
            test = readInput(message, default="a")
            if not test or test in ("a", "A"):
                dumpFromTbls = tblData
            elif test in ("s", "S"):
                continue
            elif test in ("q", "Q"):
                return
            else:
                dumpFromTbls = test.replace(" ", "").split(",")
            for table, columns in tblData.items():
                if table not in dumpFromTbls:
                    continue
                conf.tbl = table
                conf.col = ",".join(column for column in columns)
                kb.data.cachedColumns = {}
                kb.data.dumpedTable = {}
                data = self.dumpTable()
                if data:
                    dumper.dbTableValues(data)
    def dumpTable(self):
        if not conf.tbl and not conf.col:
-            errMsg = "missing both table and column parameters, please "
+            errMsg = "missing table parameter"
            errMsg += "provide at least one of them"
            raise sqlmapMissingMandatoryOptionException, errMsg
        if conf.col and not conf.tbl:
-            self.dumpColumn()
+            warnMsg = "missing table parameter. You only provided "
            warnMsg += "column(s). sqlmap will search for all databases' "
            warnMsg += "tables containing the provided column(s)"
            logger.warn(warnMsg)
            self.searchColumn()
            return
        if "." in conf.tbl:
@ -1479,6 +1185,391 @@ class Enumeration:
                if data:
                    dumper.dbTableValues(data)
    def searchDb(self):
        foundDbs = []
        rootQuery = queries[kb.dbms].searchDb
        dbList = conf.db.split(",")
        if kb.dbms == "MySQL" and not kb.data.has_information_schema:
            dbCond = rootQuery["inband"]["condition2"]
        else:
            dbCond = rootQuery["inband"]["condition"]
        dbConsider, dbCondParam = self.likeOrExact("database")
        for db in dbList:
            infoMsg = "searching database"
            if dbConsider == "1":
                infoMsg += "s like"
            infoMsg += " '%s'" % db
            logger.info(infoMsg)
            if conf.excludeSysDbs:
                exclDbsQuery = "".join(" AND '%s' != %s" % (db, dbCond) for db in self.excludeDbsList)
                infoMsg = "skipping system databases '%s'" % ", ".join(db for db in self.excludeDbsList)
                logger.info(infoMsg)
            else:
                exclDbsQuery = ""
            dbQuery = "%s%s" % (dbCond, dbCondParam)
            dbQuery = dbQuery % db
            if kb.unionPosition or conf.direct:
                if kb.dbms == "MySQL" and not kb.data.has_information_schema:
                    query = rootQuery["inband"]["query2"]
                else:
                    query = rootQuery["inband"]["query"]
                query += dbQuery
                query += exclDbsQuery
                values = inject.getValue(query, blind=False)
                if values:
                    if isinstance(values, str):
                        values = [ values ]
                    for value in values:
                        foundDbs.append(value)
            else:
                infoMsg = "fetching number of databases"
                if dbConsider == "1":
                    infoMsg += "s like"
                infoMsg += " '%s'" % db
                logger.info(infoMsg)
                if kb.dbms == "MySQL" and not kb.data.has_information_schema:
                    query = rootQuery["blind"]["count2"]
                else:
                    query = rootQuery["blind"]["count"]
                query += dbQuery
                query += exclDbsQuery
                count = inject.getValue(query, inband=False, expected="int", charsetType=2)
                if not count.isdigit() or not len(count) or count == "0":
                    warnMsg  = "no database"
                    if dbConsider == "1":
                        warnMsg += "s like"
                    warnMsg += " '%s' found" % db
                    logger.warn(warnMsg)
                    continue
                indexRange = getRange(count)
                for index in indexRange:
                    if kb.dbms == "MySQL" and not kb.data.has_information_schema:
                        query = rootQuery["blind"]["query2"]
                    else:
                        query = rootQuery["blind"]["query"]
                    query += dbQuery
                    query += exclDbsQuery
                    query = agent.limitQuery(index, query, dbCond)
                    foundDbs.append(inject.getValue(query, inband=False))
        return foundDbs
    def searchTable(self):
        errMsg = "search for table names is not supported yet"
        raise sqlmapUnsupportedFeatureException, errMsg
    def searchColumn(self):
        if kb.dbms == "MySQL" and not kb.data.has_information_schema:
            errMsg  = "information_schema not available, "
            errMsg += "back-end DBMS is MySQL < 5.0"
            raise sqlmapUnsupportedFeatureException, errMsg
        rootQuery = queries[kb.dbms].searchColumn
        foundCols = {}
        dbs = {}
        colList = conf.col.split(",")
        colCond = rootQuery["inband"]["condition"]
        dbCond = rootQuery["inband"]["condition2"]
        colConsider, colCondParam = self.likeOrExact("column")
        for column in colList:
            if kb.dbms == "Oracle":
                column = column.upper()
                conf.db = "USERS"
            elif kb.dbms == "Microsoft SQL Server":
                if not conf.db:
                    if not len(kb.data.cachedDbs):
                        enumDbs = self.getDbs()
                    else:
                        enumDbs = kb.data.cachedDbs
                    conf.db = ",".join(db for db in enumDbs)
            foundCols[column] = {}
            if conf.db:
                for db in conf.db.split(","):
                    dbs[db] = {}
                    foundCols[column][db] = []
                continue
            infoMsg = "fetching databases with tables containing column"
            if colConsider == "1":
                infoMsg += "s like"
            infoMsg += " '%s'" % column
            logger.info(infoMsg)
            if conf.excludeSysDbs and kb.dbms != "Oracle":
                exclDbsQuery = "".join(" AND '%s' != %s" % (db, dbCond) for db in self.excludeDbsList)
                infoMsg = "skipping system databases '%s'" % ", ".join(db for db in self.excludeDbsList)
                logger.info(infoMsg)
            else:
                exclDbsQuery = ""
            colQuery = "%s%s" % (colCond, colCondParam)
            colQuery = colQuery % column
            if kb.unionPosition or conf.direct:
                query = rootQuery["inband"]["query"]
                query += colQuery
                query += exclDbsQuery
                values = inject.getValue(query, blind=False)
                if values:
                    if isinstance(values, str):
                        values = [ values ]
                    for value in values:
                        dbs[value] = {}
                        foundCols[column][value] = []
            else:
                infoMsg = "fetching number of databases with tables containing column"
                if colConsider == "1":
                    infoMsg += "s like"
                infoMsg += " '%s'" % column
                logger.info(infoMsg)
                query = rootQuery["blind"]["count"]
                query += colQuery
                query += exclDbsQuery
                count = inject.getValue(query, inband=False, expected="int", charsetType=2)
                if not count.isdigit() or not len(count) or count == "0":
                    warnMsg  = "no databases have tables containing column"
                    if colConsider == "1":
                        warnMsg += "s like"
                    warnMsg += " '%s'" % column
                    logger.warn(warnMsg)
                    continue
                indexRange = getRange(count)
                for index in indexRange:
                    query = rootQuery["blind"]["query"]
                    query += colQuery
                    query += exclDbsQuery
                    query = agent.limitQuery(index, query)
                    db = inject.getValue(query, inband=False)
                    dbs[db] = {}
                    foundCols[column][db] = []
        for column, dbData in foundCols.items():
            colQuery = "%s%s" % (colCond, colCondParam)
            colQuery = colQuery % column
            for db in dbData:
                infoMsg = "fetching tables containing column"
                if colConsider == "1":
                    infoMsg += "s like"
                infoMsg += " '%s' in database '%s'" % (column, db)
                logger.info(infoMsg)
                if kb.unionPosition or conf.direct:
                    query = rootQuery["inband"]["query2"]
                    if kb.dbms in ( "MySQL", "PostgreSQL" ):
                        query = query % db
                        query += " AND %s" % colQuery
                    elif kb.dbms == "Oracle":
                        query += " WHERE %s" % colQuery
                    elif kb.dbms == "Microsoft SQL Server":
                        query = query % (db, db, db, db, db)
                        query += " AND %s" % colQuery.replace("[DB]", db)
                    values = inject.getValue(query, blind=False)
                    if values:
                        if isinstance(values, str):
                            values = [ values ]
                        for value in values:
                            if value not in dbs[db]:
                                dbs[db][value] = {}
                            dbs[db][value][column] = None
                            foundCols[column][db].append(value)
                else:
                    infoMsg = "fetching number of tables containing column"
                    if colConsider == "1":
                        infoMsg += "s like"
                    infoMsg += " '%s' in database '%s'" % (column, db)
                    logger.info(infoMsg)
                    query = rootQuery["blind"]["count2"]
                    if kb.dbms in ( "MySQL", "PostgreSQL" ):
                        query = query % db
                        query += " AND %s" % colQuery
                    elif kb.dbms == "Oracle":
                        query += " WHERE %s" % colQuery
                    elif kb.dbms == "Microsoft SQL Server":
                        query = query % (db, db, db, db, db)
                        query += " AND %s" % colQuery.replace("[DB]", db)
                    count = inject.getValue(query, inband=False, expected="int", charsetType=2)
                    if not count.isdigit() or not len(count) or count == "0":
                        warnMsg = "no tables contain column"
                        if colConsider == "1":
                            warnMsg += "s like"
                        warnMsg += " '%s' " % column
                        warnMsg += "in database '%s'" % db
                        logger.warn(warnMsg)
                        continue
                    indexRange = getRange(count)
                    for index in indexRange:
                        query = rootQuery["blind"]["query2"]
                        if kb.dbms in ( "MySQL", "PostgreSQL" ):
                            query = query % db
                            query += " AND %s" % colQuery
                            field = None
                        elif kb.dbms == "Oracle":
                            query += " WHERE %s" % colQuery
                            field = None
                        elif kb.dbms == "Microsoft SQL Server":
                            query = query % (db, db, db, db, db)
                            query += " AND %s" % colQuery.replace("[DB]", db)
                            field = colCond.replace("[DB]", db)
                        query = agent.limitQuery(index, query, field)
                        tbl = inject.getValue(query, inband=False)
                        if tbl not in dbs[db]:
                            dbs[db][tbl] = {}
                        dbs[db][tbl][column] = None
                        foundCols[column][db].append(tbl)
        if colConsider == "1":
            okDbs = {}
            for db, tableData in dbs.items():
                conf.db = db
                okDbs[db] = {}
                for tbl, columns in tableData.items():
                    conf.tbl = tbl
                    for column in columns:
                        conf.col = column
                        self.getColumns(onlyColNames=True)
                        if tbl in okDbs[db]:
                            okDbs[db][tbl].update(kb.data.cachedColumns[db][tbl])
                        else:
                            okDbs[db][tbl] = kb.data.cachedColumns[db][tbl]
                        kb.data.cachedColumns = {}
            dbs = okDbs
        if not dbs:
            warnMsg = "no databases have tables containing any of the "
            warnMsg += "provided columns"
            logger.warn(warnMsg)
            return
        dumper.dbColumns(foundCols, colConsider, dbs)
        message = "do you want to dump entries? [Y/n] "
        output = readInput(message, default="Y")
        if output and output[0] not in ("y", "Y"):
            return
        dumpFromDbs = []
        message = "which database(s)?\n[a]ll (default)\n"
        for db, tblData in dbs.items():
            if tblData:
                message += "[%s]\n" % db
        message += "[q]uit"
        test = readInput(message, default="a")
        if not test or test in ("a", "A"):
            dumpFromDbs = dbs.keys()
        elif test in ("q", "Q"):
            return
        else:
            dumpFromDbs = test.replace(" ", "").split(",")
        for db, tblData in dbs.items():
            if db not in dumpFromDbs or not tblData:
                continue
            conf.db = db
            dumpFromTbls = []
            message = "which table(s) of database '%s'?\n" % db
            message += "[a]ll (default)\n"
            for tbl in tblData:
                message += "[%s]\n" % tbl
            message += "[s]kip\n"
            message += "[q]uit"
            test = readInput(message, default="a")
            if not test or test in ("a", "A"):
                dumpFromTbls = tblData
            elif test in ("s", "S"):
                continue
            elif test in ("q", "Q"):
                return
            else:
                dumpFromTbls = test.replace(" ", "").split(",")
            for table, columns in tblData.items():
                if table not in dumpFromTbls:
                    continue
                conf.tbl = table
                conf.col = ",".join(column for column in columns)
                kb.data.cachedColumns = {}
                kb.data.dumpedTable = {}
                data = self.dumpTable()
                if data:
                    dumper.dbTableValues(data)
    def search(self):
        if conf.db:
            dumper.lister("found databases", self.searchDb())
        if conf.tbl:
            dumper.dbTables(self.searchTable())
        if conf.col:
            self.searchColumn()
        if not conf.db and not conf.tbl and not conf.col:
            errMsg = "missing parameter, provide -D, -T or -C together "
            errMsg += "with --search"
            raise sqlmapMissingMandatoryOptionException, errMsg
    def sqlQuery(self, query):
        output  = None
        sqlType = None
--- a/plugins/generic/misc.py
+++ b/plugins/generic/misc.py
@ -184,3 +184,21 @@ class Miscellaneous:
            warnMsg += "saved on the file system can only be deleted "
            warnMsg += "manually"
            logger.warn(warnMsg)
    def likeOrExact(self, what):
        message = "do you want sqlmap to consider provided %s(s):\n" % what
        message += "[1] as LIKE column names (default)\n"
        message += "[2] as exact column names"
        choice = readInput(message, default="1")
        if not choice or choice == "1":
            choice = "1"
            condParam = " LIKE '%%%s%%'"
        elif choice.isdigit() and choice == "2":
            condParam = "='%s'"
        else:
            errMsg = "invalid value"
            raise sqlmapNoneDataException, errMsg
        return choice, condParam
--- a/sqlmap.conf
+++ b/sqlmap.conf
@ -290,6 +290,11 @@ dumpTable = False
 # Valid: True or False
 dumpAll = False
 # Search column(s), table(s) and/or database name(s).
 # Requires: db, tbl or col
 # Valid: True or False
 search = False
 # Back-end database management system database to enumerate.
 db = 
--- a/xml/queries.xml
+++ b/xml/queries.xml
@ -55,14 +55,19 @@
            <inband query="SELECT column_name, column_type FROM information_schema.COLUMNS WHERE table_name='%s' AND table_schema='%s'" condition="column_name"/>
            <blind query="SELECT column_name FROM information_schema.COLUMNS WHERE table_name='%s' AND table_schema='%s'" query2="SELECT column_type FROM information_schema.COLUMNS WHERE table_name='%s' AND column_name='%s' AND table_schema='%s'" count="SELECT COUNT(column_name) FROM information_schema.COLUMNS WHERE table_name='%s' AND table_schema='%s'" condition="column_name"/>
        </columns>
        <dump_column>
            <inband query="SELECT table_schema FROM information_schema.COLUMNS WHERE " query2="SELECT table_name FROM information_schema.COLUMNS WHERE table_schema='%s'" condition="column_name" condition2="table_schema"/>
            <blind query="SELECT DISTINCT(table_schema) FROM information_schema.COLUMNS WHERE " query2="SELECT DISTINCT(table_name) FROM information_schema.COLUMNS WHERE table_schema='%s'" count="SELECT COUNT(DISTINCT(table_schema)) FROM information_schema.COLUMNS WHERE " count2="SELECT COUNT(DISTINCT(table_name)) FROM information_schema.COLUMNS WHERE table_schema='%s'" condition="column_name" condition2="table_schema"/>
        </dump_column>
        <dump_table>
            <inband query="SELECT %s FROM %s.%s"/>
            <blind query="SELECT %s FROM %s.%s LIMIT %d, 1" count="SELECT COUNT(*) FROM %s.%s"/>
        </dump_table>
        <search_db>
            <inband query="SELECT schema_name FROM information_schema.SCHEMATA WHERE " query2="SELECT db FROM mysql.db WHERE " condition="schema_name" condition2="db"/>
            <blind query="SELECT DISTINCT(schema_name) FROM information_schema.SCHEMATA WHERE " query2="SELECT DISTINCT(db) FROM mysql.db WHERE " count="SELECT COUNT(DISTINCT(schema_name)) FROM information_schema.SCHEMATA WHERE " count2="SELECT COUNT(DISTINCT(db)) FROM mysql.db WHERE " condition="schema_name" condition2="db"/>
        </search_db>
        <search_table/>
        <search_column>
            <inband query="SELECT table_schema FROM information_schema.COLUMNS WHERE " query2="SELECT table_name FROM information_schema.COLUMNS WHERE table_schema='%s'" condition="column_name" condition2="table_schema"/>
            <blind query="SELECT DISTINCT(table_schema) FROM information_schema.COLUMNS WHERE " query2="SELECT DISTINCT(table_name) FROM information_schema.COLUMNS WHERE table_schema='%s'" count="SELECT COUNT(DISTINCT(table_schema)) FROM information_schema.COLUMNS WHERE " count2="SELECT COUNT(DISTINCT(table_name)) FROM information_schema.COLUMNS WHERE table_schema='%s'" condition="column_name" condition2="table_schema"/>
        </search_column>
    </dbms>
    <!-- Oracle -->
@ -126,14 +131,16 @@
            <inband query="SELECT COLUMN_NAME, DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
            <blind query="SELECT COLUMN_NAME FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" query2="SELECT DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND COLUMN_NAME='%s'" count="SELECT COUNT(COLUMN_NAME) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
        </columns>
        <dump_column>
            <inband query="" query2="SELECT TABLE_NAME FROM SYS.ALL_TAB_COLUMNS" condition="COLUMN_NAME" condition2="TABLESPACE_NAME"/>
            <blind query="" query2="SELECT DISTINCT(TABLE_NAME) FROM SYS.ALL_TAB_COLUMNS" count="" count2="SELECT COUNT(DISTINCT(TABLE_NAME)) FROM SYS.ALL_TAB_COLUMNS" condition="COLUMN_NAME" condition2="TABLESPACE_NAME"/>
        </dump_column>
        <dump_table>
            <inband query="SELECT %s FROM %s"/>
            <blind query="SELECT %s FROM (SELECT %s, ROWNUM AS LIMIT FROM %s) WHERE LIMIT=%d" count="SELECT COUNT(*) FROM %s"/>
        </dump_table>
        <search_db/>
        <search_table/>
        <search_column>
            <inband query="" query2="SELECT TABLE_NAME FROM SYS.ALL_TAB_COLUMNS" condition="COLUMN_NAME" condition2="TABLESPACE_NAME"/>
            <blind query="" query2="SELECT DISTINCT(TABLE_NAME) FROM SYS.ALL_TAB_COLUMNS" count="" count2="SELECT COUNT(DISTINCT(TABLE_NAME)) FROM SYS.ALL_TAB_COLUMNS" condition="COLUMN_NAME" condition2="TABLESPACE_NAME"/>
        </search_column>
    </dbms>
    <!-- PostgreSQL -->
@ -190,14 +197,19 @@
            <inband query="SELECT attname, typname FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND a.relname='%s' AND nspname='%s'" condition="attname"/>
            <blind query="SELECT attname FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND a.relname='%s' AND nspname='%s'" query2="SELECT typname FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relname='%s' AND a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND attname='%s' AND nspname='%s'" count="SELECT COUNT(attname) FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND a.relname='%s' AND nspname='%s'" condition="attname"/>
        </columns>
        <dump_column>
            <inband query="SELECT nspname FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND " query2="SELECT relname FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND nspname='%s'" condition="attname" condition2="nspname"/>
            <blind query="SELECT DISTINCT(nspname) FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND " query2="SELECT DISTINCT(relname) FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND nspname='%s'" count="SELECT COUNT(DISTINCT(nspname)) FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND " count2="SELECT COUNT(DISTINCT(relname)) FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND nspname='%s'" condition="attname" condition2="nspname"/>
        </dump_column>
        <dump_table>
            <inband query="SELECT %s FROM %s.%s"/>
            <blind query="SELECT %s FROM %s.%s OFFSET %d LIMIT 1" count="SELECT COUNT(*) FROM %s.%s"/>
        </dump_table>
        <search_db>
            <inband query="SELECT datname FROM pg_database WHERE " query2="" condition="datname" condition2=""/>
            <blind query="SELECT DISTINCT(datname) FROM pg_database WHERE " query2="" count="SELECT COUNT(DISTINCT(datname)) FROM pg_database WHERE " count2="" condition="datname" condition2=""/>
        </search_db>
        <search_table/>
        <search_column>
            <inband query="SELECT nspname FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND " query2="SELECT relname FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND nspname='%s'" condition="attname" condition2="nspname"/>
            <blind query="SELECT DISTINCT(nspname) FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND " query2="SELECT DISTINCT(relname) FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND nspname='%s'" count="SELECT COUNT(DISTINCT(nspname)) FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND " count2="SELECT COUNT(DISTINCT(relname)) FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND nspname='%s'" condition="attname" condition2="nspname"/>
        </search_column>
    </dbms>
    <!-- Microsoft SQL Server -->
@ -245,14 +257,19 @@
            <inband query="SELECT %s..syscolumns.name, TYPE_NAME(%s..syscolumns.xtype) FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.name='%s'" condition="[DB]..syscolumns.name"/>
            <blind query="SELECT %s..syscolumns.name FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.name='%s'" query2="SELECT TYPE_NAME(%s..syscolumns.xtype) FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.name='%s' AND %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.name='%s'" count="SELECT LTRIM(STR(COUNT(name))) FROM %s..syscolumns WHERE id=(SELECT id FROM %s..sysobjects WHERE name='%s')" condition="[DB]..syscolumns.name"/>
        </columns>
        <dump_column>
            <inband query="" query2="SELECT %s..sysobjects.name FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id" condition="[DB]..syscolumns.name"/>
            <blind query="" query2="SELECT %s..sysobjects.name FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id" count="" count2="SELECT COUNT(%s..sysobjects.name) FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id" condition="[DB]..syscolumns.name"/>
        </dump_column>
        <dump_table>
            <inband query="SELECT %s FROM %s..%s"/>
            <blind query="SELECT TOP 1 %s FROM %s..%s WHERE %s NOT IN (SELECT TOP %d %s FROM %s..%s)" count="SELECT LTRIM(STR(COUNT(*))) FROM %s..%s"/>
        </dump_table>
        <search_db>
            <inband query="SELECT name FROM master..sysdatabases WHERE " condition="name"/>
            <blind query="SELECT name FROM master..sysdatabases WHERE " count="SELECT LTRIM(STR(COUNT(name))) FROM master..sysdatabases WHERE " condition="name"/>
        </search_db>
        <search_table/>
        <search_column>
            <inband query="" query2="SELECT %s..sysobjects.name FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id" condition="[DB]..syscolumns.name"/>
            <blind query="" query2="SELECT %s..sysobjects.name FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id" count="" count2="SELECT COUNT(%s..sysobjects.name) FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id" condition="[DB]..syscolumns.name"/>
        </search_column>
    </dbms>
    <!-- SQLite -->
@ -291,11 +308,13 @@
            <blind query="SELECT tbl_name FROM sqlite_master WHERE type='table' LIMIT %d, 1" count="SELECT COUNT(tbl_name) FROM sqlite_master WHERE type='table'"/>
        </tables>
        <columns/>
        <dump_column/>
        <dump_table>
            <inband query="SELECT %s FROM %s"/>
            <blind query="SELECT %s FROM %s LIMIT %d, 1" count="SELECT COUNT(*) FROM %s"/>
        </dump_table>
        <search_db/>
        <search_table/>
        <search_column/>
    </dbms>
    <!-- Microsoft Access -->
@ -355,10 +374,6 @@
            <inband query="SELECT RDB$RELATION_NAME FROM RDB$RELATIONS WHERE RDB$VIEW_BLR IS NULL AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0)"/>
            <blind query="SELECT FIRST 1 SKIP %d RDB$RELATION_NAME FROM RDB$RELATIONS WHERE RDB$VIEW_BLR IS NULL AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0)" count="SELECT COUNT(RDB$RELATION_NAME) FROM RDB$RELATIONS WHERE RDB$VIEW_BLR IS NULL AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0)"/>
        </tables>
        <dump_table>
            <inband query="SELECT %s FROM %s"/>
            <blind query="SELECT FIRST 1 SKIP %d %s FROM %s" count="SELECT COUNT(*) FROM %s"/>
        </dump_table>    
        <privileges>
            <inband query="SELECT RDB$USER, RDB$PRIVILEGE FROM RDB$USER_PRIVILEGES" condition="RDB$USER"/>
            <blind query="SELECT FIRST 1 SKIP %d DISTINCT(RDB$PRIVILEGE) FROM RDB$USER_PRIVILEGES WHERE RDB$USER='%s'" count="SELECT COUNT(DISTINCT(RDB$PRIVILEGE)) FROM RDB$USER_PRIVILEGES WHERE RDB$USER='%s'"/>
@ -370,6 +385,10 @@
            <inband query="SELECT r.RDB$FIELD_NAME, f.RDB$FIELD_TYPE FROM RDB$RELATION_FIELDS r LEFT JOIN RDB$FIELDS f ON r.RDB$FIELD_SOURCE = f.RDB$FIELD_NAME WHERE r.RDB$RELATION_NAME='%s'"/>
            <blind query="SELECT r.RDB$FIELD_NAME FROM RDB$RELATION_FIELDS r LEFT JOIN RDB$FIELDS f ON r.RDB$FIELD_SOURCE = f.RDB$FIELD_NAME WHERE r.RDB$RELATION_NAME='%s'" query2="SELECT f.RDB$FIELD_TYPE FROM RDB$RELATION_FIELDS r LEFT JOIN RDB$FIELDS f ON r.RDB$FIELD_SOURCE = f.RDB$FIELD_NAME WHERE r.RDB$RELATION_NAME='%s' AND r.RDB$FIELD_NAME='%s'" count="SELECT COUNT(r.RDB$FIELD_NAME) FROM RDB$RELATION_FIELDS r LEFT JOIN RDB$FIELDS f ON r.RDB$FIELD_SOURCE = f.RDB$FIELD_NAME WHERE r.RDB$RELATION_NAME='%s'"/>
        </columns>
        <dump_table>
            <inband query="SELECT %s FROM %s"/>
            <blind query="SELECT FIRST 1 SKIP %d %s FROM %s" count="SELECT COUNT(*) FROM %s"/>
        </dump_table>
   </dbms>
 </root>