Minor enhancement to speed up active DBMS fingerprint (-f).
Code cleanup and refactoring.
This commit is contained in:
parent
207f63cebc
commit
a02dd6b55b
|
@ -97,15 +97,15 @@ def __goInferenceFields(expression, expressionFields, expressionFieldsList, payl
|
||||||
return outputs
|
return outputs
|
||||||
|
|
||||||
def __goBooleanProxy(expression, resumeValue=True):
|
def __goBooleanProxy(expression, resumeValue=True):
|
||||||
vector = kb.injection.data[kb.technique].vector
|
|
||||||
|
|
||||||
kb.pageTemplate = getPageTemplate(kb.injection.data[kb.technique].templatePayload, kb.injection.place)
|
kb.pageTemplate = getPageTemplate(kb.injection.data[kb.technique].templatePayload, kb.injection.place)
|
||||||
vector = vector.replace("[INFERENCE]", "%s" % expression)
|
|
||||||
vector = agent.cleanupPayload(vector)
|
|
||||||
|
|
||||||
|
vector = kb.injection.data[kb.technique].vector
|
||||||
|
vector = vector.replace("[INFERENCE]", expression)
|
||||||
|
vector = agent.cleanupPayload(vector)
|
||||||
query = agent.prefixQuery(vector)
|
query = agent.prefixQuery(vector)
|
||||||
query = agent.suffixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
payload = agent.payload(newValue=query)
|
payload = agent.payload(newValue=query)
|
||||||
|
|
||||||
if resumeValue:
|
if resumeValue:
|
||||||
output = resume(expression, payload)
|
output = resume(expression, payload)
|
||||||
else:
|
else:
|
||||||
|
@ -116,7 +116,6 @@ def __goBooleanProxy(expression, resumeValue=True):
|
||||||
|
|
||||||
return output
|
return output
|
||||||
|
|
||||||
|
|
||||||
def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, resumeValue=True, unpack=True, charsetType=None, firstChar=None, lastChar=None):
|
def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, resumeValue=True, unpack=True, charsetType=None, firstChar=None, lastChar=None):
|
||||||
"""
|
"""
|
||||||
Retrieve the output of a SQL query characted by character taking
|
Retrieve the output of a SQL query characted by character taking
|
||||||
|
@ -124,13 +123,8 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
|
||||||
parameter through a bisection algorithm.
|
parameter through a bisection algorithm.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
if kb.technique and kb.injection.data[kb.technique].vector is not None:
|
|
||||||
vector = agent.cleanupPayload(kb.injection.data[kb.technique].vector)
|
|
||||||
kb.pageTemplate = getPageTemplate(kb.injection.data[kb.technique].templatePayload, kb.injection.place)
|
kb.pageTemplate = getPageTemplate(kb.injection.data[kb.technique].templatePayload, kb.injection.place)
|
||||||
else:
|
vector = agent.cleanupPayload(kb.injection.data[kb.technique].vector)
|
||||||
vector = queries[kb.misc.testedDbms].inference.query
|
|
||||||
kb.pageTemplate = kb.originalPage
|
|
||||||
|
|
||||||
query = agent.prefixQuery(vector)
|
query = agent.prefixQuery(vector)
|
||||||
query = agent.suffixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
payload = agent.payload(newValue=query)
|
payload = agent.payload(newValue=query)
|
||||||
|
@ -398,7 +392,7 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
|
||||||
(if selected).
|
(if selected).
|
||||||
"""
|
"""
|
||||||
|
|
||||||
if suppressOutput or expected == EXPECTED.BOOL:
|
if suppressOutput:
|
||||||
pushValue(conf.verbose)
|
pushValue(conf.verbose)
|
||||||
conf.verbose = 0
|
conf.verbose = 0
|
||||||
|
|
||||||
|
@ -414,6 +408,7 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
|
||||||
|
|
||||||
if expected == EXPECTED.BOOL:
|
if expected == EXPECTED.BOOL:
|
||||||
forgeCaseExpression = booleanExpression = expression
|
forgeCaseExpression = booleanExpression = expression
|
||||||
|
|
||||||
if expression.upper().startswith("SELECT "):
|
if expression.upper().startswith("SELECT "):
|
||||||
booleanExpression = expression[len("SELECT "):]
|
booleanExpression = expression[len("SELECT "):]
|
||||||
else:
|
else:
|
||||||
|
@ -421,35 +416,35 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
|
||||||
|
|
||||||
if inband and kb.unionTest is not None:
|
if inband and kb.unionTest is not None:
|
||||||
kb.technique = PAYLOAD.TECHNIQUE.UNION
|
kb.technique = PAYLOAD.TECHNIQUE.UNION
|
||||||
|
|
||||||
if expected == EXPECTED.BOOL:
|
if expected == EXPECTED.BOOL:
|
||||||
value = __goInband(forgeCaseExpression, expected, sort, resumeValue, unpack, dump)
|
value = __goInband(forgeCaseExpression, expected, sort, resumeValue, unpack, dump)
|
||||||
else:
|
else:
|
||||||
value = __goInband(query, expected, sort, resumeValue, unpack, dump)
|
value = __goInband(query, expected, sort, resumeValue, unpack, dump)
|
||||||
found = value or (value is None and expectingNone)
|
|
||||||
|
|
||||||
if not found:
|
found = value or (value is None and expectingNone)
|
||||||
warnMsg = "for some reason(s) it was not possible to retrieve "
|
|
||||||
warnMsg += "the query output through inband SQL injection "
|
|
||||||
warnMsg += "technique, sqlmap is going blind"
|
|
||||||
logger.warn(warnMsg)
|
|
||||||
|
|
||||||
oldParamNegative = kb.unionNegative
|
oldParamNegative = kb.unionNegative
|
||||||
kb.unionNegative = False
|
kb.unionNegative = False
|
||||||
|
|
||||||
if error and kb.errorTest and not found:
|
if error and kb.errorTest and not found:
|
||||||
kb.technique = PAYLOAD.TECHNIQUE.ERROR
|
kb.technique = PAYLOAD.TECHNIQUE.ERROR
|
||||||
|
|
||||||
if expected == EXPECTED.BOOL:
|
if expected == EXPECTED.BOOL:
|
||||||
value = __goError(forgeCaseExpression, resumeValue)
|
value = __goError(forgeCaseExpression, resumeValue)
|
||||||
else:
|
else:
|
||||||
value = __goError(query, resumeValue)
|
value = __goError(query, resumeValue)
|
||||||
|
|
||||||
found = value or (value is None and expectingNone)
|
found = value or (value is None and expectingNone)
|
||||||
|
|
||||||
if blind and kb.booleanTest and not found:
|
if blind and kb.booleanTest and not found:
|
||||||
kb.technique = PAYLOAD.TECHNIQUE.BOOLEAN
|
kb.technique = PAYLOAD.TECHNIQUE.BOOLEAN
|
||||||
|
|
||||||
if expected == EXPECTED.BOOL:
|
if expected == EXPECTED.BOOL:
|
||||||
value = __goBooleanProxy(booleanExpression, resumeValue)
|
value = __goBooleanProxy(booleanExpression, resumeValue)
|
||||||
else:
|
else:
|
||||||
value = __goInferenceProxy(query, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
|
value = __goInferenceProxy(query, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
|
||||||
|
|
||||||
found = value or (value is None and expectingNone)
|
found = value or (value is None and expectingNone)
|
||||||
|
|
||||||
if time and (kb.timeTest or kb.stackedTest) and not found:
|
if time and (kb.timeTest or kb.stackedTest) and not found:
|
||||||
|
@ -472,12 +467,13 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
|
||||||
errMsg += "leveraged to retrieve queries output"
|
errMsg += "leveraged to retrieve queries output"
|
||||||
raise sqlmapNotVulnerableException, errMsg
|
raise sqlmapNotVulnerableException, errMsg
|
||||||
finally:
|
finally:
|
||||||
if suppressOutput or expected == EXPECTED.BOOL:
|
if suppressOutput:
|
||||||
conf.verbose = popValue()
|
conf.verbose = popValue()
|
||||||
|
|
||||||
if value and expected == EXPECTED.BOOL:
|
if value and expected == EXPECTED.BOOL:
|
||||||
if isinstance(value, basestring):
|
if isinstance(value, basestring):
|
||||||
value = value.lower()
|
value = value.lower()
|
||||||
|
|
||||||
if value in ("true", "false"):
|
if value in ("true", "false"):
|
||||||
value = bool(value)
|
value = bool(value)
|
||||||
else:
|
else:
|
||||||
|
@ -506,5 +502,5 @@ def goStacked(expression, silent=False):
|
||||||
|
|
||||||
return payload, page
|
return payload, page
|
||||||
|
|
||||||
def checkBooleanExpression(expression, expectingNone=False):
|
def checkBooleanExpression(expression):
|
||||||
return getValue(unescaper.unescape(expression), expected=EXPECTED.BOOL, expectingNone=expectingNone)
|
return getValue(unescaper.unescape(expression), expected=EXPECTED.BOOL, suppressOutput=True, expectingNone=True)
|
||||||
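Review bot: Dropping the `expectingNone` parameter from `checkBooleanExpression` is an interface break: any caller outside this diff that still passes `expectingNone=` now raises TypeError, and every remaining caller is pinned to `expectingNone=True`, so a None from the inband or error path counts as found in `getValue` and no longer falls through to the blind techniques. Keeping the keyword with the new default, `def checkBooleanExpression(expression, expectingNone=True):`, and forwarding it preserves both behaviours. Separately, in the `finally` block of `getValue`, `value = bool(value)` is True for the string `"false"` as well; `value = value == "true"` is the intended conversion. The `getValue` body starts and ends outside the visible hunks, and the removed inband warning leaves the user no signal when a UNION retrieval fails and the run degrades to blind.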
|
|
|
@ -42,7 +42,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
elif kb.dbmsVersion[0] in ("2002-2003", "2007"):
|
elif kb.dbmsVersion[0] in ("2002-2003", "2007"):
|
||||||
table = "MSysAccessStorage"
|
table = "MSysAccessStorage"
|
||||||
if table:
|
if table:
|
||||||
result = inject.checkBooleanExpression("EXISTS(SELECT CURDIR() FROM %s)" % table, expectingNone=True)
|
result = inject.checkBooleanExpression("EXISTS(SELECT CURDIR() FROM %s)" % table)
|
||||||
retVal = "not sandboxed" if result else "sandboxed"
|
retVal = "not sandboxed" if result else "sandboxed"
|
||||||
|
|
||||||
return retVal
|
return retVal
|
||||||
|
@ -69,7 +69,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
negate = True
|
negate = True
|
||||||
table = table[1:]
|
table = table[1:]
|
||||||
randInt = randomInt()
|
randInt = randomInt()
|
||||||
result = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s WHERE %d=%d)" % (table, randInt, randInt), expectingNone=True)
|
result = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s WHERE %d=%d)" % (table, randInt, randInt))
|
||||||
if result is None:
|
if result is None:
|
||||||
result = False
|
result = False
|
||||||
if negate:
|
if negate:
|
||||||
|
@ -90,7 +90,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
|
|
||||||
randInt = randomInt()
|
randInt = randomInt()
|
||||||
randStr = randomStr()
|
randStr = randomStr()
|
||||||
_ = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s.%s WHERE %d=%d)" % (randStr, randStr, randInt, randInt), expectingNone=True)
|
_ = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s.%s WHERE %d=%d)" % (randStr, randStr, randInt, randInt))
|
||||||
|
|
||||||
if wasLastRequestDBMSError():
|
if wasLastRequestDBMSError():
|
||||||
match = re.search("Could not find file\s+'([^']+?)'", kb.lastErrorPage[1])
|
match = re.search("Could not find file\s+'([^']+?)'", kb.lastErrorPage[1])
|
||||||
|
@ -154,13 +154,13 @@ class Fingerprint(GenericFingerprint):
|
||||||
logMsg = "testing Microsoft Access"
|
logMsg = "testing Microsoft Access"
|
||||||
logger.info(logMsg)
|
logger.info(logMsg)
|
||||||
|
|
||||||
result = inject.checkBooleanExpression("VAL(CVAR(1))=1", expectingNone=True)
|
result = inject.checkBooleanExpression("VAL(CVAR(1))=1")
|
||||||
|
|
||||||
if result:
|
if result:
|
||||||
logMsg = "confirming Microsoft Access"
|
logMsg = "confirming Microsoft Access"
|
||||||
logger.info(logMsg)
|
logger.info(logMsg)
|
||||||
|
|
||||||
result = inject.checkBooleanExpression("IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0", expectingNone=True)
|
result = inject.checkBooleanExpression("IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0")
|
||||||
|
|
||||||
if not result:
|
if not result:
|
||||||
warnMsg = "the back-end DBMS is not Microsoft Access"
|
warnMsg = "the back-end DBMS is not Microsoft Access"
|
||||||
|
|
|
@ -84,7 +84,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
version, checks = table[i]
|
version, checks = table[i]
|
||||||
failed = False
|
failed = False
|
||||||
check = checks[randomRange(0,len(checks)-1)].replace("%d", getUnicode(randomRange(1,100)))
|
check = checks[randomRange(0,len(checks)-1)].replace("%d", getUnicode(randomRange(1,100)))
|
||||||
result = inject.checkBooleanExpression(check, expectingNone=True)
|
result = inject.checkBooleanExpression(check)
|
||||||
if result:
|
if result:
|
||||||
retVal = version
|
retVal = version
|
||||||
else:
|
else:
|
||||||
|
@ -98,7 +98,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
def __dialectCheck(self):
|
def __dialectCheck(self):
|
||||||
retVal = None
|
retVal = None
|
||||||
if kb.dbms:
|
if kb.dbms:
|
||||||
result = inject.checkBooleanExpression("EXISTS(SELECT CURRENT_DATE FROM RDB$DATABASE)", expectingNone=True)
|
result = inject.checkBooleanExpression("EXISTS(SELECT CURRENT_DATE FROM RDB$DATABASE)")
|
||||||
retVal = "dialect 3" if result else "dialect 1"
|
retVal = "dialect 3" if result else "dialect 1"
|
||||||
return retVal
|
return retVal
|
||||||
|
|
||||||
|
@ -115,13 +115,13 @@ class Fingerprint(GenericFingerprint):
|
||||||
logger.info(logMsg)
|
logger.info(logMsg)
|
||||||
|
|
||||||
randInt = randomInt()
|
randInt = randomInt()
|
||||||
result = inject.checkBooleanExpression("EXISTS(SELECT * FROM RDB$DATABASE WHERE %d=%d)" % (randInt, randInt), expectingNone=True)
|
result = inject.checkBooleanExpression("EXISTS(SELECT * FROM RDB$DATABASE WHERE %d=%d)" % (randInt, randInt))
|
||||||
|
|
||||||
if result:
|
if result:
|
||||||
logMsg = "confirming Firebird"
|
logMsg = "confirming Firebird"
|
||||||
logger.info(logMsg)
|
logger.info(logMsg)
|
||||||
|
|
||||||
result = inject.checkBooleanExpression("EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)", expectingNone=True)
|
result = inject.checkBooleanExpression("EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)")
|
||||||
|
|
||||||
if not result:
|
if not result:
|
||||||
warnMsg = "the back-end DBMS is not Firebird"
|
warnMsg = "the back-end DBMS is not Firebird"
|
||||||
|
|
|
@ -50,13 +50,13 @@ class Fingerprint(GenericFingerprint):
|
||||||
minor, major = None, None
|
minor, major = None, None
|
||||||
|
|
||||||
for version in [6, 7]:
|
for version in [6, 7]:
|
||||||
result = inject.checkBooleanExpression("(SELECT MAJORVERSION FROM SYSINFO.VERSION)=%d" % version)
|
result = inject.checkBooleanExpression("%d=(SELECT MAJORVERSION FROM SYSINFO.VERSION)" % version)
|
||||||
|
|
||||||
if result:
|
if result:
|
||||||
major = version
|
major = version
|
||||||
|
|
||||||
for version in xrange(0, 10):
|
for version in xrange(0, 10):
|
||||||
result = inject.checkBooleanExpression("(SELECT MINORVERSION FROM SYSINFO.VERSION)=%d" % version)
|
result = inject.checkBooleanExpression("%d=(SELECT MINORVERSION FROM SYSINFO.VERSION)" % version)
|
||||||
|
|
||||||
if result:
|
if result:
|
||||||
minor = version
|
minor = version
|
||||||
|
@ -113,13 +113,13 @@ class Fingerprint(GenericFingerprint):
|
||||||
logger.info(logMsg)
|
logger.info(logMsg)
|
||||||
|
|
||||||
randInt = randomInt()
|
randInt = randomInt()
|
||||||
result = inject.checkBooleanExpression("NOROUND(%d)=%d" % (randInt, randInt), expectingNone=True)
|
result = inject.checkBooleanExpression("%d=NOROUND(%d)" % (randInt, randInt))
|
||||||
|
|
||||||
if result:
|
if result:
|
||||||
logMsg = "confirming SAP MaxDB"
|
logMsg = "confirming SAP MaxDB"
|
||||||
logger.info(logMsg)
|
logger.info(logMsg)
|
||||||
|
|
||||||
result = inject.checkBooleanExpression("MAPCHAR(NULL,1,DEFAULTMAP) IS NULL", expectingNone=True)
|
result = inject.checkBooleanExpression("MAPCHAR(NULL,1,DEFAULTMAP) IS NULL")
|
||||||
|
|
||||||
if not result:
|
if not result:
|
||||||
warnMsg = "the back-end DBMS is not SAP MaxDB"
|
warnMsg = "the back-end DBMS is not SAP MaxDB"
|
||||||
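Review bot: The operand swap to constant-first form at `"%d=(SELECT MAJORVERSION FROM SYSINFO.VERSION)"`, `"%d=(SELECT MINORVERSION FROM SYSINFO.VERSION)"` and `"%d=NOROUND(%d)"` is not explained anywhere in the hunk, and a maintainer tidying the expressions back to `column=%d` would undo it silently. A one-line comment above the first loop stating why the literal has to lead the comparison would record the reason for the next reader. The same reordering appears in the MySQL, Oracle and PostgreSQL fingerprint sections of this commit. The major-version loop over `[6, 7]` also keeps probing after a match; a `break` after `major = version` saves one request, which fits the stated aim of the commit.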
|
|
|
@ -92,7 +92,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
result = True
|
result = True
|
||||||
else:
|
else:
|
||||||
randInt = randomInt()
|
randInt = randomInt()
|
||||||
result = inject.checkBooleanExpression("BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" % (randInt, randInt), expectingNone=True)
|
result = inject.checkBooleanExpression("BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" % (randInt, randInt))
|
||||||
|
|
||||||
if result:
|
if result:
|
||||||
infoMsg = "confirming Microsoft SQL Server"
|
infoMsg = "confirming Microsoft SQL Server"
|
||||||
|
@ -178,12 +178,10 @@ class Fingerprint(GenericFingerprint):
|
||||||
for version, data in versions.items():
|
for version, data in versions.items():
|
||||||
query = "(SELECT LEN(%s) FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField)
|
query = "(SELECT LEN(%s) FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField)
|
||||||
query += "LIKE '%Windows NT " + data[0] + "%')>0"
|
query += "LIKE '%Windows NT " + data[0] + "%')>0"
|
||||||
query = agent.forgeCaseStatement(query)
|
|
||||||
|
|
||||||
if inject.getValue(query, charsetType=1, suppressOutput=True) == "1":
|
if inject.checkBooleanExpression(query):
|
||||||
kb.osVersion = version
|
|
||||||
infoMsg += " %s" % kb.osVersion
|
infoMsg += " %s" % kb.osVersion
|
||||||
|
kb.osVersion = version
|
||||||
break
|
break
|
||||||
|
|
||||||
if not kb.osVersion:
|
if not kb.osVersion:
|
||||||
|
@ -205,9 +203,8 @@ class Fingerprint(GenericFingerprint):
|
||||||
for sp in sps:
|
for sp in sps:
|
||||||
query = "(SELECT LEN(%s) FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField)
|
query = "(SELECT LEN(%s) FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField)
|
||||||
query += "LIKE '%Service Pack " + getUnicode(sp) + "%')>0"
|
query += "LIKE '%Service Pack " + getUnicode(sp) + "%')>0"
|
||||||
query = agent.forgeCaseStatement(query)
|
|
||||||
|
|
||||||
if inject.getValue(query, charsetType=1, suppressOutput=True) == "1":
|
if inject.checkBooleanExpression(query):
|
||||||
kb.osSP = sp
|
kb.osSP = sp
|
||||||
break
|
break
|
||||||
|
|
||||||
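Review bot: In the OS-version loop the new side formats the message before storing the match: `infoMsg += " %s" % kb.osVersion` now runs while `kb.osVersion` still holds its previous value, and only afterwards is `kb.osVersion = version` assigned, so the logged message carries a stale (presumably empty) version. Restore the old order, `kb.osVersion = version` followed by `infoMsg += " %s" % kb.osVersion`, or format with `version` directly. The service-pack loop in the second hunk keeps the correct order. Both loops sit in a method whose start and end lie outside the hunks.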
|
|
|
@ -163,13 +163,13 @@ class Fingerprint(GenericFingerprint):
|
||||||
logger.info(infoMsg)
|
logger.info(infoMsg)
|
||||||
|
|
||||||
randInt = getUnicode(randomInt(1))
|
randInt = getUnicode(randomInt(1))
|
||||||
result = inject.checkBooleanExpression("CONNECTION_ID()=CONNECTION_ID()", expectingNone=True)
|
result = inject.checkBooleanExpression("CONNECTION_ID()=CONNECTION_ID()")
|
||||||
|
|
||||||
if result:
|
if result:
|
||||||
infoMsg = "confirming MySQL"
|
infoMsg = "confirming MySQL"
|
||||||
logger.info(infoMsg)
|
logger.info(infoMsg)
|
||||||
|
|
||||||
result = inject.checkBooleanExpression("ISNULL(1/0)" if kb.injection.place != PLACE.URI else "ISNULL(1 DIV 0)", expectingNone=True)
|
result = inject.checkBooleanExpression("ISNULL(1 DIV 0)")
|
||||||
|
|
||||||
if not result:
|
if not result:
|
||||||
warnMsg = "the back-end DBMS is not MySQL"
|
warnMsg = "the back-end DBMS is not MySQL"
|
||||||
|
@ -178,7 +178,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
# Determine if it is MySQL >= 5.0.0
|
# Determine if it is MySQL >= 5.0.0
|
||||||
if inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.TABLES LIMIT 0, 1)" % (randInt, randInt), expectingNone=True):
|
if inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.TABLES LIMIT 0, 1)" % (randInt, randInt)):
|
||||||
kb.data.has_information_schema = True
|
kb.data.has_information_schema = True
|
||||||
kb.dbmsVersion = [">= 5.0.0"]
|
kb.dbmsVersion = [">= 5.0.0"]
|
||||||
|
|
||||||
|
@ -190,28 +190,28 @@ class Fingerprint(GenericFingerprint):
|
||||||
return True
|
return True
|
||||||
|
|
||||||
# Check if it is MySQL >= 5.5.0
|
# Check if it is MySQL >= 5.5.0
|
||||||
if inject.checkBooleanExpression("TO_SECONDS(950501)>0", expectingNone=True):
|
if inject.checkBooleanExpression("TO_SECONDS(950501)>0"):
|
||||||
kb.dbmsVersion = [">= 5.5.0"]
|
kb.dbmsVersion = [">= 5.5.0"]
|
||||||
|
|
||||||
# Check if it is MySQL >= 5.1.2 and < 5.5.0
|
# Check if it is MySQL >= 5.1.2 and < 5.5.0
|
||||||
elif inject.checkBooleanExpression("@@table_open_cache=@@table_open_cache", expectingNone=True):
|
elif inject.checkBooleanExpression("@@table_open_cache=@@table_open_cache"):
|
||||||
if inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.GLOBAL_STATUS LIMIT 0, 1)" % (randInt, randInt), expectingNone=True):
|
if inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.GLOBAL_STATUS LIMIT 0, 1)" % (randInt, randInt)):
|
||||||
kb.dbmsVersion = [">= 5.1.12", "< 5.5.0"]
|
kb.dbmsVersion = [">= 5.1.12", "< 5.5.0"]
|
||||||
elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PROCESSLIST LIMIT 0, 1)" % (randInt,randInt), expectingNone=True):
|
elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PROCESSLIST LIMIT 0, 1)" % (randInt,randInt)):
|
||||||
kb.dbmsVersion = [">= 5.1.7", "< 5.1.12"]
|
kb.dbmsVersion = [">= 5.1.7", "< 5.1.12"]
|
||||||
elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PARTITIONS LIMIT 0, 1)" % (randInt, randInt), expectingNone=True):
|
elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PARTITIONS LIMIT 0, 1)" % (randInt, randInt)):
|
||||||
kb.dbmsVersion = ["= 5.1.6"]
|
kb.dbmsVersion = ["= 5.1.6"]
|
||||||
elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PLUGINS LIMIT 0, 1)" % (randInt, randInt), expectingNone=True):
|
elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PLUGINS LIMIT 0, 1)" % (randInt, randInt)):
|
||||||
kb.dbmsVersion = [">= 5.1.5", "< 5.1.6"]
|
kb.dbmsVersion = [">= 5.1.5", "< 5.1.6"]
|
||||||
else:
|
else:
|
||||||
kb.dbmsVersion = [">= 5.1.2", "< 5.1.5"]
|
kb.dbmsVersion = [">= 5.1.2", "< 5.1.5"]
|
||||||
|
|
||||||
# Check if it is MySQL >= 5.0.0 and < 5.1.2
|
# Check if it is MySQL >= 5.0.0 and < 5.1.2
|
||||||
elif inject.checkBooleanExpression("@@hostname=@@hostname", expectingNone=True):
|
elif inject.checkBooleanExpression("@@hostname=@@hostname"):
|
||||||
kb.dbmsVersion = [">= 5.0.38", "< 5.1.2"]
|
kb.dbmsVersion = [">= 5.0.38", "< 5.1.2"]
|
||||||
elif inject.checkBooleanExpression("%s=(SELECT %s FROM DUAL)" % (randInt, randInt), expectingNone=True):
|
elif inject.checkBooleanExpression("%s=(SELECT %s FROM DUAL)" % (randInt, randInt)):
|
||||||
kb.dbmsVersion = [">= 5.0.11", "< 5.0.38"]
|
kb.dbmsVersion = [">= 5.0.11", "< 5.0.38"]
|
||||||
elif inject.checkBooleanExpression("DATABASE() LIKE SCHEMA()", expectingNone=True):
|
elif inject.checkBooleanExpression("DATABASE() LIKE SCHEMA()"):
|
||||||
kb.dbmsVersion = [">= 5.0.2", "< 5.0.11"]
|
kb.dbmsVersion = [">= 5.0.2", "< 5.0.11"]
|
||||||
else:
|
else:
|
||||||
kb.dbmsVersion = [">= 5.0.0", "<= 5.0.1"]
|
kb.dbmsVersion = [">= 5.0.0", "<= 5.0.1"]
|
||||||
|
@ -228,22 +228,22 @@ class Fingerprint(GenericFingerprint):
|
||||||
return True
|
return True
|
||||||
|
|
||||||
# Check which version of MySQL < 5.0.0 it is
|
# Check which version of MySQL < 5.0.0 it is
|
||||||
if inject.checkBooleanExpression("3=(SELECT COERCIBILITY(USER()))", expectingNone=True):
|
if inject.checkBooleanExpression("3=(SELECT COERCIBILITY(USER()))"):
|
||||||
kb.dbmsVersion = [">= 4.1.11", "< 5.0.0"]
|
kb.dbmsVersion = [">= 4.1.11", "< 5.0.0"]
|
||||||
elif inject.checkBooleanExpression("2=(SELECT COERCIBILITY(USER()))", expectingNone=True):
|
elif inject.checkBooleanExpression("2=(SELECT COERCIBILITY(USER()))"):
|
||||||
kb.dbmsVersion = [">= 4.1.1", "< 4.1.11"]
|
kb.dbmsVersion = [">= 4.1.1", "< 4.1.11"]
|
||||||
elif inject.checkBooleanExpression("CURRENT_USER()=CURRENT_USER()", expectingNone=True):
|
elif inject.checkBooleanExpression("CURRENT_USER()=CURRENT_USER()"):
|
||||||
kb.dbmsVersion = [">= 4.0.6", "< 4.1.1"]
|
kb.dbmsVersion = [">= 4.0.6", "< 4.1.1"]
|
||||||
|
|
||||||
if inject.checkBooleanExpression("(SELECT CHARSET(CURRENT_USER()))='utf8'", expectingNone=True):
|
if inject.checkBooleanExpression("'utf8'=(SELECT CHARSET(CURRENT_USER()))"):
|
||||||
kb.dbmsVersion = ["= 4.1.0"]
|
kb.dbmsVersion = ["= 4.1.0"]
|
||||||
else:
|
else:
|
||||||
kb.dbmsVersion = [">= 4.0.6", "< 4.1.0"]
|
kb.dbmsVersion = [">= 4.0.6", "< 4.1.0"]
|
||||||
elif inject.checkBooleanExpression("0=(SELECT FOUND_ROWS()", expectingNone=True):
|
elif inject.checkBooleanExpression("0=(SELECT FOUND_ROWS())"):
|
||||||
kb.dbmsVersion = [">= 4.0.0", "< 4.0.6"]
|
kb.dbmsVersion = [">= 4.0.0", "< 4.0.6"]
|
||||||
elif inject.checkBooleanExpression("CONNECTION_ID()=CONNECTION_ID()", expectingNone=True):
|
elif inject.checkBooleanExpression("CONNECTION_ID()=CONNECTION_ID()"):
|
||||||
kb.dbmsVersion = [">= 3.23.14", "< 4.0.0"]
|
kb.dbmsVersion = [">= 3.23.14", "< 4.0.0"]
|
||||||
elif inject.checkBooleanExpression("USER()=USER()", expectingNone=True):
|
elif inject.checkBooleanExpression("USER()=USER()"):
|
||||||
kb.dbmsVersion = [">= 3.22.11", "< 3.23.14"]
|
kb.dbmsVersion = [">= 3.22.11", "< 3.23.14"]
|
||||||
else:
|
else:
|
||||||
kb.dbmsVersion = ["< 3.22.11"]
|
kb.dbmsVersion = ["< 3.22.11"]
|
||||||
|
@ -262,7 +262,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
infoMsg = "fingerprinting the back-end DBMS operating system"
|
infoMsg = "fingerprinting the back-end DBMS operating system"
|
||||||
logger.info(infoMsg)
|
logger.info(infoMsg)
|
||||||
|
|
||||||
if inject.checkBooleanExpression("(SELECT MID(@@datadir, 1, 1))='/'"):
|
if inject.checkBooleanExpression("'/'=(SELECT MID(@@datadir, 1, 1))"):
|
||||||
kb.os = "Linux"
|
kb.os = "Linux"
|
||||||
else:
|
else:
|
||||||
kb.os = "Windows"
|
kb.os = "Windows"
|
||||||
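Review bot: The confirmation probe is now unconditionally `ISNULL(1 DIV 0)`; `DIV` is, as far as I recall, a MySQL 4.1 addition, so on the 3.22–4.0 servers that the version chain below still classifies the probe is a syntax error, the result is falsy and the plugin reports `the back-end DBMS is not MySQL` before the `< 4.1` branches are ever reached. Keeping the previous place-dependent `1/0` form, or an expression valid on every version, avoids that. Unrelated to the commit but visible in the same chain, the `CONNECTION_ID()=CONNECTION_ID()` test in the `>= 3.23.14` branch repeats the initial probe that must already have evaluated true to get this far, so the `USER()=USER()` and `< 3.22.11` branches look unreachable. The enclosing method begins outside the hunks.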
|
|
|
@ -80,7 +80,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
if conf.direct:
|
if conf.direct:
|
||||||
result = True
|
result = True
|
||||||
else:
|
else:
|
||||||
result = inject.checkBooleanExpression("ROWNUM=ROWNUM", expectingNone=True)
|
result = inject.checkBooleanExpression("ROWNUM=ROWNUM")
|
||||||
|
|
||||||
if result:
|
if result:
|
||||||
logMsg = "confirming Oracle"
|
logMsg = "confirming Oracle"
|
||||||
|
@ -91,7 +91,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
if conf.direct:
|
if conf.direct:
|
||||||
result = True
|
result = True
|
||||||
else:
|
else:
|
||||||
result = inject.checkBooleanExpression("LENGTH(SYSDATE)=LENGTH(SYSDATE)", expectingNone=True)
|
result = inject.checkBooleanExpression("LENGTH(SYSDATE)=LENGTH(SYSDATE)")
|
||||||
|
|
||||||
if not result:
|
if not result:
|
||||||
warnMsg = "the back-end DBMS is not Oracle"
|
warnMsg = "the back-end DBMS is not Oracle"
|
||||||
|
@ -106,17 +106,13 @@ class Fingerprint(GenericFingerprint):
|
||||||
if not conf.extensiveFp:
|
if not conf.extensiveFp:
|
||||||
return True
|
return True
|
||||||
|
|
||||||
query = "SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1"
|
for version in ("11i", "10g", "9i", "8i"):
|
||||||
version = inject.getValue(query, unpack=False, suppressOutput=True)
|
number = re.search("([\d]+)", version).group(1)
|
||||||
|
output = inject.checkBooleanExpression("%s=(SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1)" % number)
|
||||||
|
|
||||||
if re.search("^11", version):
|
if output:
|
||||||
kb.dbmsVersion = ["11i"]
|
kb.dbmsVersion = [ version ]
|
||||||
elif re.search("^10", version):
|
break
|
||||||
kb.dbmsVersion = ["10g"]
|
|
||||||
elif re.search("^9", version):
|
|
||||||
kb.dbmsVersion = ["9i"]
|
|
||||||
elif re.search("^8", version):
|
|
||||||
kb.dbmsVersion = ["8i"]
|
|
||||||
|
|
||||||
return True
|
return True
|
||||||
else:
|
else:
|
||||||
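Review bot: `SUBSTR((VERSION), 1, 2)` yields two characters, so for the `9i` and `8i` labels the new comparison becomes `9=(SELECT '9.' ...)` and presumably relies on Oracle implicitly converting a trailing-dot string to a number, which the old `re.search("^9", version)` did not; comparing the single leading digit for those labels, or matching the string form `'%s.'`, makes the probe independent of that conversion. The label-to-digit step `number = re.search("([\d]+)", version).group(1)` could be a plain tuple of `(label, prefix)` pairs, removing the regex and the non-raw `\d` escape. `kb.dbmsVersion = [ version ]` also departs from the `[value]` spacing used in the other plugins. The enclosing method begins and ends outside the hunk.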
|
|
|
@ -85,14 +85,13 @@ class Fingerprint(GenericFingerprint):
|
||||||
logger.info(infoMsg)
|
logger.info(infoMsg)
|
||||||
|
|
||||||
randInt = getUnicode(randomInt(1))
|
randInt = getUnicode(randomInt(1))
|
||||||
|
result = inject.checkBooleanExpression("%s::int=%s" % (randInt, randInt))
|
||||||
result = inject.checkBooleanExpression("%s::int=%s" % (randInt, randInt), expectingNone=True)
|
|
||||||
|
|
||||||
if result:
|
if result:
|
||||||
infoMsg = "confirming PostgreSQL"
|
infoMsg = "confirming PostgreSQL"
|
||||||
logger.info(infoMsg)
|
logger.info(infoMsg)
|
||||||
|
|
||||||
result = inject.checkBooleanExpression("COALESCE(%s, NULL)=%s" % (randInt, randInt), expectingNone=True)
|
result = inject.checkBooleanExpression("COALESCE(%s, NULL)=%s" % (randInt, randInt))
|
||||||
|
|
||||||
if not result:
|
if not result:
|
||||||
warnMsg = "the back-end DBMS is not PostgreSQL"
|
warnMsg = "the back-end DBMS is not PostgreSQL"
|
||||||
|
@ -107,33 +106,33 @@ class Fingerprint(GenericFingerprint):
|
||||||
if not conf.extensiveFp:
|
if not conf.extensiveFp:
|
||||||
return True
|
return True
|
||||||
|
|
||||||
if inject.getValue("SELECT DIV(6, 3)", unpack=False, charsetType=2, suppressOutput=True) == "2":
|
if inject.checkBooleanExpression("2=(SELECT DIV(6, 3))"):
|
||||||
kb.dbmsVersion = [">= 8.4.0"]
|
kb.dbmsVersion = [">= 8.4.0"]
|
||||||
elif inject.getValue("SELECT SUBSTR(TRANSACTION_TIMESTAMP()::text, 1, 1)", unpack=False, charsetType=2, suppressOutput=True) in ( "1", "2" ) and not inject.getValue("SELECT SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)", unpack=False, charsetType=2, suppressOutput=True) in ( "1", "2" ):
|
elif inject.getValue("SELECT SUBSTR(TRANSACTION_TIMESTAMP()::text, 1, 1)", unpack=False, charsetType=2, suppressOutput=True) in ( "1", "2" ) and not inject.getValue("SELECT SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)", unpack=False, charsetType=2, suppressOutput=True) in ( "1", "2" ):
|
||||||
kb.dbmsVersion = [">= 8.3.0", "< 8.4"]
|
kb.dbmsVersion = [">= 8.3.0", "< 8.4"]
|
||||||
elif inject.getValue("SELECT SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)", unpack=False, charsetType=2, suppressOutput=True):
|
elif inject.getValue("SELECT SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)", unpack=False, charsetType=2, suppressOutput=True):
|
||||||
kb.dbmsVersion = [">= 8.2.0", "< 8.3.0"]
|
kb.dbmsVersion = [">= 8.2.0", "< 8.3.0"]
|
||||||
elif inject.getValue("SELECT GREATEST(5, 9, 1)", unpack=False, charsetType=2, suppressOutput=True) == "9":
|
elif inject.checkBooleanExpression("9=(SELECT GREATEST(5, 9, 1))"):
|
||||||
kb.dbmsVersion = [">= 8.1.0", "< 8.2.0"]
|
kb.dbmsVersion = [">= 8.1.0", "< 8.2.0"]
|
||||||
elif inject.getValue("SELECT WIDTH_BUCKET(5.35, 0.024, 10.06, 5)", unpack=False, charsetType=2, suppressOutput=True) == "3":
|
elif inject.checkBooleanExpression("3=(SELECT WIDTH_BUCKET(5.35, 0.024, 10.06, 5))"):
|
||||||
kb.dbmsVersion = [">= 8.0.0", "< 8.1.0"]
|
kb.dbmsVersion = [">= 8.0.0", "< 8.1.0"]
|
||||||
elif inject.getValue("SELECT SUBSTR(MD5('sqlmap'), 1, 1)", unpack=False, suppressOutput=True):
|
elif inject.checkBooleanExpression("'d'=(SELECT SUBSTR(MD5('sqlmap'), 1, 1))"):
|
||||||
kb.dbmsVersion = [">= 7.4.0", "< 8.0.0"]
|
kb.dbmsVersion = [">= 7.4.0", "< 8.0.0"]
|
||||||
elif inject.getValue("SELECT SUBSTR(CURRENT_SCHEMA(), 1, 1)", unpack=False, suppressOutput=True) == "p":
|
elif inject.checkBooleanExpression("'p'=(SELECT SUBSTR(CURRENT_SCHEMA(), 1, 1))"):
|
||||||
kb.dbmsVersion = [">= 7.3.0", "< 7.4.0"]
|
kb.dbmsVersion = [">= 7.3.0", "< 7.4.0"]
|
||||||
elif inject.getValue("SELECT BIT_LENGTH(1)") == "8":
|
elif inject.checkBooleanExpression("8=(SELECT BIT_LENGTH(1))"):
|
||||||
kb.dbmsVersion = [">= 7.2.0", "< 7.3.0"]
|
kb.dbmsVersion = [">= 7.2.0", "< 7.3.0"]
|
||||||
elif inject.getValue("SELECT SUBSTR(QUOTE_LITERAL('a'), 2, 1)", unpack=False, suppressOutput=True) == "a":
|
elif inject.checkBooleanExpression("'a'=(SELECT SUBSTR(QUOTE_LITERAL('a'), 2, 1))"):
|
||||||
kb.dbmsVersion = [">= 7.1.0", "< 7.2.0"]
|
kb.dbmsVersion = [">= 7.1.0", "< 7.2.0"]
|
||||||
elif inject.getValue("SELECT POW(2, 3)", unpack=False, charsetType=2, suppressOutput=True) == "8":
|
elif inject.checkBooleanExpression("8=(SELECT POW(2, 3))"):
|
||||||
kb.dbmsVersion = [">= 7.0.0", "< 7.1.0"]
|
kb.dbmsVersion = [">= 7.0.0", "< 7.1.0"]
|
||||||
elif inject.getValue("SELECT MAX('a')") == "a":
|
elif inject.checkBooleanExpression("'a'=(SELECT MAX('a'))"):
|
||||||
kb.dbmsVersion = [">= 6.5.0", "< 6.5.3"]
|
kb.dbmsVersion = [">= 6.5.0", "< 6.5.3"]
|
||||||
elif re.search("([\d\.]+)", inject.getValue("SELECT SUBSTR(VERSION(), 12, 5)", unpack=False, suppressOutput=True)):
|
elif re.search("([\d\.]+)", inject.getValue("SELECT SUBSTR(VERSION(), 12, 5)", unpack=False, suppressOutput=True)):
|
||||||
kb.dbmsVersion = [">= 6.4.0", "< 6.5.0"]
|
kb.dbmsVersion = [">= 6.4.0", "< 6.5.0"]
|
||||||
elif inject.getValue("SELECT SUBSTR(CURRENT_DATE, 1, 1)", unpack=False, charsetType=2, suppressOutput=True) == "2":
|
elif inject.checkBooleanExpression("2=(SELECT SUBSTR(CURRENT_DATE, 1, 1))"):
|
||||||
kb.dbmsVersion = [">= 6.3.0", "< 6.4.0"]
|
kb.dbmsVersion = [">= 6.3.0", "< 6.4.0"]
|
||||||
elif inject.getValue("SELECT SUBSTRING('sqlmap', 1, 1)", unpack=False, suppressOutput=True) == "s":
|
elif inject.checkBooleanExpression("'s'=(SELECT SUBSTRING('sqlmap', 1, 1))"):
|
||||||
kb.dbmsVersion = [">= 6.2.0", "< 6.3.0"]
|
kb.dbmsVersion = [">= 6.2.0", "< 6.3.0"]
|
||||||
else:
|
else:
|
||||||
kb.dbmsVersion = ["< 6.2.0"]
|
kb.dbmsVersion = ["< 6.2.0"]
|
||||||
|
@ -162,9 +161,8 @@ class Fingerprint(GenericFingerprint):
|
||||||
for osPattern in osWindows:
|
for osPattern in osWindows:
|
||||||
query = "(SELECT LENGTH(%s) FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField)
|
query = "(SELECT LENGTH(%s) FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField)
|
||||||
query += "LIKE '%" + osPattern + "%')>0"
|
query += "LIKE '%" + osPattern + "%')>0"
|
||||||
query = agent.forgeCaseStatement(query)
|
|
||||||
|
|
||||||
if inject.getValue(query, charsetType=1, suppressOutput=True) == "1":
|
if inject.checkBooleanExpression(query):
|
||||||
kb.os = "Windows"
|
kb.os = "Windows"
|
||||||
|
|
||||||
break
|
break
|
||||||
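Review bot: The `re.search("([\d\.]+)", inject.getValue("SELECT SUBSTR(VERSION(), 12, 5)", ...))` branch passes the retrieval result straight into `re.search`, so when `getValue` yields None (the case the rest of the chain treats as "not this version") it raises TypeError instead of falling through; `inject.getValue(...) or ""` as the second argument keeps the chain going. The two `TRANSACTION_TIMESTAMP` branches above it likewise still go through `getValue` with `charsetType=2`, so the commit's move to single boolean probes is incomplete here; a membership expression such as `SUBSTR(TRANSACTION_TIMESTAMP()::text, 1, 1) IN ('1','2')` would fit the new `checkBooleanExpression` form, if the same semantics are wanted. The `MD5('sqlmap')` probe now asserts that the first hex digit is `d`, whereas the old code only checked that a value came back; that constant is worth confirming. The enclosing method begins and ends outside the hunks.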
|
|
|
@ -81,13 +81,13 @@ class Fingerprint(GenericFingerprint):
|
||||||
logMsg = "testing SQLite"
|
logMsg = "testing SQLite"
|
||||||
logger.info(logMsg)
|
logger.info(logMsg)
|
||||||
|
|
||||||
result = inject.checkBooleanExpression("LAST_INSERT_ROWID()=LAST_INSERT_ROWID()", expectingNone=True)
|
result = inject.checkBooleanExpression("LAST_INSERT_ROWID()=LAST_INSERT_ROWID()")
|
||||||
|
|
||||||
if result:
|
if result:
|
||||||
logMsg = "confirming SQLite"
|
logMsg = "confirming SQLite"
|
||||||
logger.info(logMsg)
|
logger.info(logMsg)
|
||||||
|
|
||||||
result = inject.checkBooleanExpression("SQLITE_VERSION()=SQLITE_VERSION()", expectingNone=True)
|
result = inject.checkBooleanExpression("SQLITE_VERSION()=SQLITE_VERSION()")
|
||||||
|
|
||||||
if not result:
|
if not result:
|
||||||
warnMsg = "the back-end DBMS is not SQLite"
|
warnMsg = "the back-end DBMS is not SQLite"
|
||||||
|
@ -95,7 +95,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
|
|
||||||
return False
|
return False
|
||||||
else:
|
else:
|
||||||
result = inject.checkBooleanExpression("RANDOMBLOB(-1)>0", expectingNone=True)
|
result = inject.checkBooleanExpression("RANDOMBLOB(-1)>0")
|
||||||
kb.dbmsVersion = [ '3' if result else '2' ]
|
kb.dbmsVersion = [ '3' if result else '2' ]
|
||||||
|
|
||||||
setDbms(DBMS.SQLITE)
|
setDbms(DBMS.SQLITE)
|
||||||
|
|
|
@ -81,13 +81,13 @@ class Fingerprint(GenericFingerprint):
|
||||||
if conf.direct:
|
if conf.direct:
|
||||||
result = True
|
result = True
|
||||||
else:
|
else:
|
||||||
result = inject.checkBooleanExpression("tempdb_id()=tempdb_id()", expectingNone=True)
|
result = inject.checkBooleanExpression("tempdb_id()=tempdb_id()")
|
||||||
|
|
||||||
if result:
|
if result:
|
||||||
logMsg = "confirming Sybase"
|
logMsg = "confirming Sybase"
|
||||||
logger.info(logMsg)
|
logger.info(logMsg)
|
||||||
|
|
||||||
result = inject.checkBooleanExpression("suser_id()=suser_id()", expectingNone=True)
|
result = inject.checkBooleanExpression("suser_id()=suser_id()")
|
||||||
|
|
||||||
if not result:
|
if not result:
|
||||||
warnMsg = "the back-end DBMS is not Sybase"
|
warnMsg = "the back-end DBMS is not Sybase"
|
||||||
|
@ -103,7 +103,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
return True
|
return True
|
||||||
|
|
||||||
for version in range(12, 16):
|
for version in range(12, 16):
|
||||||
result = inject.checkBooleanExpression("@@VERSION_NUMBER/1000=%d" % version, expectingNone=True)
|
result = inject.checkBooleanExpression("@@VERSION_NUMBER/1000=%d" % version)
|
||||||
if result:
|
if result:
|
||||||
kb.dbmsVersion = ["%d" % version]
|
kb.dbmsVersion = ["%d" % version]
|
||||||
break
|
break
|
||||||
|
|