--dump now works on MaxDB too

plugins/dbms/maxdb/enumeration.py

@@ -7,8 +7,14 @@ Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
 See the file 'doc/COPYING' for copying permission
 """
 
+from lib.core.common import Backend
+from lib.core.common import isTechniqueAvailable
+from lib.core.common import randomStr
+from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
+from lib.core.data import queries
+from lib.core.enums import PAYLOAD
 from plugins.generic.enumeration import Enumeration as GenericEnumeration
 
 class Enumeration(GenericEnumeration):
@@ -34,3 +40,37 @@ class Enumeration(GenericEnumeration):
         logger.warn(warnMsg)
 
         return []
+
+    def getColumns(self, onlyColNames=False):
+        self.forceDbmsEnum()
+
+        rootQuery = queries[Backend.getIdentifiedDbms()].columns
+        condition = rootQuery.blind.condition if 'condition' in rootQuery.blind else None
+
+        infoMsg = "fetching columns "
+        infoMsg += "for table '%s' " % conf.tbl
+        logger.info(infoMsg)
+
+        if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct:
+            blinds = [False, True]
+        else:
+            blinds = [True]
+
+        for blind in blinds:
+            randStr = randomStr()
+            query = rootQuery.inband.query % conf.tbl
+            retVal = self.__pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.columnname' % randStr,'%s.datatype' % randStr,'%s.len' % randStr], blind=blind)
+
+            if retVal:
+                table = {}
+                columns = {}
+
+                for columnname, datatype, length in zip(retVal[0]["%s.columnname" % randStr], retVal[0]["%s.datatype" % randStr], retVal[0]["%s.len" % randStr]):
+                    columns[columnname] = "%s(%s)" % (datatype, length)
+
+                table[conf.tbl] = columns
+                kb.data.cachedColumns[conf.db] = table
+
+                break
+
+        return kb.data.cachedColumns

plugins/dbms/maxdb/fingerprint.py

@@ -136,3 +136,6 @@ class Fingerprint(GenericFingerprint):
 
     def forceDbmsEnum(self):
         conf.db = "%s%s" % (DBMS.MAXDB, METADB_SUFFIX)
+
+        if conf.tbl:
+            conf.tbl = conf.tbl.upper() 

plugins/generic/enumeration.py

@@ -1364,6 +1364,8 @@ class Enumeration:
                 query = rootQuery.blind.count % conf.tbl
             elif Backend.getIdentifiedDbms() == DBMS.SYBASE:
                 query = rootQuery.blind.count % ("%s..%s" % (conf.db, conf.tbl))
+            elif Backend.getIdentifiedDbms() == DBMS.MAXDB:
+                query = rootQuery.blind.count % ("%s" % conf.tbl)
             else:
                 query = rootQuery.blind.count % (conf.db, conf.tbl)
             count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=2)
@@ -1383,10 +1385,10 @@ class Enumeration:
             entries = {}
 
             try:
-                if Backend.getIdentifiedDbms() in (DBMS.ACCESS, DBMS.SYBASE):
-                    if DBMS.ACCESS:
+                if Backend.getIdentifiedDbms() in (DBMS.ACCESS, DBMS.SYBASE, DBMS.MAXDB):
+                    if Backend.getIdentifiedDbms() in (DBMS.ACCESS, DBMS.MAXDB):
                         table = conf.tbl
-                    elif DBMS.SYBASE:
+                    elif Backend.getIdentifiedDbms() == DBMS.SYBASE:
                         table = "%s..%s" % (conf.db, conf.tbl)
                     entries, lengths = self.__pivotDumpTable(table, colList, count, blind=True)
 

xml/queries.xml

@@ -437,7 +437,7 @@
         <comment query="--" query2="#"/>
         <count query="COUNT(%s)"/>
         <!-- No real cast on SAP MaxDB -->
-        <cast query="REPLACE(%s, ' ', '_')"/>
+        <cast query="REPLACE(CHR(%s), ' ', '_')"/>
         <current_user query="SELECT USER() FROM DUAL"/>
         <current_db query="SELECT DATABASE() FROM DUAL"/>
         <order query="ORDER BY %s ASC"/>
@@ -450,7 +450,7 @@
             <blind query="SELECT MIN(username) FROM domain.users WHERE username > '%s'" count="SELECT CHR(COUNT(*)) FROM domain.users"/>
         </users>
         <columns>
-            <inband query="SELECT columnname, datatype, len FROM domain.columns WHERE tablename = '%s' AND schemaname=user ORDER BY pos"/>
+            <inband query="SELECT columnname, datatype, len FROM domain.columns WHERE tablename = '%s' AND schemaname=user"/>
             <blind query="SELECT columnname FROM domain.columns WHERE tablename = '%s' AND schemaname=user ORDER BY pos" query2="SELECT datatype FROM domain.columns WHERE tablename = '%s' AND schemaname=user ORDER BY pos"/>
         </columns>
         <tables>
@@ -461,8 +461,8 @@
             <inband query="SELECT owner, role FROM domain.roles" condition="owner"/>
         </roles>
         <dump_table>
-            <inband query="SELECT %s FROM %s"/>
-            <blind query="SELECT MIN(%s) FROM %s WHERE %s > '%s'" count="SELECT CHR(COUNT(*)) FROM %s"/>
+            <inband query="SELECT %s FROM %%s"/>
+            <blind query="SELECT MIN(%s) FROM %s WHERE CHR(%s)>'%s'" query2="SELECT MAX(%s) FROM %s WHERE CHR(%s) LIKE '%s'" count="SELECT COUNT(*) FROM %s" count2="SELECT COUNT(*) FROM (SELECT DISTINCT %s FROM %s) AS value_table"/>
         </dump_table>
    </dbms>