SVN roll back, DB2 patch will be recommitted after testing:

$ svn merge https://svn.sqlmap.org/sqlmap/trunk/sqlmap@HEAD https://svn.sqlmap.org/sqlmap/trunk/sqlmap@3847 .
This commit is contained in:
Bernardo Damele 2011-05-06 10:27:43 +00:00
parent 42bca80968
commit aae140080e
17 changed files with 30 additions and 505 deletions


@ -23,7 +23,6 @@ from lib.core.settings import ACCESS_ALIASES
from lib.core.settings import FIREBIRD_ALIASES from lib.core.settings import FIREBIRD_ALIASES
from lib.core.settings import MAXDB_ALIASES from lib.core.settings import MAXDB_ALIASES
from lib.core.settings import SYBASE_ALIASES from lib.core.settings import SYBASE_ALIASES
from lib.core.settings import DB2_ALIASES
from plugins.dbms.mssqlserver import MSSQLServerMap from plugins.dbms.mssqlserver import MSSQLServerMap
from plugins.dbms.mssqlserver.connector import Connector as MSSQLServerConn from plugins.dbms.mssqlserver.connector import Connector as MSSQLServerConn
@ -43,8 +42,6 @@ from plugins.dbms.maxdb import MaxDBMap
from plugins.dbms.maxdb.connector import Connector as MaxDBConn from plugins.dbms.maxdb.connector import Connector as MaxDBConn
from plugins.dbms.sybase import SybaseMap from plugins.dbms.sybase import SybaseMap
from plugins.dbms.sybase.connector import Connector as SybaseConn from plugins.dbms.sybase.connector import Connector as SybaseConn
from plugins.dbms.db2 import DB2Map
from plugins.dbms.db2.connector import Connector as DB2Conn
def setHandler(): def setHandler():
""" """
@ -53,7 +50,7 @@ def setHandler():
""" """
count = 0 count = 0
dbmsNames = ( "MySQL", "Oracle", "PostgreSQL", "Microsoft SQL Server", "SQLite", "Microsoft Access", "Firebird", "SAP MaxDB", "Sybase", "DB2" ) dbmsNames = ( "MySQL", "Oracle", "PostgreSQL", "Microsoft SQL Server", "SQLite", "Microsoft Access", "Firebird", "SAP MaxDB", "Sybase" )
dbmsObj = [ dbmsObj = [
( MYSQL_ALIASES, MySQLMap, MySQLConn ), ( MYSQL_ALIASES, MySQLMap, MySQLConn ),
( ORACLE_ALIASES, OracleMap, OracleConn ), ( ORACLE_ALIASES, OracleMap, OracleConn ),
@ -64,7 +61,6 @@ def setHandler():
( FIREBIRD_ALIASES, FirebirdMap, FirebirdConn ), ( FIREBIRD_ALIASES, FirebirdMap, FirebirdConn ),
( MAXDB_ALIASES, MaxDBMap, MaxDBConn ), ( MAXDB_ALIASES, MaxDBMap, MaxDBConn ),
( SYBASE_ALIASES, SybaseMap, SybaseConn ), ( SYBASE_ALIASES, SybaseMap, SybaseConn ),
( DB2_ALIASES, DB2Map, DB2Conn )
] ]
if Backend.getIdentifiedDbms() is not None: if Backend.getIdentifiedDbms() is not None:
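Review bot: `dbmsNames` and `dbmsObj` in setHandler are two hand-maintained sequences that have to stay aligned by position (the `count = 0` just above suggests they are paired by index), and nothing in the hunk verifies they have the same length, so dropping an entry from one but not the other silently maps a handler to the wrong display name. This revert had to touch both, plus the alias tuple in `__setDBMS`, `SUPPORTED_DBMS` and `DBMS_DICT` in settings, to remove a single DBMS, which is the usual sign of a list that should exist once. Carrying the name in each tuple, `( MYSQL_ALIASES, MySQLMap, MySQLConn, "MySQL" )`, and iterating that one list would remove the ordering dependency; short of that, a length check such as `if len(dbmsNames) != len(dbmsObj): raise sqlmapGenericException("dbmsNames/dbmsObj out of sync")` (exception type to be confirmed against lib.core.exception) makes the mismatch fail loudly. setHandler's body continues past the hunk.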


@ -407,7 +407,7 @@ class Agent:
if Backend.isDbms(DBMS.MYSQL): if Backend.isDbms(DBMS.MYSQL):
concatenatedQuery = "CONCAT(%s,%s)" % (query1, query2) concatenatedQuery = "CONCAT(%s,%s)" % (query1, query2)
elif Backend.getIdentifiedDbms() in (DBMS.PGSQL, DBMS.ORACLE, DBMS.SQLITE, DBMS.DB2): elif Backend.getIdentifiedDbms() in (DBMS.PGSQL, DBMS.ORACLE, DBMS.SQLITE):
concatenatedQuery = "%s||%s" % (query1, query2) concatenatedQuery = "%s||%s" % (query1, query2)
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE): elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
@ -466,7 +466,7 @@ class Agent:
elif fieldsNoSelect: elif fieldsNoSelect:
concatenatedQuery = "CONCAT('%s',%s,'%s')" % (kb.misc.start, concatenatedQuery, kb.misc.stop) concatenatedQuery = "CONCAT('%s',%s,'%s')" % (kb.misc.start, concatenatedQuery, kb.misc.stop)
elif Backend.getIdentifiedDbms() in (DBMS.PGSQL, DBMS.ORACLE, DBMS.SQLITE, DBMS.DB2): elif Backend.getIdentifiedDbms() in (DBMS.PGSQL, DBMS.ORACLE, DBMS.SQLITE):
if fieldsExists: if fieldsExists:
concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'||" % kb.misc.start, 1) concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'||" % kb.misc.start, 1)
concatenatedQuery += "||'%s'" % kb.misc.stop concatenatedQuery += "||'%s'" % kb.misc.stop
@ -643,7 +643,7 @@ class Agent:
limitStr = queries[Backend.getIdentifiedDbms()].limit.query % (num+1, num+1) limitStr = queries[Backend.getIdentifiedDbms()].limit.query % (num+1, num+1)
limitedQuery += " %s" % limitStr limitedQuery += " %s" % limitStr
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): elif Backend.isDbms(DBMS.ORACLE):
if " ORDER BY " in limitedQuery and "(SELECT " in limitedQuery: if " ORDER BY " in limitedQuery and "(SELECT " in limitedQuery:
orderBy = limitedQuery[limitedQuery.index(" ORDER BY "):] orderBy = limitedQuery[limitedQuery.index(" ORDER BY "):]
limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")] limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]
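Review bot: In the Oracle branch at the end of the section, the guard requires a `(SELECT ` subquery to be present, yet the split uses `limitedQuery.index(" ORDER BY ")`, which takes the first occurrence; if the inner SELECT carries its own ORDER BY the query is cut at the inner clause rather than the outer one, and whether that is intended is not clear from the hunk. A comment stating the assumption, `# assumes the only ORDER BY belongs to the outer query`, or `rindex` if the outer clause is the target, would settle it. The match is also a plain case-sensitive substring test, so a lowercase `order by` or one inside a string literal takes the other path. The enclosing method (presumably `limitQuery`, which the enumeration code calls) starts and ends outside the hunk.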


@ -2546,7 +2546,7 @@ def safeSQLIdentificatorNaming(name, isTable=False):
if not re.match(r"\A[A-Za-z0-9_]+\Z", parts[i]): if not re.match(r"\A[A-Za-z0-9_]+\Z", parts[i]):
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS): if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS):
parts[i] = "`%s`" % parts[i].strip("`") parts[i] = "`%s`" % parts[i].strip("`")
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.ORACLE, DBMS.PGSQL, DBMS.DB2): elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.ORACLE, DBMS.PGSQL):
parts[i] = "\"%s\"" % parts[i].strip("\"") parts[i] = "\"%s\"" % parts[i].strip("\"")
retVal = ".".join(parts) retVal = ".".join(parts)
@ -2563,7 +2563,7 @@ def unsafeSQLIdentificatorNaming(name):
if isinstance(name, basestring): if isinstance(name, basestring):
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS): if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS):
retVal = name.replace("`", "") retVal = name.replace("`", "")
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.ORACLE, DBMS.PGSQL, DBMS.DB2): elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.ORACLE, DBMS.PGSQL):
retVal = name.replace("\"", "") retVal = name.replace("\"", "")
if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE): if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
prefix = "%s." % DEFAULT_MSSQL_SCHEMA prefix = "%s." % DEFAULT_MSSQL_SCHEMA
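Review bot: The quoting branch `elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.ORACLE, DBMS.PGSQL):` in safeSQLIdentificatorNaming, and its mirror in unsafeSQLIdentificatorNaming, leave Sybase out, while the schema-prefix check a few lines later groups `DBMS.SYBASE` with `DBMS.MSSQL`; so a Sybase identifier that fails the `[A-Za-z0-9_]+` test is emitted unquoted, and on the way back its `"` are not stripped although the schema prefix is applied. If Sybase accepts double-quoted identifiers the way the MSSQL branch assumes, adding `DBMS.SYBASE` to both tuples makes the two functions symmetric. Separately, `"\"%s\"" % parts[i].strip("\"")` only removes surrounding quotes: a `"` embedded in the name is not doubled, so such a name produces a malformed quoted identifier — worth either a comment that embedded quotes are not expected here or a `.replace('"', '""')` on the stripped value. Both functions start outside the hunk.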


@ -19,7 +19,6 @@ from lib.core.settings import ACCESS_ALIASES
from lib.core.settings import FIREBIRD_ALIASES from lib.core.settings import FIREBIRD_ALIASES
from lib.core.settings import MAXDB_ALIASES from lib.core.settings import MAXDB_ALIASES
from lib.core.settings import SYBASE_ALIASES from lib.core.settings import SYBASE_ALIASES
from lib.core.settings import DB2_ALIASES
# sqlmap paths # sqlmap paths
paths = advancedDict() paths = advancedDict()


@ -98,14 +98,3 @@ firebirdPrivs = {
"R": "REFERENCES", "R": "REFERENCES",
"E": "EXECUTE" "E": "EXECUTE"
} }
db2Privs = {
1:"CONTROLAUTH",
2:"ALTERAUTH",
3:"DELETEAUTH",
4:"INDEXAUTH",
5:"INSERTAUTH",
6:"REFAUTH",
7:"SELECTAUTH",
8:"UPDATEAUTH"
}


@ -34,7 +34,6 @@ class DBMS:
PGSQL = "PostgreSQL" PGSQL = "PostgreSQL"
SQLITE = "SQLite" SQLITE = "SQLite"
SYBASE = "Sybase" SYBASE = "Sybase"
DB2 = "IBM DB2"
class OS: class OS:
LINUX = "Linux" LINUX = "Linux"


@ -89,7 +89,6 @@ from lib.core.settings import ACCESS_ALIASES
from lib.core.settings import FIREBIRD_ALIASES from lib.core.settings import FIREBIRD_ALIASES
from lib.core.settings import MAXDB_ALIASES from lib.core.settings import MAXDB_ALIASES
from lib.core.settings import SYBASE_ALIASES from lib.core.settings import SYBASE_ALIASES
from lib.core.settings import DB2_ALIASES
from lib.core.settings import BURP_SPLITTER from lib.core.settings import BURP_SPLITTER
from lib.core.settings import MAX_NUMBER_OF_THREADS from lib.core.settings import MAX_NUMBER_OF_THREADS
from lib.core.settings import TIME_DEFAULT_DELAY from lib.core.settings import TIME_DEFAULT_DELAY
@ -683,7 +682,7 @@ def __setDBMS():
for aliases in (MSSQL_ALIASES, MYSQL_ALIASES, PGSQL_ALIASES, \ for aliases in (MSSQL_ALIASES, MYSQL_ALIASES, PGSQL_ALIASES, \
ORACLE_ALIASES, SQLITE_ALIASES, ACCESS_ALIASES, \ ORACLE_ALIASES, SQLITE_ALIASES, ACCESS_ALIASES, \
FIREBIRD_ALIASES, MAXDB_ALIASES, SYBASE_ALIASES, DB2_ALIASES): FIREBIRD_ALIASES, MAXDB_ALIASES, SYBASE_ALIASES):
if conf.dbms in aliases: if conf.dbms in aliases:
conf.dbms = aliases[0] conf.dbms = aliases[0]


@ -147,8 +147,6 @@ FIREBIRD_SYSTEM_DBS = ( "RDB$BACKUP_HISTORY", "RDB$CHARACTER_SETS", "RDB$CHECK_C
"RDB$TRIGGER_MESSAGES", "RDB$TYPES", "RDB$USER_PRIVILEGES", "RDB$VIEW_RELATIONS" ) "RDB$TRIGGER_MESSAGES", "RDB$TYPES", "RDB$USER_PRIVILEGES", "RDB$VIEW_RELATIONS" )
MAXDB_SYSTEM_DBS = ( "SYSINFO", "DOMAIN" ) MAXDB_SYSTEM_DBS = ( "SYSINFO", "DOMAIN" )
SYBASE_SYSTEM_DBS = ( "master", "model", "sybsystemdb", "sybsystemprocs" ) SYBASE_SYSTEM_DBS = ( "master", "model", "sybsystemdb", "sybsystemprocs" )
DB2_SYSTEM_DBS = ( "NULLID", "SQLJ", "SYSCAT", "SYSFUN", "SYSIBM", "SYSIBMADM", "SYSIBMINTERNAL", "SYSIBMTS", "SYSPROC", "SYSPUBLIC",\
"SYSSTAT", "SYSTOOLS" )
MSSQL_ALIASES = [ "microsoft sql server", "mssqlserver", "mssql", "ms" ] MSSQL_ALIASES = [ "microsoft sql server", "mssqlserver", "mssql", "ms" ]
MYSQL_ALIASES = [ "mysql", "my" ] MYSQL_ALIASES = [ "mysql", "my" ]
@ -159,9 +157,8 @@ ACCESS_ALIASES = [ "access", "jet", "microsoft access", "msaccess" ]
FIREBIRD_ALIASES = [ "firebird", "mozilla firebird", "interbase", "ibase", "fb" ] FIREBIRD_ALIASES = [ "firebird", "mozilla firebird", "interbase", "ibase", "fb" ]
MAXDB_ALIASES = [ "maxdb", "sap maxdb", "sap db" ] MAXDB_ALIASES = [ "maxdb", "sap maxdb", "sap db" ]
SYBASE_ALIASES = [ "sybase", "sybase sql server" ] SYBASE_ALIASES = [ "sybase", "sybase sql server" ]
DB2_ALIASES = [ "ibm db2", "db2" ]
SUPPORTED_DBMS = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES + SQLITE_ALIASES + ACCESS_ALIASES + FIREBIRD_ALIASES + MAXDB_ALIASES + SYBASE_ALIASES + DB2_ALIASES SUPPORTED_DBMS = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES + SQLITE_ALIASES + ACCESS_ALIASES + FIREBIRD_ALIASES + MAXDB_ALIASES + SYBASE_ALIASES
SUPPORTED_OS = ( "linux", "windows" ) SUPPORTED_OS = ( "linux", "windows" )
DBMS_DICT = { DBMS.MSSQL: [MSSQL_ALIASES, "python-pymssql", "http://pymssql.sourceforge.net/"], DBMS_DICT = { DBMS.MSSQL: [MSSQL_ALIASES, "python-pymssql", "http://pymssql.sourceforge.net/"],
@ -172,8 +169,7 @@ DBMS_DICT = { DBMS.MSSQL: [MSSQL_ALIASES, "python-pymssql", "http://pymssql.sour
DBMS.ACCESS: [ACCESS_ALIASES, "python-pyodbc", "http://pyodbc.googlecode.com/"], DBMS.ACCESS: [ACCESS_ALIASES, "python-pyodbc", "http://pyodbc.googlecode.com/"],
DBMS.FIREBIRD: [FIREBIRD_ALIASES, "python-kinterbasdb", "http://kinterbasdb.sourceforge.net/"], DBMS.FIREBIRD: [FIREBIRD_ALIASES, "python-kinterbasdb", "http://kinterbasdb.sourceforge.net/"],
DBMS.MAXDB: [MAXDB_ALIASES, None, None], DBMS.MAXDB: [MAXDB_ALIASES, None, None],
DBMS.SYBASE: [SYBASE_ALIASES, "python-pymssql", "http://pymssql.sourceforge.net/"], DBMS.SYBASE: [SYBASE_ALIASES, "python-pymssql", "http://pymssql.sourceforge.net/"]
DBMS.DB2: [DB2_ALIASES, None, None]
} }
REFERER_ALIASES = ( "ref", "referer", "referrer" ) REFERER_ALIASES = ( "ref", "referer", "referrer" )


@ -1,36 +0,0 @@
#!/usr/bin/env python
"""
$Id: __init__.py 3678 2011-04-15 12:33:18Z stamparm $
Copyright (c) 2006-2011 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.enums import DBMS
from lib.core.settings import DB2_SYSTEM_DBS
from lib.core.unescaper import unescaper
from plugins.dbms.db2.enumeration import Enumeration
from plugins.dbms.db2.filesystem import Filesystem
from plugins.dbms.db2.fingerprint import Fingerprint
from plugins.dbms.db2.syntax import Syntax
from plugins.dbms.db2.takeover import Takeover
from plugins.generic.misc import Miscellaneous
class DB2Map(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Takeover):
"""
This class defines DB2 methods
"""
def __init__(self):
self.excludeDbsList = DB2_SYSTEM_DBS
Syntax.__init__(self)
Fingerprint.__init__(self)
Enumeration.__init__(self)
Filesystem.__init__(self)
Miscellaneous.__init__(self)
Takeover.__init__(self)
unescaper[DBMS.DB2] = Syntax.unescape


@ -1,31 +0,0 @@
#!/usr/bin/env python
"""
$Id: connector.py 3678 2011-04-15 12:33:18Z stamparm $
Copyright (c) 2006-2011 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""
try:
import pyodbc
except ImportError, _:
pass
from lib.core.data import logger
from lib.core.exception import sqlmapConnectionException
from lib.core.exception import sqlmapUnsupportedFeatureException
from plugins.generic.connector import Connector as GenericConnector
class Connector(GenericConnector):
"""
Homepage: http://pyodbc.googlecode.com/
User guide: http://code.google.com/p/pyodbc/wiki/GettingStarted
API: http://code.google.com/p/pyodbc/w/list
Debian package: python-pyodbc
License: MIT
"""
def __init__(self):
GenericConnector.__init__(self)


@ -1,22 +0,0 @@
#!/usr/bin/env python
"""
$Id: enumeration.py 3678 2011-04-15 12:33:18Z stamparm $
Copyright (c) 2006-2011 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.data import logger
from plugins.generic.enumeration import Enumeration as GenericEnumeration
class Enumeration(GenericEnumeration):
def __init__(self):
GenericEnumeration.__init__(self)
def getPasswordHashes(self):
warnMsg = "on DB2 it is not possible to list password hashes"
logger.warn(warnMsg)
return {}


@ -1,23 +0,0 @@
#!/usr/bin/env python
"""
$Id: filesystem.py 3678 2011-04-15 12:33:18Z stamparm $
Copyright (c) 2006-2011 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.common import randomStr
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.enums import PLACE
from lib.core.exception import sqlmapNoneDataException
from lib.request import inject
from lib.techniques.inband.union.use import unionUse
from plugins.generic.filesystem import Filesystem as GenericFilesystem
class Filesystem(GenericFilesystem):
def __init__(self):
GenericFilesystem.__init__(self)


@ -1,114 +0,0 @@
#!/usr/bin/env python
"""
$Id: fingerprint.py 3678 2011-04-15 12:33:18Z stamparm $
Copyright (c) 2006-2011 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.common import Backend
from lib.core.common import Format
from lib.core.common import randomInt
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.enums import DBMS
from lib.core.session import setDbms
from lib.core.settings import DB2_ALIASES
from lib.request import inject
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint
class Fingerprint(GenericFingerprint):
def __init__(self):
GenericFingerprint.__init__(self, DBMS.DB2)
def versionCheck(self):
minor, major = None, None
for version in reversed(xrange(5, 15)):
result = inject.checkBooleanExpression("(SELECT COUNT(*) FROM sysibm.sysversions WHERE versionnumber BETWEEN %d000000 AND %d999999)>0" % (version, version))
if result:
major = version
for version in reversed(xrange(0, 20)):
result = inject.checkBooleanExpression("(SELECT COUNT(*) FROM sysibm.sysversions WHERE versionnumber BETWEEN %d%02d0000 AND %d%02d9999)>0" % (major, version, major, version))
if result:
minor = version
version = "%s.%s" % (major, minor)
break
break
if major and minor:
return "%s.%s" % (major, minor)
else:
return None
def getFingerprint(self):
value = ""
wsOsFp = Format.getOs("web server", kb.headersFp)
if wsOsFp:
value += "%s\n" % wsOsFp
if kb.data.banner:
dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp)
if dbmsOsFp:
value += "%s\n" % dbmsOsFp
value += "back-end DBMS: "
if not conf.extensiveFp:
value += DBMS.DB2
return value
actVer = Format.getDbms()
blank = " " * 15
value += "active fingerprint: %s" % actVer
if kb.bannerFp:
banVer = kb.bannerFp["dbmsVersion"] if 'dbmsVersion' in kb.bannerFp else None
banVer = Format.getDbms([banVer])
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
htmlErrorFp = Format.getErrorParsedDBMSes()
if htmlErrorFp:
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
return value
def checkDbms(self):
if not conf.extensiveFp and (Backend.isDbmsWithin(DB2_ALIASES) or conf.dbms in DB2_ALIASES):
setDbms(DBMS.DB2)
return True
logMsg = "testing %s" % DBMS.DB2
logger.info(logMsg)
randInt = randomInt()
result = inject.checkBooleanExpression("(SELECT %d FROM sysibm.sysdummy1) = %d" % (randInt, randInt))
if result:
logMsg = "confirming %s" % DBMS.DB2
logger.info(logMsg)
version = self.versionCheck()
if version:
Backend.setVersion(version)
setDbms("%s %s" % (DBMS.DB2, Backend.getVersion()))
else:
setDbms(DBMS.DB2)
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.DB2
logger.warn(warnMsg)
return False


@ -1,72 +0,0 @@
#!/usr/bin/env python
"""
$Id: syntax.py 3678 2011-04-15 12:33:18Z stamparm $
Copyright (c) 2006-2011 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.data import logger
from lib.core.exception import sqlmapSyntaxException
from plugins.generic.syntax import Syntax as GenericSyntax
class Syntax(GenericSyntax):
def __init__(self):
GenericSyntax.__init__(self)
@staticmethod
def unescape(expression, quote=True):
if quote:
while True:
index = expression.find("'")
if index == -1:
break
firstIndex = index + 1
index = expression[firstIndex:].find("'")
if index == -1:
raise sqlmapSyntaxException, "Unenclosed ' in '%s'" % expression
lastIndex = firstIndex + index
old = "'%s'" % expression[firstIndex:lastIndex]
unescaped = ""
for i in range(firstIndex, lastIndex):
unescaped += "CHR(%d)" % (ord(expression[i]))
if i < lastIndex - 1:
unescaped += "||"
expression = expression.replace(old, unescaped)
else:
expression = "||".join("CHR(%d)" % ord(c) for c in expression)
return expression
@staticmethod
def escape(expression):
logMsg = "escaping %s" % expression
logger.info(logMsg)
while True:
index = expression.find("CHR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find(")")
if index == -1:
raise sqlmapSyntaxException, "Unenclosed ) in '%s'" % expression
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.lstrip("CHR(").rstrip(")")
oldUpper = oldUpper.split("||")
escaped = "'%s'" % "".join([chr(int(char)) for char in oldUpper])
expression = expression.replace(old, escaped)
return expression


@ -1,32 +0,0 @@
#!/usr/bin/env python
"""
$Id: takeover.py 3678 2011-04-15 12:33:18Z stamparm $
Copyright (c) 2006-2011 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""
import re
from lib.core.agent import agent
from lib.core.common import isTechniqueAvailable
from lib.core.common import normalizePath
from lib.core.common import ntToPosixSlashes
from lib.core.common import randomStr
from lib.core.common import readInput
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import paths
from lib.core.enums import PAYLOAD
from lib.request import inject
from lib.request.connect import Connect as Request
from plugins.generic.takeover import Takeover as GenericTakeover
class Takeover(GenericTakeover):
def __init__(self):
self.__basedir = None
self.__datadir = None
GenericTakeover.__init__(self)


@ -43,7 +43,6 @@ from lib.core.dicts import firebirdTypes
from lib.core.dicts import mysqlPrivs from lib.core.dicts import mysqlPrivs
from lib.core.dicts import pgsqlPrivs from lib.core.dicts import pgsqlPrivs
from lib.core.dicts import firebirdPrivs from lib.core.dicts import firebirdPrivs
from lib.core.dicts import db2Privs
from lib.core.enums import DBMS from lib.core.enums import DBMS
from lib.core.enums import EXPECTED from lib.core.enums import EXPECTED
from lib.core.enums import PAYLOAD from lib.core.enums import PAYLOAD
@ -99,14 +98,8 @@ class Enumeration:
infoMsg = "fetching banner" infoMsg = "fetching banner"
logger.info(infoMsg) logger.info(infoMsg)
# Needed for DB2 versions < 9
if Backend.isDbms(DBMS.DB2) and int(Backend.getVersion().split(".")[0]) < 9:
query = queries[Backend.getIdentifiedDbms()].banner.query2
kb.data.banner = unArrayizeValue(inject.getValue(query, safeCharEncode=False))
else:
query = queries[Backend.getIdentifiedDbms()].banner.query query = queries[Backend.getIdentifiedDbms()].banner.query
kb.data.banner = unArrayizeValue(inject.getValue(query, safeCharEncode=False)) kb.data.banner = unArrayizeValue(inject.getValue(query, safeCharEncode=False))
bannerParser(kb.data.banner) bannerParser(kb.data.banner)
if conf.os and conf.os == "windows": if conf.os and conf.os == "windows":
@ -198,7 +191,7 @@ class Enumeration:
errMsg = "unable to retrieve the number of database users" errMsg = "unable to retrieve the number of database users"
raise sqlmapNoneDataException, errMsg raise sqlmapNoneDataException, errMsg
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): if Backend.isDbms(DBMS.ORACLE):
plusOne = True plusOne = True
else: else:
plusOne = False plusOne = False
@ -426,7 +419,7 @@ class Enumeration:
logger.info(infoMsg) logger.info(infoMsg)
if conf.user and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): if conf.user and Backend.isDbms(DBMS.ORACLE):
conf.user = conf.user.upper() conf.user = conf.user.upper()
if conf.user: if conf.user:
@ -566,7 +559,7 @@ class Enumeration:
privileges = set() privileges = set()
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): if Backend.isDbms(DBMS.ORACLE):
plusOne = True plusOne = True
else: else:
plusOne = False plusOne = False
@ -624,25 +617,6 @@ class Enumeration:
elif Backend.isDbms(DBMS.FIREBIRD): elif Backend.isDbms(DBMS.FIREBIRD):
privileges.add(firebirdPrivs[privilege.strip()]) privileges.add(firebirdPrivs[privilege.strip()])
# In DB2 we get Y or G if the privilege is
# True, N otherwise
elif Backend.isDbms(DBMS.DB2):
privs = privilege.split(",")
privilege = privs[0]
privs = privs[1]
privs = list(privs.strip())
i = 1
for priv in privs:
if priv.upper() in ("Y", "G"):
for position, db2Priv in db2Privs.items():
if position == i:
privilege += ", " + db2Priv
i += 1
privileges.add(privilege)
if self.__isAdminFromPrivileges(privileges): if self.__isAdminFromPrivileges(privileges):
areAdmins.add(user) areAdmins.add(user)
@ -691,12 +665,6 @@ class Enumeration:
warnMsg += "names on other DBMSes" warnMsg += "names on other DBMSes"
logger.warn(warnMsg) logger.warn(warnMsg)
if Backend.isDbms(DBMS.DB2):
warnMsg = "schema names are going to be used on DB2 "
warnMsg += "for enumeration as the counterpart to database "
warnMsg += "names on other DBMSes"
logger.warn(warnMsg)
infoMsg = "fetching database (schema) names" infoMsg = "fetching database (schema) names"
else: else:
infoMsg = "fetching database names" infoMsg = "fetching database names"
@ -729,7 +697,7 @@ class Enumeration:
errMsg = "unable to retrieve the number of databases" errMsg = "unable to retrieve the number of databases"
logger.error(errMsg) logger.error(errMsg)
else: else:
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): if Backend.isDbms(DBMS.ORACLE):
plusOne = True plusOne = True
else: else:
plusOne = False plusOne = False
@ -790,7 +758,7 @@ class Enumeration:
if conf.db == "CD": if conf.db == "CD":
conf.db = self.getCurrentDb() conf.db = self.getCurrentDb()
if conf.db and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): if conf.db and Backend.isDbms(DBMS.ORACLE):
conf.db = conf.db.upper() conf.db = conf.db.upper()
if conf.db: if conf.db:
@ -902,7 +870,7 @@ class Enumeration:
tables = [] tables = []
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): if Backend.isDbms(DBMS.ORACLE):
plusOne = True plusOne = True
else: else:
plusOne = False plusOne = False
@ -946,14 +914,10 @@ class Enumeration:
warnMsg += "table(s) columns" warnMsg += "table(s) columns"
logger.warn(warnMsg) logger.warn(warnMsg)
# In DB2 we use the current user as default schema (db)
if Backend.isDbms(DBMS.DB2):
conf.db = self.getCurrentUser()
else:
conf.db = self.getCurrentDb() conf.db = self.getCurrentDb()
elif conf.db is not None: elif conf.db is not None:
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): if Backend.isDbms(DBMS.ORACLE):
conf.db = conf.db.upper() conf.db = conf.db.upper()
if ',' in conf.db: if ',' in conf.db:
@ -964,7 +928,7 @@ class Enumeration:
conf.db = safeSQLIdentificatorNaming(conf.db) conf.db = safeSQLIdentificatorNaming(conf.db)
if conf.col: if conf.col:
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): if Backend.isDbms(DBMS.ORACLE):
conf.col = conf.col.upper() conf.col = conf.col.upper()
colList = conf.col.split(",") colList = conf.col.split(",")
@ -975,7 +939,7 @@ class Enumeration:
colList[colList.index(col)] = safeSQLIdentificatorNaming(col) colList[colList.index(col)] = safeSQLIdentificatorNaming(col)
if conf.tbl: if conf.tbl:
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): if Backend.isDbms(DBMS.ORACLE):
conf.tbl = conf.tbl.upper() conf.tbl = conf.tbl.upper()
tblList = conf.tbl.split(",") tblList = conf.tbl.split(",")
@ -1141,7 +1105,7 @@ class Enumeration:
query = rootQuery.blind.count % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db)) query = rootQuery.blind.count % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
query += condQuery query += condQuery
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): elif Backend.isDbms(DBMS.ORACLE):
query = rootQuery.blind.count % unsafeSQLIdentificatorNaming(tbl.upper()) query = rootQuery.blind.count % unsafeSQLIdentificatorNaming(tbl.upper())
query += condQuery query += condQuery
@ -1180,7 +1144,7 @@ class Enumeration:
query = rootQuery.blind.query % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db)) query = rootQuery.blind.query % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
query += condQuery query += condQuery
field = None field = None
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): elif Backend.isDbms(DBMS.ORACLE):
query = rootQuery.blind.query % unsafeSQLIdentificatorNaming(tbl.upper()) query = rootQuery.blind.query % unsafeSQLIdentificatorNaming(tbl.upper())
query += condQuery query += condQuery
field = None field = None
@ -1202,7 +1166,7 @@ class Enumeration:
if not onlyColNames: if not onlyColNames:
if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ): if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(tbl), column, unsafeSQLIdentificatorNaming(conf.db)) query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(tbl), column, unsafeSQLIdentificatorNaming(conf.db))
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): elif Backend.isDbms(DBMS.ORACLE):
query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(tbl.upper()), column) query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(tbl.upper()), column)
elif Backend.isDbms(DBMS.MSSQL): elif Backend.isDbms(DBMS.MSSQL):
query = rootQuery.blind.query2 % (conf.db, conf.db, conf.db, query = rootQuery.blind.query2 % (conf.db, conf.db, conf.db,
@ -1302,10 +1266,6 @@ class Enumeration:
warnMsg += "number of entries for table '%s'" % conf.tbl warnMsg += "number of entries for table '%s'" % conf.tbl
logger.warn(warnMsg) logger.warn(warnMsg)
# In DB2 we use the current user as default schema (db)
if Backend.isDbms(DBMS.DB2):
conf.db = self.getCurrentUser()
else:
conf.db = self.getCurrentDb() conf.db = self.getCurrentDb()
self.forceDbmsEnum() self.forceDbmsEnum()
@ -1459,10 +1419,6 @@ class Enumeration:
warnMsg += "'%s' entries" % conf.tbl warnMsg += "'%s' entries" % conf.tbl
logger.warn(warnMsg) logger.warn(warnMsg)
# In DB2 we use the current user as default schema (db)
if Backend.isDbms(DBMS.DB2):
conf.db = self.getCurrentUser()
else:
conf.db = self.getCurrentDb() conf.db = self.getCurrentDb()
rootQuery = queries[Backend.getIdentifiedDbms()].dump_table rootQuery = queries[Backend.getIdentifiedDbms()].dump_table
@ -1585,7 +1541,7 @@ class Enumeration:
infoMsg += "on database '%s'" % conf.db infoMsg += "on database '%s'" % conf.db
logger.info(infoMsg) logger.info(infoMsg)
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): if Backend.isDbms(DBMS.ORACLE):
query = rootQuery.blind.count % (conf.tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), conf.tbl.upper()))) query = rootQuery.blind.count % (conf.tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), conf.tbl.upper())))
elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD): elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
query = rootQuery.blind.count % conf.tbl query = rootQuery.blind.count % conf.tbl
@ -1625,7 +1581,7 @@ class Enumeration:
entries, lengths = retVal entries, lengths = retVal
else: else:
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): if Backend.isDbms(DBMS.ORACLE):
plusOne = True plusOne = True
else: else:
plusOne = False plusOne = False
@ -1642,7 +1598,7 @@ class Enumeration:
if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ): if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
query = rootQuery.blind.query % (column, conf.db, query = rootQuery.blind.query % (column, conf.db,
conf.tbl, index) conf.tbl, index)
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): elif Backend.isDbms(DBMS.ORACLE):
query = rootQuery.blind.query % (column, column, query = rootQuery.blind.query % (column, column,
conf.tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), conf.tbl.upper())), conf.tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), conf.tbl.upper())),
index) index)
@ -1818,9 +1774,6 @@ class Enumeration:
for db in dbList: for db in dbList:
db = safeSQLIdentificatorNaming(db) db = safeSQLIdentificatorNaming(db)
if Backend.isDbms(DBMS.DB2):
db = db.upper()
infoMsg = "searching database" infoMsg = "searching database"
if dbConsider == "1": if dbConsider == "1":
infoMsg += "s like" infoMsg += "s like"
@ -1886,8 +1839,6 @@ class Enumeration:
query = rootQuery.blind.query query = rootQuery.blind.query
query += dbQuery query += dbQuery
query += exclDbsQuery query += exclDbsQuery
if Backend.isDbms(DBMS.DB2):
query += ") AS foobar"
query = agent.limitQuery(index, query, dbCond) query = agent.limitQuery(index, query, dbCond)
value = inject.getValue(query, inband=False, error=False) value = inject.getValue(query, inband=False, error=False)
@ -1933,7 +1884,7 @@ class Enumeration:
for tbl in tblList: for tbl in tblList:
tbl = safeSQLIdentificatorNaming(tbl, True) tbl = safeSQLIdentificatorNaming(tbl, True)
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): if Backend.isDbms(DBMS.ORACLE):
tbl = tbl.upper() tbl = tbl.upper()
infoMsg = "searching table" infoMsg = "searching table"
@ -2000,8 +1951,6 @@ class Enumeration:
query = rootQuery.blind.query query = rootQuery.blind.query
query += tblQuery query += tblQuery
query += exclDbsQuery query += exclDbsQuery
if Backend.getIdentifiedDbms() == DBMS.DB2:
query += ") AS foobar"
query = agent.limitQuery(index, query) query = agent.limitQuery(index, query)
foundDb = inject.getValue(query, inband=False, error=False) foundDb = inject.getValue(query, inband=False, error=False)
foundDb = safeSQLIdentificatorNaming(foundDb) foundDb = safeSQLIdentificatorNaming(foundDb)
@ -2099,9 +2048,6 @@ class Enumeration:
for column in colList: for column in colList:
column = safeSQLIdentificatorNaming(column) column = safeSQLIdentificatorNaming(column)
if Backend.isDbms(DBMS.DB2):
column = column.upper()
infoMsg = "searching column" infoMsg = "searching column"
if colConsider == "1": if colConsider == "1":
infoMsg += "s like" infoMsg += "s like"
@ -2186,8 +2132,6 @@ class Enumeration:
query = rootQuery.blind.query query = rootQuery.blind.query
query += colQuery query += colQuery
query += exclDbsQuery query += exclDbsQuery
if Backend.isDbms(DBMS.DB2):
query += ") AS foobar"
query = agent.limitQuery(index, query) query = agent.limitQuery(index, query)
db = inject.getValue(query, inband=False, error=False) db = inject.getValue(query, inband=False, error=False)
db = safeSQLIdentificatorNaming(db) db = safeSQLIdentificatorNaming(db)
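Review bot: In the search-tables hunk (`@ -1933`), `tbl = safeSQLIdentificatorNaming(tbl, True)` is followed by `tbl = tbl.upper()` for Oracle, so a name that was just double-quoted because it contains non-word characters has its quoted contents uppercased too; Oracle treats quoted identifiers as case-sensitive, so a deliberately mixed-case quoted name can no longer match. Uppercasing before quoting, or skipping the upper once the name is quoted, `if Backend.isDbms(DBMS.ORACLE) and not tbl.startswith('"'): tbl = tbl.upper()`, keeps the quoted form intact. The database-search (`@ -1818`) and column-search (`@ -2099`) hunks end up with no Oracle uppercasing at all on the new side, so the three search paths now treat Oracle case differently; if that is deliberate a one-line comment on each would help. All of these Enumeration methods start and end outside their hunks.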


@ -540,71 +540,4 @@
<blind/> <blind/>
</search_column> </search_column>
</dbms> </dbms>
<!-- IBM DB2 -->
<dbms value="IBM DB2">
<cast query="RTRIM(CAST(%s AS CHAR(254)))"/>
<length query="LENGTH(RTRIM(CAST(%s AS CHAR(254))))"/>
<isnull query="COALESCE(%s,' ')"/>
<delimiter query="||"/>
<limit query="ROW_NUMBER() OVER () AS LIMIT %s) AS foobar WHERE LIMIT"/>
<limitregexp query="ROW_NUMBER\(\)\s+OVER\s+\(\)\s+AS\s+.+?\s+FROM\s+.+?\)\s+WHERE\s+.+?\s*=\s*[\d]+"/>
<limitgroupstart/>
<limitgroupstop/>
<limitstring/>
<order query="ORDER BY %s ASC"/>
<count query="COUNT(%s)"/>
<comment query="--"/>
<!-- todo: timedelay -->
<timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d.00)"/>
<substring query="SUBSTR((%s),%d,%d)"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM sysibm.sysdummy1"/>
<!-- ASCII() not supported in all versions -->
<inference query="ASCII(SUBSTR((%s),%d,1)) > %d"/>
<!-- we have to use the complicated UDB OLAP functions in query2 because sqlmap injects isnull query inside MAX function, else we'd use: SELECT MAX(versionnumber) FROM sysibm.sysversions -->
<banner query="SELECT service_level FROM TABLE (sysproc.env_get_inst_info())" query2="SELECT versionnumber FROM (SELECT ROW_NUMBER() OVER (ORDER BY versionnumber DESC) AS LIMIT, versionnumber FROM sysibm.sysversions) AS foobar WHERE LIMIT=1"/>
<current_user query="SELECT user FROM sysibm.sysdummy1"/>
<current_db query="SELECT current server FROM sysibm.sysdummy1"/>
<is_dba query="(SELECT dbadmauth FROM syscat.dbauth WHERE grantee=current user)='Y'"/>
<users>
<inband query="SELECT DISTINCT(grantee) FROM sysibm.sysdbauth"/>
<blind query="SELECT grantee FROM (SELECT ROW_NUMBER() OVER () AS LIMIT, grantee FROM sysibm.sysdbauth WHERE grantee!='SYSTEM' AND grantee!='PUBLIC') AS foobar WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(grantee)) FROM sysibm.sysdbauth WHERE grantee!='SYSTEM' AND grantee!='PUBLIC'"/>
</users>
<!-- On DB2 it is not possible to list password hashes, since they are handled by the OS -->
<passwords/>
<privileges>
<inband query="SELECT grantee,privilege FROM dba_sys_privs" query2="SELECT username,privilege FROM user_sys_privs" condition="grantee" condition2="username"/>
<blind query="SELECT tabschema||'.'||tabname||CHR(44)||controlauth||alterauth||deleteauth||indexauth||insertauth||refauth||selectauth||updateauth FROM (SELECT ROW_NUMBER() OVER () AS LIMIT, syscat.tabauth.* FROM syscat.tabauth WHERE grantee='%s') AS foobar WHERE LIMIT=%d" count="SELECT COUNT(*) FROM syscat.tabauth WHERE grantee='%s'"/>
</privileges>
<roles/>
<!-- NOTE: in DB2 schema names are the counterpart to database names on other DBMSes -->
<dbs>
<inband query="SELECT schemaname FROM syscat.schemata"/>
<blind query="SELECT schemaname FROM (SELECT ROW_NUMBER() OVER () AS LIMIT, schemaname FROM syscat.schemata) AS foobar WHERE LIMIT=%d" count="SELECT COUNT(schemaname) FROM syscat.schemata"/>
</dbs>
<tables>
<inband query="SELECT tabname FROM sysstat.tables" condition="tabschema"/>
<blind query="SELECT tabname FROM (SELECT ROW_NUMBER() OVER () AS LIMIT, tabname FROM sysstat.tables WHERE tabschema='%s') AS foobar WHERE LIMIT=INT('%d')" count="SELECT COUNT(*) FROM sysstat.tables WHERE tabschema='%s'"/>
</tables>
<columns>
<inband query="SELECT name FROM sysibm.syscolumns WHERE tbname='%s'" condition="name"/>
<blind query="SELECT name FROM sysibm.syscolumns WHERE tbname='%s'" query2="SELECT RTRIM(coltype)||CHR(40)||RTRIM(CAST(length AS CHAR(254)))||CHR(41) FROM sysibm.syscolumns WHERE tbname='%s' AND name='%s'" count="SELECT COUNT(name) FROM sysibm.syscolumns WHERE tbname='%s'" condition="name"/>
</columns>
<dump_table>
<inband query="SELECT %s FROM %s"/>
<blind query="SELECT %s FROM (SELECT ROW_NUMBER() OVER () AS LIMIT, %s FROM %s) AS foobar WHERE LIMIT=%d" count="SELECT COUNT(*) FROM %s"/>
</dump_table>
<search_db>
<inband query="SELECT schemaname FROM syscat.schemata WHERE " query2="" condition="schemaname" condition2=""/>
<blind query="SELECT schemaname FROM (SELECT DISTINCT(schemaname) FROM syscat.schemata WHERE " query2="" count="SELECT COUNT(DISTINCT(schemaname)) FROM syscat.schemata WHERE " count2="" condition="schemaname" condition2=""/>
</search_db>
<search_table>
<inband query="SELECT tabschema, tabname FROM sysstat.tables WHERE " condition="tabname" condition2="tabschema"/>
<blind query="SELECT tabschema FROM (SELECT DISTINCT(tabschema) FROM sysstat.tables WHERE " query2="SELECT DISTINCT(tabname) FROM sysstat.tables WHERE tabschema='%s'" count="SELECT COUNT(DISTINCT(tabschema)) FROM sysstat.tables WHERE " count2="SELECT COUNT(tabname) FROM sysstat.tables WHERE tabschema='%s'" condition="tabname" condition2="tabschema"/>
</search_table>
<search_column>
<inband query="SELECT tabschema, tabname FROM sysstat.columns WHERE " condition="colname" condition2="tabschema"/>
<blind query="SELECT tabschema FROM (SELECT DISTINCT(tabschema) FROM sysstat.columns WHERE " query2="SELECT DISTINCT(tabname) FROM sysstat.columns WHERE tabschema='%s'" count="SELECT COUNT(DISTINCT(tabschema)) FROM sysstat.columns WHERE " count2="SELECT COUNT(DISTINCT(tabname)) FROM sysstat.columns WHERE tabschema='%s'" condition="colname" condition2="tabschema"/>
</search_column>
</dbms>
</root> </root>