refactoring, cleanup and improvement

This commit is contained in:
Miroslav Stampar 2011-03-29 21:54:15 +00:00
parent adfbfef8c1
commit b6af80bab3
7 changed files with 135 additions and 134 deletions


@ -2444,3 +2444,37 @@ def normalizeUnicode(value):
if isinstance(value, unicode): if isinstance(value, unicode):
retVal = unicodedata.normalize('NFKD', value).encode('ascii','ignore') retVal = unicodedata.normalize('NFKD', value).encode('ascii','ignore')
return retVal return retVal
def safeSQLIdentificatorNaming(name, isTable=False):
"""
Returns a safe representation of SQL identificator name
"""
retVal = name
if isinstance(name, basestring):
if isTable and Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and '.' not in name:
name = "%s.%s" % (DEFAULT_MSSQL_SCHEMA, name)
parts = name.split('.')
for i in range(len(parts)):
if not re.match(r"\A[A-Za-z0-9_]+\Z", parts[i]):
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS):
parts[i] = "`%s`" % parts[i].strip("`")
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.ORACLE, DBMS.PGSQL):
parts[i] = "\"%s\"" % parts[i].strip("\"")
retVal = ".".join(parts)
return retVal
def unsafeSQLIdentificatorNaming(name):
"""
Extracts identificator's name from it's safe SQL representation
"""
retVal = name
if isinstance(name, basestring):
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS):
retVal = name.replace("`", "")
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.ORACLE, DBMS.PGSQL):
retVal = name.replace("\"", "")
if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
retVal = retVal.lstrip("%s." % DEFAULT_MSSQL_SCHEMA)
return retVal
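Review bot: `retVal.lstrip("%s." % DEFAULT_MSSQL_SCHEMA)` in unsafeSQLIdentificatorNaming does not strip a prefix — `str.lstrip` treats its argument as a set of characters, so any identifier that merely begins with one of the schema-name characters or a `.` is truncated, and the queries built from the result later in the commit then name the wrong object. Replace it with a real prefix check: `prefix = "%s." % DEFAULT_MSSQL_SCHEMA` / `if retVal.startswith(prefix):` / `retVal = retVal[len(prefix):]`. In safeSQLIdentificatorNaming the `isTable` branch prepends the schema for both MSSQL and SYBASE, but the quoting chain below only lists MSSQL, so a SYBASE part that fails the `[A-Za-z0-9_]+` match is left unquoted; a part that contains an embedded backtick or double quote is also wrapped but never escaped, which yields a malformed identifier. Both functions are lifted unchanged from the private Enumeration methods this commit removes, so the behaviour is pre-existing but is now shared by every caller.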


@ -1307,6 +1307,7 @@ def __useWizardInterface():
map(lambda x: conf.__setitem__(x, True), ['getBanner', 'getCurrentUser', 'getCurrentDb', 'isDba']) map(lambda x: conf.__setitem__(x, True), ['getBanner', 'getCurrentUser', 'getCurrentDb', 'isDba'])
conf.batch = True conf.batch = True
conf.threads = 4
print print
def __saveCmdline(): def __saveCmdline():


@ -22,6 +22,7 @@ from lib.core.common import pushValue
from lib.core.common import randomInt from lib.core.common import randomInt
from lib.core.common import readInput from lib.core.common import readInput
from lib.core.common import safeStringFormat from lib.core.common import safeStringFormat
from lib.core.common import safeSQLIdentificatorNaming
from lib.core.data import conf from lib.core.data import conf
from lib.core.data import kb from lib.core.data import kb
from lib.core.data import logger from lib.core.data import logger
@ -60,7 +61,7 @@ def tableExists(tableFile, regex=None):
def tableExistsThread(): def tableExistsThread():
while count[0] < length and kb.threadContinue: while count[0] < length and kb.threadContinue:
tbllock.acquire() tbllock.acquire()
table = tables[count[0]] table = safeSQLIdentificatorNaming(tables[count[0]])
count[0] += 1 count[0] += 1
tbllock.release() tbllock.release()
@ -165,6 +166,7 @@ def columnExists(columnFile, regex=None):
table = "%s%s%s" % (conf.db, '..' if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) else '.', conf.tbl) table = "%s%s%s" % (conf.db, '..' if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) else '.', conf.tbl)
else: else:
table = conf.tbl table = conf.tbl
table = safeSQLIdentificatorNaming(table)
retVal = [] retVal = []
infoMsg = "checking column existence using items from '%s'" % columnFile infoMsg = "checking column existence using items from '%s'" % columnFile
@ -180,7 +182,7 @@ def columnExists(columnFile, regex=None):
def columnExistsThread(): def columnExistsThread():
while count[0] < length and kb.threadContinue: while count[0] < length and kb.threadContinue:
collock.acquire() collock.acquire()
column = columns[count[0]] column = safeSQLIdentificatorNaming(columns[count[0]])
count[0] += 1 count[0] += 1
collock.release() collock.release()
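Review bot: The `table = safeSQLIdentificatorNaming(table)` added after the else branch in columnExists quotes the already-joined name, and for MSSQL the `db..tbl` form built two lines above splits on `.` into an empty middle part, which fails the `[A-Za-z0-9_]+` match and comes back as `""`, turning the name into `db."".tbl`. Quote the components before joining instead: `table = "%s%s%s" % (safeSQLIdentificatorNaming(conf.db), '..' if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) else '.', safeSQLIdentificatorNaming(conf.tbl))` in the if branch, `table = safeSQLIdentificatorNaming(conf.tbl)` in the else branch, and drop the added line. In tableExistsThread and columnExistsThread the new call now runs inside the tbllock/collock critical section; applying it after `release()` keeps the lock held only for the index read and increment. columnExists's body starts before the hunk and continues after it.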


@ -13,6 +13,8 @@ from lib.core.common import Backend
from lib.core.common import getRange from lib.core.common import getRange
from lib.core.common import isNumPosStrValue from lib.core.common import isNumPosStrValue
from lib.core.common import isTechniqueAvailable from lib.core.common import isTechniqueAvailable
from lib.core.common import safeSQLIdentificatorNaming
from lib.core.common import unsafeSQLIdentificatorNaming
from lib.core.data import conf from lib.core.data import conf
from lib.core.data import kb from lib.core.data import kb
from lib.core.data import logger from lib.core.data import logger
@ -78,7 +80,7 @@ class Enumeration(GenericEnumeration):
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct: if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct:
for db in dbs: for db in dbs:
db = self.__safeSQLIdentificatorNaming(db) db = safeSQLIdentificatorNaming(db)
if conf.excludeSysDbs and db in self.excludeDbsList: if conf.excludeSysDbs and db in self.excludeDbsList:
infoMsg = "skipping system database '%s'" % db infoMsg = "skipping system database '%s'" % db
@ -94,7 +96,7 @@ class Enumeration(GenericEnumeration):
if not kb.data.cachedTables and not conf.direct: if not kb.data.cachedTables and not conf.direct:
for db in dbs: for db in dbs:
db = self.__safeSQLIdentificatorNaming(db) db = safeSQLIdentificatorNaming(db)
if conf.excludeSysDbs and db in self.excludeDbsList: if conf.excludeSysDbs and db in self.excludeDbsList:
infoMsg = "skipping system database '%s'" % db infoMsg = "skipping system database '%s'" % db
@ -154,23 +156,23 @@ class Enumeration(GenericEnumeration):
if isinstance(db, list): if isinstance(db, list):
db = db[0] db = db[0]
db = self.__safeSQLIdentificatorNaming(db) db = safeSQLIdentificatorNaming(db)
foundTbls[db] = [] foundTbls[db] = []
for tbl in tblList: for tbl in tblList:
tbl = self.__safeSQLIdentificatorNaming(tbl, True) tbl = safeSQLIdentificatorNaming(tbl, True)
infoMsg = "searching table" infoMsg = "searching table"
if tblConsider == "1": if tblConsider == "1":
infoMsg += "s like" infoMsg += "s like"
infoMsg += " '%s'" % self.__unsafeSQLIdentificatorNaming(tbl) infoMsg += " '%s'" % unsafeSQLIdentificatorNaming(tbl)
logger.info(infoMsg) logger.info(infoMsg)
tblQuery = "%s%s" % (tblCond, tblCondParam) tblQuery = "%s%s" % (tblCond, tblCondParam)
tblQuery = tblQuery % self.__unsafeSQLIdentificatorNaming(tbl) tblQuery = tblQuery % unsafeSQLIdentificatorNaming(tbl)
for db in foundTbls.keys(): for db in foundTbls.keys():
db = self.__safeSQLIdentificatorNaming(db) db = safeSQLIdentificatorNaming(db)
if conf.excludeSysDbs and db in self.excludeDbsList: if conf.excludeSysDbs and db in self.excludeDbsList:
infoMsg = "skipping system database '%s'" % db infoMsg = "skipping system database '%s'" % db
@ -196,7 +198,7 @@ class Enumeration(GenericEnumeration):
infoMsg = "fetching number of table" infoMsg = "fetching number of table"
if tblConsider == "1": if tblConsider == "1":
infoMsg += "s like" infoMsg += "s like"
infoMsg += " '%s' in database '%s'" % (self.__unsafeSQLIdentificatorNaming(tbl), self.__unsafeSQLIdentificatorNaming(db)) infoMsg += " '%s' in database '%s'" % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(db))
logger.info(infoMsg) logger.info(infoMsg)
query = rootQuery.blind.count2 query = rootQuery.blind.count2
@ -208,8 +210,8 @@ class Enumeration(GenericEnumeration):
warnMsg = "no table" warnMsg = "no table"
if tblConsider == "1": if tblConsider == "1":
warnMsg += "s like" warnMsg += "s like"
warnMsg += " '%s' " % self.__unsafeSQLIdentificatorNaming(tbl) warnMsg += " '%s' " % unsafeSQLIdentificatorNaming(tbl)
warnMsg += "in database '%s'" % self.__unsafeSQLIdentificatorNaming(db) warnMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(db)
logger.warn(warnMsg) logger.warn(warnMsg)
continue continue
@ -245,25 +247,25 @@ class Enumeration(GenericEnumeration):
enumDbs = kb.data.cachedDbs enumDbs = kb.data.cachedDbs
for db in enumDbs: for db in enumDbs:
db = self.__safeSQLIdentificatorNaming(db) db = safeSQLIdentificatorNaming(db)
dbs[db] = {} dbs[db] = {}
for column in colList: for column in colList:
column = self.__safeSQLIdentificatorNaming(column) column = safeSQLIdentificatorNaming(column)
infoMsg = "searching column" infoMsg = "searching column"
if colConsider == "1": if colConsider == "1":
infoMsg += "s like" infoMsg += "s like"
infoMsg += " '%s'" % self.__unsafeSQLIdentificatorNaming(column) infoMsg += " '%s'" % unsafeSQLIdentificatorNaming(column)
logger.info(infoMsg) logger.info(infoMsg)
foundCols[column] = {} foundCols[column] = {}
colQuery = "%s%s" % (colCond, colCondParam) colQuery = "%s%s" % (colCond, colCondParam)
colQuery = colQuery % self.__unsafeSQLIdentificatorNaming(column) colQuery = colQuery % unsafeSQLIdentificatorNaming(column)
for db in dbs.keys(): for db in dbs.keys():
db = self.__safeSQLIdentificatorNaming(db) db = safeSQLIdentificatorNaming(db)
if conf.excludeSysDbs and db in self.excludeDbsList: if conf.excludeSysDbs and db in self.excludeDbsList:
infoMsg = "skipping system database '%s'" % db infoMsg = "skipping system database '%s'" % db
@ -281,7 +283,7 @@ class Enumeration(GenericEnumeration):
values = [ values ] values = [ values ]
for foundTbl in values: for foundTbl in values:
foundTbl = self.__safeSQLIdentificatorNaming(foundTbl, True) foundTbl = safeSQLIdentificatorNaming(foundTbl, True)
if foundTbl is None: if foundTbl is None:
continue continue
@ -339,7 +341,7 @@ class Enumeration(GenericEnumeration):
tbl = inject.getValue(query, inband=False, error=False) tbl = inject.getValue(query, inband=False, error=False)
kb.hintValue = tbl kb.hintValue = tbl
tbl = self.__safeSQLIdentificatorNaming(tbl, True) tbl = safeSQLIdentificatorNaming(tbl, True)
if tbl not in dbs[db]: if tbl not in dbs[db]:
dbs[db][tbl] = {} dbs[db][tbl] = {}


@ -12,6 +12,8 @@ from lib.core.common import Backend
from lib.core.common import getRange from lib.core.common import getRange
from lib.core.common import isNumPosStrValue from lib.core.common import isNumPosStrValue
from lib.core.common import isTechniqueAvailable from lib.core.common import isTechniqueAvailable
from lib.core.common import safeSQLIdentificatorNaming
from lib.core.common import unsafeSQLIdentificatorNaming
from lib.core.data import conf from lib.core.data import conf
from lib.core.data import kb from lib.core.data import kb
from lib.core.data import logger from lib.core.data import logger
@ -181,21 +183,21 @@ class Enumeration(GenericEnumeration):
colConsider, colCondParam = self.likeOrExact("column") colConsider, colCondParam = self.likeOrExact("column")
for column in colList: for column in colList:
column = self.__safeSQLIdentificatorNaming(column) column = safeSQLIdentificatorNaming(column)
infoMsg = "searching column" infoMsg = "searching column"
if colConsider == "1": if colConsider == "1":
infoMsg += "s like" infoMsg += "s like"
infoMsg += " '%s'" % self.__unsafeSQLIdentificatorNaming(column) infoMsg += " '%s'" % unsafeSQLIdentificatorNaming(column)
logger.info(infoMsg) logger.info(infoMsg)
foundCols[column] = {} foundCols[column] = {}
colQuery = "%s%s" % (colCond, colCondParam) colQuery = "%s%s" % (colCond, colCondParam)
colQuery = colQuery % self.__unsafeSQLIdentificatorNaming(column) colQuery = colQuery % unsafeSQLIdentificatorNaming(column)
for db in dbs.keys(): for db in dbs.keys():
db = self.__safeSQLIdentificatorNaming(db) db = safeSQLIdentificatorNaming(db)
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct: if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct:
query = rootQuery.inband.query query = rootQuery.inband.query
@ -207,7 +209,7 @@ class Enumeration(GenericEnumeration):
values = [ values ] values = [ values ]
for foundTbl in values: for foundTbl in values:
foundTbl = self.__safeSQLIdentificatorNaming(foundTbl, True) foundTbl = safeSQLIdentificatorNaming(foundTbl, True)
if foundTbl is None: if foundTbl is None:
continue continue
@ -263,7 +265,7 @@ class Enumeration(GenericEnumeration):
tbl = inject.getValue(query, inband=False, error=False) tbl = inject.getValue(query, inband=False, error=False)
kb.hintValue = tbl kb.hintValue = tbl
tbl = self.__safeSQLIdentificatorNaming(tbl, True) tbl = safeSQLIdentificatorNaming(tbl, True)
if tbl not in dbs[db]: if tbl not in dbs[db]:
dbs[db][tbl] = {} dbs[db][tbl] = {}


@ -29,8 +29,10 @@ from lib.core.common import pushValue
from lib.core.common import randomStr from lib.core.common import randomStr
from lib.core.common import readInput from lib.core.common import readInput
from lib.core.common import safeStringFormat from lib.core.common import safeStringFormat
from lib.core.common import safeSQLIdentificatorNaming
from lib.core.common import strToHex from lib.core.common import strToHex
from lib.core.common import unArrayizeValue from lib.core.common import unArrayizeValue
from lib.core.common import unsafeSQLIdentificatorNaming
from lib.core.convert import utf8decode from lib.core.convert import utf8decode
from lib.core.data import conf from lib.core.data import conf
from lib.core.data import kb from lib.core.data import kb
@ -750,7 +752,7 @@ class Enumeration:
else: else:
return tables return tables
conf.db = self.__safeSQLIdentificatorNaming(conf.db) conf.db = safeSQLIdentificatorNaming(conf.db)
if bruteForce: if bruteForce:
resumeAvailable = False resumeAvailable = False
@ -807,12 +809,12 @@ class Enumeration:
if "," in conf.db: if "," in conf.db:
dbs = conf.db.split(",") dbs = conf.db.split(",")
query += " WHERE " query += " WHERE "
query += " OR ".join("%s = '%s'" % (condition, self.__unsafeSQLIdentificatorNaming(db)) for db in dbs) query += " OR ".join("%s = '%s'" % (condition, unsafeSQLIdentificatorNaming(db)) for db in dbs)
else: else:
query += " WHERE %s='%s'" % (condition, self.__unsafeSQLIdentificatorNaming(conf.db)) query += " WHERE %s='%s'" % (condition, unsafeSQLIdentificatorNaming(conf.db))
elif conf.excludeSysDbs: elif conf.excludeSysDbs:
query += " WHERE " query += " WHERE "
query += " AND ".join("%s != '%s'" % (condition, self.__unsafeSQLIdentificatorNaming(db)) for db in self.excludeDbsList) query += " AND ".join("%s != '%s'" % (condition, unsafeSQLIdentificatorNaming(db)) for db in self.excludeDbsList)
infoMsg = "skipping system databases '%s'" % ", ".join(db for db in self.excludeDbsList) infoMsg = "skipping system databases '%s'" % ", ".join(db for db in self.excludeDbsList)
logger.info(infoMsg) logger.info(infoMsg)
@ -835,8 +837,8 @@ class Enumeration:
value = newValue value = newValue
for db, table in value: for db, table in value:
db = self.__safeSQLIdentificatorNaming(db) db = safeSQLIdentificatorNaming(db)
table = self.__safeSQLIdentificatorNaming(table, True) table = safeSQLIdentificatorNaming(table, True)
if not kb.data.cachedTables.has_key(db): if not kb.data.cachedTables.has_key(db):
kb.data.cachedTables[db] = [table] kb.data.cachedTables[db] = [table]
else: else:
@ -857,7 +859,7 @@ class Enumeration:
if Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.FIREBIRD, DBMS.MAXDB, DBMS.ACCESS): if Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.FIREBIRD, DBMS.MAXDB, DBMS.ACCESS):
query = rootQuery.blind.count query = rootQuery.blind.count
else: else:
query = rootQuery.blind.count % self.__unsafeSQLIdentificatorNaming(db) query = rootQuery.blind.count % unsafeSQLIdentificatorNaming(db)
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=2) count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=2)
if not isNumPosStrValue(count): if not isNumPosStrValue(count):
@ -882,10 +884,10 @@ class Enumeration:
elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.FIREBIRD): elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.FIREBIRD):
query = rootQuery.blind.query % index query = rootQuery.blind.query % index
else: else:
query = rootQuery.blind.query % (self.__unsafeSQLIdentificatorNaming(db), index) query = rootQuery.blind.query % (unsafeSQLIdentificatorNaming(db), index)
table = inject.getValue(query, inband=False, error=False) table = inject.getValue(query, inband=False, error=False)
kb.hintValue = table kb.hintValue = table
table = self.__safeSQLIdentificatorNaming(table, True) table = safeSQLIdentificatorNaming(table, True)
tables.append(table) tables.append(table)
if tables: if tables:
@ -934,8 +936,8 @@ class Enumeration:
logger.error(errMsg) logger.error(errMsg)
bruteForce = True bruteForce = True
conf.tbl = self.__safeSQLIdentificatorNaming(conf.tbl, True) conf.tbl = safeSQLIdentificatorNaming(conf.tbl, True)
conf.db = self.__safeSQLIdentificatorNaming(conf.db) conf.db = safeSQLIdentificatorNaming(conf.db)
if bruteForce: if bruteForce:
resumeAvailable = False resumeAvailable = False
@ -974,8 +976,8 @@ class Enumeration:
if Backend.getIdentifiedDbms() == DBMS.ORACLE: if Backend.getIdentifiedDbms() == DBMS.ORACLE:
conf.col = conf.col.upper() conf.col = conf.col.upper()
colList = conf.col.split(",") colList = conf.col.split(",")
condQuery = " AND (" + " OR ".join("%s LIKE '%s'" % (condition, "%" + self.__unsafeSQLIdentificatorNaming(col) + "%") for col in colList) + ")" condQuery = " AND (" + " OR ".join("%s LIKE '%s'" % (condition, "%" + unsafeSQLIdentificatorNaming(col) + "%") for col in colList) + ")"
infoMsg += "like '%s' " % ", ".join(self.__unsafeSQLIdentificatorNaming(col) for col in colList) infoMsg += "like '%s' " % ", ".join(unsafeSQLIdentificatorNaming(col) for col in colList)
else: else:
condQuery = "" condQuery = ""
@ -985,16 +987,16 @@ class Enumeration:
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct: if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct:
if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ): if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
query = rootQuery.inband.query % (self.__unsafeSQLIdentificatorNaming(conf.tbl), self.__unsafeSQLIdentificatorNaming(conf.db)) query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(conf.tbl), unsafeSQLIdentificatorNaming(conf.db))
query += condQuery query += condQuery
elif Backend.getIdentifiedDbms() == DBMS.ORACLE: elif Backend.getIdentifiedDbms() == DBMS.ORACLE:
query = rootQuery.inband.query % self.__unsafeSQLIdentificatorNaming(conf.tbl.upper()) query = rootQuery.inband.query % unsafeSQLIdentificatorNaming(conf.tbl.upper())
query += condQuery query += condQuery
elif Backend.getIdentifiedDbms() == DBMS.MSSQL: elif Backend.getIdentifiedDbms() == DBMS.MSSQL:
query = rootQuery.inband.query % (conf.db, conf.db, query = rootQuery.inband.query % (conf.db, conf.db,
conf.db, conf.db, conf.db, conf.db,
conf.db, conf.db, conf.db, conf.db,
conf.db, self.__unsafeSQLIdentificatorNaming(conf.tbl)) conf.db, unsafeSQLIdentificatorNaming(conf.tbl))
query += condQuery.replace("[DB]", conf.db) query += condQuery.replace("[DB]", conf.db)
elif Backend.getIdentifiedDbms() == DBMS.SQLITE: elif Backend.getIdentifiedDbms() == DBMS.SQLITE:
query = rootQuery.inband.query % conf.tbl query = rootQuery.inband.query % conf.tbl
@ -1008,7 +1010,7 @@ class Enumeration:
columns = {} columns = {}
for columnData in value: for columnData in value:
name = self.__safeSQLIdentificatorNaming(columnData[0]) name = safeSQLIdentificatorNaming(columnData[0])
if len(columnData) == 1: if len(columnData) == 1:
columns[name] = "" columns[name] = ""
@ -1025,16 +1027,16 @@ class Enumeration:
logger.info(infoMsg) logger.info(infoMsg)
if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ): if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
query = rootQuery.blind.count % (self.__unsafeSQLIdentificatorNaming(conf.tbl), self.__unsafeSQLIdentificatorNaming(conf.db)) query = rootQuery.blind.count % (unsafeSQLIdentificatorNaming(conf.tbl), unsafeSQLIdentificatorNaming(conf.db))
query += condQuery query += condQuery
elif Backend.getIdentifiedDbms() == DBMS.ORACLE: elif Backend.getIdentifiedDbms() == DBMS.ORACLE:
query = rootQuery.blind.count % self.__unsafeSQLIdentificatorNaming(conf.tbl.upper()) query = rootQuery.blind.count % unsafeSQLIdentificatorNaming(conf.tbl.upper())
query += condQuery query += condQuery
elif Backend.getIdentifiedDbms() in DBMS.MSSQL: elif Backend.getIdentifiedDbms() in DBMS.MSSQL:
query = rootQuery.blind.count % (conf.db, conf.db, \ query = rootQuery.blind.count % (conf.db, conf.db, \
self.__unsafeSQLIdentificatorNaming(conf.tbl)) unsafeSQLIdentificatorNaming(conf.tbl))
query += condQuery.replace("[DB]", conf.db) query += condQuery.replace("[DB]", conf.db)
elif Backend.getIdentifiedDbms() == DBMS.FIREBIRD: elif Backend.getIdentifiedDbms() == DBMS.FIREBIRD:
@ -1062,18 +1064,18 @@ class Enumeration:
for index in indexRange: for index in indexRange:
if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ): if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
query = rootQuery.blind.query % (self.__unsafeSQLIdentificatorNaming(conf.tbl), self.__unsafeSQLIdentificatorNaming(conf.db)) query = rootQuery.blind.query % (unsafeSQLIdentificatorNaming(conf.tbl), unsafeSQLIdentificatorNaming(conf.db))
query += condQuery query += condQuery
field = None field = None
elif Backend.getIdentifiedDbms() == DBMS.ORACLE: elif Backend.getIdentifiedDbms() == DBMS.ORACLE:
query = rootQuery.blind.query % self.__unsafeSQLIdentificatorNaming(conf.tbl.upper()) query = rootQuery.blind.query % unsafeSQLIdentificatorNaming(conf.tbl.upper())
query += condQuery query += condQuery
field = None field = None
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE): elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
query = rootQuery.blind.query % (conf.db, conf.db, query = rootQuery.blind.query % (conf.db, conf.db,
conf.db, conf.db, conf.db, conf.db,
conf.db, conf.db, conf.db, conf.db,
self.__unsafeSQLIdentificatorNaming(conf.tbl)) unsafeSQLIdentificatorNaming(conf.tbl))
query += condQuery.replace("[DB]", conf.db) query += condQuery.replace("[DB]", conf.db)
field = condition.replace("[DB]", conf.db) field = condition.replace("[DB]", conf.db)
elif Backend.getIdentifiedDbms() == DBMS.FIREBIRD: elif Backend.getIdentifiedDbms() == DBMS.FIREBIRD:
@ -1086,13 +1088,13 @@ class Enumeration:
if not onlyColNames: if not onlyColNames:
if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ): if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
query = rootQuery.blind.query2 % (self.__unsafeSQLIdentificatorNaming(conf.tbl), column, self.__unsafeSQLIdentificatorNaming(conf.db)) query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(conf.tbl), column, unsafeSQLIdentificatorNaming(conf.db))
elif Backend.getIdentifiedDbms() == DBMS.ORACLE: elif Backend.getIdentifiedDbms() == DBMS.ORACLE:
query = rootQuery.blind.query2 % (self.__unsafeSQLIdentificatorNaming(conf.tbl.upper()), column) query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(conf.tbl.upper()), column)
elif Backend.getIdentifiedDbms() == DBMS.MSSQL: elif Backend.getIdentifiedDbms() == DBMS.MSSQL:
query = rootQuery.blind.query2 % (conf.db, conf.db, conf.db, query = rootQuery.blind.query2 % (conf.db, conf.db, conf.db,
conf.db, column, conf.db, conf.db, column, conf.db,
conf.db, conf.db, self.__unsafeSQLIdentificatorNaming(conf.tbl)) conf.db, conf.db, unsafeSQLIdentificatorNaming(conf.tbl))
elif Backend.getIdentifiedDbms() == DBMS.FIREBIRD: elif Backend.getIdentifiedDbms() == DBMS.FIREBIRD:
query = rootQuery.blind.query2 % (conf.tbl, column) query = rootQuery.blind.query2 % (conf.tbl, column)
@ -1101,10 +1103,10 @@ class Enumeration:
if Backend.getIdentifiedDbms() == DBMS.FIREBIRD: if Backend.getIdentifiedDbms() == DBMS.FIREBIRD:
colType = firebirdTypes[colType] if colType in firebirdTypes else colType colType = firebirdTypes[colType] if colType in firebirdTypes else colType
column = self.__safeSQLIdentificatorNaming(column) column = safeSQLIdentificatorNaming(column)
columns[column] = colType columns[column] = colType
else: else:
column = self.__safeSQLIdentificatorNaming(column) column = safeSQLIdentificatorNaming(column)
columns[column] = None columns[column] = None
if columns: if columns:
@ -1209,40 +1211,6 @@ class Enumeration:
return entries, lengths return entries, lengths
def __safeSQLIdentificatorNaming(self, value, isTable=False):
"""
Returns a safe representation of SQL identificator name
"""
retVal = value
if isinstance(value, basestring):
if isTable and Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and '.' not in value:
value = "%s.%s" % (DEFAULT_MSSQL_SCHEMA, value)
parts = value.split('.')
for i in range(len(parts)):
if not re.match(r"\A[A-Za-z0-9_]+\Z", parts[i]):
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS):
parts[i] = "`%s`" % parts[i].strip("`")
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.ORACLE, DBMS.PGSQL):
parts[i] = "\"%s\"" % parts[i].strip("\"")
retVal = ".".join(parts)
return retVal
def __unsafeSQLIdentificatorNaming(self, value):
"""
Extracts identificator's name from it's safe SQL representation
"""
retVal = value
if isinstance(value, basestring):
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS):
retVal = value.replace("`", "")
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.ORACLE, DBMS.PGSQL):
retVal = value.replace("\"", "")
if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
retVal = retVal.lstrip("%s." % DEFAULT_MSSQL_SCHEMA)
return retVal
def dumpTable(self): def dumpTable(self):
if not conf.tbl and not conf.col: if not conf.tbl and not conf.col:
errMsg = "missing table parameter" errMsg = "missing table parameter"
@ -1273,8 +1241,8 @@ class Enumeration:
rootQuery = queries[Backend.getIdentifiedDbms()].dump_table rootQuery = queries[Backend.getIdentifiedDbms()].dump_table
conf.tbl = self.__safeSQLIdentificatorNaming(conf.tbl, True) conf.tbl = safeSQLIdentificatorNaming(conf.tbl, True)
conf.db = self.__safeSQLIdentificatorNaming(conf.db) conf.db = safeSQLIdentificatorNaming(conf.db)
if conf.col: if conf.col:
colList = conf.col.split(",") colList = conf.col.split(",")
@ -1605,23 +1573,23 @@ class Enumeration:
dbConsider, dbCondParam = self.likeOrExact("database") dbConsider, dbCondParam = self.likeOrExact("database")
for db in dbList: for db in dbList:
db = self.__safeSQLIdentificatorNaming(db) db = safeSQLIdentificatorNaming(db)
infoMsg = "searching database" infoMsg = "searching database"
if dbConsider == "1": if dbConsider == "1":
infoMsg += "s like" infoMsg += "s like"
infoMsg += " '%s'" % self.__unsafeSQLIdentificatorNaming(db) infoMsg += " '%s'" % unsafeSQLIdentificatorNaming(db)
logger.info(infoMsg) logger.info(infoMsg)
if conf.excludeSysDbs: if conf.excludeSysDbs:
exclDbsQuery = "".join(" AND '%s' != %s" % (self.__unsafeSQLIdentificatorNaming(db), dbCond) for db in self.excludeDbsList) exclDbsQuery = "".join(" AND '%s' != %s" % (unsafeSQLIdentificatorNaming(db), dbCond) for db in self.excludeDbsList)
infoMsg = "skipping system databases '%s'" % ", ".join(db for db in self.excludeDbsList) infoMsg = "skipping system databases '%s'" % ", ".join(db for db in self.excludeDbsList)
logger.info(infoMsg) logger.info(infoMsg)
else: else:
exclDbsQuery = "" exclDbsQuery = ""
dbQuery = "%s%s" % (dbCond, dbCondParam) dbQuery = "%s%s" % (dbCond, dbCondParam)
dbQuery = dbQuery % self.__unsafeSQLIdentificatorNaming(db) dbQuery = dbQuery % unsafeSQLIdentificatorNaming(db)
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct: if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct:
if Backend.getIdentifiedDbms() == DBMS.MYSQL and not kb.data.has_information_schema: if Backend.getIdentifiedDbms() == DBMS.MYSQL and not kb.data.has_information_schema:
@ -1637,13 +1605,13 @@ class Enumeration:
values = [ values ] values = [ values ]
for value in values: for value in values:
value = self.__safeSQLIdentificatorNaming(value) value = safeSQLIdentificatorNaming(value)
foundDbs.append(value) foundDbs.append(value)
else: else:
infoMsg = "fetching number of databases" infoMsg = "fetching number of databases"
if dbConsider == "1": if dbConsider == "1":
infoMsg += "s like" infoMsg += "s like"
infoMsg += " '%s'" % self.__unsafeSQLIdentificatorNaming(db) infoMsg += " '%s'" % unsafeSQLIdentificatorNaming(db)
logger.info(infoMsg) logger.info(infoMsg)
if Backend.getIdentifiedDbms() == DBMS.MYSQL and not kb.data.has_information_schema: if Backend.getIdentifiedDbms() == DBMS.MYSQL and not kb.data.has_information_schema:
@ -1658,7 +1626,7 @@ class Enumeration:
warnMsg = "no database" warnMsg = "no database"
if dbConsider == "1": if dbConsider == "1":
warnMsg += "s like" warnMsg += "s like"
warnMsg += " '%s' found" % self.__unsafeSQLIdentificatorNaming(db) warnMsg += " '%s' found" % unsafeSQLIdentificatorNaming(db)
logger.warn(warnMsg) logger.warn(warnMsg)
continue continue
@ -1675,7 +1643,7 @@ class Enumeration:
query = agent.limitQuery(index, query, dbCond) query = agent.limitQuery(index, query, dbCond)
value = inject.getValue(query, inband=False, error=False) value = inject.getValue(query, inband=False, error=False)
value = self.__safeSQLIdentificatorNaming(value) value = safeSQLIdentificatorNaming(value)
foundDbs.append(value) foundDbs.append(value)
return foundDbs return foundDbs
@ -1715,7 +1683,7 @@ class Enumeration:
tblConsider, tblCondParam = self.likeOrExact("table") tblConsider, tblCondParam = self.likeOrExact("table")
for tbl in tblList: for tbl in tblList:
tbl = self.__safeSQLIdentificatorNaming(tbl, True) tbl = safeSQLIdentificatorNaming(tbl, True)
if Backend.getIdentifiedDbms() == DBMS.ORACLE: if Backend.getIdentifiedDbms() == DBMS.ORACLE:
tbl = tbl.upper() tbl = tbl.upper()
@ -1723,11 +1691,11 @@ class Enumeration:
infoMsg = "searching table" infoMsg = "searching table"
if tblConsider == "1": if tblConsider == "1":
infoMsg += "s like" infoMsg += "s like"
infoMsg += " '%s'" % self.__unsafeSQLIdentificatorNaming(tbl) infoMsg += " '%s'" % unsafeSQLIdentificatorNaming(tbl)
logger.info(infoMsg) logger.info(infoMsg)
if conf.excludeSysDbs: if conf.excludeSysDbs:
exclDbsQuery = "".join(" AND '%s' != %s" % (self.__unsafeSQLIdentificatorNaming(db), dbCond) for db in self.excludeDbsList) exclDbsQuery = "".join(" AND '%s' != %s" % (unsafeSQLIdentificatorNaming(db), dbCond) for db in self.excludeDbsList)
infoMsg = "skipping system databases '%s'" % ", ".join(db for db in self.excludeDbsList) infoMsg = "skipping system databases '%s'" % ", ".join(db for db in self.excludeDbsList)
logger.info(infoMsg) logger.info(infoMsg)
else: else:
@ -1747,8 +1715,8 @@ class Enumeration:
values = [ values ] values = [ values ]
for foundDb, foundTbl in values: for foundDb, foundTbl in values:
foundDb = self.__safeSQLIdentificatorNaming(foundDb) foundDb = safeSQLIdentificatorNaming(foundDb)
foundTbl = self.__safeSQLIdentificatorNaming(foundTbl, True) foundTbl = safeSQLIdentificatorNaming(foundTbl, True)
if foundDb is None or foundTbl is None: if foundDb is None or foundTbl is None:
continue continue
@ -1761,7 +1729,7 @@ class Enumeration:
infoMsg = "fetching number of databases with table" infoMsg = "fetching number of databases with table"
if tblConsider == "1": if tblConsider == "1":
infoMsg += "s like" infoMsg += "s like"
infoMsg += " '%s'" % self.__unsafeSQLIdentificatorNaming(tbl) infoMsg += " '%s'" % unsafeSQLIdentificatorNaming(tbl)
logger.info(infoMsg) logger.info(infoMsg)
query = rootQuery.blind.count query = rootQuery.blind.count
@ -1773,7 +1741,7 @@ class Enumeration:
warnMsg = "no databases have table" warnMsg = "no databases have table"
if tblConsider == "1": if tblConsider == "1":
warnMsg += "s like" warnMsg += "s like"
warnMsg += " '%s'" % self.__unsafeSQLIdentificatorNaming(tbl) warnMsg += " '%s'" % unsafeSQLIdentificatorNaming(tbl)
logger.warn(warnMsg) logger.warn(warnMsg)
continue continue
@ -1786,7 +1754,7 @@ class Enumeration:
query += exclDbsQuery query += exclDbsQuery
query = agent.limitQuery(index, query) query = agent.limitQuery(index, query)
foundDb = inject.getValue(query, inband=False, error=False) foundDb = inject.getValue(query, inband=False, error=False)
foundDb = self.__safeSQLIdentificatorNaming(foundDb) foundDb = safeSQLIdentificatorNaming(foundDb)
if foundDb not in foundTbls: if foundDb not in foundTbls:
foundTbls[foundDb] = [] foundTbls[foundDb] = []
@ -1798,16 +1766,16 @@ class Enumeration:
continue continue
for db in foundTbls.keys(): for db in foundTbls.keys():
db = self.__safeSQLIdentificatorNaming(db) db = safeSQLIdentificatorNaming(db)
infoMsg = "fetching number of table" infoMsg = "fetching number of table"
if tblConsider == "1": if tblConsider == "1":
infoMsg += "s like" infoMsg += "s like"
infoMsg += " '%s' in database '%s'" % (self.__unsafeSQLIdentificatorNaming(tbl), db) infoMsg += " '%s' in database '%s'" % (unsafeSQLIdentificatorNaming(tbl), db)
logger.info(infoMsg) logger.info(infoMsg)
query = rootQuery.blind.count2 query = rootQuery.blind.count2
query = query % self.__unsafeSQLIdentificatorNaming(db) query = query % unsafeSQLIdentificatorNaming(db)
query += " AND %s" % tblQuery query += " AND %s" % tblQuery
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=2) count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=2)
@ -1815,7 +1783,7 @@ class Enumeration:
warnMsg = "no table" warnMsg = "no table"
if tblConsider == "1": if tblConsider == "1":
warnMsg += "s like" warnMsg += "s like"
warnMsg += " '%s' " % self.__unsafeSQLIdentificatorNaming(tbl) warnMsg += " '%s' " % unsafeSQLIdentificatorNaming(tbl)
warnMsg += "in database '%s'" % db warnMsg += "in database '%s'" % db
logger.warn(warnMsg) logger.warn(warnMsg)
@ -1825,12 +1793,12 @@ class Enumeration:
for index in indexRange: for index in indexRange:
query = rootQuery.blind.query2 query = rootQuery.blind.query2
query = query % self.__unsafeSQLIdentificatorNaming(db) query = query % unsafeSQLIdentificatorNaming(db)
query += " AND %s" % tblQuery query += " AND %s" % tblQuery
query = agent.limitQuery(index, query) query = agent.limitQuery(index, query)
foundTbl = inject.getValue(query, inband=False, error=False) foundTbl = inject.getValue(query, inband=False, error=False)
kb.hintValue = foundTbl kb.hintValue = foundTbl
foundTbl = self.__safeSQLIdentificatorNaming(foundTbl, True) foundTbl = safeSQLIdentificatorNaming(foundTbl, True)
foundTbls[db].append(foundTbl) foundTbls[db].append(foundTbl)
return foundTbls return foundTbls
@ -1879,12 +1847,12 @@ class Enumeration:
colConsider, colCondParam = self.likeOrExact("column") colConsider, colCondParam = self.likeOrExact("column")
for column in colList: for column in colList:
column = self.__safeSQLIdentificatorNaming(column) column = safeSQLIdentificatorNaming(column)
infoMsg = "searching column" infoMsg = "searching column"
if colConsider == "1": if colConsider == "1":
infoMsg += "s like" infoMsg += "s like"
infoMsg += " '%s'" % self.__unsafeSQLIdentificatorNaming(column) infoMsg += " '%s'" % unsafeSQLIdentificatorNaming(column)
logger.info(infoMsg) logger.info(infoMsg)
foundCols[column] = {} foundCols[column] = {}
@ -1897,7 +1865,7 @@ class Enumeration:
exclDbsQuery = "" exclDbsQuery = ""
colQuery = "%s%s" % (colCond, colCondParam) colQuery = "%s%s" % (colCond, colCondParam)
colQuery = colQuery % self.__unsafeSQLIdentificatorNaming(column) colQuery = colQuery % unsafeSQLIdentificatorNaming(column)
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct: if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct:
query = rootQuery.inband.query query = rootQuery.inband.query
@ -1910,8 +1878,8 @@ class Enumeration:
values = [ values ] values = [ values ]
for foundDb, foundTbl in values: for foundDb, foundTbl in values:
foundDb = self.__safeSQLIdentificatorNaming(foundDb) foundDb = safeSQLIdentificatorNaming(foundDb)
foundTbl = self.__safeSQLIdentificatorNaming(foundTbl, True) foundTbl = safeSQLIdentificatorNaming(foundTbl, True)
if foundDb is None or foundTbl is None: if foundDb is None or foundTbl is None:
continue continue
@ -1967,7 +1935,7 @@ class Enumeration:
query += exclDbsQuery query += exclDbsQuery
query = agent.limitQuery(index, query) query = agent.limitQuery(index, query)
db = inject.getValue(query, inband=False, error=False) db = inject.getValue(query, inband=False, error=False)
db = self.__safeSQLIdentificatorNaming(db) db = safeSQLIdentificatorNaming(db)
if db not in dbs: if db not in dbs:
dbs[db] = {} dbs[db] = {}
@ -1980,12 +1948,12 @@ class Enumeration:
colQuery = colQuery % column colQuery = colQuery % column
for db in dbData: for db in dbData:
db = self.__safeSQLIdentificatorNaming(db) db = safeSQLIdentificatorNaming(db)
infoMsg = "fetching number of tables containing column" infoMsg = "fetching number of tables containing column"
if colConsider == "1": if colConsider == "1":
infoMsg += "s like" infoMsg += "s like"
infoMsg += " '%s' in database '%s'" % (self.__unsafeSQLIdentificatorNaming(column), db) infoMsg += " '%s' in database '%s'" % (unsafeSQLIdentificatorNaming(column), db)
logger.info(infoMsg) logger.info(infoMsg)
query = rootQuery.blind.count2 query = rootQuery.blind.count2
@ -2013,7 +1981,7 @@ class Enumeration:
tbl = inject.getValue(query, inband=False, error=False) tbl = inject.getValue(query, inband=False, error=False)
kb.hintValue = tbl kb.hintValue = tbl
tbl = self.__safeSQLIdentificatorNaming(tbl, True) tbl = safeSQLIdentificatorNaming(tbl, True)
if tbl not in dbs[db]: if tbl not in dbs[db]:
dbs[db][tbl] = {} dbs[db][tbl] = {}


@ -1802,9 +1802,7 @@ dealers
diary diary
download download
Dragon_users Dragon_users
e107.e107_user
e107_user e107_user
forum.ibf_members
fusion_user_groups fusion_user_groups
fusion_users fusion_users
ibf_admin_sessions ibf_admin_sessions
@ -1815,7 +1813,6 @@ ibf_sessions
icq icq
index index
info info
ipb.ibf_members
ipb_sessions ipb_sessions
joomla_users joomla_users
jos_blastchatc_users jos_blastchatc_users
@ -1851,7 +1848,6 @@ mitglieder
movie movie
mybb_users mybb_users
mysql mysql
mysql.user
name name
names names
news_lostpass news_lostpass
@ -1873,9 +1869,7 @@ phorum_user
phorum_users phorum_users
phpads_clients phpads_clients
phpads_config phpads_config
phpBB2.forum_users forum_users
phpBB2.phpbb_users
phpmyadmin.pma_table_info
poll_user poll_user
punbb_users punbb_users
pwd pwd
@ -1885,8 +1879,7 @@ reg_users
registered registered
reguser reguser
regusers regusers
shop.cards cards
shop.orders
site_login site_login
site_logins site_logins
sitelogin sitelogin
@ -2258,7 +2251,6 @@ pwd1
jhu jhu
webapps webapps
ASP ASP
ASP.NET
Microsoft Microsoft
sing sing
singup singup
@ -3177,7 +3169,7 @@ cdb_banned
cdb_crons cdb_crons
cdb_access cdb_access
cdb_invites cdb_invites
dbo.sysmergeschemaarticles sysmergeschemaarticles
CodeRuleType CodeRuleType
cdb_membermagics cdb_membermagics
cdb_imagetypes cdb_imagetypes
@ -3189,7 +3181,7 @@ cdb_adminsessions
pw_adminset pw_adminset
seen seen
t_snap t_snap
dbo.MSmerge_altsyncpartners MSmerge_altsyncpartners
zl_deeds zl_deeds
pw_styles pw_styles
pw_announce pw_announce
@ -3222,7 +3214,7 @@ cdb_pluginhooks
mymps_member_docutype mymps_member_docutype
wp1_categories wp1_categories
cdb_magicmarket cdb_magicmarket
dbo.MSmerge_errorlineage MSmerge_errorlineage
cdb_activities cdb_activities
zl_baoming zl_baoming
cdb_orders cdb_orders
@ -3257,7 +3249,7 @@ Market
mymps_config mymps_config
mymps_mail_template mymps_mail_template
mymps_advertisement mymps_advertisement
dbo.MSrepl_identity_range MSrepl_identity_range
pw_favors pw_favors
mymps_crons mymps_crons
pw_config pw_config