Added support for --privileges on MSSQL to test wheter or not the DBMS users are DBA

2024-11-22 01:26:42 +03:00 · 2011-02-10 14:24:04 +00:00 · 2011-02-10 14:24:04 +00:00 · c078de894f
commit c078de894f
parent a2c20acf94
3 changed files with 44 additions and 12 deletions
--- a/lib/core/dump.py
+++ b/lib/core/dump.py
@ -125,15 +125,21 @@ class Dump:
        for user in users:
            settings = userSettings[user]

-            if user in self.__areAdmins:
-                self.__write("[*] %s (administrator) [%d]:" % (user, len(settings)))
+            if settings is None:
+                stringSettings = ""
            else:
-                self.__write("[*] %s [%d]:" % (user, len(settings)))
+                stringSettings = " [%d]:" % len(settings)

-            settings.sort()
+            if user in self.__areAdmins:
+                self.__write("[*] %s (administrator)%s" % (user, stringSettings))
+            else:
+                self.__write("[*] %s%s" % (user, stringSettings))

-            for setting in settings:
-                self.__write("    %s: %s" % (subHeader, setting))
+            if settings:
+                settings.sort()
+
+                for setting in settings:
+                    self.__write("    %s: %s" % (subHeader, setting))
        print

    def dbs(self,dbs):
--- a/plugins/dbms/mssqlserver/enumeration.py
+++ b/plugins/dbms/mssqlserver/enumeration.py
@ -29,11 +29,33 @@ class Enumeration(GenericEnumeration):
        GenericEnumeration.__init__(self)

    def getPrivileges(self, *args):
-        warnMsg  = "on Microsoft SQL Server it is not possible to fetch "
-        warnMsg += "database users privileges"
+        warnMsg = "on Microsoft SQL Server it is not possible to fetch "
+        warnMsg += "database users privileges, sqlmap will check whether "
+        warnMsg += "or not the database users are database administrators"
        logger.warn(warnMsg)

-        return {}
+        users = []
+        areAdmins = set()
+
+        if conf.user:
+            users = [ conf.user ]
+        elif not len(kb.data.cachedUsers):
+            users = self.getUsers()
+        else:
+            users = kb.data.cachedUsers
+
+        for user in users:
+            if user is None:
+                continue
+
+            isDba = self.isDba(user)
+
+            if isDba is True:
+                areAdmins.add(user)
+
+            kb.data.cachedUsersPrivileges[user] = None
+
+        return ( kb.data.cachedUsersPrivileges, areAdmins )

    def getTables(self):
        infoMsg = "fetching tables"
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@ -126,21 +126,25 @@ class Enumeration:

        return kb.data.currentDb

-    def isDba(self):
+    def isDba(self, user=None):
        infoMsg = "testing if current user is DBA"
        logger.info(infoMsg)

        if Backend.getIdentifiedDbms() == DBMS.MYSQL:
            self.getCurrentUser()
            query = queries[Backend.getIdentifiedDbms()].is_dba.query % kb.data.currentUser.split("@")[0]
+        elif Backend.getIdentifiedDbms() == DBMS.MSSQL and user is not None:
+            query = queries[Backend.getIdentifiedDbms()].is_dba.query2 % user
        else:
            query = queries[Backend.getIdentifiedDbms()].is_dba.query

        query = agent.forgeCaseStatement(query)
+        isDba = inject.getValue(query, unpack=False, charsetType=1)

-        kb.data.isDba = inject.getValue(query, unpack=False, charsetType=1)
+        if user is None:
+            kb.data.isDba = isDba

-        return kb.data.isDba == "1"
+        return isDba == "1"

    def getUsers(self):
        infoMsg = "fetching database users"