From c078de894f040eef7a1359b2ceb7d8e50f374c5e Mon Sep 17 00:00:00 2001 From: Bernardo Damele Date: Thu, 10 Feb 2011 14:24:04 +0000 Subject: [PATCH] Added support for --privileges on MSSQL to test wheter or not the DBMS users are DBA --- lib/core/dump.py | 18 ++++++++++------ plugins/dbms/mssqlserver/enumeration.py | 28 ++++++++++++++++++++++--- plugins/generic/enumeration.py | 10 ++++++--- 3 files changed, 44 insertions(+), 12 deletions(-) diff --git a/lib/core/dump.py b/lib/core/dump.py index dd486a754..318639ccd 100644 --- a/lib/core/dump.py +++ b/lib/core/dump.py @@ -125,15 +125,21 @@ class Dump: for user in users: settings = userSettings[user] - if user in self.__areAdmins: - self.__write("[*] %s (administrator) [%d]:" % (user, len(settings))) + if settings is None: + stringSettings = "" else: - self.__write("[*] %s [%d]:" % (user, len(settings))) + stringSettings = " [%d]:" % len(settings) - settings.sort() + if user in self.__areAdmins: + self.__write("[*] %s (administrator)%s" % (user, stringSettings)) + else: + self.__write("[*] %s%s" % (user, stringSettings)) - for setting in settings: - self.__write(" %s: %s" % (subHeader, setting)) + if settings: + settings.sort() + + for setting in settings: + self.__write(" %s: %s" % (subHeader, setting)) print def dbs(self,dbs): diff --git a/plugins/dbms/mssqlserver/enumeration.py b/plugins/dbms/mssqlserver/enumeration.py index 920ad9efa..f2d31d4dc 100644 --- a/plugins/dbms/mssqlserver/enumeration.py +++ b/plugins/dbms/mssqlserver/enumeration.py 
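Review bot: The new `if settings is None:` header branch and the later `if settings:` body guard draw different lines, so a user whose privilege list came back empty gets a header ending in ` [0]:` with nothing printed beneath it; if that is not intended, the header branch can use the same test, `if not settings:`. What the None case means (the DBMS could not report per-user privileges, and only the administrator flag is known, as the MSSQL getPrivileges change in this commit sets it) is worth a comment above the branch, e.g. `# settings is None when per-user privileges cannot be fetched; only the DBA flag is known`. Also `settings.sort()` sorts the dictionary's list in place, which presumably is the cached kb.data.cachedUsersPrivileges entry that outlives this dump — `for setting in sorted(settings):` would avoid the side effect. The enclosing method starts above the hunk.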
@@ -29,11 +29,33 @@ class Enumeration(GenericEnumeration): GenericEnumeration.__init__(self) def getPrivileges(self, *args): - warnMsg = "on Microsoft SQL Server it is not possible to fetch " - warnMsg += "database users privileges" + warnMsg = "on Microsoft SQL Server it is not possible to fetch " + warnMsg += "database users privileges, sqlmap will check whether " + warnMsg += "or not the database users are database administrators" logger.warn(warnMsg) - return {} + users = [] + areAdmins = set() + + if conf.user: + users = [ conf.user ] + elif not len(kb.data.cachedUsers): + users = self.getUsers() + else: + users = kb.data.cachedUsers + + for user in users: + if user is None: + continue + + isDba = self.isDba(user) + + if isDba is True: + areAdmins.add(user) + + kb.data.cachedUsersPrivileges[user] = None + + return ( kb.data.cachedUsersPrivileges, areAdmins ) def getTables(self): infoMsg = "fetching tables" diff --git a/plugins/generic/enumeration.py b/plugins/generic/enumeration.py index f2bdc19d0..4998bd2ae 100644 --- a/plugins/generic/enumeration.py +++ b/plugins/generic/enumeration.py @@ -126,21 +126,25 @@ class Enumeration: return kb.data.currentDb - def isDba(self): + def isDba(self, user=None): infoMsg = "testing if current user is DBA" logger.info(infoMsg) if Backend.getIdentifiedDbms() == DBMS.MYSQL: self.getCurrentUser() query = queries[Backend.getIdentifiedDbms()].is_dba.query % kb.data.currentUser.split("@")[0] + elif Backend.getIdentifiedDbms() == DBMS.MSSQL and user is not None: + query = queries[Backend.getIdentifiedDbms()].is_dba.query2 % user else: query = queries[Backend.getIdentifiedDbms()].is_dba.query query = agent.forgeCaseStatement(query) + isDba = inject.getValue(query, unpack=False, charsetType=1) - kb.data.isDba = inject.getValue(query, unpack=False, charsetType=1) + if user is None: + kb.data.isDba = isDba - return kb.data.isDba == "1" + return isDba == "1" def getUsers(self): infoMsg = "fetching database users"
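Review bot: The initial `users = []` in getPrivileges is dead, since every branch of the following if/elif/else reassigns it, and the loop's `if isDba is True:` can be `if isDba:` because isDba returns the bool `isDba == "1"`; `not len(kb.data.cachedUsers)` reads better as `not kb.data.cachedUsers`. More importantly, the method stores `None` under every user in `kb.data.cachedUsersPrivileges`, where the generic implementation presumably stores lists, so any consumer of that dictionary other than the Dump change in this commit (file or XML output, for instance) needs the same None check — worth stating at the assignment, e.g. `# no per-user privilege list on MSSQL: None marks "not available", the DBA flag lives in areAdmins`. The return type is then a dict of None values plus a set, which the docstring should spell out, e.g. """Return (cachedUsersPrivileges, areAdmins); on MSSQL every privilege entry is None and only the DBA flag per user is determined.""". The enclosing class continues outside the hunk.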
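Review bot: The info message at the top of isDba still reads "testing if current user is DBA" even when the new `user` argument names a different account, so the per-user loop in the MSSQL getPrivileges logs one misleading line per user; set it per case, `infoMsg = "testing if current user is DBA"` / `if user is not None:` / `    infoMsg = "testing if user '%s' is DBA" % user`. The argument is honoured only on the MSSQL branch — for any other DBMS it is silently ignored, the current-user result is returned and `kb.data.isDba` is not updated — which the docstring should state, e.g. """Return True if the current user (or, on MSSQL only, *user*) is a DBA; the result is cached in kb.data.isDba only when no user is given.""". The `query2 % user` substitution also places the user name into the statement as-is; those names come from the enumerated DBMS or from `conf.user`, so one containing a quote would presumably break the forged query unless query2 itself quotes it — worth a check or an escape before the substitution. The enclosing class continues outside the hunk.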