minor update

This commit is contained in:
Miroslav Stampar 2011-02-20 16:00:13 +00:00
parent 823e4351b5
commit cc47737c44


@ -251,21 +251,20 @@ class Enumeration:
else: else:
kb.data.cachedUsersPasswords[user].append(password) kb.data.cachedUsersPasswords[user].append(password)
getCurrentThreadData().disableStdOut = False getCurrentThreadData().disableStdOut = False
return kb.data.cachedUsersPasswords
else: else:
value = inject.getValue(query, blind=False) value = inject.getValue(query, blind=False)
if value: if value:
for user, password in value: for user, password in value:
if not user or user == " ": if not user or user == " ":
continue continue
password = parsePasswordHash(password) password = parsePasswordHash(password)
if not kb.data.cachedUsersPasswords.has_key(user): if not kb.data.cachedUsersPasswords.has_key(user):
kb.data.cachedUsersPasswords[user] = [password] kb.data.cachedUsersPasswords[user] = [password]
else: else:
kb.data.cachedUsersPasswords[user].append(password) kb.data.cachedUsersPasswords[user].append(password)
if not kb.data.cachedUsersPasswords and not conf.direct: if not kb.data.cachedUsersPasswords and not conf.direct:
if conf.user: if conf.user:
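Review bot: The `getCurrentThreadData().disableStdOut = False` reset that precedes the removed `return` is not protected by a `finally`, so if `__pivotDumpTable` or the result loop raises (the flag is presumably set to True just before the dump, above this hunk), stdout stays disabled for the rest of the thread and later log output from this thread is silently lost. Wrapping the dump and the loop that fills `kb.data.cachedUsersPasswords` in `try:` ... `finally: getCurrentThreadData().disableStdOut = False` would close that gap; the same pattern appears in the second hunk (`@ -280,10 +279,13`), where the flag is now set immediately before the `__pivotDumpTable` call. With the early `return kb.data.cachedUsersPasswords` dropped, this branch now falls through to the `if not kb.data.cachedUsersPasswords and not conf.direct:` check at the end of the hunk, which looks intended but deserves a one-line comment at the reset, e.g. `# no early return: the empty-result handling below now covers the pivot path too`. The enclosing method starts before this hunk.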
@ -280,10 +279,13 @@ class Enumeration:
users = kb.data.cachedUsers users = kb.data.cachedUsers
if Backend.getIdentifiedDbms() == DBMS.SYBASE: if Backend.getIdentifiedDbms() == DBMS.SYBASE:
getCurrentThreadData().disableStdOut = True
randStr = randomStr() randStr = randomStr()
query = rootQuery.inband.query query = rootQuery.inband.query
getCurrentThreadData().disableStdOut = True
retVal = self.__pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.name' % randStr,'%s.password' % randStr], blind=True) retVal = self.__pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.name' % randStr,'%s.password' % randStr], blind=True)
if retVal: if retVal:
for user, password in zip(retVal[0]["%s.name" % randStr], retVal[0]["%s.password" % randStr]): for user, password in zip(retVal[0]["%s.name" % randStr], retVal[0]["%s.password" % randStr]):
password = "0x%s" % strToHex(password) password = "0x%s" % strToHex(password)
@ -291,68 +293,69 @@ class Enumeration:
kb.data.cachedUsersPasswords[user] = [password] kb.data.cachedUsersPasswords[user] = [password]
else: else:
kb.data.cachedUsersPasswords[user].append(password) kb.data.cachedUsersPasswords[user].append(password)
getCurrentThreadData().disableStdOut = False getCurrentThreadData().disableStdOut = False
return kb.data.cachedUsersPasswords
retrievedUsers = set() else:
retrievedUsers = set()
for user in users: for user in users:
if Backend.getIdentifiedDbms() == DBMS.MYSQL: if Backend.getIdentifiedDbms() == DBMS.MYSQL:
parsedUser = re.search("[\047]*(.*?)[\047]*\@", user) parsedUser = re.search("[\047]*(.*?)[\047]*\@", user)
if parsedUser: if parsedUser:
user = parsedUser.groups()[0] user = parsedUser.groups()[0]
if not user or user in retrievedUsers: if not user or user in retrievedUsers:
continue continue
infoMsg = "fetching number of password hashes " infoMsg = "fetching number of password hashes "
infoMsg += "for user '%s'" % user infoMsg += "for user '%s'" % user
logger.info(infoMsg) logger.info(infoMsg)
if Backend.getIdentifiedDbms() == DBMS.MSSQL and Backend.isVersionWithin(("2005", "2008")): if Backend.getIdentifiedDbms() == DBMS.MSSQL and Backend.isVersionWithin(("2005", "2008")):
query = rootQuery.blind.count2 % user query = rootQuery.blind.count2 % user
else:
query = rootQuery.blind.count % user
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=2)
if not isNumPosStrValue(count):
warnMsg = "unable to retrieve the number of password "
warnMsg += "hashes for user '%s'" % user
logger.warn(warnMsg)
continue
infoMsg = "fetching password hashes for user '%s'" % user
logger.info(infoMsg)
passwords = []
if Backend.getIdentifiedDbms() == DBMS.ORACLE:
plusOne = True
else:
plusOne = False
indexRange = getRange(count, plusOne=plusOne)
for index in indexRange:
if Backend.getIdentifiedDbms() == DBMS.MSSQL:
if Backend.isVersionWithin(("2005", "2008")):
query = rootQuery.blind.query2 % (user, index, user)
else:
query = rootQuery.blind.query % (user, index, user)
else: else:
query = rootQuery.blind.query % (user, index) query = rootQuery.blind.count % user
password = inject.getValue(query, inband=False, error=False) count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=2)
password = parsePasswordHash(password)
passwords.append(password)
if passwords: if not isNumPosStrValue(count):
kb.data.cachedUsersPasswords[user] = passwords warnMsg = "unable to retrieve the number of password "
else: warnMsg += "hashes for user '%s'" % user
warnMsg = "unable to retrieve the password " logger.warn(warnMsg)
warnMsg += "hashes for user '%s'" % user continue
logger.warn(warnMsg)
retrievedUsers.add(user) infoMsg = "fetching password hashes for user '%s'" % user
logger.info(infoMsg)
passwords = []
if Backend.getIdentifiedDbms() == DBMS.ORACLE:
plusOne = True
else:
plusOne = False
indexRange = getRange(count, plusOne=plusOne)
for index in indexRange:
if Backend.getIdentifiedDbms() == DBMS.MSSQL:
if Backend.isVersionWithin(("2005", "2008")):
query = rootQuery.blind.query2 % (user, index, user)
else:
query = rootQuery.blind.query % (user, index, user)
else:
query = rootQuery.blind.query % (user, index)
password = inject.getValue(query, inband=False, error=False)
password = parsePasswordHash(password)
passwords.append(password)
if passwords:
kb.data.cachedUsersPasswords[user] = passwords
else:
warnMsg = "unable to retrieve the password "
warnMsg += "hashes for user '%s'" % user
logger.warn(warnMsg)
retrievedUsers.add(user)
if not kb.data.cachedUsersPasswords: if not kb.data.cachedUsersPasswords:
errMsg = "unable to retrieve the password " errMsg = "unable to retrieve the password "