From de31688c4f72bfdca901fc61841a17254d2f12cf Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Mon, 29 Jul 2013 18:25:27 +0200
Subject: [PATCH] Update for an Issue #481
---
 lib/core/optiondict.py | 1 +
 lib/parse/cmdline.py | 3 +++
 plugins/generic/databases.py | 26 ++++++++++++++++++++++++++
 sqlmap.conf | 4 ++++
 xml/queries.xml | 20 +++++++++++++++++---
 5 files changed, 51 insertions(+), 3 deletions(-)
diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py
index acf14c88f..07f9321de 100644
--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@@ -121,6 +121,7 @@ optDict = {
 "dumpTable": "boolean",
 "dumpAll": "boolean",
 "search": "boolean",
+ "getComments": "boolean",
 "db": "string",
 "tbl": "string",
 "col": "string",
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
index cb1c99efe..5f4503c24 100644
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -386,6 +386,9 @@ def cmdLineParser():
 enumeration.add_option("--search", dest="search", action="store_true",
 help="Search column(s), table(s) and/or database name(s)")
+ enumeration.add_option("--comments", dest="getComments", action="store_true",
+ help="Retrieve DBMS comments")
+
 enumeration.add_option("-D", dest="db",
 help="DBMS database to enumerate")
diff --git a/plugins/generic/databases.py b/plugins/generic/databases.py
index 90fc7d7bd..df03dbf3c 100644
--- a/plugins/generic/databases.py
+++ b/plugins/generic/databases.py
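Review bot: The help string on the new `--comments` option in lib/parse/cmdline.py, `Retrieve DBMS comments`, does not say which comments are fetched or when. As far as this patch shows, `conf.getComments` is read only inside the column-enumeration loops in plugins/generic/databases.py, so the flag appears to do nothing on its own and adds one extra query per column when columns are enumerated. Wording such as `help="Retrieve DBMS column comments during enumeration"` would set the right expectation, and the matching sqlmap.conf comment could say the same. cmdLineParser's body continues outside the hunk.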
@@ -554,6 +554,19 @@ class Databases:
 name = safeSQLIdentificatorNaming(columnData[0])
 if name:
+ if conf.getComments:
+ _ = queries[Backend.getIdentifiedDbms()].column_comment
+ if hasattr(_, "query"):
+ if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
+ query = _.query % (unsafeSQLIdentificatorNaming(conf.db.upper()), unsafeSQLIdentificatorNaming(tbl.upper()), unsafeSQLIdentificatorNaming(name.upper()))
+ else:
+ query = _.query % (unsafeSQLIdentificatorNaming(conf.db), unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(name))
+ comment = unArrayizeValue(inject.getValue(query, blind=False, time=False))
+ else:
+ warnMsg = "on %s it is not " % Backend.getIdentifiedDbms()
+ warnMsg += "possible to get column comments"
+ singleTimeWarnMessage(warnMsg)
+
 if len(columnData) == 1:
 columns[name] = None
 else:
@@ -666,6 +679,19 @@ class Databases:
 column = unArrayizeValue(inject.getValue(query, union=False, error=False))
 if not isNoneValue(column):
+ if conf.getComments:
+ _ = queries[Backend.getIdentifiedDbms()].column_comment
+ if hasattr(_, "query"):
+ if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
+ query = _.query % (unsafeSQLIdentificatorNaming(conf.db.upper()), unsafeSQLIdentificatorNaming(tbl.upper()), unsafeSQLIdentificatorNaming(column.upper()))
+ else:
+ query = _.query % (unsafeSQLIdentificatorNaming(conf.db), unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(column))
+ comment = unArrayizeValue(inject.getValue(query, union=False, error=False))
+ else:
+ warnMsg = "on %s it is not " % Backend.getIdentifiedDbms()
+ warnMsg += "possible to get column comments"
+ singleTimeWarnMessage(warnMsg)
+
 if not onlyColNames:
 if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
 query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(tbl), column, unsafeSQLIdentificatorNaming(conf.db))
diff --git a/sqlmap.conf b/sqlmap.conf
index f88d4cb15..5f363c567 100644
--- a/sqlmap.conf
+++ b/sqlmap.conf
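Review bot: The value assigned to `comment` is never read in the visible lines of either databases.py hunk (the one at -554 and the blind-path one at -666), so each column costs an extra `inject.getValue()` request whose result appears to be discarded. Both loops continue outside the hunks, so confirm the value is stored or reported there; if not, something like `if not isNoneValue(comment): logger.info("retrieved comment '%s' for column '%s'" % (comment, name))` would surface it (assuming a module-level `logger` is in scope; the variable is `column` in the second hunk). The two added blocks are identical apart from the `getValue` keyword arguments and that variable name, so a private helper taking the column name and the technique flags would stop them drifting apart. The `DBMS.ORACLE, DBMS.DB2` branch deserves a short comment such as `# catalog stores unquoted identifiers upper-cased`, noting that `.upper()` will miss identifiers created quoted in mixed or lower case. `conf.db.upper()` would also raise if `conf.db` were still unset at this point, which the hunks do not show.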
@@ -429,6 +429,10 @@ dumpAll = False # Valid: True or False search = False +# Retrieve back-end database management system comments. +# Valid: True or False +getComments = False + # Back-end database management system database to enumerate. db = diff --git a/xml/queries.xml b/xml/queries.xml index ee0f61086..05f53cc65 100644 --- a/xml/queries.xml +++ b/xml/queries.xml @@ -240,9 +240,9 @@ NOTE: in Oracle to check if the session user is DBA you can use: SELECT USERENV('ISDBA') FROM DUAL --> - - - + + + @@ -324,6 +324,8 @@ + + @@ -374,6 +376,8 @@ + + @@ -415,6 +419,8 @@ + + @@ -471,6 +477,8 @@ + + @@ -521,6 +529,8 @@ + + @@ -592,6 +602,8 @@ + + @@ -657,6 +669,8 @@ + +