From f700692c7432847951dae422faf46ce3ddabb7b7 Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Wed, 13 Oct 2010 18:55:17 +0000 Subject: [PATCH] added missing files for Sybase --- lib/controller/handler.py | 6 +- plugins/dbms/sybase/__init__.py | 50 +++++++++++ plugins/dbms/sybase/connector.py | 90 +++++++++++++++++++ plugins/dbms/sybase/enumeration.py | 39 +++++++++ plugins/dbms/sybase/filesystem.py | 39 +++++++++ plugins/dbms/sybase/fingerprint.py | 133 +++++++++++++++++++++++++++++ plugins/dbms/sybase/syntax.py | 86 +++++++++++++++++++ plugins/dbms/sybase/takeover.py | 49 +++++++++++ 8 files changed, 489 insertions(+), 3 deletions(-) create mode 100644 plugins/dbms/sybase/__init__.py create mode 100644 plugins/dbms/sybase/connector.py create mode 100644 plugins/dbms/sybase/enumeration.py create mode 100644 plugins/dbms/sybase/filesystem.py create mode 100644 plugins/dbms/sybase/fingerprint.py create mode 100644 plugins/dbms/sybase/syntax.py create mode 100644 plugins/dbms/sybase/takeover.py diff --git a/lib/controller/handler.py b/lib/controller/handler.py index 1396ccdc7..359eeef51 100644 --- a/lib/controller/handler.py +++ b/lib/controller/handler.py @@ -51,8 +51,8 @@ from plugins.dbms.firebird import FirebirdMap from plugins.dbms.firebird.connector import Connector as FirebirdConn from plugins.dbms.maxdb import MaxDBMap from plugins.dbms.maxdb.connector import Connector as MaxDBConn -#from plugins.dbms.sybase import SybaseMap -#from plugins.dbms.sybase.connector import Connector as SybaseConn +from plugins.dbms.sybase import SybaseMap +from plugins.dbms.sybase.connector import Connector as SybaseConn def setHandler(): """ @@ -71,7 +71,7 @@ def setHandler(): ( ACCESS_ALIASES, AccessMap, AccessConn ), ( FIREBIRD_ALIASES, FirebirdMap, FirebirdConn ), ( MAXDB_ALIASES, MaxDBMap, MaxDBConn ), -# ( SYBASE_ALIASES, SybaseMap, SybaseConn ), + ( SYBASE_ALIASES, SybaseMap, SybaseConn ), ) for dbmsAliases, dbmsMap, dbmsConn in dbmsMap: 
diff --git a/plugins/dbms/sybase/__init__.py b/plugins/dbms/sybase/__init__.py
new file mode 100644
index 000000000..c9c82d3c7
--- /dev/null
+++ b/plugins/dbms/sybase/__init__.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+
+"""
+$Id: __init__.py 1505 2010-03-23 21:26:45Z inquisb $
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2009 Bernardo Damele A. G.
+Copyright (c) 2006 Daniele Bellucci
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+"""
+
+from lib.core.settings import SYBASE_SYSTEM_DBS
+from lib.core.unescaper import unescaper
+
+from plugins.dbms.sybase.enumeration import Enumeration
+from plugins.dbms.sybase.filesystem import Filesystem
+from plugins.dbms.sybase.fingerprint import Fingerprint
+from plugins.dbms.sybase.syntax import Syntax
+from plugins.dbms.sybase.takeover import Takeover
+from plugins.generic.misc import Miscellaneous
+
+class SybaseMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Takeover):
+ """
+ This class defines Sybase methods
+ """
+
+ def __init__(self):
+ self.excludeDbsList = SYBASE_SYSTEM_DBS
+
+ Syntax.__init__(self)
+ Fingerprint.__init__(self)
+ Enumeration.__init__(self)
+ Filesystem.__init__(self)
+ Miscellaneous.__init__(self)
+ Takeover.__init__(self)
+
+ unescaper.setUnescape(SybaseMap.unescape)
diff --git a/plugins/dbms/sybase/connector.py b/plugins/dbms/sybase/connector.py
new file mode 100644
index 000000000..aa2723528
--- /dev/null
+++ b/plugins/dbms/sybase/connector.py
@@ -0,0 +1,90 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G.
+Copyright (c) 2006 Daniele Bellucci
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+"""
+
+try:
+ import _mssql
+ import pymssql
+except ImportError, _:
+ pass
+
+from lib.core.convert import utf8encode
+from lib.core.data import conf
+from lib.core.data import logger
+from lib.core.exception import sqlmapConnectionException
+
+from plugins.generic.connector import Connector as GenericConnector
+
+class Connector(GenericConnector):
+ """
+ Homepage: http://pymssql.sourceforge.net/
+ User guide: http://pymssql.sourceforge.net/examples_pymssql.php
+ API: http://pymssql.sourceforge.net/ref_pymssql.php
+ Debian package: python-pymssql
+ License: LGPL
+
+ Possible connectors: http://wiki.python.org/moin/SQL%20Server
+
+ Important note: pymssql library on your system MUST be version 1.0.2
+ to work, get it from http://sourceforge.net/projects/pymssql/files/pymssql/1.0.2/
+ """
+
+ def __init__(self):
+ GenericConnector.__init__(self)
+
+ def connect(self):
+ self.initConnection()
+
+ try:
+ self.connector = pymssql.connect(host="%s:%d" % (self.hostname, self.port), user=self.user, password=self.password, database=self.db, login_timeout=conf.timeout, timeout=conf.timeout)
+ except pymssql.OperationalError, msg:
+ raise
 sqlmapConnectionException, msg
+
+ self.setCursor()
+ self.connected()
+
+ def fetchall(self):
+ try:
+ return self.cursor.fetchall()
+ except (pymssql.ProgrammingError, pymssql.OperationalError, _mssql.MssqlDatabaseException), msg:
+ logger.log(8, msg)
+ return None
+
+ def execute(self, query):
+ try:
+ self.cursor.execute(utf8encode(query))
+ except (pymssql.OperationalError, pymssql.ProgrammingError), msg:
+ logger.log(8, msg)
+ except pymssql.InternalError, msg:
+ raise sqlmapConnectionException, msg
+
+ def select(self, query):
+ self.execute(query)
+ value = self.fetchall()
+
+ try:
+ self.connector.commit()
+ except pymssql.OperationalError:
+ pass
+
+ return value
diff --git a/plugins/dbms/sybase/enumeration.py b/plugins/dbms/sybase/enumeration.py
new file mode 100644
index 000000000..b87dabcd6
--- /dev/null
+++ b/plugins/dbms/sybase/enumeration.py
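Review bot: In plugins/dbms/sybase/connector.py the `except ImportError, _: pass` guard leaves `pymssql` undefined when the driver is absent, so `connect()` would fail with a NameError at `pymssql.connect(...)` (and again when the `except pymssql.OperationalError` clause is evaluated) instead of a sqlmapConnectionException. Unless a dependency check elsewhere already guarantees the module, start `connect()` with something like `if "pymssql" not in globals(): raise sqlmapConnectionException, "pymssql is not installed"`. `execute()` logs OperationalError/ProgrammingError at the bare level `8` and returns, so `select()` still runs `fetchall()` and `commit()` after a failed statement and the caller only sees `None`; a comment stating that this best-effort behaviour is intended, and a named constant for the level, would make that explicit. The class docstring describes pymssql and SQL Server only and should say why that driver is used for Sybase.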
@@ -0,0 +1,39 @@
+#!/usr/bin/env python
+
+"""
+$Id: enumeration.py 1835 2010-08-31 14:25:37Z stamparm $
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G.
+Copyright (c) 2006 Daniele Bellucci
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+"""
+
+from lib.core.data import conf
+from lib.core.data import logger
+from lib.core.exception import sqlmapUnsupportedFeatureException
+
+from plugins.generic.enumeration import Enumeration as GenericEnumeration
+
+class Enumeration(GenericEnumeration):
+ def __init__(self):
+ GenericEnumeration.__init__(self, "Sybase")
+
+ def getPasswordHashes(self):
+ warnMsg = "on Sybase it is not possible to enumerate the user password hashes"
+ logger.warn(warnMsg)
+
+ return {}
diff --git a/plugins/dbms/sybase/filesystem.py b/plugins/dbms/sybase/filesystem.py
new file mode 100644
index 000000000..28c45d372
--- /dev/null
+++ b/plugins/dbms/sybase/filesystem.py
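Review bot: `getPasswordHashes()` in plugins/dbms/sybase/enumeration.py signals the unsupported feature with `logger.warn` and an empty `{}`, while the Sybase filesystem and takeover plugins added in this same commit raise sqlmapUnsupportedFeatureException, so a caller cannot tell "not supported" from "no hashes found". The exception is imported here but never used, which suggests raising may have been intended: `raise sqlmapUnsupportedFeatureException, warnMsg`. If the empty dict is the convention other DBMS plugins follow, keep it, drop the unused `sqlmapUnsupportedFeatureException` and `conf` imports, and add a one-line docstring saying the empty result is deliberate.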
@@ -0,0 +1,39 @@
+#!/usr/bin/env python
+
+"""
+$Id: filesystem.py 1505 2010-03-23 21:26:45Z inquisb $
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G.
+Copyright (c) 2006 Daniele Bellucci
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+"""
+
+from lib.core.exception import sqlmapUnsupportedFeatureException
+
+from plugins.generic.filesystem import Filesystem as GenericFilesystem
+
+class Filesystem(GenericFilesystem):
+ def __init__(self):
+ GenericFilesystem.__init__(self)
+
+ def readFile(self, rFile):
+ errMsg = "on Sybase it is not possible to read files"
+ raise sqlmapUnsupportedFeatureException, errMsg
+
+ def writeFile(self, wFile, dFile, fileType=None, confirm=True):
+ errMsg = "on Sybase it is not possible to write files"
+ raise sqlmapUnsupportedFeatureException, errMsg
diff --git a/plugins/dbms/sybase/fingerprint.py b/plugins/dbms/sybase/fingerprint.py
new file mode 100644
index 000000000..703ea69ba
--- /dev/null
+++ b/plugins/dbms/sybase/fingerprint.py
@@ -0,0 +1,133 @@
+#!/usr/bin/env python
+
+"""
+$Id: fingerprint.py 1961 2010-10-11 13:52:32Z stamparm $
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G.
+Copyright (c) 2006 Daniele Bellucci
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+"""
+
+from lib.core.agent import agent
+from lib.core.common import formatDBMSfp
+from lib.core.common import formatFingerprint
+from lib.core.common import getHtmlErrorFp
+from lib.core.common import randomInt
+from lib.core.data import conf
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.session import setDbms
+from lib.core.settings import SYBASE_ALIASES
+from lib.request import inject
+from lib.request.connect import Connect as Request
+
+from plugins.generic.fingerprint import Fingerprint as GenericFingerprint
+
+class Fingerprint(GenericFingerprint):
+ def __init__(self):
+ GenericFingerprint.__init__(self)
+
+ def getFingerprint(self):
+ value = ""
+ wsOsFp = formatFingerprint("web server", kb.headersFp)
+
+ if wsOsFp:
+ value += "%s\n" % wsOsFp
+
+ if kb.data.banner:
+ dbmsOsFp = formatFingerprint("back-end DBMS", kb.bannerFp)
+
+ if dbmsOsFp:
+ value += "%s\n" % dbmsOsFp
+
+ value += "back-end DBMS: "
+
+ if not conf.extensiveFp:
+ value += "Sybase"
+ return value
+
+ actVer = formatDBMSfp()
+ blank = " " * 15
+ value += "active fingerprint: %s" %
 actVer
+
+ if kb.bannerFp:
+ banVer = kb.bannerFp["dbmsVersion"]
+ banVer = formatDBMSfp([banVer])
+ value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
+
+ htmlErrorFp = getHtmlErrorFp()
+
+ if htmlErrorFp:
+ value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
+
+ return value
+
+ def checkDbms(self):
+ if conf.dbms in SYBASE_ALIASES and kb.dbmsVersion and kb.dbmsVersion[0].isdigit():
+ setDbms("Sybase %s" % kb.dbmsVersion[0])
+
+ self.getBanner()
+
+ if not conf.extensiveFp:
+ kb.os = "Windows"
+
+ return True
+
+ infoMsg = "testing Sybase"
+ logger.info(infoMsg)
+
+ if conf.direct:
+ result = True
+ else:
+ payload = agent.fullPayload(" AND tempdb_id()=tempdb_id()")
+ result = Request.queryPage(payload)
+
+ if result:
+ logMsg = "confirming Sybase"
+ logger.info(logMsg)
+
+ payload = agent.fullPayload(" AND suser_id()=suser_id()")
+ result = Request.queryPage(payload)
+
+ if not result:
+ warnMsg = "the back-end DMBS is not Sybase"
+ logger.warn(warnMsg)
+
+ return False
+
+ setDbms("Sybase")
+
+ self.getBanner()
+
+ if not conf.extensiveFp:
+ return True
+
+ for version in range(12, 16):
+ randInt = randomInt()
+ query = " AND @@VERSION_NUMBER/1000=%d" % version
+ payload = agent.fullPayload(query)
+ result = Request.queryPage(payload)
+ if result:
+ kb.dbmsVersion = ["%d" % version]
+ break
+
+ return True
+ else:
+ warnMsg = "the back-end DMBS is not Sybase"
+ logger.warn(warnMsg)
+
+ return False
diff --git a/plugins/dbms/sybase/syntax.py b/plugins/dbms/sybase/syntax.py
new file mode 100644
index 000000000..1df8fea1e
--- /dev/null
+++ b/plugins/dbms/sybase/syntax.py
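Review bot: The shortcut branch at the top of `checkDbms()` in plugins/dbms/sybase/fingerprint.py sets `kb.os = "Windows"` whenever extensive fingerprinting is off, although nothing in this hunk establishes the host operating system. The assignment looks carried over from a Windows-only DBMS plugin, and any later OS-dependent logic would then act on an unverified value, so leave `kb.os` unset here unless the banner confirms it. In the version loop `randInt = randomInt()` is assigned and never used, and the warning text `the back-end DMBS is not Sybase` (two places) should read `DBMS`. `checkDbms()` and `getFingerprint()` have no docstrings; a short one on `checkDbms()` stating what it returns and why the version loop covers `range(12, 16)` would help. Indentation is not recoverable from this page, so the exact nesting of the first `return True` should be checked against the file.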
@@ -0,0 +1,86 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G.
+Copyright (c) 2006 Daniele Bellucci
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+"""
+
+from lib.core.exception import sqlmapSyntaxException
+
+from plugins.generic.syntax import Syntax as GenericSyntax
+
+class Syntax(GenericSyntax):
+ def __init__(self):
+ GenericSyntax.__init__(self)
+
+ @staticmethod
+ def unescape(expression, quote=True):
+ if quote:
+ while True:
+ index = expression.find("'")
+ if index == -1:
+ break
+
+ firstIndex = index + 1
+ index = expression[firstIndex:].find("'")
+
+ if index == -1:
+ raise sqlmapSyntaxException("Unenclosed ' in '%s'" % expression)
+
+ lastIndex = firstIndex + index
+ old = "'%s'" % expression[firstIndex:lastIndex]
+ #unescaped = "("
+ unescaped = ""
+
+ for i in range(firstIndex, lastIndex):
+ unescaped += "CHAR(%d)" % (ord(expression[i]))
+ if i < lastIndex - 1:
+ unescaped += "+"
+
+ #unescaped += ")"
+ expression = expression.replace(old, unescaped)
+ else:
+ expression = "+".join("CHAR(%d)" % ord(c) for c in expression)
+
+ return expression
+
+ @staticmethod
+ def escape(expression):
+ while True:
+ index = expression.find("CHAR(")
+ if index == -1:
+ break
+
+ firstIndex = index
+ index = expression[firstIndex:].find("))")
+
+ if index == -1:
+ raise
 sqlmapSyntaxException("Unenclosed ) in '%s'" % expression)
+
+ lastIndex = firstIndex + index + 1
+ old = expression[firstIndex:lastIndex]
+ oldUpper = old.upper()
+ oldUpper = oldUpper.replace("CHAR(", "").replace(")", "")
+ oldUpper = oldUpper.split("+")
+
+ escaped = "'%s'" % "".join([chr(int(char)) for char in oldUpper])
+ expression = expression.replace(old, escaped)
+
+ return expression
diff --git a/plugins/dbms/sybase/takeover.py b/plugins/dbms/sybase/takeover.py
new file mode 100644
index 000000000..6d4fa6fcc
--- /dev/null
+++ b/plugins/dbms/sybase/takeover.py
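Review bot: `escape()` in plugins/dbms/sybase/syntax.py cannot reverse what `unescape()` now produces: with the wrapping parentheses commented out, `unescape()` turns `'AB'` into `CHAR(65)+CHAR(66)`, which ends in a single `)`, while `escape()` still searches for `"))"` and raises `Unenclosed )` when it finds none. Either restore the `(` and `)` wrapper in `unescape()` or make `escape()` stop at the end of the `CHAR(n)+CHAR(n)` run instead of at a double parenthesis. `unescape()` also calls `expression.replace(old, unescaped)`, which rewrites every occurrence of the literal and reduces an empty literal `''` to nothing, changing the statement; replacing only the matched slice avoids both. Neither static method has a docstring stating the expected round trip between the two.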
@@ -0,0 +1,49 @@
+#!/usr/bin/env python
+
+"""
+$Id: takeover.py 1505 2010-03-23 21:26:45Z inquisb $
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G.
+Copyright (c) 2006 Daniele Bellucci
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+"""
+
+from lib.core.exception import sqlmapUnsupportedFeatureException
+
+from plugins.generic.takeover import Takeover as GenericTakeover
+
+class Takeover(GenericTakeover):
+ def __init__(self):
+ GenericTakeover.__init__(self)
+
+ def osCmd(self):
+ errMsg = "on Sybase it is not possible to execute commands"
+ raise sqlmapUnsupportedFeatureException, errMsg
+
+ def osShell(self):
+ errMsg = "on Sybase it is not possible to execute commands"
+ raise sqlmapUnsupportedFeatureException, errMsg
+
+ def osPwn(self):
+ errMsg = "on Sybase it is not possible to establish an "
+ errMsg += "out-of-band connection"
+ raise sqlmapUnsupportedFeatureException, errMsg
+
+ def osSmb(self):
+ errMsg = "on Sybase it is not possible to establish an "
+ errMsg += "out-of-band connection"
+ raise sqlmapUnsupportedFeatureException, errMsg