diff --git a/CHANGELOG b/CHANGELOG
index 208ca3705..4452eb3de 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,11 @@
# Nmap Changelog ($Id$); -*-text-*-
+o [NSE] Added an Informix library and three scripts that make use of it:
+ - informix-brute uses the brute framework to perform password guessing
+ - informix-query add support for running SQL queries against Informix
+ - informix-tables lists table- and column-names for a given database
+ [Patrik]
+
o [NSE] Added two new scripts http-brute.nse and http-form-brute that attempt
to perform password guessing against web servers and applications. [Patrik]
diff --git a/nselib/informix.lua b/nselib/informix.lua
new file mode 100644
index 000000000..f1ce41a70
--- /dev/null
+++ b/nselib/informix.lua
@@ -0,0 +1,1390 @@
+---
+-- Informix Library supporting a very limited subset of Informix operations
+--
+-- Summary
+-- -------
+-- Informix supports both The Open Group Distributed Relational Database
+-- Architecture (DRDA) protocol, and their own. This library attempts to
+-- implement a basic subset of operations. It currently supports;
+-- o Authentication using plain-text usernames and passwords
+-- o Simple SELECT, INSERT and UPDATE queries, possible more ...
+--
+-- Overview
+-- --------
+-- The library contains the following classes:
+--
+-- o Packet.*
+-- - The Packet classes contain specific packets and function to serialize
+-- them to strings that can be sent over the wire. Each class may also
+-- contain a function to parse the servers response.
+--
+-- o ColMetaData
+-- - A class holding the meta data for each column
+--
+-- o Comm
+-- - Implements a number of functions to handle communication over the
+-- the Socket class.
+--
+-- o Helper
+-- - A helper class that provides easy access to the rest of the library
+--
+-- o Socket
+-- - This is a copy of the DB2Socket class which provides fundamental
+-- buffering
+--
+-- In addition the library contains the following tables with decoder functions
+--
+-- o MetaDataDecoders
+-- - Contains functions to decode the column metadata per data type
+--
+-- o DataTypeDecoders
+-- - Contains function to decode each data-type in the query resultset
+--
+-- o MessageDecoders
+-- - Contains a decoder for each supported protocol message
+--
+-- Example
+-- -------
+-- The following sample code illustrates how scripts can use the Helper class
+-- to interface the library:
+--
+--
+-- helper = informix.Helper:new( host, port, "on_demo" )
+-- status, err = helper:Connect()
+-- status, res = helper:Login("informix", "informix")
+-- status, err = helper:Close()
+--
+--
+-- Additional information
+-- ----------------------
+-- The implementation is based on analysis of packet dumps and has been tested
+-- against:
+--
+-- x IBM Informix Dynamic Server Express Edition v11.50 32-bit on Ubuntu
+-- x IBM Informix Dynamic Server xxx 32-bit on Windows 2003
+--
+-- @copyright Same as Nmap--See http://nmap.org/book/man-legal.html
+-- @author "Patrik Karlsson "
+--
+-- @args informix.instance specifies the Informix instance to connect to
+
+--
+-- Version 0.1
+-- Created 07/23/2010 - v0.1 - created by Patrik Karlsson
+-- Revised 07/28/2010 - v0.2 - added support for SELECT, INSERT and UPDATE
+-- queries
+--
+
+module(... or "informix", package.seeall)
+
+-- A bunch of constants
+Constants =
+{
+ -- A subset of supported messages
+ Message = {
+ SQ_COMMAND = 0x01,
+ SQ_PREPARE = 0x02,
+ SQ_ID = 0x04,
+ SQ_DESCRIBE = 0x08,
+ SQ_EOT = 0x0c,
+ SQ_ERR = 0x0d,
+ SQ_TUPLE = 0x0e,
+ SQ_DONE = 0x0f,
+ SQ_DBLIST = 0x1a,
+ SQ_DBOPEN = 0x24,
+ SQ_EXIT = 0x38,
+ SQ_INFO = 0x51,
+ SQ_PROTOCOLS = 0x7e,
+ },
+
+ -- A subset of supported data types
+ DataType = {
+ CHAR = 0x00,
+ SMALLINT = 0x01,
+ INT = 0x02,
+ FLOAT = 0x03,
+ SERIAL = 0x06,
+ DATE = 0x07,
+ DATETIME = 0x0a,
+ VARCHAR = 0x0d,
+ },
+
+ -- These were the ones I ran into when developing :-)
+ ErrorMsg = {
+ [-201] = "A syntax error has occurred.",
+ [-206] = "The specified table is not in the database.",
+ [-208] = "Memory allocation failed during query processing.",
+ [-258] = "System error - invalid statement id received by the sqlexec process.",
+ [-217] = "Column (%s) not found in any table in the query (or SLV is undefined).",
+ [-310] = "Table (%s) already exists in database.",
+ [-363] = "CURSOR not on SELECT statement.",
+ [-555] = "Cannot use a select or any of the database statements in a multi-query prepare.",
+ [-664] = "Wrong number of arguments to system function(%s).",
+ [-761] = "INFORMIXSERVER does not match either DBSERVERNAME or DBSERVERALIASES.",
+ [-951] = "Incorrect password or user is not known on the database server.",
+ [-329] = "Database not found or no system permission.",
+ [-9628] = "Type (%s) not found.",
+ [-23101] = "Unable to load locale categories.",
+ }
+}
+
+-- A socket implementation that provides fundamental buffering and allows for
+-- reading of an exact number of bytes, instead of atleast ...
+Socket =
+{
+ new = function(self, socket)
+ local o = {}
+ setmetatable(o, self)
+ self.__index = self
+ o.Socket = socket or nmap.new_socket()
+ o.Buffer = nil
+ return o
+ end,
+
+
+ --- Establishes a connection.
+ --
+ -- @param hostid Hostname or IP address.
+ -- @param port Port number.
+ -- @param protocol "tcp", "udp", or
+ -- @return Status (true or false).
+ -- @return Error code (if status is false).
+ connect = function( self, hostid, port, protocol )
+ -- Some Informix server seem to take a LOT of time to respond?!
+ local status = self.Socket:set_timeout(20000)
+ return self.Socket:connect( hostid, port, protocol )
+ end,
+
+ --- Closes an open connection.
+ --
+ -- @return Status (true or false).
+ -- @return Error code (if status is false).
+ close = function( self )
+ return self.Socket:close()
+ end,
+
+ --- Opposed to the socket:receive_bytes function, that returns
+ -- at least x bytes, this function returns the amount of bytes requested.
+ --
+ -- @param count of bytes to read
+ -- @return true on success, false on failure
+ -- @return data containing bytes read from the socket
+ -- err containing error message if status is false
+ recv = function( self, count )
+ local status, data
+
+ self.Buffer = self.Buffer or ""
+
+ if ( #self.Buffer < count ) then
+ status, data = self.Socket:receive_bytes( count - #self.Buffer )
+ if ( not(status) ) then
+ return false, data
+ end
+ self.Buffer = self.Buffer .. data
+ end
+
+ data = self.Buffer:sub( 1, count )
+ self.Buffer = self.Buffer:sub( count + 1)
+
+ return true, data
+ end,
+
+ --- Sends data over the socket
+ --
+ -- @return Status (true or false).
+ -- @return Error code (if status is false).
+ send = function( self, data )
+ return self.Socket:send( data )
+ end,
+}
+
+-- The ColMetaData class
+ColMetaData = {
+
+ ---Creates a new ColMetaData instance
+ --
+ -- @return object a new instance of ColMetaData
+ new = function(self)
+ local o = {}
+ setmetatable(o, self)
+ self.__index = self
+ return o
+ end,
+
+ --- Sets the datatype
+ --
+ -- @param typ number containing the datatype
+ setType = function( self, typ ) self.type = typ end,
+
+ --- Sets the name
+ --
+ -- @param name string containing the name
+ setName = function( self, name) self.name = name end,
+
+
+ --- Sets the length
+ --
+ -- @param len number containing the length of the column
+ setLength = function( self, len ) self.len = len end,
+
+ --- Gets the column type
+ --
+ -- @return typ the column type
+ getType = function( self ) return self.type end,
+
+ --- Gets the column name
+ --
+ -- @return name the column name
+ getName = function( self ) return self.name end,
+
+ --- Gets the column length
+ --
+ -- @return len the column length
+ getLength = function( self ) return self.len end,
+}
+
+Packet = {}
+
+-- MetaData decoders used to decode the information for each data type in the
+-- meta data returned by the server
+--
+-- The decoders, should be self explanatory
+MetaDataDecoders = {
+
+ [Constants.DataType.INT] = function( data )
+ local col_md = ColMetaData:new( )
+ local pos = 19
+
+ if ( #data < pos ) then return false, "Failed to decode meta data for data type INT" end
+
+ local _, len = bin.unpack(">S", data, pos)
+ col_md:setLength(len)
+ col_md:setType( Constants.DataType.INT )
+
+ return true, col_md
+ end,
+
+ [Constants.DataType.CHAR] = function( data )
+ local status, col_md = MetaDataDecoders[Constants.DataType.INT]( data )
+ if( not(status) ) then
+ return false, "Failed to decode metadata for data type CHAR"
+ end
+ col_md:setType( Constants.DataType.CHAR )
+
+ return true, col_md
+ end,
+
+ [Constants.DataType.VARCHAR] = function( data )
+ local status, col_md = MetaDataDecoders[Constants.DataType.INT]( data )
+ if( not(status) ) then return false, "Failed to decode metadata for data type CHAR" end
+ col_md:setType( Constants.DataType.VARCHAR )
+
+ return true, col_md
+ end,
+
+ [Constants.DataType.SMALLINT] = function( data )
+ local status, col_md = MetaDataDecoders[Constants.DataType.INT]( data )
+ if( not(status) ) then return false, "Failed to decode metadata for data type SMALLINT" end
+ col_md:setType( Constants.DataType.SMALLINT )
+
+ return true, col_md
+ end,
+
+ [Constants.DataType.SERIAL] = function( data )
+ local status, col_md = MetaDataDecoders[Constants.DataType.INT]( data )
+ if( not(status) ) then return false, "Failed to decode metadata for data type SMALLINT" end
+ col_md:setType( Constants.DataType.SERIAL )
+
+ return true, col_md
+ end,
+
+ [Constants.DataType.DATETIME] = function( data )
+ local status, col_md = MetaDataDecoders[Constants.DataType.INT]( data )
+ if( not(status) ) then return false, "Failed to decode metadata for data type DATETIME" end
+ col_md:setType( Constants.DataType.DATETIME )
+ col_md:setLength(10)
+
+ return true, col_md
+ end,
+
+ [Constants.DataType.FLOAT] = function( data )
+ local status, col_md = MetaDataDecoders[Constants.DataType.INT]( data )
+ if( not(status) ) then return false, "Failed to decode metadata for data type DATETIME" end
+ col_md:setType( Constants.DataType.FLOAT )
+
+ return true, col_md
+ end,
+
+ [Constants.DataType.DATE] = function( data )
+ local status, col_md = MetaDataDecoders[Constants.DataType.INT]( data )
+ if( not(status) ) then return false, "Failed to decode metadata for data type DATETIME" end
+ col_md:setType( Constants.DataType.DATE )
+
+ return true, col_md
+ end,
+
+
+}
+
+-- DataType decoders used to decode result set returned from the server
+-- This class is still incomplete and some decoders just adjust the offset
+-- position rather than decode the value.
+--
+-- The decoders, should be self explanatory
+DataTypeDecoders = {
+
+ [Constants.DataType.INT] = function( data, pos )
+ return bin.unpack(">i", data, pos)
+ end,
+
+ [Constants.DataType.FLOAT] = function( data, pos )
+ return bin.unpack(">d", data, pos)
+ end,
+
+ [Constants.DataType.DATE] = function( data, pos )
+ return pos + 4, "DATE"
+ end,
+
+ [Constants.DataType.SERIAL] = function( data, pos )
+ return bin.unpack(">I", data, pos)
+ end,
+
+ [Constants.DataType.SMALLINT] = function( data, pos )
+ return bin.unpack(">s", data, pos)
+ end,
+
+ [Constants.DataType.CHAR] = function( data, pos, len )
+ local pos, ret = bin.unpack("A" .. len, data, pos)
+ return pos, Util.ifxToLuaString( ret )
+ end,
+
+ [Constants.DataType.VARCHAR] = function( data, pos, len )
+ local pos, len = bin.unpack("C", data, pos)
+ local ret
+
+ pos, ret = bin.unpack("A" .. len, data, pos)
+ return pos, Util.ifxToLuaString( ret )
+ end,
+
+ [Constants.DataType.DATETIME] = function( data, pos )
+ return pos + 10, "DATETIME"
+ end,
+
+}
+
+
+-- The MessageDecoders class "holding" the Response Decoders
+MessageDecoders = {
+
+ --- Decodes the SQ_ERR error message
+ --
+ -- @param socket already connected to the Informix database server
+ -- @return status true on success, false on failure
+ -- @return errmsg, Informix error message or decoding error message if
+ -- status is false
+ [Constants.Message.SQ_ERR] = function( socket )
+ local status, data = socket:recv(8)
+ local _, svcerr, oserr, errmsg, str, len, pos
+
+ if( not(status) ) then return false, "Failed to decode error response" end
+
+ pos, svcerr, oserr, _, len = bin.unpack(">ssss", data )
+
+ if( len and len > 0 ) then
+ status, data = socket:recv(len)
+ if( not(status) ) then return false, "Failed to decode error response" end
+ _, str = bin.unpack("A" .. len, data)
+ end
+
+ status, data = socket:recv(2)
+
+ errmsg = Constants.ErrorMsg[svcerr]
+ if ( errmsg and str ) then
+ errmsg = errmsg:format(str)
+ end
+ return false, errmsg or ("Informix returned an error (svcerror: %d, oserror: %d)"):format( svcerr, oserr )
+ end,
+
+ --- Decodes the SQ_PROTOCOLS message
+ --
+ -- @param socket already connected to the Informix database server
+ -- @return status true on success, false on failure
+ -- @return err error message if status is false
+ [Constants.Message.SQ_PROTOCOLS] = function( socket )
+ local status, data
+ local len, _
+
+ status, data = socket:recv(2)
+ if( not(status) ) then return false, "Failed to decode SQ_PROTOCOLS response" end
+ _, len = bin.unpack(">S", data )
+
+ -- read the remaining data
+ return socket:recv(len + 2)
+ end,
+
+ --- Decodes the SQ_EOT message
+ --
+ -- @return status, always true
+ [Constants.Message.SQ_EOT] = function( socket )
+ return true
+ end,
+
+ --- Decodes the SQ_DONE message
+ --
+ -- @param socket already connected to the Informix database server
+ -- @return status true on success, false on failure
+ -- @return err error message if status is false
+ [Constants.Message.SQ_DONE] = function( socket )
+ local status, data = socket:recv(2)
+ local _, len, tmp
+ if( not(status) ) then return false, "Failed to decode SQ_DONE response" end
+ _, len = bin.unpack(">S", data )
+
+ -- For some *@#! reason the SQ_DONE packet sometimes contains an
+ -- length exeeding the length of the packet by one. Attempt to
+ -- detect this and fix.
+ status, data = socket:recv( len )
+ _, tmp = bin.unpack(">S", data, len - 2)
+ return socket:recv( (tmp == 0) and 3 or 4 )
+ end,
+
+ --- Decodes the metadata for a result set
+ --
+ -- @param socket already connected to the Informix database server
+ -- @return status true on success, false on failure
+ -- @return column_meta table containing the metadata
+ [Constants.Message.SQ_DESCRIBE] = function( socket )
+ local status, data = socket:recv(14)
+ local pos, cols, col_type, col_name, col_len, col_md, stmt_id
+ local coldesc_len, x
+ local column_meta = {}
+
+ if( not(status) ) then return false, "Failed to decode SQ_DESCRIBE response" end
+ pos, cols, coldesc_len = bin.unpack(">SS", data, 11)
+ pos, stmt_id = bin.unpack(">S", data, 3)
+
+ if ( cols <= 0 ) then
+ -- We can end up here if we executed a CREATE, UPDATE OR INSERT statement
+ local tmp
+ status, data = socket:recv(2)
+ if( not(status) ) then return false, "Failed to decode SQ_DESCRIBE response" end
+
+ pos, tmp = bin.unpack(">S", data)
+
+ -- This was the result of a CREATE or UPDATE statement
+ if ( tmp == 0x0f ) then
+ status, data = socket:recv(26)
+ -- This was the result of a INSERT statement
+ elseif( tmp == 0x5e ) then
+ status, data = socket:recv(46)
+ end
+ return true
+ end
+
+ status, data = socket:recv(6)
+ if( not(status) ) then return false, "Failed to decode SQ_DESCRIBE response" end
+
+ for i=1, cols do
+
+ status, data = socket:recv(2)
+ if( not(status) ) then return false, "Failed to decode SQ_DESCRIBE response" end
+ pos, col_type = bin.unpack("C", data, 2)
+
+ if ( MetaDataDecoders[col_type] ) then
+
+ status, data = socket:recv(20)
+ if( not(status) ) then
+ return false, "Failed to read column meta data"
+ end
+
+ status, col_md = MetaDataDecoders[col_type]( data )
+ if ( not(status) ) then
+ return false, col_md
+ end
+ else
+ return false, ("No metadata decoder for column type: %d"):format(col_type)
+ end
+
+ if ( iS", data)
+ if( data == Constants.Message.SQ_DONE ) then
+ status, data = socket:recv(26)
+ else
+ status, data = socket:recv(10)
+ end
+ return true, { metadata = column_meta, stmt_id = stmt_id }
+ end,
+
+ --- Processes the result from a query
+ --
+ -- @param socket already connected to the Informix database server
+ -- @param info table containing the following fields:
+ -- metadata as recieved from SQ_DESCRIBE
+ -- rows containing already retrieved rows
+ -- id containing the statement id as sent to SQ_ID
+ -- @return status true on success, false on failure
+ -- @return rows table containing the resulting columns and rows as:
+ -- { { col, col2, col3 } }
+ -- or error message if status is false
+ [Constants.Message.SQ_TUPLE] = function( socket, info )
+ local status, data
+ local row = {}
+ local count = 1
+
+ if ( not( info.rows ) ) then info.rows = {} end
+
+ while (true) do
+ local pos = 1
+
+ status, data = socket:recv(6)
+ if( not(status) ) then return false, "Failed to read column data" end
+
+ local _, total_len = bin.unpack(">I", data, 3)
+ status, data = socket:recv( ( total_len % 2 == 0 ) and total_len or total_len + 1)
+ if( not(status) ) then return false, "Failed to read column data" end
+
+ row = {}
+ for _, col in ipairs(info.metadata) do
+ local typ, len, name = col:getType(), col:getLength(), col:getName()
+ local val
+
+ if( DataTypeDecoders[typ] ) then
+ pos, val = DataTypeDecoders[typ]( data, pos, len )
+ else
+ return false, ("No data type decoder for type: 0x%d"):format(typ)
+ end
+ table.insert( row, val )
+ end
+
+ status, data = socket:recv(2)
+
+ local _, flags = bin.unpack(">S", data)
+
+ count = count + 1
+ table.insert( info.rows, row )
+
+ -- Check if we're done
+ if ( Constants.Message.SQ_DONE == flags ) then
+ break
+ end
+
+ -- If there's more data we need to send a new SQ_ID packet
+ if ( flags == Constants.Message.SQ_EOT ) then
+ local status, tmp = socket:send( tostring(Packet.SQ_ID:new( info.id, nil, "continue" ) ) )
+ local pkt_type
+
+ status, tmp = socket:recv( 2 )
+ pos, pkt_type = bin.unpack(">S", tmp)
+
+ return MessageDecoders[pkt_type]( socket, info )
+ end
+
+ end
+
+ -- read the remaining data
+ status, data = socket:recv( 26 )
+ if( not(status) ) then return false, "Failed to read column data" end
+
+ -- signal finnish reading
+ status, data = socket:send( tostring(Packet.SQ_ID:new( info.id, nil, "end" ) ) )
+ status, data = socket:recv( 2 )
+
+ return true, info
+
+ end,
+
+ --- Decodes a SQ_DBLIST response
+ --
+ -- @param socket already connected to the Informix database server
+ -- @return status true on success, false on failure
+ -- @return databases array of database names
+ [Constants.Message.SQ_DBLIST] = function( socket )
+
+ local status, data, pos, len, db
+ local databases = {}
+
+ while( true ) do
+ status, data = socket:recv(2)
+ if ( not(status) ) then return false, "Failed to parse SQ_DBLIST response" end
+
+ pos, len = bin.unpack(">S", data)
+ if ( 0 == len ) then break end
+
+ status, data = socket:recv(len)
+ if ( not(status) ) then return false, "Failed to parse SQ_DBLIST response" end
+
+ pos, db = bin.unpack("A" .. len, data )
+ table.insert( databases, db )
+
+ if ( len %2 == 1 ) then
+ socket:recv(1)
+ if ( not(status) ) then return false, "Failed to parse SQ_DBLIST response" end
+ end
+ end
+
+ -- read SQ_EOT
+ status, data = socket:recv(2)
+
+ return true, databases
+ end,
+
+ [Constants.Message.SQ_EXIT] = function( socket )
+ local status, data = socket:recv(2)
+ if ( not(status) ) then return false, "Failed to parse SQ_EXIT response" end
+
+ return true
+ end
+
+
+}
+
+-- Packet used to request a list of available databases
+Packet.SQ_DBLIST =
+{
+ --- Creates a new Packet.SQ_DBLIST instance
+ --
+ -- @return object new instance of Packet.SQ_DBLIST
+ new = function( self )
+ local o = {}
+ setmetatable(o, self)
+ self.__index = self
+ return o
+ end,
+
+ --- Converts the class to a string suitable to send over the socket
+ --
+ -- @return string containing the packet data
+ __tostring = function(self)
+ return bin.pack(">SS", Constants.Message.SQ_DBLIST, Constants.Message.SQ_EOT)
+ end
+
+}
+
+-- Packet used to open the database
+Packet.SQ_DBOPEN =
+{
+
+ --- Creates a new Packet.SQ_DBOPEN instance
+ --
+ -- @param database string containing the name of the database to open
+ -- @return object new instance of Packet.SQ_DBOPEN
+ new = function( self, database )
+ local o = {}
+ setmetatable(o, self)
+ self.__index = self
+ o.database = database
+ return o
+ end,
+
+ --- Converts the class to a string suitable to send over the socket
+ --
+ -- @return string containing the packet data
+ __tostring = function(self)
+ return bin.pack(">SSASS", Constants.Message.SQ_DBOPEN, #self.database,
+ Util.padToOdd(self.database), 0x00,
+ Constants.Message.SQ_EOT)
+ end
+
+}
+
+-- This packet is "a mess" and requires further analysis
+Packet.SQ_ID =
+{
+ --- Creates a new Packet.SQ_ID instance
+ --
+ -- @param id number containing the statement identifier
+ -- @param s1 number unknown, should be 0 on first call and 1 when more data is requested
+ -- @return object new instance of Packet.SQ_ID
+ new = function( self, id, id2, mode )
+ local o = {}
+ setmetatable(o, self)
+ self.__index = self
+ o.id = ("_ifxc%.13d"):format( id2 or 0 )
+ o.seq = id
+ o.mode = mode
+ return o
+ end,
+
+ --- Converts the class to a string suitable to send over the socket
+ --
+ -- @return string containing the packet data
+ __tostring = function(self)
+ if ( self.mode == "continue" ) then
+ return bin.pack( ">SSSSSS", Constants.Message.SQ_ID, self.seq, 0x0009, 0x1000, 0x0000, Constants.Message.SQ_EOT )
+ elseif ( self.mode == "end" ) then
+ return bin.pack( ">SSSS", Constants.Message.SQ_ID, self.seq, 0x000a, Constants.Message.SQ_EOT)
+ else
+ return bin.pack(">SSSSASSSSSSS", Constants.Message.SQ_ID, self.seq, 0x0003, #self.id, self.id,
+ 0x0006, 0x0004, self.seq, 0x0009, 0x1000, 0x0000, Constants.Message.SQ_EOT )
+ end
+ end
+
+}
+
+Packet.SQ_INFO =
+{
+
+ -- The default parameters
+ DEFAULT_PARAMETERS = {
+ [1] = { ["DBTEMP"] = "/tmp" },
+ [2] = { ["SUBQCACHESZ"] = "10" },
+ },
+
+ --- Creates a new Packet.SQ_INFO instance
+ --
+ -- @param params containing any additional parameters to use
+ -- @return object new instance of Packet.SQ_INFO
+ new = function( self, params )
+ local o = {}
+ local params = params or Packet.SQ_INFO.DEFAULT_PARAMETERS
+ setmetatable(o, self)
+ self.__index = self
+ o.parameters = {}
+
+ for _, v in ipairs( params ) do
+ for k2, v2 in pairs(v) do
+ o:addParameter( k2, v2 )
+ end
+ end
+ return o
+ end,
+
+ addParameter = function( self, key, value )
+ table.insert( self.parameters, { [key] = value } )
+ end,
+
+ paramToString = function( self, key, value )
+ return bin.pack(">SASA", #key, Util.padToOdd(key), #value, Util.padToOdd( value ) )
+ end,
+
+ --- Converts the class to a string suitable to send over the socket
+ --
+ -- @return string containing the packet data
+ __tostring = function( self )
+ local params = ""
+ local data
+
+ for _, v in ipairs( self.parameters ) do
+ for k2, v2 in pairs( v ) do
+ params = params .. self:paramToString( k2, v2 )
+ end
+ end
+
+ data = bin.pack(">SSSSS", Constants.Message.SQ_INFO, 0x0006, #params + 6, 0x000c, 0x0004 )
+ data = data .. params .. bin.pack(">SSS", 0x0000, 0x0000, Constants.Message.SQ_EOT)
+ return data
+ end
+}
+
+-- Performs protocol negotiation?
+Packet.SQ_PROTOCOLS =
+{
+ -- hex-encoded data to send as protocol negotiation
+ data = "0007fffc7ffc3c8c8a00000c",
+
+ --- Creates a new Packet.SQ_PROTOCOLS instance
+ --
+ -- @return object new instance of Packet.SQ_PROTOCOLS
+ new = function( self )
+ local o = {}
+ setmetatable(o, self)
+ self.__index = self
+ return o
+ end,
+
+ --- Converts the class to a string suitable to send over the socket
+ --
+ -- @return string containing the packet data
+ __tostring = function(self)
+ return bin.pack(">SH", Constants.Message.SQ_PROTOCOLS, self.data)
+ end
+
+}
+
+-- Packet used to execute SELECT Queries
+Packet.SQ_PREPARE =
+{
+
+ --- Creates a new Packet.SQ_PREPARE instance
+ --
+ -- @param query string containing the query to execute
+ -- @return object new instance of Packet.SQ_PREPARE
+ new = function( self, query )
+ local o = {}
+ setmetatable(o, self)
+ self.__index = self
+ o.query = Util.padToEven(query)
+ return o
+ end,
+
+ --- Converts the class to a string suitable to send over the socket
+ --
+ -- @return string containing the packet data
+ __tostring = function(self)
+ return bin.pack(">SIACSSS", Constants.Message.SQ_PREPARE, #self.query, self.query, 0, 0x0016, 0x0031, Constants.Message.SQ_EOT)
+ end
+
+}
+
+-- Packet used to execute commands other than SELECT
+Packet.SQ_COMMAND =
+{
+
+ --- Creates a new Packet.SQ_COMMAND instance
+ --
+ -- @param query string containing the query to execute
+ -- @return object new instance of Packet.SQ_COMMAND
+ new = function( self, query )
+ local o = {}
+ setmetatable(o, self)
+ self.__index = self
+ o.query = Util.padToEven(query)
+ return o
+ end,
+
+ --- Converts the class to a string suitable to send over the socket
+ --
+ -- @return string containing the packet data
+ __tostring = function(self)
+ return bin.pack(">SIACSSSS", Constants.Message.SQ_COMMAND, #self.query, self.query, 0, 0x0016, 0x0007, 0x000b, Constants.Message.SQ_EOT)
+ end
+
+}
+
+Packet.SQ_EXIT = {
+
+ --- Creates a new Packet.SQ_EXIT instance
+ --
+ -- @return object new instance of Packet.SQ_EXIT
+ new = function( self )
+ local o = {}
+ setmetatable(o, self)
+ self.__index = self
+ return o
+ end,
+
+ --- Converts the class to a string suitable to send over the socket
+ --
+ -- @return string containing the packet data
+ __tostring = function(self)
+ return bin.pack(">S", Constants.Message.SQ_EXIT)
+ end
+
+}
+
+-- The Utility Class
+Util =
+{
+ --- Converts a connection parameter to string
+ --
+ -- @param param string containing the parameter name
+ -- @param value string containing the parameter value
+ -- @return string containing the encoded parameter as string
+ paramToString = function( param, value )
+ return bin.pack(">PP", param, value )
+ end,
+
+ --- Pads a string to an even number of characters
+ --
+ -- @param str the string to pad
+ -- @param pad the character to pad with
+ -- @return result the padded string
+ padToEven = function( str, pad )
+ return (#str % 2 == 1) and str or str .. ( pad and pad or "\0")
+ end,
+
+ --- Pads a string to an odd number of characters
+ --
+ -- @param str the string to pad
+ -- @param pad the character to pad with
+ -- @return result the padded string
+ padToOdd = function( str, pad )
+ return (#str % 2 == 0) and str or str .. ( pad and pad or "\0")
+ end,
+
+ --- Formats a table to suitable script output
+ --
+ -- @param info as returned from ExecutePrepare
+ -- @return table suitable for use by stdnse.format_output
+ formatTable = function( info )
+ local header, row = "", ""
+ local result = {}
+ local metadata = info.metadata
+ local rows = info.rows
+
+ if ( info.error ) then
+ table.insert(result, info.error)
+ return result
+ end
+
+ if ( info.info ) then
+ table.insert(result, info.info)
+ return result
+ end
+
+ if ( not(metadata) ) then return "" end
+
+ for i=1, #metadata do
+ if ( metadata[i]:getType() == Constants.DataType.CHAR and metadata[i]:getLength() < 50) then
+ header = header .. ("%-" .. metadata[i]:getLength() .. "s "):format(metadata[i]:getName())
+ else
+ header = header .. metadata[i]:getName()
+ if ( i<#metadata ) then
+ header = header .. "\t"
+ end
+ end
+ end
+ table.insert( result, header )
+
+ for j=1, #rows do
+ row = ""
+ for i=1, #metadata do
+ row = row .. rows[j][i] .. " "
+ if ( metadata[i]:getType() ~= Constants.DataType.CHAR and i<#metadata and metadata[i]:getLength() < 50 ) then row = row .. "\t" end
+ end
+ table.insert( result, row )
+ end
+
+ return result
+ end,
+
+ -- Removes trailing nulls
+ --
+ -- @param str containing the informix string
+ -- @return ret the string with any trailing nulls removed
+ ifxToLuaString = function( str )
+ local ret
+
+ if ( not(str) ) then return "" end
+
+ if ( str:sub(-1, -1 ) ~= "\0" ) then
+ return str
+ end
+
+ for i=1, #str do
+ if ( str:sub(-i,-i) == "\0" ) then
+ ret = str:sub(1, -i - 1)
+ else
+ break
+ end
+ end
+
+ return ret
+ end,
+}
+
+-- The connection Class, used to connect and authenticate to the server
+-- Currently only supports plain-text authentication
+--
+-- The unknown portions in the __tostring method have been derived from Java
+-- code connecting to Informix using JDBC.
+Packet.Connect = {
+
+ -- default parameters sent using JDBC
+ DEFAULT_PARAMETERS = {
+ [1] = { ['LOCKDOWN'] = 'no' },
+ [2] = { ['DBDATE'] = 'Y4MD-' },
+ [3] = { ['SINGLELEVEL'] = 'no' },
+ [4] = { ['NODEFDAC'] = 'no' },
+ [5] = { ['CLNT_PAM_CAPABLE'] = '1' },
+ [6] = { ['SKALL'] = '0' },
+ [7] = { ['LKNOTIFY'] = 'yes' },
+ [8] = { ['SKSHOW'] = '0' },
+ [9] = { ['IFX_UPDDESC'] = '1' },
+ [10] = { ['DBPATH'] = '.' },
+ [11] = { ['CLIENT_LOCALE'] = 'en_US.8859-1' },
+ [12] = { ['SKINHIBIT'] = '0' },
+ },
+
+ --- Creates a new Connection packet
+ --
+ -- @param username string containing the username for authentication
+ -- @param password string containing the password for authentication
+ -- @param instance string containing the instance to connect to
+ -- @return a new Packet.Connect instance
+ new = function(self, username, password, instance, parameters)
+ local o = {}
+ setmetatable(o, self)
+ self.__index = self
+ o.username = username and username .. "\0"
+ o.password = password and password .. "\0"
+ o.instance = instance and instance .. "\0"
+ o.parameters = parameters
+ return o
+ end,
+
+ --- Adds the default set of parameters
+ addDefaultParameters = function( self )
+ for _, v in ipairs( self.DEFAULT_PARAMETERS ) do
+ for k2, v2 in pairs( v ) do
+ self:addParameter( k2, v2 )
+ end
+ end
+ end,
+
+ --- Adds a parameter to the connection packet
+ --
+ -- @param param string containing the parameter name
+ -- @param value string containing the parameter value
+ -- @return status, always true
+ addParameter = function( self, param, value )
+ local tbl = {}
+ tbl[param] = value
+ table.insert( self.parameters, tbl )
+
+ return true
+ end,
+
+ --- Retrieves the OS error code
+ --
+ -- @return oserror number containing the OS error code
+ getOsError = function( self ) return self.oserror end,
+
+ --- Retrieves the Informix service error
+ --
+ -- @return svcerror number containing the service error
+ getSvcError = function( self ) return self.svcerror end,
+
+ --- Retrieves the Informix error message
+ --
+ -- @return errmsg string containing the "mapped" error message
+ getErrMsg = function( self ) return self.errmsg end,
+
+ --- Reads and decodes the response to the connect packet from the server.
+ -- The function will return true even if the response contains an Informix
+ -- error. In order to verify if the connection was successful, check for OS
+ -- or service errors using the getSvcError and getOsError methods.
+ --
+ -- @param socket already connected to the server
+ -- @return status true on success, false on failure
+ -- @return err msg if status is false
+ readResponse = function( self, socket )
+ local status, data = socket:recv( 2 )
+ local len, pos, tmp
+
+ if ( not(status) ) then return false, data end
+ pos, len = bin.unpack(">S", data)
+ status, data = socket:recv( len - 2 )
+ if ( not(status) ) then return false, data end
+
+ pos = 13
+ pos, tmp = bin.unpack(">S", data, pos)
+ pos = pos + tmp
+
+ pos, tmp = bin.unpack(">S", data, pos)
+
+ if ( 108 ~= tmp ) then
+ return false, "Connect recieved unexpected response"
+ end
+
+ pos = pos + 12
+ -- version
+ pos, len = bin.unpack(">S", data, pos)
+ pos, self.version = bin.unpack("A" .. len, data, pos)
+
+ -- serial
+ pos, len = bin.unpack(">S", data, pos)
+ pos, self.serial = bin.unpack("A" .. len, data, pos)
+
+ -- applid
+ pos, len = bin.unpack(">S", data, pos)
+ pos, self.applid = bin.unpack("A" .. len, data, pos)
+
+ -- skip 14 bytes ahead
+ pos = pos + 14
+
+ -- do some more skipping
+ pos, tmp = bin.unpack(">S", data, pos)
+ pos = pos + tmp
+
+ -- do some more skipping
+ pos, tmp = bin.unpack(">S", data, pos)
+ pos = pos + tmp
+
+ -- skip another 24 bytes
+ pos = pos + 24
+ pos, tmp = bin.unpack(">S", data, pos)
+
+ if ( tmp ~= 102 ) then
+ return false, "Connect recieved unexpected response"
+ end
+
+ pos = pos + 6
+ pos, self.svcerror = bin.unpack(">s", data, pos)
+ pos, self.oserror = bin.unpack(">s", data, pos )
+
+ if ( self.svcerror ~= 0 ) then
+ self.errmsg = Constants.ErrorMsg[self.svcerror] or ("Unknown error %d occured"):format( self.svcerror )
+ end
+
+ return true
+ end,
+
+ --- Converts the class to a string suitable to send over the socket
+ --
+ -- @return string containing the packet data
+ __tostring = function( self )
+ local data
+ local unknown = [[
+ 013c0000006400650000003d0006494545454d00006c73716c65786563000000
+ 00000006392e32383000000c524453235230303030303000000573716c690000
+ 00013300000000000000000001
+ ]]
+
+ local unknown2 = [[
+ 6f6c0000000000000000003d746c697463700000000000010068000b
+ 00000003
+ ]]
+
+ local unknown3 = [[
+ 00000000000000000000006a
+ ]]
+
+ local unknown4 = [[ 007f ]]
+
+ if ( not(self.parameters) ) then
+ self.parameters = {}
+ self:addDefaultParameters()
+ end
+
+ data = bin.pack(">HPPHPHS", unknown, self.username, self.password, unknown2, self.instance, unknown3, #self.parameters )
+
+ if ( self.parameters ) then
+ for _, v in ipairs( self.parameters ) do
+ for k2, v2 in pairs( v ) do
+ data = data .. Util.paramToString( k2 .. "\0", v2 .. "\0" )
+ end
+ end
+ end
+
+ data = data .. bin.pack("H", unknown4)
+ data = bin.pack(">S", #data + 2) .. data
+
+ return data
+ end,
+
+
+}
+
+-- The communication class
+Comm =
+{
+ --- Creates a new Comm instance
+ --
+ -- @param socket containing a buffered socket connected to the server
+ -- @return a new Comm instance
+ new = function(self, socket)
+ local o = {}
+ setmetatable(o, self)
+ self.__index = self
+ o.socket = socket
+ return o
+ end,
+
+ --- Sends and packet and attempts to handle the response
+ --
+ -- @param packets an instance of a Packet.* class
+ -- @param info any additional info to pass as the second parameter to the
+ -- decoder
+ -- @return status true on success, false on failure
+ -- @return data returned from the ResponseDecoder
+ exchIfxPacket = function( self, packet, info )
+ local _, typ
+ local status, data = self.socket:send( tostring(packet) )
+ if ( not(status) ) then return false, data end
+
+ status, data = self.socket:recv( 2 )
+ _, typ = bin.unpack(">S", data)
+
+ if ( MessageDecoders[typ] ) then
+ status, data = MessageDecoders[typ]( self.socket, info )
+ else
+ return false, ("Unsupported data returned from server (type: 0x%x)"):format(typ)
+ end
+
+ return status, data
+ end
+
+}
+
+-- The Helper class providing easy access to the other db functionality
+Helper = {
+
+ --- Creates a new Helper instance
+ --
+ -- @param host table as passed to the action script function
+ -- @param port table as passed to the action script function
+ -- @param instance [optional] string containing the instance to connect to
+ -- in case left empty it's populated by the informix.instance script
+ -- argument.
+ -- @return Helper instance
+ new = function(self, host, port, instance)
+ local o = {}
+ setmetatable(o, self)
+ self.__index = self
+ o.host = host
+ o.port = port
+ o.socket = Socket:new()
+ o.instance = instance or "nmap_probe"
+ return o
+ end,
+
+ --- Connects to the Informix server
+ --
+ -- @return true on success, false on failure
+ -- @return err containing error message when status is false
+ Connect = function( self )
+ local status, data
+ local conn, packet
+
+ status, data = self.socket:connect( self.host.ip, self.port.number, "tcp" )
+
+ if( not(status) ) then
+ return status, data
+ end
+
+ self.comm = Comm:new( self.socket )
+
+ return true
+ end,
+
+ --- Attempts to login to the Informix database server
+ -- The optional parameters parameter takes any informix specific parameters
+ -- used to connect to the database. In case it's ommited a set of default
+ -- parameters are set. Parameters should be past as key, value pairs inside
+ -- of a table array as the following example:
+ --
+ -- local params = {
+ -- [1] = { ["PARAM1"] = "VALUE1" },
+ -- [2] = { ["PARAM2"] = "VALUE2" },
+ -- }
+ --
+ -- @param username string containing the username for authentication
+ -- @param password string containing the password for authentication
+ -- @param parameters [optional] table of informix specific parameters
+ -- @param database [optional] database to connect to
+ -- @param retry [optional] used when autodetecting instance
+ -- @return status true on success, false on failure
+ -- @return err containing the error message if status is false
+ Login = function( self, username, password, parameters, database, retry )
+ local conn, status, data, len, packet
+
+ conn = Packet.Connect:new( username, password, self.instance, parameters )
+
+ status, data = self.socket:send( tostring(conn) )
+ if ( not(status) ) then return false, "Helper.Login failed to send login request" end
+ status = conn:readResponse( self.socket )
+ if ( not(status) ) then return false, "Helper.Login failed to read response" end
+
+ if ( status and ( conn:getOsError() ~= 0 or conn:getSvcError() ~= 0 ) ) then
+ -- Check if we didn't supply the correct instance name, if not attempt to
+ -- reconnect using the instance name returned by the server
+ if ( conn:getSvcError() == -761 and not(retry) ) then
+ self.instance = conn.applid
+ self:Close()
+ self:Connect()
+ return self:Login( username, password, parameters, database, 1 )
+ end
+ return false, conn:getErrMsg()
+ end
+
+ status, packet = self.comm:exchIfxPacket( Packet.SQ_PROTOCOLS:new() )
+ if ( not(status) ) then return false, packet end
+
+ status, packet = self.comm:exchIfxPacket( Packet.SQ_INFO:new() )
+ if ( not(status) ) then return false, packet end
+
+ -- If a database was supplied continue further protocol negotiation and
+ -- attempt to open the database.
+ if ( database ) then
+ status, packet = self:OpenDatabase( database )
+ if ( not(status) ) then return false, packet end
+ end
+
+ return true
+ end,
+
+ --- Opens a database
+ --
+ -- @param database string containing the database name
+ -- @return status true on success, false on failure
+ -- @return err string containing the error message if status is false
+ OpenDatabase = function( self, database )
+ return self.comm:exchIfxPacket( Packet.SQ_DBOPEN:new( database ) )
+ end,
+
+ --- Attempts to retrieve a list of available databases
+ --
+ -- @return status true on success, false on failure
+ -- @return databases array of database names or err on failure
+ GetDatabases = function( self )
+ return self.comm:exchIfxPacket( Packet.SQ_DBLIST:new() )
+ end,
+
+ Query = function( self, query )
+ local status, metadata, data, res
+ local id, seq = 0, 1
+ local result = {}
+
+ if ( type(query) == "string" ) then
+ query = stdnse.strsplit(";%s*", query)
+ end
+
+ for _, q in ipairs( query ) do
+ if ( q:upper():match("^%s*SELECT") ) then
+ status, data = self.comm:exchIfxPacket( Packet.SQ_PREPARE:new( q ) )
+ seq = seq + 1
+ else
+ status, data = self.comm:exchIfxPacket( Packet.SQ_COMMAND:new( q .. ";" ) )
+ end
+
+ if( status and data ) then
+ metadata = data.metadata
+ status, data = self.comm:exchIfxPacket( Packet.SQ_ID:new( data.stmt_id, seq, "begin" ), { metadata = metadata, id = id, rows = nil, query=q } )
+
+ -- check if any rows were returned
+ if ( not( data.rows ) ) then
+ data = { query = q, info = "No rows returned" }
+ end
+ --if( not(status) ) then return false, data end
+ elseif( not(status) ) then
+ data = { query = q, ["error"] = "ERROR: " .. data }
+ else
+ data = { query = q, info = "No rows returned" }
+ end
+ table.insert( result, data )
+ end
+
+ return true, result
+ end,
+
+ --- Closes the connection to the server
+ --
+ -- @return status true on success, false on failure
+ Close = function( self )
+ local status, packet = self.comm:exchIfxPacket( Packet.SQ_EXIT:new() )
+ return self.socket:close()
+ end,
+
+}
\ No newline at end of file
diff --git a/scripts/informix-brute.nse b/scripts/informix-brute.nse
new file mode 100644
index 000000000..4ae676331
--- /dev/null
+++ b/scripts/informix-brute.nse
@@ -0,0 +1,115 @@
+description = [[
+Performs password guessing against Informix Dynamic Server
+]]
+
+---
+-- @usage
+-- nmap --script informix-brute -p 9088
+--
+-- @output
+-- PORT STATE SERVICE
+-- 9088/tcp open unknown
+-- | informix-brute:
+-- | Accounts
+-- | ifxnoob:ifxnoob => Login correct
+-- | Statistics
+-- |_ Perfomed 25024 guesses in 75 seconds, average tps: 320
+--
+-- Summary
+-- -------
+-- x The Driver class contains the driver implementation used by the brute
+-- library
+--
+
+--
+-- Version 0.1
+-- Created 07/23/2010 - v0.1 - created by Patrik Karlsson
+--
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive", "auth"}
+
+require 'shortport'
+require 'brute'
+require 'informix'
+
+portrule = shortport.port_or_service( { 1526, 9088, 9090, 9092 }, "informix", "tcp", "open")
+
+Driver =
+{
+
+ new = function(self, host, port)
+ local o = {}
+ setmetatable(o, self)
+ self.__index = self
+ o.host = host
+ o.port = port
+ return o
+ end,
+
+ --- Connects performs protocol negotiation
+ --
+ -- @return true on success, false on failure
+ connect = function( self )
+ local status, data
+ self.helper = informix.Helper:new( self.host, self.port, "on_nmap_dummy" )
+
+ status, data = self.helper:Connect()
+ if ( not(status) ) then
+ return status, data
+ end
+
+ return true
+ end,
+
+ --- Attempts to login to the Oracle server
+ --
+ -- @param username string containing the login username
+ -- @param password string containing the login password
+ -- @return status, true on success, false on failure
+ -- @return brute.Error object on failure
+ -- brute.Account object on success
+ login = function( self, username, password )
+ local status, data = self.helper:Login( username, password, {} )
+
+ if ( status ) then
+ if ( not(nmap.registry['informix-brute']) ) then
+ nmap.registry['informix-brute'] = {}
+ end
+ table.insert( nmap.registry['informix-brute'], { ["username"] = username, ["password"] = password } )
+ return true, brute.Account:new(username, password, "OPEN")
+ -- Check for account locked message
+ elseif ( data:match("INFORMIXSERVER does not match either DBSERVERNAME or DBSERVERALIASES") ) then
+ return true, brute.Account:new(username, password, "OPEN")
+ end
+
+ return false, brute.Error:new( data )
+
+ end,
+
+ --- Disconnects and terminates the Oracle TNS communication
+ disconnect = function( self )
+ self.helper:Close()
+ end,
+
+ --- Perform a connection with the helper, this makes sure that the Oracle
+ -- instance is correct.
+ --
+ -- @return status true on success false on failure
+ -- @return err containing the error message on failure
+ check = function( self )
+ return true
+ end,
+
+}
+
+
+action = function(host, port)
+ local status, result
+ local engine = brute.Engine:new(Driver, host, port )
+
+ status, result = engine:start()
+
+ return result
+end
\ No newline at end of file
diff --git a/scripts/informix-query.nse b/scripts/informix-query.nse
new file mode 100644
index 000000000..1861385d5
--- /dev/null
+++ b/scripts/informix-query.nse
@@ -0,0 +1,88 @@
+description = [[
+Runs a query against IBM Informix Dynamic Server.
+]]
+
+---
+-- @usage
+-- nmap -np 9088 --script informix-query --script-args informix-query.username=informix,informix-query.password=informix
+--
+-- @output
+-- PORT STATE SERVICE
+-- 9088/tcp open unknown syn-ack
+-- | informix-query:
+-- | Information
+-- | User: informix
+-- | Database: sysmaster
+-- | Query: "SELECT FIRST 1 DBINFO('dbhostname') hostname, DBINFO('version','full') version FROM systables"
+-- | Results
+-- | hostname version
+-- |_ patrik-laptop IBM Informix Dynamic Server Version 11.50.UC4E
+--
+-- @args informix-query.username The username used for authentication
+-- @args informix-query.password The password used for authentication
+-- @args informix-query.database The name of the database to connect to
+-- (default: sysmaster)
+-- @args informix-query.query The query to run against the server
+-- (default: returns hostname and version)
+
+-- Version 0.1
+
+-- Created 07/28/2010 - v0.1 - created by Patrik Karlsson
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive", "auth"}
+dependencies = { "informix-brute" }
+
+require 'shortport'
+require 'informix'
+
+portrule = shortport.port_or_service( { 1526, 9088, 9090, 9092 }, "informix", "tcp", "open")
+
+action = function( host, port )
+ local instance = nmap.registry.args['informix-info.instance']
+ local helper
+ local status, data
+ local result = {}
+ local user = nmap.registry.args['informix-query.username']
+ local pass = nmap.registry.args['informix-query.password']
+ local query = nmap.registry.args['informix-query.query']
+ local db = nmap.registry.args['informix-query.database'] or "sysmaster"
+
+ query = query or "SELECT FIRST 1 DBINFO('dbhostname') hostname, " ..
+ "DBINFO('version','full') version FROM systables"
+
+ helper = informix.Helper:new( host, port, instance )
+
+ -- If no user was specified lookup the first user in the registry saved by
+ -- the informix-brute script
+ if ( not(user) ) then
+ if ( nmap.registry['informix-brute'] and nmap.registry['informix-brute'][1]["username"] ) then
+ user = nmap.registry['informix-brute'][1]["username"]
+ pass = nmap.registry['informix-brute'][1]["password"]
+ else
+ return " \n ERROR: No credentials specified (see informix-table.username and informix-table.password)"
+ end
+ end
+
+ status, data = helper:Connect()
+ if ( not(status) ) then
+ return stdnse.format_output(status, data)
+ end
+
+ status, data = helper:Login(user, pass, nil, db)
+ if ( not(status) ) then return stdnse.format_output(status, data) end
+
+ status, data = helper:Query(query)
+ if ( not(status) ) then return stdnse.format_output(status, data) end
+
+ for _, rs in ipairs(data) do
+ table.insert( result, { "User: " .. user, "Database: " .. db, ( "Query: \"%s\"" ):format( rs.query ), name="Information" } )
+ local tmp = informix.Util.formatTable( rs )
+ tmp.name = "Results"
+ table.insert( result, tmp )
+ end
+
+
+ return stdnse.format_output(status, result)
+end
\ No newline at end of file
diff --git a/scripts/informix-tables.nse b/scripts/informix-tables.nse
new file mode 100644
index 000000000..8034d8671
--- /dev/null
+++ b/scripts/informix-tables.nse
@@ -0,0 +1,115 @@
+description = [[
+Retrieves a list of tables and column definition for each Informix database
+]]
+
+---
+-- @usage
+-- nmap -p 9088 --script informix-tables --script-args informix-tables.username=informix,informix-tables.password=informix
+--
+-- @output
+-- PORT STATE SERVICE REASON
+-- 9088/tcp open unknown syn-ack
+-- | informix-tables:
+-- | Information
+-- | User: informix
+-- | Database: stores_demo
+-- | Results
+-- | table column rows
+-- | call_type call_code 5
+-- | call_type code_descr 5
+-- | catalog cat_advert 74
+-- | catalog cat_descr 74
+-- | catalog cat_picture 74
+-- | catalog catalog_num 74
+-- | catalog manu_code 74
+-- | catalog stock_num 74
+-- | classes class 4
+-- | classes classid 4
+-- | classes subject 4
+-- | cust_calls call_code 7
+-- | cust_calls call_descr 7
+-- | cust_calls call_dtime 7
+-- | cust_calls customer_num 7
+-- | cust_calls res_descr 7
+-- | cust_calls res_dtime 7
+-- | cust_calls user_id 7
+-- | warehouses warehouse_id 4
+-- | warehouses warehouse_name 4
+-- |_ warehouses warehouse_spec 4
+--
+-- @args informix-query.username The username used for authentication
+-- @args informix-query.password The password used for authentication
+--
+-- Version 0.1
+-- Created 27/07/2010 - v0.1 - created by Patrik Karlsson
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive", "auth"}
+dependencies = { "informix-brute" }
+
+require 'shortport'
+require 'informix'
+
+portrule = shortport.port_or_service( { 1526, 9088, 9090, 9092 }, "informix", "tcp", "open")
+
+action = function( host, port )
+ local helper
+ local status, data
+ local result, output = {}, {}
+ local user = nmap.registry.args['informix-tables.username']
+ local pass = nmap.registry.args['informix-tables.password'] or ""
+ local query= [[
+ SELECT cast(tabname as char(20)) table, cast(colname as char(20)) column, cast( cast(nrows as int) as char(20)) rows
+ FROM "informix".systables st, "informix".syscolumns sc
+ WHERE sc.tabid = st.tabid and st.tabid > 99 and st.tabtype='T'
+ ORDER BY table, column]]
+ local excluded_dbs = { ["sysmaster"] = true, ["sysutils"] = true, ["sysuser"] = true, ["sysadmin"] = true }
+
+ -- If no user was specified lookup the first user in the registry saved by
+ -- the informix-brute script
+ if ( not(user) ) then
+ if ( nmap.registry['informix-brute'] and nmap.registry['informix-brute'][1]["username"] ) then
+ user = nmap.registry['informix-brute'][1]["username"]
+ pass = nmap.registry['informix-brute'][1]["password"]
+ else
+ return " \n ERROR: No credentials specified (see informix-table.username and informix-table.password)"
+ end
+ end
+
+ helper = informix.Helper:new( host, port )
+
+ status, data = helper:Connect()
+ if ( not(status) ) then
+ return stdnse.format_output(status, data)
+ end
+
+ status, data = helper:Login(user, pass)
+ if ( not(status) ) then return stdnse.format_output(status, data) end
+
+ status, databases = helper:GetDatabases()
+ if ( not(status) ) then
+ return " \n ERROR: Failed to retrieve a list of databases"
+ end
+
+ for _, db in ipairs(databases) do
+ if ( not( excluded_dbs[db] ) ) then
+ status, data = helper:OpenDatabase(db)
+ if ( not(status) ) then return stdnse.format_output(status, data) end
+ status, data = helper:Query( query )
+ if ( not(status) ) then return stdnse.format_output(status, data) end
+
+ if ( status ) then
+ data = informix.Util.formatTable( data[1] )
+ data.name = "Results"
+ table.insert( result, { "User: " .. user, "Database: " .. db, name="Information" } )
+ table.insert(result, data )
+ end
+ break
+ end
+ end
+
+ helper:Close()
+
+ return stdnse.format_output( true, result )
+end
\ No newline at end of file
diff --git a/scripts/script.db b/scripts/script.db
index 46602710a..921ce14b4 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -50,6 +50,9 @@ Entry { filename = "http-userdir-enum.nse", categories = { "discovery", "intrusi
Entry { filename = "http-vmware-path-vuln.nse", categories = { "default", "safe", "vuln", } }
Entry { filename = "iax2-version.nse", categories = { "version", } }
Entry { filename = "imap-capabilities.nse", categories = { "default", "safe", } }
+Entry { filename = "informix-brute.nse", categories = { "auth", "intrusive", } }
+Entry { filename = "informix-query.nse", categories = { "auth", "intrusive", } }
+Entry { filename = "informix-tables.nse", categories = { "auth", "intrusive", } }
Entry { filename = "ipidseq.nse", categories = { "discovery", "safe", } }
Entry { filename = "irc-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "irc-unrealircd-backdoor.nse", categories = { "safe", "vuln", } }