o [NSE] Added an Informix library and three scripts that make use of it:

- informix-brute uses the brute framework to perform password guessing - informix-query add support for running SQL queries against Informix - informix-tables lists table- and column-names for a given database [Patrik]
2025-12-07 21:21:31 +00:00 · 2010-08-19 22:47:52 +00:00
parent b5f645c2c7
commit 73b01af10a
6 changed files with 1717 additions and 0 deletions
--- a/6
+++ b/6
@@ -1,5 +1,11 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [NSE] Added an Informix library and three scripts that make use of it:
+  - informix-brute uses the brute framework to perform password guessing
+  - informix-query add support for running SQL queries against Informix
+  - informix-tables lists table- and column-names for a given database
+  [Patrik]
+
 o [NSE] Added two new scripts http-brute.nse and http-form-brute that attempt
  to perform password guessing against web servers and applications. [Patrik]

--- a/nselib/informix.lua
+++ b/nselib/informix.lua
--- a/scripts/informix-brute.nse
+++ b/scripts/informix-brute.nse
@@ -0,0 +1,115 @@
+description = [[
+Performs password guessing against Informix Dynamic Server
+]]
+
+---
+-- @usage
+-- nmap --script informix-brute -p 9088 <host>
+--
+-- @output
+-- PORT     STATE SERVICE
+-- 9088/tcp open  unknown
+-- | informix-brute:  
+-- |   Accounts
+-- |     ifxnoob:ifxnoob => Login correct
+-- |   Statistics
+-- |_    Perfomed 25024 guesses in 75 seconds, average tps: 320
+--
+-- Summary
+-- -------
+--   x The Driver class contains the driver implementation used by the brute
+--     library
+--
+
+--
+-- Version 0.1
+-- Created 07/23/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
+--
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive", "auth"}
+
+require 'shortport'
+require 'brute'
+require 'informix'
+
+portrule = shortport.port_or_service( { 1526, 9088, 9090, 9092 }, "informix", "tcp", "open") 
+
+Driver = 
+{
+
+	new = function(self, host, port)
+		local o = {}
+       	setmetatable(o, self)
+        self.__index = self
+		o.host = host
+		o.port = port
+		return o
+	end,
+	
+	--- Connects performs protocol negotiation
+	--
+	-- @return true on success, false on failure
+	connect = function( self )
+		local status, data 
+		self.helper = informix.Helper:new( self.host, self.port, "on_nmap_dummy" )
+		
+		status, data = self.helper:Connect()
+		if ( not(status) ) then
+			return status, data
+		end
+		
+		return true
+	end,
+	
+	--- Attempts to login to the Oracle server
+	--
+	-- @param username string containing the login username
+	-- @param password string containing the login password
+	-- @return status, true on success, false on failure
+	-- @return brute.Error object on failure
+	--         brute.Account object on success
+	login = function( self, username, password )
+		local status, data = self.helper:Login( username, password, {} )
+		
+		if ( status ) then
+			if ( not(nmap.registry['informix-brute']) ) then
+				nmap.registry['informix-brute'] = {}
+			end
+			table.insert( nmap.registry['informix-brute'], { ["username"] = username, ["password"] = password } )
+			return true, brute.Account:new(username, password, "OPEN")
+		-- Check for account locked message
+		elseif ( data:match("INFORMIXSERVER does not match either DBSERVERNAME or DBSERVERALIASES") ) then
+			return true, brute.Account:new(username, password, "OPEN")
+		end
+
+		return false, brute.Error:new( data )
+
+	end,
+	
+	--- Disconnects and terminates the Oracle TNS communication
+	disconnect = function( self )
+		self.helper:Close()
+	end,
+	
+	--- Perform a connection with the helper, this makes sure that the Oracle
+	-- instance is correct.
+	--
+	-- @return status true on success false on failure
+	-- @return err containing the error message on failure
+	check = function( self )
+		return true
+	end,
+	
+}
+
+
+action = function(host, port)
+	local status, result 
+	local engine = brute.Engine:new(Driver, host, port )
+	
+	status, result = engine:start()
+
+	return result
+end
--- a/scripts/informix-query.nse
+++ b/scripts/informix-query.nse
@@ -0,0 +1,88 @@
+description = [[
+Runs a query against IBM Informix Dynamic Server.
+]]
+
+---
+-- @usage
+-- nmap -np 9088 <host> --script informix-query --script-args informix-query.username=informix,informix-query.password=informix
+--
+-- @output
+-- PORT     STATE SERVICE
+-- 9088/tcp open  unknown syn-ack
+-- | informix-query:  
+-- |   Information
+-- |     User: informix
+-- |     Database: sysmaster
+-- |     Query: "SELECT FIRST 1 DBINFO('dbhostname') hostname, DBINFO('version','full') version FROM systables"
+-- |   Results
+-- |     hostname      version                                        
+-- |_    patrik-laptop IBM Informix Dynamic Server Version 11.50.UC4E 
+--
+-- @args informix-query.username The username used for authentication
+-- @args informix-query.password The password used for authentication
+-- @args informix-query.database The name of the database to connect to
+--       (default: sysmaster)
+-- @args informix-query.query The query to run against the server
+--       (default: returns hostname and version)
+
+-- Version 0.1
+
+-- Created 07/28/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive", "auth"}
+dependencies = { "informix-brute" }
+
+require 'shortport'
+require 'informix'
+
+portrule = shortport.port_or_service( { 1526, 9088, 9090, 9092 }, "informix", "tcp", "open") 
+
+action = function( host, port )
+	local instance = nmap.registry.args['informix-info.instance']
+	local helper
+	local status, data
+	local result = {}
+	local user = nmap.registry.args['informix-query.username']
+	local pass = nmap.registry.args['informix-query.password']
+	local query = nmap.registry.args['informix-query.query']
+	local db = nmap.registry.args['informix-query.database'] or "sysmaster"
+	
+	query = query or "SELECT FIRST 1 DBINFO('dbhostname') hostname, " ..
+					 "DBINFO('version','full') version FROM systables"
+
+	helper = informix.Helper:new( host, port, instance )
+	
+	-- If no user was specified lookup the first user in the registry saved by
+	-- the informix-brute script
+	if ( not(user) ) then
+		if ( nmap.registry['informix-brute'] and nmap.registry['informix-brute'][1]["username"] ) then
+			user = nmap.registry['informix-brute'][1]["username"]
+			pass = nmap.registry['informix-brute'][1]["password"]
+		else
+			return "  \n  ERROR: No credentials specified (see informix-table.username and informix-table.password)"
+		end
+	end
+	
+	status, data = helper:Connect()
+	if ( not(status) ) then
+		return stdnse.format_output(status, data)
+	end
+
+	status, data = helper:Login(user, pass, nil, db)
+	if ( not(status) ) then	return stdnse.format_output(status, data) end
+
+	status, data = helper:Query(query)
+	if ( not(status) ) then	return stdnse.format_output(status, data) end
+	
+	for _, rs in ipairs(data) do
+		table.insert( result, { "User: " .. user, "Database: " .. db, ( "Query: \"%s\"" ):format( rs.query ), name="Information" } )
+		local tmp = informix.Util.formatTable( rs )
+		tmp.name = "Results"
+		table.insert(  result, tmp  )
+	end
+	
+	
+	return stdnse.format_output(status, result)
+end
--- a/scripts/informix-tables.nse
+++ b/scripts/informix-tables.nse
@@ -0,0 +1,115 @@
+description = [[
+Retrieves a list of tables and column definition for each Informix database
+]]
+
+---
+-- @usage
+-- nmap -p 9088 <host> --script informix-tables --script-args informix-tables.username=informix,informix-tables.password=informix
+--
+-- @output
+-- PORT     STATE SERVICE REASON
+-- 9088/tcp open  unknown syn-ack
+-- | informix-tables:  
+-- |   Information
+-- |     User: informix
+-- |     Database: stores_demo
+-- |   Results
+-- |     table                column               rows                 
+-- |     call_type            call_code            5                    
+-- |     call_type            code_descr           5                    
+-- |     catalog              cat_advert           74                   
+-- |     catalog              cat_descr            74                   
+-- |     catalog              cat_picture          74                   
+-- |     catalog              catalog_num          74                   
+-- |     catalog              manu_code            74                   
+-- |     catalog              stock_num            74                   
+-- |     classes              class                4                    
+-- |     classes              classid              4                    
+-- |     classes              subject              4
+-- |     cust_calls          call_code           7                   
+-- |     cust_calls          call_descr          7                   
+-- |     cust_calls          call_dtime          7                   
+-- |     cust_calls          customer_num        7                   
+-- |     cust_calls          res_descr           7                   
+-- |     cust_calls          res_dtime           7                   
+-- |     cust_calls          user_id             7                   
+-- |     warehouses          warehouse_id        4                   
+-- |     warehouses          warehouse_name      4                   
+-- |_    warehouses          warehouse_spec      4
+--
+-- @args informix-query.username The username used for authentication
+-- @args informix-query.password The password used for authentication
+--
+-- Version 0.1
+-- Created 27/07/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive", "auth"}
+dependencies = { "informix-brute" }
+
+require 'shortport'
+require 'informix'
+
+portrule = shortport.port_or_service( { 1526, 9088, 9090, 9092 }, "informix", "tcp", "open") 
+
+action = function( host, port )
+	local helper
+	local status, data
+	local result, output = {}, {}
+	local user = nmap.registry.args['informix-tables.username']
+	local pass = nmap.registry.args['informix-tables.password'] or ""
+	local query= [[
+		SELECT cast(tabname as char(20)) table, cast(colname as char(20)) column, cast( cast(nrows as int) as char(20)) rows
+		FROM "informix".systables st, "informix".syscolumns sc 
+		WHERE sc.tabid = st.tabid and st.tabid > 99 and st.tabtype='T' 
+		ORDER BY table, column]]
+	local excluded_dbs = { ["sysmaster"] = true, ["sysutils"] = true, ["sysuser"] = true, ["sysadmin"] = true }
+	
+	-- If no user was specified lookup the first user in the registry saved by
+	-- the informix-brute script
+	if ( not(user) ) then
+		if ( nmap.registry['informix-brute'] and nmap.registry['informix-brute'][1]["username"] ) then
+			user = nmap.registry['informix-brute'][1]["username"]
+			pass = nmap.registry['informix-brute'][1]["password"]
+		else
+			return "  \n  ERROR: No credentials specified (see informix-table.username and informix-table.password)"
+		end
+	end
+	
+	helper = informix.Helper:new( host, port )
+	
+	status, data = helper:Connect()
+	if ( not(status) ) then
+		return stdnse.format_output(status, data)
+	end
+
+	status, data = helper:Login(user, pass)
+	if ( not(status) ) then	return stdnse.format_output(status, data) end
+
+	status, databases = helper:GetDatabases()
+	if ( not(status) ) then
+		return "  \n  ERROR: Failed to retrieve a list of databases"
+	end
+	
+	for _, db in ipairs(databases) do
+		if ( not( excluded_dbs[db] ) ) then
+			status, data = helper:OpenDatabase(db)
+			if ( not(status) ) then	return stdnse.format_output(status, data) end
+			status, data = helper:Query( query )
+			if ( not(status) ) then	return stdnse.format_output(status, data) end
+						
+			if ( status ) then
+				data = informix.Util.formatTable( data[1] )
+				data.name = "Results"
+				table.insert( result, { "User: " .. user, "Database: " .. db, name="Information" } )
+				table.insert(result, data )
+			end
+			break
+		end
+	end
+
+	helper:Close()
+
+	return stdnse.format_output( true, result )
+end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -50,6 +50,9 @@ Entry { filename = "http-userdir-enum.nse", categories = { "discovery", "intrusi
 Entry { filename = "http-vmware-path-vuln.nse", categories = { "default", "safe", "vuln", } }
 Entry { filename = "iax2-version.nse", categories = { "version", } }
 Entry { filename = "imap-capabilities.nse", categories = { "default", "safe", } }
+Entry { filename = "informix-brute.nse", categories = { "auth", "intrusive", } }
+Entry { filename = "informix-query.nse", categories = { "auth", "intrusive", } }
+Entry { filename = "informix-tables.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "ipidseq.nse", categories = { "discovery", "safe", } }
 Entry { filename = "irc-info.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "irc-unrealircd-backdoor.nse", categories = { "safe", "vuln", } }