PenTest/sqlmap
1
0
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-12-06 12:41:30 +00:00
Code Issues Projects Releases Wiki Activity

Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module).

Browse Source 
Minor layout adjustments.
This commit is contained in:
Bernardo Damele
2010-03-26 23:23:25 +00:00
parent 4ca1adba2c
commit 1416cd0d86
32 changed files with 791 additions and 122 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
plugins/dbms/postgresql/connector.py Normal file
View File

@@ -0,0 +1,88 @@
#!/usr/bin/env python
"""
$Id$
This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
sqlmap is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation version 2 of the License.
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.
You should have received a copy of the GNU General Public License along
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
"""
try:
import psycopg2
except ImportError, _:
pass
from lib.core.data import logger
from lib.core.exception import sqlmapConnectionException
from plugins.generic.connector import Connector as GenericConnector
class Connector(GenericConnector):
"""
Homepage: http://initd.org/psycopg/
User guide: http://initd.org/psycopg/docs/
API: http://initd.org/psycopg/docs/genindex.html
Debian package: python-psycopg2
License: GPL
Possible connectors: http://wiki.python.org/moin/PostgreSQL
"""
def __init__(self):
GenericConnector.__init__(self)
def connect(self):
self.initConnection()
try:
self.connector = psycopg2.connect(host=self.hostname, user=self.user, password=self.password, database=self.db, port=self.port)
except psycopg2.OperationalError, msg:
raise sqlmapConnectionException, msg
self.setCursor()
self.connected()
def fetchall(self):
try:
return self.cursor.fetchall()
except psycopg2.ProgrammingError, msg:
logger.log(8, msg)
return None
def execute(self, query):
logger.debug(query)
try:
self.cursor.execute(query)
except (psycopg2.OperationalError, psycopg2.ProgrammingError), msg:
logger.log(8, msg)
except psycopg2.InternalError, msg:
raise sqlmapConnectionException, msg
self.connector.commit()
def select(self, query):
self.execute(query)
return self.fetchall()
def setCursor(self):
self.cursor = self.connector.cursor()
def close(self):
self.cursor.close()
self.connector.close()

2
plugins/dbms/postgresql/filesystem.py
View File

@@ -125,4 +125,4 @@ class Filesystem(GenericFilesystem):
if confirm:
self.askCheckWrittenFile(wFile, dFile, fileType)
inject.goStacked("SELECT lo_unlink(%d)" % self.oid)
inject.goStacked("SELECT lo_unlink(%d)" % self.oid)

39
plugins/dbms/postgresql/fingerprint.py
View File

@@ -86,6 +86,12 @@ class Fingerprint(GenericFingerprint):
* http://www.postgresql.org/docs/8.4/interactive/release.html (up to 8.4.2)
"""
infoMsg = "testing PostgreSQL"
logger.info(infoMsg)
if conf.direct:
conf.dbmsConnector.connect()
if conf.dbms in PGSQL_ALIASES:
setDbms("PostgreSQL")
@@ -94,9 +100,6 @@ class Fingerprint(GenericFingerprint):
if not conf.extensiveFp:
return True
infoMsg = "testing PostgreSQL"
logger.info(infoMsg)
randInt = str(randomInt(1))
payload = agent.fullPayload(" AND %s::int=%s" % (randInt, randInt))
@@ -122,33 +125,33 @@ class Fingerprint(GenericFingerprint):
if not conf.extensiveFp:
return True
if inject.getValue("DIV(6, 3)", unpack=False, charsetType=2) == "2":
if inject.getValue("SELECT DIV(6, 3)", unpack=False, charsetType=2) == "2":
kb.dbmsVersion = [">= 8.4.0"]
elif inject.getValue("SUBSTR(TRANSACTION_TIMESTAMP()::text, 1, 1)", unpack=False, charsetType=2) in ( "1", "2" ) and not inject.getValue("SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)", unpack=False, charsetType=2) in ( "1", "2" ):
elif inject.getValue("SELECT SUBSTR(TRANSACTION_TIMESTAMP()::text, 1, 1)", unpack=False, charsetType=2) in ( "1", "2" ) and not inject.getValue("SELECT SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)", unpack=False, charsetType=2) in ( "1", "2" ):
kb.dbmsVersion = [">= 8.3.0", "< 8.4"]
elif inject.getValue("SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)", unpack=False, charsetType=2):
elif inject.getValue("SELECT SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)", unpack=False, charsetType=2):
kb.dbmsVersion = [">= 8.2.0", "< 8.3.0"]
elif inject.getValue("GREATEST(5, 9, 1)", unpack=False, charsetType=2) == "9":
elif inject.getValue("SELECT GREATEST(5, 9, 1)", unpack=False, charsetType=2) == "9":
kb.dbmsVersion = [">= 8.1.0", "< 8.2.0"]
elif inject.getValue("WIDTH_BUCKET(5.35, 0.024, 10.06, 5)", unpack=False, charsetType=2) == "3":
elif inject.getValue("SELECT WIDTH_BUCKET(5.35, 0.024, 10.06, 5)", unpack=False, charsetType=2) == "3":
kb.dbmsVersion = [">= 8.0.0", "< 8.1.0"]
elif inject.getValue("SUBSTR(MD5('sqlmap'), 1, 1)", unpack=False):
elif inject.getValue("SELECT SUBSTR(MD5('sqlmap'), 1, 1)", unpack=False):
kb.dbmsVersion = [">= 7.4.0", "< 8.0.0"]
elif inject.getValue("SUBSTR(CURRENT_SCHEMA(), 1, 1)", unpack=False) == "p":
elif inject.getValue("SELECT SUBSTR(CURRENT_SCHEMA(), 1, 1)", unpack=False) == "p":
kb.dbmsVersion = [">= 7.3.0", "< 7.4.0"]
elif inject.getValue("BIT_LENGTH(1)") == "8":
elif inject.getValue("SELECT BIT_LENGTH(1)") == "8":
kb.dbmsVersion = [">= 7.2.0", "< 7.3.0"]
elif inject.getValue("SUBSTR(QUOTE_LITERAL('a'), 2, 1)", unpack=False) == "a":
elif inject.getValue("SELECT SUBSTR(QUOTE_LITERAL('a'), 2, 1)", unpack=False) == "a":
kb.dbmsVersion = [">= 7.1.0", "< 7.2.0"]
elif inject.getValue("POW(2, 3)", unpack=False, charsetType=2) == "8":
elif inject.getValue("SELECT POW(2, 3)", unpack=False, charsetType=2) == "8":
kb.dbmsVersion = [">= 7.0.0", "< 7.1.0"]
elif inject.getValue("MAX('a')") == "a":
elif inject.getValue("SELECT MAX('a')") == "a":
kb.dbmsVersion = [">= 6.5.0", "< 6.5.3"]
elif re.search("([\d\.]+)", inject.getValue("SUBSTR(VERSION(), 12, 5)", unpack=False)):
elif re.search("([\d\.]+)", inject.getValue("SELECT SUBSTR(VERSION(), 12, 5)", unpack=False)):
kb.dbmsVersion = [">= 6.4.0", "< 6.5.0"]
elif inject.getValue("SUBSTR(CURRENT_DATE, 1, 1)", unpack=False, charsetType=2) == "2":
elif inject.getValue("SELECT SUBSTR(CURRENT_DATE, 1, 1)", unpack=False, charsetType=2) == "2":
kb.dbmsVersion = [">= 6.3.0", "< 6.4.0"]
elif inject.getValue("SUBSTRING('sqlmap', 1, 1)", unpack=False) == "s":
elif inject.getValue("SELECT SUBSTRING('sqlmap', 1, 1)", unpack=False) == "s":
kb.dbmsVersion = [">= 6.2.0", "< 6.3.0"]
else:
kb.dbmsVersion = ["< 6.2.0"]
@@ -167,7 +170,7 @@ class Fingerprint(GenericFingerprint):
infoMsg = "fingerprinting the back-end DBMS operating system"
logger.info(infoMsg)
self.createSupportTbl(self.fileTblName, self.tblField, "character(1000)")
self.createSupportTbl(self.fileTblName, self.tblField, "character(10000)")
inject.goStacked("INSERT INTO %s(%s) VALUES (%s)" % (self.fileTblName, self.tblField, "VERSION()"))
# Windows executables should always have ' Visual C++' or ' mingw'