Couple of patches (CockroachDB, Drizzle, Firebird related)

Miroslav Stampar
2020-02-10 16:22:58 +01:00
parent 2d48b8effa
commit 1fb1a05a78
9 changed files with 117 additions and 53 deletions


@@ -43,6 +43,7 @@ from lib.core.dicts import INFORMIX_TYPES
from lib.core.enums import CHARSET_TYPE
from lib.core.enums import DBMS
from lib.core.enums import EXPECTED
from lib.core.enums import FORK
from lib.core.enums import PAYLOAD
from lib.core.exception import SqlmapMissingMandatoryOptionException
from lib.core.exception import SqlmapNoneDataException
@@ -607,6 +608,9 @@ class Databases(object):
query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
query += condQuery
if Backend.isFork(FORK.DRIZZLE):
query = query.replace("column_type", "data_type")
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.DERBY, DBMS.ALTIBASE, DBMS.MIMERSQL):
query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(tbl.upper()), unsafeSQLIdentificatorNaming(conf.db.upper()))
query += condQuery
@@ -1016,7 +1020,10 @@ class Databases(object):
rootQuery = queries[Backend.getIdentifiedDbms()].statements
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
query = rootQuery.inband.query
if Backend.isFork(FORK.DRIZZLE):
query = rootQuery.inband.query2
else:
query = rootQuery.inband.query
while True:
values = inject.getValue(query, blind=False, time=False)
@@ -1039,6 +1046,10 @@ class Databases(object):
logger.info(infoMsg)
query = rootQuery.blind.count
if Backend.isFork(FORK.DRIZZLE):
query = query.replace("INFORMATION_SCHEMA", "DATA_DICTIONARY")
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if count == 0:
@@ -1063,6 +1074,10 @@ class Databases(object):
if isNoneValue(value):
query = rootQuery.blind.query % index
if Backend.isFork(FORK.DRIZZLE):
query = query.replace("INFORMATION_SCHEMA", "DATA_DICTIONARY")
value = unArrayizeValue(inject.getValue(query, union=False, error=False))
if not isNoneValue(value):
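Review bot: The Drizzle rewrite in the second hunk, `query = query.replace("column_type", "data_type")`, runs after the table and database names have already been substituted into the query and after condQuery has been appended, so any identifier that happens to contain `column_type` (a table named `column_types`, for instance, or a user-supplied column name in condQuery if that is how it is built) would be mangled together with the intended token. Applying the replacement to the template before formatting avoids this: `query = (rootQuery.inband.query.replace("column_type", "data_type") if Backend.isFork(FORK.DRIZZLE) else rootQuery.inband.query) % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))`, followed by the existing `query += condQuery`, with the separate Drizzle branch dropped. The later `INFORMATION_SCHEMA` to `DATA_DICTIONARY` rewrites in the last two hunks operate on the raw templates (the only interpolated value there is the integer index), so they are not affected. A short comment such as `# Drizzle exposes the same metadata under DATA_DICTIONARY with data_type in place of column_type` would document why the fork is special-cased; the enclosing Databases methods start and end outside these hunks.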


@@ -345,6 +345,8 @@ class Search(object):
def searchColumn(self):
bruteForce = False
self.forceDbmsEnum()
if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
errMsg = "information_schema not available, "
errMsg += "back-end DBMS is MySQL < 5.0"
@@ -406,24 +408,26 @@ class Search(object):
foundCols[column] = {}
if conf.tbl:
_ = conf.tbl.split(',')
whereTblsQuery = " AND (" + " OR ".join("%s = '%s'" % (tblCond, unsafeSQLIdentificatorNaming(tbl)) for tbl in _) + ")"
infoMsgTbl = " for table%s '%s'" % ("s" if len(_) > 1 else "", ", ".join(unsafeSQLIdentificatorNaming(tbl) for tbl in _))
if tblCond:
if conf.tbl:
_ = conf.tbl.split(',')
whereTblsQuery = " AND (" + " OR ".join("%s = '%s'" % (tblCond, unsafeSQLIdentificatorNaming(tbl)) for tbl in _) + ")"
infoMsgTbl = " for table%s '%s'" % ("s" if len(_) > 1 else "", ", ".join(unsafeSQLIdentificatorNaming(tbl) for tbl in _))
if conf.db == CURRENT_DB:
conf.db = self.getCurrentDb()
if conf.db:
_ = conf.db.split(',')
whereDbsQuery = " AND (" + " OR ".join("%s = '%s'" % (dbCond, unsafeSQLIdentificatorNaming(db)) for db in _) + ")"
infoMsgDb = " in database%s '%s'" % ("s" if len(_) > 1 else "", ", ".join(unsafeSQLIdentificatorNaming(db) for db in _))
elif conf.excludeSysDbs:
whereDbsQuery = "".join(" AND %s != '%s'" % (dbCond, unsafeSQLIdentificatorNaming(db)) for db in self.excludeDbsList)
msg = "skipping system database%s '%s'" % ("s" if len(self.excludeDbsList) > 1 else "", ", ".join(unsafeSQLIdentificatorNaming(db) for db in self.excludeDbsList))
logger.info(msg)
else:
infoMsgDb = " across all databases"
if dbCond:
if conf.db:
_ = conf.db.split(',')
whereDbsQuery = " AND (" + " OR ".join("%s = '%s'" % (dbCond, unsafeSQLIdentificatorNaming(db)) for db in _) + ")"
infoMsgDb = " in database%s '%s'" % ("s" if len(_) > 1 else "", ", ".join(unsafeSQLIdentificatorNaming(db) for db in _))
elif conf.excludeSysDbs:
whereDbsQuery = "".join(" AND %s != '%s'" % (dbCond, unsafeSQLIdentificatorNaming(db)) for db in self.excludeDbsList)
msg = "skipping system database%s '%s'" % ("s" if len(self.excludeDbsList) > 1 else "", ", ".join(unsafeSQLIdentificatorNaming(db) for db in self.excludeDbsList))
logger.info(msg)
else:
infoMsgDb = " across all databases"
logger.info("%s%s%s" % (infoMsg, infoMsgTbl, infoMsgDb))
@@ -446,6 +450,9 @@ class Search(object):
for tbl in conf.tbl.split(','):
values.append([safeSQLIdentificatorNaming(db), safeSQLIdentificatorNaming(tbl, True)])
if Backend.getIdentifiedDbms() in (DBMS.FIREBIRD,):
values = [(conf.db, value) for value in arrayizeValue(values)]
for db, tbl in filterPairValues(values):
db = safeSQLIdentificatorNaming(db)
tbls = tbl.split(',') if not isNoneValue(tbl) else []
@@ -538,8 +545,12 @@ class Search(object):
logger.info(infoMsg)
query = rootQuery.blind.count2
query = query % unsafeSQLIdentificatorNaming(db)
query += " AND %s" % colQuery
if not re.search(r"(?i)%s\Z" % METADB_SUFFIX, db or ""):
query = query % unsafeSQLIdentificatorNaming(db)
query += " AND %s" % colQuery
else:
query = query % colQuery
query += whereTblsQuery
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
@@ -559,7 +570,9 @@ class Search(object):
for index in indexRange:
query = rootQuery.blind.query2
if query.endswith("'%s')"):
if re.search(r"(?i)%s\Z" % METADB_SUFFIX, db or ""):
query = query % (colQuery + whereTblsQuery)
elif query.endswith("'%s')"):
query = query[:-1] + " AND %s)" % (colQuery + whereTblsQuery)
elif " ORDER BY " in query:
query = query.replace(" ORDER BY ", " AND %s ORDER BY " % (colQuery + whereTblsQuery))


@@ -36,6 +36,7 @@ from lib.core.dicts import PGSQL_PRIVS
from lib.core.enums import CHARSET_TYPE
from lib.core.enums import DBMS
from lib.core.enums import EXPECTED
from lib.core.enums import FORK
from lib.core.enums import PAYLOAD
from lib.core.exception import SqlmapNoneDataException
from lib.core.exception import SqlmapUserQuitException
@@ -75,16 +76,22 @@ class Users(object):
infoMsg = "testing if current user is DBA"
logger.info(infoMsg)
query = None
if Backend.isDbms(DBMS.MYSQL):
self.getCurrentUser()
query = queries[Backend.getIdentifiedDbms()].is_dba.query % (kb.data.currentUser.split("@")[0] if kb.data.currentUser else None)
if Backend.isFork(FORK.DRIZZLE):
kb.data.isDba = "root" in (kb.data.currentUser or "")
elif kb.data.currentUser:
query = queries[Backend.getIdentifiedDbms()].is_dba.query % kb.data.currentUser.split("@")[0]
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and user is not None:
query = queries[Backend.getIdentifiedDbms()].is_dba.query2 % user
else:
query = queries[Backend.getIdentifiedDbms()].is_dba.query
query = agent.forgeCaseStatement(query)
kb.data.isDba = inject.checkBooleanExpression(query) or False
if query:
query = agent.forgeCaseStatement(query)
kb.data.isDba = inject.checkBooleanExpression(query) or False
return kb.data.isDba
@@ -98,10 +105,13 @@ class Users(object):
condition |= (Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema)
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
if condition:
if Backend.isFork(FORK.DRIZZLE):
query = rootQuery.inband.query3
elif condition:
query = rootQuery.inband.query2
else:
query = rootQuery.inband.query
values = inject.getValue(query, blind=False, time=False)
if not isNoneValue(values):
@@ -115,7 +125,9 @@ class Users(object):
infoMsg = "fetching number of database users"
logger.info(infoMsg)
if condition:
if Backend.isFork(FORK.DRIZZLE):
query = rootQuery.blind.count3
elif condition:
query = rootQuery.blind.count2
else:
query = rootQuery.blind.count
@@ -134,10 +146,13 @@ class Users(object):
for index in indexRange:
if Backend.getIdentifiedDbms() in (DBMS.SYBASE, DBMS.MAXDB):
query = rootQuery.blind.query % (kb.data.cachedUsers[-1] if kb.data.cachedUsers else " ")
elif Backend.isFork(FORK.DRIZZLE):
query = rootQuery.blind.query3 % index
elif condition:
query = rootQuery.blind.query2 % index
else:
query = rootQuery.blind.query % index
user = unArrayizeValue(inject.getValue(query, union=False, error=False))
if user:
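Review bot: The Drizzle branch in the first hunk, `kb.data.isDba = "root" in (kb.data.currentUser or "")`, is a substring test, so any current user whose name merely contains `root` (`nonroot`, `root_ro`) is reported as DBA, and because this branch does not split on `@` like the MySQL branch below it, the host part is matched as well (`app@root-host`). Comparing the user part exactly is the straightforward fix: `kb.data.isDba = (kb.data.currentUser or "").split("@")[0] == "root"`. A one-line comment explaining why this is a name heuristic rather than a privilege query (presumably Drizzle offers no usable privilege view, which the hunk does not state) would help the next reader, since a false DBA verdict steers later sqlmap decisions. Note also that when kb.data.currentUser is empty on MySQL, query now stays None and the method returns whatever kb.data.isDba held before, which may be worth a `kb.data.isDba = False` default in that path. isDba's body continues outside the hunk; the later query3/count3 selections for Drizzle are plain template choices.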