mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2026-01-07 15:19:01 +00:00
Major code refactoring - moved to one location only (getIdentifiedDBMS() in common.py) the retrieval of identified/fingerprinted DBMS.
Minor bug fixes thanks to previous refactoring too.
This commit is contained in:
Bernardo Damele
@@ -12,6 +12,7 @@ import socket
|
||||
import time
|
||||
|
||||
from lib.core.agent import agent
|
||||
from lib.core.common import aliasToDbmsEnum
|
||||
from lib.core.common import beep
|
||||
from lib.core.common import extractRegexResult
|
||||
from lib.core.common import findDynamicContent
|
||||
@@ -430,7 +431,7 @@ def checkSqlInjection(place, parameter, value):
|
||||
for detailKey, detailValue in test.details.items():
|
||||
if detailKey == "dbms" and injection.dbms is None:
|
||||
injection.dbms = detailValue
|
||||
kb.dbms = detailValue
|
||||
kb.dbms = aliasToDbmsEnum(detailValue)
|
||||
elif detailKey == "dbms_version" and injection.dbms_version is None:
|
||||
injection.dbms_version = detailValue
|
||||
kb.dbmsVersion = [ detailValue ]
|
||||
|
||||
@@ -7,7 +7,7 @@ Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.common import getErrorParsedDBMSes
|
||||
from lib.core.common import getIdentifiedDBMS
|
||||
from lib.core.common import popValue
|
||||
from lib.core.common import pushValue
|
||||
from lib.core.data import conf
|
||||
@@ -63,18 +63,11 @@ def setHandler():
|
||||
( SYBASE_ALIASES, SybaseMap, SybaseConn ),
|
||||
]
|
||||
|
||||
inferencedDbms = (getErrorParsedDBMSes()[0] if getErrorParsedDBMSes() else '') or kb.dbms
|
||||
|
||||
for injection in kb.injections:
|
||||
if hasattr(injection, "dbms") and injection.dbms:
|
||||
inferencedDbms = injection.dbms
|
||||
break
|
||||
|
||||
if inferencedDbms is not None:
|
||||
if getIdentifiedDBMS() is not None:
|
||||
for i in xrange(len(dbmsObj)):
|
||||
dbmsAliases, _, _ = dbmsObj[i]
|
||||
|
||||
if inferencedDbms.lower() in dbmsAliases:
|
||||
if getIdentifiedDBMS().lower() in dbmsAliases:
|
||||
if i > 0:
|
||||
pushValue(dbmsObj[i])
|
||||
dbmsObj.remove(dbmsObj[i])
|
||||
|
||||
@@ -13,6 +13,7 @@ from xml.etree import ElementTree as ET
|
||||
|
||||
from lib.core.common import getCompiledRegex
|
||||
from lib.core.common import getErrorParsedDBMSes
|
||||
from lib.core.common import getIdentifiedDBMS
|
||||
from lib.core.common import isDBMSVersionAtLeast
|
||||
from lib.core.common import isTechniqueAvailable
|
||||
from lib.core.common import randomInt
|
||||
@@ -33,13 +34,6 @@ class Agent:
|
||||
This class defines the SQL agent methods.
|
||||
"""
|
||||
|
||||
def __init__(self):
|
||||
kb.misc = advancedDict()
|
||||
kb.misc.delimiter = randomStr(length=6)
|
||||
kb.misc.start = ":%s:" % randomStr(length=3, lowercase=True)
|
||||
kb.misc.stop = ":%s:" % randomStr(length=3, lowercase=True)
|
||||
kb.misc.space = ":%s:" % randomStr(length=1, lowercase=True)
|
||||
|
||||
def payloadDirect(self, query):
|
||||
if query.startswith("AND "):
|
||||
query = query.replace("AND ", "SELECT ", 1)
|
||||
@@ -211,8 +205,8 @@ class Agent:
|
||||
payload = payload.replace("[ORIGVALUE]", origvalue)
|
||||
|
||||
if "[INFERENCE]" in payload:
|
||||
if kb.dbms is not None:
|
||||
inference = queries[kb.dbms].inference
|
||||
if getIdentifiedDBMS() is not None:
|
||||
inference = queries[getIdentifiedDBMS()].inference
|
||||
|
||||
if "dbms_version" in inference:
|
||||
if isDBMSVersionAtLeast(inference.dbms_version):
|
||||
@@ -223,11 +217,6 @@ class Agent:
|
||||
inferenceQuery = inference.query
|
||||
|
||||
payload = payload.replace("[INFERENCE]", inferenceQuery)
|
||||
|
||||
elif hasattr(kb.misc, "testedDbms") and kb.misc.testedDbms is not None:
|
||||
inferenceQuery = queries[kb.misc.testedDbms].inference.query
|
||||
payload = payload.replace("[INFERENCE]", inferenceQuery)
|
||||
|
||||
else:
|
||||
errMsg = "invalid usage of inference payload without "
|
||||
errMsg += "knowledge of underlying DBMS"
|
||||
@@ -275,17 +264,17 @@ class Agent:
|
||||
|
||||
# SQLite version 2 does not support neither CAST() nor IFNULL(),
|
||||
# introduced only in SQLite version 3
|
||||
if kb.dbms == DBMS.SQLITE:
|
||||
if getIdentifiedDBMS() == DBMS.SQLITE:
|
||||
return field
|
||||
|
||||
if field.startswith("(CASE"):
|
||||
nulledCastedField = field
|
||||
else:
|
||||
nulledCastedField = queries[kb.dbms].cast.query % field
|
||||
if kb.dbms == DBMS.ACCESS:
|
||||
nulledCastedField = queries[kb.dbms].isnull.query % (nulledCastedField, nulledCastedField)
|
||||
nulledCastedField = queries[getIdentifiedDBMS()].cast.query % field
|
||||
if getIdentifiedDBMS() == DBMS.ACCESS:
|
||||
nulledCastedField = queries[getIdentifiedDBMS()].isnull.query % (nulledCastedField, nulledCastedField)
|
||||
else:
|
||||
nulledCastedField = queries[kb.dbms].isnull.query % nulledCastedField
|
||||
nulledCastedField = queries[getIdentifiedDBMS()].isnull.query % nulledCastedField
|
||||
|
||||
return nulledCastedField
|
||||
|
||||
@@ -324,7 +313,7 @@ class Agent:
|
||||
|
||||
fields = fields.replace(", ", ",")
|
||||
fieldsSplitted = fields.split(",")
|
||||
dbmsDelimiter = queries[kb.dbms].delimiter.query
|
||||
dbmsDelimiter = queries[getIdentifiedDBMS()].delimiter.query
|
||||
nulledCastedFields = []
|
||||
|
||||
for field in fieldsSplitted:
|
||||
@@ -383,13 +372,13 @@ class Agent:
|
||||
def simpleConcatQuery(self, query1, query2):
|
||||
concatenatedQuery = ""
|
||||
|
||||
if kb.dbms == DBMS.MYSQL:
|
||||
if getIdentifiedDBMS() == DBMS.MYSQL:
|
||||
concatenatedQuery = "CONCAT(%s,%s)" % (query1, query2)
|
||||
|
||||
elif kb.dbms in ( DBMS.PGSQL, DBMS.ORACLE, DBMS.SQLITE ):
|
||||
elif getIdentifiedDBMS() in ( DBMS.PGSQL, DBMS.ORACLE, DBMS.SQLITE ):
|
||||
concatenatedQuery = "%s||%s" % (query1, query2)
|
||||
|
||||
elif kb.dbms in (DBMS.MSSQL, DBMS.SYBASE):
|
||||
elif getIdentifiedDBMS() in (DBMS.MSSQL, DBMS.SYBASE):
|
||||
concatenatedQuery = "%s+%s" % (query1, query2)
|
||||
|
||||
return concatenatedQuery
|
||||
@@ -431,7 +420,7 @@ class Agent:
|
||||
concatenatedQuery = query
|
||||
fieldsSelectFrom, fieldsSelect, fieldsNoSelect, fieldsSelectTop, fieldsSelectCase, _, fieldsToCastStr = self.getFields(query)
|
||||
|
||||
if kb.dbms == DBMS.MYSQL:
|
||||
if getIdentifiedDBMS() == DBMS.MYSQL:
|
||||
if fieldsSelectCase:
|
||||
concatenatedQuery = concatenatedQuery.replace("SELECT ", "CONCAT('%s'," % kb.misc.start, 1)
|
||||
concatenatedQuery += ",'%s')" % kb.misc.stop
|
||||
@@ -444,7 +433,7 @@ class Agent:
|
||||
elif fieldsNoSelect:
|
||||
concatenatedQuery = "CONCAT('%s',%s,'%s')" % (kb.misc.start, concatenatedQuery, kb.misc.stop)
|
||||
|
||||
elif kb.dbms in ( DBMS.PGSQL, DBMS.ORACLE, DBMS.SQLITE ):
|
||||
elif getIdentifiedDBMS() in ( DBMS.PGSQL, DBMS.ORACLE, DBMS.SQLITE ):
|
||||
if fieldsSelectCase:
|
||||
concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'||" % kb.misc.start, 1)
|
||||
concatenatedQuery += "||'%s'" % kb.misc.stop
|
||||
@@ -457,10 +446,10 @@ class Agent:
|
||||
elif fieldsNoSelect:
|
||||
concatenatedQuery = "'%s'||%s||'%s'" % (kb.misc.start, concatenatedQuery, kb.misc.stop)
|
||||
|
||||
if kb.dbms == DBMS.ORACLE and " FROM " not in concatenatedQuery and ( fieldsSelect or fieldsNoSelect ):
|
||||
if getIdentifiedDBMS() == DBMS.ORACLE and " FROM " not in concatenatedQuery and ( fieldsSelect or fieldsNoSelect ):
|
||||
concatenatedQuery += " FROM DUAL"
|
||||
|
||||
elif kb.dbms in (DBMS.MSSQL, DBMS.SYBASE):
|
||||
elif getIdentifiedDBMS() in (DBMS.MSSQL, DBMS.SYBASE):
|
||||
if fieldsSelectTop:
|
||||
topNum = re.search("\ASELECT\s+TOP\s+([\d]+)\s+", concatenatedQuery, re.I).group(1)
|
||||
concatenatedQuery = concatenatedQuery.replace("SELECT TOP %s " % topNum, "TOP %s '%s'+" % (topNum, kb.misc.start), 1)
|
||||
@@ -511,13 +500,13 @@ class Agent:
|
||||
"""
|
||||
|
||||
if query.startswith("SELECT "):
|
||||
query = query[len("SELECT "):]
|
||||
query = query[len("SELECT "):]
|
||||
|
||||
inbandQuery = self.prefixQuery("UNION ALL SELECT ", prefix=prefix)
|
||||
|
||||
if query.startswith("TOP"):
|
||||
topNum = re.search("\ATOP\s+([\d]+)\s+", query, re.I).group(1)
|
||||
query = query[len("TOP %s " % topNum):]
|
||||
topNum = re.search("\ATOP\s+([\d]+)\s+", query, re.I).group(1)
|
||||
query = query[len("TOP %s " % topNum):]
|
||||
inbandQuery += "TOP %s " % topNum
|
||||
|
||||
intoRegExp = re.search("(\s+INTO (DUMP|OUT)FILE\s+\'(.+?)\')", query, re.I)
|
||||
@@ -526,7 +515,7 @@ class Agent:
|
||||
intoRegExp = intoRegExp.group(1)
|
||||
query = query[:query.index(intoRegExp)]
|
||||
|
||||
if kb.dbms == DBMS.ORACLE and inbandQuery.endswith(" FROM DUAL"):
|
||||
if getIdentifiedDBMS() == DBMS.ORACLE and inbandQuery.endswith(" FROM DUAL"):
|
||||
inbandQuery = inbandQuery[:-len(" FROM DUAL")]
|
||||
|
||||
for element in range(count):
|
||||
@@ -546,7 +535,7 @@ class Agent:
|
||||
conditionIndex = query.index(" FROM ")
|
||||
inbandQuery += query[conditionIndex:]
|
||||
|
||||
if kb.dbms == DBMS.ORACLE or DBMS.ORACLE in getErrorParsedDBMSes():
|
||||
if getIdentifiedDBMS() == DBMS.ORACLE:
|
||||
if " FROM " not in inbandQuery:
|
||||
inbandQuery += " FROM DUAL"
|
||||
|
||||
@@ -565,7 +554,7 @@ class Agent:
|
||||
else:
|
||||
inbandQuery += char
|
||||
|
||||
if kb.dbms == DBMS.ORACLE:
|
||||
if getIdentifiedDBMS() == DBMS.ORACLE:
|
||||
inbandQuery += " FROM DUAL"
|
||||
|
||||
inbandQuery = self.suffixQuery(inbandQuery, comment, suffix)
|
||||
@@ -595,21 +584,21 @@ class Agent:
|
||||
"""
|
||||
|
||||
limitedQuery = query
|
||||
limitStr = queries[kb.dbms].limit.query
|
||||
limitStr = queries[getIdentifiedDBMS()].limit.query
|
||||
fromIndex = limitedQuery.index(" FROM ")
|
||||
untilFrom = limitedQuery[:fromIndex]
|
||||
fromFrom = limitedQuery[fromIndex+1:]
|
||||
orderBy = False
|
||||
|
||||
if kb.dbms in ( DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE ):
|
||||
limitStr = queries[kb.dbms].limit.query % (num, 1)
|
||||
if getIdentifiedDBMS() in ( DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE ):
|
||||
limitStr = queries[getIdentifiedDBMS()].limit.query % (num, 1)
|
||||
limitedQuery += " %s" % limitStr
|
||||
|
||||
elif kb.dbms == DBMS.FIREBIRD:
|
||||
limitStr = queries[kb.dbms].limit.query % (num+1, num+1)
|
||||
elif getIdentifiedDBMS() == DBMS.FIREBIRD:
|
||||
limitStr = queries[getIdentifiedDBMS()].limit.query % (num+1, num+1)
|
||||
limitedQuery += " %s" % limitStr
|
||||
|
||||
elif kb.dbms == DBMS.ORACLE:
|
||||
elif getIdentifiedDBMS() == DBMS.ORACLE:
|
||||
if " ORDER BY " in limitedQuery and "(SELECT " in limitedQuery:
|
||||
orderBy = limitedQuery[limitedQuery.index(" ORDER BY "):]
|
||||
limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]
|
||||
@@ -621,7 +610,7 @@ class Agent:
|
||||
limitedQuery = limitedQuery % fromFrom
|
||||
limitedQuery += "=%d" % (num + 1)
|
||||
|
||||
elif kb.dbms in (DBMS.MSSQL, DBMS.SYBASE):
|
||||
elif getIdentifiedDBMS() in (DBMS.MSSQL, DBMS.SYBASE):
|
||||
forgeNotIn = True
|
||||
|
||||
if " ORDER BY " in limitedQuery:
|
||||
@@ -635,7 +624,7 @@ class Agent:
|
||||
limitedQuery = limitedQuery.replace("DISTINCT %s" % notDistinct, notDistinct)
|
||||
|
||||
if limitedQuery.startswith("SELECT TOP ") or limitedQuery.startswith("TOP "):
|
||||
topNums = re.search(queries[kb.dbms].limitregexp.query, limitedQuery, re.I)
|
||||
topNums = re.search(queries[getIdentifiedDBMS()].limitregexp.query, limitedQuery, re.I)
|
||||
|
||||
if topNums:
|
||||
topNums = topNums.groups()
|
||||
@@ -681,7 +670,7 @@ class Agent:
|
||||
@rtype: C{str}
|
||||
"""
|
||||
|
||||
return queries[kb.dbms if kb.dbms else kb.misc.testedDbms].case.query % expression
|
||||
return queries[getIdentifiedDBMS()].case.query % expression
|
||||
|
||||
def addPayloadDelimiters(self, inpStr):
|
||||
"""
|
||||
|
||||
@@ -218,15 +218,15 @@ def formatDBMSfp(versions=None):
|
||||
versions = kb.dbmsVersion
|
||||
|
||||
if isinstance(versions, basestring):
|
||||
return "%s %s" % (kb.dbms, versions)
|
||||
return "%s %s" % (getIdentifiedDBMS(), versions)
|
||||
elif isinstance(versions, (list, set, tuple)):
|
||||
return "%s %s" % (kb.dbms, " and ".join([version for version in versions]))
|
||||
return "%s %s" % (getIdentifiedDBMS(), " and ".join([version for version in versions]))
|
||||
elif not versions:
|
||||
warnMsg = "unable to extensively fingerprint the back-end "
|
||||
warnMsg += "DBMS version"
|
||||
logger.warn(warnMsg)
|
||||
|
||||
return kb.dbms
|
||||
return getIdentifiedDBMS()
|
||||
|
||||
def formatFingerprintString(values, chain=" or "):
|
||||
strJoin = "|".join([v for v in values])
|
||||
@@ -627,7 +627,7 @@ def parsePasswordHash(password):
|
||||
if not password or password == " ":
|
||||
password = "NULL"
|
||||
|
||||
if kb.dbms == DBMS.MSSQL and password != "NULL" and isHexEncodedString(password):
|
||||
if getIdentifiedDBMS() == DBMS.MSSQL and password != "NULL" and isHexEncodedString(password):
|
||||
hexPassword = password
|
||||
password = "%s\n" % hexPassword
|
||||
password += "%sheader: %s\n" % (blank, hexPassword[:6])
|
||||
@@ -928,25 +928,25 @@ def parseUnionPage(output, expression, partial=False, condition=None, sort=True)
|
||||
def getDelayQuery(andCond=False):
|
||||
query = None
|
||||
|
||||
if kb.dbms in (DBMS.MYSQL, DBMS.PGSQL):
|
||||
if getIdentifiedDBMS() in (DBMS.MYSQL, DBMS.PGSQL):
|
||||
if not kb.data.banner:
|
||||
conf.dbmsHandler.getVersionFromBanner()
|
||||
|
||||
banVer = kb.bannerFp["dbmsVersion"] if 'dbmsVersion' in kb.bannerFp else None
|
||||
|
||||
if banVer is None or (kb.dbms == DBMS.MYSQL and banVer >= "5.0.12") or (kb.dbms == DBMS.PGSQL and banVer >= "8.2"):
|
||||
query = queries[kb.dbms].timedelay.query % conf.timeSec
|
||||
if banVer is None or (getIdentifiedDBMS() == DBMS.MYSQL and banVer >= "5.0.12") or (getIdentifiedDBMS() == DBMS.PGSQL and banVer >= "8.2"):
|
||||
query = queries[getIdentifiedDBMS()].timedelay.query % conf.timeSec
|
||||
else:
|
||||
query = queries[kb.dbms].timedelay.query2 % conf.timeSec
|
||||
elif kb.dbms == DBMS.FIREBIRD:
|
||||
query = queries[kb.dbms].timedelay.query
|
||||
query = queries[getIdentifiedDBMS()].timedelay.query2 % conf.timeSec
|
||||
elif getIdentifiedDBMS() == DBMS.FIREBIRD:
|
||||
query = queries[getIdentifiedDBMS()].timedelay.query
|
||||
else:
|
||||
query = queries[kb.dbms].timedelay.query % conf.timeSec
|
||||
query = queries[getIdentifiedDBMS()].timedelay.query % conf.timeSec
|
||||
|
||||
if andCond:
|
||||
if kb.dbms in ( DBMS.MYSQL, DBMS.SQLITE ):
|
||||
if getIdentifiedDBMS() in ( DBMS.MYSQL, DBMS.SQLITE ):
|
||||
query = query.replace("SELECT ", "")
|
||||
elif kb.dbms == DBMS.FIREBIRD:
|
||||
elif getIdentifiedDBMS() == DBMS.FIREBIRD:
|
||||
query = "(%s)>0" % query
|
||||
|
||||
return query
|
||||
@@ -1763,7 +1763,7 @@ def aliasToDbmsEnum(value):
|
||||
retVal = None
|
||||
|
||||
for key, item in dbmsDict.items():
|
||||
if value in item[0]:
|
||||
if value.lower() in item[0]:
|
||||
retVal = key
|
||||
break
|
||||
|
||||
@@ -2040,6 +2040,18 @@ def getErrorParsedDBMSes():
|
||||
|
||||
return kb.htmlFp
|
||||
|
||||
def getIdentifiedDBMS():
|
||||
dbms = None
|
||||
|
||||
if kb.dbms is not None:
|
||||
dbms = kb.dbms
|
||||
elif conf.dbms is not None:
|
||||
dbms = conf.dbms
|
||||
elif getErrorParsedDBMSes() is not None:
|
||||
dbms = getErrorParsedDBMSes()[0]
|
||||
|
||||
return aliasToDbmsEnum(dbms)
|
||||
|
||||
def showHttpErrorCodes():
|
||||
"""
|
||||
Shows all HTTP error codes raised till now
|
||||
|
||||
@@ -31,7 +31,7 @@ class DBMS:
|
||||
MSSQL = "Microsoft SQL Server"
|
||||
MYSQL = "MySQL"
|
||||
ORACLE = "Oracle"
|
||||
PGSQL = "PostgreSQL"
|
||||
PGSQL = "PostgreSQL"
|
||||
SQLITE = "SQLite"
|
||||
SYBASE = "Sybase"
|
||||
|
||||
|
||||
@@ -34,6 +34,7 @@ from lib.core.common import parseTargetDirect
|
||||
from lib.core.common import parseTargetUrl
|
||||
from lib.core.common import paths
|
||||
from lib.core.common import randomRange
|
||||
from lib.core.common import randomStr
|
||||
from lib.core.common import readCachedFileContent
|
||||
from lib.core.common import readInput
|
||||
from lib.core.common import runningAsAdmin
|
||||
@@ -46,6 +47,7 @@ from lib.core.data import paths
|
||||
from lib.core.data import queries
|
||||
from lib.core.datatype import advancedDict
|
||||
from lib.core.datatype import injectionDict
|
||||
from lib.core.enums import DBMS
|
||||
from lib.core.enums import HTTPMETHOD
|
||||
from lib.core.enums import PAYLOAD
|
||||
from lib.core.enums import PRIORITY
|
||||
@@ -1165,6 +1167,12 @@ def __setKnowledgeBaseAttributes(flushAll=True):
|
||||
kb.threadException = False
|
||||
kb.threadData = {}
|
||||
|
||||
kb.misc = advancedDict()
|
||||
kb.misc.delimiter = randomStr(length=6)
|
||||
kb.misc.start = ":%s:" % randomStr(length=3, lowercase=True)
|
||||
kb.misc.stop = ":%s:" % randomStr(length=3, lowercase=True)
|
||||
kb.misc.space = ":%s:" % randomStr(length=1, lowercase=True)
|
||||
|
||||
if flushAll:
|
||||
kb.keywords = set(getFileItems(paths.SQL_KEYWORDS))
|
||||
kb.tamperFunctions = []
|
||||
|
||||
@@ -13,6 +13,7 @@ from lib.core.common import aliasToDbmsEnum
|
||||
from lib.core.common import dataToSessionFile
|
||||
from lib.core.common import formatFingerprintString
|
||||
from lib.core.common import getFilteredPageContent
|
||||
from lib.core.common import getIdentifiedDBMS
|
||||
from lib.core.common import readInput
|
||||
from lib.core.convert import base64pickle
|
||||
from lib.core.convert import base64unpickle
|
||||
@@ -140,7 +141,7 @@ def setDbms(dbms):
|
||||
if dbmsRegExp:
|
||||
dbms = dbmsRegExp.group(1)
|
||||
|
||||
kb.dbms = dbms
|
||||
kb.dbms = aliasToDbmsEnum(dbms)
|
||||
|
||||
logger.info("the back-end DBMS is %s" % kb.dbms)
|
||||
|
||||
@@ -340,7 +341,7 @@ def resumeConfKb(expression, url, value):
|
||||
if '.' in table:
|
||||
db, table = table.split('.')
|
||||
else:
|
||||
db = "%s%s" % (kb.dbms, METADB_SUFFIX)
|
||||
db = "%s%s" % (getIdentifiedDBMS(), METADB_SUFFIX)
|
||||
|
||||
logMsg = "resuming brute forced table name "
|
||||
logMsg += "'%s' from session file" % table
|
||||
@@ -355,7 +356,7 @@ def resumeConfKb(expression, url, value):
|
||||
if '.' in table:
|
||||
db, table = table.split('.')
|
||||
else:
|
||||
db = "%s%s" % (kb.dbms, METADB_SUFFIX)
|
||||
db = "%s%s" % (getIdentifiedDBMS(), METADB_SUFFIX)
|
||||
|
||||
logMsg = "resuming brute forced column name "
|
||||
logMsg += "'%s' for table '%s' from session file" % (colName, table)
|
||||
|
||||
@@ -12,6 +12,7 @@ import os
|
||||
import rlcompleter
|
||||
|
||||
from lib.core import readlineng as readline
|
||||
from lib.core.common import getIdentifiedDBMS
|
||||
from lib.core.data import kb
|
||||
from lib.core.data import paths
|
||||
from lib.core.data import queries
|
||||
@@ -29,7 +30,7 @@ def loadHistory():
|
||||
def queriesForAutoCompletion():
|
||||
autoComplQueries = {}
|
||||
|
||||
for item in queries[kb.dbms]._toflat():
|
||||
for item in queries[getIdentifiedDBMS()]._toflat():
|
||||
if item._has_key('query') and len(item.query) > 1 and item._name != 'blind':
|
||||
autoComplQueries[item.query] = None
|
||||
|
||||
|
||||
@@ -7,18 +7,15 @@ Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.common import getErrorParsedDBMSes
|
||||
from lib.core.data import kb
|
||||
from lib.core.common import getIdentifiedDBMS
|
||||
from lib.core.datatype import advancedDict
|
||||
|
||||
class Unescaper(advancedDict):
|
||||
def unescape(self, expression, quote=True, dbms=None):
|
||||
if hasattr(kb, "dbms") and kb.dbms is not None:
|
||||
return self[kb.dbms](expression, quote=quote)
|
||||
elif hasattr(kb.misc, "testedDbms") and kb.misc.testedDbms is not None:
|
||||
return self[kb.misc.testedDbms](expression, quote=quote)
|
||||
elif getErrorParsedDBMSes():
|
||||
return self[getErrorParsedDBMSes()[0]](expression, quote=quote)
|
||||
identifiedDbms = getIdentifiedDBMS()
|
||||
|
||||
if identifiedDbms is not None:
|
||||
return self[identifiedDbms](expression, quote=quote)
|
||||
elif dbms is not None:
|
||||
return self[dbms](expression, quote=quote)
|
||||
else:
|
||||
|
||||
@@ -13,6 +13,7 @@ from xml.sax.handler import ContentHandler
|
||||
|
||||
from lib.core.common import checkFile
|
||||
from lib.core.common import getCompiledRegex
|
||||
from lib.core.common import getIdentifiedDBMS
|
||||
from lib.core.common import parseXmlFile
|
||||
from lib.core.common import sanitizeStr
|
||||
from lib.core.data import kb
|
||||
@@ -94,13 +95,13 @@ def bannerParser(banner):
|
||||
|
||||
xmlfile = None
|
||||
|
||||
if kb.dbms == DBMS.MSSQL:
|
||||
if getIdentifiedDBMS() == DBMS.MSSQL:
|
||||
xmlfile = paths.MSSQL_XML
|
||||
elif kb.dbms == DBMS.MYSQL:
|
||||
elif getIdentifiedDBMS() == DBMS.MYSQL:
|
||||
xmlfile = paths.MYSQL_XML
|
||||
elif kb.dbms == DBMS.ORACLE:
|
||||
elif getIdentifiedDBMS() == DBMS.ORACLE:
|
||||
xmlfile = paths.ORACLE_XML
|
||||
elif kb.dbms == DBMS.PGSQL:
|
||||
elif getIdentifiedDBMS() == DBMS.PGSQL:
|
||||
xmlfile = paths.PGSQL_XML
|
||||
|
||||
if not xmlfile:
|
||||
@@ -108,7 +109,7 @@ def bannerParser(banner):
|
||||
|
||||
checkFile(xmlfile)
|
||||
|
||||
if kb.dbms == DBMS.MSSQL:
|
||||
if getIdentifiedDBMS() == DBMS.MSSQL:
|
||||
handler = MSSQLBannerHandler(banner, kb.bannerFp)
|
||||
parseXmlFile(xmlfile, handler)
|
||||
|
||||
|
||||
@@ -9,6 +9,7 @@ See the file 'doc/COPYING' for copying permission
|
||||
|
||||
from lib.core.agent import agent
|
||||
from lib.core.common import dataToSessionFile
|
||||
from lib.core.common import getIdentifiedDBMS
|
||||
from lib.core.common import getUnicode
|
||||
from lib.core.convert import base64pickle
|
||||
from lib.core.convert import base64unpickle
|
||||
@@ -25,7 +26,7 @@ def direct(query, content=True):
|
||||
select = False
|
||||
query = agent.payloadDirect(query)
|
||||
|
||||
if kb.dbms == DBMS.ORACLE and query.startswith("SELECT ") and " FROM " not in query:
|
||||
if getIdentifiedDBMS() == DBMS.ORACLE and query.startswith("SELECT ") and " FROM " not in query:
|
||||
query = "%s FROM DUAL" % query
|
||||
|
||||
for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
|
||||
|
||||
@@ -15,6 +15,7 @@ from lib.core.common import calculateDeltaSeconds
|
||||
from lib.core.common import cleanQuery
|
||||
from lib.core.common import dataToSessionFile
|
||||
from lib.core.common import expandAsteriskForColumns
|
||||
from lib.core.common import getIdentifiedDBMS
|
||||
from lib.core.common import getPublicTypeMembers
|
||||
from lib.core.common import initTechnique
|
||||
from lib.core.common import isTechniqueAvailable
|
||||
@@ -48,7 +49,7 @@ from lib.utils.resume import resume
|
||||
def __goInference(payload, expression, charsetType=None, firstChar=None, lastChar=None):
|
||||
start = time.time()
|
||||
|
||||
if ( conf.eta or conf.threads > 1 ) and kb.dbms:
|
||||
if ( conf.eta or conf.threads > 1 ) and getIdentifiedDBMS():
|
||||
_, length, _ = queryOutputLength(expression, payload)
|
||||
else:
|
||||
length = None
|
||||
@@ -160,7 +161,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
|
||||
_, _, _, _, _, expressionFieldsList, expressionFields = agent.getFields(expression)
|
||||
|
||||
rdbRegExp = re.search("RDB\$GET_CONTEXT\([^)]+\)", expression, re.I)
|
||||
if rdbRegExp and kb.dbms == DBMS.FIREBIRD:
|
||||
if rdbRegExp and getIdentifiedDBMS() == DBMS.FIREBIRD:
|
||||
expressionFieldsList = [expressionFields]
|
||||
|
||||
if len(expressionFieldsList) > 1:
|
||||
@@ -176,13 +177,13 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
|
||||
# NOTE: I assume that only queries that get data from a table
|
||||
# can return multiple entries
|
||||
if fromUser and " FROM " in expression:
|
||||
limitRegExp = re.search(queries[kb.dbms].limitregexp.query, expression, re.I)
|
||||
limitRegExp = re.search(queries[getIdentifiedDBMS()].limitregexp.query, expression, re.I)
|
||||
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
|
||||
|
||||
if limitRegExp or ( kb.dbms in (DBMS.MSSQL, DBMS.SYBASE) and topLimit ):
|
||||
if kb.dbms in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
limitGroupStart = queries[kb.dbms].limitgroupstart.query
|
||||
limitGroupStop = queries[kb.dbms].limitgroupstop.query
|
||||
if limitRegExp or ( getIdentifiedDBMS() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit ):
|
||||
if getIdentifiedDBMS() in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
limitGroupStart = queries[getIdentifiedDBMS()].limitgroupstart.query
|
||||
limitGroupStop = queries[getIdentifiedDBMS()].limitgroupstop.query
|
||||
|
||||
if limitGroupStart.isdigit():
|
||||
startLimit = int(limitRegExp.group(int(limitGroupStart)))
|
||||
@@ -190,10 +191,10 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
|
||||
stopLimit = limitRegExp.group(int(limitGroupStop))
|
||||
limitCond = int(stopLimit) > 1
|
||||
|
||||
elif kb.dbms in (DBMS.MSSQL, DBMS.SYBASE):
|
||||
elif getIdentifiedDBMS() in (DBMS.MSSQL, DBMS.SYBASE):
|
||||
if limitRegExp:
|
||||
limitGroupStart = queries[kb.dbms].limitgroupstart.query
|
||||
limitGroupStop = queries[kb.dbms].limitgroupstop.query
|
||||
limitGroupStart = queries[getIdentifiedDBMS()].limitgroupstart.query
|
||||
limitGroupStop = queries[getIdentifiedDBMS()].limitgroupstop.query
|
||||
|
||||
if limitGroupStart.isdigit():
|
||||
startLimit = int(limitRegExp.group(int(limitGroupStart)))
|
||||
@@ -205,7 +206,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
|
||||
stopLimit = int(topLimit.group(1))
|
||||
limitCond = int(stopLimit) > 1
|
||||
|
||||
elif kb.dbms == DBMS.ORACLE:
|
||||
elif getIdentifiedDBMS() == DBMS.ORACLE:
|
||||
limitCond = False
|
||||
else:
|
||||
limitCond = True
|
||||
@@ -219,16 +220,16 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
|
||||
|
||||
# From now on we need only the expression until the " LIMIT "
|
||||
# (or similar, depending on the back-end DBMS) word
|
||||
if kb.dbms in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
if getIdentifiedDBMS() in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
stopLimit += startLimit
|
||||
untilLimitChar = expression.index(queries[kb.dbms].limitstring.query)
|
||||
untilLimitChar = expression.index(queries[getIdentifiedDBMS()].limitstring.query)
|
||||
expression = expression[:untilLimitChar]
|
||||
|
||||
elif kb.dbms in (DBMS.MSSQL, DBMS.SYBASE):
|
||||
elif getIdentifiedDBMS() in (DBMS.MSSQL, DBMS.SYBASE):
|
||||
stopLimit += startLimit
|
||||
|
||||
if not stopLimit or stopLimit <= 1:
|
||||
if kb.dbms == DBMS.ORACLE and expression.endswith("FROM DUAL"):
|
||||
if getIdentifiedDBMS() == DBMS.ORACLE and expression.endswith("FROM DUAL"):
|
||||
test = "n"
|
||||
elif batch:
|
||||
test = "y"
|
||||
@@ -239,7 +240,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
|
||||
|
||||
if not test or test[0] in ("y", "Y"):
|
||||
# Count the number of SQL query entries output
|
||||
countFirstField = queries[kb.dbms].count.query % expressionFieldsList[0]
|
||||
countFirstField = queries[getIdentifiedDBMS()].count.query % expressionFieldsList[0]
|
||||
countedExpression = expression.replace(expressionFields, countFirstField, 1)
|
||||
|
||||
if re.search(" ORDER BY ", expression, re.I):
|
||||
@@ -327,7 +328,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
|
||||
|
||||
return outputs
|
||||
|
||||
elif kb.dbms == DBMS.ORACLE and expression.startswith("SELECT ") and " FROM " not in expression:
|
||||
elif getIdentifiedDBMS() == DBMS.ORACLE and expression.startswith("SELECT ") and " FROM " not in expression:
|
||||
expression = "%s FROM DUAL" % expression
|
||||
|
||||
outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
|
||||
@@ -488,7 +489,7 @@ def goStacked(expression, silent=False):
|
||||
if conf.direct:
|
||||
return direct(expression), None
|
||||
|
||||
comment = queries[kb.dbms].comment.query
|
||||
comment = queries[getIdentifiedDBMS()].comment.query
|
||||
query = agent.prefixQuery("; %s" % expression)
|
||||
query = agent.suffixQuery("%s;%s" % (query, comment))
|
||||
|
||||
|
||||
@@ -8,6 +8,7 @@ See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.common import dataToStdout
|
||||
from lib.core.common import getIdentifiedDBMS
|
||||
from lib.core.common import isTechniqueAvailable
|
||||
from lib.core.common import readInput
|
||||
from lib.core.data import conf
|
||||
@@ -40,10 +41,10 @@ class Abstraction(Web, UDF, xp_cmdshell):
|
||||
if self.webBackdoorUrl and not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED):
|
||||
self.webBackdoorRunCmd(cmd)
|
||||
|
||||
elif kb.dbms in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
elif getIdentifiedDBMS() in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
self.udfExecCmd(cmd, silent=silent)
|
||||
|
||||
elif kb.dbms == DBMS.MSSQL:
|
||||
elif getIdentifiedDBMS() == DBMS.MSSQL:
|
||||
self.xpCmdshellExecCmd(cmd, silent=silent)
|
||||
|
||||
else:
|
||||
@@ -54,10 +55,10 @@ class Abstraction(Web, UDF, xp_cmdshell):
|
||||
if self.webBackdoorUrl and not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED):
|
||||
return self.webBackdoorRunCmd(cmd)
|
||||
|
||||
elif kb.dbms in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
elif getIdentifiedDBMS() in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
return self.udfEvalCmd(cmd, first, last)
|
||||
|
||||
elif kb.dbms == DBMS.MSSQL:
|
||||
elif getIdentifiedDBMS() == DBMS.MSSQL:
|
||||
return self.xpCmdshellEvalCmd(cmd, first, last)
|
||||
|
||||
else:
|
||||
@@ -92,13 +93,13 @@ class Abstraction(Web, UDF, xp_cmdshell):
|
||||
logger.info(infoMsg)
|
||||
|
||||
else:
|
||||
if kb.dbms in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
if getIdentifiedDBMS() in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
infoMsg = "going to use injected sys_eval and sys_exec "
|
||||
infoMsg += "user-defined functions for operating system "
|
||||
infoMsg += "command execution"
|
||||
logger.info(infoMsg)
|
||||
|
||||
elif kb.dbms == DBMS.MSSQL:
|
||||
elif getIdentifiedDBMS() == DBMS.MSSQL:
|
||||
infoMsg = "going to use xp_cmdshell extended procedure for "
|
||||
infoMsg += "operating system command execution"
|
||||
logger.info(infoMsg)
|
||||
@@ -150,9 +151,9 @@ class Abstraction(Web, UDF, xp_cmdshell):
|
||||
warnMsg += "the session user is not a database administrator"
|
||||
logger.warn(warnMsg)
|
||||
|
||||
if kb.dbms in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
if getIdentifiedDBMS() in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
self.udfInjectSys()
|
||||
elif kb.dbms == DBMS.MSSQL:
|
||||
elif getIdentifiedDBMS() == DBMS.MSSQL:
|
||||
if mandatory:
|
||||
self.xpCmdshellInit()
|
||||
else:
|
||||
|
||||
@@ -19,6 +19,7 @@ from subprocess import PIPE
|
||||
from subprocess import Popen as execute
|
||||
|
||||
from lib.core.common import dataToStdout
|
||||
from lib.core.common import getIdentifiedDBMS
|
||||
from lib.core.common import getLocalIP
|
||||
from lib.core.common import getRemoteIP
|
||||
from lib.core.common import getUnicode
|
||||
@@ -186,13 +187,13 @@ class Metasploit:
|
||||
if __payloadStr == "windows/vncinject":
|
||||
choose = False
|
||||
|
||||
if kb.dbms == DBMS.MYSQL:
|
||||
if getIdentifiedDBMS() == DBMS.MYSQL:
|
||||
debugMsg = "by default MySQL on Windows runs as SYSTEM "
|
||||
debugMsg += "user, it is likely that the the VNC "
|
||||
debugMsg += "injection will be successful"
|
||||
logger.debug(debugMsg)
|
||||
|
||||
elif kb.dbms == DBMS.PGSQL:
|
||||
elif getIdentifiedDBMS() == DBMS.PGSQL:
|
||||
choose = True
|
||||
|
||||
warnMsg = "by default PostgreSQL on Windows runs as "
|
||||
@@ -200,7 +201,7 @@ class Metasploit:
|
||||
warnMsg += "injection will be successful"
|
||||
logger.warn(warnMsg)
|
||||
|
||||
elif kb.dbms == DBMS.MSSQL and kb.dbmsVersion[0] in ( "2005", "2008" ):
|
||||
elif getIdentifiedDBMS() == DBMS.MSSQL and kb.dbmsVersion[0] in ( "2005", "2008" ):
|
||||
choose = True
|
||||
|
||||
warnMsg = "it is unlikely that the VNC injection will be "
|
||||
@@ -229,12 +230,12 @@ class Metasploit:
|
||||
break
|
||||
|
||||
elif choice == "1":
|
||||
if kb.dbms == DBMS.PGSQL:
|
||||
if getIdentifiedDBMS() == DBMS.PGSQL:
|
||||
logger.warn("beware that the VNC injection might not work")
|
||||
|
||||
break
|
||||
|
||||
elif kb.dbms == DBMS.MSSQL and kb.dbmsVersion[0] in ( "2005", "2008" ):
|
||||
elif getIdentifiedDBMS() == DBMS.MSSQL and kb.dbmsVersion[0] in ( "2005", "2008" ):
|
||||
break
|
||||
|
||||
elif not choice.isdigit():
|
||||
@@ -554,7 +555,7 @@ class Metasploit:
|
||||
# This is useful for sqlmap because on PostgreSQL it is not
|
||||
# possible to write files bigger than 8192 bytes abusing the
|
||||
# lo_export() feature implemented in sqlmap.
|
||||
if kb.dbms == DBMS.PGSQL:
|
||||
if getIdentifiedDBMS() == DBMS.PGSQL:
|
||||
self.__fileFormat = "exe-small"
|
||||
else:
|
||||
self.__fileFormat = "exe"
|
||||
@@ -656,7 +657,7 @@ class Metasploit:
|
||||
self.__forgeMsfConsoleResource()
|
||||
self.__forgeMsfConsoleCmd()
|
||||
|
||||
if kb.dbms in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
if getIdentifiedDBMS() in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
self.uncPath = "\\\\\\\\%s\\\\%s" % (self.lhostStr, self.__randFile)
|
||||
else:
|
||||
self.uncPath = "\\\\%s\\%s" % (self.lhostStr, self.__randFile)
|
||||
|
||||
@@ -11,6 +11,7 @@ import os
|
||||
|
||||
from lib.core.agent import agent
|
||||
from lib.core.common import dataToStdout
|
||||
from lib.core.common import getIdentifiedDBMS
|
||||
from lib.core.common import isTechniqueAvailable
|
||||
from lib.core.common import readInput
|
||||
from lib.core.data import conf
|
||||
@@ -50,7 +51,7 @@ class UDF:
|
||||
def __checkExistUdf(self, udf):
|
||||
logger.info("checking if UDF '%s' already exist" % udf)
|
||||
|
||||
query = agent.forgeCaseStatement(queries[kb.dbms].check_udf.query % (udf, udf))
|
||||
query = agent.forgeCaseStatement(queries[getIdentifiedDBMS()].check_udf.query % (udf, udf))
|
||||
exists = inject.getValue(query, resumeValue=False, unpack=False, charsetType=2)
|
||||
|
||||
if exists == "1":
|
||||
@@ -103,7 +104,7 @@ class UDF:
|
||||
return output
|
||||
|
||||
def udfCheckNeeded(self):
|
||||
if ( not conf.rFile or ( conf.rFile and kb.dbms != DBMS.PGSQL ) ) and "sys_fileread" in self.sysUdfs:
|
||||
if ( not conf.rFile or ( conf.rFile and getIdentifiedDBMS() != DBMS.PGSQL ) ) and "sys_fileread" in self.sysUdfs:
|
||||
self.sysUdfs.pop("sys_fileread")
|
||||
|
||||
if not conf.osPwn:
|
||||
@@ -142,9 +143,9 @@ class UDF:
|
||||
if udf in self.udfToCreate and udf not in self.createdUdf:
|
||||
self.udfCreateFromSharedLib(udf, inpRet)
|
||||
|
||||
if kb.dbms == DBMS.MYSQL:
|
||||
if getIdentifiedDBMS() == DBMS.MYSQL:
|
||||
supportTblType = "longtext"
|
||||
elif kb.dbms == DBMS.PGSQL:
|
||||
elif getIdentifiedDBMS() == DBMS.PGSQL:
|
||||
supportTblType = "text"
|
||||
|
||||
self.udfCreateSupportTbl(supportTblType)
|
||||
@@ -155,8 +156,8 @@ class UDF:
|
||||
self.udfInjectCore(self.sysUdfs)
|
||||
|
||||
def udfInjectCustom(self):
|
||||
if kb.dbms not in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
errMsg = "UDF injection feature is not yet implemented on %s" % kb.dbms
|
||||
if getIdentifiedDBMS() not in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
errMsg = "UDF injection feature is not yet implemented on %s" % getIdentifiedDBMS()
|
||||
raise sqlmapUnsupportedFeatureException(errMsg)
|
||||
|
||||
if not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED) and not conf.direct:
|
||||
@@ -235,9 +236,9 @@ class UDF:
|
||||
else:
|
||||
logger.warn("you need to specify the name of the UDF")
|
||||
|
||||
if kb.dbms == DBMS.MYSQL:
|
||||
if getIdentifiedDBMS() == DBMS.MYSQL:
|
||||
defaultType = "string"
|
||||
elif kb.dbms == DBMS.PGSQL:
|
||||
elif getIdentifiedDBMS() == DBMS.PGSQL:
|
||||
defaultType = "text"
|
||||
|
||||
self.udfs[udfName]["input"] = []
|
||||
|
||||
@@ -16,6 +16,7 @@ from lib.core.common import dataToSessionFile
|
||||
from lib.core.common import dataToStdout
|
||||
from lib.core.common import filterControlChars
|
||||
from lib.core.common import getCharset
|
||||
from lib.core.common import getIdentifiedDBMS
|
||||
from lib.core.common import goGoodSamaritan
|
||||
from lib.core.common import getPartRun
|
||||
from lib.core.common import popValue
|
||||
@@ -49,7 +50,6 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
|
||||
finalValue = ""
|
||||
asciiTbl = getCharset(charsetType)
|
||||
timeBasedCompare = (kb.technique in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED))
|
||||
dbms = kb.dbms if kb.dbms else kb.misc.testedDbms
|
||||
|
||||
# Set kb.partRun in case "common prediction" feature (a.k.a. "good
|
||||
# samaritan") is used
|
||||
@@ -121,7 +121,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
|
||||
hintlock.release()
|
||||
|
||||
if hintValue is not None and len(hintValue) >= idx:
|
||||
if dbms in (DBMS.SQLITE, DBMS.ACCESS, DBMS.MAXDB):
|
||||
if getIdentifiedDBMS() in (DBMS.SQLITE, DBMS.ACCESS, DBMS.MAXDB):
|
||||
posValue = hintValue[idx-1]
|
||||
else:
|
||||
posValue = ord(hintValue[idx-1])
|
||||
@@ -454,7 +454,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
|
||||
# check it via equal against the substring-query output
|
||||
if commonPattern is not None:
|
||||
# Substring-query containing equals commonPattern
|
||||
subquery = queries[dbms].substring.query % (expressionUnescaped, 1, len(commonPattern))
|
||||
subquery = queries[getIdentifiedDBMS()].substring.query % (expressionUnescaped, 1, len(commonPattern))
|
||||
testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False)
|
||||
query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (subquery, testValue)))
|
||||
query = agent.suffixQuery(query)
|
||||
|
||||
@@ -15,6 +15,7 @@ from lib.core.common import dataToSessionFile
|
||||
from lib.core.common import dataToStdout
|
||||
from lib.core.common import filterListValue
|
||||
from lib.core.common import getFileItems
|
||||
from lib.core.common import getIdentifiedDBMS
|
||||
from lib.core.common import getPageTextWordsSet
|
||||
from lib.core.common import popValue
|
||||
from lib.core.common import pushValue
|
||||
@@ -31,7 +32,7 @@ from lib.core.session import safeFormatString
|
||||
from lib.request import inject
|
||||
|
||||
def tableExists(tableFile, regex=None):
|
||||
tables = getFileItems(tableFile, lowercase=kb.dbms in (DBMS.ACCESS), unique=True)
|
||||
tables = getFileItems(tableFile, lowercase=getIdentifiedDBMS() in (DBMS.ACCESS), unique=True)
|
||||
retVal = []
|
||||
|
||||
infoMsg = "checking table existence using items from '%s'" % tableFile
|
||||
|
||||
@@ -13,6 +13,7 @@ import time
|
||||
from lib.core.agent import agent
|
||||
from lib.core.common import dataToStdout
|
||||
from lib.core.common import extractRegexResult
|
||||
from lib.core.common import getIdentifiedDBMS
|
||||
from lib.core.common import initTechnique
|
||||
from lib.core.common import randomInt
|
||||
from lib.core.common import replaceNewlineTabs
|
||||
@@ -44,7 +45,7 @@ def errorUse(expression):
|
||||
_, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
|
||||
nulledCastedField = agent.nullAndCastField(fieldToCastStr)
|
||||
|
||||
if kb.dbms == DBMS.MYSQL:
|
||||
if getIdentifiedDBMS() == DBMS.MYSQL:
|
||||
nulledCastedField = nulledCastedField.replace("AS CHAR)", "AS CHAR(100))") # fix for that 'Subquery returns more than 1 row'
|
||||
|
||||
expression = expression.replace(fieldToCastStr, nulledCastedField, 1)
|
||||
|
||||
@@ -12,6 +12,7 @@ import time
|
||||
from lib.core.agent import agent
|
||||
from lib.core.common import clearConsoleLine
|
||||
from lib.core.common import dataToStdout
|
||||
from lib.core.common import getIdentifiedDBMS
|
||||
from lib.core.common import getUnicode
|
||||
from lib.core.common import parseUnionPage
|
||||
from lib.core.common import randomStr
|
||||
@@ -62,7 +63,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, coun
|
||||
# Perform the request
|
||||
resultPage, _ = Request.queryPage(payload, place=place, content=True)
|
||||
|
||||
if resultPage and " UNION ALL SELECT " not in resultPage and (randQuery not in resultPage or randQuery2 not in resultPage):
|
||||
if resultPage and " UNION ALL SELECT " not in resultPage and ((randQuery in resultPage and randQuery2 not in resultPage) or (randQuery not in resultPage and randQuery2 in resultPage)):
|
||||
vector = (position, count, comment, prefix, suffix, conf.uChar, 2)
|
||||
|
||||
break
|
||||
@@ -96,13 +97,13 @@ def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix
|
||||
query = agent.prefixQuery("UNION ALL SELECT %s" % conf.uChar)
|
||||
|
||||
for count in range(conf.uColsStart, conf.uColsStop+1):
|
||||
if kb.dbms == DBMS.ORACLE and query.endswith(" FROM DUAL"):
|
||||
if getIdentifiedDBMS() == DBMS.ORACLE and query.endswith(" FROM DUAL"):
|
||||
query = query[:-len(" FROM DUAL")]
|
||||
|
||||
if count:
|
||||
query += ", %s" % conf.uChar
|
||||
|
||||
if kb.dbms == DBMS.ORACLE:
|
||||
if getIdentifiedDBMS() == DBMS.ORACLE:
|
||||
query += " FROM DUAL"
|
||||
|
||||
status = '%d/%d (%d%s)' % (count, conf.uColsStop, round(100.0*count/conf.uColsStop), '%')
|
||||
|
||||
@@ -14,6 +14,7 @@ from lib.core.agent import agent
|
||||
from lib.core.common import calculateDeltaSeconds
|
||||
from lib.core.common import clearConsoleLine
|
||||
from lib.core.common import dataToStdout
|
||||
from lib.core.common import getIdentifiedDBMS
|
||||
from lib.core.common import getUnicode
|
||||
from lib.core.common import initTechnique
|
||||
from lib.core.common import parseUnionPage
|
||||
@@ -65,12 +66,12 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
|
||||
# NOTE: I assume that only queries that get data from a table can
|
||||
# return multiple entries
|
||||
if " FROM " in expression and "EXISTS(" not in expression:
|
||||
limitRegExp = re.search(queries[kb.dbms].limitregexp.query, expression, re.I)
|
||||
limitRegExp = re.search(queries[getIdentifiedDBMS()].limitregexp.query, expression, re.I)
|
||||
|
||||
if limitRegExp:
|
||||
if kb.dbms in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
limitGroupStart = queries[kb.dbms].limitgroupstart.query
|
||||
limitGroupStop = queries[kb.dbms].limitgroupstop.query
|
||||
if getIdentifiedDBMS() in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
limitGroupStart = queries[getIdentifiedDBMS()].limitgroupstart.query
|
||||
limitGroupStop = queries[getIdentifiedDBMS()].limitgroupstop.query
|
||||
|
||||
if limitGroupStart.isdigit():
|
||||
startLimit = int(limitRegExp.group(int(limitGroupStart)))
|
||||
@@ -78,9 +79,9 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
|
||||
stopLimit = limitRegExp.group(int(limitGroupStop))
|
||||
limitCond = int(stopLimit) > 1
|
||||
|
||||
elif kb.dbms in (DBMS.MSSQL, DBMS.SYBASE):
|
||||
limitGroupStart = queries[kb.dbms].limitgroupstart.query
|
||||
limitGroupStop = queries[kb.dbms].limitgroupstop.query
|
||||
elif getIdentifiedDBMS() in (DBMS.MSSQL, DBMS.SYBASE):
|
||||
limitGroupStart = queries[getIdentifiedDBMS()].limitgroupstart.query
|
||||
limitGroupStop = queries[getIdentifiedDBMS()].limitgroupstop.query
|
||||
|
||||
if limitGroupStart.isdigit():
|
||||
startLimit = int(limitRegExp.group(int(limitGroupStart)))
|
||||
@@ -88,7 +89,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
|
||||
stopLimit = limitRegExp.group(int(limitGroupStop))
|
||||
limitCond = int(stopLimit) > 1
|
||||
|
||||
elif kb.dbms == DBMS.ORACLE:
|
||||
elif getIdentifiedDBMS() == DBMS.ORACLE:
|
||||
limitCond = False
|
||||
else:
|
||||
limitCond = True
|
||||
@@ -102,12 +103,12 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
|
||||
|
||||
# From now on we need only the expression until the " LIMIT "
|
||||
# (or similar, depending on the back-end DBMS) word
|
||||
if kb.dbms in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
if getIdentifiedDBMS() in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
stopLimit += startLimit
|
||||
untilLimitChar = expression.index(queries[kb.dbms].limitstring.query)
|
||||
untilLimitChar = expression.index(queries[getIdentifiedDBMS()].limitstring.query)
|
||||
expression = expression[:untilLimitChar]
|
||||
|
||||
elif kb.dbms in (DBMS.MSSQL, DBMS.SYBASE):
|
||||
elif getIdentifiedDBMS() in (DBMS.MSSQL, DBMS.SYBASE):
|
||||
stopLimit += startLimit
|
||||
elif dump:
|
||||
if conf.limitStart:
|
||||
@@ -116,14 +117,14 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
|
||||
stopLimit = conf.limitStop
|
||||
|
||||
if not stopLimit or stopLimit <= 1:
|
||||
if kb.dbms == DBMS.ORACLE and expression.endswith("FROM DUAL"):
|
||||
if getIdentifiedDBMS() == DBMS.ORACLE and expression.endswith("FROM DUAL"):
|
||||
test = False
|
||||
else:
|
||||
test = True
|
||||
|
||||
if test:
|
||||
# Count the number of SQL query entries output
|
||||
countFirstField = queries[kb.dbms].count.query % expressionFieldsList[0]
|
||||
countFirstField = queries[getIdentifiedDBMS()].count.query % expressionFieldsList[0]
|
||||
countedExpression = origExpr.replace(expressionFields, countFirstField, 1)
|
||||
|
||||
if re.search(" ORDER BY ", expression, re.I):
|
||||
@@ -171,9 +172,9 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
|
||||
|
||||
try:
|
||||
for num in xrange(startLimit, stopLimit):
|
||||
if kb.dbms in (DBMS.MSSQL, DBMS.SYBASE):
|
||||
if getIdentifiedDBMS() in (DBMS.MSSQL, DBMS.SYBASE):
|
||||
field = expressionFieldsList[0]
|
||||
elif kb.dbms == DBMS.ORACLE:
|
||||
elif getIdentifiedDBMS() == DBMS.ORACLE:
|
||||
field = expressionFieldsList
|
||||
else:
|
||||
field = None
|
||||
|
||||
@@ -22,6 +22,7 @@ from lib.core.common import clearConsoleLine
|
||||
from lib.core.common import dataToStdout
|
||||
from lib.core.common import getCompiledRegex
|
||||
from lib.core.common import getFileItems
|
||||
from lib.core.common import getIdentifiedDBMS
|
||||
from lib.core.common import getPublicTypeMembers
|
||||
from lib.core.common import getUnicode
|
||||
from lib.core.common import paths
|
||||
@@ -267,10 +268,10 @@ def hashRecognition(value):
|
||||
|
||||
if value:
|
||||
for name, regex in getPublicTypeMembers(HASH):
|
||||
#hashes for Oracle and old MySQL look the same hence these checks
|
||||
if kb.dbms == DBMS.ORACLE and regex == HASH.MYSQL_OLD:
|
||||
# Hashes for Oracle and old MySQL look the same hence these checks
|
||||
if getIdentifiedDBMS() == DBMS.ORACLE and regex == HASH.MYSQL_OLD:
|
||||
continue
|
||||
elif kb.dbms == DBMS.MYSQL and regex == HASH.ORACLE_OLD:
|
||||
elif getIdentifiedDBMS() == DBMS.MYSQL and regex == HASH.ORACLE_OLD:
|
||||
continue
|
||||
elif getCompiledRegex(regex).match(value):
|
||||
retVal = regex
|
||||
|
||||
@@ -13,6 +13,7 @@ import time
|
||||
from lib.core.common import calculateDeltaSeconds
|
||||
from lib.core.common import dataToSessionFile
|
||||
from lib.core.common import dataToStdout
|
||||
from lib.core.common import getIdentifiedDBMS
|
||||
from lib.core.common import safeStringFormat
|
||||
from lib.core.common import randomStr
|
||||
from lib.core.common import replaceNewlineTabs
|
||||
@@ -33,8 +34,7 @@ def queryOutputLength(expression, payload):
|
||||
Returns the query output length.
|
||||
"""
|
||||
|
||||
lengthQuery = queries[kb.dbms].length.query
|
||||
|
||||
lengthQuery = queries[getIdentifiedDBMS()].length.query
|
||||
select = re.search("\ASELECT\s+", expression, re.I)
|
||||
selectTopExpr = re.search("\ASELECT\s+TOP\s+[\d]+\s+(.+?)\s+FROM", expression, re.I)
|
||||
selectDistinctExpr = re.search("\ASELECT\s+DISTINCT\((.+?)\)\s+FROM", expression, re.I)
|
||||
@@ -60,7 +60,7 @@ def queryOutputLength(expression, payload):
|
||||
if selectDistinctExpr:
|
||||
lengthExpr = "SELECT %s FROM (%s)" % (lengthQuery % regExpr, expression)
|
||||
|
||||
if kb.dbms in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
if getIdentifiedDBMS() in ( DBMS.MYSQL, DBMS.PGSQL ):
|
||||
lengthExpr += " AS %s" % randomStr(lowercase=True)
|
||||
elif select:
|
||||
lengthExpr = expression.replace(regExpr, lengthQuery % regExpr, 1)
|
||||
@@ -142,10 +142,10 @@ def resume(expression, payload):
|
||||
if not payload:
|
||||
return None
|
||||
|
||||
if not kb.dbms:
|
||||
if not getIdentifiedDBMS():
|
||||
return None
|
||||
|
||||
substringQuery = queries[kb.dbms].substring.query
|
||||
substringQuery = queries[getIdentifiedDBMS()].substring.query
|
||||
select = re.search("\ASELECT ", expression, re.I)
|
||||
|
||||
_, length, regExpr = queryOutputLength(expression, payload)
|
||||
|
||||
Reference in New Issue
Block a user