Merge branch 'master' of github.com:sqlmapproject/sqlmap

2025-12-10 09:49:06 +00:00 · 2013-01-11 13:31:49 +00:00
parent 41834e7a5b db91137eda
commit 675e4a026b
132 changed files with 359 additions and 322 deletions
--- a/plugins/dbms/access/fingerprint.py
+++ b/plugins/dbms/access/fingerprint.py
@@ -52,7 +52,7 @@ class Fingerprint(GenericFingerprint):
                      "97":           ("MSysModules2", "MSysAccessObjects"),
                      "2000" :        ("!MSysModules2", "MSysAccessObjects"),
                      "2002-2003" :   ("MSysAccessStorage", "!MSysNavPaneObjectIDs"),
-                      "2007" :        ("MSysAccessStorage", "MSysNavPaneObjectIDs")
+                      "2007" :        ("MSysAccessStorage", "MSysNavPaneObjectIDs"),
                    }
        # MSysAccessXML is not a reliable system table because it doesn't always exist
        # ("Access through Access", p6, should be "normally doesn't exist" instead of "is normally empty")
--- a/plugins/dbms/db2/enumeration.py
+++ b/plugins/dbms/db2/enumeration.py
@@ -17,4 +17,5 @@ class Enumeration(GenericEnumeration):
        warnMsg = "on DB2 it is not possible to list password hashes"
        logger.warn(warnMsg)

-        return {}
+        return {}
+
--- a/plugins/dbms/db2/fingerprint.py
+++ b/plugins/dbms/db2/fingerprint.py
@@ -47,7 +47,7 @@ class Fingerprint(GenericFingerprint):
            return None

    def getFingerprint(self):
-        value  = ""
+        value = ""
        wsOsFp = Format.getOs("web server", kb.headersFp)

        if wsOsFp:
--- a/plugins/dbms/firebird/connector.py
+++ b/plugins/dbms/firebird/connector.py
@@ -40,7 +40,7 @@ class Connector(GenericConnector):

        try:
            self.connector = kinterbasdb.connect(host=self.hostname.encode(UNICODE_ENCODING), database=self.db.encode(UNICODE_ENCODING), \
-                user=self.user.encode(UNICODE_ENCODING), password=self.password.encode(UNICODE_ENCODING), charset="UTF8") #http://www.daniweb.com/forums/thread248499.html
+                user=self.user.encode(UNICODE_ENCODING), password=self.password.encode(UNICODE_ENCODING), charset="UTF8")  # Reference: http://www.daniweb.com/forums/thread248499.html
        except kinterbasdb.OperationalError, msg:
            raise SqlmapConnectionException(msg[1])
        self.setCursor()
--- a/plugins/dbms/firebird/fingerprint.py
+++ b/plugins/dbms/firebird/fingerprint.py
@@ -70,16 +70,16 @@ class Fingerprint(GenericFingerprint):
    def _sysTablesCheck(self):
        retVal = None
        table = (
-                    ("1.0", ["EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)"]),
-                    ("1.5", ["NULLIF(%d,%d) IS NULL", "EXISTS(SELECT CURRENT_TRANSACTION FROM RDB$DATABASE)"]),
-                    ("2.0", ["EXISTS(SELECT CURRENT_TIME(0) FROM RDB$DATABASE)", "BIT_LENGTH(%d)>0", "CHAR_LENGTH(%d)>0"]),
-                    ("2.1", ["BIN_XOR(%d,%d)=0", "PI()>0.%d", "RAND()<1.%d", "FLOOR(1.%d)>=0"])
+                    ("1.0", ("EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)",)),
+                    ("1.5", ("NULLIF(%d,%d) IS NULL", "EXISTS(SELECT CURRENT_TRANSACTION FROM RDB$DATABASE)")),
+                    ("2.0", ("EXISTS(SELECT CURRENT_TIME(0) FROM RDB$DATABASE)", "BIT_LENGTH(%d)>0", "CHAR_LENGTH(%d)>0")),
+                    ("2.1", ("BIN_XOR(%d,%d)=0", "PI()>0.%d", "RAND()<1.%d", "FLOOR(1.%d)>=0")),
                 )

        for i in xrange(len(table)):
            version, checks = table[i]
            failed = False
-            check = checks[randomRange(0, len(checks)-1)].replace("%d", getUnicode(randomRange(1,100)))
+            check = checks[randomRange(0, len(checks) - 1)].replace("%d", getUnicode(randomRange(1, 100)))
            result = inject.checkBooleanExpression(check)

            if result:
--- a/plugins/dbms/maxdb/enumeration.py
+++ b/plugins/dbms/maxdb/enumeration.py
@@ -148,7 +148,7 @@ class Enumeration(GenericEnumeration):

            randStr = randomStr()
            query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(tbl), ("'%s'" % unsafeSQLIdentificatorNaming(conf.db)) if unsafeSQLIdentificatorNaming(conf.db) != "USER" else 'USER')
-            retVal = pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.columnname' % randStr,'%s.datatype' % randStr,'%s.len' % randStr], blind=True)
+            retVal = pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.columnname' % randStr, '%s.datatype' % randStr, '%s.len' % randStr], blind=True)

            if retVal:
                table = {}
--- a/plugins/dbms/mssqlserver/enumeration.py
+++ b/plugins/dbms/mssqlserver/enumeration.py
@@ -42,7 +42,7 @@ class Enumeration(GenericEnumeration):
        areAdmins = set()

        if conf.user:
-            users = [ conf.user ]
+            users = [conf.user]
        elif not len(kb.data.cachedUsers):
            users = self.getUsers()
        else:
@@ -203,7 +203,7 @@ class Enumeration(GenericEnumeration):

                    if not isNoneValue(values):
                        if isinstance(values, basestring):
-                            values = [ values ]
+                            values = [values]

                        for foundTbl in values:
                            if foundTbl is None:
@@ -325,7 +325,7 @@ class Enumeration(GenericEnumeration):

                    if not isNoneValue(values):
                        if isinstance(values, basestring):
-                            values = [ values ]
+                            values = [values]

                        for foundTbl in values:
                            foundTbl = safeSQLIdentificatorNaming(foundTbl, True)
@@ -353,7 +353,7 @@ class Enumeration(GenericEnumeration):
                            if db in foundCols[column]:
                                foundCols[column][db].append(foundTbl)
                            else:
-                                foundCols[column][db] = [ foundTbl ]
+                                foundCols[column][db] = [foundTbl]
                else:
                    foundCols[column][db] = []

--- a/plugins/dbms/mssqlserver/filesystem.py
+++ b/plugins/dbms/mssqlserver/filesystem.py
@@ -44,7 +44,7 @@ class Filesystem(GenericFilesystem):
        for fileLine in xrange(0, len(fileContent), lineLen):
            scrString = ""

-            for lineChar in fileContent[fileLine:fileLine+lineLen]:
+            for lineChar in fileContent[fileLine:fileLine + lineLen]:
                strLineChar = hexencode(lineChar)

                if not scrString:
--- a/plugins/dbms/mssqlserver/takeover.py
+++ b/plugins/dbms/mssqlserver/takeover.py
@@ -41,7 +41,7 @@ class Takeover(GenericTakeover):
                    #"2003-2": ("CHAR(0xe4)+CHAR(0x37)+CHAR(0xea)+CHAR(0x7c)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x17)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x1b)+CHAR(0xa0)+CHAR(0x86)+CHAR(0x7c)", "CHAR(0x1b)+CHAR(0xa0)+CHAR(0x86)+CHAR(0x7c)" ),

                    # 2003 Service Pack 2 updated at 05/2009
-                    "2003-2": ("CHAR(0xc3)+CHAR(0xdb)+CHAR(0x67)+CHAR(0x77)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x47)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)")
+                    "2003-2": ("CHAR(0xc3)+CHAR(0xdb)+CHAR(0x67)+CHAR(0x77)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x47)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)"),

                    # 2003 Service Pack 2 updated at 09/2009
                    #"2003-2": ("CHAR(0xc3)+CHAR(0xc2)+CHAR(0xed)+CHAR(0x7c)", "CHAR(0xf3)+CHAR(0xd9)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x99)+CHAR(0xc8)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x63)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x63)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x17)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0xa4)+CHAR(0xde)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0xa4)+CHAR(0xde)+CHAR(0x8e)+CHAR(0x7c)"),
@@ -68,7 +68,7 @@ class Takeover(GenericTakeover):
        hexStr = binascii.hexlify(self.shellcodeString[:-1])

        for hexPair in xrange(0, len(hexStr), 2):
-            shellcodeChar += "CHAR(0x%s)+" % hexStr[hexPair:hexPair+2]
+            shellcodeChar += "CHAR(0x%s)+" % hexStr[hexPair:hexPair + 2]

        shellcodeChar = shellcodeChar[:-1]

--- a/plugins/dbms/mysql/fingerprint.py
+++ b/plugins/dbms/mysql/fingerprint.py
@@ -174,7 +174,7 @@ class Fingerprint(GenericFingerprint):
            infoMsg = "confirming %s" % DBMS.MYSQL
            logger.info(infoMsg)

-            result = inject.checkBooleanExpression("USER()=USER()")
+            result = inject.checkBooleanExpression("USER() LIKE USER()")

            if not result:
                warnMsg = "the back-end DBMS is not %s" % DBMS.MYSQL
@@ -206,7 +206,7 @@ class Fingerprint(GenericFingerprint):
                elif inject.checkBooleanExpression("@@table_open_cache=@@table_open_cache"):
                    if inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.GLOBAL_STATUS LIMIT 0, 1)" % (randInt, randInt)):
                        Backend.setVersionList([">= 5.1.12", "< 5.5.0"])
-                    elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PROCESSLIST LIMIT 0, 1)" % (randInt,randInt)):
+                    elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PROCESSLIST LIMIT 0, 1)" % (randInt, randInt)):
                        Backend.setVersionList([">= 5.1.7", "< 5.1.12"])
                    elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PARTITIONS LIMIT 0, 1)" % (randInt, randInt)):
                        Backend.setVersion("= 5.1.6")
--- a/plugins/dbms/oracle/connector.py
+++ b/plugins/dbms/oracle/connector.py
@@ -64,10 +64,8 @@ class Connector(GenericConnector):
        try:
            self.cursor.execute(utf8encode(query))
            retVal = True
-        except (cx_Oracle.DatabaseError), msg:
+        except cx_Oracle.DatabaseError, msg:
            logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % msg)
-        except cx_Oracle.InternalError, msg:
-            raise SqlmapConnectionException(msg)

        self.connector.commit()

--- a/plugins/dbms/postgresql/init.py
+++ b/plugins/dbms/postgresql/init.py
@@ -24,10 +24,10 @@ class PostgreSQLMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous,
        self.excludeDbsList = PGSQL_SYSTEM_DBS
        self.sysUdfs = {
                         # UDF name:     UDF parameters' input data-type and return data-type
-                         "sys_exec":     { "input":  [ "text" ], "return": "int4" },
-                         "sys_eval":     { "input":  [ "text" ], "return": "text" },
-                         "sys_bineval":  { "input":  [ "text" ], "return": "int4" },
-                         "sys_fileread": { "input":  [ "text" ], "return": "text" }
+                         "sys_exec":     { "input":  ["text"], "return": "int4" },
+                         "sys_eval":     { "input":  ["text"], "return": "text" },
+                         "sys_bineval":  { "input":  ["text"], "return": "int4" },
+                         "sys_fileread": { "input":  ["text"], "return": "text" }
                       }

        Syntax.__init__(self)
--- a/plugins/dbms/sqlite/syntax.py
+++ b/plugins/dbms/sqlite/syntax.py
@@ -39,7 +39,7 @@ class Syntax(GenericSyntax):
                break

            firstIndex = index
-            index = expression[firstIndex+2:].find("'")
+            index = expression[firstIndex + 2:].find("'")

            if index == -1:
                raise SqlmapSyntaxException("Unenclosed ' in '%s'" % expression)
@@ -49,8 +49,8 @@ class Syntax(GenericSyntax):
            oldUpper = old.upper()
            oldUpper = oldUpper.replace("X'", "").replace("'", "")

-            for i in xrange(len(oldUpper)/2):
-                char = oldUpper[i*2:i*2+2]
+            for i in xrange(len(oldUpper) / 2):
+                char = oldUpper[i * 2:i * 2 + 2]
                escaped = "'%s'" % chr(int(char, 16))
            expression = expression.replace(old, escaped)

--- a/plugins/dbms/sybase/enumeration.py
+++ b/plugins/dbms/sybase/enumeration.py
@@ -60,7 +60,7 @@ class Enumeration(GenericEnumeration):
        areAdmins = set()

        if conf.user:
-            users = [ conf.user ]
+            users = [conf.user]
        elif not len(kb.data.cachedUsers):
            users = self.getUsers()
        else:
@@ -221,7 +221,7 @@ class Enumeration(GenericEnumeration):

            if colList:
                table = {}
-                table[safeSQLIdentificatorNaming(tbl)] = dict(map(lambda x: (x, None), colList))
+                table[safeSQLIdentificatorNaming(tbl)] = dict((_, None) for _ in colList)
                kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)] = table
                continue

@@ -233,7 +233,7 @@ class Enumeration(GenericEnumeration):
            for blind in blinds:
                randStr = randomStr()
                query = rootQuery.inband.query % (conf.db, conf.db, conf.db, conf.db, conf.db, conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl))
-                retVal = pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.name' % randStr,'%s.usertype' % randStr], blind=blind)
+                retVal = pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.name' % randStr, '%s.usertype' % randStr], blind=blind)

                if retVal:
                    table = {}
--- a/plugins/generic/databases.py
+++ b/plugins/generic/databases.py
@@ -13,6 +13,7 @@ from lib.core.common import getLimitRange
 from lib.core.common import isInferenceAvailable
 from lib.core.common import isListLike
 from lib.core.common import isNoneValue
+from lib.core.common import isNullValue
 from lib.core.common import isNumPosStrValue
 from lib.core.common import isTechniqueAvailable
 from lib.core.common import parseSqliteTableSchema
@@ -275,7 +276,7 @@ class Databases:
                values = filter(None, arrayizeValue(values))

                if len(values) > 0 and not isListLike(values[0]):
-                    values = map(lambda x: (dbs[0], x), values)
+                    values = [(dbs[0], _) for _ in values]

                for db, table in filterPairValues(values):
                    db = safeSQLIdentificatorNaming(db)
@@ -524,6 +525,17 @@ class Databases:

                values = inject.getValue(query, blind=False, time=False)

+                if Backend.isDbms(DBMS.MSSQL) and isNoneValue(values):
+                    index, values = 1, []
+                    while True:
+                        query = rootQuery.inband.query2 % (conf.db, tbl, index)
+                        value = unArrayizeValue(inject.getValue(query, blind=False, time=False))
+                        if isNoneValue(value) or value == " ":
+                            break
+                        else:
+                            values.append((value,))
+                            index += 1
+
                if Backend.isDbms(DBMS.SQLITE):
                    parseSqliteTableSchema(unArrayizeValue(values))
                elif not isNoneValue(values):
@@ -536,7 +548,7 @@ class Databases:

                            if name:
                                if len(columnData) == 1:
-                                    columns[name] = ""
+                                    columns[name] = None
                                else:
                                    columns[name] = columnData[1]

@@ -600,17 +612,28 @@ class Databases:

                count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)

-                if not isNumPosStrValue(count):
-                    errMsg = "unable to retrieve the number of columns "
-                    errMsg += "for table '%s' " % unsafeSQLIdentificatorNaming(tbl)
-                    errMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
-                    logger.error(errMsg)
-
-                    continue
-
                table = {}
                columns = {}

+                if not isNumPosStrValue(count):
+                    if Backend.isDbms(DBMS.MSSQL):
+                        count, index, values = 0, 1, []
+                        while True:
+                            query = rootQuery.blind.query3 % (conf.db, tbl, index)
+                            value = unArrayizeValue(inject.getValue(query, union=False, error=False))
+                            if isNoneValue(value) or value == " ":
+                                break
+                            else:
+                                columns[safeSQLIdentificatorNaming(value)] = None
+                                index += 1
+
+                    if not columns:
+                        errMsg = "unable to retrieve the %scolumns " % ("number of " if not Backend.isDbms(DBMS.MSSQL) else "")
+                        errMsg += "for table '%s' " % unsafeSQLIdentificatorNaming(tbl)
+                        errMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
+                        logger.error(errMsg)
+                        continue
+
                for index in getLimitRange(count):
                    if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
                        query = rootQuery.blind.query % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
--- a/plugins/generic/filesystem.py
+++ b/plugins/generic/filesystem.py
@@ -6,7 +6,6 @@ See the file 'doc/COPYING' for copying permission
 """

 import os
-import tempfile

 from lib.core.agent import agent
 from lib.core.common import dataToOutFile
@@ -16,7 +15,6 @@ from lib.core.common import decodeHexValue
 from lib.core.common import isNumPosStrValue
 from lib.core.common import isListLike
 from lib.core.common import isTechniqueAvailable
-from lib.core.common import randomStr
 from lib.core.common import readInput
 from lib.core.data import conf
 from lib.core.data import kb
@@ -117,7 +115,7 @@ class Filesystem:
        if not single:
            if len(content) > 256:
                for i in xrange(0, len(content), 256):
-                    _ = content[i:i+256]
+                    _ = content[i:i + 256]

                    if encoding == "hex":
                        _ = "0x%s" % _
@@ -132,7 +130,7 @@ class Filesystem:
            elif encoding == "base64":
                content = "'%s'" % content

-            retVal = [ content ]
+            retVal = [content]

        return retVal

--- a/plugins/generic/takeover.py
+++ b/plugins/generic/takeover.py
@@ -184,9 +184,9 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
                        goUdf = True

                if goUdf:
-                    exitfunc="thread"
+                    exitfunc = "thread"
                else:
-                    exitfunc="process"
+                    exitfunc = "process"

                self.createMsfShellcode(exitfunc=exitfunc, format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed")