Added support to connect directly also to Oracle - see #158

Bernardo Damele
2010-03-27 21:50:19 +00:00
parent 1416cd0d86
commit a0290a257b
7 changed files with 98 additions and 12 deletions


@@ -628,7 +628,7 @@ def parseTargetDirect():
dbmsDict = { "Microsoft SQL Server": [MSSQL_ALIASES, "python-pymssql", "http://pymssql.sourceforge.net/"],
"MySQL": [MYSQL_ALIASES, "python-mysqldb", "http://mysql-python.sourceforge.net/"],
"PostgreSQL": [PGSQL_ALIASES, "python-psycopg2", "http://initd.org/psycopg/"],
"Oracle": [ORACLE_ALIASES, "", ""],
"Oracle": [ORACLE_ALIASES, "python cx_Oracle", "http://cx-oracle.sourceforge.net/"],
"SQLite": [SQLITE_ALIASES, "", ""],
"Access": [ACCESS_ALIASES, "", ""],
"Firebird": [FIREBIRD_ALIASES, "", ""] }
@@ -642,6 +642,8 @@ def parseTargetDirect():
import MySQLdb
elif dbmsName == "PostgreSQL":
import psycopg2
elif dbmsName == "Oracle":
import cx_Oracle
except ImportError, _:
errMsg = "sqlmap requires %s third-party library " % data[1]
errMsg += "in order to directly connect to the database "
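Review bot: The new `import cx_Oracle` branch falls into the shared `except ImportError, _:` handler, which discards the exception text and always reports that the library is missing. With cx_Oracle an ImportError can also mean the module is installed but the Oracle client shared library it links against could not be loaded, so the message may point the user at the wrong fix. Binding the exception and appending it would make the cause visible, e.g. `except ImportError, e:` with `errMsg += "(%s) " % e`. Separately, the dbmsDict row reads `"python cx_Oracle"` while the other rows use hyphenated package names such as `"python-psycopg2"`. The rest of the handler lies outside the hunk.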


@@ -268,6 +268,9 @@ class Connect:
values = None
select = False
if kb.dbms == "Oracle" and value.startswith("SELECT ") and " FROM " not in value:
value = "%s FROM DUAL" % value
for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
for sqlStatement in sqlStatements:
if value.lower().startswith(sqlStatement) and sqlTitle == "SQL SELECT statement":
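Review bot: The Oracle guard matches case-sensitively (`value.startswith("SELECT ")`, `" FROM " not in value`) while the loop directly below it matches with `value.lower().startswith(...)`. A statement written as `select 1` is left without a FROM clause, and `SELECT 1 from t` gets ` FROM DUAL` appended after its existing FROM clause; a FROM preceded by a newline or tab is missed in the same way. Normalising once would cover the case mismatch, e.g. `upper = value.upper()` followed by `if kb.dbms == "Oracle" and upper.startswith("SELECT ") and " FROM " not in upper:`. The same three lines are repeated in getValue() and goStacked() in the next file, so one shared helper would keep the three copies in step. The enclosing method starts and ends outside the hunk.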


@@ -356,6 +356,9 @@ def getValue(expression, blind=True, inband=True, fromUser=False, expected=None,
values = None
select = False
if kb.dbms == "Oracle" and expression.startswith("SELECT ") and " FROM " not in expression:
expression = "%s FROM DUAL" % expression
for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
for sqlStatement in sqlStatements:
if expression.lower().startswith(sqlStatement) and sqlTitle == "SQL SELECT statement":
@@ -419,6 +422,9 @@ def goStacked(expression, silent=False):
values = None
select = False
if kb.dbms == "Oracle" and expression.startswith("SELECT ") and " FROM " not in expression:
expression = "%s FROM DUAL" % expression
for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
for sqlStatement in sqlStatements:
if expression.lower().startswith(sqlStatement) and sqlTitle == "SQL SELECT statement":