Minor enhancement to fingerprint the back-end DBMS operating system (type,

version, release, distribution, codename and service pack) by parsing the
DBMS banner value when both -f and -b are provided: adapted the code and
added XML files defining regular expressions for matching.

Example of the -f -b output now on MySQL 5.0.67 running on latest Ubuntu:
--8<--
back-end DBMS:	active fingerprint: MySQL >= 5.0.38 and < 5.1.2
                comment injection fingerprint: MySQL 5.0.67
                banner parsing fingerprint: MySQL 5.0.67
                html error message fingerprint: MySQL
back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid)
--8<--

lib/controller/handler.py

@@ -55,7 +55,7 @@ def setHandler():
 
     for dbmsAliases, dbmsEntry in dbmsMap:
         if conf.dbms and conf.dbms not in dbmsAliases:
-            debugMsg  = "skipping to test for %s" % dbmsNames[count]
+            debugMsg  = "skipping test for %s" % dbmsNames[count]
             logger.debug(debugMsg)
             count += 1
             continue

lib/core/common.py

@@ -112,7 +112,7 @@ def paramToDict(place, parameters=None):
     return testableParameters
 
 
-def formatFingerprint(versions=None):
+def formatDBMSfp(versions=None):
     """
     This function format the back-end DBMS fingerprint value and return its
     values formatted as a human readable string.
@@ -130,6 +130,47 @@ def formatFingerprint(versions=None):
         return "%s %s" % (kb.dbms, " and ".join([version for version in versions]))
 
 
+def formatOSfp(info):
+    """
+    This function format the back-end operating system fingerprint value
+    and return its values formatted as a human readable string.
+
+    @return: detected back-end operating system based upon fingerprint
+    techniques.
+    @rtype: C{str}
+    """
+
+    infoStr = ""
+
+    # Example of 'info' dictionary:
+    # {
+    #   'distrib': 'Ubuntu',
+    #   'release': '8.10',
+    #   'codename': 'Intrepid',
+    #   'version': '5.0.67',
+    #   'type': 'Linux'
+    # }
+
+    if not info or 'type' not in info:
+        return infoStr
+    elif info['type'] != "None":
+        infoStr += "back-end DBMS operating system: %s" % info['type']
+
+    if 'distrib' in info and info['distrib'] != "None":
+        infoStr += " %s" % info['distrib']
+
+    if 'release' in info and info['release'] != "None":
+        infoStr += " %s" % info['release']
+
+    if 'sp' in info and info['sp'] != "None":
+        infoStr += " %s" % info['sp']
+
+    if 'codename' in info and info['codename'] != "None":
+        infoStr += " (%s)" % info['codename']
+
+    return infoStr
+
+
 def getHtmlErrorFp():
     """
     This function parses the knowledge base htmlFp list and return its
@@ -442,20 +483,25 @@ def cleanQuery(query):
 
 def setPaths():
     # sqlmap paths
-    paths.SQLMAP_SHELL_PATH  = "%s/shell" % paths.SQLMAP_ROOT_PATH
-    paths.SQLMAP_TXT_PATH    = "%s/txt" % paths.SQLMAP_ROOT_PATH
-    paths.SQLMAP_XML_PATH    = "%s/xml" % paths.SQLMAP_ROOT_PATH
-    paths.SQLMAP_OUTPUT_PATH = "%s/output" % paths.SQLMAP_ROOT_PATH
-    paths.SQLMAP_DUMP_PATH   = paths.SQLMAP_OUTPUT_PATH + "/%s/dump"
-    paths.SQLMAP_FILES_PATH  = paths.SQLMAP_OUTPUT_PATH + "/%s/files"
+    paths.SQLMAP_SHELL_PATH      = "%s/shell" % paths.SQLMAP_ROOT_PATH
+    paths.SQLMAP_TXT_PATH        = "%s/txt" % paths.SQLMAP_ROOT_PATH
+    paths.SQLMAP_XML_PATH        = "%s/xml" % paths.SQLMAP_ROOT_PATH
+    paths.SQLMAP_XML_BANNER_PATH = "%s/banner" % paths.SQLMAP_XML_PATH
+    paths.SQLMAP_OUTPUT_PATH     = "%s/output" % paths.SQLMAP_ROOT_PATH
+    paths.SQLMAP_DUMP_PATH       = paths.SQLMAP_OUTPUT_PATH + "/%s/dump"
+    paths.SQLMAP_FILES_PATH      = paths.SQLMAP_OUTPUT_PATH + "/%s/files"
 
     # sqlmap files
-    paths.SQLMAP_HISTORY    = "%s/.sqlmap_history" % paths.SQLMAP_ROOT_PATH
-    paths.SQLMAP_CONFIG     = "%s/sqlmap-%s.conf" % (paths.SQLMAP_ROOT_PATH, randomStr())
-    paths.FUZZ_VECTORS      = "%s/fuzz_vectors.txt" % paths.SQLMAP_TXT_PATH
-    paths.ERRORS_XML        = "%s/errors.xml" % paths.SQLMAP_XML_PATH
-    paths.MSSQL_XML         = "%s/mssql.xml" % paths.SQLMAP_XML_PATH
-    paths.QUERIES_XML       = "%s/queries.xml" % paths.SQLMAP_XML_PATH
+    paths.SQLMAP_HISTORY         = "%s/.sqlmap_history" % paths.SQLMAP_ROOT_PATH
+    paths.SQLMAP_CONFIG          = "%s/sqlmap-%s.conf" % (paths.SQLMAP_ROOT_PATH, randomStr())
+    paths.FUZZ_VECTORS           = "%s/fuzz_vectors.txt" % paths.SQLMAP_TXT_PATH
+    paths.ERRORS_XML             = "%s/errors.xml" % paths.SQLMAP_XML_PATH
+    paths.QUERIES_XML            = "%s/queries.xml" % paths.SQLMAP_XML_PATH
+    paths.GENERIC_XML            = "%s/generic.xml" % paths.SQLMAP_XML_BANNER_PATH
+    paths.MSSQL_XML              = "%s/mssql.xml" % paths.SQLMAP_XML_BANNER_PATH
+    paths.MYSQL_XML              = "%s/mysql.xml" % paths.SQLMAP_XML_BANNER_PATH
+    paths.ORACLE_XML             = "%s/oracle.xml" % paths.SQLMAP_XML_BANNER_PATH
+    paths.PGSQL_XML              = "%s/postgresql.xml" % paths.SQLMAP_XML_BANNER_PATH
 
 
 def weAreFrozen():

lib/parse/banner.py

@@ -31,25 +31,67 @@ from xml.sax.handler import ContentHandler
 
 from lib.core.common import checkFile
 from lib.core.common import sanitizeStr
+from lib.core.data import kb
+from lib.core.data import paths
 
 
-class bannerHandler(ContentHandler):
+class BannerHandler(ContentHandler):
     """
     This class defines methods to parse and extract information from
     the given DBMS banner based upon the data in XML file
     """
 
+    def __init__(self, banner):
+        self.__banner   = sanitizeStr(banner)
+
+        self.__regexp   = None
+        self.__match    = None
+        self.__position = None
+
+        self.info       = {}
+
+
+    def startElement(self, name, attrs):
+        if name == "regexp":
+            self.__regexp = sanitizeStr(attrs.get("value"))
+            self.__match  = re.search(self.__regexp, self.__banner, re.I | re.M)
+
+        if name == "info" and self.__match:
+            self.__position = sanitizeStr(attrs.get("version"))
+            self.__sp       = sanitizeStr(attrs.get("sp"))
+
+            self.info['type']     = sanitizeStr(attrs.get("type"))
+            self.info['distrib']  = sanitizeStr(attrs.get("distrib"))
+            self.info['release']  = sanitizeStr(attrs.get("release"))
+            self.info['codename'] = sanitizeStr(attrs.get("codename"))
+
+            if self.__position.isdigit():
+                self.info['version'] = self.__match.group(int(self.__position))
+
+            if self.__sp.isdigit():
+                self.info['sp'] = "Service Pack %s" % self.__match.group(int(self.__sp))
+
+            self.__match    = None
+            self.__position = None
+
+
+class MSSQLBannerHandler(ContentHandler):
+    """
+    This class defines methods to parse and extract information from the
+    given Microsoft SQL Server banner based upon the data in XML file
+    """
+
     def __init__(self, banner):
         self.__banner        = sanitizeStr(banner)
-        self.release         = None
-        self.version         = None
-        self.servicePack     = None
+
         self.__inVersion     = False
         self.__inServicePack = False
         self.__release       = None
         self.__version       = ""
         self.__servicePack   = ""
 
+        self.info            = {}
+
 
     def startElement(self, name, attrs):
         if name == "signatures":
@@ -72,9 +114,9 @@ class bannerHandler(ContentHandler):
     def endElement(self, name):
         if name == "signature":
             if re.search(" %s[\.\ ]+" % self.__version, self.__banner):
-                self.release     = self.__release
-                self.version     = self.__version
-                self.servicePack = self.__servicePack
+                self.info['dbmsRelease']     = self.__release
+                self.info['dbmsVersion']     = self.__version
+                self.info['dbmsServicePack'] = self.__servicePack
 
             self.__version     = ""
             self.__servicePack = ""
@@ -89,16 +131,47 @@ class bannerHandler(ContentHandler):
             self.__servicePack = self.__servicePack.replace(" ", "")
 
 
-
-def bannerParser(banner, xmlfile):
+def bannerParser(banner):
     """
     This function calls a class to extract information from the given
     DBMS banner based upon the data in XML file
     """
 
-    checkFile(xmlfile)
     banner = sanitizeStr(banner)
-    handler = bannerHandler(banner)
-    parse(xmlfile, handler)
+    info   = {}
 
-    return handler.release, handler.version, handler.servicePack
+    if kb.dbms == "Microsoft SQL Server":
+        xmlfile = paths.MSSQL_XML
+    elif kb.dbms == "MySQL":
+        xmlfile = paths.MYSQL_XML
+    elif kb.dbms == "Oracle":
+        xmlfile = paths.ORACLE_XML
+    elif kb.dbms == "PostgreSQL":
+        xmlfile = paths.PGSQL_XML
+
+    checkFile(xmlfile)
+
+    if kb.dbms == "Microsoft SQL Server":
+        handler = MSSQLBannerHandler(banner)
+        parse(xmlfile, handler)
+        info = handler.info
+
+        handler = BannerHandler(banner)
+        parse(paths.GENERIC_XML, handler)
+
+        for title, value in handler.info.items():
+            info[title] = value
+    else:
+        handler = BannerHandler(banner)
+        parse(xmlfile, handler)
+        info = handler.info
+
+        if "type" not in info or info["type"] == "None":
+            parse(paths.GENERIC_XML, handler)
+            info["type"] = handler.info["type"]
+
+        if "distrib" not in info or info["distrib"] == "None":
+            parse(paths.GENERIC_XML, handler)
+            info["distrib"] = handler.info["distrib"]
+
+    return info

lib/parse/cmdline.py

@@ -129,7 +129,7 @@ def cmdLineParser():
 
         fingerprint.add_option("-f", "--fingerprint", dest="extensiveFp",
                                action="store_true",
-                               help="Perform an extensive database fingerprint")
+                               help="Perform an extensive DBMS version fingerprint")
 
         # Enumeration options
         enumeration = OptionGroup(parser, "Enumeration", "These options can "