Minor enhancement to fingerprint the back-end DBMS operating system (type,

version, release, distribution, codename and service pack) by parsing the DBMS banner value when both -f and -b are provided: adapted the code and added XML files defining regular expressions for matching. Example of the -f -b output now on MySQL 5.0.67 running on latest Ubuntu: --8<-- back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2 comment injection fingerprint: MySQL 5.0.67 banner parsing fingerprint: MySQL 5.0.67 html error message fingerprint: MySQL back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid) --8<--
2025-12-06 12:41:30 +00:00 · 2008-11-15 23:41:31 +00:00
parent 84cbc60659
commit fa0507ab39
15 changed files with 372 additions and 69 deletions
--- a/plugins/dbms/mysql.py
+++ b/plugins/dbms/mysql.py
@@ -28,7 +28,8 @@ import re

 from lib.core.agent import agent
 from lib.core.common import fileToStr
-from lib.core.common import formatFingerprint
+from lib.core.common import formatDBMSfp
+from lib.core.common import formatOSfp
 from lib.core.common import getDirectories
 from lib.core.common import getHtmlErrorFp
 from lib.core.common import randomInt
@@ -43,6 +44,7 @@ from lib.core.settings import MYSQL_ALIASES
 from lib.core.settings import MYSQL_SYSTEM_DBS
 from lib.core.shell import autoCompletion
 from lib.core.unescaper import unescaper
+from lib.parse.banner import bannerParser
 from lib.request import inject
 from lib.request.connect import Connect as Request
 #from lib.utils.fuzzer import passiveFuzzing
@@ -180,26 +182,28 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):


    def getFingerprint(self):
-        actVer = formatFingerprint()
+        actVer = formatDBMSfp()

        if not conf.extensiveFp:
            return actVer

-        blank = " " * 16
-        value = "active fingerprint: %s" % actVer
-        comVer = self.__commentCheck()
+        comVer     = self.__commentCheck()
+        blank      = " " * 16
+        formatInfo = None
+        value      = "active fingerprint: %s" % actVer

        if comVer:
-            comVer = formatFingerprint([comVer])
+            comVer = formatDBMSfp([comVer])
            value += "\n%scomment injection fingerprint: %s" % (blank, comVer)

        if self.banner:
-            banVer = re.search("^([\d\.]+)", self.banner)
-            banVer = banVer.groups()[0]
+            info       = bannerParser(self.banner)
+            formatInfo = formatOSfp(info)
+
+            banVer = info['version']
            if re.search("-log$", self.banner):
                banVer += ", logging enabled"
-            banVer = formatFingerprint([banVer])
-
+            banVer = formatDBMSfp([banVer])
            value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)

        #passiveFuzzing()
@@ -208,6 +212,9 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Takeover):
        if htmlParsed:
            value += "\n%shtml error message fingerprint: %s" % (blank, htmlParsed)

+        if formatInfo:
+            value += "\n%s" % formatInfo
+
        return value