Minor enhancement to fingerprint the back-end DBMS operating system (type,

version, release, distribution, codename and service pack) by parsing the DBMS banner value when both -f and -b are provided: adapted the code and added XML files defining regular expressions for matching. Example of the -f -b output now on MySQL 5.0.67 running on latest Ubuntu: --8<-- back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2 comment injection fingerprint: MySQL 5.0.67 banner parsing fingerprint: MySQL 5.0.67 html error message fingerprint: MySQL back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid) --8<--
2026-01-07 07:09:02 +00:00 · 2008-11-15 23:41:31 +00:00
parent 84cbc60659
commit fa0507ab39
15 changed files with 372 additions and 69 deletions
--- a/xml/banner/generic.xml
+++ b/xml/banner/generic.xml
@@ -0,0 +1,86 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<root>
+    <!-- Windows -->
+    <regexp value="(Windows|Win32)">
+        <info type="Windows"/>
+    </regexp>
+
+    <regexp value="Microsoft.*7\.0.*Service Pack (\d)">
+        <info type="Windows" distrib="Vista" sp="1"/>
+    </regexp>
+
+    <regexp value="Microsoft.*6\.0.*Service Pack (\d)">
+        <info type="Windows" distrib="2003" sp="1"/>
+    </regexp>
+
+    <regexp value="Microsoft.*5\.1.*Service Pack (\d)">
+        <info type="Windows" distrib="XP" sp="1"/>
+    </regexp>
+
+    <regexp value="Microsoft.*5\.0.*Service Pack (\d)">
+        <info type="Windows" distrib="2000" sp="1"/>
+    </regexp>
+
+    <!-- Linux -->
+    <regexp value="Linux">
+        <info type="Linux"/>
+    </regexp>
+
+    <regexp value="Cobalt">
+        <info type="Linux" distrib="Cobalt"/>
+    </regexp>
+
+    <regexp value="Conectiva">
+        <info type="Linux" distrib="Conectiva"/>
+    </regexp>
+
+    <regexp value="Debian">
+        <info type="Linux" distrib="Debian or Ubuntu"/>
+    </regexp>
+
+    <regexp value="Fedora">
+        <info type="Linux" distrib="Fedora"/>
+    </regexp>
+
+    <regexp value="Gentoo">
+        <info type="Linux" distrib="Gentoo"/>
+    </regexp>
+
+    <regexp value="Knoppix">
+        <info type="Linux" distrib="Knoppix"/>
+    </regexp>
+
+    <regexp value="(Mandrake|Mandriva)">
+        <info type="Linux" distrib="Mandrake"/>
+    </regexp>
+
+    <regexp value="Red[\-\_\ ]*Hat">
+        <info type="Linux" distrib="RedHat"/>
+    </regexp>
+
+    <regexp value="SuSE">
+        <info type="Linux" distrib="SuSE"/>
+    </regexp>
+
+    <regexp value="Ubuntu">
+        <info type="Linux" distrib="Ubuntu"/>
+    </regexp>
+
+    <!-- Unices -->
+    <regexp value="FreeBSD">
+        <info type="FreeBSD"/>
+    </regexp>
+
+    <regexp value="NetBSD">
+        <info type="NetBSD"/>
+    </regexp>
+
+    <regexp value="OpenBSD">
+        <info type="OpenBSD"/>
+    </regexp>
+
+    <regexp value="Darwin">
+        <info type="Mac OSX"/>
+    </regexp>
+</root>
--- a/xml/banner/mssql.xml
+++ b/xml/banner/mssql.xml
--- a/xml/banner/mysql.xml
+++ b/xml/banner/mysql.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<root>
+    <!-- Generic -->
+    <regexp value="^([\d\.\-]+)[\-\_\ ].*">
+        <info version="1"/>
+    </regexp>
+
+    <!-- Windows -->
+    <regexp value="^([\d\.\-]+)[\-\_\ ].*nt$">
+        <info version="1" type="Windows"/>
+    </regexp>
+
+    <!-- Debian -->
+    <regexp value="^([\d\.]+)[\-\_]Debian[\-\_][\d\.]+potato">
+        <info version="1" type="Linux" distrib="Debian" release="2.1" codename="Potato"/>
+    </regexp>
+
+    <regexp value="^([\d\.]+)[\-\_]Debian[\-\_][\d\.]+woody">
+        <info version="1" type="Linux" distrib="Debian" release="3.0" codename="Woody"/>
+    </regexp>
+
+    <regexp value="^([\d\.]+)[\-\_]Debian[\-\_][\d\.]+sarge">
+        <info version="1" type="Linux" distrib="Debian" release="3.1" codename="Sarge"/>
+    </regexp>
+
+    <regexp value="^([\d\.]+)[\-\_]Debian[\-\_][\d\.]+etch">
+        <info version="1" type="Linux" distrib="Debian" release="4.0" codename="Etch"/>
+    </regexp>
+
+    <regexp value="^([\d\.]+)[\-\_]Debian[\-\_][\d\.]+(sid|unstable)">
+        <info version="1" type="Linux" distrib="Debian" codename="Unstable"/>
+    </regexp>
+
+    <regexp value="^([\d\.]+)[\-\_]Debian[\-\_][\d\.]+testing">
+        <info version="1" type="Linux" distrib="Debian" codename="Testing"/>
+    </regexp>
+
+    <!-- Ubuntu -->
+    <regexp value="(5\.0\.67)-0ubuntu6">
+        <info version="1" type="Linux" distrib="Ubuntu" release="8.10" codename="Intrepid"/>
+    </regexp>
+</root>
--- a/xml/banner/oracle.xml
+++ b/xml/banner/oracle.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<root>
+    <!-- Generic -->
+    <regexp value="^Oracle\s+.*Release\s+([\d\.]+)\s+">
+        <info version="1"/>
+    </regexp>
+</root>
--- a/xml/banner/postgresql.xml
+++ b/xml/banner/postgresql.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<root>
+    <!-- Generic -->
+    <regexp value="PostgreSQL\s+([\w\.]+)">
+        <info version="1"/>
+    </regexp>
+
+    <!-- Ubuntu -->
+    <regexp value="PostgreSQL\s+(8\.2\.7)\s+on\s+.*?\s+\(Ubuntu 4\.2\.3-2ubuntu4\)">
+        <info version="1" type="Linux" distrib="Ubuntu" release="8.10" codename="Intrepid"/>
+    </regexp>
+</root>
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -75,6 +75,10 @@
        <timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d00)"/>
        <substring query="SUBSTR((%s), %d, %d)"/>
        <inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
+        <!--
+             TODO: the following query does not work with inband SQL injection:
+             SELECT banner FROM (SELECT banner, ROWNUM AS limit FROM v$version) WHERE limit=4
+        -->
        <banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
        <current_user query="SELECT SYS.LOGIN_USER FROM DUAL"/>
        <current_db query="SELECT SYS.DATABASE_NAME FROM DUAL"/>