def getFingerprint(self):
    """
    Build the fingerprint report for an Oracle back-end as one string.

    The report starts with the web server line (when formatFingerprint()
    yields one), optionally the back-end DBMS operating system line, and
    the "back-end DBMS: " label. Without conf.extensiveFp the label is
    followed by the literal "Oracle" and nothing else; with it, the
    active, banner parsing and HTML error message fingerprints follow.

    Returns:
        The assembled report text.
    """
    # NOTE(review): kb.headersFp / kb.bannerFp presumably hold values parsed
    # from the remote server's responses; treat the returned text as
    # untrusted when it is logged or rendered elsewhere.
    pieces = []

    serverFp = formatFingerprint("web server", kb.headersFp)
    if serverFp:
        pieces.append("%s\n" % serverFp)

    # The DBMS operating system line is only attempted once a banner exists.
    if kb.data.banner:
        osFp = formatFingerprint("back-end DBMS", kb.bannerFp)
        if osFp:
            pieces.append("%s\n" % osFp)

    pieces.append("back-end DBMS: ")

    if not conf.extensiveFp:
        pieces.append("Oracle")
        return "".join(pieces)

    activeFp = formatDBMSfp()
    indent = " " * 15
    pieces.append("active fingerprint: %s" % activeFp)

    if kb.bannerFp:
        # A banner record without a parsed version is passed on as None.
        if 'dbmsVersion' in kb.bannerFp:
            parsed = kb.bannerFp["dbmsVersion"]
        else:
            parsed = None
        bannerFp = formatDBMSfp([parsed])
        pieces.append("\n%sbanner parsing fingerprint: %s" % (indent, bannerFp))

    errorFp = getHtmlErrorFp()
    if errorFp:
        pieces.append("\n%shtml error message fingerprint: %s" % (indent, errorFp))

    return "".join(pieces)
def getFingerprint(self):
    """
    Build the fingerprint report for this back-end as one string.

    The report starts with the web server line (when formatFingerprint()
    yields one), optionally the back-end DBMS operating system line, and
    the "back-end DBMS: " label. Without conf.extensiveFp the label is
    followed by DBMS.MAXDB and nothing else; with it, the active
    fingerprint (including the result of the version check), a banner
    placeholder and the HTML error message fingerprint follow.

    Returns:
        The assembled report text.
    """
    # NOTE(review): kb.headersFp / kb.bannerFp presumably hold values parsed
    # from the remote server's responses; treat the returned text as
    # untrusted when it is logged or rendered elsewhere.
    pieces = []

    serverFp = formatFingerprint("web server", kb.headersFp)
    if serverFp:
        pieces.append("%s\n" % serverFp)

    # The DBMS operating system line is only attempted once a banner exists.
    if kb.data.banner:
        osFp = formatFingerprint("back-end DBMS", kb.bannerFp)
        if osFp:
            pieces.append("%s\n" % osFp)

    pieces.append("back-end DBMS: ")

    if not conf.extensiveFp:
        return "".join(pieces) + DBMS.MAXDB

    # formatDBMSfp() runs before the version check, left to right.
    activeFp = formatDBMSfp() + " (%s)" % self.__versionCheck()
    indent = " " * 15
    pieces.append("active fingerprint: %s" % activeFp)

    if kb.bannerFp:
        # No version is taken from the banner here; a dash is printed instead.
        pieces.append("\n%sbanner parsing fingerprint: -" % indent)

    errorFp = getHtmlErrorFp()
    if errorFp:
        pieces.append("\n%shtml error message fingerprint: %s" % (indent, errorFp))

    return "".join(pieces)
def getFingerprint(self):
    """
    Build the fingerprint report for a PostgreSQL back-end as one string.

    The report starts with the web server line (when formatFingerprint()
    yields one), optionally the back-end DBMS operating system line, and
    the "back-end DBMS: " label. Without conf.extensiveFp the label is
    followed by the literal "PostgreSQL" and nothing else; with it, the
    active, banner parsing and HTML error message fingerprints follow.

    Returns:
        The assembled report text.
    """
    # NOTE(review): kb.headersFp / kb.bannerFp presumably hold values parsed
    # from the remote server's responses; treat the returned text as
    # untrusted when it is logged or rendered elsewhere.
    pieces = []

    serverFp = formatFingerprint("web server", kb.headersFp)
    if serverFp:
        pieces.append("%s\n" % serverFp)

    # The DBMS operating system line is only attempted once a banner exists.
    if self.banner:
        osFp = formatFingerprint("back-end DBMS", kb.bannerFp)
        if osFp:
            pieces.append("%s\n" % osFp)

    pieces.append("back-end DBMS: ")

    if not conf.extensiveFp:
        pieces.append("PostgreSQL")
        return "".join(pieces)

    activeFp = formatDBMSfp()
    indent = " " * 15
    pieces.append("active fingerprint: %s" % activeFp)

    if kb.bannerFp:
        # NOTE(review): direct indexing raises KeyError when the banner
        # record carries no "dbmsVersion" entry; confirm the parser always
        # sets it.
        bannerFp = formatDBMSfp([kb.bannerFp["dbmsVersion"]])
        pieces.append("\n%sbanner parsing fingerprint: %s" % (indent, bannerFp))

    errorFp = getHtmlErrorFp()
    if errorFp:
        pieces.append("\n%shtml error message fingerprint: %s" % (indent, errorFp))

    return "".join(pieces)
def getFingerprint(self):
    """
    Build the fingerprint report for this back-end as one string.

    The report starts with the web server line (when formatFingerprint()
    yields one), optionally the back-end DBMS operating system line, and
    the "back-end DBMS: " label. Without conf.extensiveFp the label is
    followed by formatDBMSfp() and nothing else; with it, the active,
    comment injection, banner parsing and HTML error message
    fingerprints follow.

    Returns:
        The assembled report text.
    """
    # NOTE(review): kb.headersFp / kb.bannerFp presumably hold values parsed
    # from the remote server's responses; treat the returned text as
    # untrusted when it is logged or rendered elsewhere.
    pieces = []

    serverFp = formatFingerprint("web server", kb.headersFp)
    if serverFp:
        pieces.append("%s\n" % serverFp)

    # The DBMS operating system line is only attempted once a banner exists.
    if self.banner:
        osFp = formatFingerprint("back-end DBMS", kb.bannerFp)
        if osFp:
            pieces.append("%s\n" % osFp)

    pieces.append("back-end DBMS: ")
    activeFp = formatDBMSfp()

    if not conf.extensiveFp:
        return "".join(pieces) + activeFp

    # The comment check is only run for the extensive report.
    commentFp = self.__commentCheck()
    indent = " " * 15
    pieces.append("active fingerprint: %s" % activeFp)

    if commentFp:
        commentFp = formatDBMSfp([commentFp])
        pieces.append("\n%scomment injection fingerprint: %s" % (indent, commentFp))

    if kb.bannerFp:
        # TODO: move to the XML banner file
        # NOTE(review): direct indexing raises KeyError when the banner
        # record carries no "dbmsVersion" entry; confirm the parser always
        # sets it.
        parsed = kb.bannerFp["dbmsVersion"]

        # A banner ending in "-log" is reported as having logging enabled.
        if re.search("-log$", self.banner):
            parsed += ", logging enabled"

        bannerFp = formatDBMSfp([parsed])
        pieces.append("\n%sbanner parsing fingerprint: %s" % (indent, bannerFp))

    errorFp = getHtmlErrorFp()
    if errorFp:
        pieces.append("\n%shtml error message fingerprint: %s" % (indent, errorFp))

    return "".join(pieces)
def getFingerprint(self):
    """
    Build the fingerprint report for this back-end as one string.

    The report starts with the web server line (when formatFingerprint()
    yields one), optionally the back-end DBMS operating system line, and
    the "back-end DBMS: " label. Without conf.extensiveFp the label is
    followed by formatDBMSfp() and nothing else; with it, the active
    fingerprint, a "Microsoft SQL Server" banner line (only when
    release, version and service pack are all known) and the HTML error
    message fingerprint follow.

    Returns:
        The assembled report text.
    """
    # NOTE(review): kb.headersFp / kb.bannerFp presumably hold values parsed
    # from the remote server's responses; treat the returned text as
    # untrusted when it is logged or rendered elsewhere.
    pieces = []

    serverFp = formatFingerprint("web server", kb.headersFp)
    if serverFp:
        pieces.append("%s\n" % serverFp)

    # The DBMS operating system line is only attempted once a banner exists.
    if self.banner:
        osFp = formatFingerprint("back-end DBMS", kb.bannerFp)
        if osFp:
            pieces.append("%s\n" % osFp)

    pieces.append("back-end DBMS: ")
    activeFp = formatDBMSfp()

    if not conf.extensiveFp:
        return "".join(pieces) + activeFp

    indent = " " * 15
    pieces.append("active fingerprint: %s" % activeFp)

    if kb.bannerFp:
        # NOTE(review): the three lookups below raise KeyError when the
        # banner record lacks an entry; confirm the parser always sets them.
        release = kb.bannerFp["dbmsRelease"]
        version = kb.bannerFp["dbmsVersion"]
        servicepack = kb.bannerFp["dbmsServicePack"]

        # The banner line is emitted only when all three parts are present.
        if release and version and servicepack:
            bannerFp = (
                ("Microsoft SQL Server %s " % release)
                + ("Service Pack %s " % servicepack)
                + ("version %s" % version)
            )
            pieces.append("\n%sbanner parsing fingerprint: %s" % (indent, bannerFp))

    errorFp = getHtmlErrorFp()
    if errorFp:
        pieces.append("\n%shtml error message fingerprint: %s" % (indent, errorFp))

    return "".join(pieces)
def getFingerprint(self):
    """
    Build the fingerprint report for this back-end as one string.

    The report starts with the web server line (when formatFingerprint()
    yields one), optionally the back-end DBMS operating system line, and
    the "back-end DBMS: " label. Without conf.extensiveFp the label is
    followed by formatDBMSfp() and nothing else; with it, the active
    fingerprint, a "Microsoft SQL Server" banner line (only when
    release, version and service pack are all known) and the HTML error
    message fingerprint follow.

    Returns:
        The assembled report text.
    """
    # NOTE(review): kb.headersFp / kb.bannerFp presumably hold values parsed
    # from the remote server's responses; treat the returned text as
    # untrusted when it is logged or rendered elsewhere.
    pieces = []

    serverFp = formatFingerprint("web server", kb.headersFp)
    if serverFp:
        pieces.append("%s\n" % serverFp)

    # The DBMS operating system line is only attempted once a banner exists.
    if kb.data.banner:
        osFp = formatFingerprint("back-end DBMS", kb.bannerFp)
        if osFp:
            pieces.append("%s\n" % osFp)

    pieces.append("back-end DBMS: ")
    activeFp = formatDBMSfp()

    if not conf.extensiveFp:
        return "".join(pieces) + activeFp

    indent = " " * 15
    pieces.append("active fingerprint: %s" % activeFp)

    if kb.bannerFp:
        # Entries missing from the banner record are read as None.
        release = None
        if 'dbmsRelease' in kb.bannerFp:
            release = kb.bannerFp["dbmsRelease"]

        version = None
        if 'dbmsVersion' in kb.bannerFp:
            version = kb.bannerFp["dbmsVersion"]

        servicepack = None
        if 'dbmsServicePack' in kb.bannerFp:
            servicepack = kb.bannerFp["dbmsServicePack"]

        # The banner line is emitted only when all three parts are present.
        if release and version and servicepack:
            bannerFp = (
                ("Microsoft SQL Server %s " % release)
                + ("Service Pack %s " % servicepack)
                + ("version %s" % version)
            )
            pieces.append("\n%sbanner parsing fingerprint: %s" % (indent, bannerFp))

    errorFp = getHtmlErrorFp()
    if errorFp:
        pieces.append("\n%shtml error message fingerprint: %s" % (indent, errorFp))

    return "".join(pieces)
def getFingerprint(self):
    """
    Build the fingerprint report for a Microsoft Access back-end.

    The report starts with the web server line (when formatFingerprint()
    yields one), optionally the back-end DBMS operating system line, and
    the "back-end DBMS: " label. Without conf.extensiveFp the label is
    followed by the literal "Microsoft Access" and nothing else; with
    it, the active fingerprint (including the sandbox check result), the
    banner parsing and HTML error message fingerprints and a final
    "database directory" line follow.

    Returns:
        The assembled report text.
    """
    # NOTE(review): kb.headersFp / kb.bannerFp presumably hold values parsed
    # from the remote server's responses; treat the returned text as
    # untrusted when it is logged or rendered elsewhere.
    pieces = []

    serverFp = formatFingerprint("web server", kb.headersFp)
    if serverFp:
        pieces.append("%s\n" % serverFp)

    # The DBMS operating system line is only attempted once a banner exists.
    if kb.data.banner:
        osFp = formatFingerprint("back-end DBMS", kb.bannerFp)
        if osFp:
            pieces.append("%s\n" % osFp)

    pieces.append("back-end DBMS: ")

    if not conf.extensiveFp:
        pieces.append("Microsoft Access")
        return "".join(pieces)

    # formatDBMSfp() runs before the sandbox check, left to right.
    activeFp = formatDBMSfp() + " (%s)" % (self.__sandBoxCheck())
    indent = " " * 15
    pieces.append("active fingerprint: %s" % activeFp)

    if kb.bannerFp:
        # NOTE(review): direct indexing raises KeyError when the banner
        # record carries no "dbmsVersion" entry; confirm the parser always
        # sets it.
        parsed = kb.bannerFp["dbmsVersion"]

        # NOTE(review): the "-log" suffix test looks carried over from
        # another DBMS plugin; confirm it is meaningful for this back-end.
        if re.search("-log$", kb.data.banner):
            parsed += ", logging enabled"

        bannerFp = formatDBMSfp([parsed])
        pieces.append("\n%sbanner parsing fingerprint: %s" % (indent, bannerFp))

    errorFp = getHtmlErrorFp()
    if errorFp:
        pieces.append("\n%shtml error message fingerprint: %s" % (indent, errorFp))

    # The directory line is always appended in the extensive report.
    pieces.append("\ndatabase directory: '%s'" % self.__getDatabaseDir())

    return "".join(pieces)
def action():
    """
    Run every action enabled in conf against the back-end DBMS reached
    through the SQL injection on the affected url parameter.

    The DBMS handler is chosen first with setHandler() and stored in
    conf.dbmsHandler; its fingerprint is printed, then each enabled
    option is executed in a fixed order: techniques, enumeration,
    user-defined functions, file system, operating system, Windows
    registry and finally cleanup.

    Raises:
        sqlmapUnsupportedDBMSException: when no handler could be chosen.
    """
    # Every later step goes through the handler, so the back-end DBMS has
    # to be identified before anything else.
    conf.dbmsHandler = setHandler()

    if not conf.dbmsHandler:
        detected = getHtmlErrorFp()

        message = ("sqlmap was not able to fingerprint the "
                   "back-end database management system")

        if detected:
            message += (", but from the HTML error page it was "
                        "possible to determinate that the ")
            message += "back-end DBMS is %s" % detected

        if detected and detected.lower() in SUPPORTED_DBMS:
            message += (". Do not specify the back-end DBMS manually, "
                        "sqlmap will fingerprint the DBMS for you")
        else:
            message += (". Support for this DBMS will be implemented if "
                        "you ask, just drop us an email")

        # Call form; equivalent to the two-argument raise statement.
        raise sqlmapUnsupportedDBMSException(message)

    print("%s\n" % conf.dbmsHandler.getFingerprint())

    # Techniques options
    if conf.stackedTest:
        dumper.string("stacked queries support", stackedTest())

    if conf.timeTest:
        dumper.string("time based blind sql injection payload", timeTest())

    # The union test is skipped once a union position is already known.
    if (conf.unionUse or conf.unionTest) and not kb.unionPosition:
        dumper.string("valid union", unionTest())

    # Enumeration options
    if conf.getBanner:
        dumper.string("banner", conf.dbmsHandler.getBanner())

    if conf.getCurrentUser:
        dumper.string("current user", conf.dbmsHandler.getCurrentUser())

    if conf.getCurrentDb:
        dumper.string("current database", conf.dbmsHandler.getCurrentDb())

    if conf.isDba:
        dumper.string("current user is DBA", conf.dbmsHandler.isDba())

    if conf.getUsers:
        dumper.lister("database management system users", conf.dbmsHandler.getUsers())

    if conf.getPasswordHashes:
        dumper.userSettings("database management system users password hashes",
                            conf.dbmsHandler.getPasswordHashes(),
                            "password hash")

    if conf.getPrivileges:
        dumper.userSettings("database management system users privileges",
                            conf.dbmsHandler.getPrivileges(),
                            "privilege")

    if conf.getDbs:
        dumper.lister("available databases", conf.dbmsHandler.getDbs())

    if conf.getTables:
        dumper.dbTables(conf.dbmsHandler.getTables())

    if conf.getColumns:
        dumper.dbTableColumns(conf.dbmsHandler.getColumns())

    if conf.dumpTable:
        dumper.dbTableValues(conf.dbmsHandler.dumpTable())

    if conf.dumpAll:
        conf.dbmsHandler.dumpAll()

    if conf.query:
        dumper.string(conf.query, conf.dbmsHandler.sqlQuery(conf.query))

    if conf.sqlShell:
        conf.dbmsHandler.sqlShell()

    # User-defined function options
    if conf.udfInject:
        conf.dbmsHandler.udfInjectCustom()

    # File system options
    if conf.rFile:
        dumper.string("%s file saved to" % conf.rFile,
                      conf.dbmsHandler.readFile(conf.rFile),
                      sort=False)

    if conf.wFile:
        conf.dbmsHandler.writeFile(conf.wFile, conf.dFile, conf.wFileType)

    # Operating system options
    if conf.osCmd:
        conf.dbmsHandler.osCmd()

    if conf.osShell:
        conf.dbmsHandler.osShell()

    if conf.osPwn:
        conf.dbmsHandler.osPwn()

    if conf.osSmb:
        conf.dbmsHandler.osSmb()

    if conf.osBof:
        conf.dbmsHandler.osBof()

    # Windows registry options
    if conf.regRead:
        dumper.string("Registry key value data", conf.dbmsHandler.regRead())

    if conf.regAdd:
        conf.dbmsHandler.regAdd()

    if conf.regDel:
        conf.dbmsHandler.regDel()

    # Miscellaneous options
    # Cleanup runs last, after every other enabled option.
    if conf.cleanup:
        conf.dbmsHandler.cleanup()
def action():
    """
    Run every action enabled in conf against the back-end DBMS reached
    through the SQL injection on the affected url parameter.

    The DBMS handler is chosen first with setHandler() and stored in
    conf.dbmsHandler; its fingerprint is printed, then each enabled
    option is executed in a fixed order: techniques, enumeration, file
    system and takeover.

    Raises:
        sqlmapUnsupportedDBMSException: when no handler could be chosen.
    """
    # Every later step goes through the handler, so the back-end DBMS has
    # to be identified before anything else.
    conf.dbmsHandler = setHandler()

    if not conf.dbmsHandler:
        detected = getHtmlErrorFp()

        message = ("sqlmap was not able to fingerprint the "
                   "back-end database management system")

        if detected:
            message += (", but from the HTML error page it was "
                        "possible to determinate that the ")
            message += "back-end DBMS is %s" % detected

        if detected and detected.lower() in SUPPORTED_DBMS:
            message += (". Do not specify the back-end DBMS manually, "
                        "sqlmap will fingerprint the DBMS for you")
        else:
            message += (". Support for this DBMS will be implemented if "
                        "you ask, just drop us an email")

        # Call form; equivalent to the two-argument raise statement.
        raise sqlmapUnsupportedDBMSException(message)

    print("%s\n" % conf.dbmsHandler.getFingerprint())

    # Techniques options
    if conf.stackedTest:
        dumper.string("stacked queries support", stackedTest())

    if conf.timeTest:
        dumper.string("time based blind sql injection payload", timeTest())

    if conf.unionTest:
        dumper.string("valid union", unionTest())

    # Enumeration options
    if conf.getBanner:
        dumper.string("banner", conf.dbmsHandler.getBanner())

    if conf.getCurrentUser:
        dumper.string("current user", conf.dbmsHandler.getCurrentUser())

    if conf.getCurrentDb:
        dumper.string("current database", conf.dbmsHandler.getCurrentDb())

    if conf.getUsers:
        dumper.lister("database management system users", conf.dbmsHandler.getUsers())

    if conf.getPasswordHashes:
        dumper.userSettings("database management system users password hashes",
                            conf.dbmsHandler.getPasswordHashes(),
                            "password hash")

    if conf.getPrivileges:
        dumper.userSettings("database management system users privileges",
                            conf.dbmsHandler.getPrivileges(),
                            "privilege")

    if conf.getDbs:
        dumper.lister("available databases", conf.dbmsHandler.getDbs())

    if conf.getTables:
        dumper.dbTables(conf.dbmsHandler.getTables())

    if conf.getColumns:
        dumper.dbTableColumns(conf.dbmsHandler.getColumns())

    if conf.dumpTable:
        dumper.dbTableValues(conf.dbmsHandler.dumpTable())

    if conf.dumpAll:
        conf.dbmsHandler.dumpAll()

    if conf.query:
        dumper.string(conf.query, conf.dbmsHandler.sqlQuery(conf.query))

    if conf.sqlShell:
        conf.dbmsHandler.sqlShell()

    # File system options
    if conf.rFile:
        dumper.string(conf.rFile, conf.dbmsHandler.readFile(conf.rFile))

    if conf.wFile:
        dumper.string(conf.wFile, conf.dbmsHandler.writeFile(conf.wFile))

    # Takeover options
    if conf.osShell:
        conf.dbmsHandler.osShell()
def action():
    """
    Run every action enabled in conf against the back-end DBMS reached
    through the SQL injection on the affected url parameter.

    setHandler() is called first; when kb.dbmsDetected is still unset
    afterwards the run is aborted. Otherwise the handler's fingerprint
    is written with dataToStdout() and each enabled option is executed
    in a fixed order: techniques, enumeration, user-defined functions,
    file system, operating system, Windows registry, cleanup and, for
    direct connections, closing the connector.

    Raises:
        sqlmapUnsupportedDBMSException: when the back-end DBMS was not
            detected.
    """
    # Every later step goes through the handler, so the back-end DBMS has
    # to be identified before anything else.
    setHandler()

    if not kb.dbmsDetected:
        detected = getHtmlErrorFp()

        message = ("sqlmap was not able to fingerprint the "
                   "back-end database management system")

        if detected:
            message += (", but from the HTML error page it was "
                        "possible to determinate that the ")
            message += "back-end DBMS is %s" % detected

        if detected and detected.lower() in SUPPORTED_DBMS:
            message += (". Do not specify the back-end DBMS manually, "
                        "sqlmap will fingerprint the DBMS for you")
        elif kb.nullConnection:
            # Names the switch that turned the null connection on.
            message += ". You can try to rerun without using optimization "
            message += "switch '%s'" % ("-o" if conf.optimize else "--null-connection")
        else:
            message += (". Support for this DBMS will be implemented at "
                        "some point")

        # Call form; equivalent to the two-argument raise statement.
        raise sqlmapUnsupportedDBMSException(message)

    dataToStdout("%s\n" % conf.dbmsHandler.getFingerprint())

    # Techniques options
    if conf.stackedTest:
        conf.dumper.technic("stacked queries injection payload", stackedTest())

    if conf.errorTest:
        conf.dumper.technic("error-based injection payload", errorTest())

    if conf.timeTest:
        conf.dumper.technic("time-based blind injection payload", timeTest())

    # The union test is skipped once a union position is already known.
    if conf.unionTest and kb.unionPosition is None:
        conf.dumper.technic("inband injection payload", unionTest())

    # Enumeration options
    if conf.getBanner:
        conf.dumper.banner(conf.dbmsHandler.getBanner())

    if conf.getCurrentUser:
        conf.dumper.currentUser(conf.dbmsHandler.getCurrentUser())

    if conf.getCurrentDb:
        conf.dumper.currentDb(conf.dbmsHandler.getCurrentDb())

    if conf.isDba:
        conf.dumper.dba(conf.dbmsHandler.isDba())

    if conf.getUsers:
        conf.dumper.users(conf.dbmsHandler.getUsers())

    if conf.getPasswordHashes:
        conf.dumper.userSettings("database management system users password hashes",
                                 conf.dbmsHandler.getPasswordHashes(),
                                 "password hash")

    if conf.getPrivileges:
        conf.dumper.userSettings("database management system users privileges",
                                 conf.dbmsHandler.getPrivileges(),
                                 "privilege")

    if conf.getRoles:
        conf.dumper.userSettings("database management system users roles",
                                 conf.dbmsHandler.getRoles(),
                                 "role")

    if conf.getDbs:
        conf.dumper.dbs(conf.dbmsHandler.getDbs())

    if conf.getTables:
        conf.dumper.dbTables(conf.dbmsHandler.getTables())

    if conf.commonTables:
        conf.dumper.dbTables(tableExists(paths.COMMON_TABLES))

    if conf.getColumns:
        conf.dumper.dbTableColumns(conf.dbmsHandler.getColumns())

    if conf.commonColumns:
        conf.dumper.dbTableColumns(columnExists(paths.COMMON_COLUMNS))

    if conf.dumpTable:
        conf.dumper.dbTableValues(conf.dbmsHandler.dumpTable())

    if conf.dumpAll:
        conf.dbmsHandler.dumpAll()

    if conf.search:
        conf.dbmsHandler.search()

    if conf.query:
        conf.dumper.query(conf.query, conf.dbmsHandler.sqlQuery(conf.query))

    if conf.sqlShell:
        conf.dbmsHandler.sqlShell()

    # User-defined function options
    if conf.udfInject:
        conf.dbmsHandler.udfInjectCustom()

    # File system options
    if conf.rFile:
        conf.dumper.rFile(conf.rFile, conf.dbmsHandler.readFile(conf.rFile))

    if conf.wFile:
        conf.dbmsHandler.writeFile(conf.wFile, conf.dFile, conf.wFileType)

    # Operating system options
    if conf.osCmd:
        conf.dbmsHandler.osCmd()

    if conf.osShell:
        conf.dbmsHandler.osShell()

    if conf.osPwn:
        conf.dbmsHandler.osPwn()

    if conf.osSmb:
        conf.dbmsHandler.osSmb()

    if conf.osBof:
        conf.dbmsHandler.osBof()

    # Windows registry options
    if conf.regRead:
        conf.dumper.registerValue(conf.dbmsHandler.regRead())

    if conf.regAdd:
        conf.dbmsHandler.regAdd()

    if conf.regDel:
        conf.dbmsHandler.regDel()

    # Miscellaneous options
    # Cleanup and connector shutdown run last, after every other option.
    if conf.cleanup:
        conf.dbmsHandler.cleanup()

    if conf.direct:
        conf.dbmsConnector.close()