

Commit 36a9dda

committed
Minor bug fixes and code restyling for --privileges and --passwords
1 parent f56d135 commit 36a9dda

2 files changed

Lines changed: 71 additions & 76 deletions


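--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@@ -226,6 +226,21 @@ def getPasswordHashes(self):
 
 logger.info(infoMsg)
 
+if conf.user and Backend.isDbms(DBMS.ORACLE):
+conf.user = conf.user.upper()
+
+if conf.user:
+users = conf.user.split(",")
+
+if Backend.isDbms(DBMS.MYSQL):
+for user in users:
+parsedUser = re.search("[\047]*(.*?)[\047]*\@", user)
+
+if parsedUser:
+users[users.index(user)] = parsedUser.groups()[0]
+else:
+users = []
+
 if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct:
 if Backend.getIdentifiedDbms() == DBMS.MSSQL and Backend.isVersionWithin(("2005", "2008")):
 query = rootQuery.inband.query2
@@ -235,27 +250,18 @@ def getPasswordHashes(self):
 condition = rootQuery.inband.condition
 
 if conf.user:
-if "," in conf.user:
-users = conf.user.split(",")
-query += " WHERE "
-query += " OR ".join("%s = '%s'" % (condition, user) for user in users)
-else:
-if Backend.getIdentifiedDbms() == DBMS.MYSQL:
-parsedUser = re.search("[\047]*(.*?)[\047]*\@", conf.user)
-
-if parsedUser:
-conf.user = parsedUser.groups()[0]
-
-query += " WHERE %s = '%s'" % (condition, conf.user)
+query += " WHERE "
+query += " OR ".join("%s = '%s'" % (condition, user) for user in users)
 
 if Backend.getIdentifiedDbms() == DBMS.SYBASE:
 randStr = randomStr()
 getCurrentThreadData().disableStdOut = True
 
 retVal = self.__pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.name' % randStr,'%s.password' % randStr], blind=False)
+
 if retVal:
 for user, password in zip(retVal[0]["%s.name" % randStr], retVal[0]["%s.password" % randStr]):
-#password = "0x%s" % strToHex(password)
+# password = "0x%s" % strToHex(password)
 if not kb.data.cachedUsersPasswords.has_key(user):
 kb.data.cachedUsersPasswords[user] = [password]
 else:
@@ -278,16 +284,15 @@ def getPasswordHashes(self):
 kb.data.cachedUsersPasswords[user].append(password)
 
 if not kb.data.cachedUsersPasswords and not conf.direct:
-if conf.user:
-if "," in conf.user:
-users = conf.user.split(",")
-else:
-users = [conf.user]
-else:
-if not len(kb.data.cachedUsers):
-users = self.getUsers()
-else:
-users = kb.data.cachedUsers
+if not len(users):
+users = self.getUsers()
+
+if Backend.isDbms(DBMS.MYSQL):
+for user in users:
+parsedUser = re.search("[\047]*(.*?)[\047]*\@", user)
+
+if parsedUser:
+users[users.index(user)] = parsedUser.groups()[0]
 
 if Backend.getIdentifiedDbms() == DBMS.SYBASE:
 getCurrentThreadData().disableStdOut = True
@@ -296,27 +301,22 @@ def getPasswordHashes(self):
 query = rootQuery.inband.query
 
 retVal = self.__pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.name' % randStr,'%s.password' % randStr], blind=True)
+
 if retVal:
 for user, password in zip(retVal[0]["%s.name" % randStr], retVal[0]["%s.password" % randStr]):
 password = "0x%s" % strToHex(password)
+
 if not kb.data.cachedUsersPasswords.has_key(user):
 kb.data.cachedUsersPasswords[user] = [password]
 else:
 kb.data.cachedUsersPasswords[user].append(password)
 
 getCurrentThreadData().disableStdOut = False
-
 else:
 retrievedUsers = set()
 
 for user in users:
-if Backend.getIdentifiedDbms() == DBMS.MYSQL:
-parsedUser = re.search("[\047]*(.*?)[\047]*\@", user)
-
-if parsedUser:
-user = parsedUser.groups()[0]
-
-if not user or user in retrievedUsers:
+if user in retrievedUsers:
 continue
 
 infoMsg = "fetching number of password hashes "
@@ -419,6 +419,21 @@ def getPrivileges(self, query2=False):
 
 logger.info(infoMsg)
 
+if conf.user and Backend.isDbms(DBMS.ORACLE):
+conf.user = conf.user.upper()
+
+if conf.user:
+users = conf.user.split(",")
+
+if Backend.isDbms(DBMS.MYSQL):
+for user in users:
+parsedUser = re.search("[\047]*(.*?)[\047]*\@", user)
+
+if parsedUser:
+users[users.index(user)] = parsedUser.groups()[0]
+else:
+users = []
+
 # Set containing the list of DBMS administrators
 areAdmins = set()
 
@@ -434,13 +449,10 @@ def getPrivileges(self, query2=False):
 condition = rootQuery.inband.condition
 
 if conf.user:
-users = conf.user.split(",")
 query += " WHERE "
-# NOTE: I assume that the user provided is not in
-# MySQL >= 5.0 syntax 'user'@'host'
+
 if Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema:
-queryUser = "%" + conf.user + "%"
-query += " OR ".join("%s LIKE '%s'" % (condition, "%" + user + "%") for user in users)
+query += " OR ".join("%s LIKE '%%%s%%'" % (condition, user) for user in users)
 else:
 query += " OR ".join("%s = '%s'" % (condition, user) for user in users)
 
@@ -492,59 +504,42 @@ def getPrivileges(self, query2=False):
 kb.data.cachedUsersPrivileges[user] = list(privileges)
 
 if not kb.data.cachedUsersPrivileges and not conf.direct:
-conditionChar = "="
+if Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema:
+conditionChar = " LIKE "
+else:
+conditionChar = "="
 
-if conf.user:
-if Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema:
-conditionChar = " LIKE "
+if not len(users):
+users = self.getUsers()
 
-if "," in conf.user:
-users = set()
-for user in conf.user.split(","):
-users.add("%" + user + "%")
-else:
-parsedUser = re.search("[\047]*(.*?)[\047]*\@", conf.user)
+if Backend.isDbms(DBMS.MYSQL):
+for user in users:
+parsedUser = re.search("[\047]*(.*?)[\047]*\@", user)
 
 if parsedUser:
-conf.user = parsedUser.groups()[0]
-
-users = [ "%" + conf.user + "%" ]
-else:
-users = conf.user.split(",")
-else:
-if not len(kb.data.cachedUsers):
-users = self.getUsers()
-else:
-users = kb.data.cachedUsers
+users[users.index(user)] = parsedUser.groups()[0]
 
 retrievedUsers = set()
 
 for user in users:
-unescapedUser = None
+if user in retrievedUsers:
+continue
 
 if Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema:
-unescapedUser = unescaper.unescape(user, quote=False)
-
-if not user or user in retrievedUsers:
-continue
+user = "%%%s%%" % user
 
 infoMsg = "fetching number of privileges "
 infoMsg += "for user '%s'" % user
 logger.info(infoMsg)
 
-if unescapedUser:
-queryUser = unescapedUser
-else:
-queryUser = user
-
 if Backend.getIdentifiedDbms() == DBMS.MYSQL and not kb.data.has_information_schema:
-query = rootQuery.blind.count2 % queryUser
+query = rootQuery.blind.count2 % user
 elif Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema:
-query = rootQuery.blind.count % (conditionChar, queryUser)
+query = rootQuery.blind.count % (conditionChar, user)
 elif Backend.getIdentifiedDbms() == DBMS.ORACLE and query2:
-query = rootQuery.blind.count2 % queryUser
+query = rootQuery.blind.count2 % user
 else:
-query = rootQuery.blind.count % queryUser
+query = rootQuery.blind.count % user
 count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=2)
 
 if not isNumPosStrValue(count):
@@ -572,15 +567,15 @@ def getPrivileges(self, query2=False):
 
 for index in indexRange:
 if Backend.getIdentifiedDbms() == DBMS.MYSQL and not kb.data.has_information_schema:
-query = rootQuery.blind.query2 % (queryUser, index)
+query = rootQuery.blind.query2 % (user, index)
 elif Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema:
-query = rootQuery.blind.query % (conditionChar, queryUser, index)
+query = rootQuery.blind.query % (conditionChar, user, index)
 elif Backend.getIdentifiedDbms() == DBMS.ORACLE and query2:
-query = rootQuery.blind.query2 % (queryUser, index)
+query = rootQuery.blind.query2 % (user, index)
 elif Backend.getIdentifiedDbms() == DBMS.FIREBIRD:
-query = rootQuery.blind.query % (index, queryUser)
+query = rootQuery.blind.query % (index, user)
 else:
-query = rootQuery.blind.query % (queryUser, index)
+query = rootQuery.blind.query % (user, index)
 privilege = inject.getValue(query, inband=False, error=False)
 
 # In PostgreSQL we get 1 if the privilege is True,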
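Review bot: The guard that skipped empty user names is gone on the new side of the `for user in users:` loop in the `@@ -492,59 +504,42 @@` hunk of getPrivileges (`if user in retrievedUsers:` replaced `if not user or user in retrievedUsers:`), and on the MySQL information_schema path the name is then wrapped as `user = "%%%s%%" % user`, so an empty name — which the regex `[\047]*(.*?)[\047]*\@` yields for a MySQL anonymous account written as `''@'host'` — becomes `LIKE '%%'` and attributes every grantee's privileges to it. Restore the guard before the wrapping, `if not user or user in retrievedUsers:`; the same guard was dropped in the `@@ -296,27 +301,22 @@` hunk of getPasswordHashes. This hunk also removes `unescaper.unescape(user, quote=False)` while the queries.xml change places the name inside literal quotes, so a user name retrieved from the target that contains a single quote is now interpolated into the query unescaped, and the name should be passed through the escaping helper before substitution. The dedup test compares the raw name against `retrievedUsers` while the loop continues with the `%`-wrapped one, so if the set is populated after the wrapping (that code is outside the hunk) the check will not fire on the LIKE path. The body of getPrivileges continues outside this hunk.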

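--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -40,7 +40,7 @@
 </passwords>
 <privileges>
 <inband query="SELECT grantee,privilege_type FROM information_schema.USER_PRIVILEGES" condition="grantee" query2="SELECT user,select_priv,insert_priv,update_priv,delete_priv,create_priv,drop_priv,reload_priv,shutdown_priv,process_priv,file_priv,grant_priv,references_priv,index_priv,alter_priv,show_db_priv,super_priv,create_tmp_table_priv,lock_tables_priv,execute_priv,repl_slave_priv,repl_client_priv,create_view_priv,show_view_priv,create_routine_priv,alter_routine_priv,create_user_priv FROM mysql.user" condition2="user"/>
-<blind query="SELECT DISTINCT(privilege_type) FROM information_schema.USER_PRIVILEGES WHERE grantee%s%s LIMIT %d,1" query2="SELECT select_priv,insert_priv,update_priv,delete_priv,create_priv,drop_priv,reload_priv,shutdown_priv,process_priv,file_priv,grant_priv,references_priv,index_priv,alter_priv,show_db_priv,super_priv,create_tmp_table_priv,lock_tables_priv,execute_priv,repl_slave_priv,repl_client_priv,create_view_priv,show_view_priv,create_routine_priv,alter_routine_priv,create_user_priv FROM mysql.user WHERE user='%s' LIMIT %d,1" count="SELECT COUNT(DISTINCT(privilege_type)) FROM information_schema.USER_PRIVILEGES WHERE grantee%s%s" count2="SELECT COUNT(*) FROM mysql.user WHERE user='%s'"/>
+<blind query="SELECT DISTINCT(privilege_type) FROM information_schema.USER_PRIVILEGES WHERE grantee%s'%s' LIMIT %d,1" query2="SELECT select_priv,insert_priv,update_priv,delete_priv,create_priv,drop_priv,reload_priv,shutdown_priv,process_priv,file_priv,grant_priv,references_priv,index_priv,alter_priv,show_db_priv,super_priv,create_tmp_table_priv,lock_tables_priv,execute_priv,repl_slave_priv,repl_client_priv,create_view_priv,show_view_priv,create_routine_priv,alter_routine_priv,create_user_priv FROM mysql.user WHERE user='%s' LIMIT %d,1" count="SELECT COUNT(DISTINCT(privilege_type)) FROM information_schema.USER_PRIVILEGES WHERE grantee%s'%s'" count2="SELECT COUNT(*) FROM mysql.user WHERE user='%s'"/>
 </privileges>
 <roles/>
 <dbs>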
