

Commit 53c0336

committed
added --hostname switch to retrieve DBMS server hostname - closes issue #69
1 parent 4e64c11 commit 53c0336

7 files changed

Lines changed: 39 additions & 2 deletions


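--- a/lib/controller/action.py
+++ b/lib/controller/action.py
@@ -64,6 +64,9 @@ def action():
 if conf.getCurrentDb:
 conf.dumper.currentDb(conf.dbmsHandler.getCurrentDb())
 
+if conf.getHostname:
+conf.dumper.hostname(conf.dbmsHandler.getHostname())
+
 if conf.isDba:
 conf.dumper.dba(conf.dbmsHandler.isDba())
 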

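--- a/lib/core/dump.py
+++ b/lib/core/dump.py
@@ -74,7 +74,7 @@ def getOutputFile(self):
 def string(self, header, data, sort=True):
 if isListLike(data):
 self.lister(header, data, sort)
-elif data is not None:
+elif data is not None and len(data) > 0:
 data = getUnicode(data)
 
 if data[-1] == '\n':
@@ -125,6 +125,9 @@ def currentDb(self,data):
 else:
 self.string("current database", data)
 
+def hostname(self,data):
+self.string("hostname", data)
+
 def dba(self,data):
 self.string("current user is DBA", data)
 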

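--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@@ -96,6 +96,7 @@
 "getBanner": ("boolean", "Banners"),
 "getCurrentUser": ("boolean", "Users"),
 "getCurrentDb": ("boolean", "Databases"),
+"getHostname": "boolean",
 "isDba": "boolean",
 "getUsers": ("boolean", "Users"),
 "getPasswordHashes": ("boolean", "Passwords"),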

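--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -304,6 +304,10 @@ def cmdLineParser():
 action="store_true",
 help="Retrieve DBMS current database")
 
+enumeration.add_option("--hostname", dest="getHostname",
+action="store_true",
+help="Retrieve DBMS server hostname")
+
 enumeration.add_option("--is-dba", dest="isDba",
 action="store_true",
 help="Detect if the DBMS current user is DBA")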

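--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@@ -83,6 +83,7 @@ def __init__(self):
 kb.data.banner = None
 kb.data.currentUser = ""
 kb.data.currentDb = ""
+kb.data.hostname = ""
 kb.data.cachedUsers = []
 kb.data.cachedUsersPasswords = {}
 kb.data.cachedUsersPrivileges = {}
@@ -150,6 +151,17 @@ def getCurrentDb(self):
 
 return kb.data.currentDb
 
+def getHostname(self):
+infoMsg = "fetching server hostname"
+logger.info(infoMsg)
+
+query = queries[Backend.getIdentifiedDbms()].hostname.query
+
+if not kb.data.hostname:
+kb.data.hostname = unArrayizeValue(inject.getValue(query, safeCharEncode=False))
+
+return kb.data.hostname
+
 def isDba(self, user=None):
 infoMsg = "testing if current user is DBA"
 logger.info(infoMsg)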
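Review bot: `getHostname` reads `queries[...].hostname.query` and hands it to `inject.getValue` without checking that the identified DBMS defines a hostname query at all; six of the nine `<hostname/>` entries this commit adds to xml/queries.xml carry no `query` attribute, so unless the parsed `queries` object substitutes something usable, an empty or None query is injected blindly for PostgreSQL, SQLite, Access, Firebird, MaxDB and Sybase. A guard before the lookup makes the limitation explicit and avoids wasted requests: `if not query:` / `logger.warn("hostname retrieval is not supported on this back-end DBMS")` / `return None`. The `logger.info` at the top also fires on every call even when `kb.data.hostname` is already cached; moving it inside the `if not kb.data.hostname:` block would keep the log truthful. `getCurrentDb` above begins outside the hunk.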

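--- a/sqlmap.conf
+++ b/sqlmap.conf
@@ -327,6 +327,10 @@ getCurrentUser = False
 # Valid: True or False
 getCurrentDb = False
 
+# Retrieve back-end database management system server hostname.
+# Valid: True or False
+getHostname = False
+
 # Detect if the DBMS current user is DBA.
 # Valid: True or False
 isDba = False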

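--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -29,6 +29,7 @@
 <banner query="VERSION()"/>
 <current_user query="CURRENT_USER()"/>
 <current_db query="DATABASE()"/>
+<hostname query="@@HOSTNAME"/>
 <is_dba query="(SELECT super_priv FROM mysql.user WHERE user='%s' LIMIT 0,1)='Y'"/>
 <check_udf query="(SELECT name FROM mysql.func WHERE name='%s' LIMIT 0,1)='%s'"/>
 <users>
@@ -102,6 +103,7 @@
 <banner query="VERSION()"/>
 <current_user query="CURRENT_USER"/>
 <current_db query="CURRENT_DATABASE()"/>
+<hostname/>
 <is_dba query="(SELECT usesuper=true FROM pg_user WHERE usename=CURRENT_USER OFFSET 0 LIMIT 1)"/>
 <check_udf query="(SELECT proname='%s' FROM pg_proc WHERE proname='%s' OFFSET 0 LIMIT 1)"/>
 <users>
@@ -169,6 +171,7 @@
 <banner query="SELECT @@VERSION"/>
 <current_user query="SELECT SYSTEM_USER"/>
 <current_db query="SELECT DB_NAME()"/>
+<hostname query="@@SERVERNAME"/>
 <is_dba query="IS_SRVROLEMEMBER('sysadmin')=1" query2="IS_SRVROLEMEMBER('sysadmin','%s')=1"/>
 <users>
 <inband query="SELECT name FROM master..syslogins" query2="SELECT name FROM sys.sql_logins"/>
@@ -242,6 +245,7 @@
 NOTE: in Oracle to check if the session user is DBA you can use:
 SELECT USERENV('ISDBA') FROM DUAL
 -->
+<hostname query="SELECT UTL_INADDR.get_host_name FROM DUAL"/>
 <is_dba query="(SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE=USER AND GRANTED_ROLE='DBA')='DBA'"/>
 <users>
 <inband query="SELECT USERNAME FROM SYS.ALL_USERS"/>
@@ -321,6 +325,7 @@
 <banner query="SELECT SQLITE_VERSION()"/>
 <current_user/>
 <current_db/>
+<hostname/>
 <is_dba/>
 <check_udf/>
 <users/>
@@ -366,6 +371,7 @@
 <!--CURRENTUSER() is not available outside the MS Access query tool itself-->
 <current_user/>
 <current_db/>
+<hostname/>
 <inference query="ASCW(MID((%s),%d,1)) > %d"/>
 <is_dba/>
 <dbs/>
@@ -407,6 +413,7 @@
 <banner query="SELECT RDB$GET_CONTEXT('SYSTEM','ENGINE_VERSION') FROM RDB$DATABASE" dbms_version="&gt;=2.1"/>
 <current_user query="SELECT CURRENT_USER FROM RDB$DATABASE"/>
 <current_db query="SELECT RDB$GET_CONTEXT('SYSTEM','DB_NAME') FROM RDB$DATABASE"/>
+<hostname/>
 <users>
 <inband query="SELECT DISTINCT RDB$USER FROM RDB$USER_PRIVILEGES"/>
 <blind query="SELECT FIRST 1 SKIP %d DISTINCT(RDB$USER) FROM RDB$USER_PRIVILEGES" count="SELECT COUNT(DISTINCT(RDB$USER)) FROM RDB$USER_PRIVILEGES"/>
@@ -455,6 +462,7 @@
 <cast query="REPLACE(CHR(%s),' ','_')"/>
 <current_user query="SELECT USER() FROM DUAL"/>
 <current_db query="SELECT DATABASE() FROM DUAL"/>
+<hostname/>
 <order query="ORDER BY %s ASC"/>
 <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
 <hex query="HEX(%s)"/>
@@ -509,6 +517,7 @@
 <banner query="SELECT @@VERSION"/>
 <current_user query="SELECT SUSER_NAME()"/>
 <current_db query="SELECT DB_NAME()"/>
+<hostname/>
 <is_dba query="PATINDEX('%sa_role%',SHOW_ROLE())>0" query2="EXISTS(SELECT * FROM master..syslogins,master..sysloginroles WHERE srid=0 and name='%s')"/>
 <users>
 <inband query="SELECT name FROM master..syslogins"/>
@@ -575,10 +584,11 @@
 <hex query="HEX(%s)"/>
 <inference query="SUBSTR((%s),%d,1) > '%c'"/>
 <!-- NOTE: We have to use the complicated UDB OLAP functions in query2 because sqlmap injects isnull query inside MAX function, else we would use: SELECT MAX(versionnumber) FROM sysibm.sysversions -->
-<banner query="SELECT service_level FROM TABLE (sysproc.env_get_inst_info())" query2="SELECT versionnumber FROM (SELECT ROW_NUMBER() OVER (ORDER BY versionnumber DESC) AS LIMIT, versionnumber FROM sysibm.sysversions) AS foobar WHERE LIMIT=1"/>
+<banner query="SELECT service_level FROM TABLE(sysproc.env_get_inst_info())" query2="SELECT versionnumber FROM (SELECT ROW_NUMBER() OVER (ORDER BY versionnumber DESC) AS LIMIT, versionnumber FROM sysibm.sysversions) AS foobar WHERE LIMIT=1"/>
 <current_user query="SELECT user FROM SYSIBM.SYSDUMMY1"/>
 <!-- NOTE: On DB2 we use the current user as default schema (database) -->
 <current_db query="SELECT user FROM SYSIBM.SYSDUMMY1"/>
+<hostname query="SELECT host_name FROM TABLE(sysproc.env_get_sys_info())"/>
 <is_dba query="(SELECT dbadmauth FROM syscat.dbauth WHERE grantee=current user)='Y'"/>
 <users>
 <inband query="SELECT grantee FROM sysibm.sysdbauth WHERE grantee!='SYSTEM' AND grantee!='PUBLIC'"/>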
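Review bot: Two of the new hostname queries have limitations that deserve a `<!-- NOTE: ... -->` comment in the style this file already uses: on Microsoft SQL Server `@@SERVERNAME` returns the configured instance name, which may carry an instance suffix and can stay stale after the machine is renamed, so it is not guaranteed to equal the OS hostname; on Oracle `UTL_INADDR.get_host_name` is governed by network access controls from 11g onward and can return an error rather than a value for an unprivileged session, so the caller should expect an empty result. The six `<hostname/>` entries without a `query` attribute (PostgreSQL, SQLite, Access, Firebird, MaxDB, Sybase) are reasonable placeholders, but they only work if the consumer in plugins/generic/enumeration.py treats a missing query as "unsupported" rather than injecting it. The DB2 hunk also changes `TABLE (` to `TABLE(` in the banner query, which is unrelated to the hostname feature and not mentioned in the commit message.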
