

Commit 73e5d20

committed
bulk commit for safe/unsafe identificator naming (done and tested for all 4 major DBMSes) and one bug fix for --search-column on MSSQL (inside queries)
1 parent 19a6f86 commit 73e5d20

4 files changed

Lines changed: 114 additions & 63 deletions


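--- a/plugins/dbms/mssqlserver/enumeration.py
+++ b/plugins/dbms/mssqlserver/enumeration.py
@@ -78,6 +78,8 @@ def getTables(self):
 
 if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct:
 for db in dbs:
+db = self.__safeSQLIdentificatorNaming(db)
+
 if conf.excludeSysDbs and db in self.excludeDbsList:
 infoMsg = "skipping system database '%s'" % db
 logger.info(infoMsg)
@@ -92,6 +94,8 @@ def getTables(self):
 
 if not kb.data.cachedTables and not conf.direct:
 for db in dbs:
+db = self.__safeSQLIdentificatorNaming(db)
+
 if conf.excludeSysDbs and db in self.excludeDbsList:
 infoMsg = "skipping system database '%s'" % db
 logger.info(infoMsg)
@@ -150,19 +154,24 @@ def searchTable(self):
 if isinstance(db, list):
 db = db[0]
 
+db = self.__safeSQLIdentificatorNaming(db)
 foundTbls[db] = []
 
 for tbl in tblList:
+tbl = self.__safeSQLIdentificatorNaming(tbl, True)
+
 infoMsg = "searching table"
 if tblConsider == "1":
 infoMsg += "s like"
-infoMsg += " '%s'" % tbl
+infoMsg += " '%s'" % self.__unsafeSQLIdentificatorNaming(tbl)
 logger.info(infoMsg)
 
 tblQuery = "%s%s" % (tblCond, tblCondParam)
-tblQuery = tblQuery % tbl
+tblQuery = tblQuery % self.__unsafeSQLIdentificatorNaming(tbl)
 
 for db in foundTbls.keys():
+db = self.__safeSQLIdentificatorNaming(db)
+
 if conf.excludeSysDbs and db in self.excludeDbsList:
 infoMsg = "skipping system database '%s'" % db
 logger.info(infoMsg)
@@ -187,7 +196,7 @@ def searchTable(self):
 infoMsg = "fetching number of table"
 if tblConsider == "1":
 infoMsg += "s like"
-infoMsg += " '%s' in database '%s'" % (tbl, db)
+infoMsg += " '%s' in database '%s'" % (self.__unsafeSQLIdentificatorNaming(tbl), self.__unsafeSQLIdentificatorNaming(db))
 logger.info(infoMsg)
 
 query = rootQuery.blind.count2
@@ -199,8 +208,8 @@ def searchTable(self):
 warnMsg = "no table"
 if tblConsider == "1":
 warnMsg += "s like"
-warnMsg += " '%s' " % tbl
-warnMsg += "in database '%s'" % db
+warnMsg += " '%s' " % self.__unsafeSQLIdentificatorNaming(tbl)
+warnMsg += "in database '%s'" % self.__unsafeSQLIdentificatorNaming(db)
 logger.warn(warnMsg)
 
 continue
@@ -236,29 +245,34 @@ def searchColumn(self):
 enumDbs = kb.data.cachedDbs
 
 for db in enumDbs:
+db = self.__safeSQLIdentificatorNaming(db)
 dbs[db] = {}
 
 for column in colList:
+column = self.__safeSQLIdentificatorNaming(column)
+
 infoMsg = "searching column"
 if colConsider == "1":
 infoMsg += "s like"
-infoMsg += " '%s'" % column
+infoMsg += " '%s'" % self.__unsafeSQLIdentificatorNaming(column)
 logger.info(infoMsg)
 
 foundCols[column] = {}
 
 colQuery = "%s%s" % (colCond, colCondParam)
-colQuery = colQuery % column
+colQuery = colQuery % self.__unsafeSQLIdentificatorNaming(column)
 
 for db in dbs.keys():
+db = self.__safeSQLIdentificatorNaming(db)
+
 if conf.excludeSysDbs and db in self.excludeDbsList:
 infoMsg = "skipping system database '%s'" % db
 logger.info(infoMsg)
 
 continue
 
 if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct:
-query = rootQuery.inband.query % (db, db, db, db, db)
+query = rootQuery.inband.query % (db, db, db, db, db, db)
 query += " AND %s" % colQuery.replace("[DB]", db)
 values = inject.getValue(query, blind=False)
 
@@ -267,6 +281,8 @@ def searchColumn(self):
 values = [ values ]
 
 for foundTbl in values:
+foundTbl = self.__safeSQLIdentificatorNaming(foundTbl, True)
+
 if foundTbl is None:
 continue
 
@@ -279,8 +295,8 @@ def searchColumn(self):
 conf.col = column
 
 self.getColumns(onlyColNames=True)
-
-dbs[db][foundTbl].update(kb.data.cachedColumns[db][foundTbl])
+if kb.data.cachedColumns[db][foundTbl] != {None: None}:
+dbs[db][foundTbl].update(kb.data.cachedColumns[db][foundTbl])
 kb.data.cachedColumns = {}
 else:
 dbs[db][foundTbl][column] = None
@@ -299,7 +315,7 @@ def searchColumn(self):
 logger.info(infoMsg)
 
 query = rootQuery.blind.count2
-query = query % (db, db, db, db, db)
+query = query % (db, db, db, db, db, db)
 query += " AND %s" % colQuery.replace("[DB]", db)
 count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=2)
 
@@ -317,12 +333,14 @@ def searchColumn(self):
 
 for index in indexRange:
 query = rootQuery.blind.query2
-query = query % (db, db, db, db, db)
+query = query % (db, db, db, db, db, db)
 query += " AND %s" % colQuery.replace("[DB]", db)
 query = agent.limitQuery(index, query, colCond.replace("[DB]", db))
 tbl = inject.getValue(query, inband=False, error=False)
 kb.hintValue = tbl
 
+tbl = self.__safeSQLIdentificatorNaming(tbl, True)
+
 if tbl not in dbs[db]:
 dbs[db][tbl] = {}
 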
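Review bot: In the `for db in dbs:` and `for db in dbs.keys():` loops of getTables, searchTable and searchColumn, `db = self.__safeSQLIdentificatorNaming(db)` now runs before `if conf.excludeSysDbs and db in self.excludeDbsList:`, so if the helper changes the spelling (for example bracket-quoting the name for MSSQL) the membership test against the plain names in excludeDbsList no longer matches and system databases get enumerated despite --exclude-sysdbs; the helper's body is not in this diff, so this is inferred from its use. Comparing the plain form keeps the exclusion working, e.g. `if conf.excludeSysDbs and self.__unsafeSQLIdentificatorNaming(db) in self.excludeDbsList:`, and the "skipping system database" message would then also print the plain name like the other messages this commit converts. Separately, in searchColumn `foundTbl = self.__safeSQLIdentificatorNaming(foundTbl, True)` is applied before `if foundTbl is None: continue`, and in the blind branch `tbl` coming straight from inject.getValue is converted with no None check at all; unless the helper passes None through unchanged, the None test should come ahead of the conversion. All three functions start and end outside the hunks shown.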
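--- a/plugins/dbms/oracle/enumeration.py
+++ b/plugins/dbms/oracle/enumeration.py
@@ -181,20 +181,22 @@ def searchColumn(self):
 colConsider, colCondParam = self.likeOrExact("column")
 
 for column in colList:
-column = column.upper()
+column = self.__safeSQLIdentificatorNaming(column)
 
 infoMsg = "searching column"
 if colConsider == "1":
 infoMsg += "s like"
-infoMsg += " '%s'" % column
+infoMsg += " '%s'" % self.__unsafeSQLIdentificatorNaming(column)
 logger.info(infoMsg)
 
 foundCols[column] = {}
 
 colQuery = "%s%s" % (colCond, colCondParam)
-colQuery = colQuery % column
+colQuery = colQuery % self.__unsafeSQLIdentificatorNaming(column)
 
 for db in dbs.keys():
+db = self.__safeSQLIdentificatorNaming(db)
+
 if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct:
 query = rootQuery.inband.query
 query += colQuery
@@ -205,6 +207,8 @@ def searchColumn(self):
 values = [ values ]
 
 for foundTbl in values:
+foundTbl = self.__safeSQLIdentificatorNaming(foundTbl, True)
+
 if foundTbl is None:
 continue
 
@@ -259,6 +263,8 @@ def searchColumn(self):
 tbl = inject.getValue(query, inband=False, error=False)
 kb.hintValue = tbl
 
+tbl = self.__safeSQLIdentificatorNaming(tbl, True)
+
 if tbl not in dbs[db]:
 dbs[db][tbl] = {}
 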
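Review bot: Dropping `column = column.upper()` in searchColumn changes the matching semantics on Oracle: the data dictionary stores unquoted identifiers upper-cased, so a lower-case --search-column value now matches only if `__safeSQLIdentificatorNaming` itself upper-cases it for Oracle, and that helper is not in this diff. If it merely quotes the name, a double-quoted identifier is case-sensitive and a lower-case input will match nothing; keeping the upper-casing ahead of the call, `column = self.__safeSQLIdentificatorNaming(column.upper())`, preserves the old behaviour unless the helper is confirmed to do it. Also, `foundTbl = self.__safeSQLIdentificatorNaming(foundTbl, True)` now runs before `if foundTbl is None: continue`, and the blind branch converts `tbl` from inject.getValue with no None check; unless the helper tolerates None, the check should precede the conversion. searchColumn starts and ends outside the hunks shown.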