Support for Informix --roles/--privileges (Issue #552)

stamparm · stamparm · commit aa0b97b562c5 · 2016-09-26T14:20:04.000+02:00
diff --git a/lib/core/dicts.py b/lib/core/dicts.py
@@ -159,6 +159,17 @@
     "B": "SUBSCRIBE",
 }
 
+# Reference(s): https://www.ibm.com/support/knowledgecenter/SSGU8G_12.1.0/com.ibm.sqls.doc/ids_sqs_0147.htm
+#               https://www.ibm.com/support/knowledgecenter/SSGU8G_11.70.0/com.ibm.sqlr.doc/ids_sqr_077.htm
+
+INFORMIX_PRIVS = {
+    "D": "DBA (all privileges)",
+    "R": "RESOURCE (create UDRs, UDTs, permanent tables and indexes)",
+    "C": "CONNECT (work with existing tables)",
+    "G": "ROLE",
+    "U": "DEFAULT (implicit connection)",
+}
+
 DB2_PRIVS = {
     1: "CONTROLAUTH",
     2: "ALTERAUTH",
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -19,7 +19,7 @@
 from lib.core.revision import getRevisionNumber
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.0.9.32"
+VERSION = "1.0.9.33"
 REVISION = getRevisionNumber()
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
diff --git a/plugins/generic/users.py b/plugins/generic/users.py
@@ -27,10 +27,11 @@
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import queries
+from lib.core.dicts import DB2_PRIVS
+from lib.core.dicts import FIREBIRD_PRIVS
+from lib.core.dicts import INFORMIX_PRIVS
 from lib.core.dicts import MYSQL_PRIVS
 from lib.core.dicts import PGSQL_PRIVS
-from lib.core.dicts import FIREBIRD_PRIVS
-from lib.core.dicts import DB2_PRIVS
 from lib.core.enums import CHARSET_TYPE
 from lib.core.enums import DBMS
 from lib.core.enums import EXPECTED
@@ -470,32 +471,35 @@ def getPrivileges(self, query2=False):
                 if Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema:
                     user = "%%%s%%" % user
 
-                infoMsg = "fetching number of privileges "
-                infoMsg += "for user '%s'" % outuser
-                logger.info(infoMsg)
-
-                if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
-                    query = rootQuery.blind.count2 % user
-                elif Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema:
-                    query = rootQuery.blind.count % (conditionChar, user)
-                elif Backend.isDbms(DBMS.ORACLE) and query2:
-                    query = rootQuery.blind.count2 % user
+                if Backend.isDbms(DBMS.INFORMIX):
+                    count = 1
                 else:
-                    query = rootQuery.blind.count % user
+                    infoMsg = "fetching number of privileges "
+                    infoMsg += "for user '%s'" % outuser
+                    logger.info(infoMsg)
+
+                    if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
+                        query = rootQuery.blind.count2 % user
+                    elif Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema:
+                        query = rootQuery.blind.count % (conditionChar, user)
+                    elif Backend.isDbms(DBMS.ORACLE) and query2:
+                        query = rootQuery.blind.count2 % user
+                    else:
+                        query = rootQuery.blind.count % user
 
-                count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
+                    count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
 
-                if not isNumPosStrValue(count):
-                    if not retrievedUsers and Backend.isDbms(DBMS.ORACLE) and not query2:
-                        infoMsg = "trying with table USER_SYS_PRIVS"
-                        logger.info(infoMsg)
+                    if not isNumPosStrValue(count):
+                        if not retrievedUsers and Backend.isDbms(DBMS.ORACLE) and not query2:
+                            infoMsg = "trying with table USER_SYS_PRIVS"
+                            logger.info(infoMsg)
 
-                        return self.getPrivileges(query2=True)
+                            return self.getPrivileges(query2=True)
 
-                    warnMsg = "unable to retrieve the number of "
-                    warnMsg += "privileges for user '%s'" % outuser
-                    logger.warn(warnMsg)
-                    continue
+                        warnMsg = "unable to retrieve the number of "
+                        warnMsg += "privileges for user '%s'" % outuser
+                        logger.warn(warnMsg)
+                        continue
 
                 infoMsg = "fetching privileges for user '%s'" % outuser
                 logger.info(infoMsg)
@@ -514,6 +518,8 @@ def getPrivileges(self, query2=False):
                         query = rootQuery.blind.query2 % (user, index)
                     elif Backend.isDbms(DBMS.FIREBIRD):
                         query = rootQuery.blind.query % (index, user)
+                    elif Backend.isDbms(DBMS.INFORMIX):
+                        query = rootQuery.blind.query % (user,)
                     else:
                         query = rootQuery.blind.query % (user, index)
 
@@ -561,6 +567,10 @@ def getPrivileges(self, query2=False):
                     elif Backend.isDbms(DBMS.FIREBIRD):
                         privileges.add(FIREBIRD_PRIVS[privilege.strip()])
 
+                    # In Informix we get one letter for the highest privilege
+                    elif Backend.isDbms(DBMS.INFORMIX):
+                        privileges.add(INFORMIX_PRIVS[privilege.strip()])
+
                     # In DB2 we get Y or G if the privilege is
                     # True, N otherwise
                     elif Backend.isDbms(DBMS.DB2):
diff --git a/txt/checksum.md5 b/txt/checksum.md5
@@ -32,7 +32,7 @@ e77cca1cb063016f71f6e6bdebf4ec73  lib/core/data.py
 1d042f0bc0557d3fd564ea5a46deb77e  lib/core/datatype.py
 e4ca0fd47f20cf7ba6a5f5cbf980073c  lib/core/decorators.py
 67f206cf2658145992cc1d7020138325  lib/core/defaults.py
-863095fcfb94799c4e5ba3d3d6f590d6  lib/core/dicts.py
+439cae0904cf3db20d1bc81d56980a21  lib/core/dicts.py
 1f98d3f57ce21d625fd67adb26cfd13c  lib/core/dump.py
 1128705f593013359497b3959078b650  lib/core/enums.py
 e4aec2b11c1ad6039d0c3dbbfbc5eb1a  lib/core/exception.py
@@ -45,7 +45,7 @@ e60456db5380840a586654344003d4e6  lib/core/readlineng.py
 5ef56abb8671c2ca6ceecb208258e360  lib/core/replication.py
 99a2b496b9d5b546b335653ca801153f  lib/core/revision.py
 7c15dd2777af4dac2c89cab6df17462e  lib/core/session.py
-5750f92c622c3c5468a1c263bde4b306  lib/core/settings.py
+55a79706107d51efb7ed0a771f80e58e  lib/core/settings.py
 7af83e4f18cab6dff5e67840eb65be80  lib/core/shell.py
 23657cd7d924e3c6d225719865855827  lib/core/subprocessng.py
 0bc2fae1dec18cdd11954b22358293f2  lib/core/target.py
@@ -213,7 +213,7 @@ cc9c82cfffd8ee9b25ba3af6284f057e  plugins/generic/__init__.py
 7b3e044a7fca497278d79883697089b7  plugins/generic/search.py
 73f8d047dbbcff307d62357836e382e6  plugins/generic/syntax.py
 da3ebc20998af02e3d952d0417a67792  plugins/generic/takeover.py
-4b5a6e2aec8e240fc43916d9dde27b14  plugins/generic/users.py
+078434ac78aaa539526031ebdd5556f2  plugins/generic/users.py
 cc9c82cfffd8ee9b25ba3af6284f057e  plugins/__init__.py
 b04db3e861edde1f9dd0a3850d5b96c8  shell/backdoor.asp_
 158bfa168128393dde8d6ed11fe9a1b8  shell/backdoor.aspx_
@@ -455,4 +455,4 @@ a279656ea3fcb85c727249b02f828383  xml/livetests.xml
 96adb9bfbab867d221974d3ddb303cb6  xml/payloads/stacked_queries.xml
 c8b152ecebf04ec997e52c6c78cbd488  xml/payloads/time_blind.xml
 033b39025e8ee0f302935f6db3a39e77  xml/payloads/union_query.xml
-b788ef9f0198fa0bbb56644c206b688e  xml/queries.xml
+3365321fc0217e148c2fa8a217cbfc5e  xml/queries.xml
diff --git a/xml/queries.xml b/xml/queries.xml
@@ -752,11 +752,11 @@
             <inband query="SELECT USERNAME,HASHED_PASSWORD,SALT FROM SYSUSER:SYSINTAUTHUSERS" condition="USERNAME"/>
             <blind query="SELECT HASHED_PASSWORD FROM SYSUSER:SYSINTAUTHUSERS WHERE USERNAME='%s'" query2="SELECT SALT FROM SYSUSER:SYSINTAUTHUSERS WHERE USERNAME='%s'"/>
         </passwords>
-        <privileges/>
-        <roles>
-            <inband query="SELECT USERNAME,USERTYPE FROM SYSUSERS" condition="name"/>
-            <blind query="SELECT GRANTED_ROLE FROM SYSUSERS WHERE USERNAME='s'"/>
-        </roles>
+        <privileges>
+            <inband query="SELECT USERNAME,USERTYPE FROM SYSUSERS" condition="USERNAME"/>
+            <blind query="SELECT USERTYPE FROM SYSUSERS WHERE USERNAME='%s'"/>
+        </privileges>
+        <roles/>
         <dbs>
             <inband query="SELECT NAME FROM SYSMASTER:SYSDATABASES"/>
             <blind query="SELECT SKIP %d LIMIT 1 NAME FROM SYSMASTER:SYSDATABASES ORDER BY NAME" count="SELECT COUNT(NAME) FROM SYSMASTER:SYSDATABASES"/>
