Added support to search for tables (--search with -T). See #190.

bdamele · bdamele · commit c9ee11e0e4d9 · 2010-05-16T20:46:17.000Z
diff --git a/plugins/dbms/mssqlserver/enumeration.py b/plugins/dbms/mssqlserver/enumeration.py
@@ -22,6 +22,8 @@
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """
 
+from lib.core.agent import agent
+from lib.core.common import getRange
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -116,3 +118,89 @@ def getTables(self):
             raise sqlmapNoneDataException(errMsg)
 
         return kb.data.cachedTables
+
+    def searchTable(self):
+        rootQuery = queries[kb.dbms].searchTable
+        foundTbls = {}
+        tblList = conf.tbl.split(",")
+        tblCond = rootQuery["inband"]["condition"]
+        dbCond = rootQuery["inband"]["condition2"]
+
+        tblConsider, tblCondParam = self.likeOrExact("table")
+
+        if not len(kb.data.cachedDbs):
+            enumDbs = self.getDbs()
+        else:
+            enumDbs = kb.data.cachedDbs
+
+        for db in enumDbs:
+            foundTbls[db] = []
+
+        for tbl in tblList:
+            infoMsg = "searching table"
+            if tblConsider == "1":
+                infoMsg += "s like"
+            infoMsg += " '%s'" % tbl
+            logger.info(infoMsg)
+
+            if conf.excludeSysDbs:
+                exclDbsQuery = "".join(" AND '%s' != %s" % (db, dbCond) for db in self.excludeDbsList)
+                infoMsg = "skipping system databases '%s'" % ", ".join(db for db in self.excludeDbsList)
+                logger.info(infoMsg)
+            else:
+                exclDbsQuery = ""
+
+            tblQuery = "%s%s" % (tblCond, tblCondParam)
+            tblQuery = tblQuery % tbl
+
+            for db in foundTbls.keys():
+                if kb.unionPosition or conf.direct:
+                    query = rootQuery["inband"]["query"] % db
+                    query += tblQuery
+                    query += exclDbsQuery
+                    values = inject.getValue(query, blind=False)
+
+                    if values:
+                        if isinstance(values, str):
+                            values = [ values ]
+
+                        for foundTbl in values:
+                            foundTbls[db].append(foundTbl)
+                else:
+                    infoMsg = "fetching number of table"
+                    if tblConsider == "1":
+                        infoMsg += "s like"
+                    infoMsg += " '%s' in database '%s'" % (tbl, db)
+                    logger.info(infoMsg)
+
+                    query = rootQuery["blind"]["count2"]
+                    query = query % db
+                    query += " AND %s" % tblQuery
+                    count = inject.getValue(query, inband=False, expected="int", charsetType=2)
+
+                    if not count.isdigit() or not len(count) or count == "0":
+                        warnMsg = "no table"
+                        if tblConsider == "1":
+                            warnMsg += "s like"
+                        warnMsg += " '%s' " % tbl
+                        warnMsg += "in database '%s'" % db
+                        logger.warn(warnMsg)
+
+                        continue
+
+                    indexRange = getRange(count)
+
+                    for index in indexRange:
+                        query = rootQuery["blind"]["query2"]
+                        query = query % db
+                        query += " AND %s" % tblQuery
+                        query = agent.limitQuery(index, query, tblCond)
+                        tbl = inject.getValue(query, inband=False)
+                        kb.hintValue = tbl
+                        foundTbls[db].append(tbl)
+
+        for db, tbls in foundTbls.items():
+            if len(tbls) == 0:
+                foundTbls.pop(db)
+
+        return foundTbls
diff --git a/plugins/generic/enumeration.py b/plugins/generic/enumeration.py
@@ -1269,8 +1269,125 @@ def searchDb(self):
         return foundDbs
 
     def searchTable(self):
-        errMsg = "search for table names is not supported yet"
-        raise sqlmapUnsupportedFeatureException, errMsg
+        if kb.dbms == "MySQL" and not kb.data.has_information_schema:
+            errMsg  = "information_schema not available, "
+            errMsg += "back-end DBMS is MySQL < 5.0"
+            raise sqlmapUnsupportedFeatureException, errMsg
+
+        rootQuery = queries[kb.dbms].searchTable
+        foundTbls = {}
+        tblList = conf.tbl.split(",")
+        tblCond = rootQuery["inband"]["condition"]
+        dbCond = rootQuery["inband"]["condition2"]
+
+        tblConsider, tblCondParam = self.likeOrExact("table")
+
+        for tbl in tblList:
+            if kb.dbms == "Oracle":
+                tbl = tbl.upper()
+
+            infoMsg = "searching table"
+            if tblConsider == "1":
+                infoMsg += "s like"
+            infoMsg += " '%s'" % tbl
+            logger.info(infoMsg)
+
+            if conf.excludeSysDbs:
+                exclDbsQuery = "".join(" AND '%s' != %s" % (db, dbCond) for db in self.excludeDbsList)
+                infoMsg = "skipping system databases '%s'" % ", ".join(db for db in self.excludeDbsList)
+                logger.info(infoMsg)
+            else:
+                exclDbsQuery = ""
+
+            tblQuery = "%s%s" % (tblCond, tblCondParam)
+            tblQuery = tblQuery % tbl
+
+            if kb.unionPosition or conf.direct:
+                query = rootQuery["inband"]["query"]
+                query += tblQuery
+                query += exclDbsQuery
+                values = inject.getValue(query, blind=False)
+
+                if values:
+                    if isinstance(values, str):
+                        values = [ values ]
+
+                    for foundDb, foundTbl in values:
+                        if foundDb in foundTbls:
+                            foundTbls[foundDb].append(foundTbl)
+                        else:
+                            foundTbls[foundDb] = [ foundTbl ]
+            else:
+                infoMsg = "fetching number of databases with table"
+                if tblConsider == "1":
+                    infoMsg += "s like"
+                infoMsg += " '%s'" % tbl
+                logger.info(infoMsg)
+
+                query = rootQuery["blind"]["count"]
+                query += tblQuery
+                query += exclDbsQuery
+                count = inject.getValue(query, inband=False, expected="int", charsetType=2)
+
+                if not count.isdigit() or not len(count) or count == "0":
+                    warnMsg  = "no databases have table"
+                    if tblConsider == "1":
+                        warnMsg += "s like"
+                    warnMsg += " '%s'" % tbl
+                    logger.warn(warnMsg)
+
+                    continue
+
+                indexRange = getRange(count)
+
+                for index in indexRange:
+                    query = rootQuery["blind"]["query"]
+                    query += tblQuery
+                    query += exclDbsQuery
+                    query = agent.limitQuery(index, query)
+                    foundDb = inject.getValue(query, inband=False)
+                    foundTbls[foundDb] = []
+
+                    if tblConsider == "2":
+                        foundTbls[foundDb].append(tbl)
+
+                if tblConsider == "2":
+                    continue
+
+                for db in foundTbls.keys():
+                    infoMsg = "fetching number of table"
+                    if tblConsider == "1":
+                        infoMsg += "s like"
+                    infoMsg += " '%s' in database '%s'" % (tbl, db)
+                    logger.info(infoMsg)
+
+                    query = rootQuery["blind"]["count2"]
+                    query = query % db
+                    query += " AND %s" % tblQuery
+                    count = inject.getValue(query, inband=False, expected="int", charsetType=2)
+
+                    if not count.isdigit() or not len(count) or count == "0":
+                        warnMsg = "no table"
+                        if tblConsider == "1":
+                            warnMsg += "s like"
+                        warnMsg += " '%s' " % tbl
+                        warnMsg += "in database '%s'" % db
+                        logger.warn(warnMsg)
+
+                        continue
+
+                    indexRange = getRange(count)
+
+                    for index in indexRange:
+                        query = rootQuery["blind"]["query2"]
+                        query = query % db
+                        query += " AND %s" % tblQuery
+                        query = agent.limitQuery(index, query)
+                        foundTbl = inject.getValue(query, inband=False)
+                        kb.hintValue = foundTbl
+                        foundTbls[db].append(foundTbl)
+
+        return foundTbls
 
     def searchColumn(self):
         if kb.dbms == "MySQL" and not kb.data.has_information_schema:
@@ -1291,7 +1408,16 @@ def searchColumn(self):
             if kb.dbms == "Oracle":
                 column = column.upper()
                 conf.db = "USERS"
-            elif kb.dbms == "Microsoft SQL Server":
+
+            infoMsg = "searching column"
+            if colConsider == "1":
+                infoMsg += "s like"
+            infoMsg += " '%s'" % column
+            logger.info(infoMsg)
+
+            foundCols[column] = {}
+
+            if kb.dbms == "Microsoft SQL Server":
                 if not conf.db:
                     if not len(kb.data.cachedDbs):
                         enumDbs = self.getDbs()
@@ -1300,8 +1426,6 @@ def searchColumn(self):
 
                     conf.db = ",".join(db for db in enumDbs)
 
-            foundCols[column] = {}
-
             if conf.db:
                 for db in conf.db.split(","):
                     dbs[db] = {}
diff --git a/plugins/generic/misc.py b/plugins/generic/misc.py
@@ -32,6 +32,7 @@
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import queries
+from lib.core.exception import sqlmapNoneDataException
 from lib.core.exception import sqlmapUnsupportedFeatureException
 from lib.core.session import setRemoteTempPath
 from lib.request import inject
diff --git a/xml/queries.xml b/xml/queries.xml
@@ -63,7 +63,10 @@
             <inband query="SELECT schema_name FROM information_schema.SCHEMATA WHERE " query2="SELECT db FROM mysql.db WHERE " condition="schema_name" condition2="db"/>
             <blind query="SELECT DISTINCT(schema_name) FROM information_schema.SCHEMATA WHERE " query2="SELECT DISTINCT(db) FROM mysql.db WHERE " count="SELECT COUNT(DISTINCT(schema_name)) FROM information_schema.SCHEMATA WHERE " count2="SELECT COUNT(DISTINCT(db)) FROM mysql.db WHERE " condition="schema_name" condition2="db"/>
         </search_db>
-        <search_table/>
+        <search_table>
+            <inband query="SELECT table_schema, table_name FROM information_schema.TABLES WHERE " condition="table_name" condition2="table_schema"/>
+            <blind query="SELECT DISTINCT(table_schema) FROM information_schema.TABLES WHERE " query2="SELECT DISTINCT(table_name) FROM information_schema.TABLES WHERE table_schema='%s'" count="SELECT COUNT(DISTINCT(table_schema)) FROM information_schema.TABLES WHERE " count2="SELECT COUNT(DISTINCT(table_name)) FROM information_schema.TABLES WHERE table_schema='%s'" condition="table_name" condition2="table_schema"/>
+        </search_table>
         <search_column>
             <inband query="SELECT table_schema FROM information_schema.COLUMNS WHERE " query2="SELECT table_name FROM information_schema.COLUMNS WHERE table_schema='%s'" condition="column_name" condition2="table_schema"/>
             <blind query="SELECT DISTINCT(table_schema) FROM information_schema.COLUMNS WHERE " query2="SELECT DISTINCT(table_name) FROM information_schema.COLUMNS WHERE table_schema='%s'" count="SELECT COUNT(DISTINCT(table_schema)) FROM information_schema.COLUMNS WHERE " count2="SELECT COUNT(DISTINCT(table_name)) FROM information_schema.COLUMNS WHERE table_schema='%s'" condition="column_name" condition2="table_schema"/>
@@ -136,7 +139,11 @@
             <blind query="SELECT %s FROM (SELECT %s, ROWNUM AS LIMIT FROM %s) WHERE LIMIT=%d" count="SELECT COUNT(*) FROM %s"/>
         </dump_table>
         <search_db/>
-        <search_table/>
+        <search_table>
+            <!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
+            <inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES WHERE " condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
+            <blind query="SELECT DISTINCT(TABLESPACE_NAME) FROM SYS.ALL_TABLES WHERE " query2="SELECT TABLE_NAME FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" count="SELECT COUNT(DISTINCT(TABLESPACE_NAME)) FROM SYS.ALL_TABLES WHERE " count2="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
+        </search_table>
         <search_column>
             <inband query="" query2="SELECT TABLE_NAME FROM SYS.ALL_TAB_COLUMNS" condition="COLUMN_NAME" condition2="TABLESPACE_NAME"/>
             <blind query="" query2="SELECT DISTINCT(TABLE_NAME) FROM SYS.ALL_TAB_COLUMNS" count="" count2="SELECT COUNT(DISTINCT(TABLE_NAME)) FROM SYS.ALL_TAB_COLUMNS" condition="COLUMN_NAME" condition2="TABLESPACE_NAME"/>
@@ -205,7 +212,10 @@
             <inband query="SELECT datname FROM pg_database WHERE " query2="" condition="datname" condition2=""/>
             <blind query="SELECT DISTINCT(datname) FROM pg_database WHERE " query2="" count="SELECT COUNT(DISTINCT(datname)) FROM pg_database WHERE " count2="" condition="datname" condition2=""/>
         </search_db>
-        <search_table/>
+        <search_table>
+            <inband query="SELECT schemaname, tablename FROM pg_tables WHERE " condition="tablename" condition2="schemaname"/>
+            <blind query="SELECT DISTINCT(schemaname) FROM pg_tables WHERE " query2="SELECT tablename FROM pg_tables WHERE schemaname='%s'" count="SELECT COUNT(DISTINCT(schemaname)) FROM pg_tables WHERE " count2="SELECT COUNT(tablename) FROM pg_tables WHERE schemaname='%s'" condition="tablename" condition2="schemaname"/>
+        </search_table>
         <search_column>
             <inband query="SELECT nspname FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND " query2="SELECT relname FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND nspname='%s'" condition="attname" condition2="nspname"/>
             <blind query="SELECT DISTINCT(nspname) FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND " query2="SELECT DISTINCT(relname) FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND nspname='%s'" count="SELECT COUNT(DISTINCT(nspname)) FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND " count2="SELECT COUNT(DISTINCT(relname)) FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND nspname='%s'" condition="attname" condition2="nspname"/>
@@ -265,7 +275,10 @@
             <inband query="SELECT name FROM master..sysdatabases WHERE " condition="name"/>
             <blind query="SELECT name FROM master..sysdatabases WHERE " count="SELECT LTRIM(STR(COUNT(name))) FROM master..sysdatabases WHERE " condition="name"/>
         </search_db>
-        <search_table/>
+        <search_table>
+            <inband query="SELECT name FROM %s..sysobjects WHERE xtype IN ('u', 'v') AND " condition="name" condition2="name"/>
+            <blind query="" query2="SELECT name FROM %s..sysobjects WHERE xtype IN ('u', 'v') " count="" count2="SELECT LTRIM(STR(COUNT(name))) FROM %s..sysobjects WHERE xtype IN ('u', 'v')" condition="name" condition2="name"/>
+        </search_table>
         <search_column>
             <inband query="" query2="SELECT %s..sysobjects.name FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id" condition="[DB]..syscolumns.name"/>
             <blind query="" query2="SELECT %s..sysobjects.name FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id" count="" count2="SELECT COUNT(%s..sysobjects.name) FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id" condition="[DB]..syscolumns.name"/>
