ptnqoxywl
/
sqlmap
1
0
Fork 1
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

SAP MaxDB 数据库枚举

Browse Source
wangshenghui_branch
Warmlight 6 months ago
parent 0a49890120
commit e3a3d81b3c
1 changed files with 28 additions and 2 deletions
Show Stats Download Patch File Download Diff File

30
src/sqlmap-master/plugins/dbms/maxdb/enumeration.py
Unescape View File

@ -32,40 +32,47 @@ from thirdparty.six.moves import zip as _zip
class Enumeration(GenericEnumeration): class Enumeration(GenericEnumeration):
def __init__(self): def __init__(self):
GenericEnumeration.__init__(self) GenericEnumeration.__init__(self)
# 将缓存的数据处理字符中的下划线替换为空格
kb.data.processChar = lambda x: x.replace('_', ' ') if x else x kb.data.processChar = lambda x: x.replace('_', ' ') if x else x
def getPasswordHashes(self): def getPasswordHashes(self):
# 输出警告信息因SAP MaxDB不支持用户密码哈希的枚举
warnMsg = "on SAP MaxDB it is not possible to enumerate the user password hashes" warnMsg = "on SAP MaxDB it is not possible to enumerate the user password hashes"
logger.warning(warnMsg) logger.warning(warnMsg)
return {} return {}
def getDbs(self): def getDbs(self):
# 若缓存的数据库信息不为空则返回缓存内容
if len(kb.data.cachedDbs) > 0: if len(kb.data.cachedDbs) > 0:
return kb.data.cachedDbs return kb.data.cachedDbs
infoMsg = "fetching database names" infoMsg = "fetching database names"
logger.info(infoMsg) logger.info(infoMsg)
# 查询数据库名称的SQL语句
rootQuery = queries[DBMS.MAXDB].dbs rootQuery = queries[DBMS.MAXDB].dbs
query = rootQuery.inband.query query = rootQuery.inband.query
retVal = pivotDumpTable("(%s) AS %s" % (query, kb.aliasName), ['%s.schemaname' % kb.aliasName], blind=True) retVal = pivotDumpTable("(%s) AS %s" % (query, kb.aliasName), ['%s.schemaname' % kb.aliasName], blind=True)
# 如果查询结果有效,缓存数据库名称
if retVal: if retVal:
kb.data.cachedDbs = next(six.itervalues(retVal[0])) kb.data.cachedDbs = next(six.itervalues(retVal[0]))
# 对数据库名称进行排序
if kb.data.cachedDbs: if kb.data.cachedDbs:
kb.data.cachedDbs.sort() kb.data.cachedDbs.sort()
return kb.data.cachedDbs return kb.data.cachedDbs
def getTables(self, bruteForce=None): def getTables(self, bruteForce=None):
# 如果缓存的表信息不为空,则返回缓存内容
if len(kb.data.cachedTables) > 0: if len(kb.data.cachedTables) > 0:
return kb.data.cachedTables return kb.data.cachedTables
self.forceDbmsEnum() self.forceDbmsEnum()
# 根据当前选中的数据库获取数据库名称
if conf.db == CURRENT_DB: if conf.db == CURRENT_DB:
conf.db = self.getCurrentDb() conf.db = self.getCurrentDb()
@ -74,6 +81,7 @@ class Enumeration(GenericEnumeration):
else: else:
dbs = self.getDbs() dbs = self.getDbs()
# 对数据库名称进行安全处理
for db in (_ for _ in dbs if _): for db in (_ for _ in dbs if _):
dbs[dbs.index(db)] = safeSQLIdentificatorNaming(db) dbs[dbs.index(db)] = safeSQLIdentificatorNaming(db)
@ -83,6 +91,7 @@ class Enumeration(GenericEnumeration):
rootQuery = queries[DBMS.MAXDB].tables rootQuery = queries[DBMS.MAXDB].tables
# 遍历每个数据库,查询表名称
for db in dbs: for db in dbs:
query = rootQuery.inband.query % (("'%s'" % db) if db != "USER" else 'USER') query = rootQuery.inband.query % (("'%s'" % db) if db != "USER" else 'USER')
blind = not isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) blind = not isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION)
@ -95,6 +104,7 @@ class Enumeration(GenericEnumeration):
else: else:
kb.data.cachedTables[db].append(table) kb.data.cachedTables[db].append(table)
# 对每个数据库的表进行排序
for db, tables in kb.data.cachedTables.items(): for db, tables in kb.data.cachedTables.items():
kb.data.cachedTables[db] = sorted(tables) if tables else tables kb.data.cachedTables[db] = sorted(tables) if tables else tables
@ -103,6 +113,7 @@ class Enumeration(GenericEnumeration):
def getColumns(self, onlyColNames=False, colTuple=None, bruteForce=None, dumpMode=False): def getColumns(self, onlyColNames=False, colTuple=None, bruteForce=None, dumpMode=False):
self.forceDbmsEnum() self.forceDbmsEnum()
# 获取当前选中的数据库
if conf.db is None or conf.db == CURRENT_DB: if conf.db is None or conf.db == CURRENT_DB:
if conf.db is None: if conf.db is None:
warnMsg = "missing database parameter. sqlmap is going " warnMsg = "missing database parameter. sqlmap is going "
@ -118,19 +129,24 @@ class Enumeration(GenericEnumeration):
errMsg += "the tables' columns" errMsg += "the tables' columns"
raise SqlmapMissingMandatoryOptionException(errMsg) raise SqlmapMissingMandatoryOptionException(errMsg)
# 对数据库名称进行安全处理
conf.db = safeSQLIdentificatorNaming(conf.db) conf.db = safeSQLIdentificatorNaming(conf.db)
# 获取需要查询的列名
if conf.col: if conf.col:
colList = conf.col.split(',') colList = conf.col.split(',')
else: else:
colList = [] colList = []
# 处理排除的列名
if conf.exclude: if conf.exclude:
colList = [_ for _ in colList if re.search(conf.exclude, _, re.I) is None] colList = [_ for _ in colList if re.search(conf.exclude, _, re.I) is None]
# 对列名进行安全处理
for col in colList: for col in colList:
colList[colList.index(col)] = safeSQLIdentificatorNaming(col) colList[colList.index(col)] = safeSQLIdentificatorNaming(col)
# 获取需要查询的表名
if conf.tbl: if conf.tbl:
tblList = conf.tbl.split(',') tblList = conf.tbl.split(',')
else: else:
@ -146,12 +162,14 @@ class Enumeration(GenericEnumeration):
errMsg += "on database '%s'" % unsafeSQLIdentificatorNaming(conf.db) errMsg += "on database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
raise SqlmapNoneDataException(errMsg) raise SqlmapNoneDataException(errMsg)
# 对表名进行安全处理
for tbl in tblList: for tbl in tblList:
tblList[tblList.index(tbl)] = safeSQLIdentificatorNaming(tbl, True) tblList[tblList.index(tbl)] = safeSQLIdentificatorNaming(tbl, True)
if bruteForce: if bruteForce:
resumeAvailable = False resumeAvailable = False
# 检查列名是否已存在于缓存中
for tbl in tblList: for tbl in tblList:
for db, table, colName, colType in kb.brute.columns: for db, table, colName, colType in kb.brute.columns:
if db == conf.db and table == tbl: if db == conf.db and table == tbl:
@ -188,6 +206,7 @@ class Enumeration(GenericEnumeration):
rootQuery = queries[DBMS.MAXDB].columns rootQuery = queries[DBMS.MAXDB].columns
# 遍历每个表,查询列名称及数据类型
for tbl in tblList: for tbl in tblList:
if conf.db is not None and len(kb.data.cachedColumns) > 0 and conf.db in kb.data.cachedColumns and tbl in kb.data.cachedColumns[conf.db]: if conf.db is not None and len(kb.data.cachedColumns) > 0 and conf.db in kb.data.cachedColumns and tbl in kb.data.cachedColumns[conf.db]:
infoMsg = "fetched tables' columns on " infoMsg = "fetched tables' columns on "
@ -196,6 +215,7 @@ class Enumeration(GenericEnumeration):
return {conf.db: kb.data.cachedColumns[conf.db]} return {conf.db: kb.data.cachedColumns[conf.db]}
# 在剩余模式且限制列名时,继续缓存
if dumpMode and colList: if dumpMode and colList:
table = {} table = {}
table[safeSQLIdentificatorNaming(tbl, True)] = dict((_, None) for _ in colList) table[safeSQLIdentificatorNaming(tbl, True)] = dict((_, None) for _ in colList)
@ -209,6 +229,7 @@ class Enumeration(GenericEnumeration):
blind = not isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) blind = not isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION)
# 查询表的列名称和数据类型的SQL语句
query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(tbl), ("'%s'" % unsafeSQLIdentificatorNaming(conf.db)) if unsafeSQLIdentificatorNaming(conf.db) != "USER" else 'USER') query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(tbl), ("'%s'" % unsafeSQLIdentificatorNaming(conf.db)) if unsafeSQLIdentificatorNaming(conf.db) != "USER" else 'USER')
retVal = pivotDumpTable("(%s) AS %s" % (query, kb.aliasName), ['%s.columnname' % kb.aliasName, '%s.datatype' % kb.aliasName, '%s.len' % kb.aliasName], blind=blind) retVal = pivotDumpTable("(%s) AS %s" % (query, kb.aliasName), ['%s.columnname' % kb.aliasName, '%s.datatype' % kb.aliasName, '%s.len' % kb.aliasName], blind=blind)
@ -216,6 +237,7 @@ class Enumeration(GenericEnumeration):
table = {} table = {}
columns = {} columns = {}
# 将查询结果中的列名和数据类型进行处理
for columnname, datatype, length in _zip(retVal[0]["%s.columnname" % kb.aliasName], retVal[0]["%s.datatype" % kb.aliasName], retVal[0]["%s.len" % kb.aliasName]): for columnname, datatype, length in _zip(retVal[0]["%s.columnname" % kb.aliasName], retVal[0]["%s.datatype" % kb.aliasName], retVal[0]["%s.len" % kb.aliasName]):
columns[safeSQLIdentificatorNaming(columnname)] = "%s(%s)" % (datatype, length) columns[safeSQLIdentificatorNaming(columnname)] = "%s(%s)" % (datatype, length)
@ -225,21 +247,25 @@ class Enumeration(GenericEnumeration):
return kb.data.cachedColumns return kb.data.cachedColumns
def getPrivileges(self, *args, **kwargs): def getPrivileges(self, *args, **kwargs):
# 输出警告信息因SAP MaxDB不支持用户权限的枚举
warnMsg = "on SAP MaxDB it is not possible to enumerate the user privileges" warnMsg = "on SAP MaxDB it is not possible to enumerate the user privileges"
logger.warning(warnMsg) logger.warning(warnMsg)
return {} return {}
def search(self): def search(self):
# 输出警告表示SAP MaxDB不支持搜索功能
warnMsg = "on SAP MaxDB search option is not available" warnMsg = "on SAP MaxDB search option is not available"
logger.warning(warnMsg) logger.warning(warnMsg)
def getHostname(self): def getHostname(self):
# 输出警告信息因SAP MaxDB不支持主机名的枚举
warnMsg = "on SAP MaxDB it is not possible to enumerate the hostname" warnMsg = "on SAP MaxDB it is not possible to enumerate the hostname"
logger.warning(warnMsg) logger.warning(warnMsg)
def getStatements(self): def getStatements(self):
# 输出警告信息因SAP MaxDB不支持SQL语句的枚举
warnMsg = "on SAP MaxDB it is not possible to enumerate the SQL statements" warnMsg = "on SAP MaxDB it is not possible to enumerate the SQL statements"
logger.warning(warnMsg) logger.warning(warnMsg)
return [] return []
Write Preview
Loading…
Cancel
Save