#!/usr/bin/env python """ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ # 1. 导入必要的模块 from lib.core.common import getLimitRange # 获取限制范围 from lib.core.common import isAdminFromPrivileges # 判断是否为管理员 from lib.core.common import isInferenceAvailable # 判断是否可以使用推断注入 from lib.core.common import isNoneValue # 判断是否为 None 值 from lib.core.common import isNumPosStrValue # 判断是否为数字正字符串值 from lib.core.common import isTechniqueAvailable # 判断是否可以使用特定注入技术 from lib.core.compat import xrange # 兼容 Python 2 和 3 的 xrange from lib.core.data import conf # 全局配置信息 from lib.core.data import kb # 全局知识库 from lib.core.data import logger # 日志记录器 from lib.core.data import queries # SQL 查询语句 from lib.core.enums import CHARSET_TYPE # 字符集类型枚举 from lib.core.enums import DBMS # 数据库管理系统枚举 from lib.core.enums import EXPECTED # 预期返回类型枚举 from lib.core.enums import PAYLOAD # 注入类型枚举 from lib.core.exception import SqlmapNoneDataException # 没有数据异常 from lib.core.settings import CURRENT_USER # 当前用户 from lib.request import inject # 注入相关函数 from plugins.generic.enumeration import Enumeration as GenericEnumeration # 通用枚举类 # 2. 定义一个类 Enumeration,继承自 GenericEnumeration class Enumeration(GenericEnumeration): # 3. 获取数据库用户角色 def getRoles(self, query2=False): # 4. 输出获取数据库用户角色信息 infoMsg = "fetching database users roles" # 5. 从查询集中获取角色查询语句 rootQuery = queries[DBMS.ORACLE].roles # 6. 如果用户名为当前用户,则获取当前用户名 if conf.user == CURRENT_USER: infoMsg += " for current user" conf.user = self.getCurrentUser() logger.info(infoMsg) # 7. 存储管理员用户的集合 areAdmins = set() # 8. 检查是否存在可用的注入技术或直接连接 if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct: # 9. 选择使用哪个查询语句 if query2: query = rootQuery.inband.query2 condition = rootQuery.inband.condition2 else: query = rootQuery.inband.query condition = rootQuery.inband.condition # 10. 如果指定了用户名,则添加到查询条件中 if conf.user: users = conf.user.split(',') query += " WHERE " query += " OR ".join("%s = '%s'" % (condition, user) for user in sorted(users)) # 11. 执行查询语句,获取用户角色信息 values = inject.getValue(query, blind=False, time=False) # 12. 如果没有获取到数据,尝试使用备用表 `USER_ROLE_PRIVS` if not values and not query2: infoMsg = "trying with table 'USER_ROLE_PRIVS'" logger.info(infoMsg) return self.getRoles(query2=True) # 13. 处理获取到的用户角色信息 if not isNoneValue(values): for value in values: user = None roles = set() for count in xrange(0, len(value or [])): # 14. 第一列为用户名 if count == 0: user = value[count] # 15. 其他列为角色 else: role = value[count] roles.add(role) # 16. 将用户角色信息添加到缓存中 if user in kb.data.cachedUsersRoles: kb.data.cachedUsersRoles[user] = list(roles.union(kb.data.cachedUsersRoles[user])) else: kb.data.cachedUsersRoles[user] = list(roles) # 17. 如果没有获取到用户角色信息,尝试使用推断注入 if not kb.data.cachedUsersRoles and isInferenceAvailable() and not conf.direct: # 18. 获取用户名列表 if conf.user: users = conf.user.split(',') else: if not len(kb.data.cachedUsers): users = self.getUsers() else: users = kb.data.cachedUsers retrievedUsers = set() # 19. 遍历用户列表,获取每个用户的角色信息 for user in users: unescapedUser = None if user in retrievedUsers: continue infoMsg = "fetching number of roles " infoMsg += "for user '%s'" % user logger.info(infoMsg) if unescapedUser: queryUser = unescapedUser else: queryUser = user if query2: query = rootQuery.blind.count2 % queryUser else: query = rootQuery.blind.count % queryUser # 20. 获取每个用户的角色数量 count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) # 21. 如果没有获取到角色数量,尝试使用备用表 `USER_SYS_PRIVS` if not isNumPosStrValue(count): if count != 0 and not query2: infoMsg = "trying with table 'USER_SYS_PRIVS'" logger.info(infoMsg) return self.getPrivileges(query2=True) warnMsg = "unable to retrieve the number of " warnMsg += "roles for user '%s'" % user logger.warning(warnMsg) continue infoMsg = "fetching roles for user '%s'" % user logger.info(infoMsg) roles = set() indexRange = getLimitRange(count, plusOne=True) # 22. 遍历角色索引,获取每个角色信息 for index in indexRange: if query2: query = rootQuery.blind.query2 % (queryUser, index) else: query = rootQuery.blind.query % (queryUser, index) role = inject.getValue(query, union=False, error=False) roles.add(role) # 23. 将获取到的角色信息添加到缓存中 if roles: kb.data.cachedUsersRoles[user] = list(roles) else: warnMsg = "unable to retrieve the roles " warnMsg += "for user '%s'" % user logger.warning(warnMsg) retrievedUsers.add(user) # 24. 如果没有获取到用户角色信息,抛出异常 if not kb.data.cachedUsersRoles: errMsg = "unable to retrieve the roles " errMsg += "for the database users" raise SqlmapNoneDataException(errMsg) # 25. 从角色信息中判断管理员用户 for user, privileges in kb.data.cachedUsersRoles.items(): if isAdminFromPrivileges(privileges): areAdmins.add(user) # 26. 返回用户角色信息和管理员用户 return kb.data.cachedUsersRoles, areAdmins