403Webshell
Server IP : 80.87.202.40  /  Your IP : 216.73.216.169
Web Server : Apache
System : Linux rospirotorg.ru 5.14.0-539.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 5 22:26:13 UTC 2024 x86_64
User : bitrix ( 600)
PHP Version : 8.2.27
Disable Function : NONE
MySQL : OFF |  cURL : ON |  WGET : ON |  Perl : ON |  Python : OFF |  Sudo : ON |  Pkexec : ON
Directory :  /usr/share/nmap/nselib/

Upload File :
current_dir [ Writeable] document_root [ Writeable]

 

Command :


[ Back ]     

Current File : /usr/share/nmap/nselib/pgsql.lua
---
-- PostgreSQL library supporting both version 2 and version 3 of the protocol.
-- The library currently contains the bare minimum to perform authentication.
-- Authentication is supported with or without SSL enabled and using the
-- plain-text or MD5 authentication mechanisms.
--
-- The PGSQL protocol is explained in detail in the following references.
-- * http://developer.postgresql.org/pgdocs/postgres/protocol.html
-- * http://developer.postgresql.org/pgdocs/postgres/protocol-flow.html
-- * http://developer.postgresql.org/pgdocs/postgres/protocol-message-formats.html
--
-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
-- @author Patrik Karlsson <patrik@cqure.net>

local nmap = require "nmap"
local stdnse = require "stdnse"
local openssl = stdnse.silent_require "openssl"
local string = require "string"
local table = require "table"
_ENV = stdnse.module("pgsql", stdnse.seeall)

-- Version 0.3
-- Created 02/05/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
-- Revised 02/20/2010 - v0.2 - added detectVersion to automatically detect and return
--                             the correct version class
-- Revised 03/04/2010 - v0.3 - added support for trust authentication method

--- Supported pgsql message types
MessageType = {
  Error = 0x45,
  BackendKeyData = 0x4b,
  AuthRequest=0x52,
  ParameterStatus = 0x53,
  ReadyForQuery = 0x5a,
  PasswordMessage = 0x70,
}

--- Supported authentication types
AuthenticationType = {
  Success = 0x00,
  Plain = 0x03,
  MD5 = 0x05
}

-- Version 2 of the protocol
v2 =
{

  --- Pad a string with zeroes
  --
  -- @param str string containing the string to be padded
  -- @param len number containing the wanted length
  -- @return string containing the padded string value
  zeroPad = function(str, len)
    return str .. string.rep('\0', len - #str)
  end,

  messageDecoder = {

    --- Decodes an Auth Request packet
    --
    -- @param data string containing raw data received from socket
    -- @param len number containing the length as retrieved from the header
    -- @param pos number containing the offset into the data buffer
    -- @return pos number containing the offset after decoding, -1 on error
    -- @return response table containing zero or more of the following <code>salt</code> and <code>success</code>
    --         error string containing error message if pos is -1
    [MessageType.AuthRequest] = function( data, len, pos )
      local _, authtype
      local response = {}
      authtype, pos = string.unpack(">I4", data, pos)

      if ( authtype == AuthenticationType.MD5 ) then
        if  ( len - pos + 1 ) < 3 then
          return -1, "ERROR: Malformed AuthRequest received"
        end
        response.salt, pos = string.unpack("c4", data, pos)
      elseif ( authtype == AuthenticationType.Plain ) then
        --do nothing
      elseif ( authtype == 0 ) then
        response.success = true
      else
        stdnse.debug1("unknown auth type: %d", authtype)
      end

      response.authtype = authtype
      return pos, response
    end,



    --- Decodes an Error packet
    --
    -- @param data string containing raw data received from socket
    -- @param len number containing the length as retrieved from the header
    -- @param pos number containing the offset into the data buffer
    -- @return pos number containing the offset after decoding
    -- @return response table containing zero or more of the following <code>error.severity</code>,
    -- <code>error.code</code>, <code>error.message</code>, <code>error.file</code>,
    -- <code>error.line</code> and <code>error.routine</code>
    [MessageType.Error] = function( data, len, pos )
      local tmp = data:sub(pos, pos + len - 4)
      local response = {}
      local pos_end = pos + len

      response.error = {}
      response.error.message, pos = string.unpack("z", data, pos)
      return pos, response
    end,

  },

  --- Process the server response
  --
  -- @param data string containing the server response
  -- @param pos number containing the offset into the data buffer
  processResponse = function(data, pos)
    local ptype, len, status, response
    local pos = pos or 1

    ptype, pos = string.unpack("B", data, pos)
    len = data:len() - 1

    if v2.messageDecoder[ptype] then
      pos, response = v2.messageDecoder[ptype](data, len, pos)

      if pos ~= -1 then
        response.type = ptype
        return pos, response
      end
    else
      stdnse.debug1("Missing decoder for %d", ptype)
      return -1, ("Missing decoder for %d"):format(ptype)
    end
    return -1, "Decoding failed"
  end,


  --- Reads a packet and handles additional socket reads to retrieve remaining data
  --
  -- @param socket socket already connected to the pgsql server
  -- @param data string containing any data already retrieved from the socket
  -- @param pos number containing the offset into the data buffer
  -- @return data string containing the initial and any additional data
  readPacket=function(socket, data, pos)

    local pos = pos or 1
    local data = data or ""
    local status = true
    local tmp = ""
    local ptype, len

    local catch = function() socket:close() stdnse.debug1("processResponse(): failed") end
    local try = nmap.new_try(catch)

    if ( data == nil or data:len() == 0 ) then
      data = try(socket:receive())
    end
    return data
  end,

  --- Sends a startup message to the server containing the username and database to connect to
  --
  -- @param socket socket already connected to the pgsql server
  -- @param user string containing the name of the user
  -- @param database string containing the name of the database
  -- @return status true on success, false on failure
  -- @return table containing a processed response from <code>processResponse</code>
  --         string containing error message if status is false
  sendStartup=function(socket, user, database)
    local data, response, status, pos
    local proto_ver, ptype, _, tmp

    local tty, unused, args = "", "", ""
    proto_ver = 0x0020000
    user = v2.zeroPad(user, 32)
    database = v2.zeroPad(database, 64)
    data = string.pack(">I4I4", 296, proto_ver)
    .. database
    .. user
    .. v2.zeroPad(args, 64)
    .. v2.zeroPad(unused, 64)
    .. v2.zeroPad(tty,64)

    socket:send( data )

    -- attempt to verify version
    status, data = socket:receive_bytes( 1 )

    if ( not(status) ) then
      return false, "sendStartup failed"
    end

    data = v2.readPacket(socket, data )
    pos, response = v2.processResponse( data )

    if ( pos < 0 or response.type == MessageType.Error) then
      return false, response.error.message or "unknown error"
    end

    return true, response
  end,

  --- Attempts to authenticate to the pgsql server
  -- Supports plain-text and MD5 authentication
  --
  -- @param socket socket already connected to the pgsql server
  -- @param params table containing any additional parameters <code>authtype</code>, <code>version</code>
  -- @param username string containing the username to use for authentication
  -- @param password string containing the password to use for authentication
  -- @param salt string containing the cryptographic salt value
  -- @return status true on success, false on failure
  -- @return result table containing parameter status information,
  --         result string containing an error message if login fails
  loginRequest = function ( socket, params, username, password, salt )

    local catch = function() socket:close() stdnse.debug1("loginRequest(): failed") end
    local try = nmap.new_try(catch)
    local response = {}
    local status, data, len, pos, tmp

    if ( params.authtype == AuthenticationType.MD5 ) then
      local hash = createMD5LoginHash(username,password,salt)
      data = string.pack( ">I4z", 40, hash)
      try( socket:send( data ) )
    elseif ( params.authtype == AuthenticationType.Plain ) then
      local data
      data = string.pack(">I4z", password:len() + 4, password)
      try( socket:send( data ) )
    elseif ( params.authtype == AuthenticationType.Success ) then
      return true, nil
    end

    data, response.params = "", {}

    data = v2.readPacket(socket, data, 1)
    pos, tmp = v2.processResponse(data, 1)

    -- this should contain the AuthRequest packet
    if tmp.type ~= MessageType.AuthRequest then
      return false, "Expected AuthRequest got something else"
    end

    if not tmp.success then
      return false, "Login failure"
    end

    return true, response
  end,

}

-- Version 3 of the protocol
v3 =
{
  messageDecoder = {

    --- Decodes an Auth Request packet
    --
    -- @param data string containing raw data received from socket
    -- @param len number containing the length as retrieved from the header
    -- @param pos number containing the offset into the data buffer
    -- @return pos number containing the offset after decoding, -1 on error
    -- @return response table containing zero or more of the following <code>salt</code> and <code>success</code>
    --         error string containing error message if pos is -1
    [MessageType.AuthRequest] = function( data, len, pos )
      local _, authtype
      local response = {}

      authtype, pos = string.unpack(">I4", data, pos)

      if ( authtype == AuthenticationType.MD5 ) then
        if  ( len - pos + 1 ) < 3 then
          return -1, "ERROR: Malformed AuthRequest received"
        end
        response.salt, pos = string.unpack("c4", data, pos)
      elseif ( authtype == AuthenticationType.Plain ) then
        --do nothing
      elseif ( authtype == 0 ) then
        response.success = true
      else
        stdnse.debug1("unknown auth type: %d", authtype )
      end

      response.authtype = authtype
      return pos, response
    end,

    --- Decodes an ParameterStatus packet
    --
    -- @param data string containing raw data received from socket
    -- @param len number containing the length as retrieved from the header
    -- @param pos number containing the offset into the data buffer
    -- @return pos number containing the offset after decoding
    -- @return response table containing zero or more of the following <code>key</code> and <code>value</code>
    [MessageType.ParameterStatus] = function( data, len, pos )
      local response = {}

      local tmp = data:sub(pos, pos + len - 4)
      response.key, response.value = string.unpack("zz", tmp)
      return pos + len - 4, response
    end,

    --- Decodes an Error packet
    --
    -- @param data string containing raw data received from socket
    -- @param len number containing the length as retrieved from the header
    -- @param pos number containing the offset into the data buffer
    -- @return pos number containing the offset after decoding
    -- @return response table containing zero or more of the following <code>error.severity</code>,
    -- <code>error.code</code>, <code>error.message</code>, <code>error.file</code>,
    -- <code>error.line</code> and <code>error.routine</code>
    [MessageType.Error] = function( data, len, pos )
      local tmp = data:sub(pos, pos + len - 4)
      local _, value, prefix
      local response = {}
      local pos_end = pos + len

      response.error = {}

      while ( pos < pos_end - 5 ) do
        prefix, value, pos = string.unpack("c1z", data, pos)

        if prefix == 'S' then
          response.error.severity = value
        elseif prefix == 'C' then
          response.error.code = value
        elseif prefix == 'M' then
          response.error.message = value
        elseif prefix == 'F' then
          response.error.file = value
        elseif prefix == 'L' then
          response.error.line = value
        elseif prefix == 'R' then
          response.error.routine = value
        end
      end
      return pos, response
    end,

    --- Decodes the BackendKeyData packet
    --
    -- @param data string containing raw data received from socket
    -- @param len number containing the length as retrieved from the header
    -- @param pos number containing the offset into the data buffer
    -- @return pos number containing the offset after decoding, -1 on error
    -- @return response table containing zero or more of the following <code>pid</code> and <code>key</code>
    --         error string containing error message if pos is -1
    [MessageType.BackendKeyData] = function( data, len, pos )
      local response = {}

      if len ~= 12 then
        return -1, "ERROR: Invalid BackendKeyData packet"
      end

      response.pid, response.key, pos = string.unpack(">I4I4", data, pos)
      return pos, response
    end,

    --- Decodes an ReadyForQuery packet
    --
    -- @param data string containing raw data received from socket
    -- @param len number containing the length as retrieved from the header
    -- @param pos number containing the offset into the data buffer
    -- @return pos number containing the offset after decoding, -1 on error
    -- @return response table containing zero or more of the following <code>status</code>
    --         error string containing error message if pos is -1
    [MessageType.ReadyForQuery] = function( data, len, pos )
      local response = {}

      if len ~= 5 then
        return -1, "ERROR: Invalid ReadyForQuery packet"
      end

      response.status, pos = string.unpack("B", data, pos )
      return pos, response
    end,
  },

  --- Reads a packet and handles additional socket reads to retrieve remaining data
  --
  -- @param socket socket already connected to the pgsql server
  -- @param data string containing any data already retrieved from the socket
  -- @param pos number containing the offset into the data buffer
  -- @return data string containing the initial and any additional data
  readPacket = function(socket, data, pos)
    pos = pos or 1
    data = data or ""

    -- Make sure that we have enough data for the header
    local targetlen = pos - 1 + 5 -- header is 5 bytes (structure >BI4)
    while #data < targetlen do
      local status, extra = socket:receive_bytes(targetlen - #data)
      if not status then
        stdnse.debug1("Not enough data for PGSQL response header")
        return nil, extra
      end
      data = data .. extra
    end

    local _, header = v3.decodeHeader(data, pos)

    targetlen = targetlen + header.len - 4 -- header.len is 4 bytes
    while #data < targetlen do
      local status, extra = socket:receive_bytes(targetlen - #data)
      if not status then
        stdnse.debug1("Not enough data for declared PGSQL response size")
        return nil, extra
      end
      data = data .. extra
    end
    return data
  end,

  --- Decodes the postgres header
  --
  -- @param data string containing the server response
  -- @param pos number containing the offset into the data buffer
  -- @return pos number containing the offset after decoding
  -- @return header table containing <code>type</code> and <code>len</code>
  decodeHeader = function(data, pos)
    local ptype, len

    ptype, len, pos = string.unpack(">BI4", data, pos)
    return pos, { ['type'] = ptype, ['len'] = len }
  end,

  --- Process the server response
  --
  -- @param data string containing the server response
  -- @param pos number containing the offset into the data buffer
  -- @return pos number containing offset after decoding
  -- @return response string containing decoded data
  --         error message if pos is -1
  processResponse = function(data, pos)
    pos = pos or 1

    if not data then
      return -1, "Not enough response data"
    end

    local header
    pos, header = v3.decodeHeader( data, pos )
    if not v3.messageDecoder[header.type] then
      stdnse.debug1("Missing decoder for %d", header.type )
      return -1, ("Missing decoder for %d"):format(header.type)
    end

    local response
    pos, response = v3.messageDecoder[header.type](data, header.len, pos)
    if pos == -1 then
      return -1, "Decoding failed"
    end

    response.type = header.type
    return pos, response
  end,

  --- Attempts to authenticate to the pgsql server
  -- Supports plain-text and MD5 authentication
  --
  -- @param socket socket already connected to the pgsql server
  -- @param params table containing any additional parameters <code>authtype</code>, <code>version</code>
  -- @param username string containing the username to use for authentication
  -- @param password string containing the password to use for authentication
  -- @param salt string containing the cryptographic salt value
  -- @return status true on success, false on failure
  -- @return result table containing parameter status information,
  --         result string containing an error message if login fails
  loginRequest = function ( socket, params, username, password, salt )

    local creds
    if params.authtype == AuthenticationType.MD5 then
      creds = createMD5LoginHash(username, password, salt)
    elseif params.authtype == AuthenticationType.Plain then
      creds = password
    elseif params.authtype == AuthenticationType.Success then
      return true, nil
    else
      return false, "Unexpected authentication type 0x" .. stdnse.tohex(params.authtype)
    end

    local status, err = socket:send(string.pack(">BI4z", MessageType.PasswordMessage, #creds + 5, creds))
    if not status then
      return false, "Unable to send AuthRequest: " .. err
    end

    local data = v3.readPacket(socket)
    local pos, tmp = v3.processResponse(data, 1)

    -- this should contain the AuthRequest packet
    if tmp.type ~= MessageType.AuthRequest then
      return false, "Expected AuthRequest; got something else"
    end

    if not tmp.success then
      return false, "Login failure"
    end

    local params = {}
    repeat
      data = v3.readPacket(socket, data, pos)
      pos, tmp = v3.processResponse(data, pos)
      if ( tmp.type == MessageType.ParameterStatus ) then
        table.insert(params, {name=tmp.key, value=tmp.value})
      end
    until pos >= data:len() or pos == -1

    return true, {params}
  end,

  --- Sends a startup message to the server containing the username and database to connect to
  --
  -- @param socket socket already connected to the pgsql server
  -- @param user string containing the name of the user
  -- @param database string containing the name of the database
  -- @return status true on success, false on failure
  -- @return table containing a processed response from <code>processResponse</code>
  --         string containing error message if status is false
  sendStartup = function(socket, user, database )
    local data, response, status, pos
    local proto_ver, ptype, _, tmp

    proto_ver = 0x0030000
    data = string.pack(">I4zzzzB", proto_ver, "user", user, "database", database, 0)
    data = string.pack(">I4", data:len() + 4) .. data

    socket:send( data )

    -- attempt to verify version
    status, data = socket:receive_bytes( 2 )

    if ( not(status) ) then
      return false, "sendStartup failed"
    end

    if ( not(status) or data:match("^EF") ) then
      return false, "Incorrect version"
    end

    data = v3.readPacket(socket, data )
    pos, response = v3.processResponse( data )

    if ( pos < 0 or response.type == MessageType.Error) then
      return false, response.error.message or "unknown error"
    end

    return true, response
  end
}


--- Sends a packet requesting SSL communication to be activated
--
-- @param socket socket already connected to the pgsql server
-- @return boolean true if request was accepted, false if request was denied
function requestSSL(socket)
  -- SSLRequest
  local ssl_req_code = 80877103
  local data = string.pack( ">I4I4", 8, ssl_req_code)
  local status, response

  socket:send(data)
  status, response = socket:receive_bytes(1)

  if ( not(status) ) then
    return false
  end

  if ( response == 'S' ) then
    return true
  end

  return false
end

--- Creates a cryptographic hash to be used for login
--
-- @param username username
-- @param password password
-- @param salt salt
-- @return string suitable for login request
function createMD5LoginHash(username, password, salt)
  local md5_1 = stdnse.tohex(openssl.md5(password..username))
  return "md5" .. stdnse.tohex(openssl.md5(md5_1 .. salt))
end

--- Prints the contents of the error table returned from the Error message decoder
--
-- @param dberror table containing the error
function printErrorMessage( dberror )
  if not dberror then
    return
  end
  for k, v in pairs(dberror) do
    stdnse.debug1("%s=%s", k, v)
  end
end

--- Attempts to determine if the server supports v3 or v2 of the protocol
--
-- @param host table
-- @param port table
-- @return class v2 or v3
function detectVersion(host, port)
  local status, response
  local socket = nmap.new_socket()

  socket:connect(host, port)
  status, response = v3.sendStartup(socket, "versionprobe", "versionprobe")
  socket:close()

  if ( not(status) and response == 'Incorrect version' ) then
    return v2
  end

  return v3
end

return _ENV;

Youez - 2016 - github.com/yon3zu
LinuXploit