PageRenderTime 32ms CodeModel.GetById 13ms RepoModel.GetById 1ms app.codeStats 0ms

/nselib/pgsql.lua

https://gitlab.com/g10h4ck/nmap-gsoc2015
Lua | 620 lines | 341 code | 103 blank | 176 comment | 64 complexity | 4aeafe9d8de7c751b14f158cb56a1b13 MD5 | raw file
Possible License(s): BSD-3-Clause, GPL-2.0, Apache-2.0, LGPL-2.0, LGPL-2.1, MIT 
    

  1. ---
    2. 

  2. -- PostgreSQL library supporting both version 2 and version 3 of the protocol.
    3. 

  3. -- The library currently contains the bare minimum to perform authentication.
    4. 

  4. -- Authentication is supported with or without SSL enabled and using the
    5. 

  5. -- plain-text or MD5 authentication mechanisms.
    6. 

  6. --
    7. 

  7. -- The PGSQL protocol is explained in detail in the following references.
    8. 

  8. -- * http://developer.postgresql.org/pgdocs/postgres/protocol.html
    9. 

  9. -- * http://developer.postgresql.org/pgdocs/postgres/protocol-flow.html
    10. 

  10. -- * http://developer.postgresql.org/pgdocs/postgres/protocol-message-formats.html
    11. 

  11. --
    12. 

  12. -- @copyright Same as Nmap--See http://nmap.org/book/man-legal.html
    13. 

  13. -- @author "Patrik Karlsson <patrik@cqure.net>"
    14. 

  14. 

  15. local bin = require "bin"
    16. 

  16. local nmap = require "nmap"
    17. 

  17. local stdnse = require "stdnse"
    18. 

  18. local openssl = stdnse.silent_require "openssl"
    19. 

  19. local string = require "string"
    20. 

  20. local table = require "table"
    21. 

  21. _ENV = stdnse.module("pgsql", stdnse.seeall)
    22. 

  22. 

  23. -- Version 0.3
    24. 

  24. -- Created 02/05/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
    25. 

  25. -- Revised 02/20/2010 - v0.2 - added detectVersion to automatically detect and return
    26. 

  26. --                             the correct version class
    27. 

  27. -- Revised 03/04/2010 - v0.3 - added support for trust authentication method
    28. 

  28. 

  29. --- Supported pgsql message types
    30. 

  30. MessageType = {
    31. 

  31.   Error = 0x45,
    32. 

  32.   BackendKeyData = 0x4b,
    33. 

  33.   AuthRequest=0x52,
    34. 

  34.   ParameterStatus = 0x53,
    35. 

  35.   ReadyForQuery = 0x5a,
    36. 

  36.   PasswordMessage = 0x70,
    37. 

  37. }
    38. 

  38. 

  39. --- Supported authentication types
    40. 

  40. AuthenticationType = {
    41. 

  41.   Success = 0x00,
    42. 

  42.   Plain = 0x03,
    43. 

  43.   MD5 = 0x05
    44. 

  44. }
    45. 

  45. 

  46. -- Version 2 of the protocol
    47. 

  47. v2 =
    48. 

  48. {
    49. 

  49. 

  50.   --- Pad a string with zeroes
    51. 

  51.   --
    52. 

  52.   -- @param str string containing the string to be padded
    53. 

  53.   -- @param len number containing the wanted length
    54. 

  54.   -- @return string containing the padded string value
    55. 

  55.   zeroPad = function(str, len)
    56. 

  56.     return str .. string.rep('\0', len - #str)
    57. 

  57.   end,
    58. 

  58. 

  59.   messageDecoder = {
    60. 

  60. 

  61.     --- Decodes an Auth Request packet
    62. 

  62.     --
    63. 

  63.     -- @param data string containing raw data received from socket
    64. 

  64.     -- @param len number containing the length as retrieved from the header
    65. 

  65.     -- @param pos number containing the offset into the data buffer
    66. 

  66.     -- @return pos number containing the offset after decoding, -1 on error
    67. 

  67.     -- @return response table containing zero or more of the following <code>salt</code> and <code>success</code>
    68. 

  68.     --         error string containing error message if pos is -1
    69. 

  69.     [MessageType.AuthRequest] = function( data, len, pos )
    70. 

  70.       local _, authtype
    71. 

  71.       local response = {}
    72. 

  72.       pos, authtype = bin.unpack(">I", data, pos)
    73. 

  73. 

  74.       if ( authtype == AuthenticationType.MD5 ) then
    75. 

  75.         if  ( len - pos + 1 ) < 3 then
    76. 

  76.           return -1, "ERROR: Malformed AuthRequest received"
    77. 

  77.         end
    78. 

  78.         pos, response.salt = bin.unpack("A4", data, pos)
    79. 

  79.       elseif ( authtype == AuthenticationType.Plain ) then
    80. 

  80.         --do nothing
    81. 

  81.       elseif ( authtype == 0 ) then
    82. 

  82.         response.success = true
    83. 

  83.       else
    84. 

  84.         stdnse.debug1("unknown auth type: %d", authtype)
    85. 

  85.       end
    86. 

  86. 

  87.       response.authtype = authtype
    88. 

  88.       return pos, response
    89. 

  89.     end,
    90. 

  90. 

  91. 

  92. 

  93.     --- Decodes an Error packet
    94. 

  94.     --
    95. 

  95.     -- @param data string containing raw data received from socket
    96. 

  96.     -- @param len number containing the length as retrieved from the header
    97. 

  97.     -- @param pos number containing the offset into the data buffer
    98. 

  98.     -- @return pos number containing the offset after decoding
    99. 

  99.     -- @return response table containing zero or more of the following <code>error.severity</code>,
    100. 

  100.     -- <code>error.code</code>, <code>error.message</code>, <code>error.file</code>,
    101. 

  101.     -- <code>error.line</code> and <code>error.routine</code>
    102. 

  102.     [MessageType.Error] = function( data, len, pos )
    103. 

  103.       local tmp = data:sub(pos, pos + len - 4)
    104. 

  104.       local response = {}
    105. 

  105.       local pos_end = pos + len
    106. 

  106. 

  107.       response.error = {}
    108. 

  108.       pos, response.error.message = bin.unpack("z", data, pos)
    109. 

  109.       return pos, response
    110. 

  110.     end,
    111. 

  111. 

  112.   },
    113. 

  113. 

  114.   --- Process the server response
    115. 

  115.   --
    116. 

  116.   -- @param data string containing the server response
    117. 

  117.   -- @param pos number containing the offset into the data buffer
    118. 

  118.   processResponse = function(data, pos)
    119. 

  119.     local ptype, len, status, response
    120. 

  120.     local pos = pos or 1
    121. 

  121. 

  122.     pos, ptype = bin.unpack("C", data, pos)
    123. 

  123.     len = data:len() - 1
    124. 

  124. 

  125.     if v2.messageDecoder[ptype] then
    126. 

  126.       pos, response = v2.messageDecoder[ptype](data, len, pos)
    127. 

  127. 

  128.       if pos ~= -1 then
    129. 

  129.         response.type = ptype
    130. 

  130.         return pos, response
    131. 

  131.       end
    132. 

  132.     else
    133. 

  133.       stdnse.debug1("Missing decoder for %d", ptype)
    134. 

  134.       return -1, ("Missing decoder for %d"):format(ptype)
    135. 

  135.     end
    136. 

  136.     return -1, "Decoding failed"
    137. 

  137.   end,
    138. 

  138. 

  139. 

  140.   --- Reads a packet and handles additional socket reads to retrieve remaining data
    141. 

  141.   --
    142. 

  142.   -- @param socket socket already connected to the pgsql server
    143. 

  143.   -- @param data string containing any data already retrieved from the socket
    144. 

  144.   -- @param pos number containing the offset into the data buffer
    145. 

  145.   -- @return data string containing the initial and any additional data
    146. 

  146.   readPacket=function(socket, data, pos)
    147. 

  147. 

  148.     local pos = pos or 1
    149. 

  149.     local data = data or ""
    150. 

  150.     local status = true
    151. 

  151.     local tmp = ""
    152. 

  152.     local ptype, len
    153. 

  153. 

  154.     local catch = function() socket:close() stdnse.debug1("processResponse(): failed") end
    155. 

  155.     local try = nmap.new_try(catch)
    156. 

  156. 

  157.     if ( data == nil or data:len() == 0 ) then
    158. 

  158.       data = try(socket:receive())
    159. 

  159.     end
    160. 

  160.     return data
    161. 

  161.   end,
    162. 

  162. 

  163.   --- Sends a startup message to the server containing the username and database to connect to
    164. 

  164.   --
    165. 

  165.   -- @param socket socket already connected to the pgsql server
    166. 

  166.   -- @param user string containing the name of the user
    167. 

  167.   -- @param database string containing the name of the database
    168. 

  168.   -- @return status true on success, false on failure
    169. 

  169.   -- @return table containing a processed response from <code>processResponse</code>
    170. 

  170.   --         string containing error message if status is false
    171. 

  171.   sendStartup=function(socket, user, database)
    172. 

  172.     local data, response, status, pos
    173. 

  173.     local proto_ver, ptype, _, tmp
    174. 

  174. 

  175.     local tty, unused, args = "", "", ""
    176. 

  176.     proto_ver = 0x0020000
    177. 

  177.     user = v2.zeroPad(user, 32)
    178. 

  178.     database = v2.zeroPad(database, 64)
    179. 

  179.     data = bin.pack(">I>IAAAAA", 296, proto_ver, database, user, v2.zeroPad(args, 64), v2.zeroPad(unused, 64), v2.zeroPad(tty,64) )
    180. 

  180. 

  181.     socket:send( data )
    182. 

  182. 

  183.     -- attempt to verify version
    184. 

  184.     status, data = socket:receive_bytes( 1 )
    185. 

  185. 

  186.     if ( not(status) ) then
    187. 

  187.       return false, "sendStartup failed"
    188. 

  188.     end
    189. 

  189. 

  190.     data = v2.readPacket(socket, data )
    191. 

  191.     pos, response = v2.processResponse( data )
    192. 

  192. 

  193.     if ( pos < 0 or response.type == MessageType.Error) then
    194. 

  194.       return false, response.error.message or "unknown error"
    195. 

  195.     end
    196. 

  196. 

  197.     return true, response
    198. 

  198.   end,
    199. 

  199. 

  200.   --- Attempts to authenticate to the pgsql server
    201. 

  201.   -- Supports plain-text and MD5 authentication
    202. 

  202.   --
    203. 

  203.   -- @param socket socket already connected to the pgsql server
    204. 

  204.   -- @param params table containing any additional parameters <code>authtype</code>, <code>version</code>
    205. 

  205.   -- @param username string containing the username to use for authentication
    206. 

  206.   -- @param password string containing the password to use for authentication
    207. 

  207.   -- @param salt string containing the cryptographic salt value
    208. 

  208.   -- @return status true on success, false on failure
    209. 

  209.   -- @return result table containing parameter status information,
    210. 

  210.   --         result string containing an error message if login fails
    211. 

  211.   loginRequest = function ( socket, params, username, password, salt )
    212. 

  212. 

  213.     local catch = function() socket:close() stdnse.debug1("loginRequest(): failed") end
    214. 

  214.     local try = nmap.new_try(catch)
    215. 

  215.     local response = {}
    216. 

  216.     local status, data, len, pos, tmp
    217. 

  217. 

  218.     if ( params.authtype == AuthenticationType.MD5 ) then
    219. 

  219.       local hash = createMD5LoginHash(username,password,salt)
    220. 

  220.       data = bin.pack( ">Iz", 40, hash)
    221. 

  221.       try( socket:send( data ) )
    222. 

  222.     elseif ( params.authtype == AuthenticationType.Plain ) then
    223. 

  223.       local data
    224. 

  224.       data = bin.pack(">Iz", password:len() + 4, password)
    225. 

  225.       try( socket:send( data ) )
    226. 

  226.     elseif ( params.authtype == AuthenticationType.Success ) then
    227. 

  227.       return true, nil
    228. 

  228.     end
    229. 

  229. 

  230.     data, response.params = "", {}
    231. 

  231. 

  232.     data = v2.readPacket(socket, data, 1)
    233. 

  233.     pos, tmp = v2.processResponse(data, 1)
    234. 

  234. 

  235.     -- this should contain the AuthRequest packet
    236. 

  236.     if tmp.type ~= MessageType.AuthRequest then
    237. 

  237.       return false, "Expected AuthRequest got something else"
    238. 

  238.     end
    239. 

  239. 

  240.     if not tmp.success then
    241. 

  241.       return false, "Login failure"
    242. 

  242.     end
    243. 

  243. 

  244.     return true, response
    245. 

  245.   end,
    246. 

  246. 

  247. }
    248. 

  248. 

  249. -- Version 3 of the protocol
    250. 

  250. v3 =
    251. 

  251. {
    252. 

  252.   messageDecoder = {
    253. 

  253. 

  254.     --- Decodes an Auth Request packet
    255. 

  255.     --
    256. 

  256.     -- @param data string containing raw data received from socket
    257. 

  257.     -- @param len number containing the length as retrieved from the header
    258. 

  258.     -- @param pos number containing the offset into the data buffer
    259. 

  259.     -- @return pos number containing the offset after decoding, -1 on error
    260. 

  260.     -- @return response table containing zero or more of the following <code>salt</code> and <code>success</code>
    261. 

  261.     --         error string containing error message if pos is -1
    262. 

  262.     [MessageType.AuthRequest] = function( data, len, pos )
    263. 

  263.       local _, authtype
    264. 

  264.       local response = {}
    265. 

  265. 

  266.       pos, authtype = bin.unpack(">I", data, pos)
    267. 

  267. 

  268.       if ( authtype == AuthenticationType.MD5 ) then
    269. 

  269.         if  ( len - pos + 1 ) < 3 then
    270. 

  270.           return -1, "ERROR: Malformed AuthRequest received"
    271. 

  271.         end
    272. 

  272.         pos, response.salt = bin.unpack("A4", data, pos)
    273. 

  273.       elseif ( authtype == AuthenticationType.Plain ) then
    274. 

  274.         --do nothing
    275. 

  275.       elseif ( authtype == 0 ) then
    276. 

  276.         response.success = true
    277. 

  277.       else
    278. 

  278.         stdnse.debug1("unknown auth type: %d", authtype )
    279. 

  279.       end
    280. 

  280. 

  281.       response.authtype = authtype
    282. 

  282.       return pos, response
    283. 

  283.     end,
    284. 

  284. 

  285.     --- Decodes an ParameterStatus packet
    286. 

  286.     --
    287. 

  287.     -- @param data string containing raw data received from socket
    288. 

  288.     -- @param len number containing the length as retrieved from the header
    289. 

  289.     -- @param pos number containing the offset into the data buffer
    290. 

  290.     -- @return pos number containing the offset after decoding
    291. 

  291.     -- @return response table containing zero or more of the following <code>key</code> and <code>value</code>
    292. 

  292.     [MessageType.ParameterStatus] = function( data, len, pos )
    293. 

  293.       local tmp, _
    294. 

  294.       local response = {}
    295. 

  295. 

  296.       tmp = data:sub(pos, pos + len - 4)
    297. 

  297.       _, response.key, response.value = bin.unpack("zz", tmp)
    298. 

  298.       return pos + len - 4, response
    299. 

  299.     end,
    300. 

  300. 

  301.     --- Decodes an Error packet
    302. 

  302.     --
    303. 

  303.     -- @param data string containing raw data received from socket
    304. 

  304.     -- @param len number containing the length as retrieved from the header
    305. 

  305.     -- @param pos number containing the offset into the data buffer
    306. 

  306.     -- @return pos number containing the offset after decoding
    307. 

  307.     -- @return response table containing zero or more of the following <code>error.severity</code>,
    308. 

  308.     -- <code>error.code</code>, <code>error.message</code>, <code>error.file</code>,
    309. 

  309.     -- <code>error.line</code> and <code>error.routine</code>
    310. 

  310.     [MessageType.Error] = function( data, len, pos )
    311. 

  311.       local tmp = data:sub(pos, pos + len - 4)
    312. 

  312.       local _, value, prefix
    313. 

  313.       local response = {}
    314. 

  314.       local pos_end = pos + len
    315. 

  315. 

  316.       response.error = {}
    317. 

  317. 

  318.       while ( pos < pos_end - 5 ) do
    319. 

  319.         pos, prefix, value = bin.unpack("Az", data, pos)
    320. 

  320. 

  321.         if prefix == 'S' then
    322. 

  322.           response.error.severity = value
    323. 

  323.         elseif prefix == 'C' then
    324. 

  324.           response.error.code = value
    325. 

  325.         elseif prefix == 'M' then
    326. 

  326.           response.error.message = value
    327. 

  327.         elseif prefix == 'F' then
    328. 

  328.           response.error.file = value
    329. 

  329.         elseif prefix == 'L' then
    330. 

  330.           response.error.line = value
    331. 

  331.         elseif prefix == 'R' then
    332. 

  332.           response.error.routine = value
    333. 

  333.         end
    334. 

  334.       end
    335. 

  335.       return pos, response
    336. 

  336.     end,
    337. 

  337. 

  338.     --- Decodes the BackendKeyData packet
    339. 

  339.     --
    340. 

  340.     -- @param data string containing raw data received from socket
    341. 

  341.     -- @param len number containing the length as retrieved from the header
    342. 

  342.     -- @param pos number containing the offset into the data buffer
    343. 

  343.     -- @return pos number containing the offset after decoding, -1 on error
    344. 

  344.     -- @return response table containing zero or more of the following <code>pid</code> and <code>key</code>
    345. 

  345.     --         error string containing error message if pos is -1
    346. 

  346.     [MessageType.BackendKeyData] = function( data, len, pos )
    347. 

  347.       local response = {}
    348. 

  348. 

  349.       if len ~= 12 then
    350. 

  350.         return -1, "ERROR: Invalid BackendKeyData packet"
    351. 

  351.       end
    352. 

  352. 

  353.       pos, response.pid, response.key = bin.unpack(">I>I", data, pos)
    354. 

  354.       return pos, response
    355. 

  355.     end,
    356. 

  356. 

  357.     --- Decodes an ReadyForQuery packet
    358. 

  358.     --
    359. 

  359.     -- @param data string containing raw data received from socket
    360. 

  360.     -- @param len number containing the length as retrieved from the header
    361. 

  361.     -- @param pos number containing the offset into the data buffer
    362. 

  362.     -- @return pos number containing the offset after decoding, -1 on error
    363. 

  363.     -- @return response table containing zero or more of the following <code>status</code>
    364. 

  364.     --         error string containing error message if pos is -1
    365. 

  365.     [MessageType.ReadyForQuery] = function( data, len, pos )
    366. 

  366.       local response = {}
    367. 

  367. 

  368.       if len ~= 5 then
    369. 

  369.         return -1, "ERROR: Invalid ReadyForQuery packet"
    370. 

  370.       end
    371. 

  371. 

  372.       pos, response.status = bin.unpack("C", data, pos )
    373. 

  373.       return pos, response
    374. 

  374.     end,
    375. 

  375.   },
    376. 

  376. 

  377.   --- Reads a packet and handles additional socket reads to retrieve remaining data
    378. 

  378.   --
    379. 

  379.   -- @param socket socket already connected to the pgsql server
    380. 

  380.   -- @param data string containing any data already retrieved from the socket
    381. 

  381.   -- @param pos number containing the offset into the data buffer
    382. 

  382.   -- @return data string containing the initial and any additional data
    383. 

  383.   readPacket = function(socket, data, pos)
    384. 

  384. 

  385.     local pos = pos or 1
    386. 

  386.     local data = data or ""
    387. 

  387.     local status = true
    388. 

  388.     local tmp = ""
    389. 

  389.     local ptype, len
    390. 

  390.     local header
    391. 

  391. 

  392.     local catch = function() socket:close() stdnse.debug1("processResponse(): failed") end
    393. 

  393.     local try = nmap.new_try(catch)
    394. 

  394. 

  395.     if ( data:len() - pos < 5 ) then
    396. 

  396.       status, tmp = socket:receive_bytes( 5 - ( data:len() - pos ) )
    397. 

  397.     end
    398. 

  398. 

  399.     if not status then
    400. 

  400.       return nil, "Failed to read packet"
    401. 

  401.     end
    402. 

  402. 

  403.     if tmp:len() ~= 0 then
    404. 

  404.       data = data .. tmp
    405. 

  405.     end
    406. 

  406. 

  407.     pos, header = v3.decodeHeader(data,pos)
    408. 

  408. 

  409.     while data:len() < header.len do
    410. 

  410.       data = data .. try(socket:receive_bytes( ( header.len + 1 ) - data:len() ))
    411. 

  411.     end
    412. 

  412.     return data
    413. 

  413.   end,
    414. 

  414. 

  415.   --- Decodes the postgres header
    416. 

  416.   --
    417. 

  417.   -- @param data string containing the server response
    418. 

  418.   -- @param pos number containing the offset into the data buffer
    419. 

  419.   -- @return pos number containing the offset after decoding
    420. 

  420.   -- @return header table containing <code>type</code> and <code>len</code>
    421. 

  421.   decodeHeader = function(data, pos)
    422. 

  422.     local ptype, len
    423. 

  423. 

  424.     pos, ptype, len = bin.unpack("C>I", data, pos)
    425. 

  425.     return pos, { ['type'] = ptype, ['len'] = len }
    426. 

  426.   end,
    427. 

  427. 

  428.   --- Process the server response
    429. 

  429.   --
    430. 

  430.   -- @param data string containing the server response
    431. 

  431.   -- @param pos number containing the offset into the data buffer
    432. 

  432.   -- @return pos number containing offset after decoding
    433. 

  433.   -- @return response string containing decoded data
    434. 

  434.   --         error message if pos is -1
    435. 

  435.   processResponse = function(data, pos)
    436. 

  436.     local ptype, len, status, response
    437. 

  437.     local pos = pos or 1
    438. 

  438.     local header
    439. 

  439. 

  440.     pos, header = v3.decodeHeader( data, pos )
    441. 

  441. 

  442.     if v3.messageDecoder[header.type] then
    443. 

  443.       pos, response = v3.messageDecoder[header.type](data, header.len, pos)
    444. 

  444. 

  445.       if pos ~= -1 then
    446. 

  446.         response.type = header.type
    447. 

  447.         return pos, response
    448. 

  448.       end
    449. 

  449.     else
    450. 

  450.       stdnse.debug1("Missing decoder for %d", header.type )
    451. 

  451.       return -1, ("Missing decoder for %d"):format(header.type)
    452. 

  452.     end
    453. 

  453.     return -1, "Decoding failed"
    454. 

  454.   end,
    455. 

  455. 

  456.   --- Attempts to authenticate to the pgsql server
    457. 

  457.   -- Supports plain-text and MD5 authentication
    458. 

  458.   --
    459. 

  459.   -- @param socket socket already connected to the pgsql server
    460. 

  460.   -- @param params table containing any additional parameters <code>authtype</code>, <code>version</code>
    461. 

  461.   -- @param username string containing the username to use for authentication
    462. 

  462.   -- @param password string containing the password to use for authentication
    463. 

  463.   -- @param salt string containing the cryptographic salt value
    464. 

  464.   -- @return status true on success, false on failure
    465. 

  465.   -- @return result table containing parameter status information,
    466. 

  466.   --         result string containing an error message if login fails
    467. 

  467.   loginRequest = function ( socket, params, username, password, salt )
    468. 

  468. 

  469.     local catch = function() socket:close() stdnse.debug1("loginRequest(): failed") end
    470. 

  470.     local try = nmap.new_try(catch)
    471. 

  471.     local response, header = {}, {}
    472. 

  472.     local status, data, len, tmp, _
    473. 

  473.     local pos = 1
    474. 

  474. 

  475.     if ( params.authtype == AuthenticationType.MD5 ) then
    476. 

  476.       local hash = createMD5LoginHash(username, password, salt)
    477. 

  477.       data = bin.pack( "C>Iz", MessageType.PasswordMessage, 40, hash )
    478. 

  478.       try( socket:send( data ) )
    479. 

  479.     elseif ( params.authtype == AuthenticationType.Plain ) then
    480. 

  480.       local data
    481. 

  481.       data = bin.pack("C>Iz", MessageType.PasswordMessage, password:len() + 4, password)
    482. 

  482.       try( socket:send( data ) )
    483. 

  483.     elseif ( params.authtype == AuthenticationType.Success ) then
    484. 

  484.       return true, nil
    485. 

  485.     end
    486. 

  486. 

  487.     data, response.params = "", {}
    488. 

  488. 

  489.     data = v3.readPacket(socket, data, 1)
    490. 

  490.     pos, tmp = v3.processResponse(data, 1)
    491. 

  491. 

  492.     -- this should contain the AuthRequest packet
    493. 

  493.     if tmp.type ~= MessageType.AuthRequest then
    494. 

  494.       return false, "Expected AuthRequest got something else"
    495. 

  495.     end
    496. 

  496. 

  497.     if not tmp.success then
    498. 

  498.       return false, "Login failure"
    499. 

  499.     end
    500. 

  500. 

  501.     repeat
    502. 

  502.       data = v3.readPacket(socket, data, pos)
    503. 

  503.       pos, tmp = v3.processResponse(data, pos)
    504. 

  504.       if ( tmp.type == MessageType.ParameterStatus ) then
    505. 

  505.         table.insert(response.params, {name=tmp.key, value=tmp.value})
    506. 

  506.       end
    507. 

  507.     until pos >= data:len() or pos == -1
    508. 

  508. 

  509.     return true, response
    510. 

  510.   end,
    511. 

  511. 

  512.   --- Sends a startup message to the server containing the username and database to connect to
    513. 

  513.   --
    514. 

  514.   -- @param socket socket already connected to the pgsql server
    515. 

  515.   -- @param user string containing the name of the user
    516. 

  516.   -- @param database string containing the name of the database
    517. 

  517.   -- @return status true on success, false on failure
    518. 

  518.   -- @return table containing a processed response from <code>processResponse</code>
    519. 

  519.   --         string containing error message if status is false
    520. 

  520.   sendStartup = function(socket, user, database )
    521. 

  521.     local data, response, status, pos
    522. 

  522.     local proto_ver, ptype, _, tmp
    523. 

  523. 

  524.     proto_ver = 0x0030000
    525. 

  525.     data = bin.pack(">IzzzzH", proto_ver, "user", user, "database", database, 0)
    526. 

  526.     data = bin.pack(">I", data:len() + 4) .. data
    527. 

  527. 

  528.     socket:send( data )
    529. 

  529. 

  530.     -- attempt to verify version
    531. 

  531.     status, data = socket:receive_bytes( 2 )
    532. 

  532. 

  533.     if ( not(status) ) then
    534. 

  534.       return false, "sendStartup failed"
    535. 

  535.     end
    536. 

  536. 

  537.     if ( not(status) or data:match("^EF") ) then
    538. 

  538.       return false, "Incorrect version"
    539. 

  539.     end
    540. 

  540. 

  541.     data = v3.readPacket(socket, data )
    542. 

  542.     pos, response = v3.processResponse( data )
    543. 

  543. 

  544.     if ( pos < 0 or response.type == MessageType.Error) then
    545. 

  545.       return false, response.error.message or "unknown error"
    546. 

  546.     end
    547. 

  547. 

  548.     return true, response
    549. 

  549.   end
    550. 

  550. }
    551. 

  551. 

  552. 

  553. --- Sends a packet requesting SSL communication to be activated
    554. 

  554. --
    555. 

  555. -- @param socket socket already connected to the pgsql server
    556. 

  556. -- @return boolean true if request was accepted, false if request was denied
    557. 

  557. function requestSSL(socket)
    558. 

  558.   -- SSLRequest
    559. 

  559.   local ssl_req_code = 80877103
    560. 

  560.   local data = bin.pack( ">I>I", 8, ssl_req_code)
    561. 

  561.   local status, response
    562. 

  562. 

  563.   socket:send(data)
    564. 

  564.   status, response = socket:receive_bytes(1)
    565. 

  565. 

  566.   if ( not(status) ) then
    567. 

  567.     return false
    568. 

  568.   end
    569. 

  569. 

  570.   if ( response == 'S' ) then
    571. 

  571.     return true
    572. 

  572.   end
    573. 

  573. 

  574.   return false
    575. 

  575. end
    576. 

  576. 

  577. --- Creates a cryptographic hash to be used for login
    578. 

  578. --
    579. 

  579. -- @param username username
    580. 

  580. -- @param password password
    581. 

  581. -- @param salt salt
    582. 

  582. -- @return string suitable for login request
    583. 

  583. function createMD5LoginHash(username, password, salt)
    584. 

  584.   local md5_1 = select( 2, bin.unpack( "H16", openssl.md5(password..username) ) ):lower()
    585. 

  585.   return "md5" .. select( 2, bin.unpack("H16", openssl.md5(  md5_1 .. salt  ) ) ):lower()
    586. 

  586. end
    587. 

  587. 

  588. --- Prints the contents of the error table returned from the Error message decoder
    589. 

  589. --
    590. 

  590. -- @param dberror table containing the error
    591. 

  591. function printErrorMessage( dberror )
    592. 

  592.   if not dberror then
    593. 

  593.     return
    594. 

  594.   end
    595. 

  595.   for k, v in pairs(dberror) do
    596. 

  596.     stdnse.debug1("%s=%s", k, v)
    597. 

  597.   end
    598. 

  598. end
    599. 

  599. 

  600. --- Attempts to determine if the server supports v3 or v2 of the protocol
    601. 

  601. --
    602. 

  602. -- @param host table
    603. 

  603. -- @param port table
    604. 

  604. -- @return class v2 or v3
    605. 

  605. function detectVersion(host, port)
    606. 

  606.   local status, response
    607. 

  607.   local socket = nmap.new_socket()
    608. 

  608. 

  609.   socket:connect(host, port)
    610. 

  610.   status, response = v3.sendStartup(socket, "versionprobe", "versionprobe")
    611. 

  611.   socket:close()
    612. 

  612. 

  613.   if ( not(status) and response == 'Incorrect version' ) then
    614. 

  614.     return v2
    615. 

  615.   end
    616. 

  616. 

  617.   return v3
    618. 

  618. end
    619. 

  619. 

  620. return _ENV;
    621. 

  621.