PageRenderTime 58ms CodeModel.GetById 21ms RepoModel.GetById 0ms app.codeStats 0ms

/nselib/pgsql.lua

https://github.com/prakashgamit/nmap
Lua | 628 lines | 348 code | 104 blank | 176 comment | 66 complexity | 4df630c8b7139f13e017f6c7a8e5f0b4 MD5 | raw file
Possible License(s): BSD-3-Clause, GPL-2.0, LGPL-2.0, LGPL-2.1 
    

  1. ---
    2. 

  2. -- PostgreSQL library supporting both version 2 and version 3 of the protocol.
    3. 

  3. -- The library currently contains the bare minimum to perform authentication.
    4. 

  4. -- Authentication is supported with or without SSL enabled and using the
    5. 

  5. -- plain-text or MD5 authentication mechanisms.
    6. 

  6. --
    7. 

  7. -- The PGSQL protocol is explained in detail in the following references.
    8. 

  8. -- * http://developer.postgresql.org/pgdocs/postgres/protocol.html
    9. 

  9. -- * http://developer.postgresql.org/pgdocs/postgres/protocol-flow.html
    10. 

  10. -- * http://developer.postgresql.org/pgdocs/postgres/protocol-message-formats.html
    11. 

  11. --
    12. 

  12. -- @copyright Same as Nmap--See http://nmap.org/book/man-legal.html
    13. 

  13. -- @author "Patrik Karlsson <patrik@cqure.net>"
    14. 

  14. 

  15. local bin = require "bin"
    16. 

  16. local nmap = require "nmap"
    17. 

  17. local stdnse = require "stdnse"
    18. 

  18. local openssl = stdnse.silent_require "openssl"
    19. 

  19. local string = require "string"
    20. 

  20. local table = require "table"
    21. 

  21. _ENV = stdnse.module("pgsql", stdnse.seeall)
    22. 

  22. 

  23. -- Version 0.3
    24. 

  24. -- Created 02/05/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net> 
    25. 

  25. -- Revised 02/20/2010 - v0.2 - added detectVersion to automaticaly detect and return 
    26. 

  26. --                             the correct version class
    27. 

  27. -- Revised 03/04/2010 - v0.3 - added support for trust authentication method
    28. 

  28. 

  29. --- Supported pgsql message types
    30. 

  30. MessageType = {
    31. 

  31. 	Error = 0x45,
    32. 

  32. 	BackendKeyData = 0x4b,
    33. 

  33. 	AuthRequest=0x52,
    34. 

  34. 	ParameterStatus = 0x53,
    35. 

  35. 	ReadyForQuery = 0x5a,
    36. 

  36. 	PasswordMessage = 0x70,
    37. 

  37. }
    38. 

  38. 

  39. --- Supported authentication types
    40. 

  40. AuthenticationType = {
    41. 

  41. 	Success = 0x00,
    42. 

  42. 	Plain = 0x03,
    43. 

  43. 	MD5 = 0x05
    44. 

  44. }
    45. 

  45. 

  46. -- Version 2 of the protocol
    47. 

  47. v2 =
    48. 

  48. {
    49. 

  49. 	
    50. 

  50. 	--- Pad a string with zeroes
    51. 

  51. 	--
    52. 

  52. 	-- @param str string containing the string to be padded
    53. 

  53. 	-- @param len number containing the wanted length
    54. 

  54. 	-- @return string containing the padded string value
    55. 

  55. 	zeroPad = function(str, len)
    56. 

  56. 		local padding = len - str:len()
    57. 

  57. 

  58. 		if ( padding < 0 ) then
    59. 

  59. 			return str
    60. 

  60. 		end
    61. 

  61. 		for i=1,padding do
    62. 

  62. 			str = str .. string.char(0x00)
    63. 

  63. 		end
    64. 

  64. 		return str
    65. 

  65. 	end,
    66. 

  66. 	
    67. 

  67. 	messageDecoder = {
    68. 

  68. 		
    69. 

  69. 		--- Decodes an Auth Request packet
    70. 

  70. 		--
    71. 

  71. 		-- @param data string containing raw data recieved from socket
    72. 

  72. 		-- @param len number containing the length as retrieved from the header
    73. 

  73. 		-- @param pos number containing the offset into the data buffer
    74. 

  74. 		-- @return pos number containing the offset after decoding, -1 on error
    75. 

  75. 		-- @return response table containing zero or more of the following <code>salt</code> and <code>success</code>
    76. 

  76. 		--		   error string containing error message if pos is -1
    77. 

  77. 		[MessageType.AuthRequest] = function( data, len, pos )
    78. 

  78. 			local _, authtype
    79. 

  79. 			local response = {}
    80. 

  80. 			pos, authtype = bin.unpack(">I", data, pos)
    81. 

  81. 

  82. 			if ( authtype == AuthenticationType.MD5 ) then
    83. 

  83. 				if  ( len - pos + 1 ) < 3 then
    84. 

  84. 					return -1, "ERROR: Malformed AuthRequest received"
    85. 

  85. 				end
    86. 

  86. 				pos, response.salt = bin.unpack("A4", data, pos)
    87. 

  87. 			elseif ( authtype == AuthenticationType.Plain ) then
    88. 

  88. 				--do nothing
    89. 

  89. 			elseif ( authtype == 0 ) then
    90. 

  90. 				response.success = true
    91. 

  91. 			else
    92. 

  92. 				stdnse.print_debug( ("unknown auth type: %d"):format(authtype) )
    93. 

  93. 			end
    94. 

  94. 

  95. 			response.authtype = authtype
    96. 

  96. 			return pos, response
    97. 

  97. 		end,
    98. 

  98. 

  99. 

  100. 

  101. 		--- Decodes an Error packet
    102. 

  102. 		--
    103. 

  103. 		-- @param data string containing raw data recieved from socket
    104. 

  104. 		-- @param len number containing the length as retrieved from the header
    105. 

  105. 		-- @param pos number containing the offset into the data buffer
    106. 

  106. 		-- @return pos number containing the offset after decoding
    107. 

  107. 		-- @return response table containing zero or more of the following <code>error.severity</code>,
    108. 

  108. 		-- <code>error.code</code>, <code>error.message</code>, <code>error.file</code>, 
    109. 

  109. 		-- <code>error.line</code> and <code>error.routine</code>
    110. 

  110. 		[MessageType.Error] = function( data, len, pos )
    111. 

  111. 			local tmp = data:sub(pos, pos + len - 4)
    112. 

  112. 			local response = {}
    113. 

  113. 			local pos_end = pos + len
    114. 

  114. 

  115. 			response.error = {}
    116. 

  116. 			pos, response.error.message = bin.unpack("z", data, pos)
    117. 

  117. 			return pos, response
    118. 

  118. 		end,
    119. 

  119. 

  120. 	},
    121. 

  121. 

  122. 	--- Process the server response
    123. 

  123. 	--
    124. 

  124. 	-- @param data string containing the server response
    125. 

  125. 	-- @param pos number containing the offset into the data buffer
    126. 

  126. 	processResponse = function(data, pos)
    127. 

  127. 		local ptype, len, status, response
    128. 

  128. 		local pos = pos or 1
    129. 

  129. 

  130. 		pos, ptype = bin.unpack("C", data, pos)
    131. 

  131. 		len = data:len() - 1
    132. 

  132. 

  133. 		if v2.messageDecoder[ptype] then
    134. 

  134. 			pos, response = v2.messageDecoder[ptype](data, len, pos)
    135. 

  135. 

  136. 			if pos ~= -1 then
    137. 

  137. 				response.type = ptype
    138. 

  138. 				return pos, response
    139. 

  139. 			end
    140. 

  140. 		else
    141. 

  141. 			stdnse.print_debug( ("Missing decoder for %d"):format(ptype) )
    142. 

  142. 			return -1, ("Missing decoder for %d"):format(ptype)
    143. 

  143. 		end
    144. 

  144. 		return -1, "Decoding failed"
    145. 

  145. 	end,
    146. 

  146. 	
    147. 

  147. 	
    148. 

  148. 	--- Reads a packet and handles additional socket reads to retrieve remaining data
    149. 

  149. 	--
    150. 

  150. 	-- @param socket socket already connected to the pgsql server
    151. 

  151. 	-- @param data string containing any data already retrieved from the socket
    152. 

  152. 	-- @param pos number containing the offset into the data buffer
    153. 

  153. 	-- @return data string containing the initial and any additional data
    154. 

  154. 	readPacket=function(socket, data, pos)
    155. 

  155. 

  156. 		local pos = pos or 1
    157. 

  157. 		local data = data or ""
    158. 

  158. 		local status = true
    159. 

  159. 		local tmp = ""
    160. 

  160. 		local ptype, len
    161. 

  161. 

  162. 		local catch = function() socket:close() stdnse.print_debug("processResponse(): failed") end	
    163. 

  163. 		local try = nmap.new_try(catch)
    164. 

  164. 

  165. 		if ( data == nil or data:len() == 0 ) then
    166. 

  166. 			data = try(socket:receive())
    167. 

  167. 		end
    168. 

  168. 		return data
    169. 

  169. 	end,
    170. 

  170. 	
    171. 

  171. 	--- Sends a startup message to the server containing the username and database to connect to
    172. 

  172. 	--
    173. 

  173. 	-- @param socket socket already connected to the pgsql server
    174. 

  174. 	-- @param user string containing the name of the user
    175. 

  175. 	-- @param database string containing the name of the database
    176. 

  176. 	-- @return status true on success, false on failure
    177. 

  177. 	-- @return table containing a processed response from <code>processResponse</code>
    178. 

  178. 	--         string containing error message if status is false
    179. 

  179. 	sendStartup=function(socket, user, database)
    180. 

  180. 		local data, response, status, pos
    181. 

  181. 		local proto_ver, ptype, _, tmp
    182. 

  182. 

  183. 		local tty, unused, args = "", "", ""
    184. 

  184. 		proto_ver = 0x0020000
    185. 

  185. 		user = v2.zeroPad(user, 32)
    186. 

  186. 		database = v2.zeroPad(database, 64)
    187. 

  187. 		data = bin.pack(">I>IAAAAA", 296, proto_ver, database, user, v2.zeroPad(args, 64), v2.zeroPad(unused, 64), v2.zeroPad(tty,64) )
    188. 

  188. 

  189. 		socket:send( data )
    190. 

  190. 

  191. 		-- attempt to verify version
    192. 

  192. 		status, data = socket:receive_bytes( 1 )
    193. 

  193. 

  194. 		if ( not(status) ) then
    195. 

  195. 			return false, "sendStartup failed"
    196. 

  196. 		end
    197. 

  197. 

  198. 		data = v2.readPacket(socket, data )
    199. 

  199. 		pos, response = v2.processResponse( data )
    200. 

  200. 

  201. 		if ( pos < 0 or response.type == MessageType.Error) then
    202. 

  202. 			return false, response.error.message or "unknown error"
    203. 

  203. 		end
    204. 

  204. 

  205. 		return true, response
    206. 

  206. 	end,
    207. 

  207. 	
    208. 

  208. 	--- Attempts to authenticate to the pgsql server
    209. 

  209. 	-- Supports plain-text and MD5 authentication 
    210. 

  210. 	--
    211. 

  211. 	-- @param socket socket already connected to the pgsql server
    212. 

  212. 	-- @param params table containing any additional parameters <code>authtype</code>, <code>version</code>
    213. 

  213. 	-- @param username string containing the username to use for authentication
    214. 

  214. 	-- @param password string containing the password to use for authentication
    215. 

  215. 	-- @param salt string containing the crypthographic salt value
    216. 

  216. 	-- @return status true on success, false on failure
    217. 

  217. 	-- @return result table containing parameter status information,
    218. 

  218. 	--         result string containing an error message if login fails 
    219. 

  219. 	loginRequest = function ( socket, params, username, password, salt )
    220. 

  220. 

  221. 		local catch = function() socket:close() stdnse.print_debug("loginRequest(): failed") end	
    222. 

  222. 		local try = nmap.new_try(catch)
    223. 

  223. 		local response = {}
    224. 

  224. 		local status, data, len, pos, tmp
    225. 

  225. 

  226. 		if ( params.authtype == AuthenticationType.MD5 ) then
    227. 

  227. 			local hash = createMD5LoginHash(username,password,salt)
    228. 

  228. 			data = bin.pack( ">Iz", 40, hash)
    229. 

  229. 			try( socket:send( data ) )
    230. 

  230. 		elseif ( params.authtype == AuthenticationType.Plain ) then
    231. 

  231. 			local data
    232. 

  232. 			data = bin.pack(">Iz", password:len() + 4, password)
    233. 

  233. 			try( socket:send( data ) )
    234. 

  234. 		elseif ( params.authtype == AuthenticationType.Success ) then
    235. 

  235. 			return true, nil
    236. 

  236. 		end
    237. 

  237. 

  238. 		data, response.params = "", {}
    239. 

  239. 

  240. 		data = v2.readPacket(socket, data, 1)
    241. 

  241. 		pos, tmp = v2.processResponse(data, 1)
    242. 

  242. 

  243. 		-- this should contain the AuthRequest packet
    244. 

  244. 		if tmp.type ~= MessageType.AuthRequest then
    245. 

  245. 			return false, "Expected AuthRequest got something else"
    246. 

  246. 		end
    247. 

  247. 

  248. 		if not tmp.success then
    249. 

  249. 			return false, "Login failure"
    250. 

  250. 		end
    251. 

  251. 

  252. 		return true, response
    253. 

  253. 	end,
    254. 

  254. 	
    255. 

  255. }
    256. 

  256. 

  257. -- Version 3 of the protocol
    258. 

  258. v3 =
    259. 

  259. {
    260. 

  260. 	messageDecoder = {
    261. 

  261. 

  262. 		--- Decodes an Auth Request packet
    263. 

  263. 		--
    264. 

  264. 		-- @param data string containing raw data recieved from socket
    265. 

  265. 		-- @param len number containing the length as retrieved from the header
    266. 

  266. 		-- @param pos number containing the offset into the data buffer
    267. 

  267. 		-- @return pos number containing the offset after decoding, -1 on error
    268. 

  268. 		-- @return response table containing zero or more of the following <code>salt</code> and <code>success</code>
    269. 

  269. 		--		   error string containing error message if pos is -1
    270. 

  270. 		[MessageType.AuthRequest] = function( data, len, pos )
    271. 

  271. 			local _, authtype
    272. 

  272. 			local response = {}
    273. 

  273. 

  274. 			pos, authtype = bin.unpack(">I", data, pos)
    275. 

  275. 

  276. 			if ( authtype == AuthenticationType.MD5 ) then
    277. 

  277. 				if  ( len - pos + 1 ) < 3 then
    278. 

  278. 					return -1, "ERROR: Malformed AuthRequest received"
    279. 

  279. 				end
    280. 

  280. 				pos, response.salt = bin.unpack("A4", data, pos)
    281. 

  281. 			elseif ( authtype == AuthenticationType.Plain ) then
    282. 

  282. 				--do nothing
    283. 

  283. 			elseif ( authtype == 0 ) then
    284. 

  284. 				response.success = true
    285. 

  285. 			else
    286. 

  286. 				stdnse.print_debug( "unknown auth type: %d", authtype )
    287. 

  287. 			end
    288. 

  288. 

  289. 			response.authtype = authtype
    290. 

  290. 			return pos, response
    291. 

  291. 		end,
    292. 

  292. 

  293. 		--- Decodes an ParameterStatus packet
    294. 

  294. 		--
    295. 

  295. 		-- @param data string containing raw data recieved from socket
    296. 

  296. 		-- @param len number containing the length as retrieved from the header
    297. 

  297. 		-- @param pos number containing the offset into the data buffer
    298. 

  298. 		-- @return pos number containing the offset after decoding
    299. 

  299. 		-- @return response table containing zero or more of the following <code>key</code> and <code>value</code>
    300. 

  300. 		[MessageType.ParameterStatus] = function( data, len, pos )
    301. 

  301. 			local tmp, _
    302. 

  302. 			local response = {}
    303. 

  303. 

  304. 			tmp = data:sub(pos, pos + len - 4)
    305. 

  305. 			_, response.key, response.value = bin.unpack("zz", tmp)
    306. 

  306. 			return pos + len - 4, response
    307. 

  307. 		end,
    308. 

  308. 

  309. 		--- Decodes an Error packet
    310. 

  310. 		--
    311. 

  311. 		-- @param data string containing raw data recieved from socket
    312. 

  312. 		-- @param len number containing the length as retrieved from the header
    313. 

  313. 		-- @param pos number containing the offset into the data buffer
    314. 

  314. 		-- @return pos number containing the offset after decoding
    315. 

  315. 		-- @return response table containing zero or more of the following <code>error.severity</code>,
    316. 

  316. 		-- <code>error.code</code>, <code>error.message</code>, <code>error.file</code>, 
    317. 

  317. 		-- <code>error.line</code> and <code>error.routine</code>
    318. 

  318. 		[MessageType.Error] = function( data, len, pos )
    319. 

  319. 			local tmp = data:sub(pos, pos + len - 4)
    320. 

  320. 			local _, value, prefix
    321. 

  321. 			local response = {}
    322. 

  322. 			local pos_end = pos + len
    323. 

  323. 

  324. 			response.error = {}
    325. 

  325. 

  326. 			while ( pos < pos_end - 5 ) do
    327. 

  327. 				pos, prefix, value = bin.unpack("Az", data, pos)
    328. 

  328. 

  329. 				if prefix == 'S' then
    330. 

  330. 					response.error.severity = value
    331. 

  331. 				elseif prefix == 'C' then
    332. 

  332. 					response.error.code = value
    333. 

  333. 				elseif prefix == 'M' then
    334. 

  334. 					response.error.message = value
    335. 

  335. 				elseif prefix == 'F' then
    336. 

  336. 					response.error.file = value
    337. 

  337. 				elseif prefix == 'L' then
    338. 

  338. 					response.error.line = value
    339. 

  339. 				elseif prefix == 'R' then
    340. 

  340. 					response.error.routine = value
    341. 

  341. 				end
    342. 

  342. 			end
    343. 

  343. 			return pos, response
    344. 

  344. 		end,
    345. 

  345. 

  346. 		--- Decodes the BackendKeyData packet
    347. 

  347. 		--
    348. 

  348. 		-- @param data string containing raw data recieved from socket
    349. 

  349. 		-- @param len number containing the length as retrieved from the header
    350. 

  350. 		-- @param pos number containing the offset into the data buffer
    351. 

  351. 		-- @return pos number containing the offset after decoding, -1 on error
    352. 

  352. 		-- @return response table containing zero or more of the following <code>pid</code> and <code>key</code>
    353. 

  353. 		--		   error string containing error message if pos is -1
    354. 

  354. 		[MessageType.BackendKeyData] = function( data, len, pos )
    355. 

  355. 			local response = {}
    356. 

  356. 		
    357. 

  357. 			if len ~= 12 then
    358. 

  358. 				return -1, "ERROR: Invalid BackendKeyData packet"
    359. 

  359. 			end
    360. 

  360. 

  361. 			pos, response.pid, response.key = bin.unpack(">I>I", data, pos)
    362. 

  362. 			return pos, response
    363. 

  363. 		end,
    364. 

  364. 

  365. 		--- Decodes an ReadyForQuery packet
    366. 

  366. 		--
    367. 

  367. 		-- @param data string containing raw data recieved from socket
    368. 

  368. 		-- @param len number containing the length as retrieved from the header
    369. 

  369. 		-- @param pos number containing the offset into the data buffer
    370. 

  370. 		-- @return pos number containing the offset after decoding, -1 on error
    371. 

  371. 		-- @return response table containing zero or more of the following <code>status</code>
    372. 

  372. 		--		   error string containing error message if pos is -1
    373. 

  373. 		[MessageType.ReadyForQuery] = function( data, len, pos )
    374. 

  374. 			local response = {}
    375. 

  375. 

  376. 			if len ~= 5 then
    377. 

  377. 				return -1, "ERROR: Invalid ReadyForQuery packet"
    378. 

  378. 			end
    379. 

  379. 		
    380. 

  380. 			pos, response.status = bin.unpack("C", data, pos )
    381. 

  381. 			return pos, response
    382. 

  382. 		end,
    383. 

  383. 	},
    384. 

  384. 	
    385. 

  385. 	--- Reads a packet and handles additional socket reads to retrieve remaining data
    386. 

  386. 	--
    387. 

  387. 	-- @param socket socket already connected to the pgsql server
    388. 

  388. 	-- @param data string containing any data already retrieved from the socket
    389. 

  389. 	-- @param pos number containing the offset into the data buffer
    390. 

  390. 	-- @return data string containing the initial and any additional data
    391. 

  391. 	readPacket = function(socket, data, pos)
    392. 

  392. 

  393. 		local pos = pos or 1
    394. 

  394. 		local data = data or ""
    395. 

  395. 		local status = true
    396. 

  396. 		local tmp = ""
    397. 

  397. 		local ptype, len
    398. 

  398. 		local header
    399. 

  399. 

  400. 		local catch = function() socket:close() stdnse.print_debug("processResponse(): failed") end	
    401. 

  401. 		local try = nmap.new_try(catch)
    402. 

  402. 

  403. 		if ( data:len() - pos < 5 ) then
    404. 

  404. 			status, tmp = socket:receive_bytes( 5 - ( data:len() - pos ) )
    405. 

  405. 		end
    406. 

  406. 

  407. 		if not status then
    408. 

  408. 			return nil, "Failed to read packet"
    409. 

  409. 		end
    410. 

  410. 

  411. 		if tmp:len() ~= 0 then
    412. 

  412. 			data = data .. tmp
    413. 

  413. 		end
    414. 

  414. 

  415. 		pos, header = v3.decodeHeader(data,pos)
    416. 

  416. 

  417. 		while data:len() < header.len do
    418. 

  418. 			data = data .. try(socket:receive_bytes( ( header.len + 1 ) - data:len() ))
    419. 

  419. 		end
    420. 

  420. 		return data
    421. 

  421. 	end,
    422. 

  422. 	
    423. 

  423. 	--- Decodes the postgres header
    424. 

  424. 	--
    425. 

  425. 	-- @param data string containing the server response
    426. 

  426. 	-- @param pos number containing the offset into the data buffer
    427. 

  427. 	-- @return pos number containing the offset after decoding
    428. 

  428. 	-- @return header table containing <code>type</code> and <code>len</code>
    429. 

  429. 	decodeHeader = function(data, pos)
    430. 

  430. 		local ptype, len
    431. 

  431. 		
    432. 

  432. 		pos, ptype, len = bin.unpack("C>I", data, pos)
    433. 

  433. 		return pos, { ['type'] = ptype, ['len'] = len }
    434. 

  434. 	end,
    435. 

  435. 	
    436. 

  436. 	--- Process the server response
    437. 

  437. 	--
    438. 

  438. 	-- @param data string containing the server response
    439. 

  439. 	-- @param pos number containing the offset into the data buffer
    440. 

  440. 	-- @return pos number containing offset after decoding
    441. 

  441. 	-- @return response string containing decoded data
    442. 

  442. 	--         error message if pos is -1
    443. 

  443. 	processResponse = function(data, pos)
    444. 

  444. 		local ptype, len, status, response
    445. 

  445. 		local pos = pos or 1
    446. 

  446. 		local header
    447. 

  447. 		
    448. 

  448. 		pos, header = v3.decodeHeader( data, pos )
    449. 

  449. 

  450. 		if v3.messageDecoder[header.type] then
    451. 

  451. 			pos, response = v3.messageDecoder[header.type](data, header.len, pos)
    452. 

  452. 

  453. 			if pos ~= -1 then
    454. 

  454. 				response.type = header.type
    455. 

  455. 				return pos, response
    456. 

  456. 			end
    457. 

  457. 		else
    458. 

  458. 			stdnse.print_debug( "Missing decoder for %d", header.type )
    459. 

  459. 			return -1, ("Missing decoder for %d"):format(header.type)
    460. 

  460. 		end
    461. 

  461. 		return -1, "Decoding failed"
    462. 

  462. 	end,
    463. 

  463. 	
    464. 

  464. 	--- Attempts to authenticate to the pgsql server
    465. 

  465. 	-- Supports plain-text and MD5 authentication 
    466. 

  466. 	--
    467. 

  467. 	-- @param socket socket already connected to the pgsql server
    468. 

  468. 	-- @param params table containing any additional parameters <code>authtype</code>, <code>version</code>
    469. 

  469. 	-- @param username string containing the username to use for authentication
    470. 

  470. 	-- @param password string containing the password to use for authentication
    471. 

  471. 	-- @param salt string containing the crypthographic salt value
    472. 

  472. 	-- @return status true on success, false on failure
    473. 

  473. 	-- @return result table containing parameter status information,
    474. 

  474. 	--         result string containing an error message if login fails 
    475. 

  475. 	loginRequest = function ( socket, params, username, password, salt )
    476. 

  476. 

  477. 		local catch = function() socket:close() stdnse.print_debug("loginRequest(): failed") end	
    478. 

  478. 		local try = nmap.new_try(catch)
    479. 

  479. 		local response, header = {}, {}
    480. 

  480. 		local status, data, len, tmp, _
    481. 

  481. 		local pos = 1
    482. 

  482. 

  483. 		if ( params.authtype == AuthenticationType.MD5 ) then
    484. 

  484. 			local hash = createMD5LoginHash(username, password, salt)
    485. 

  485. 			data = bin.pack( "C>Iz", MessageType.PasswordMessage, 40, hash )
    486. 

  486. 			try( socket:send( data ) )
    487. 

  487. 		elseif ( params.authtype == AuthenticationType.Plain ) then
    488. 

  488. 			local data
    489. 

  489. 			data = bin.pack("C>Iz", MessageType.PasswordMessage, password:len() + 4, password)
    490. 

  490. 			try( socket:send( data ) )
    491. 

  491. 		elseif ( params.authtype == AuthenticationType.Success ) then
    492. 

  492. 			return true, nil
    493. 

  493. 		end
    494. 

  494. 

  495. 		data, response.params = "", {}
    496. 

  496. 

  497. 		data = v3.readPacket(socket, data, 1)
    498. 

  498. 		pos, tmp = v3.processResponse(data, 1)
    499. 

  499. 

  500. 		-- this should contain the AuthRequest packet
    501. 

  501. 		if tmp.type ~= MessageType.AuthRequest then
    502. 

  502. 			return false, "Expected AuthRequest got something else"
    503. 

  503. 		end
    504. 

  504. 

  505. 		if not tmp.success then
    506. 

  506. 			return false, "Login failure"
    507. 

  507. 		end
    508. 

  508. 

  509. 		repeat
    510. 

  510. 			data = v3.readPacket(socket, data, pos)
    511. 

  511. 			pos, tmp = v3.processResponse(data, pos)
    512. 

  512. 			if ( tmp.type == MessageType.ParameterStatus ) then
    513. 

  513. 				table.insert(response.params, {name=tmp.key, value=tmp.value})
    514. 

  514. 			end
    515. 

  515. 		until pos >= data:len() or pos == -1
    516. 

  516. 

  517. 		return true, response
    518. 

  518. 	end,
    519. 

  519. 	
    520. 

  520. 	--- Sends a startup message to the server containing the username and database to connect to
    521. 

  521. 	--
    522. 

  522. 	-- @param socket socket already connected to the pgsql server
    523. 

  523. 	-- @param user string containing the name of the user
    524. 

  524. 	-- @param database string containing the name of the database
    525. 

  525. 	-- @return status true on success, false on failure
    526. 

  526. 	-- @return table containing a processed response from <code>processResponse</code>
    527. 

  527. 	--         string containing error message if status is false
    528. 

  528. 	sendStartup = function(socket, user, database )
    529. 

  529. 		local data, response, status, pos
    530. 

  530. 		local proto_ver, ptype, _, tmp
    531. 

  531. 

  532. 		proto_ver = 0x0030000
    533. 

  533. 		data = bin.pack(">IzzzzH", proto_ver, "user", user, "database", database, 0)
    534. 

  534. 		data = bin.pack(">I", data:len() + 4) .. data
    535. 

  535. 

  536. 		socket:send( data )
    537. 

  537. 

  538. 		-- attempt to verify version
    539. 

  539. 		status, data = socket:receive_bytes( 2 )
    540. 

  540. 

  541. 		if ( not(status) ) then
    542. 

  542. 			return false, "sendStartup failed"
    543. 

  543. 		end
    544. 

  544. 		
    545. 

  545. 		if ( not(status) or data:match("^EF") ) then
    546. 

  546. 			return false, "Incorrect version"
    547. 

  547. 		end
    548. 

  548. 

  549. 		data = v3.readPacket(socket, data )
    550. 

  550. 		pos, response = v3.processResponse( data )
    551. 

  551. 

  552. 		if ( pos < 0 or response.type == MessageType.Error) then
    553. 

  553. 			return false, response.error.message or "unknown error"
    554. 

  554. 		end
    555. 

  555. 

  556. 		return true, response
    557. 

  557. 	end
    558. 

  558. }
    559. 

  559. 

  560. 

  561. --- Sends a packet requesting SSL communication to be activated
    562. 

  562. -- 
    563. 

  563. -- @param socket socket already connected to the pgsql server
    564. 

  564. -- @return boolean true if request was accepted, false if request was denied
    565. 

  565. function requestSSL(socket)
    566. 

  566. 	-- SSLRequest
    567. 

  567. 	local ssl_req_code = 80877103
    568. 

  568. 	local data = bin.pack( ">I>I", 8, ssl_req_code)
    569. 

  569. 	local status, response
    570. 

  570. 	
    571. 

  571. 	socket:send(data)
    572. 

  572. 	status, response = socket:receive_bytes(1)
    573. 

  573. 	
    574. 

  574. 	if ( not(status) ) then
    575. 

  575. 		return false
    576. 

  576. 	end
    577. 

  577. 	
    578. 

  578. 	if ( response == 'S' ) then
    579. 

  579. 		return true
    580. 

  580. 	end
    581. 

  581. 

  582. 	return false
    583. 

  583. end
    584. 

  584. 

  585. --- Creates a cryptographic hash to be used for login
    586. 

  586. --
    587. 

  587. -- @param username username
    588. 

  588. -- @param password password
    589. 

  589. -- @param salt salt
    590. 

  590. -- @return string suitable for login request
    591. 

  591. function createMD5LoginHash(username, password, salt)
    592. 

  592. 	local md5_1 = select( 2, bin.unpack( "H16", openssl.md5(password..username) ) ):lower()
    593. 

  593. 	return "md5" .. select( 2, bin.unpack("H16", openssl.md5(  md5_1 .. salt  ) ) ):lower()
    594. 

  594. end
    595. 

  595. 

  596. --- Prints the contents of the error table returned from the Error message decoder
    597. 

  597. --
    598. 

  598. -- @param dberror table containing the error
    599. 

  599. function printErrorMessage( dberror )
    600. 

  600. 	if not dberror then
    601. 

  601. 		return
    602. 

  602. 	end
    603. 

  603. 	for k, v in pairs(dberror) do
    604. 

  604. 		stdnse.print_debug( ("%s=%s"):format(k, v) )
    605. 

  605. 	end
    606. 

  606. end
    607. 

  607. 

  608. --- Attempts to determine if the server supports v3 or v2 of the protocol
    609. 

  609. --
    610. 

  610. -- @param host table
    611. 

  611. -- @param port table
    612. 

  612. -- @return class v2 or v3
    613. 

  613. function detectVersion(host, port)
    614. 

  614. 	local status, response
    615. 

  615. 	local socket = nmap.new_socket()
    616. 

  616. 

  617. 	socket:connect(host, port)
    618. 

  618. 	status, response = v3.sendStartup(socket, "versionprobe", "versionprobe")
    619. 

  619. 	socket:close()
    620. 

  620. 	
    621. 

  621. 	if ( not(status) and response == 'Incorrect version' ) then		
    622. 

  622. 		return v2
    623. 

  623. 	end
    624. 

  624. 	
    625. 

  625. 	return v3
    626. 

  626. end
    627. 

  627. 

  628. return _ENV;
    629. 

  629.