1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
|
---
-- PostgreSQL library supporting both version 2 and version 3 of the protocol.
-- The library currently contains the bare minimum to perform authentication.
-- Authentication is supported with or without SSL enabled and using the
-- plain-text or MD5 authentication mechanisms.
--
-- The PGSQL protocol is explained in detail in the following references.
-- * http://developer.postgresql.org/pgdocs/postgres/protocol.html
-- * http://developer.postgresql.org/pgdocs/postgres/protocol-flow.html
-- * http://developer.postgresql.org/pgdocs/postgres/protocol-message-formats.html
--
-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
-- @author Patrik Karlsson <patrik@cqure.net>
local nmap = require "nmap"
local stdnse = require "stdnse"
local openssl = stdnse.silent_require "openssl"
local string = require "string"
local table = require "table"
_ENV = stdnse.module("pgsql", stdnse.seeall)
-- Version 0.3
-- Created 02/05/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
-- Revised 02/20/2010 - v0.2 - added detectVersion to automatically detect and return
-- the correct version class
-- Revised 03/04/2010 - v0.3 - added support for trust authentication method
--- Supported pgsql message types
MessageType = {
Error = 0x45,
BackendKeyData = 0x4b,
AuthRequest=0x52,
ParameterStatus = 0x53,
ReadyForQuery = 0x5a,
PasswordMessage = 0x70,
}
--- Supported authentication types
AuthenticationType = {
Success = 0x00,
Plain = 0x03,
MD5 = 0x05
}
-- Version 2 of the protocol
v2 =
{
--- Pad a string with zeroes
--
-- @param str string containing the string to be padded
-- @param len number containing the wanted length
-- @return string containing the padded string value
zeroPad = function(str, len)
return str .. string.rep('\0', len - #str)
end,
messageDecoder = {
--- Decodes an Auth Request packet
--
-- @param data string containing raw data received from socket
-- @param len number containing the length as retrieved from the header
-- @param pos number containing the offset into the data buffer
-- @return pos number containing the offset after decoding, -1 on error
-- @return response table containing zero or more of the following <code>salt</code> and <code>success</code>
-- error string containing error message if pos is -1
[MessageType.AuthRequest] = function( data, len, pos )
local _, authtype
local response = {}
authtype, pos = string.unpack(">I4", data, pos)
if ( authtype == AuthenticationType.MD5 ) then
if ( len - pos + 1 ) < 3 then
return -1, "ERROR: Malformed AuthRequest received"
end
response.salt, pos = string.unpack("c4", data, pos)
elseif ( authtype == AuthenticationType.Plain ) then
--do nothing
elseif ( authtype == 0 ) then
response.success = true
else
stdnse.debug1("unknown auth type: %d", authtype)
end
response.authtype = authtype
return pos, response
end,
--- Decodes an Error packet
--
-- @param data string containing raw data received from socket
-- @param len number containing the length as retrieved from the header
-- @param pos number containing the offset into the data buffer
-- @return pos number containing the offset after decoding
-- @return response table containing zero or more of the following <code>error.severity</code>,
-- <code>error.code</code>, <code>error.message</code>, <code>error.file</code>,
-- <code>error.line</code> and <code>error.routine</code>
[MessageType.Error] = function( data, len, pos )
local tmp = data:sub(pos, pos + len - 4)
local response = {}
local pos_end = pos + len
response.error = {}
response.error.message, pos = string.unpack("z", data, pos)
return pos, response
end,
},
--- Process the server response
--
-- @param data string containing the server response
-- @param pos number containing the offset into the data buffer
processResponse = function(data, pos)
local ptype, len, status, response
local pos = pos or 1
ptype, pos = string.unpack("B", data, pos)
len = data:len() - 1
if v2.messageDecoder[ptype] then
pos, response = v2.messageDecoder[ptype](data, len, pos)
if pos ~= -1 then
response.type = ptype
return pos, response
end
else
stdnse.debug1("Missing decoder for %d", ptype)
return -1, ("Missing decoder for %d"):format(ptype)
end
return -1, "Decoding failed"
end,
--- Reads a packet and handles additional socket reads to retrieve remaining data
--
-- @param socket socket already connected to the pgsql server
-- @param data string containing any data already retrieved from the socket
-- @param pos number containing the offset into the data buffer
-- @return data string containing the initial and any additional data
readPacket=function(socket, data, pos)
local pos = pos or 1
local data = data or ""
local status = true
local tmp = ""
local ptype, len
local catch = function() socket:close() stdnse.debug1("processResponse(): failed") end
local try = nmap.new_try(catch)
if ( data == nil or data:len() == 0 ) then
data = try(socket:receive())
end
return data
end,
--- Sends a startup message to the server containing the username and database to connect to
--
-- @param socket socket already connected to the pgsql server
-- @param user string containing the name of the user
-- @param database string containing the name of the database
-- @return status true on success, false on failure
-- @return table containing a processed response from <code>processResponse</code>
-- string containing error message if status is false
sendStartup=function(socket, user, database)
local data, response, status, pos
local proto_ver, ptype, _, tmp
local tty, unused, args = "", "", ""
proto_ver = 0x0020000
user = v2.zeroPad(user, 32)
database = v2.zeroPad(database, 64)
data = string.pack(">I4I4", 296, proto_ver)
.. database
.. user
.. v2.zeroPad(args, 64)
.. v2.zeroPad(unused, 64)
.. v2.zeroPad(tty,64)
socket:send( data )
-- attempt to verify version
status, data = socket:receive_bytes( 1 )
if ( not(status) ) then
return false, "sendStartup failed"
end
data = v2.readPacket(socket, data )
pos, response = v2.processResponse( data )
if ( pos < 0 or response.type == MessageType.Error) then
return false, response.error.message or "unknown error"
end
return true, response
end,
--- Attempts to authenticate to the pgsql server
-- Supports plain-text and MD5 authentication
--
-- @param socket socket already connected to the pgsql server
-- @param params table containing any additional parameters <code>authtype</code>, <code>version</code>
-- @param username string containing the username to use for authentication
-- @param password string containing the password to use for authentication
-- @param salt string containing the cryptographic salt value
-- @return status true on success, false on failure
-- @return result table containing parameter status information,
-- result string containing an error message if login fails
loginRequest = function ( socket, params, username, password, salt )
local catch = function() socket:close() stdnse.debug1("loginRequest(): failed") end
local try = nmap.new_try(catch)
local response = {}
local status, data, len, pos, tmp
if ( params.authtype == AuthenticationType.MD5 ) then
local hash = createMD5LoginHash(username,password,salt)
data = string.pack( ">I4z", 40, hash)
try( socket:send( data ) )
elseif ( params.authtype == AuthenticationType.Plain ) then
local data
data = string.pack(">I4z", password:len() + 4, password)
try( socket:send( data ) )
elseif ( params.authtype == AuthenticationType.Success ) then
return true, nil
end
data, response.params = "", {}
data = v2.readPacket(socket, data, 1)
pos, tmp = v2.processResponse(data, 1)
-- this should contain the AuthRequest packet
if tmp.type ~= MessageType.AuthRequest then
return false, "Expected AuthRequest got something else"
end
if not tmp.success then
return false, "Login failure"
end
return true, response
end,
}
-- Version 3 of the protocol
v3 =
{
messageDecoder = {
--- Decodes an Auth Request packet
--
-- @param data string containing raw data received from socket
-- @param len number containing the length as retrieved from the header
-- @param pos number containing the offset into the data buffer
-- @return pos number containing the offset after decoding, -1 on error
-- @return response table containing zero or more of the following <code>salt</code> and <code>success</code>
-- error string containing error message if pos is -1
[MessageType.AuthRequest] = function( data, len, pos )
local _, authtype
local response = {}
authtype, pos = string.unpack(">I4", data, pos)
if ( authtype == AuthenticationType.MD5 ) then
if ( len - pos + 1 ) < 3 then
return -1, "ERROR: Malformed AuthRequest received"
end
response.salt, pos = string.unpack("c4", data, pos)
elseif ( authtype == AuthenticationType.Plain ) then
--do nothing
elseif ( authtype == 0 ) then
response.success = true
else
stdnse.debug1("unknown auth type: %d", authtype )
end
response.authtype = authtype
return pos, response
end,
--- Decodes an ParameterStatus packet
--
-- @param data string containing raw data received from socket
-- @param len number containing the length as retrieved from the header
-- @param pos number containing the offset into the data buffer
-- @return pos number containing the offset after decoding
-- @return response table containing zero or more of the following <code>key</code> and <code>value</code>
[MessageType.ParameterStatus] = function( data, len, pos )
local response = {}
local tmp = data:sub(pos, pos + len - 4)
response.key, response.value = string.unpack("zz", tmp)
return pos + len - 4, response
end,
--- Decodes an Error packet
--
-- @param data string containing raw data received from socket
-- @param len number containing the length as retrieved from the header
-- @param pos number containing the offset into the data buffer
-- @return pos number containing the offset after decoding
-- @return response table containing zero or more of the following <code>error.severity</code>,
-- <code>error.code</code>, <code>error.message</code>, <code>error.file</code>,
-- <code>error.line</code> and <code>error.routine</code>
[MessageType.Error] = function( data, len, pos )
local tmp = data:sub(pos, pos + len - 4)
local _, value, prefix
local response = {}
local pos_end = pos + len
response.error = {}
while ( pos < pos_end - 5 ) do
prefix, value, pos = string.unpack("c1z", data, pos)
if prefix == 'S' then
response.error.severity = value
elseif prefix == 'C' then
response.error.code = value
elseif prefix == 'M' then
response.error.message = value
elseif prefix == 'F' then
response.error.file = value
elseif prefix == 'L' then
response.error.line = value
elseif prefix == 'R' then
response.error.routine = value
end
end
return pos, response
end,
--- Decodes the BackendKeyData packet
--
-- @param data string containing raw data received from socket
-- @param len number containing the length as retrieved from the header
-- @param pos number containing the offset into the data buffer
-- @return pos number containing the offset after decoding, -1 on error
-- @return response table containing zero or more of the following <code>pid</code> and <code>key</code>
-- error string containing error message if pos is -1
[MessageType.BackendKeyData] = function( data, len, pos )
local response = {}
if len ~= 12 then
return -1, "ERROR: Invalid BackendKeyData packet"
end
response.pid, response.key, pos = string.unpack(">I4I4", data, pos)
return pos, response
end,
--- Decodes an ReadyForQuery packet
--
-- @param data string containing raw data received from socket
-- @param len number containing the length as retrieved from the header
-- @param pos number containing the offset into the data buffer
-- @return pos number containing the offset after decoding, -1 on error
-- @return response table containing zero or more of the following <code>status</code>
-- error string containing error message if pos is -1
[MessageType.ReadyForQuery] = function( data, len, pos )
local response = {}
if len ~= 5 then
return -1, "ERROR: Invalid ReadyForQuery packet"
end
response.status, pos = string.unpack("B", data, pos )
return pos, response
end,
},
--- Reads a packet and handles additional socket reads to retrieve remaining data
--
-- @param socket socket already connected to the pgsql server
-- @param data string containing any data already retrieved from the socket
-- @param pos number containing the offset into the data buffer
-- @return data string containing the initial and any additional data
readPacket = function(socket, data, pos)
pos = pos or 1
data = data or ""
-- Make sure that we have enough data for the header
local targetlen = pos - 1 + 5 -- header is 5 bytes (structure >BI4)
while #data < targetlen do
local status, extra = socket:receive_bytes(targetlen - #data)
if not status then
stdnse.debug1("Not enough data for PGSQL response header")
return nil, extra
end
data = data .. extra
end
local _, header = v3.decodeHeader(data, pos)
targetlen = targetlen + header.len - 4 -- header.len is 4 bytes
while #data < targetlen do
local status, extra = socket:receive_bytes(targetlen - #data)
if not status then
stdnse.debug1("Not enough data for declared PGSQL response size")
return nil, extra
end
data = data .. extra
end
return data
end,
--- Decodes the postgres header
--
-- @param data string containing the server response
-- @param pos number containing the offset into the data buffer
-- @return pos number containing the offset after decoding
-- @return header table containing <code>type</code> and <code>len</code>
decodeHeader = function(data, pos)
local ptype, len
ptype, len, pos = string.unpack(">BI4", data, pos)
return pos, { ['type'] = ptype, ['len'] = len }
end,
--- Process the server response
--
-- @param data string containing the server response
-- @param pos number containing the offset into the data buffer
-- @return pos number containing offset after decoding
-- @return response string containing decoded data
-- error message if pos is -1
processResponse = function(data, pos)
pos = pos or 1
if not data then
return -1, "Not enough response data"
end
local header
pos, header = v3.decodeHeader( data, pos )
if not v3.messageDecoder[header.type] then
stdnse.debug1("Missing decoder for %d", header.type )
return -1, ("Missing decoder for %d"):format(header.type)
end
local response
pos, response = v3.messageDecoder[header.type](data, header.len, pos)
if pos == -1 then
return -1, "Decoding failed"
end
response.type = header.type
return pos, response
end,
--- Attempts to authenticate to the pgsql server
-- Supports plain-text and MD5 authentication
--
-- @param socket socket already connected to the pgsql server
-- @param params table containing any additional parameters <code>authtype</code>, <code>version</code>
-- @param username string containing the username to use for authentication
-- @param password string containing the password to use for authentication
-- @param salt string containing the cryptographic salt value
-- @return status true on success, false on failure
-- @return result table containing parameter status information,
-- result string containing an error message if login fails
loginRequest = function ( socket, params, username, password, salt )
local creds
if params.authtype == AuthenticationType.MD5 then
creds = createMD5LoginHash(username, password, salt)
elseif params.authtype == AuthenticationType.Plain then
creds = password
elseif params.authtype == AuthenticationType.Success then
return true, nil
else
return false, "Unexpected authentication type 0x" .. stdnse.tohex(params.authtype)
end
local status, err = socket:send(string.pack(">BI4z", MessageType.PasswordMessage, #creds + 5, creds))
if not status then
return false, "Unable to send AuthRequest: " .. err
end
local data = v3.readPacket(socket)
local pos, tmp = v3.processResponse(data, 1)
-- this should contain the AuthRequest packet
if tmp.type ~= MessageType.AuthRequest then
return false, "Expected AuthRequest; got something else"
end
if not tmp.success then
return false, "Login failure"
end
local params = {}
repeat
data = v3.readPacket(socket, data, pos)
pos, tmp = v3.processResponse(data, pos)
if ( tmp.type == MessageType.ParameterStatus ) then
table.insert(params, {name=tmp.key, value=tmp.value})
end
until pos >= data:len() or pos == -1
return true, {params}
end,
--- Sends a startup message to the server containing the username and database to connect to
--
-- @param socket socket already connected to the pgsql server
-- @param user string containing the name of the user
-- @param database string containing the name of the database
-- @return status true on success, false on failure
-- @return table containing a processed response from <code>processResponse</code>
-- string containing error message if status is false
sendStartup = function(socket, user, database )
local data, response, status, pos
local proto_ver, ptype, _, tmp
proto_ver = 0x0030000
data = string.pack(">I4zzzzB", proto_ver, "user", user, "database", database, 0)
data = string.pack(">I4", data:len() + 4) .. data
socket:send( data )
-- attempt to verify version
status, data = socket:receive_bytes( 2 )
if ( not(status) ) then
return false, "sendStartup failed"
end
if ( not(status) or data:match("^EF") ) then
return false, "Incorrect version"
end
data = v3.readPacket(socket, data )
pos, response = v3.processResponse( data )
if ( pos < 0 or response.type == MessageType.Error) then
return false, response.error.message or "unknown error"
end
return true, response
end
}
--- Sends a packet requesting SSL communication to be activated
--
-- @param socket socket already connected to the pgsql server
-- @return boolean true if request was accepted, false if request was denied
function requestSSL(socket)
-- SSLRequest
local ssl_req_code = 80877103
local data = string.pack( ">I4I4", 8, ssl_req_code)
local status, response
socket:send(data)
status, response = socket:receive_bytes(1)
if ( not(status) ) then
return false
end
if ( response == 'S' ) then
return true
end
return false
end
--- Creates a cryptographic hash to be used for login
--
-- @param username username
-- @param password password
-- @param salt salt
-- @return string suitable for login request
function createMD5LoginHash(username, password, salt)
local md5_1 = stdnse.tohex(openssl.md5(password..username))
return "md5" .. stdnse.tohex(openssl.md5(md5_1 .. salt))
end
--- Prints the contents of the error table returned from the Error message decoder
--
-- @param dberror table containing the error
function printErrorMessage( dberror )
if not dberror then
return
end
for k, v in pairs(dberror) do
stdnse.debug1("%s=%s", k, v)
end
end
--- Attempts to determine if the server supports v3 or v2 of the protocol
--
-- @param host table
-- @param port table
-- @return class v2 or v3
function detectVersion(host, port)
local status, response
local socket = nmap.new_socket()
socket:connect(host, port)
status, response = v3.sendStartup(socket, "versionprobe", "versionprobe")
socket:close()
if ( not(status) and response == 'Incorrect version' ) then
return v2
end
return v3
end
return _ENV;
|
