some updates

2025-01-24 00:04:23 +03:00 · 2010-11-04 23:08:59 +00:00 · 2010-11-04 23:08:59 +00:00 · 3f0a443b83
commit 3f0a443b83
parent c8fe2fa8d8
4 changed files with 12 additions and 6 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -227,7 +227,10 @@ class Agent:
            nulledCastedField = field
        else:
            nulledCastedField = queries[kb.dbms].cast.query % field
-            nulledCastedField = queries[kb.dbms].isnull.query % nulledCastedField
+            if kb.dbms == DBMS.ACCESS:
+                nulledCastedField = queries[kb.dbms].isnull.query % (nulledCastedField, nulledCastedField)
+            else:
+                nulledCastedField = queries[kb.dbms].isnull.query % nulledCastedField

        return nulledCastedField

--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@ -138,7 +138,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
        continuousOrder means that distance between each two neighbour's
        numerical values is exactly 1
        """
-
+        
        result = tryHint(idx)

        if result:
@ -167,7 +167,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
            position = (len(charTbl) >> 1)
            posValue = charTbl[position]

-            if kb.dbms in (DBMS.SQLITE, DBMS.ACCESS, DBMS.MAXDB):
+            if kb.dbms in (DBMS.SQLITE, DBMS.MAXDB):
                pushValue(posValue)
                posValue = chr(posValue) if posValue < 128 else unichr(posValue)

@ -176,7 +176,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
            queriesCount[0] += 1
            result = Request.queryPage(forgedPayload)

-            if kb.dbms in (DBMS.SQLITE, DBMS.ACCESS, DBMS.MAXDB):
+            if kb.dbms in (DBMS.SQLITE, DBMS.MAXDB):
                posValue = popValue()

            if result:
--- a/plugins/dbms/access/fingerprint.py
+++ b/plugins/dbms/access/fingerprint.py
@ -189,3 +189,6 @@ class Fingerprint(GenericFingerprint):
            logger.warn(warnMsg)

            return False
+
+    def forceDbmsEnum(self):
+        conf.db = "Access"
--- a/xml/queries.xml
+++ b/xml/queries.xml
@ -341,7 +341,7 @@
    <dbms value="Microsoft Access">
        <cast query="CVAR(%s)"/>
        <length query="LEN(%s)"/>
-        <isnull query="ISNULL(%s)"/>
+        <isnull query="IIF(ISNULL(%s), ' ', %s)"/>
        <delimiter query=","/>
        <limit query="TOP %d"/>
        <limitregexp query="\s+TOP\s+([\d]+)"/>
@ -354,7 +354,6 @@
        <timedelay/>
        <substring query="MID((%s), %d, %d)"/>
        <case query="IIF(%s,1,0)"/>
-        <inference query="AND MID((%s), %d, 1) > '%s'"/>
        <banner/>
        <current_user query="SELECT CURRENTUSER()"/>
        <current_db/>
@ -363,6 +362,7 @@
        <dbs/>
        <tables>
            <inband query="SELECT Name FROM MSysObjects WHERE (Left([Name],1) &lt;&gt; '~') AND (Left([Name],4) &lt;&gt; 'MSys') AND ([Type] In (1, 4, 6))"/>
+            <blind query="SELECT MIN(Name) FROM MSysObjects WHERE Type = 1 AND name > '%s'" count="SELECT COUNT(*) FROM MSysObjects WHERE Type = 1"/>
        </tables>
   </dbms>