Minor bug fix in MSSQL version fingerprint

2024-11-22 09:36:35 +03:00 · 2009-08-11 09:16:20 +00:00 · 2009-08-11 09:16:20 +00:00 · 458d59416c
commit 458d59416c
parent 14578a7a4d
2 changed files with 10 additions and 3 deletions
--- a/doc/THANKS
+++ b/doc/THANKS
@ -113,6 +113,9 @@ Guido Landi <lists@keamera.org>
    'sp_replwritetovarbin' stored procedure heap-based buffer overflow
    (MS09-004) exploit development, http://www.milw0rm.com/author/1413

+Lee Lawson <Lee.Lawson@dns.co.uk>
+    for reporting a minor bug
+
 Nico Leidecker <nico@leidecker.info>
    for providing me with feedback on a few features
    for reporting a couple of bugs
--- a/plugins/dbms/mssqlserver.py
+++ b/plugins/dbms/mssqlserver.py
@ -32,6 +32,7 @@ from lib.core.common import formatDBMSfp
 from lib.core.common import formatFingerprint
 from lib.core.common import getHtmlErrorFp
 from lib.core.common import getRange
+from lib.core.common import randomInt
 from lib.core.common import randomStr
 from lib.core.convert import urlencode
 from lib.core.data import conf
@ -192,10 +193,12 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Miscellaneous, Takeov
            logger.info(infoMsg)

            for version in ( 0, 5, 8 ):
-                payload = agent.fullPayload(" AND ( ( SUBSTRING((@@VERSION), 22, 1)=2 AND SUBSTRING((@@VERSION), 25, 1)=%d ) OR ( SUBSTRING((@@VERSION), 23, 1)=2 AND SUBSTRING((@@VERSION), 26, 1)=%d ) )" % (version, version))
+                randInt = randomInt()
+                query   = " AND %d=(SELECT (CASE WHEN (( SUBSTRING((@@VERSION), 22, 1)=2 AND SUBSTRING((@@VERSION), 25, 1)=%d ) OR ( SUBSTRING((@@VERSION), 23, 1)=2 AND SUBSTRING((@@VERSION), 26, 1)=%d )) THEN %d ELSE %d END))" % (randInt, version, version, randInt, (randInt + 1))
+                payload = agent.fullPayload(query)
                result  = Request.queryPage(payload)

-                if result == True:
+                if result is True:
                    if version == 8:
                        kb.dbmsVersion = [ "2008" ]

@ -212,7 +215,8 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Miscellaneous, Takeov
                        break

                    else:
-                        payload = agent.fullPayload(" AND SUBSTRING((@@VERSION), 22, 1)=7")
+                        query   = " AND %d=(SELECT (CASE WHEN (SUBSTRING((@@VERSION), 22, 1)=7) THEN %d ELSE %d END))" % (randInt, randInt, (randInt + 1))
+                        payload = agent.fullPayload(query)
                        result  = Request.queryPage(payload)

                        if result == True: