implemented support for __pivotDumpTable on MSSQL as normal tables tend to not play well with normal TOP 1 ..NOT IN..ORDER BY mechanism if the argument for ORDER BY is not the unique one (returns only number of rows equal to the number of distinct values for that field)

2024-11-22 09:36:35 +03:00 · 2011-04-08 15:17:57 +00:00 · 2011-04-08 15:17:57 +00:00 · 6fa2fd139c
commit 6fa2fd139c
parent beb98140b3
4 changed files with 17 additions and 19 deletions
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@ -195,7 +195,7 @@ def errorUse(expression, expected=None, resumeValue=True, dump=False):
       or (Backend.getIdentifiedDbms() in FROM_TABLE and not \
       expression.upper().endswith(FROM_TABLE[Backend.getIdentifiedDbms()]))) \
       and ("(CASE" not in expression.upper() or ("(CASE" in expression.upper() and "WHEN use" in expression))) \
-       and not any(map(lambda x: x in expression.upper(), ["COUNT(*)", "EXISTS(", "MAX(", "MIN("])):
+       and not any(map(lambda x: x in expression.upper(), ["COUNT(*)", "EXISTS(", "MAX(", "MIN(", "COUNT(DISTINCT"])):

        limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
        topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@ -137,7 +137,7 @@ def unionUse(expression, unpack=True, dump=False):
       " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() \
       not in FROM_TABLE) or (Backend.getIdentifiedDbms() in FROM_TABLE \
       and not expression.upper().endswith(FROM_TABLE[Backend.getIdentifiedDbms()]))) \
-       and not any(map(lambda x: x in expression.upper(), ["(CASE", "COUNT(*)", "EXISTS(", "MAX(", "MIN("])):
+       and not any(map(lambda x: x in expression.upper(), ["(CASE", "COUNT(*)", "EXISTS(", "MAX(", "MIN(", "COUNT(DISTINCT"])):

        limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
        topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@ -1304,10 +1304,14 @@ class Enumeration:
                query = rootQuery.inband.query % (colString, conf.tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), conf.tbl.upper())))
            elif Backend.getIdentifiedDbms() == DBMS.SQLITE:
                query = rootQuery.inband.query % (colString, conf.tbl)
-            elif Backend.getIdentifiedDbms() == DBMS.SYBASE:
-                table = "%s..%s" % (conf.db, conf.tbl)
-                entries, _ = self.__pivotDumpTable(table, colList, blind=False)
-                entries = zip(*[entries[colName] for colName in colList])
+            elif Backend.getIdentifiedDbms() in (DBMS.SYBASE, DBMS.MSSQL):
+                # Partial inband and error
+                if not (isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) and kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.ORIGINAL):
+                    table = "%s.%s" % (conf.db, conf.tbl)
+                    entries, _ = self.__pivotDumpTable(table, colList, blind=False)
+                    entries = zip(*[entries[colName] for colName in colList])
+                else:
+                    query = rootQuery.inband.query % (colString, conf.db, conf.tbl)
            else:
                query = rootQuery.inband.query % (colString, conf.db, conf.tbl)

@ -1358,8 +1362,8 @@ class Enumeration:
                query = rootQuery.blind.count % (conf.tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), conf.tbl.upper())))
            elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
                query = rootQuery.blind.count % conf.tbl
-            elif Backend.getIdentifiedDbms() == DBMS.SYBASE:
-                query = rootQuery.blind.count % ("%s..%s" % (conf.db, conf.tbl))
+            elif Backend.getIdentifiedDbms() in (DBMS.SYBASE, DBMS.MSSQL):
+                query = rootQuery.blind.count % ("%s.%s" % (conf.db, conf.tbl))
            elif Backend.getIdentifiedDbms() == DBMS.MAXDB:
                query = rootQuery.blind.count % ("%s" % conf.tbl)
            else:
@ -1381,17 +1385,17 @@ class Enumeration:
            entries = {}

            try:
-                if Backend.getIdentifiedDbms() in (DBMS.ACCESS, DBMS.SYBASE, DBMS.MAXDB):
+                if Backend.getIdentifiedDbms() in (DBMS.ACCESS, DBMS.SYBASE, DBMS.MAXDB, DBMS.MSSQL):
                    if Backend.getIdentifiedDbms() == DBMS.ACCESS:
                        table = conf.tbl
-                    elif Backend.getIdentifiedDbms() == DBMS.SYBASE:
-                        table = "%s..%s" % (conf.db, conf.tbl)
+                    elif Backend.getIdentifiedDbms() in (DBMS.SYBASE, DBMS.MSSQL):
+                        table = "%s.%s" % (conf.db, conf.tbl)
                    elif Backend.getIdentifiedDbms() == DBMS.MAXDB:
                        table = "%s.%s" % (conf.db, conf.tbl)
                    entries, lengths = self.__pivotDumpTable(table, colList, count, blind=True)

                else:
-                    if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.MSSQL, DBMS.SYBASE):
+                    if Backend.getIdentifiedDbms() == DBMS.ORACLE:
                        plusOne = True
                    else:
                        plusOne = False
@ -1412,11 +1416,6 @@ class Enumeration:
                                query = rootQuery.blind.query % (column, column,
                                                                       conf.tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), conf.tbl.upper())),
                                                                       index)
-                            elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
-                                query = rootQuery.blind.query % (column, index, conf.db,
-                                                                       conf.tbl, colList[0],
-                                                                       colList[0], colList[0])
-
                            elif Backend.getIdentifiedDbms() == DBMS.SQLITE:
                                query = rootQuery.blind.query % (column, conf.tbl, index)

--- a/xml/queries.xml
+++ b/xml/queries.xml
@ -193,8 +193,7 @@
        </columns>
        <dump_table>
            <inband query="SELECT %s FROM %s.%s"/>
-            <!--<blind query="SELECT TOP 1 %s FROM %s..%s WHERE %s NOT IN (SELECT TOP %d %s FROM %s..%s)" count="SELECT LTRIM(STR(COUNT(*))) FROM %s..%s"/>-->
-            <blind query="SELECT TOP 1 %s FROM (SELECT TOP 1 * FROM ( SELECT TOP %d * FROM %s.%s ORDER BY %s ASC ) AS t1 ORDER BY %s DESC) AS t2 ORDER BY %s ASC" count="SELECT LTRIM(STR(COUNT(*))) FROM %s.%s"/>
+            <blind query="SELECT MIN(%s) FROM %s WHERE CONVERT(NVARCHAR(4000),%s)>'%s'" query2="SELECT MAX(%s) FROM %s WHERE CONVERT(NVARCHAR(4000),%s) LIKE '%s'" count="SELECT LTRIM(STR(COUNT(*))) FROM %s" count2="SELECT LTRIM(STR(COUNT(DISTINCT(%s)))) FROM %s"/>
        </dump_table>
        <search_db>
            <inband query="SELECT name FROM master..sysdatabases WHERE " condition="name"/>