major improvement of ERROR data retrieval on MSSQL

2025-03-03 19:55:47 +03:00 · 2011-05-03 13:25:20 +00:00 · 2011-05-03 13:25:20 +00:00 · 742b0ef76e
commit 742b0ef76e
parent 2a7838928e
2 changed files with 13 additions and 4 deletions
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -295,6 +295,9 @@ URI_INJECTION_MARK_CHAR = '*'
 # Maximum length used for retrieving data over MySQL error based payload due to "known" problems with longer result strings
 MYSQL_ERROR_CHUNK_LENGTH = 50

+# Maximum length used for retrieving data over MSSQL error based payload due to trimming problems with longer result strings
+MSSQL_ERROR_CHUNK_LENGTH = 100
+
 # Do not unescape the injected statement if it contains any of the following SQL words
 EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ", "BULK ", "EXEC ", "RECONFIGURE ", "DECLARE ", CHAR_INFERENCE_MARK)

--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@ -35,6 +35,7 @@ from lib.core.enums import PAYLOAD
 from lib.core.exception import sqlmapConnectionException
 from lib.core.settings import FROM_TABLE
 from lib.core.settings import MYSQL_ERROR_CHUNK_LENGTH
+from lib.core.settings import MSSQL_ERROR_CHUNK_LENGTH
 from lib.core.settings import TURN_OFF_RESUME_INFO_LIMIT
 from lib.core.threads import getCurrentThreadData
 from lib.core.unescaper import unescaper
@ -50,6 +51,7 @@ def __oneShotErrorUse(expression, field):

    retVal = None
    offset = 1
+    chunk_length = None

    while True:
        check = "%s(?P<result>.*?)%s" % (kb.misc.start, kb.misc.stop)
@ -58,7 +60,11 @@ def __oneShotErrorUse(expression, field):
        nulledCastedField = agent.nullAndCastField(field)

        if Backend.isDbms(DBMS.MYSQL):
-            nulledCastedField = queries[DBMS.MYSQL].substring.query % (nulledCastedField, offset, MYSQL_ERROR_CHUNK_LENGTH)
+            chunk_length = MYSQL_ERROR_CHUNK_LENGTH
+            nulledCastedField = queries[DBMS.MYSQL].substring.query % (nulledCastedField, offset, chunk_length)
+        elif Backend.isDbms(DBMS.MSSQL):
+            chunk_length = MSSQL_ERROR_CHUNK_LENGTH
+            nulledCastedField = queries[DBMS.MSSQL].substring.query % (nulledCastedField, offset, chunk_length)

        # Forge the error-based SQL injection request
        vector = kb.injection.data[PAYLOAD.TECHNIQUE.ERROR].vector
@ -101,16 +107,16 @@ def __oneShotErrorUse(expression, field):
        if isinstance(output, basestring):
            output = htmlunescape(output).replace("<br>", "\n")

-        if Backend.isDbms(DBMS.MYSQL):
+        if any(map(lambda dbms: Backend.isDbms(dbms), [DBMS.MYSQL, DBMS.MSSQL])):
            if offset == 1:
                retVal = output
            else:
                retVal += output if output else ''

-            if not (output and len(output) == MYSQL_ERROR_CHUNK_LENGTH):
+            if not (output and len(output) == chunk_length):
                break
            else:
-                offset += MYSQL_ERROR_CHUNK_LENGTH
+                offset += chunk_length
        else:
            retVal = output
            break