From 80bd1466961e58a35a552de7617569098b923837 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Sun, 10 Jan 2010 19:12:54 +0000
Subject: [PATCH] Added support for --dump with -C also on MSSQL
---
 plugins/dbms/mssqlserver.py | 5 ---
 plugins/generic/enumeration.py | 65 +++++++++++++++++++++-------------
 xml/queries.xml | 5 ++-
 3 files changed, 45 insertions(+), 30 deletions(-)
diff --git a/plugins/dbms/mssqlserver.py b/plugins/dbms/mssqlserver.py
index 8f2f0403e..6422fbf44 100644
--- a/plugins/dbms/mssqlserver.py
+++ b/plugins/dbms/mssqlserver.py
@@ -392,11 +392,6 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Miscellaneous, Takeov
 return kb.data.cachedTables
- def dumpColumn(self):
- errMsg = "Table(s) dump by providing only -C is not "
- errMsg += "yet implemented for Microsoft SQL Server"
- raise sqlmapUnsupportedFeatureException, errMsg
-
 def unionReadFile(self, rFile):
 errMsg = "Microsoft SQL Server does not support file reading "
 errMsg += "with UNION query SQL injection technique"
diff --git a/plugins/generic/enumeration.py b/plugins/generic/enumeration.py
index 71921a767..a3703e40f 100644
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@@ -960,15 +960,18 @@ class Enumeration:
 errMsg = "invalid value"
 raise sqlmapNoneDataException, errMsg
- if kb.dbms == "Microsoft SQL Server":
- plusOne = True
- else:
- plusOne = False
-
 for column in colList:
 if kb.dbms == "Oracle":
 column = column.upper()
 conf.db = "USERS"
+ elif kb.dbms == "Microsoft SQL Server":
+ if not conf.db:
+ if not len(kb.data.cachedDbs):
+ enumDbs = self.getDbs()
+ else:
+ enumDbs = kb.data.cachedDbs
+
+ conf.db = ",".join(db for db in enumDbs)
 foundCols[column] = {}
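Review bot: In the new MSSQL branch `conf.db` is overwritten with a comma-joined list of every enumerated database and never restored, so the change outlives this loop and the enclosing method, which continues outside the hunk; if that is intended, a comment such as `# no -D given: list every enumerated database in conf.db so the later per-db queries cover them all` would spare the next reader a guess. `",".join(db for db in enumDbs)` can simply be `",".join(enumDbs)`, and `if not len(kb.data.cachedDbs):` is idiomatically `if not kb.data.cachedDbs:`. The `plusOne` assignment is removed here; any remaining reference to it further down the method (outside the hunk) would now raise `NameError`, so that is worth checking before merge.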
@@ -1053,11 +1056,16 @@ class Enumeration:
 if kb.unionPosition:
 query = rootQuery["inband"]["query2"]
- if kb.dbms == "Oracle":
- query += " WHERE %s" % colQuery
- else:
+
+ if kb.dbms in ( "MySQL", "PostgreSQL" ):
 query = query % db
 query += " AND %s" % colQuery
+ elif kb.dbms == "Oracle":
+ query += " WHERE %s" % colQuery
+ elif kb.dbms == "Microsoft SQL Server":
+ query = query % (db, db, db, db, db)
+ query += " AND %s" % colQuery.replace("[DB]", db)
+
 values = inject.getValue(query, blind=False)
 if values:
@@ -1078,18 +1086,23 @@ class Enumeration:
 logger.info(infoMsg)
 query = rootQuery["blind"]["count2"]
- if kb.dbms == "Oracle":
- query += " WHERE %s" % colQuery
- else:
+
+ if kb.dbms in ( "MySQL", "PostgreSQL" ):
 query = query % db
 query += " AND %s" % colQuery
+ elif kb.dbms == "Oracle":
+ query += " WHERE %s" % colQuery
+ elif kb.dbms == "Microsoft SQL Server":
+ query = query % (db, db, db, db, db)
+ query += " AND %s" % colQuery.replace("[DB]", db)
+
 count = inject.getValue(query, inband=False, expected="int", charsetType=2)
 if not count.isdigit() or not len(count) or count == "0":
 warnMsg = "no tables contain column"
 if colConsider == "1":
 warnMsg += "s like"
- warnMsg += " '%s'" % column
+ warnMsg += " '%s' " % column
 warnMsg += "in database '%s'" % db
 logger.warn(warnMsg)
@@ -1099,12 +1112,20 @@ class Enumeration:
 for index in indexRange:
 query = rootQuery["blind"]["query2"]
- if kb.dbms == "Oracle":
- query += " WHERE %s" % colQuery
- else:
+
+ if kb.dbms in ( "MySQL", "PostgreSQL" ):
 query = query % db
 query += " AND %s" % colQuery
- query = agent.limitQuery(index, query)
+ field = None
+ elif kb.dbms == "Oracle":
+ query += " WHERE %s" % colQuery
+ field = None
+ elif kb.dbms == "Microsoft SQL Server":
+ query = query % (db, db, db, db, db)
+ query += " AND %s" % colQuery.replace("[DB]", db)
+ field = colCond.replace("[DB]", db)
+
+ query = agent.limitQuery(index, query, field)
 tbl = inject.getValue(query, inband=False)
 if tbl not in dbs[db]:
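Review bot: The new `if kb.dbms in ( "MySQL", "PostgreSQL" ) / elif / elif` chain has no fallback, whereas the `if/else` it replaces covered every non-Oracle DBMS; for any other `kb.dbms` value `query` is now sent as the raw template, and in the blind `query2` hunk (-1099) `field` is never assigned, so `agent.limitQuery(index, query, field)` raises `UnboundLocalError`. The same dispatch block appears three times, in the inband `query2`, the `count2` and the blind `query2` hunks, and needs the same fix in each. An `else:` branch raising `sqlmapUnsupportedFeatureException`, the exception the removed `dumpColumn` used, makes the unsupported case explicit; failing that, `field = None` before the chain at least avoids the crash. Factoring the block into a private helper that returns `(query, field)` would keep the three copies in step. Each enclosing method continues outside its hunk.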
@@ -1154,23 +1175,22 @@ class Enumeration:
 dumpFromDbs = []
 message = "which database(s)?\n[a]ll (default)\n"
- for db in dbs:
- message += "[%s]\n" % db
+ for db, tblData in dbs.items():
+ if tblData:
+ message += "[%s]\n" % db
 message += "[q]uit"
 test = readInput(message, default="a")
 if not test or test in ("a", "A"):
 dumpFromDbs = dbs.keys()
-
 elif test in ("q", "Q"):
 return
-
 else:
 dumpFromDbs = test.replace(" ", "").split(",")
 for db, tblData in dbs.items():
- if db not in dumpFromDbs:
+ if db not in dumpFromDbs or not tblData:
 continue
 conf.db = db
@@ -1187,13 +1207,10 @@ class Enumeration:
 if not test or test in ("a", "A"):
 dumpFromTbls = tblData
-
 elif test in ("s", "S"):
 continue
-
 elif test in ("q", "Q"):
 return
-
 else:
 dumpFromTbls = test.replace(" ", "").split(",")
diff --git a/xml/queries.xml b/xml/queries.xml
index 5c8823197..a90b34f83 100644
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -226,7 +226,10 @@ - + + + +
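Review bot: The new guard `if db not in dumpFromDbs or not tblData: continue` silently skips a database the user named at the prompt when no tables were found in it, so the run ends with nothing dumped and no explanation; splitting the guard so that the `not tblData` case first does `logger.warn("no tables found in database '%s', skipping" % db)` would tell the user why. The default answer still assigns `dumpFromDbs = dbs.keys()`, which includes the table-less databases the prompt now hides; the guard makes that harmless, but `[db for db, tblData in dbs.items() if tblData]` would keep the listing and the selection in agreement. The enclosing method continues outside the hunk.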