From 8220b6264c16a41d05525ee353c0589013014df3 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Sun, 16 Jun 2019 17:23:46 +0200
Subject: [PATCH] Fixes #3759
---
data/xml/queries.xml | 6 ++++--
lib/core/settings.py | 2 +-
plugins/generic/users.py | 19 +++++++++++++++----
3 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/data/xml/queries.xml b/data/xml/queries.xml
index db50087b3..7a8592438 100644
--- a/data/xml/queries.xml
+++ b/data/xml/queries.xml
@@ -32,9 +32,11 @@
+
+
-
-
+
+
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 1cb6249a5..88f3320a9 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -18,7 +18,7 @@ from lib.core.enums import OS
from thirdparty.six import unichr as _unichr
# sqlmap version (...)
-VERSION = "1.3.6.43"
+VERSION = "1.3.6.44"
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/plugins/generic/users.py b/plugins/generic/users.py
index 79bf750f0..a20707d21 100644
--- a/plugins/generic/users.py
+++ b/plugins/generic/users.py
@@ -15,6 +15,7 @@ from lib.core.common import getLimitRange
from lib.core.common import isAdminFromPrivileges
from lib.core.common import isInferenceAvailable
from lib.core.common import isNoneValue
+from lib.core.common import isNullValue
from lib.core.common import isNumPosStrValue
from lib.core.common import isTechniqueAvailable
from lib.core.common import parsePasswordHash
@@ -203,8 +204,10 @@ class Users(object):
else:
values = inject.getValue(query, blind=False, time=False)
- if isNoneValue(values) and Backend.isDbms(DBMS.MSSQL):
+ if Backend.isDbms(DBMS.MSSQL) and isNoneValue(values):
values = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), blind=False, time=False)
+ elif Backend.isDbms(DBMS.MYSQL) and (isNoneValue(values) or all(len(value) == 2 and (isNullValue(value[1]) or isNoneValue(value[1])) for value in values)):
+ values = inject.getValue(query.replace("authentication_string", "password"), blind=False, time=False)
for user, password in filterPairValues(values):
if not user or user == " ":
@@ -270,9 +273,13 @@ class Users(object):
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
- if not isNumPosStrValue(count) and Backend.isDbms(DBMS.MSSQL):
- fallback = True
- count = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
+ if not isNumPosStrValue(count):
+ if Backend.isDbms(DBMS.MSSQL):
+ fallback = True
+ count = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
+ elif Backend.isDbms(DBMS.MYSQL):
+ fallback = True
+ count = inject.getValue(query.replace("authentication_string", "password"), union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count):
warnMsg = "unable to retrieve the number of password "
@@ -307,6 +314,10 @@ class Users(object):
else:
query = rootQuery.blind.query % (user, index)
+ if Backend.isDbms(DBMS.MYSQL):
+ if fallback:
+ query = query.replace("authentication_string", "password")
+
password = unArrayizeValue(inject.getValue(query, union=False, error=False))
password = parsePasswordHash(password)
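Review bot: The `all(...)` condition on the new `elif` arm only falls back to the `password` column when every retrieved hash is empty, so on a server that keeps some hashes in `authentication_string` and others in `password` (which, as far as I recall, MySQL 5.6 does for mixed native/plugin accounts) the accounts whose hash lives only in `password` are reported with an empty hash and the fallback never runs. I would trigger the fallback on `any` empty hash and merge the second result into the first instead of replacing it, keeping every non-empty hash that `authentication_string` already produced. Note too that `all()` over an empty but non-None `values` is vacuously true, which is presumably the intended "nothing came back" case but deserves a comment such as `# empty result set or every hash empty: the hashes probably live in the legacy password column`. Keying the merge by the first column collapses same-named accounts on different hosts if the query selects only the user name; the query text is not visible in this patch. The enclosing method starts before this hunk.
```python
            elif Backend.isDbms(DBMS.MYSQL):
                def _empty(value):
                    return isNullValue(value) or isNoneValue(value)

                if isNoneValue(values) or any(len(value) == 2 and _empty(value[1]) for value in values):
                    legacy = inject.getValue(query.replace("authentication_string", "password"), blind=False, time=False)
                    if isNoneValue(values):
                        values = legacy
                    elif not isNoneValue(legacy):
                        # fill only the hashes that authentication_string left empty; keep the rest
                        legacyByUser = dict(pair for pair in legacy if len(pair) == 2 and not _empty(pair[1]))
                        merged = []
                        for value in values:
                            if len(value) == 2 and _empty(value[1]):
                                value = (value[0], legacyByUser.get(value[0], value[1]))
                            merged.append(value)
                        values = merged
            # … unchanged: filterPairValues loop below …
```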
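Review bot: The blind path in this hunk only switches to the `password` column when the count query fails outright, whereas the union/error path in the previous hunk also switches when every hash read from `authentication_string` is empty; unless the new count query in queries.xml excludes empty hashes (its content is not visible in this patch), a server that still stores hashes in `password` returns a positive count here, `fallback` stays unset, and the per-user queries below read empty strings. I would either filter the count on a non-empty `authentication_string` in the query definition, or re-run the enumeration with `fallback = True` when every inferred hash came back empty. As a style point, both arms set `fallback = True` and differ only in the substitution pair, so `fallback = True` once followed by `old, new = ("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr") if Backend.isDbms(DBMS.MSSQL) else ("authentication_string", "password")` and a single `inject.getValue(query.replace(old, new), ...)` call would avoid duplicating that long line. The enclosing method begins before the hunk, so I cannot see where `fallback` is initialised.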
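Review bot: The added `query.replace("authentication_string", "password")` runs after `user` has already been interpolated into `rootQuery.blind.query` on the preceding context line, so the substitution also rewrites any user name that contains that substring (MySQL user names may be up to 32 characters, as far as I recall, so it fits) and the per-user query then targets a name that does not exist; the same ordering concern would apply to an MSSQL substitution if one exists outside this hunk. Applying the replacement to the template rather than to the interpolated query keeps it away from target-supplied data, e.g. `template = rootQuery.blind.query.replace("authentication_string", "password") if fallback and Backend.isDbms(DBMS.MYSQL) else rootQuery.blind.query` followed by `query = template % (user, index)`, with the matching change to the `if` branch above the hunk. The nested `if Backend.isDbms(DBMS.MYSQL): if fallback:` can also collapse to a single `if fallback and Backend.isDbms(DBMS.MYSQL):`. The enclosing method starts and ends outside this hunk.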