From 978f56ad10b4dc7960b576c8b246bc80cb9d7c90 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Mon, 26 Sep 2016 16:38:03 +0200
Subject: [PATCH] One more commit for #552 (--passwords)
---
 lib/core/settings.py | 2 +-
 plugins/generic/users.py | 32 +++++++++++++++++++-------------
 txt/checksum.md5 | 6 +++---
 xml/queries.xml | 4 ++--
 4 files changed, 25 insertions(+), 19 deletions(-)
diff --git a/lib/core/settings.py b/lib/core/settings.py
index f5e505d0d..d83dc51c7 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -19,7 +19,7 @@ from lib.core.enums import OS
 from lib.core.revision import getRevisionNumber
 
 # sqlmap version (...)
-VERSION = "1.0.9.33"
+VERSION = "1.0.9.34"
 REVISION = getRevisionNumber()
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
diff --git a/plugins/generic/users.py b/plugins/generic/users.py
index ce2ea0a33..e1f5c77e9 100644
--- a/plugins/generic/users.py
+++ b/plugins/generic/users.py
@@ -252,22 +252,25 @@ class Users:
 if user in retrievedUsers:
 continue
 
- infoMsg = "fetching number of password hashes "
- infoMsg += "for user '%s'" % user
- logger.info(infoMsg)
-
- if Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")):
- query = rootQuery.blind.count2 % user
+ if Backend.isDbms(DBMS.INFORMIX):
+ count = 1
 else:
- query = rootQuery.blind.count % user
+ infoMsg = "fetching number of password hashes "
+ infoMsg += "for user '%s'" % user
+ logger.info(infoMsg)
 
- count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
+ if Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")):
+ query = rootQuery.blind.count2 % user
+ else:
+ query = rootQuery.blind.count % user
 
- if not isNumPosStrValue(count):
- warnMsg = "unable to retrieve the number of password "
- warnMsg += "hashes for user '%s'" % user
- logger.warn(warnMsg)
- continue
+ count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
+
+ if not isNumPosStrValue(count):
+ warnMsg = "unable to retrieve the number of password "
+ warnMsg += "hashes for user '%s'" % user
+ logger.warn(warnMsg)
+ continue
 
 infoMsg = "fetching password hashes for user '%s'" % user
 logger.info(infoMsg)
@@ -283,11 +286,14 @@ class Users:
 query = rootQuery.blind.query2 % (user, index, user)
 else:
 query = rootQuery.blind.query % (user, index, user)
+ elif Backend.isDbms(DBMS.INFORMIX):
+ query = rootQuery.blind.query % (user,)
 else:
 query = rootQuery.blind.query % (user, index)
 
 password = unArrayizeValue(inject.getValue(query, union=False, error=False))
 password = parsePasswordHash(password)
+
 passwords.append(password)
 
 if passwords:
diff --git a/txt/checksum.md5 b/txt/checksum.md5
index 86e3e4dc4..234a073dd 100644
--- a/txt/checksum.md5
+++ b/txt/checksum.md5
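Review bot: The Informix branch at the top of the first hunk hard-codes `count = 1` as an int, while the `else` branch leaves `count` as the string `inject.getValue` returns and only admits it after `isNumPosStrValue`; the loop that consumes `count` sits between the two hunks and is not visible here, so confirm it coerces with `int(count)` rather than comparing against a string. The shortcut also deserves a comment, because it silently encodes the assumption that the Informix blind query in the second hunk (`rootQuery.blind.query % (user,)`, which takes no index) yields exactly one hash per user; suggested: `# Informix: the blind query is not indexed, exactly one hash per user is assumed`. With the count guard skipped, a failed Informix retrieval presumably still runs the loop once and appends whatever `parsePasswordHash` makes of the missing value, whereas the non-Informix path bails out with `continue`, so the two paths are not equivalent on failure. The enclosing method starts and ends outside both hunks.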
@@ -45,7 +45,7 @@ e60456db5380840a586654344003d4e6 lib/core/readlineng.py
 5ef56abb8671c2ca6ceecb208258e360 lib/core/replication.py
 99a2b496b9d5b546b335653ca801153f lib/core/revision.py
 7c15dd2777af4dac2c89cab6df17462e lib/core/session.py
-55a79706107d51efb7ed0a771f80e58e lib/core/settings.py
+2d29c71e80997841c3acb700de58f331 lib/core/settings.py
 7af83e4f18cab6dff5e67840eb65be80 lib/core/shell.py
 23657cd7d924e3c6d225719865855827 lib/core/subprocessng.py
 0bc2fae1dec18cdd11954b22358293f2 lib/core/target.py
@@ -213,7 +213,7 @@ cc9c82cfffd8ee9b25ba3af6284f057e plugins/generic/__init__.py
 7b3e044a7fca497278d79883697089b7 plugins/generic/search.py
 73f8d047dbbcff307d62357836e382e6 plugins/generic/syntax.py
 da3ebc20998af02e3d952d0417a67792 plugins/generic/takeover.py
-078434ac78aaa539526031ebdd5556f2 plugins/generic/users.py
+d35f994664fb7a7fcee656633dfb31ed plugins/generic/users.py
 cc9c82cfffd8ee9b25ba3af6284f057e plugins/__init__.py
 b04db3e861edde1f9dd0a3850d5b96c8 shell/backdoor.asp_
 158bfa168128393dde8d6ed11fe9a1b8 shell/backdoor.aspx_
@@ -455,4 +455,4 @@ a279656ea3fcb85c727249b02f828383 xml/livetests.xml
 96adb9bfbab867d221974d3ddb303cb6 xml/payloads/stacked_queries.xml
 c8b152ecebf04ec997e52c6c78cbd488 xml/payloads/time_blind.xml
 033b39025e8ee0f302935f6db3a39e77 xml/payloads/union_query.xml
-3365321fc0217e148c2fa8a217cbfc5e xml/queries.xml
+1587a02322a96ac48973e782d6fedf73 xml/queries.xml
diff --git a/xml/queries.xml b/xml/queries.xml
index 1472998fd..b615e6c40 100644
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -749,8 +749,8 @@ - - + +