From 981c7a4428afe9101fe9494239ac9cf42a9e6663 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Thu, 22 Jan 2009 22:30:45 +0000
Subject: [PATCH] Updated Microsoft SQL Server XML signature db

---
 doc/README.sgml | 23 +++++++++++++----------
 xml/banner/mssql.xml | 24 ++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 10 deletions(-)

diff --git a/doc/README.sgml b/doc/README.sgml
index 687d9fc32..42a5ea57c 100644
--- a/doc/README.sgml
+++ b/doc/README.sgml
@@ -2567,13 +2567,12 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --is-
 [...]
 back-end DBMS: PostgreSQL
-[hh:mm:52] [INFO] testing if current user is DBA
-[hh:mm:52] [INFO] query: SELECT (CASE WHEN ((SELECT usesuper=true FROM pg_user WHERE
-usename=CURRENT_USER OFFSET 0 LIMIT 1)=CHR(116)||CHR(114)||CHR(117)||CHR(101)) THEN 1
-ELSE 0 END)
-[hh:mm:52] [INFO] retrieved:
-[hh:mm:52] [INFO] performed 6 queries in 0 seconds
-current user is DBA: 'False'
+[hh:mm:49] [INFO] testing if current user is DBA
+[hh:mm:49] [INFO] query: SELECT (CASE WHEN ((SELECT usesuper=true FROM pg_user WHERE
+usename=CURRENT_USER OFFSET 0 LIMIT 1)) THEN 1 ELSE 0 END)
+[hh:mm:49] [INFO] retrieved: 1
+[hh:mm:50] [INFO] performed 13 queries in 0 seconds
+current user is DBA: 'True'

@@ -3612,6 +3611,8 @@ Example of TAB completion on a MySQL 5.0.67 target:
 $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --sql-shell -v 0
 sql> [TAB TAB]
+ LIMIT
+(SELECT super_priv FROM mysql.user WHERE user=(SUBSTRING_INDEX(CURRENT_USER(), '@', 1)) LIMIT 0, 1)='Y'
 AND ORD(MID((%s), %d, 1)) > %d
 CAST(%s AS CHAR(10000))
 COUNT(%s)
@@ -3623,14 +3624,16 @@ LIMIT %d, %d
 MID((%s), %d, %d)
 ORDER BY %s ASC
 SELECT %s FROM %s.%s
-SELECT column_name, column_type FROM information_schema.COLUMNS WHERE table_name='%s' AND
-table_schema='%s'
+SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)
+SELECT column_name, column_type FROM information_schema.COLUMNS WHERE table_name='%s' AND table_schema='%s'
 SELECT grantee FROM information_schema.USER_PRIVILEGES
 SELECT grantee, privilege_type FROM information_schema.USER_PRIVILEGES
 SELECT schema_name FROM information_schema.SCHEMATA
 SELECT table_schema, table_name FROM information_schema.TABLES
 SELECT user, password FROM mysql.user
+SLEEP(%d)
 VERSION()
+\s+LIMIT\s+([\d]+)\s*\,\s*([\d]+)
 sql> SE[TAB]
 sql> SELECT
@@ -3676,7 +3679,7 @@ table_schema=CHAR(116,101,115,116) LIMIT 2, 1
 [hh:mm:48] [INFO] retrieved: surname
 [hh:mm:48] [INFO] performed 55 queries in 0 seconds
 [hh:mm:48] [INFO] the query with column names is: SELECT id, name, surname FROM test.users
-[hh:mm:48] [INPUT] does the SQL query that you provide might return multiple entries? [Y/n] y
+[hh:mm:48] [INPUT] can the SQL query provided return multiple entries? [Y/n] y
 [hh:mm:04] [INFO] query: SELECT IFNULL(CAST(COUNT(id) AS CHAR(10000)), CHAR(32)) FROM test.users
 [hh:mm:04] [INFO] retrieved: 5
 [hh:mm:04] [INFO] performed 13 queries in 0 seconds
diff --git a/xml/banner/mssql.xml b/xml/banner/mssql.xml
index c3c3984d8..06a7d2802 100644
--- a/xml/banner/mssql.xml
+++ b/xml/banner/mssql.xml
@@ -1,6 +1,22 @@
+ + + 10.00.1779 + + + +Q958186 + + + + + 10.00.1771 + + + +Q958611 + + 10.00.1750
@@ -43,6 +59,14 @@
+ + + 9.00.4207 + + + 3+Q959195 + + 9.00.4035
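Review bot: In the first mssql.xml hunk the service-pack values of the new 10.00.1779 and 10.00.1771 entries render as `+Q958186` and `+Q958611`, with nothing in front of the `+`, while the 9.00.4207 entry added in the second hunk reads `3+Q959195`, i.e. service-pack level followed by the hotfix number. The element tags were stripped in this rendering, so this may be a display artefact; if the stored text really begins with `+`, the two entries do not follow the convention of the other signatures and a reader of the file could not tell which service-pack level they belong to. Both 10.00.17xx builds are SQL Server 2008 pre-SP1 cumulative-update builds, so `0+Q958186` and `0+Q958611` would presumably be the consistent form — worth confirming against how the signature loader actually reads this element.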