Implements #2557

lib/core/settings.py

@@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
 from lib.core.enums import OS
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.1.6.4"
+VERSION = "1.1.6.5"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

lib/techniques/error/use.py

@@ -352,6 +352,7 @@ def errorUse(expression, dump=False):
                     value = []  # for empty tables
                 return value
 
+            if isNumPosStrValue(count) and int(count) > 1:
                 if " ORDER BY " in expression and (stopLimit - startLimit) > SLOW_ORDER_COUNT_THRESHOLD:
                     message = "due to huge table size do you want to remove "
                     message += "ORDER BY clause gaining speed over consistency? [y/N] "

lib/techniques/union/use.py

@@ -284,6 +284,7 @@ def unionUse(expression, unpack=True, dump=False):
                     value = []  # for empty tables
                 return value
 
+            if isNumPosStrValue(count) and int(count) > 1:
                 threadData = getCurrentThreadData()
 
                 try:

plugins/generic/entries.py

@@ -170,6 +170,26 @@ class Entries:
                         if not (isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) and kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.ORIGINAL):
                             table = "%s.%s" % (conf.db, tbl)
 
+                            if Backend.isDbms(DBMS.MSSQL):
+                                query = rootQuery.blind.count % table
+                                query = agent.whereQuery(query)
+
+                                count = inject.getValue(query, blind=False, time=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
+                                if isNumPosStrValue(count):
+                                    indexRange = getLimitRange(count, plusOne=True)
+
+                                    for index in indexRange:
+                                        row = []
+
+                                        for column in colList:
+                                            query = rootQuery.blind.query3 % (column, column, table, index)
+                                            query = agent.whereQuery(query)
+                                            value = inject.getValue(query, blind=False, time=False, dump=True) or ""
+                                            row.append(value)
+
+                                        entries.append(row)
+
+                            if not entries:
                                 try:
                                     retVal = pivotDumpTable(table, colList, blind=False)
                                 except KeyboardInterrupt:
@@ -285,6 +305,25 @@ class Entries:
                         elif Backend.isDbms(DBMS.MAXDB):
                             table = "%s.%s" % (conf.db, tbl)
 
+                        if Backend.isDbms(DBMS.MSSQL):
+                            indexRange = getLimitRange(count, plusOne=True)
+                            for index in indexRange:
+                                for column in colList:
+                                    query = rootQuery.blind.query3 % (column, column, table, index)
+                                    query = agent.whereQuery(query)
+
+                                    value = inject.getValue(query, union=False, error=False, dump=True) or ""
+
+                                    if column not in lengths:
+                                        lengths[column] = 0
+
+                                    if column not in entries:
+                                        entries[column] = BigArray()
+
+                                    lengths[column] = max(lengths[column], len(DUMP_REPLACEMENTS.get(getUnicode(value), getUnicode(value))))
+                                    entries[column].append(value)
+
+                        if not entries:
                             try:
                                 retVal = pivotDumpTable(table, colList, count, blind=True)
                             except KeyboardInterrupt:

txt/checksum.md5

@@ -46,7 +46,7 @@ a09c6ceee8dbb624cc3ca1d17749c8a5  lib/core/option.py
 d8e9250f3775119df07e9070eddccd16  lib/core/replication.py
 785f86e3f963fa3798f84286a4e83ff2  lib/core/revision.py
 40c80b28b3a5819b737a5a17d4565ae9  lib/core/session.py
-6e7731aa5bc04ef76a597c91e0701665  lib/core/settings.py
+d556e1cf87bd101aa7f0a46fdbbbdff3  lib/core/settings.py
 d91291997d2bd2f6028aaf371bf1d3b6  lib/core/shell.py
 2ad85c130cc5f2b3701ea85c2f6bbf20  lib/core/subprocessng.py
 8136241fdbdb99a5dc0e51ba72918f6e  lib/core/target.py
@@ -93,11 +93,11 @@ b7dd3a2697a08108ddc9a4264922c2e8  lib/takeover/web.py
 ab1601a7f429b47637c4fb8af703d0f1  lib/techniques/dns/test.py
 d3da4c7ceaf57c4687a052d58722f6bb  lib/techniques/dns/use.py
 310efc965c862cfbd7b0da5150a5ad36  lib/techniques/error/__init__.py
-c7e6589ef171819c4630ca8434f0250b  lib/techniques/error/use.py
+84b729215fd00e789ed75d9c00c97761  lib/techniques/error/use.py
 310efc965c862cfbd7b0da5150a5ad36  lib/techniques/__init__.py
 310efc965c862cfbd7b0da5150a5ad36  lib/techniques/union/__init__.py
 d71e48e6fd08f75cc612bf8b260994ce  lib/techniques/union/test.py
-36194e6c0a8dd14139f57ebf87bb80f9  lib/techniques/union/use.py
+db3090ff9a740ba096ba676fcf44ebfc  lib/techniques/union/use.py
 67f0ad96ec2207d7e59c788b858afd6d  lib/utils/api.py
 7d10ba0851da8ee9cd3c140dcd18798e  lib/utils/brute.py
 ed70f1ca9113664043ec9e6778e48078  lib/utils/crawler.py
@@ -203,7 +203,7 @@ deed74334b637767fc9de8f74b37647a  plugins/dbms/sybase/fingerprint.py
 be7481a96214220bcd8f51ca00239bed  plugins/generic/connector.py
 5390591ca955036d492de11355b52e8f  plugins/generic/custom.py
 4ad4bccc03256b8f3d21ba4f8f759404  plugins/generic/databases.py
-5eae2e0992a719bfce9cf78ed0a0ea2f  plugins/generic/entries.py
+12b0420d9588828e4a83fe8e89bef162  plugins/generic/entries.py
 55802d1d5d65938414c77ccc27731cab  plugins/generic/enumeration.py
 0d10a0410c416fece51c26a935e68568  plugins/generic/filesystem.py
 2e397afd83939889d1a7a07893b19ae7  plugins/generic/fingerprint.py
@@ -459,4 +459,4 @@ a279656ea3fcb85c727249b02f828383  xml/livetests.xml
 3194e2688a7576e1f877d5b137f7c260  xml/payloads/stacked_queries.xml
 c2d8dd03db5a663e79eabb4495dd0723  xml/payloads/time_blind.xml
 ac649aff0e7db413e4937e446e398736  xml/payloads/union_query.xml
-5bd467d86d7cb55fbe5f66e4ff9a6bec  xml/queries.xml
+7fa7db2c2296baa5e9ea381d4880492f  xml/queries.xml

xml/queries.xml

@@ -194,7 +194,7 @@
         </columns>
         <dump_table>
             <inband query="SELECT %s FROM %s.%s"/>
-            <blind query="SELECT MIN(%s) FROM %s WHERE CONVERT(NVARCHAR(4000),%s)>'%s'" query2="SELECT MAX(%s) FROM %s WHERE CONVERT(NVARCHAR(4000),%s) LIKE '%s'" count="SELECT LTRIM(STR(COUNT(*))) FROM %s" count2="SELECT LTRIM(STR(COUNT(DISTINCT(%s)))) FROM %s"/>
+            <blind query="SELECT MIN(%s) FROM %s WHERE CONVERT(NVARCHAR(4000),%s)>'%s'" query2="SELECT MAX(%s) FROM %s WHERE CONVERT(NVARCHAR(4000),%s) LIKE '%s'" query3="SELECT %s FROM (SELECT %s, ROW_NUMBER() OVER (ORDER BY (SELECT 1)) AS LIMIT FROM %s)x WHERE LIMIT=%d" count="SELECT LTRIM(STR(COUNT(*))) FROM %s" count2="SELECT LTRIM(STR(COUNT(DISTINCT(%s)))) FROM %s"/>
         </dump_table>
         <search_db>
             <inband query="SELECT name FROM master..sysdatabases WHERE %s" condition="name"/>