Added support for --privileges on MSSQL to test wheter or not the DBMS users are DBA

lib/core/dump.py

@@ -125,11 +125,17 @@ class Dump:
         for user in users:
             settings = userSettings[user]
 
-            if user in self.__areAdmins:
-                self.__write("[*] %s (administrator) [%d]:" % (user, len(settings)))
+            if settings is None:
+                stringSettings = ""
             else:
-                self.__write("[*] %s [%d]:" % (user, len(settings)))
+                stringSettings = " [%d]:" % len(settings)
 
+            if user in self.__areAdmins:
+                self.__write("[*] %s (administrator)%s" % (user, stringSettings))
+            else:
+                self.__write("[*] %s%s" % (user, stringSettings))
+
+            if settings:
                 settings.sort()
 
                 for setting in settings:

plugins/dbms/mssqlserver/enumeration.py

@@ -30,10 +30,32 @@ class Enumeration(GenericEnumeration):
 
     def getPrivileges(self, *args):
         warnMsg = "on Microsoft SQL Server it is not possible to fetch "
-        warnMsg += "database users privileges"
+        warnMsg += "database users privileges, sqlmap will check whether "
+        warnMsg += "or not the database users are database administrators"
         logger.warn(warnMsg)
 
-        return {}
+        users = []
+        areAdmins = set()
+
+        if conf.user:
+            users = [ conf.user ]
+        elif not len(kb.data.cachedUsers):
+            users = self.getUsers()
+        else:
+            users = kb.data.cachedUsers
+
+        for user in users:
+            if user is None:
+                continue
+
+            isDba = self.isDba(user)
+
+            if isDba is True:
+                areAdmins.add(user)
+
+            kb.data.cachedUsersPrivileges[user] = None
+
+        return ( kb.data.cachedUsersPrivileges, areAdmins )
 
     def getTables(self):
         infoMsg = "fetching tables"

plugins/generic/enumeration.py

@@ -126,21 +126,25 @@ class Enumeration:
 
         return kb.data.currentDb
 
-    def isDba(self):
+    def isDba(self, user=None):
         infoMsg = "testing if current user is DBA"
         logger.info(infoMsg)
 
         if Backend.getIdentifiedDbms() == DBMS.MYSQL:
             self.getCurrentUser()
             query = queries[Backend.getIdentifiedDbms()].is_dba.query % kb.data.currentUser.split("@")[0]
+        elif Backend.getIdentifiedDbms() == DBMS.MSSQL and user is not None:
+            query = queries[Backend.getIdentifiedDbms()].is_dba.query2 % user
         else:
             query = queries[Backend.getIdentifiedDbms()].is_dba.query
 
         query = agent.forgeCaseStatement(query)
+        isDba = inject.getValue(query, unpack=False, charsetType=1)
 
-        kb.data.isDba = inject.getValue(query, unpack=False, charsetType=1)
+        if user is None:
+            kb.data.isDba = isDba
 
-        return kb.data.isDba == "1"
+        return isDba == "1"
 
     def getUsers(self):
         infoMsg = "fetching database users"