From dc1f2deb743fbed6aeebc298e0b997da85f1640f Mon Sep 17 00:00:00 2001 From: Bernardo Damele Date: Tue, 25 Nov 2008 11:33:44 +0000 Subject: [PATCH] Minor bug fix to correctly enumerate columns on Microsoft SQL Server. Minor adjustments to XML signatures. Updated documentation. --- doc/ChangeLog | 3 ++- doc/THANKS | 3 +++ lib/core/common.py | 5 ++--- lib/core/settings.py | 2 +- plugins/generic/enumeration.py | 7 ++++++- sqlmap.conf | 4 ++-- xml/banner/generic.xml | 16 +++++++++++++++- xml/banner/server.xml | 4 ++-- xml/queries.xml | 8 +++----- 9 files changed, 36 insertions(+), 16 deletions(-) diff --git a/doc/ChangeLog b/doc/ChangeLog index 704593cbe..1ea7867c8 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -18,13 +18,14 @@ sqlmap (0.6.3-1) stable; urgency=low * Minor improvement to set by default in all HTTP requests the standard HTTP headers (Accept, Accept-Encoding, etc); * Minor improvements to sqlmap Debian package files: sqlmap uploaded - to official Debian project repository; + to official Debian project repository, on queue at the moment; * Major bug fix to correctly handle httplib.BadStatusLine exception; * Minor bug fix to handle session.error and session.timeout in HTTP requests; * Minor bug fix so that when the user provide a SELECT statement to be processed with an asterisk as columns, now it also work if in the FROM there is no database name specified; + * Minor bug fix to correctly enumerate columns on Microsoft SQL Server; * Minor bug fix to correctly dump table entries when the column is provided; diff --git a/doc/THANKS b/doc/THANKS index 8fc8d1164..7bdb270e7 100644 --- a/doc/THANKS +++ b/doc/THANKS @@ -105,6 +105,9 @@ Sven Schluter M Simkin for suggesting a feature +Jason Swan + for reporting a bug when enumerating columns on Microsoft SQL Server + Alessandro Tanasi for extensively beta-testing sqlmap for suggesting many features and reporting some bugs diff --git a/lib/core/common.py b/lib/core/common.py index 1d6f75edf..adbf534d5 100644 
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -599,7 +599,7 @@ def expandAsteriskForColumns(expression):
     return expression
 
 
-def getRange(count, dump=False):
+def getRange(count, dump=False, plusOne=False):
     count = int(count)
     indexRange = None
     limitStart = 1
@@ -612,8 +612,7 @@ def getRange(count, dump=False):
     if isinstance(conf.limitStart, int) and conf.limitStart > 0 and conf.limitStart <= limitStop:
         limitStart = conf.limitStart
 
-    # TODO: also for Microsoft SQL Server in getColumns method?
-    if kb.dbms == "Oracle":
+    if kb.dbms == "Oracle" or plusOne == True:
         indexRange = range(limitStart, limitStop + 1)
     else:
         indexRange = range(limitStart - 1, limitStop)
diff --git a/lib/core/settings.py b/lib/core/settings.py
index dbb947b55..331ad437f 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -30,7 +30,7 @@ import sys
 
 
 # sqlmap version and site
-VERSION = "0.6.3-rc1"
+VERSION = "0.6.3-rc2"
 VERSION_STRING = "sqlmap/%s" % VERSION
 SITE = "http://sqlmap.sourceforge.net"
 
diff --git a/plugins/generic/enumeration.py b/plugins/generic/enumeration.py
index 91f75756d..35633ea31 100644
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@@ -772,9 +772,14 @@ class Enumeration:
             errMsg += "on database '%s'" % conf.db
             raise sqlmapNoneDataException, errMsg
 
+        if kb.dbms == "Microsoft SQL Server":
+            plusOne = True
+        else:
+            plusOne = False
+
         table = {}
         columns = {}
-        indexRange = getRange(count)
+        indexRange = getRange(count, plusOne=plusOne)
 
         for index in indexRange:
             if kb.dbms in ( "MySQL", "PostgreSQL" ):
diff --git a/sqlmap.conf b/sqlmap.conf
index 21262dde5..85fcc4018 100644
--- a/sqlmap.conf
+++ b/sqlmap.conf
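Review bot: The new condition `if kb.dbms == "Oracle" or plusOne == True:` compares a boolean against a literal; `if kb.dbms == "Oracle" or plusOne:` is the idiomatic form and behaves the same for any truthy argument. The parameter is not documented anywhere in the hunk even though it changes the function's contract: it switches the returned range from 0-based (`limitStart - 1 .. limitStop - 1`) to 1-based, which getRange previously did only for Oracle, and the removed TODO was the only hint that Microsoft SQL Server column enumeration needs the same. I would add a docstring to getRange stating that along the lines of `plusOne: return a 1-based index range (as is always done for Oracle); set by callers whose query is 1-based, e.g. getColumns on Microsoft SQL Server`, hedging the "1-based query" part since the MSSQL query itself is not visible here. getRange's body continues past the second hunk, so whether `dump` and `indexRange` are used further down cannot be seen from this patch.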
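Review bot: The four-line if/else that sets `plusOne` can be a single boolean assignment, `plusOne = kb.dbms == "Microsoft SQL Server"`, and it needs a why-comment because the hunk only says what it does, not why; something like `# the MSSQL column query is 1-based, so ask getRange for a 1-based range (as it already does for Oracle)`, where the 1-based claim is inferred from the getRange change in this same commit rather than from anything visible in the hunk and should be confirmed against the query in xml/queries.xml. The DBMS name is also a bare string literal compared here and again in getRange ("Oracle"); a typo in either silently falls through to the 0-based branch with no error, so a shared constant for the DBMS names would be safer. The enclosing getColumns method starts before and continues after this hunk.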
@@ -3,13 +3,13 @@ # Target URL. # Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2 # PHP and MySQL (local) -url = http://127.0.0.1/sqlmap/mysql/get_int.php?id=1 +#url = http://127.0.0.1/sqlmap/mysql/get_int.php?id=1 # PHP and Oracle (local) #url = http://127.0.0.1/sqlmap/oracle/get_int.php?id=1 # PHP and PostgreSQL (local) #url = http://127.0.0.1/sqlmap/pgsql/get_int.php?id=1 # PHP and Microsoft SQL Server (remote) -#url = http://127.0.0.1/sqlmap/mssql/get_int.php?id=1 +url = http://127.0.0.1/sqlmap/mssql/get_int.php?id=1 # PHP and MySQL (remote on Windows) #url = http://127.0.0.1/sqlmap/mysql/win_get_int.php?id=1 # ASP and Microsoft SQL Server (local) diff --git a/xml/banner/generic.xml b/xml/banner/generic.xml index 0c358b36d..65fcf5621 100644 --- a/xml/banner/generic.xml +++ b/xml/banner/generic.xml @@ -73,14 +73,22 @@ - + + + + + + + + + @@ -103,6 +111,12 @@ + + + + + + diff --git a/xml/banner/server.xml b/xml/banner/server.xml index 092ca29fa..e61b32022 100644 --- a/xml/banner/server.xml +++ b/xml/banner/server.xml @@ -236,11 +236,11 @@ - + - + diff --git a/xml/queries.xml b/xml/queries.xml index 84d7ba66f..7062e62b4 100644 --- a/xml/queries.xml +++ b/xml/queries.xml @@ -193,17 +193,15 @@ - + - - + - - +
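Review bot: The hunk switches the shipped default `url` from the MySQL example to the Microsoft SQL Server example instead of leaving both commented out, which reads like a developer's local test configuration being committed, and the ChangeLog entry in this same patch does not mention it. A distributed sqlmap.conf should carry no live target: anyone who runs with `-c sqlmap.conf` without editing it sends injection probes at whatever host is on that line. I would commit `#url = http://127.0.0.1/sqlmap/mssql/get_int.php?id=1` and keep the active value in an untracked local copy. Separately, the comment above it says `(remote)` while the example points at 127.0.0.1, so one of the two is wrong.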