Minor bug fix to correctly enumerate columns on Microsoft SQL Server.

Minor adjustments to XML signatures.
Updated documentation.

doc/ChangeLog

@@ -18,13 +18,14 @@ sqlmap (0.6.3-1) stable; urgency=low
   * Minor improvement to set by default in all HTTP requests the standard
     HTTP headers (Accept, Accept-Encoding, etc);
   * Minor improvements to sqlmap Debian package files: sqlmap uploaded
-    to official Debian project repository;
+    to official Debian project repository, on queue at the moment;
   * Major bug fix to correctly handle httplib.BadStatusLine exception;
   * Minor bug fix to handle session.error and session.timeout in HTTP
     requests;
   * Minor bug fix so that when the user provide a SELECT statement to be
     processed with an asterisk as columns, now it also work if in the FROM
     there is no database name specified;
+  * Minor bug fix to correctly enumerate columns on Microsoft SQL Server;
   * Minor bug fix to correctly dump table entries when the column is
     provided;
 

doc/THANKS

@@ -105,6 +105,9 @@ Sven Schluter <sschlueter@netzwerk.cc>
 M Simkin <mlsimkin@cox.net>
     for suggesting a feature
 
+Jason Swan <jasoneswan@gmail.com>
+    for reporting a bug when enumerating columns on Microsoft SQL Server
+
 Alessandro Tanasi <alessandro@tanasi.it>
     for extensively beta-testing sqlmap
     for suggesting many features and reporting some bugs

lib/core/common.py

@@ -599,7 +599,7 @@ def expandAsteriskForColumns(expression):
     return expression
 
 
-def getRange(count, dump=False):
+def getRange(count, dump=False, plusOne=False):
     count      = int(count)
     indexRange = None
     limitStart = 1
@@ -612,8 +612,7 @@ def getRange(count, dump=False):
         if isinstance(conf.limitStart, int) and conf.limitStart > 0 and conf.limitStart <= limitStop:
             limitStart = conf.limitStart
 
-    # TODO: also for Microsoft SQL Server in getColumns method?
+    if kb.dbms == "Oracle" or plusOne == True:
-    if kb.dbms == "Oracle":
         indexRange = range(limitStart, limitStop + 1)
     else:
         indexRange = range(limitStart - 1, limitStop)

lib/core/settings.py

@@ -30,7 +30,7 @@ import sys
 
 
 # sqlmap version and site
-VERSION            = "0.6.3-rc1"
+VERSION            = "0.6.3-rc2"
 VERSION_STRING     = "sqlmap/%s" % VERSION
 SITE               = "http://sqlmap.sourceforge.net"
 

plugins/generic/enumeration.py

@@ -772,9 +772,14 @@ class Enumeration:
                 errMsg += "on database '%s'" % conf.db
                 raise sqlmapNoneDataException, errMsg
 
+            if kb.dbms == "Microsoft SQL Server":
+                plusOne = True
+            else:
+                plusOne = False
+
             table      = {}
             columns    = {}
-            indexRange = getRange(count)
+            indexRange = getRange(count, plusOne=plusOne)
 
             for index in indexRange:
                 if kb.dbms in ( "MySQL", "PostgreSQL" ):

sqlmap.conf

@@ -3,13 +3,13 @@
 # Target URL.
 # Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
 # PHP and MySQL (local)
-url = http://127.0.0.1/sqlmap/mysql/get_int.php?id=1
+#url = http://127.0.0.1/sqlmap/mysql/get_int.php?id=1
 # PHP and Oracle (local)
 #url = http://127.0.0.1/sqlmap/oracle/get_int.php?id=1
 # PHP and PostgreSQL (local)
 #url = http://127.0.0.1/sqlmap/pgsql/get_int.php?id=1
 # PHP and Microsoft SQL Server (remote)
-#url = http://127.0.0.1/sqlmap/mssql/get_int.php?id=1
+url = http://127.0.0.1/sqlmap/mssql/get_int.php?id=1
 # PHP and MySQL (remote on Windows)
 #url = http://127.0.0.1/sqlmap/mysql/win_get_int.php?id=1
 # ASP and Microsoft SQL Server (local)

xml/banner/generic.xml

@@ -73,14 +73,22 @@
         <info type="Linux" distrib="Knoppix"/>
     </regexp>
 
-    <regexp value="(Mandrake|Mandriva)">
+    <regexp value="Mandrake">
         <info type="Linux" distrib="Mandrake"/>
     </regexp>
 
+    <regexp value="Mandriva">
+        <info type="Linux" distrib="Mandriva"/>
+    </regexp>
+
     <regexp value="Red[\-\_\ ]*Hat">
         <info type="Linux" distrib="Red Hat"/>
     </regexp>
 
+    <regexp value="Slackware">
+        <info type="Linux" distrib="Slackware"/>
+    </regexp>
+
     <regexp value="SuSE">
         <info type="Linux" distrib="SuSE"/>
     </regexp>
@@ -103,6 +111,12 @@
         <info type="OpenBSD"/>
     </regexp>
 
+    <!-- Mac OSX -->
+
+    <regexp value="Mac[\-\_\ ]*OSX">
+        <info type="Mac OSX"/>
+    </regexp>
+
     <regexp value="Darwin">
         <info type="Mac OSX"/>
     </regexp>

xml/banner/server.xml

@@ -236,11 +236,11 @@
     </regexp>
 
     <regexp value="Apache-AdvancedExtranetServer/2.0.54 \(Mandriva Linux/">
-        <info type="Linux" distrib="Mandrive" release="2006.0"/>
+        <info type="Linux" distrib="Mandriva" release="2006.0"/>
     </regexp>
 
     <regexp value="Apache/2.2.3 \(Mandriva Linux/">
-        <info type="Linux" distrib="Mandrive" release="2007"/>
+        <info type="Linux" distrib="Mandriva" release="2007"/>
     </regexp>
 
     <!-- Apache: Red Hat -->

xml/queries.xml

@@ -193,17 +193,15 @@
         <privileges/>
         <dbs>
             <inband query="SELECT name FROM master..sysdatabases"/>
-            <blind query="SELECT TOP 1 name FROM master..sysdatabases WHERE name NOT IN (SELECT TOP %d name FROM master..sysdatabases)" count="SELECT LTRIM(STR(COUNT(name))) FROM master..sysdatabases"/>
+            <blind query="SELECT TOP 1 name FROM master..sysdatabases WHERE name NOT IN (SELECT TOP %d name FROM master..sysdatabases ORDER BY name) ORDER BY name" count="SELECT LTRIM(STR(COUNT(name))) FROM master..sysdatabases"/>
         </dbs>
-        <!-- TODO: condition? -->
         <tables>
             <inband query="SELECT name FROM %s..sysobjects WHERE xtype IN ('u', 'v')"/>
-            <blind query="SELECT TOP 1 name FROM %s..sysobjects WHERE xtype IN ('u', 'v') AND name NOT IN (SELECT TOP %d name FROM %s..sysobjects WHERE xtype IN ('u', 'v'))" count="SELECT LTRIM(STR(COUNT(name))) FROM %s..sysobjects WHERE xtype IN ('u', 'v')"/>
+            <blind query="SELECT TOP 1 name FROM %s..sysobjects WHERE xtype IN ('u', 'v') AND name NOT IN (SELECT TOP %d name FROM %s..sysobjects WHERE xtype IN ('u', 'v') ORDER BY name ASC) ORDER BY name ASC" count="SELECT LTRIM(STR(COUNT(name))) FROM %s..sysobjects WHERE xtype IN ('u', 'v')"/>
         </tables>
-        <!-- TODO: getRange like Oracle? -->
         <columns>
             <inband query="SELECT %s..syscolumns.name, TYPE_NAME(%s..syscolumns.xtype) FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.name='%s'"/>
-            <blind query="SELECT TOP 1 name FROM (SELECT TOP %s name FROM %s..syscolumns WHERE id=(SELECT id FROM %s..sysobjects WHERE name='%s')) CTABLE" query2="SELECT TYPE_NAME(%s..syscolumns.xtype) FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.name='%s' AND %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.name='%s'" count="SELECT LTRIM(STR(COUNT(name))) FROM %s..syscolumns WHERE id=(SELECT id FROM %s..sysobjects WHERE name='%s')"/>
+            <blind query="SELECT TOP 1 name FROM (SELECT TOP %s name FROM %s..syscolumns WHERE id=(SELECT id FROM %s..sysobjects WHERE name='%s') ORDER BY name ASC) CTABLE ORDER BY name DESC" query2="SELECT TYPE_NAME(%s..syscolumns.xtype) FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.name='%s' AND %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.name='%s'" count="SELECT LTRIM(STR(COUNT(name))) FROM %s..syscolumns WHERE id=(SELECT id FROM %s..sysobjects WHERE name='%s')"/>
         </columns>
         <dump_table>
             <inband query="SELECT %s FROM %s..%s"/>