diff --git a/lib/core/settings.py b/lib/core/settings.py
index 30de22c11..0db323823 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
 from lib.core.enums import OS
 # sqlmap version (...)
-VERSION = "1.2.12.40"
+VERSION = "1.2.12.41"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/plugins/generic/users.py b/plugins/generic/users.py
index 742a8ec5c..cbb2fa791 100644
--- a/plugins/generic/users.py
+++ b/plugins/generic/users.py
@@ -201,6 +201,9 @@ class Users:
 else:
 values = inject.getValue(query, blind=False, time=False)
+ if isNoneValue(values) and Backend.isDbms(DBMS.MSSQL):
+ values = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), blind=False, time=False)
+
 for user, password in filterPairValues(values):
 if not user or user == " ":
 continue
@@ -213,6 +216,8 @@ class Users:
 kb.data.cachedUsersPasswords[user].append(password)
 if not kb.data.cachedUsersPasswords and isInferenceAvailable() and not conf.direct:
+ fallback = False
+
 if not len(users):
 users = self.getUsers()
@@ -263,6 +268,10 @@ class Users:
 count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
+ if not isNumPosStrValue(count) and Backend.isDbms(DBMS.MSSQL):
+ fallback = True
+ count = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
+
 if not isNumPosStrValue(count):
 warnMsg = "unable to retrieve the number of password "
 warnMsg += "hashes for user '%s'" % user
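Review bot: The retry added in the `@@ -201` hunk rewrites the query text with `query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr")`, and the same pair of literals is repeated in the `@@ -263` and `@@ -283` hunks, so the three sites can drift apart. Keeping both names in one place (two module-level constants or a small helper called at each site) would avoid that. The retry condition also does not check that the original name occurs in `query`; when it does not, `replace()` is a no-op and the identical statement is issued a second time, which `if isNoneValue(values) and Backend.isDbms(DBMS.MSSQL) and "master.dbo.fn_varbintohexstr" in query:` would prevent. A one-line comment stating why the second function is tried is missing at all three sites. The enclosing method starts and ends outside these hunks.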
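Review bot: `fallback` is assigned `False` once in the `@@ -213` hunk and only ever set to `True` in the `@@ -263` hunk, so it is never reset and its lifetime is not documented. Judging by the `"hashes for user '%s'" % user` message this code appears to run once per user, in which case the flag stays set for every later user while the count query still starts from the unmodified `query`; the loop itself is outside the hunk, so this should be confirmed. If the sticky behaviour is intended, say so where the flag is declared, e.g. `# set once the primary conversion function is unavailable; kept for the remaining queries`. If it is not, reset it at the start of each iteration.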
@@ -283,10 +292,16 @@ class Users:
 query = rootQuery.blind.query2 % (user, index, user)
 else:
 query = rootQuery.blind.query % (user, index, user)
+
+ if fallback:
+ query = query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr")
+
 elif Backend.isDbms(DBMS.INFORMIX):
 query = rootQuery.blind.query % (user,)
+
 elif Backend.isDbms(DBMS.HSQLDB):
 query = rootQuery.blind.query % (index, user)
+
 else:
 query = rootQuery.blind.query % (user, index)
diff --git a/txt/checksum.md5 b/txt/checksum.md5
index e96e0f067..050d29f93 100644
--- a/txt/checksum.md5
+++ b/txt/checksum.md5
@@ -49,7 +49,7 @@ c8c386d644d57c659d74542f5f57f632 lib/core/patch.py
 0c3eef46bdbf87e29a3f95f90240d192 lib/core/replication.py
 a7db43859b61569b601b97f187dd31c5 lib/core/revision.py
 fcb74fcc9577523524659ec49e2e964b lib/core/session.py
-03f706e4caefe69887515d9e7cb56748 lib/core/settings.py
+eb8b62b1dc94be51a6c3d44d47af8f4a lib/core/settings.py
 a971ce157d04de96ba6e710d3d38a9a8 lib/core/shell.py
 a7edc9250d13af36ac0108f259859c19 lib/core/subprocessng.py
 1581be48127a3a7a9fd703359b6e7567 lib/core/target.py
@@ -223,7 +223,7 @@ f7874230e5661910d5fd21544c7d1022 plugins/generic/misc.py
 30b421f06dc98998ddc1923a9048b7fc plugins/generic/search.py
 a70cc0ada4b0cc9e7df23cb6d48a4a0c plugins/generic/syntax.py
 f990d799e578dfbc3cde5728655a7854 plugins/generic/takeover.py
-1265241e309da72bb82c3863a4c1b4bd plugins/generic/users.py
+8ab0b84fda105459913715b98e1b8a4a plugins/generic/users.py
 1e5532ede194ac9c083891c2f02bca93 plugins/__init__.py
 5dc693e22f5d020c5c568d7325bd4226 shell/backdoors/backdoor.asp_
 158bfa168128393dde8d6ed11fe9a1b8 shell/backdoors/backdoor.aspx_