Update regarding #3418 (fallback for MsSQL's --passwords)

Miroslav Stampar 2018-12-28 00:41:48 +01:00
parent ddee027afb
commit de0df99d8e
3 changed files with 18 additions and 3 deletions


@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
from lib.core.enums import OS from lib.core.enums import OS
# sqlmap version (<major>.<minor>.<month>.<monthly commit>) # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
VERSION = "1.2.12.40" VERSION = "1.2.12.41"
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)


@ -201,6 +201,9 @@ class Users:
else: else:
values = inject.getValue(query, blind=False, time=False) values = inject.getValue(query, blind=False, time=False)
if isNoneValue(values) and Backend.isDbms(DBMS.MSSQL):
values = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), blind=False, time=False)
for user, password in filterPairValues(values): for user, password in filterPairValues(values):
if not user or user == " ": if not user or user == " ":
continue continue
@ -213,6 +216,8 @@ class Users:
kb.data.cachedUsersPasswords[user].append(password) kb.data.cachedUsersPasswords[user].append(password)
if not kb.data.cachedUsersPasswords and isInferenceAvailable() and not conf.direct: if not kb.data.cachedUsersPasswords and isInferenceAvailable() and not conf.direct:
fallback = False
if not len(users): if not len(users):
users = self.getUsers() users = self.getUsers()
@ -263,6 +268,10 @@ class Users:
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count) and Backend.isDbms(DBMS.MSSQL):
fallback = True
count = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count): if not isNumPosStrValue(count):
warnMsg = "unable to retrieve the number of password " warnMsg = "unable to retrieve the number of password "
warnMsg += "hashes for user '%s'" % user warnMsg += "hashes for user '%s'" % user
@ -283,10 +292,16 @@ class Users:
query = rootQuery.blind.query2 % (user, index, user) query = rootQuery.blind.query2 % (user, index, user)
else: else:
query = rootQuery.blind.query % (user, index, user) query = rootQuery.blind.query % (user, index, user)
if fallback:
query = query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr")
elif Backend.isDbms(DBMS.INFORMIX): elif Backend.isDbms(DBMS.INFORMIX):
query = rootQuery.blind.query % (user,) query = rootQuery.blind.query % (user,)
elif Backend.isDbms(DBMS.HSQLDB): elif Backend.isDbms(DBMS.HSQLDB):
query = rootQuery.blind.query % (index, user) query = rootQuery.blind.query % (index, user)
else: else:
query = rootQuery.blind.query % (user, index) query = rootQuery.blind.query % (user, index)
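Review bot: In the inference branch `fallback = True` is assigned before the retried count is validated and is not cleared anywhere in the visible lines, so a single user whose count does not come back as a positive number switches the per-hash `rootQuery.blind.query`/`query2` of every later user to `sys.fn_sqlvarbasetostr`, even where the original function worked. Presumably `isNumPosStrValue` also rejects a legitimate count of 0 (its definition is not shown here), which would make this easy to hit. Tying the flag to the retry result, `fallback = isNumPosStrValue(count)` placed after the second `inject.getValue(...)`, keeps it bound to a query that actually returned data. The `"master.dbo.fn_varbintohexstr"` / `"sys.fn_sqlvarbasetostr"` pair is repeated in three places and would be less error-prone as two named constants. The enclosing method starts and ends outside the visible hunks.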


@ -49,7 +49,7 @@ c8c386d644d57c659d74542f5f57f632 lib/core/patch.py
0c3eef46bdbf87e29a3f95f90240d192 lib/core/replication.py 0c3eef46bdbf87e29a3f95f90240d192 lib/core/replication.py
a7db43859b61569b601b97f187dd31c5 lib/core/revision.py a7db43859b61569b601b97f187dd31c5 lib/core/revision.py
fcb74fcc9577523524659ec49e2e964b lib/core/session.py fcb74fcc9577523524659ec49e2e964b lib/core/session.py
03f706e4caefe69887515d9e7cb56748 lib/core/settings.py eb8b62b1dc94be51a6c3d44d47af8f4a lib/core/settings.py
a971ce157d04de96ba6e710d3d38a9a8 lib/core/shell.py a971ce157d04de96ba6e710d3d38a9a8 lib/core/shell.py
a7edc9250d13af36ac0108f259859c19 lib/core/subprocessng.py a7edc9250d13af36ac0108f259859c19 lib/core/subprocessng.py
1581be48127a3a7a9fd703359b6e7567 lib/core/target.py 1581be48127a3a7a9fd703359b6e7567 lib/core/target.py
@ -223,7 +223,7 @@ f7874230e5661910d5fd21544c7d1022 plugins/generic/misc.py
30b421f06dc98998ddc1923a9048b7fc plugins/generic/search.py 30b421f06dc98998ddc1923a9048b7fc plugins/generic/search.py
a70cc0ada4b0cc9e7df23cb6d48a4a0c plugins/generic/syntax.py a70cc0ada4b0cc9e7df23cb6d48a4a0c plugins/generic/syntax.py
f990d799e578dfbc3cde5728655a7854 plugins/generic/takeover.py f990d799e578dfbc3cde5728655a7854 plugins/generic/takeover.py
1265241e309da72bb82c3863a4c1b4bd plugins/generic/users.py 8ab0b84fda105459913715b98e1b8a4a plugins/generic/users.py
1e5532ede194ac9c083891c2f02bca93 plugins/__init__.py 1e5532ede194ac9c083891c2f02bca93 plugins/__init__.py
5dc693e22f5d020c5c568d7325bd4226 shell/backdoors/backdoor.asp_ 5dc693e22f5d020c5c568d7325bd4226 shell/backdoors/backdoor.asp_
158bfa168128393dde8d6ed11fe9a1b8 shell/backdoors/backdoor.aspx_ 158bfa168128393dde8d6ed11fe9a1b8 shell/backdoors/backdoor.aspx_