diff --git a/plugins/dbms/mssqlserver/enumeration.py b/plugins/dbms/mssqlserver/enumeration.py
index d10797e5f..a7503b26a 100644
--- a/plugins/dbms/mssqlserver/enumeration.py
+++ b/plugins/dbms/mssqlserver/enumeration.py
@@ -115,20 +115,25 @@ class Enumeration(GenericEnumeration):
infoMsg += "database '%s'" % db
logger.info(infoMsg)
- query = rootQuery.blind.count % db
- count = inject.getValue(query, inband=False, error=False, charsetType=2)
+ for query in (rootQuery.blind.count, rootQuery.blind.count2):
+ _ = query % db
+ count = inject.getValue(_, inband=False, error=False, charsetType=2)
+ if not isNoneValue(count):
+ break
if not isNumPosStrValue(count):
- warnMsg = "unable to retrieve the number of "
- warnMsg += "tables for database '%s'" % db
- logger.warn(warnMsg)
+ if count != "0":
+ warnMsg = "unable to retrieve the number of "
+ warnMsg += "tables for database '%s'" % db
+ logger.warn(warnMsg)
continue
tables = []
for index in xrange(int(count)):
- query = rootQuery.blind.query.replace("%s", db) % index
- table = inject.getValue(query, inband=False, error=False)
+ _ = (rootQuery.blind.query if query == rootQuery.blind.count else rootQuery.blind.query2).replace("%s", db) % index
+
+ table = inject.getValue(_, inband=False, error=False)
kb.hintValue = table
table = safeSQLIdentificatorNaming(table, True)
tables.append(table)
diff --git a/xml/queries.xml b/xml/queries.xml
index deb84feef..cc518a786 100644
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -185,7 +185,7 @@
-
+