Patch for MsSQL column name injection

stamparm · stamparm · commit 2b56bdfaa6fc · 2018-09-06T13:59:07.000+02:00
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -19,7 +19,7 @@
 from lib.core.enums import OS
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.2.9.9"
+VERSION = "1.2.9.10"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@@ -324,6 +324,7 @@
 
 # Regular expressions used for parsing error messages (--parse-errors)
 ERROR_PARSING_REGEXES = (
+    r"\[Microsoft\]\[ODBC SQL Server Driver\]\[SQL Server\](?P<result>[^<]+)",
     r"<b>[^<]*(fatal|error|warning|exception)[^<]*</b>:?\s*(?P<result>.+?)<br\s*/?\s*>",
     r"(?m)^\s*(fatal|error|warning|exception):?\s*(?P<result>[^\n]+?)$",
     r"(?P<result>[^\n>]*SQL Syntax[^\n<]+)",
diff --git a/thirdparty/ansistrm/ansistrm.py b/thirdparty/ansistrm/ansistrm.py
@@ -182,15 +182,25 @@ def colorize(self, message, levelno):
                         message = message.replace(counter, ''.join((self.csi, str(self.color_map["yellow"] + 30), 'm', counter, reset)), 1)
 
                     if level != "PAYLOAD":
-                        for match in re.finditer(r"[^\w]'([^']+)'", message):  # single-quoted
-                            string = match.group(1)
+                        if any(_ in message for _ in ("parsed DBMS error message",)):
+                            string = re.search(r": '(.+)'", message).group(1)
                             if not message.endswith(self.reset):
                                 reset = self.reset
                             elif self.bold in message:  # bold
                                 reset = self.reset + self.bold
                             else:
                                 reset = self.reset
                             message = message.replace("'%s'" % string, "'%s'" % ''.join((self.csi, str(self.color_map["white"] + 30), 'm', string, reset)), 1)
+                        else:
+                            for match in re.finditer(r"[^\w]'([^']+)'", message):  # single-quoted
+                                string = match.group(1)
+                                if not message.endswith(self.reset):
+                                    reset = self.reset
+                                elif self.bold in message:  # bold
+                                    reset = self.reset + self.bold
+                                else:
+                                    reset = self.reset
+                                message = message.replace("'%s'" % string, "'%s'" % ''.join((self.csi, str(self.color_map["white"] + 30), 'm', string, reset)), 1)
                 else:
                     message = ''.join((self.csi, ';'.join(params), 'm', message, self.reset))
 
diff --git a/txt/checksum.md5 b/txt/checksum.md5
@@ -50,7 +50,7 @@ c8c386d644d57c659d74542f5f57f632  lib/core/patch.py
 0c3eef46bdbf87e29a3f95f90240d192  lib/core/replication.py
 a7db43859b61569b601b97f187dd31c5  lib/core/revision.py
 fcb74fcc9577523524659ec49e2e964b  lib/core/session.py
-c762da4ab30d1e245ca359df355ff7a7  lib/core/settings.py
+021d606c9405fd23d630108bf5c39853  lib/core/settings.py
 dd68a9d02fccb4fa1428b20e15b0db5d  lib/core/shell.py
 a7edc9250d13af36ac0108f259859c19  lib/core/subprocessng.py
 815d1cf27f0f8738d81531e73149867d  lib/core/target.py
@@ -287,7 +287,7 @@ f2b9eac52d346315f5705f71beeda791  tamper/varnish.py
 0e40966a51d1eb5d42a2159d2015a8a4  tamper/versionedkeywords.py
 0fba004bf1be6edbefbda89f23f4e518  tamper/versionedmorekeywords.py
 de532c4e3160039335010c499129d54f  tamper/xforwardedfor.py
-1996d6afa985a526df02efa1bf121976  thirdparty/ansistrm/ansistrm.py
+b422795c5e589decec725963e480ffba  thirdparty/ansistrm/ansistrm.py
 d41d8cd98f00b204e9800998ecf8427e  thirdparty/ansistrm/__init__.py
 8e775c25bc9e84891ad6fcb4f0005c23  thirdparty/beautifulsoup/beautifulsoup.py
 cb2e1fe7c404dff41a2ae9132828f532  thirdparty/beautifulsoup/__init__.py
@@ -469,7 +469,7 @@ d48c971769c6131e35bd52d2315a8d58  xml/banner/servlet-engine.xml
 d989813ee377252bca2103cea524c06b  xml/banner/sharepoint.xml
 350605448f049cd982554123a75f11e1  xml/banner/x-aspnet-version.xml
 817078783e1edaa492773d3b34d8eef0  xml/banner/x-powered-by.xml
-b306c99a038b03421beea655dc804b64  xml/boundaries.xml
+de871ef9c982799a7f7f84621f103f26  xml/boundaries.xml
 6cffc395cd0280f5c1a84542da6642e5  xml/errors.xml
 a279656ea3fcb85c727249b02f828383  xml/livetests.xml
 fe2a865a8579f2045d2be057a00f5b49  xml/payloads/boolean_blind.xml
diff --git a/xml/boundaries.xml b/xml/boundaries.xml
@@ -513,8 +513,8 @@ Formats:
         <clause>8</clause>
         <where>1</where>
         <ptype>6</ptype>
-        <prefix>]=[[ORIGINAL]]</prefix>
-        <suffix> AND [[ORIGINAL]]=[[ORIGINAL]</suffix>
+        <prefix>]-(SELECT 0 WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>)|[[ORIGINAL]</suffix>
     </boundary>
     <!-- End of escaped column name boundaries -->
 
