some updates

stamparm · stamparm · commit 3f0a443b83e3 · 2010-11-04T23:08:59.000Z
diff --git a/lib/core/agent.py b/lib/core/agent.py
@@ -227,7 +227,10 @@ def nullAndCastField(self, field):
             nulledCastedField = field
         else:
             nulledCastedField = queries[kb.dbms].cast.query % field
-            nulledCastedField = queries[kb.dbms].isnull.query % nulledCastedField
+            if kb.dbms == DBMS.ACCESS:
+                nulledCastedField = queries[kb.dbms].isnull.query % (nulledCastedField, nulledCastedField)
+            else:
+                nulledCastedField = queries[kb.dbms].isnull.query % nulledCastedField
 
         return nulledCastedField
 
diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
@@ -138,7 +138,7 @@ def getChar(idx, charTbl=asciiTbl, continuousOrder=True, expand=charsetType is N
         continuousOrder means that distance between each two neighbour's
         numerical values is exactly 1
         """
-
+        
         result = tryHint(idx)
 
         if result:
@@ -167,7 +167,7 @@ def getChar(idx, charTbl=asciiTbl, continuousOrder=True, expand=charsetType is N
             position = (len(charTbl) >> 1)
             posValue = charTbl[position]
 
-            if kb.dbms in (DBMS.SQLITE, DBMS.ACCESS, DBMS.MAXDB):
+            if kb.dbms in (DBMS.SQLITE, DBMS.MAXDB):
                 pushValue(posValue)
                 posValue = chr(posValue) if posValue < 128 else unichr(posValue)
 
@@ -176,7 +176,7 @@ def getChar(idx, charTbl=asciiTbl, continuousOrder=True, expand=charsetType is N
             queriesCount[0] += 1
             result = Request.queryPage(forgedPayload)
 
-            if kb.dbms in (DBMS.SQLITE, DBMS.ACCESS, DBMS.MAXDB):
+            if kb.dbms in (DBMS.SQLITE, DBMS.MAXDB):
                 posValue = popValue()
 
             if result:
diff --git a/plugins/dbms/access/fingerprint.py b/plugins/dbms/access/fingerprint.py
@@ -189,3 +189,6 @@ def checkDbms(self):
             logger.warn(warnMsg)
 
             return False
+
+    def forceDbmsEnum(self):
+        conf.db = "Access"
diff --git a/xml/queries.xml b/xml/queries.xml
@@ -341,7 +341,7 @@
     <dbms value="Microsoft Access">
         <cast query="CVAR(%s)"/>
         <length query="LEN(%s)"/>
-        <isnull query="ISNULL(%s)"/>
+        <isnull query="IIF(ISNULL(%s), ' ', %s)"/>
         <delimiter query=","/>
         <limit query="TOP %d"/>
         <limitregexp query="\s+TOP\s+([\d]+)"/>
@@ -354,7 +354,6 @@
         <timedelay/>
         <substring query="MID((%s), %d, %d)"/>
         <case query="IIF(%s,1,0)"/>
-        <inference query="AND MID((%s), %d, 1) > '%s'"/>
         <banner/>
         <current_user query="SELECT CURRENTUSER()"/>
         <current_db/>
@@ -363,6 +362,7 @@
         <dbs/>
         <tables>
             <inband query="SELECT Name FROM MSysObjects WHERE (Left([Name],1) &lt;&gt; '~') AND (Left([Name],4) &lt;&gt; 'MSys') AND ([Type] In (1, 4, 6))"/>
+            <blind query="SELECT MIN(Name) FROM MSysObjects WHERE Type = 1 AND name > '%s'" count="SELECT COUNT(*) FROM MSysObjects WHERE Type = 1"/>
         </tables>
    </dbms>
 
