implemented support for __pivotDumpTable on MSSQL as normal tables tend to not play well with normal TOP 1 ..NOT IN..ORDER BY mechanism if the argument for ORDER BY is not the unique one (returns only number of rows equal to the number of distinct values for that field)

stamparm · stamparm · commit 6fa2fd139c3e · 2011-04-08T15:17:57.000Z
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
@@ -195,7 +195,7 @@ def errorUse(expression, expected=None, resumeValue=True, dump=False):
        or (Backend.getIdentifiedDbms() in FROM_TABLE and not \
        expression.upper().endswith(FROM_TABLE[Backend.getIdentifiedDbms()]))) \
        and ("(CASE" not in expression.upper() or ("(CASE" in expression.upper() and "WHEN use" in expression))) \
-       and not any(map(lambda x: x in expression.upper(), ["COUNT(*)", "EXISTS(", "MAX(", "MIN("])):
+       and not any(map(lambda x: x in expression.upper(), ["COUNT(*)", "EXISTS(", "MAX(", "MIN(", "COUNT(DISTINCT"])):
 
         limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
         topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
diff --git a/lib/techniques/inband/union/use.py b/lib/techniques/inband/union/use.py
@@ -137,7 +137,7 @@ def unionUse(expression, unpack=True, dump=False):
        " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() \
        not in FROM_TABLE) or (Backend.getIdentifiedDbms() in FROM_TABLE \
        and not expression.upper().endswith(FROM_TABLE[Backend.getIdentifiedDbms()]))) \
-       and not any(map(lambda x: x in expression.upper(), ["(CASE", "COUNT(*)", "EXISTS(", "MAX(", "MIN("])):
+       and not any(map(lambda x: x in expression.upper(), ["(CASE", "COUNT(*)", "EXISTS(", "MAX(", "MIN(", "COUNT(DISTINCT"])):
 
         limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
         topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
diff --git a/plugins/generic/enumeration.py b/plugins/generic/enumeration.py
@@ -1304,10 +1304,14 @@ def dumpTable(self):
                 query = rootQuery.inband.query % (colString, conf.tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), conf.tbl.upper())))
             elif Backend.getIdentifiedDbms() == DBMS.SQLITE:
                 query = rootQuery.inband.query % (colString, conf.tbl)
-            elif Backend.getIdentifiedDbms() == DBMS.SYBASE:
-                table = "%s..%s" % (conf.db, conf.tbl)
-                entries, _ = self.__pivotDumpTable(table, colList, blind=False)
-                entries = zip(*[entries[colName] for colName in colList])
+            elif Backend.getIdentifiedDbms() in (DBMS.SYBASE, DBMS.MSSQL):
+                # Partial inband and error
+                if not (isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) and kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.ORIGINAL):
+                    table = "%s.%s" % (conf.db, conf.tbl)
+                    entries, _ = self.__pivotDumpTable(table, colList, blind=False)
+                    entries = zip(*[entries[colName] for colName in colList])
+                else:
+                    query = rootQuery.inband.query % (colString, conf.db, conf.tbl)
             else:
                 query = rootQuery.inband.query % (colString, conf.db, conf.tbl)
 
@@ -1358,8 +1362,8 @@ def dumpTable(self):
                 query = rootQuery.blind.count % (conf.tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), conf.tbl.upper())))
             elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
                 query = rootQuery.blind.count % conf.tbl
-            elif Backend.getIdentifiedDbms() == DBMS.SYBASE:
-                query = rootQuery.blind.count % ("%s..%s" % (conf.db, conf.tbl))
+            elif Backend.getIdentifiedDbms() in (DBMS.SYBASE, DBMS.MSSQL):
+                query = rootQuery.blind.count % ("%s.%s" % (conf.db, conf.tbl))
             elif Backend.getIdentifiedDbms() == DBMS.MAXDB:
                 query = rootQuery.blind.count % ("%s" % conf.tbl)
             else:
@@ -1381,17 +1385,17 @@ def dumpTable(self):
             entries = {}
 
             try:
-                if Backend.getIdentifiedDbms() in (DBMS.ACCESS, DBMS.SYBASE, DBMS.MAXDB):
+                if Backend.getIdentifiedDbms() in (DBMS.ACCESS, DBMS.SYBASE, DBMS.MAXDB, DBMS.MSSQL):
                     if Backend.getIdentifiedDbms() == DBMS.ACCESS:
                         table = conf.tbl
-                    elif Backend.getIdentifiedDbms() == DBMS.SYBASE:
-                        table = "%s..%s" % (conf.db, conf.tbl)
+                    elif Backend.getIdentifiedDbms() in (DBMS.SYBASE, DBMS.MSSQL):
+                        table = "%s.%s" % (conf.db, conf.tbl)
                     elif Backend.getIdentifiedDbms() == DBMS.MAXDB:
                         table = "%s.%s" % (conf.db, conf.tbl)
                     entries, lengths = self.__pivotDumpTable(table, colList, count, blind=True)
 
                 else:
-                    if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.MSSQL, DBMS.SYBASE):
+                    if Backend.getIdentifiedDbms() == DBMS.ORACLE:
                         plusOne = True
                     else:
                         plusOne = False
@@ -1412,11 +1416,6 @@ def dumpTable(self):
                                 query = rootQuery.blind.query % (column, column,
                                                                        conf.tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), conf.tbl.upper())),
                                                                        index)
-                            elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
-                                query = rootQuery.blind.query % (column, index, conf.db,
-                                                                       conf.tbl, colList[0],
-                                                                       colList[0], colList[0])
-
                             elif Backend.getIdentifiedDbms() == DBMS.SQLITE:
                                 query = rootQuery.blind.query % (column, conf.tbl, index)
 
diff --git a/xml/queries.xml b/xml/queries.xml
@@ -193,8 +193,7 @@
         </columns>
         <dump_table>
             <inband query="SELECT %s FROM %s.%s"/>
-            <!--<blind query="SELECT TOP 1 %s FROM %s..%s WHERE %s NOT IN (SELECT TOP %d %s FROM %s..%s)" count="SELECT LTRIM(STR(COUNT(*))) FROM %s..%s"/>-->
-            <blind query="SELECT TOP 1 %s FROM (SELECT TOP 1 * FROM ( SELECT TOP %d * FROM %s.%s ORDER BY %s ASC ) AS t1 ORDER BY %s DESC) AS t2 ORDER BY %s ASC" count="SELECT LTRIM(STR(COUNT(*))) FROM %s.%s"/>
+            <blind query="SELECT MIN(%s) FROM %s WHERE CONVERT(NVARCHAR(4000),%s)>'%s'" query2="SELECT MAX(%s) FROM %s WHERE CONVERT(NVARCHAR(4000),%s) LIKE '%s'" count="SELECT LTRIM(STR(COUNT(*))) FROM %s" count2="SELECT LTRIM(STR(COUNT(DISTINCT(%s)))) FROM %s"/>
         </dump_table>
         <search_db>
             <inband query="SELECT name FROM master..sysdatabases WHERE " condition="name"/>
