Update regarding #3418 (fallback for MsSQL's --passwords)

Author: stamparm

lib/core/settings.py

@@ -19,7 +19,7 @@
 from lib.core.enums import OS
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.2.12.40"
+VERSION = "1.2.12.41"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

plugins/generic/users.py

@@ -201,6 +201,9 @@ def getPasswordHashes(self):
             else:
                 values = inject.getValue(query, blind=False, time=False)
 
+                if isNoneValue(values) and Backend.isDbms(DBMS.MSSQL):
+                    values = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), blind=False, time=False)
+
                 for user, password in filterPairValues(values):
                     if not user or user == " ":
                         continue
@@ -213,6 +216,8 @@ def getPasswordHashes(self):
                         kb.data.cachedUsersPasswords[user].append(password)
 
         if not kb.data.cachedUsersPasswords and isInferenceAvailable() and not conf.direct:
+            fallback = False
+
             if not len(users):
                 users = self.getUsers()
 
@@ -263,6 +268,10 @@ def getPasswordHashes(self):
 
                         count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
 
+                        if not isNumPosStrValue(count) and Backend.isDbms(DBMS.MSSQL):
+                            fallback = True
+                            count = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
+
                         if not isNumPosStrValue(count):
                             warnMsg = "unable to retrieve the number of password "
                             warnMsg += "hashes for user '%s'" % user
@@ -283,10 +292,16 @@ def getPasswordHashes(self):
                                 query = rootQuery.blind.query2 % (user, index, user)
                             else:
                                 query = rootQuery.blind.query % (user, index, user)
+
+                            if fallback:
+                                query = query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr")
+
                         elif Backend.isDbms(DBMS.INFORMIX):
                             query = rootQuery.blind.query % (user,)
+
                         elif Backend.isDbms(DBMS.HSQLDB):
                             query = rootQuery.blind.query % (index, user)
+
                         else:
                             query = rootQuery.blind.query % (user, index)
 

txt/checksum.md5

@@ -49,7 +49,7 @@ c8c386d644d57c659d74542f5f57f632  lib/core/patch.py
 0c3eef46bdbf87e29a3f95f90240d192  lib/core/replication.py
 a7db43859b61569b601b97f187dd31c5  lib/core/revision.py
 fcb74fcc9577523524659ec49e2e964b  lib/core/session.py
-03f706e4caefe69887515d9e7cb56748  lib/core/settings.py
+eb8b62b1dc94be51a6c3d44d47af8f4a  lib/core/settings.py
 a971ce157d04de96ba6e710d3d38a9a8  lib/core/shell.py
 a7edc9250d13af36ac0108f259859c19  lib/core/subprocessng.py
 1581be48127a3a7a9fd703359b6e7567  lib/core/target.py
@@ -223,7 +223,7 @@ f7874230e5661910d5fd21544c7d1022  plugins/generic/misc.py
 30b421f06dc98998ddc1923a9048b7fc  plugins/generic/search.py
 a70cc0ada4b0cc9e7df23cb6d48a4a0c  plugins/generic/syntax.py
 f990d799e578dfbc3cde5728655a7854  plugins/generic/takeover.py
-1265241e309da72bb82c3863a4c1b4bd  plugins/generic/users.py
+8ab0b84fda105459913715b98e1b8a4a  plugins/generic/users.py
 1e5532ede194ac9c083891c2f02bca93  plugins/__init__.py
 5dc693e22f5d020c5c568d7325bd4226  shell/backdoors/backdoor.asp_
 158bfa168128393dde8d6ed11fe9a1b8  shell/backdoors/backdoor.aspx_