Metasploit mailing list archives

bug in parsing mssql output


From: Robin Wood <robin () digininja org>
Date: Wed, 9 Jun 2010 16:09:19 +0100

I'm running an MSSQL query and the data that is coming back isn't
being parsed into the hash structure correctly.

An example of the statement is:

sql = "with tmp as (select *,ROW_NUMBER() over (order by " + column_name + ")
as rownumber from " + full_table + " )
  select * from tmp where rownumber between " + x + " and " + y + ";"

where different variables are being looped through. I'm calling the
SQL like this:

result = mssql_query(sql, false) if mssql_login_datastore
puts result.inspect

Here is a sample of the data coming back.

{:colinfos=>[{:type=>56, :utype=>0, :msg_len=>9, :flags=>16,
:name=>"AddressID", :id=>:rawint}, {:codepage=>1033, :type=>231,
:cflags=>192, :charset_id=>0, :utype=>0, :msg_len=>12, :max_size=>120,
:flags=>10, :name=>"AddressLine1", :id=>:string}, {:codepage=>1033,
:type=>231, :cflags=>192, :charset_id=>0, :utype=>0, :msg_len=>12,
:max_size=>120, :flags=>11, :name=>"AddressLine2", :id=>:string},
{:codepage=>1033, :type=>231, :cflags=>192, :charset_id=>0, :utype=>0,
:msg_len=>4, :max_size=>60, :flags=>10, :name=>"City", :id=>:string},
{:type=>56, :utype=>0, :msg_len=>15, :flags=>8,
:name=>"StateProvinceID", :id=>:rawint}, {:codepage=>1033, :type=>231,
:cflags=>192, :charset_id=>0, :utype=>0, :msg_len=>10, :max_size=>30,
:flags=>10, :name=>"PostalCode", :id=>:string}, {:type=>36, :utype=>0,
:msg_len=>16, :flags=>8, :name=>"\arowguid\b=\fModifi", :id=>:string},
{:type=>0, :utype=>25856, :msg_len=>68, :flags=>25600,
:name=>"ate\v\357\024\t\004\300\nMyPassword\001&\b\trownumber\321\001\0321970
Napa Ct.\377\377\016BothellO\n98011\020\r\313\255", :id=>:unknown},
{:type=>72, :utype=>53146, :msg_len=>132, :flags=>16182,
:name=>"\330X\\-N\306\351\325\213\377\377\b\001\375\021\301\001\201\n\0208\tAddressID\n\347x\t\004\300\fAddressLine1\v\347x\t\004\300\fAddressLine2\n\347<\t\004\300\004City\b8\017StateProvinceID\n\347\036\t\004\300\nPostalCode\b$\020\arowguid\b=\fModifi",
:id=>:unknown}, {:type=>0, :utype=>25856, :msg_len=>68, :flags=>25600,
:name=>"ate\v\357\024\t\004\300\nMyPassword\001&\b\trownumber\321}N&157
Birch Bark Road\377\377\016Fremont\t\n9", :id=>:unknown}],
:login_ack=>true, :colnames=>["AddressID", "AddressLine1",
"AddressLine2", "City", "StateProvinceID", "PostalCode",
"\arowguid\b=\fModifi",
"ate\v\357\024\t\004\300\nMyPassword\001&\b\trownumber\321\001\0321970
Napa Ct.\377\377\016BothellO\n98011\020\r\313\255",
"\330X\\-N\306\351\325\213\377\377\b\001\375\021\301\001\201\n\0208\tAddressID\n\347x\t\004\300\fAddressLine1\v\347x\t\004\300\fAddressLine2\n\347<\t\004\300\004City\b8\017StateProvinceID\n\347\036\t\004\300\nPostalCode\b$\020\arowguid\b=\fModifi",
"ate\v\357\024\t\004\300\nMyPassword\001&\b\trownumber\321}N&157 Birch
Bark Road\377\377\016Fremont\t\n9"], :errors=>["unsupported token:
52", "unsupported token: 0", "unsupported token: 53", "unsupported
token: 0", "unsupported token: 51", "unsupported token: 0",
"unsupported token: 54", "unsupported token: 0", "unsupported token:
16", "unsupported token: 156", "unsupported token: 21", "unsupported
token: 2"], :sql=>"\n\t\t\t\t\t\t\twith tmp as (select *,ROW_NUMBER()
over (order by MyPassword) as rownumber from
AdventureWorks.Person.Address )\n\t\t\t\t\t\t\t\tselect * from tmp
where rownumber between 1 and 1;\n\t\t\t\t\t\t\twith tmp as (select
*,ROW_NUMBER() over (order by MyPassword) as rownumber from
AdventureWorks.Person.Address )\n\t\t\t\t\t\t\t\tselect * from tmp
where rownumber between 9807 and 9807;\n\t\t\t\t\t\t\twith tmp as
(select *,ROW_NUMBER() over (order by MyPassword) as rownumber from
AdventureWorks.Person.Address )\n\t\t\t\t\t\t\t\tselect * from tmp
where rownumber between 19614 and 19614;\n\t\t\t\t\t\t"}

If you split this down you can see some of the fields aren't being
parsed correctly, for example the colnames values should be

AddressID, AddressLine1, AddressLine2, City, StateProvinceID,
PostalCode, rowguid, modified date, my password and rownumber.

If I run the mssql_query with true rather than false I get a lot of

[-] unsupported token: 0
[-] unsupported token: 0
[-] unsupported token: 11
[-] unsupported token: 0
[-] unsupported token: 231
[-] unsupported token: 20

with all sorts of different values.

Reading through msf/lib/msf/core/exploit/mssql.rb, you are only
expecting a few fixed values, and looking at the TDS spec I'd guess
that it is the parsing that is failing rather than new tokens being
missed, as some of the token values mentioned in the debug don't appear
in the spec.

The query is running against SQL Server 2005 if that matters.

Robin
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
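The dump above shows the parser picking up the GUID column's length byte (0x10 = 16) as the name length for "rowguid", after which every later column is read from the wrong offset. The following is an added example, not Metasploit's mssql.rb and not code from the poster: a minimal parser for the per-column entries of a TDS 7.1 COLMETADATA token, with a switch that reproduces the failure mode (ignoring the length bytes that follow variable-length type codes) beside the correct handling. The wire layout and type codes are the TDS 7.1 ones as I know them; the SAMPLE buffer is constructed test data, not a server capture, and the column set mirrors the thread's table.

```ruby
# Added example (not from mssql.rb): parse the column entries of a TDS 7.1
# COLMETADATA token and show how skipping a type's length bytes desynchronises
# everything after it.
#
# Assumed layout per column (TDS 7.1):
#   UserType (2 bytes LE) | Flags (2 bytes LE) | TYPE_INFO | ColName
# ColName is a 1-byte character count followed by UCS-2LE characters.
# TYPE_INFO is the type byte plus, for variable-length types, a length field.

INT4TYPE      = 0x38  # 56  fixed-length: TYPE_INFO is the type byte only
DATETIMETYPE  = 0x3D  # 61  fixed-length: type byte only
GUIDTYPE      = 0x24  # 36  type byte + 1-byte length (0x10)
INTNTYPE      = 0x26  # 38  type byte + 1-byte length
DATETIMNTYPE  = 0x6F  # 111 type byte + 1-byte length
NVARCHARTYPE  = 0xE7  # 231 type byte + 2-byte max length + 5-byte collation
BIGVARCHRTYPE = 0xA7  # 167 type byte + 2-byte max length + 5-byte collation

BYTELEN_TYPES   = [GUIDTYPE, INTNTYPE, DATETIMNTYPE].freeze
USHORTLEN_TYPES = [NVARCHARTYPE, BIGVARCHRTYPE].freeze

# Build one column entry (constructed test data).
def encode_column(type, name, type_extra = ''.b)
  [0, 0].pack('vv') + [type].pack('C') + type_extra.b +
    [name.length].pack('C') + name.encode('UTF-16LE').b
end

# With strict_type_info: false the parser never consumes the length bytes
# that follow a GUID or nvarchar type code, so the GUID's 0x10 is taken as
# the name length, which is the shape of the garbage in the thread's dump.
def parse_colmetadata(buf, strict_type_info: true)
  count = buf.unpack1('v')
  pos = 2
  cols = []
  count.times do
    break if pos + 5 > buf.bytesize              # ran off the end: stream out of sync
    utype, flags, type = buf[pos, 5].unpack('vvC')
    pos += 5
    if strict_type_info
      pos += 1     if BYTELEN_TYPES.include?(type)   # 1-byte length
      pos += 2 + 5 if USHORTLEN_TYPES.include?(type) # 2-byte max length + collation
    end
    name_len = buf.getbyte(pos) || 0
    pos += 1
    raw = buf[pos, name_len * 2] || ''.b
    pos += name_len * 2
    name = raw.force_encoding('UTF-16LE')
              .encode('UTF-8', invalid: :replace, undef: :replace)
    cols << { utype: utype, flags: flags, type: type, name: name }
  end
  cols
end

# Constructed COLMETADATA body: four columns of the kinds seen in the thread
# (int, uniqueidentifier, datetime, nvarchar(60) with a dummy collation).
SAMPLE = [4].pack('v') +
         encode_column(INT4TYPE, 'AddressID') +
         encode_column(GUIDTYPE, 'rowguid', [0x10].pack('C')) +
         encode_column(DATETIMETYPE, 'ModifiedDate') +
         encode_column(NVARCHARTYPE, 'City',
                       [120].pack('v') + [0x09, 0x04, 0xD0, 0x00, 0x34].pack('C*'))

def column_names(strict)
  parse_colmetadata(SAMPLE, strict_type_info: strict).map { |c| c[:name] }
end

if __FILE__ == $PROGRAM_NAME
  puts "strict : #{column_names(true).inspect}"
  puts "lenient: #{column_names(false).inspect}"
end
```

Run stand-alone, the strict pass returns the four real names; the lenient pass returns "AddressID" followed by a 16-character string starting with the real name-length byte and the characters of "rowguid", then stops early because the computed offset runs past the buffer, which is the same pattern as the colnames and "unsupported token" errors in the dump. The defensive point for any TDS consumer is the same: every type code must be mapped to the exact number of TYPE_INFO bytes it carries, and an unknown type code should abort the token rather than guess, since one unconsumed byte corrupts every column that follows.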

