Metasploit mailing list archives
bug in parsing mssql output
From: Robin Wood <robin () digininja org>
Date: Wed, 9 Jun 2010 16:09:19 +0100
I'm running an MSSQL query and the data that is coming back isn't being parsed into the hash structure correctly. An example of the statement is:

with tmp as (select *,ROW_NUMBER() over (order by " + column_name + ") as rownumber from " + full_table + " ) select * from tmp where rownumber between " + x + " and " + y + ";"

where different variables are being looped through. I'm calling the SQL like this:

result = mssql_query(sql, false) if mssql_login_datastore
puts result.inspect

Here is a sample of the data coming back.

{:colinfos=>[
  {:type=>56, :utype=>0, :msg_len=>9, :flags=>16, :name=>"AddressID", :id=>:rawint},
  {:codepage=>1033, :type=>231, :cflags=>192, :charset_id=>0, :utype=>0, :msg_len=>12, :max_size=>120, :flags=>10, :name=>"AddressLine1", :id=>:string},
  {:codepage=>1033, :type=>231, :cflags=>192, :charset_id=>0, :utype=>0, :msg_len=>12, :max_size=>120, :flags=>11, :name=>"AddressLine2", :id=>:string},
  {:codepage=>1033, :type=>231, :cflags=>192, :charset_id=>0, :utype=>0, :msg_len=>4, :max_size=>60, :flags=>10, :name=>"City", :id=>:string},
  {:type=>56, :utype=>0, :msg_len=>15, :flags=>8, :name=>"StateProvinceID", :id=>:rawint},
  {:codepage=>1033, :type=>231, :cflags=>192, :charset_id=>0, :utype=>0, :msg_len=>10, :max_size=>30, :flags=>10, :name=>"PostalCode", :id=>:string},
  {:type=>36, :utype=>0, :msg_len=>16, :flags=>8, :name=>"\arowguid\b=\fModifi", :id=>:string},
  {:type=>0, :utype=>25856, :msg_len=>68, :flags=>25600, :name=>"ate\v\357\024\t\004\300\nMyPassword\001&\b\trownumber\321\001\0321970 Napa Ct.\377\377\016BothellO\n98011\020\r\313\255", :id=>:unknown},
  {:type=>72, :utype=>53146, :msg_len=>132, :flags=>16182, :name=>"\330X\\-N\306\351\325\213\377\377\b\001\375\021\301\001\201\n\0208\tAddressID\n\347x\t\004\300\fAddressLine1\v\347x\t\004\300\fAddressLine2\n\347<\t\004\300\004City\b8\017StateProvinceID\n\347\036\t\004\300\nPostalCode\b$\020\arowguid\b=\fModifi", :id=>:unknown},
  {:type=>0, :utype=>25856, :msg_len=>68, :flags=>25600, :name=>"ate\v\357\024\t\004\300\nMyPassword\001&\b\trownumber\321}N&157 Birch Bark Road\377\377\016Fremont\t\n9", :id=>:unknown}],
 :login_ack=>true,
 :colnames=>["AddressID", "AddressLine1", "AddressLine2", "City", "StateProvinceID", "PostalCode", "\arowguid\b=\fModifi", "ate\v\357\024\t\004\300\nMyPassword\001&\b\trownumber\321\001\0321970 Napa Ct.\377\377\016BothellO\n98011\020\r\313\255", "\330X\\-N\306\351\325\213\377\377\b\001\375\021\301\001\201\n\0208\tAddressID\n\347x\t\004\300\fAddressLine1\v\347x\t\004\300\fAddressLine2\n\347<\t\004\300\004City\b8\017StateProvinceID\n\347\036\t\004\300\nPostalCode\b$\020\arowguid\b=\fModifi", "ate\v\357\024\t\004\300\nMyPassword\001&\b\trownumber\321}N&157 Birch Bark Road\377\377\016Fremont\t\n9"],
 :errors=>["unsupported token: 52", "unsupported token: 0", "unsupported token: 53", "unsupported token: 0", "unsupported token: 51", "unsupported token: 0", "unsupported token: 54", "unsupported token: 0", "unsupported token: 16", "unsupported token: 156", "unsupported token: 21", "unsupported token: 2"],
 :sql=>"\n\t\t\t\t\t\t\twith tmp as (select *,ROW_NUMBER() over (order by MyPassword) as rownumber from AdventureWorks.Person.Address )\n\t\t\t\t\t\t\t\tselect * from tmp where rownumber between 1 and 1;\n\t\t\t\t\t\t\twith tmp as (select *,ROW_NUMBER() over (order by MyPassword) as rownumber from AdventureWorks.Person.Address )\n\t\t\t\t\t\t\t\tselect * from tmp where rownumber between 9807 and 9807;\n\t\t\t\t\t\t\twith tmp as (select *,ROW_NUMBER() over (order by MyPassword) as rownumber from AdventureWorks.Person.Address )\n\t\t\t\t\t\t\t\tselect * from tmp where rownumber between 19614 and 19614;\n\t\t\t\t\t\t"}

If you split this down you can see some of the fields aren't being parsed correctly; for example, the colnames values should be AddressID, AddressLine1, AddressLine2, City, StateProvinceID, PostalCode, rowguid, modified date, my password and rownumber.

If I run the mssql_query with true rather than false I get a lot of

[-] unsupported token: 0
[-] unsupported token: 0
[-] unsupported token: 11
[-] unsupported token: 0
[-] unsupported token: 231
[-] unsupported token: 20

with all sorts of different values. Reading through msf/lib/msf/core/exploit/mssql.rb, you are only expecting a few fixed values, and looking at the TDS spec I'd guess that it is the parsing that is failing rather than new tokens being missed, as some of the token values mentioned in the debug don't appear in the spec. The query is running against SQL Server 2005 if that matters.

Robin

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
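An added illustration of the failure mode in the post, not code from Metasploit's mssql.rb: a toy TDS COLMETADATA reader built from the per-column layout in the TDS spec (user type, flags, type byte, type-specific length bytes, then a 1-byte name length and a UCS-2 name). The three columns, their flags and the assumption that a parser guesses "no length bytes" for a type it does not know are all constructed here; with the uniqueidentifier type (0x24) missing from its size table the reader reproduces the "\arowguid\b=\fModifi" name, :msg_len=>68 and :flags=>25600 values from the dump above, while the strict variant stops at the first unknown type instead.

```ruby
# Added example, not Metasploit's mssql.rb: a toy TDS COLMETADATA reader that shows how
# one column type of unknown size desynchronises everything parsed after it.
# Per-column layout, simplified from the TDS 7.x spec: UserType(2, LE), Flags(2, LE),
# Type(1), type-specific length bytes, then ColName as a 1-byte character count
# followed by that many UCS-2LE characters.
INT4TYPE, DATETIMETYPE, GUIDTYPE = 0x38, 0x3D, 0x24

# Bytes sitting between the type byte and the column name, for the types handled here.
LENGTH_BYTES = { INT4TYPE => 0, DATETIMETYPE => 0, GUIDTYPE => 1 }

def tds_column(type, name, flags: 0, length_bytes: "")
  [0, flags, type].pack("vvC") + length_bytes.b + [name.size].pack("C") +
    name.encode("UTF-16LE").b
end

# Constructed COLMETADATA body (column count, then columns) modelled on three of the
# Person.Address columns named in the post; the uniqueidentifier carries a 0x10 length byte.
SAMPLE = [3].pack("v") +
         tds_column(INT4TYPE, "AddressID") +
         tds_column(GUIDTYPE, "rowguid", length_bytes: "\x10") +
         tds_column(DATETIMETYPE, "ModifiedDate", flags: 8)

# strict: refuse to guess the size of a type we do not know. Otherwise assume it has no
# length bytes, which turns the GUID's 0x10 data length into a 16-character name length.
def parse_colmetadata(buf, known, strict: true)
  count = buf.unpack1("v")
  pos = 2
  cols = []
  count.times do
    raise format("ran off the end of COLMETADATA at offset %d", pos) if pos + 5 > buf.bytesize
    utype, flags = buf.byteslice(pos, 4).unpack("vv")
    type = buf.getbyte(pos + 4)
    skip = known.fetch(type) do
      raise format("unsupported column type 0x%02x at offset %d", type, pos + 4) if strict
      0
    end
    pos += 5 + skip
    nchars = buf.getbyte(pos)
    raw = buf.byteslice(pos + 1, nchars * 2)
    pos += 1 + nchars * 2
    # Dropping NULs is enough for ASCII names and mimics a naive UCS-2 decoder.
    cols << { utype: utype, flags: flags, type: type, msg_len: nchars, name: raw.delete("\0") }
  end
  # A cursor past bytesize means the reader ran off the end of the token: a desync.
  { columns: cols, cursor: pos, bytesize: buf.bytesize }
end
```

The alternating unsupported token: 52 / 0 / 53 / 0 pairs in the post are the same symptom further along: a cursor drifting through UCS-2 text sees a NUL every other byte, and 0x33 to 0x36 are the ASCII digits 3 to 6.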
Current thread:
- bug in parsing mssql output Robin Wood (Jun 09)
- Re: bug in parsing mssql output HD Moore (Jun 09)
- Re: bug in parsing mssql output Robin Wood (Jun 09)
- Re: bug in parsing mssql output HD Moore (Jun 09)
- Re: bug in parsing mssql output Robin Wood (Jun 09)
- Re: bug in parsing mssql output Robin Wood (Jun 09)
- Re: bug in parsing mssql output HD Moore (Jun 09)