Fixes #3759

2025-12-07 13:11:29 +00:00 · 2019-06-16 17:23:46 +02:00
parent 3b3f4926e4
commit 8220b6264c
3 changed files with 20 additions and 7 deletions
--- a/plugins/generic/users.py
+++ b/plugins/generic/users.py
@@ -15,6 +15,7 @@ from lib.core.common import getLimitRange
 from lib.core.common import isAdminFromPrivileges
 from lib.core.common import isInferenceAvailable
 from lib.core.common import isNoneValue
+from lib.core.common import isNullValue
 from lib.core.common import isNumPosStrValue
 from lib.core.common import isTechniqueAvailable
 from lib.core.common import parsePasswordHash
@@ -203,8 +204,10 @@ class Users(object):
            else:
                values = inject.getValue(query, blind=False, time=False)

-                if isNoneValue(values) and Backend.isDbms(DBMS.MSSQL):
+                if Backend.isDbms(DBMS.MSSQL) and isNoneValue(values):
                    values = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), blind=False, time=False)
+                elif Backend.isDbms(DBMS.MYSQL) and (isNoneValue(values) or all(len(value) == 2 and (isNullValue(value[1]) or isNoneValue(value[1])) for value in values)):
+                    values = inject.getValue(query.replace("authentication_string", "password"), blind=False, time=False)

                for user, password in filterPairValues(values):
                    if not user or user == " ":
@@ -270,9 +273,13 @@ class Users(object):

                        count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)

-                        if not isNumPosStrValue(count) and Backend.isDbms(DBMS.MSSQL):
-                            fallback = True
-                            count = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
+                        if not isNumPosStrValue(count):
+                            if Backend.isDbms(DBMS.MSSQL):
+                                fallback = True
+                                count = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
+                            elif Backend.isDbms(DBMS.MYSQL):
+                                fallback = True
+                                count = inject.getValue(query.replace("authentication_string", "password"), union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)

                        if not isNumPosStrValue(count):
                            warnMsg = "unable to retrieve the number of password "
@@ -307,6 +314,10 @@ class Users(object):
                        else:
                            query = rootQuery.blind.query % (user, index)

+                        if Backend.isDbms(DBMS.MYSQL):
+                            if fallback:
+                                query = query.replace("authentication_string", "password")
+
                        password = unArrayizeValue(inject.getValue(query, union=False, error=False))
                        password = parsePasswordHash(password)