Skip to content

Commit

Permalink
adds ntext parsing to mssql
Browse files Browse the repository at this point in the history
  • Loading branch information
zgoldman-r7 committed Apr 15, 2024
1 parent 2cf8ea3 commit 995d609
Show file tree
Hide file tree
Showing 5 changed files with 47 additions and 9 deletions.
27 changes: 26 additions & 1 deletion lib/rex/proto/mssql/client_mixin.rb
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ def mssql_print_reply(info)
)

info[:rows].each do |row|
tbl << row
tbl << row.map{ |x| x.nil? ? 'nil' : x }
end

print_line(tbl.to_s)
Expand Down Expand Up @@ -206,6 +206,15 @@ def mssql_parse_tds_reply(data, info)
when 50
col[:id] = :bit

when 99
col[:id] = :ntext
col[:max_size] = data.slice!(0, 4).unpack('V')[0]
col[:codepage] = data.slice!(0, 2).unpack('v')[0]
col[:cflags] = data.slice!(0, 2).unpack('v')[0]
col[:charset_id] = data.slice!(0, 1).unpack('C')[0]
col[:namelen] = data.slice!(0, 1).unpack('C')[0]
col[:table_name] = data.slice!(0, (col[:namelen] * 2) + 1).gsub("\x00", '')

when 104
col[:id] = :bitn
col[:int_size] = data.slice!(0, 1).unpack('C')[0]
Expand Down Expand Up @@ -328,6 +337,22 @@ def mssql_parse_tds_row(data, info)
end
row << str.gsub("\x00", '')

when :ntext
str = nil
ptrlen = data.slice!(0, 1).unpack("C")[0]
ptr = data.slice!(0, ptrlen)
unless ptrlen == 0
timestamp = data.slice!(0, 8)
datalen = data.slice!(0, 4).unpack("V")[0]
if datalen > 0 && datalen < 65535
str = data.slice!(0, datalen).gsub("\x00", '')
else
str = ''
end
end
row << str


when :datetime
row << data.slice!(0, 8).unpack("H*")[0]

Expand Down
5 changes: 3 additions & 2 deletions modules/auxiliary/scanner/mssql/mssql_hashdump.rb
Original file line number Diff line number Diff line change
Expand Up @@ -79,8 +79,10 @@ def run_host(ip)

unless is_sysadmin == 0
mssql_hashes = mssql_hashdump(version_year)
unless mssql_hashes.nil?
unless mssql_hashes.nil? || mssql_hashes.empty?
report_hashes(mssql_hashes,version_year)
else
print_error("Unsupported SQL Version: #{version_year}")
end
end
end
Expand All @@ -93,7 +95,6 @@ def report_hashes(mssql_hashes, version_year)
case version_year
when "2000"
hashtype = "mssql"

when "2005", "2008"
hashtype = "mssql05"
when "2012", "2014"
Expand Down
6 changes: 5 additions & 1 deletion modules/auxiliary/scanner/mssql/mssql_schemadump.rb
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,11 @@ def run_host(ip)

# Grab all the DB schema and save it as notes
mssql_schema = get_mssql_schema
return nil if mssql_schema.nil? or mssql_schema.empty?
if mssql_schema.nil? or mssql_schema.empty?
print_good output if datastore['DISPLAY_RESULTS']
print_error("Unable to retrieve schema information")
return nil
end
mssql_schema.each do |db|
report_note(
:host => mssql_client.peerhost,
Expand Down
8 changes: 3 additions & 5 deletions spec/acceptance/mssql_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@
lines: {
all: {
required: [
'Instance Name:'
/Instance Name: "\w+"/,
]
},
}
Expand Down Expand Up @@ -64,8 +64,8 @@
lines: {
all: {
required: [
'Instance Name:',
'Scanned 1 of 1 hosts (100% complete)'
/Instance Name: "\w+"/,
'[+] Microsoft SQL Server Schema',
]
},
}
Expand All @@ -78,9 +78,7 @@
lines: {
all: {
required: [
# Default module query
"Response",
# Result
"Microsoft SQL Server",
]
},
Expand Down
10 changes: 10 additions & 0 deletions test/modules/post/test/mssql.rb
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,16 @@ def test_console_query
end
end

def test_datatypes
it "should support ntext TDS datatype" do
stdout = with_mocked_console(session) {|console| console.run_single(%{ query "select cast('foo' as ntext);"})}
ret = true
require 'pry-byebug'; binding.pry
ret &&= stdout.buf.match?(/0 foo/)
ret
end
end

def test_console_help
it "should support the help command" do
stdout = with_mocked_console(session) { |console| console.run_single("help") }
Expand Down

0 comments on commit 995d609

Please sign in to comment.