GitHub Repository: sqlmapproject/sqlmap
Path: blob/master/plugins/dbms/mssqlserver/fingerprint.py
#!/usr/bin/env python
"""
Copyright (c) 2006-2025 sqlmap developers (https://sqlmap.org)
See the file 'LICENSE' for copying permission
"""
from lib.core.common import Backend
from lib.core.common import Format
from lib.core.convert import getUnicode
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.enums import DBMS
from lib.core.enums import OS
from lib.core.session import setDbms
from lib.core.settings import MSSQL_ALIASES
from lib.request import inject
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint
class Fingerprint(GenericFingerprint):
    """Fingerprinting hooks specific to Microsoft SQL Server.

    ``getFingerprint`` renders the collected fingerprint text,
    ``checkDbms`` confirms the DBMS family and picks a product version,
    and ``checkDbmsOs`` derives the underlying Windows version and
    service pack from the ``@@VERSION`` string stored in the support table.
    """

    def __init__(self):
        GenericFingerprint.__init__(self, DBMS.MSSQL)

    def getFingerprint(self):
        """Return the human-readable fingerprint summary as a single string.

        Web-server and back-end DBMS operating-system lines are emitted only
        when ``Format.getOs`` yields something for them.  Without
        ``conf.extensiveFp`` the text ends right after the active DBMS
        fingerprint; otherwise the banner-parsing and HTML-error-message
        fingerprints are appended on their own indented lines when present.
        """
        parts = []

        wsOsFp = Format.getOs("web server", kb.headersFp)
        if wsOsFp:
            parts.append("%s\n" % wsOsFp)

        if kb.data.banner:
            dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp)
            if dbmsOsFp:
                parts.append("%s\n" % dbmsOsFp)

        parts.append("back-end DBMS: ")
        actVer = Format.getDbms()

        if not conf.extensiveFp:
            parts.append(actVer)
            return "".join(parts)

        # continuation lines are aligned under the text after "back-end DBMS: "
        blank = " " * 15
        parts.append("active fingerprint: %s" % actVer)

        if kb.bannerFp:
            release = kb.bannerFp.get("dbmsRelease")
            version = kb.bannerFp.get("dbmsVersion")
            servicepack = kb.bannerFp.get("dbmsServicePack")

            # a banner-derived line is only printed when all three pieces exist
            if release and version and servicepack:
                banVer = "%s %s Service Pack %s version %s" % (DBMS.MSSQL, release, servicepack, version)
                parts.append("\n%sbanner parsing fingerprint: %s" % (blank, banVer))

        htmlErrorFp = Format.getErrorParsedDBMSes()
        if htmlErrorFp:
            parts.append("\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp))

        return "".join(parts)

    def checkDbms(self):
        """Confirm that the back-end is Microsoft SQL Server.

        Returns ``True`` (after recording DBMS, banner and OS in ``Backend``)
        when the DBMS is confirmed, ``False`` otherwise.  When the DBMS was
        already identified and ``conf.extensiveFp`` is off, the result is
        recorded without sending any further probe.
        """
        if not conf.extensiveFp and Backend.isDbmsWithin(MSSQL_ALIASES):
            setDbms("%s %s" % (DBMS.MSSQL, Backend.getVersion()))
            self.getBanner()
            Backend.setOs(OS.WINDOWS)
            return True

        logger.info("testing %s" % DBMS.MSSQL)

        # NOTE: SELECT LEN(@@VERSION)=LEN(@@VERSION) FROM DUAL does not
        # work connecting directly to the Microsoft SQL Server database
        if conf.direct:
            confirmed = True
        else:
            confirmed = inject.checkBooleanExpression("UNICODE(SQUARE(NULL)) IS NULL")

        if not confirmed:
            logger.warning("the back-end DBMS is not %s" % DBMS.MSSQL)
            return False

        logger.info("confirming %s" % DBMS.MSSQL)

        # newest release first; the first expression that evaluates true wins
        versionProbes = (
            ("Azure", "@@VERSION LIKE '%Azure%'"),
            ("2025", "CHARINDEX('17.0.',@@VERSION)>0"),
            ("2022", "GREATEST(NULL,NULL) IS NULL"),
            ("2019", "CHARINDEX('15.0.',@@VERSION)>0"),
            ("2017", "TRIM(NULL) IS NULL"),
            ("2016", "ISJSON(NULL) IS NULL"),
            ("2014", "CHARINDEX('12.0.',@@VERSION)>0"),
            ("2012", "CONCAT(NULL,NULL)=CONCAT(NULL,NULL)"),
            ("2008", "SYSDATETIME()=SYSDATETIME()"),
            ("2005", "XACT_STATE()=XACT_STATE()"),
            ("2000", "HOST_NAME()=HOST_NAME()"),
        )

        for label, expression in versionProbes:
            if inject.checkBooleanExpression(expression):
                Backend.setVersion(label)
                break

        detectedVersion = Backend.getVersion()
        if detectedVersion:
            setDbms("%s %s" % (DBMS.MSSQL, detectedVersion))
        else:
            setDbms(DBMS.MSSQL)

        self.getBanner()
        Backend.setOs(OS.WINDOWS)

        return True

    def checkDbmsOs(self, detailed=False):
        """Record the back-end operating system, optionally with version/SP.

        The OS is always set to Windows when unknown.  With ``detailed`` the
        ``@@VERSION`` string is copied into the support table and matched
        against known ``Windows NT x.y`` and ``Service Pack n`` substrings;
        when no version matches, Windows 2003 Service Pack 2 is assumed and
        a warning is logged.  The support table is dropped before returning.
        """
        if Backend.getOs() and Backend.getOsVersion() and Backend.getOsServicePack():
            return

        if not Backend.getOs():
            Backend.setOs(OS.WINDOWS)

        if not detailed:
            return

        logger.info("fingerprinting the back-end DBMS operating system version and service pack")

        infoMsg = "the back-end DBMS operating system is %s" % Backend.getOs()

        self.createSupportTbl(self.fileTblName, self.tblField, "varchar(1000)")
        inject.goStacked("INSERT INTO %s(%s) VALUES (%s)" % (self.fileTblName, self.tblField, "@@VERSION"))

        def storedVersionContains(fragment):
            # True when the stored @@VERSION row contains `fragment`
            query = "EXISTS(SELECT %s FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField)
            query += "LIKE '%" + fragment + "%')"
            return inject.checkBooleanExpression(query)

        # Reference: https://en.wikipedia.org/wiki/Comparison_of_Microsoft_Windows_versions
        # https://en.wikipedia.org/wiki/Windows_NT#Releases
        # label -> (NT kernel version, service packs to try, highest first)
        versions = {
            "NT": ("4.0", (6, 5, 4, 3, 2, 1)),
            "2000": ("5.0", (4, 3, 2, 1)),
            "XP": ("5.1", (3, 2, 1)),
            "2003": ("5.2", (2, 1)),
            "Vista or 2008": ("6.0", (2, 1)),
            "7 or 2008 R2": ("6.1", (1, 0)),
            "8 or 2012": ("6.2", (0,)),
            "8.1 or 2012 R2": ("6.3", (0,)),
            "10 or 11 or 2016 or 2019 or 2022": ("10.0", (0,))
        }

        # Get back-end DBMS underlying operating system version
        for label, (ntVersion, _) in versions.items():
            if storedVersionContains("Windows NT " + ntVersion):
                Backend.setOsVersion(label)
                infoMsg += " %s" % Backend.getOsVersion()
                break

        if not Backend.getOsVersion():
            Backend.setOsVersion("2003")
            Backend.setOsServicePack(2)

            warnMsg = "unable to fingerprint the underlying operating "
            warnMsg += "system version, assuming it is Windows "
            warnMsg += "%s Service Pack %d" % (Backend.getOsVersion(), Backend.getOsServicePack())
            logger.warning(warnMsg)

            self.cleanup(onlyFileTbl=True)
            return

        # Get back-end DBMS underlying operating system service pack
        # NOTE(review): assumes the stored OS version is one of the keys above
        # (true when the loop just set it); a value set elsewhere would KeyError here
        for sp in versions[Backend.getOsVersion()][1]:
            if storedVersionContains("Service Pack " + getUnicode(sp)):
                Backend.setOsServicePack(sp)
                break

        # a matched "Service Pack 0" is falsy and takes this path too
        if not Backend.getOsServicePack():
            logger.debug("assuming the operating system has no service pack")
            Backend.setOsServicePack(0)

        if Backend.getOsVersion():
            infoMsg += " Service Pack %d" % Backend.getOsServicePack()

        logger.info(infoMsg)

        self.cleanup(onlyFileTbl=True)