NSE: Multiple Bugs in ms-sql-* scripts (e.g. ms-sql-info) #2622
Comments
Thanks for this... well, I gave homework to my students, and now they are all screwed :D I'll have them download older versions of nmap for now...
Hello!
From: Sophie Brun <sophie@offensive-security.com>
Date: Tue, 28 Mar 2023 10:29:02 +0200
Subject: Fix mssql scripts
Fix the following issues:
- GetTargetInstances returns only one value.
- #output will always return 0 when scanning a single instance. Add a
real count of values
- typo in scripts/ms-sql-tables.nse (ouptut != output)
Bug: https://github.com/nmap/nmap/issues/2622
Origin: https://github.com/nmap/nmap/issues/2622
---
nselib/mssql.lua | 9 ++++++---
scripts/ms-sql-tables.nse | 2 +-
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/nselib/mssql.lua b/nselib/mssql.lua
index e275e54..cdf287e 100644
--- a/nselib/mssql.lua
+++ b/nselib/mssql.lua
@@ -3203,8 +3203,9 @@ Helper =
Helper.Discover( host )
if ( port ) then
- local status, instances = Helper.GetDiscoveredInstances(host, port)
- if status then
+ local instances = Helper.GetDiscoveredInstances(host, port)
+
+ if instances then
return true, instances
else
return false, "No SQL Server instance detected on this port"
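Review bot: the new `if instances then` guard accepts any table, an empty one included, because every table is truthy in Lua, so a lookup that yields `{}` would return `true, {}` rather than the "No SQL Server instance detected on this port" message the else branch exists to produce; if GetDiscoveredInstances can return an empty table on no match, tighten the guard to `if instances and next(instances) then`. The whitespace-only `+` line added between the call and the guard can also be dropped.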
@@ -3331,10 +3332,12 @@ Helper =
return nil
end
local output = {}
+ local count = 0
for _, instance in ipairs(instances) do
output[instance:GetName()] = process_instance(instance)
+ count = count + 1
end
- if #output > 0 then
+ if count > 0 then
return outlib.sorted_by_key(output)
end
return nil
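Review bot: `count` is incremented once per element of `instances` (the line after `output[instance:GetName()] = process_instance(instance)`), not once per entry actually stored in `output`, so the two can diverge: if process_instance returns nil for an instance the assignment stores nothing but count still goes up, and `count > 0` then hands an empty table to outlib.sorted_by_key; two instances reporting the same name would likewise be counted twice for a single key. Testing the table directly, `if next(output) then`, covers both cases without the extra variable and works for the string-keyed table that `#output` could not measure.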
diff --git a/scripts/ms-sql-tables.nse b/scripts/ms-sql-tables.nse
index caf0a82..45f32c5 100644
--- a/scripts/ms-sql-tables.nse
+++ b/scripts/ms-sql-tables.nse
@@ -245,7 +245,7 @@ local function process_instance( instance )
instanceOutput["name"] = string.format( "[%s]", instance:GetName() )
table.insert( instanceOutput, output )
- return stdnse.format_ouptut(true, instanceOutput)
+ return stdnse.format_output(true, instanceOutput)
end
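Review bot: renaming the call to stdnse.format_output is the right fix for the typo that made this line fail at runtime, but, as the issue report on this page notes, stdnse.format_output is a deprecated formatter; returning `instanceOutput` from process_instance as a structured table and letting the script's action return structured output would be the longer-term change, outside the scope of this patch.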
We have also uploaded the fixed package (version 7.93+dfsg1-0kali3) to the kali-experimental branch, and it should be ready in kali-rolling soon.
Thanks a lot!
Hello,
When I am using "ms-sql-info" with NMap 7.92, the script gives the list of all the MS-SQL instances from one server. Also, I don't know if it is linked to this issue, but with the 7.93 (patched) or 7.94 (patched) versions, when using the script "ms-sql-config" (or any other ms-sql-* with credentials), when I try to use
👋 any news on merging/pushing this potential fix?
I'm currently still learning, but I recently ran an nmap script using ms-* scripts, and I still received the error concerning 'NIL'... I'm assuming this still needs work
Still not fixed... I'm probably going to have to provide an older version of nmap or find some other solution. Unfortunately it seems that this software is not very well maintained for Windows, so nmap/zenmap may or may not work on student systems, which is not something that we can tolerate when they are just starting their learning and cannot yet identify whether they actually got the correct output or not.
This is not Windows specific and also happens on any other system like a Linux one.
I also ran into this and did not look for an issue before submitting a PR. However, my PR #2784 also addresses this issue.
fixed this bug: attempt to index a nil value
Thanks to @secmxx for this excellent write-up. All the issues covered by @johnjaylward's PR #2784 have been hopefully rectified in r38948 (a0d24d0), r38945 (3ab8fc2), and r38943 (f4b0922), albeit partially differently. The issue with misspelled
Describe the bug
The ms-sql-info NSE script fails to run:
Stack Trace:
To Reproduce
Run the following nmap scan against a single instance of mssql server (e.g. SQL Server 2019):
sudo nmap -sS -p 1433 --script ms-sql-info -sV 127.0.0.1
Expected behavior
Expecting the full NSE script output for ms-sql-info:
Version info (please complete the following information):
Linux kali 6.1.0-kali5-amd64
nmap --version
Quick Fix
I have patched my mssql.lua as follows. I can't guarantee that this won't break compatibility with other scripts...
nselib/mssql.lua (diff):
Note: Helper.GetDiscoveredInstances only returns one value, this is the source of the stack trace.
With this fix, the script works but still doesn't create the full output when run against a single SQL instance. It might work if you run against multiple instances but i haven't checked.
The reason is the following segment:
nmap/nselib/mssql.lua
Lines 3337 to 3340 in ad3935b
#output will always return 0 when scanning a single instance, since the table is indexed by a string (e.g. ("127.0.0.1:1433", table:0xaaaaaaaa)); see https://www.lua.org/manual/5.4/manual.html on ipairs vs. pairs: # only counts index-value pairs, i.e. what ipairs iterates.
As a quick fix you can comment out lines 3337, 3339 and 3340.
Additional Issues
For me, only a few of the ms-sql-* scripts actually work. This is partly due to the use of the deprecated format_output function, e.g. in the following scripts:
Also, there is a typo in ms-sql-tables.nse ("ouptut" vs "output", see below)
nmap/scripts/ms-sql-tables.nse
Line 248 in ad3935b
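As an added illustration of the `#` behaviour this report describes (example code written for this page, not from the nmap code base or the issue author), the following Lua snippet builds an output table keyed by instance name the way the report says mssql.lua keys it, and compares the `#` operator against a count that walks the table with pairs. The instance name "127.0.0.1:1433" and the placeholder value are constructed; `count_entries` and `has_entries` are hypothetical helper names, not nmap APIs.

```lua
-- Added example (not nmap code): why `#output` is 0 for a string-keyed table,
-- and two ways to test for entries that work whatever the key type.

-- Count every key/value pair, regardless of key type. This is the same idea
-- as the `count` variable in the patch above, written as a reusable helper.
local function count_entries(t)
  local n = 0
  for _ in pairs(t) do
    n = n + 1
  end
  return n
end

-- True when the table holds at least one entry of any kind. `next` returns
-- nil only for an empty table, so this needs no counting at all.
local function has_entries(t)
  return next(t) ~= nil
end

-- Constructed sample: an output table keyed by instance name ("host:port"),
-- with a placeholder value standing in for the per-instance result table.
local output = {}
output["127.0.0.1:1433"] = { version = "placeholder" }

-- `#` reports the length of the sequence part (integer keys 1..n) only, so a
-- table with nothing but string keys has length 0 even though it is not empty.
print("#output        = " .. #output)
print("count_entries  = " .. count_entries(output))
print("has_entries    = " .. tostring(has_entries(output)))

-- For comparison, a real sequence is what `#` and ipairs are designed for.
local seq = { "first", "second" }
print("#seq           = " .. #seq)
print("count_entries  = " .. count_entries(seq))
```

Run with `lua example.lua`. For the string-keyed `output` table `#output` is 0, exactly the condition that made the original `if #output > 0` guard return nil for a single instance, while the pairs-based count reports one entry and `has_entries` is true; for the sequence both `#` and the pairs-based count agree. Of the two helpers, `has_entries` is the cheaper replacement for a `> 0` check, since it stops after the first key.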