NSE: Multiple Bugs in ms-sql-* scripts (e.g. ms-sql-info)

[secmxx]

Describe the bug
The ms-sql-info NSE script fails to run:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 10:50 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000078s latency).

PORT STATE SERVICE VERSION
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.4188.00; CU14
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.76 seconds

Stack Trace:

NSE: ms-sql-info against 127.0.0.1:1433 threw an error!                                                              
attempt to index a nil value                                                                                         
stack traceback:                                                                                                     
        [C]: in for iterator 'for iterator'                                                                          
        /usr/bin/../share/nmap/nselib/mssql.lua:3334: in function </usr/bin/../share/nmap/nselib/mssql.lua:3327>     
        (...tail calls...)                                                                                           
                                                                                                                     
Completed NSE at 10:51, 0.01s elapsed 

To Reproduce
Run the following nmap scan against a single instance of mssql server (e.g. SQL Server 2019):
sudo nmap -sS -p 1433 --script ms-sql-info -sV 127.0.0.1

Expected behavior
Expecting the full NSE script output for ms-sql-info:

─$ sudo nmap -sS -p 1433 --script ms-sql-info -sV 127.0.0.1
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 12:21 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00019s latency).

PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.4188.00; CU14
| ms-sql-info: 
|   127.0.0.1:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 CU14
|       number: 15.00.4188.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: CU14
|       Post-SP patches applied: false
|_    TCP port: 1433

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.97 seconds

Version info (please complete the following information):

• OS: Linux kali 6.1.0-kali5-amd64
• Output of nmap --version:

Nmap version 7.93 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.6 openssl-3.0.8 libssh2-1.10.0 libz-1.2.13 libpcre-8.39 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Quick Fix
I have patched my mssql.lua as follows. I can't guarantee that this won't break compatibility with other scripts...

nselib/mssql.lua (diff):

3206,3207c3206,3207                                                                                                   
<       local status, instances = Helper.GetDiscoveredInstances(host, port)                                           
<       if status then                                                                                                                                                                                                                      
---                                                                                                                   
>       local instances = Helper.GetDiscoveredInstances(host, port)                                                   
>       if instances then   

Note: Helper.GetDiscoveredInstances only returns one value, this is the source of the stack trace.

With this fix, the script works but still doesn't create the full output when run against a single SQL instance. It might work if you run against multiple instances but i haven't checked.

The reason is the following segment:

nmap/nselib/mssql.lua

Lines 3337 to 3340 in ad3935b

	if #output > 0 then
	return outlib.sorted_by_key(output)
	end
	return nil

#output will always return 0 when scanning a single instance since it is indexed by a string (e.g. ("127.0.0.1:1433", table:0xaaaaaaaa) (s. https://www.lua.org/manual/5.4/manual.html on ipairs vs pairs, # only counts index-value pairs i.e. ipairs)

As a quick fix you can comment out lines 3337, 3339 and 3340.

Additional Issues
For me, only few of the ms-sql-* scripts actually work. This is partly due to the use of the deprecated format_output function e.g. in the following scripts:

• ms-sql-hasdbaccess.nse
• ms-sql-query.nse
• ms-sql-brute.nse
• ms-sql-config.nse
• broadcast-ms-sql-discover.nse
• ms-sql-xp-cmdshell.nse
• ms-sql-tables.nse

Also, there is a typo in ms-sql-tables.nse ("ouptut" vs "output", s. below)

nmap/scripts/ms-sql-tables.nse

Line 248 in ad3935b

return stdnse.format_ouptut(true, instanceOutput)

[gorbehnare]

Thanks for this... well, I gave homework to my students, and now they are all screwed :D I'll have them download older versions of nmap for now...
Edit: Only some Windows systems are affected by this. I can only tell from student assignment submissions as the majority of them seem to be able to get results. I tested this on my own systems and Windows 10 Pro in VM is unaffected, but Windows 10 Home in VM is affected by this. I only installed these two VMs to check, so this is not a complete test or even a good sample size for narrowing down the problem. There may be other factors contributing to this than nmap itself.

[daniruiz]

Hello!
I've also noticed this issue using nmap 7.93. We have pushed a patch to Kali's repository that should fix it. Feel free to test it and open a bug report (bugs.kali.org) if there's anything else to fix.
Here's the commit with the patch https://gitlab.com/kalilinux/packages/nmap/-/commit/984afc842c6e4a0b4f1b4c3fdd2ecaf10e7127c9

From: Sophie Brun <sophie@offensive-security.com>
Date: Tue, 28 Mar 2023 10:29:02 +0200
Subject: Fix mssql scripts

Fix the following issues:
- GetTargetInstances returns only one value.
- #output will always return 0 when scanning a single instance. Add a
  real count of values
- typo in scripts/ms-sql-tables.nse (ouptut != output)

Bug: https://github.com/nmap/nmap/issues/2622
Origin: https://github.com/nmap/nmap/issues/2622
---
 nselib/mssql.lua          | 9 ++++++---
 scripts/ms-sql-tables.nse | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/nselib/mssql.lua b/nselib/mssql.lua
index e275e54..cdf287e 100644
--- a/nselib/mssql.lua
+++ b/nselib/mssql.lua
@@ -3203,8 +3203,9 @@ Helper =
     Helper.Discover( host )
 
     if ( port ) then
-      local status, instances = Helper.GetDiscoveredInstances(host, port)
-      if status then
+      local instances = Helper.GetDiscoveredInstances(host, port)
+
+      if instances then
         return true, instances
       else
         return false, "No SQL Server instance detected on this port"
@@ -3331,10 +3332,12 @@ Helper =
         return nil
       end
       local output = {}
+      local count = 0
       for _, instance in ipairs(instances) do
         output[instance:GetName()] = process_instance(instance)
+	count = count + 1
       end
-      if #output > 0 then
+      if count > 0 then
         return outlib.sorted_by_key(output)
       end
       return nil
diff --git a/scripts/ms-sql-tables.nse b/scripts/ms-sql-tables.nse
index caf0a82..45f32c5 100644
--- a/scripts/ms-sql-tables.nse
+++ b/scripts/ms-sql-tables.nse
@@ -245,7 +245,7 @@ local function process_instance( instance )
   instanceOutput["name"] = string.format( "[%s]", instance:GetName() )
   table.insert( instanceOutput, output )
 
-  return stdnse.format_ouptut(true, instanceOutput)
+  return stdnse.format_output(true, instanceOutput)
 
 end
 

We have also uploaded the fixed package (version 7.93+dfsg1-0kali3) to the kali-experimental branch, and should be ready in kali-rolling soon.
http://pkg.kali.org/pkg/nmap

[secmxx]

Thanks a lot!

[iasdeoupxe]

Could be possible that the patch is also fixing #2535, #2388, #2571 and #2572

[Lukas-Ldc]

Hello,
I tested "ms-sql-info" with 3 versions of NMap:

• nmap-7.92.tar.bz2 : with no changes, ms-sql-* scripts are working.
• nmap-7.93.tar.bz2 : ms-sql-* scripts are not working, I changed mssql.lua with the patch from @daniruiz .
• nmap-7.94.tar.bz2 : ms-sql-* scripts are not working, I changed mssql.lua with the patch from @daniruiz .

When I am using "ms-sql-info" with NMap 7.92, the script gives the list of all the MS-SQL instances from one server.
When I am using "ms-sql-info" with NMap 7.93 (patched) or 7.94 (patched), the script works but gives only one MS-SQL instance per server.
Am I the only one experiencing this?

Also, I don't know if it is linked to this issue, but with the 7.93 (patched) or 7.94 (patched) versions, when using the script "ms-sql-config" (or any other ms-sql-* with credentials), when I try to use mssql.domain (with username and password), I get the following error: "No parser for token type: 0x0".

[ShutdownRepo]

👋 any news on merging/pushing this potential fix?

[redbankdev]

I'm currently still learning, but I recently ran an nmap script using ms-* scripts, and I still received the error concerning 'NIL'.. I'm assuming this still needs work

[gorbehnare]

Still not fixed... I'm probably going to have to provide older version of nmap or find some other solution. Unfortunately it seems that this software is not very well maintained for Windows, so nmap/zenmap may or may not work on student systems which is not something that we can tolerate when they are just starting their learning, and cannot yet identify if they actually got the correct output or not.

[iasdeoupxe]

not very well maintained for Windows

This is not Windows specific and also happens on any other system like a Linux one.

[johnjaylward]

I also ran into this and did not look for an issue before submitting a PR. However my PR #2784 also addresses this issue.

[Arthurlu0421]

I also ran into this and did not look for an issue before submitting a PR. However my PR #2784 also addresses this issue.

fixed this bug :attempt to index a nil value
stack traceback:
[C]: in for iterator 'for iterator'

[nnposter]

Thanks to @secmxx for this excellent write-up.

All the issues covered by @johnjaylward's PR #2784 have been hopefully rectified in r38948 (a0d24d0), r38945 (3ab8fc2), and r38943 (f4b0922), albeit partially differently.

The issue with misspelled stdnse.format_ouptut() in ms-sql-tables.nse has been rectified in r38949 (92995af).