Error handling response - admin/mssql/mssql_sql - unsupported token and invalid number of columns #18970
Comments
@Himself132 Could you try this again with the latest version of Metasploit? I believe this might have been fixed by #18872 |
Looks like it is still an issue with this version - up to date on apt get update && apt get upgrade && apt get dist-upgrade on Kali.
Here is the meaningful error output, the alternating unsupported token with 0 and integer alternating is also still present:
|
@Himself132 Thanks for taking a look! We've got a PR up to make error detection improvements here - would you mind applying this patch and letting us know what the error is this time: |
The pull request is merged in now, but it will actually be multiple days until it's available by default on Kali's repository to download. If you want to apply that patch to your Kali instance locally, it should be pretty safe to do so 💯 |
Can you please provide instructions on how to do that? I just unzipped it and tried ./msfconsole and got errors about missing gems.... I know I'm missing something obvious but don't live in this space - or a link with instructions |
If you copy the code here: Into this file on your Kali machine:
Then close and reopen metasploit-framework - then the module code should have been updated with better error reporting that we can investigate 🤞 |
this is what was put in the console, do you need more, or was the hope that the more verbose or helpful errors were recorded elsewhere?
|
Looks like it is dying on NTEXTTYPE = %x63 ; NText. Wireshark packet shows column type field is populated with 63 for what I suspect is where it is failing and the number 99 in the error. |
If you modify your file and add when 99 to the line that interprets the response as string you get this error: when 173
I'm guessing it has something to do with the Collate charset ID: which shows as 52 in wireshark |
this is the value for the collate charset ID in the database I'm querying which is master according to wireshark which I think equates to 52 SQL_Latin1_General_CP1_CI_AS |
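The wire layout being discussed here, an NTEXT (0x63) column in a COLMETADATA token followed by its ROW value as laid out in MS-TDS, parsed in a short Ruby example. This is an added example, not Metasploit's code and not part of the thread; the helper names and the byte stream are constructed (its values mirror the error output in the report), and it assumes the pre-7.2 layout where the table name is a single US_VARCHAR.

```ruby
# Added example, not Metasploit code: one NTEXT column in a TDS 7.1 reply.
require 'stringio'

NTEXTTYPE = 0x63 # decimal 99, the ":type=>99" in the report

# Read exactly n bytes and unpack them with fmt; raise if the stream is short.
def read_n(io, n, fmt)
  chunk = io.read(n).to_s
  raise EOFError, 'truncated TDS stream' if chunk.bytesize < n
  chunk.unpack1(fmt)
end

def ucs2(io, chars) # chars UTF-16LE code units -> UTF-8 string
  read_n(io, chars * 2, 'a*').force_encoding('UTF-16LE').encode('UTF-8')
end

def parse_ntext_colmetadata(io)
  raise 'expected COLMETADATA (0x81)' unless read_n(io, 1, 'C') == 0x81
  raise 'this example handles exactly one column' unless read_n(io, 2, 'v') == 1
  col = { utype: read_n(io, 2, 'v'), flags: read_n(io, 2, 'v'), type: read_n(io, 1, 'C') }
  raise "unknown column type: #{col[:type]}" unless col[:type] == NTEXTTYPE
  col[:max_len] = read_n(io, 4, 'V') # 4-byte LONGLEN, not a 1-byte length
  lcid_bits, col[:sort_id] = read_n(io, 5, 'a*').unpack('VC') # 5-byte collation
  col[:lcid] = lcid_bits & 0xFFFFF
  col[:table] = ucs2(io, read_n(io, 2, 'v')) # US_VARCHAR table name (pre-7.2 form)
  col[:name] = ucs2(io, read_n(io, 1, 'C')) # B_VARCHAR column name
  col
end

def parse_ntext_row(io)
  raise 'expected ROW (0xD1)' unless read_n(io, 1, 'C') == 0xD1
  ptr_len = read_n(io, 1, 'C')
  return nil if ptr_len.zero? # NULL: no pointer, timestamp or data follow
  read_n(io, ptr_len + 8, 'a*') # skip text pointer and 8-byte timestamp
  ucs2(io, read_n(io, 4, 'V') / 2) # 4-byte byte count, then UTF-16LE text
end

UCS2LE = ->(s) { s.encode('UTF-16LE').b }
# Constructed sample stream; values mirror the error output in the report.
SAMPLE = [
  [0x81, 1, 0, 9, NTEXTTYPE, 0x7FFFFFFE].pack('CvvvCV'), ['0904d00034'].pack('H*'),
  [20].pack('v'), UCS2LE['sys.dm_exec_sql_text'], [4].pack('C'), UCS2LE['text'],
  [0xD1, 16].pack('CC'), "dummy textptr\0\0\0", "dummyTS\0",
  [16].pack('V'), UCS2LE['SELECT 1']
].join.b

def parse_sample(stream = SAMPLE)
  io = StringIO.new(stream)
  [parse_ntext_colmetadata(io), parse_ntext_row(io)]
end
```

The first byte of the 4-byte maximum length in the sample is 0xFE (254), and the last collation byte is 0x34 (52), the sort ID mentioned in the comment above.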
Thanks for the extra details! 💯 @zgoldman-r7 has put this PR up now, does this patch work for your environment? |
I did not use the PR, but I copied and pasted the code into my client_mixin.rb file and ran it and it worked like a charm thank you so much this is great!!! That query is abusing view server privileges to see the last SQL queries run and can be set to poll and collect sensitive information, so this is terrific. |
Sorry I jumped the gun, looks like if you set sql to
|
That's interesting, thanks! Looks like that would have to be fixed. As a temporary work around, would the
There's also |
that workaround does work thank you! |
Hi! This issue has been left open with no activity for a while now. We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. |
Fixed by #19054 - thanks! |
Steps to reproduce
How'd you do it?
set sql select t.[text] from sys.dm_exec_requests as r cross apply sys.dm_exec_sql_text(r.sql_handle) as t
unsupported token: followed by an integer, e.g. 0, 53, alternating between 0 and a number:
[*] SCRUBBED_IP_ADDRESS:1433 - SQL Query: select t.[text] from sys.dm_exec_requests as r cross apply sys.dm_exec_sql_text(r.sql_handle) as t
[*] SCRUBBED_IP_ADDRESS:1433 - Row Count: 5 (Status: 16 Command: 193)
[-] SCRUBBED_IP_ADDRESS:1433 - unsupported token: 0
[-] SCRUBBED_IP_ADDRESS:1433 - unsupported token: 53
[-] SCRUBBED_IP_ADDRESS:1433 - unsupported token: 0
[-] SCRUBBED_IP_ADDRESS:1433 - unsupported token: 44
...SNIPPED...
[-] SCRUBBED_IP_ADDRESS:1433 - unsupported token: 0
[-] SCRUBBED_IP_ADDRESS:1433 - unsupported token: 10
[-] SCRUBBED_IP_ADDRESS:1433 - unsupported token: 0
[-] SCRUBBED_IP_ADDRESS:1433 - unknown column type: {:utype=>0, :flags=>9, :type=>99, :id=>:unknown, :msg_len=>254, :name=>"\xFF\xFF\x7F\t\x04\xD04\x14sys.dm_exec_sql_text\x04text\xD1\x10dummy textptrdummyTS(\x02(@1 int,@2 int,@3 int,@4 int,@5 numeric(8,1),@6 numeric(8,1),@7 varchar(8000),@8 int)UPDATE [SCRUBBED] set [deal_num] = @1,[tran_num] = @2,[currency] = @3,[tran_status] = @4,[SCRUBBED] = @"}
[-] SCRUBBED_IP_ADDRESS:1433 - unsupported token: 16
[-] SCRUBBED_IP_ADDRESS:1433 - unsupported token: 100
...SNIPPED...
[-] SCRUBBED_IP_ADDRESS:1433 - unsupported token: 0
[-] SCRUBBED_IP_ADDRESS:1433 - Auxiliary failed: Rex::RuntimeError Invalid number of columns!
[-] SCRUBBED_IP_ADDRESS:1433 - Call stack:
[-] SCRUBBED_IP_ADDRESS:1433 - /usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-text-0.2.55/lib/rex/text/wrapped_table.rb:194:in 'add_row'
[-] SCRUBBED_IP_ADDRESS:1433 - /usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-text-0.2.55/lib/rex/text/wrapped_table.rb:186:in '<<'
[-] SCRUBBED_IP_ADDRESS:1433 - /usr/share/metasploit-framework/lib/rex/proto/mssql/client_mixin.rb:58:in 'block in mssql_print_reply'
[-] SCRUBBED_IP_ADDRESS:1433 - /usr/share/metasploit-framework/lib/rex/proto/mssql/client_mixin.rb:57:in 'each'
[-] SCRUBBED_IP_ADDRESS:1433 - /usr/share/metasploit-framework/lib/rex/proto/mssql/client_mixin.rb:57:in 'mssql_print_reply'
[-] SCRUBBED_IP_ADDRESS:1433 - /usr/share/metasploit-framework/lib/rex/proto/mssql/client.rb:577:in 'mssql_query'
[-] SCRUBBED_IP_ADDRESS:1433 - /usr/share/metasploit-framework/lib/msf/core/exploit/remote/mssql.rb:201:in 'mssql_query'
[-] SCRUBBED_IP_ADDRESS:1433 - /usr/share/metasploit-framework/modules/auxiliary/admin/mssql/mssql_sql.rb:41:in 'run'
[*] Auxiliary module execution completed
This section should also tell us any relevant information about the
environment; for example, if an exploit that used to work is failing,
tell us the victim operating system and service versions.
Victim:
Microsoft SQL Server 2019 (RTM-CU24) (KB5031908) - 15.0.4345.5 (X64) Dec 4 2023 14:44:16 Copyright (C) 2019 Microsoft Corporation Standard Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
Attacker:
Linux SCRUBBED_HOSTNAME 6.6.9-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.6.9-1kali1 (2024-01-08) x86_64 GNU/Linux
Were you following a specific guide/tutorial or reading documentation?
No
Expected behavior
Output returned properly as observed in wireshark capture
What should happen?
Resultant output parsed properly and displayed in the msfconsole prompt
Current behavior
What happens instead?
Errors parsing responses as shown above
Metasploit version
Framework: 6.3.55-dev
Console : 6.3.55-dev
Additional Information
Module/Datastore
The following global/module datastore, and database setup was configured before the issue occurred:
Database Configuration
The database contains the following information:
History
The following commands were run during the session and before this issue occurred:
Framework Errors
The following framework errors occurred before the issue occurred:
Web Service Errors
The following web service errors occurred before the issue occurred:
Framework Logs
The following framework logs were recorded before the issue occurred:
Web Service Logs
The following web service logs were recorded before the issue occurred:
Version/Install
The versions and install method of your Metasploit setup: