nmap
NSE: Multiple Bugs in ms-sql-* scripts (e.g. ms-sql-info)
Describe the bug
The ms-sql-info NSE script fails to run:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 10:50 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000078s latency).
PORT STATE SERVICE VERSION
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.4188.00; CU14
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.76 seconds
Stack Trace:
NSE: ms-sql-info against 127.0.0.1:1433 threw an error!
attempt to index a nil value
stack traceback:
[C]: in for iterator 'for iterator'
/usr/bin/../share/nmap/nselib/mssql.lua:3334: in function </usr/bin/../share/nmap/nselib/mssql.lua:3327>
(...tail calls...)
Completed NSE at 10:51, 0.01s elapsed
To Reproduce
Run the following nmap scan against a single instance of mssql server (e.g. SQL Server 2019):
sudo nmap -sS -p 1433 --script ms-sql-info -sV 127.0.0.1
Expected behavior
Expecting the full NSE script output for ms-sql-info:
$ sudo nmap -sS -p 1433 --script ms-sql-info -sV 127.0.0.1
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 12:21 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00019s latency).
PORT STATE SERVICE VERSION
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.4188.00; CU14
| ms-sql-info:
| 127.0.0.1:1433:
| Version:
| name: Microsoft SQL Server 2019 CU14
| number: 15.00.4188.00
| Product: Microsoft SQL Server 2019
| Service pack level: CU14
| Post-SP patches applied: false
|_ TCP port: 1433
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.97 seconds
Version info (please complete the following information):
- OS: Linux kali 6.1.0-kali5-amd64
- Output of nmap --version:
Nmap version 7.93 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.6 openssl-3.0.8 libssh2-1.10.0 libz-1.2.13 libpcre-8.39 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
Quick Fix
I have patched my mssql.lua as follows. I can't guarantee that this won't break compatibility with other scripts...
nselib/mssql.lua (diff):
3206,3207c3206,3207
< local status, instances = Helper.GetDiscoveredInstances(host, port)
< if status then
---
> local instances = Helper.GetDiscoveredInstances(host, port)
> if instances then
Note: Helper.GetDiscoveredInstances only returns one value, this is the source of the stack trace.
With this fix, the script works but still doesn't create the full output when run against a single SQL instance. It might work if you run against multiple instances but I haven't checked.
The reason is the following segment:
https://github.com/nmap/nmap/blob/ad3935b642714d363a2a0a2a4fc892c8c292fc5c/nselib/mssql.lua#L3337-L3340
#output will always return 0 when scanning a single instance, since the table is indexed by a string (e.g. ("127.0.0.1:1433", table:0xaaaaaaaa)); see https://www.lua.org/manual/5.4/manual.html on ipairs vs pairs: # only counts index-value pairs, i.e. ipairs.
As a quick fix you can comment out lines 3337, 3339 and 3340.
Additional Issues
For me, only a few of the ms-sql-* scripts actually work. This is partly due to the use of the deprecated format_output function, e.g. in the following scripts:
- ms-sql-hasdbaccess.nse
- ms-sql-query.nse
- ms-sql-brute.nse
- ms-sql-config.nse
- broadcast-ms-sql-discover.nse
- ms-sql-xp-cmdshell.nse
- ms-sql-tables.nse
Also, there is a typo in ms-sql-tables.nse ("ouptut" vs "output", see below): https://github.com/nmap/nmap/blob/ad3935b642714d363a2a0a2a4fc892c8c292fc5c/scripts/ms-sql-tables.nse#L248
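The two defects described in this report can be reproduced outside Nmap. The following is an added illustration, not code from nmap or nselib/mssql.lua: it models, in plain Lua 5.3 with no NSE dependencies, both a two-variable assignment of a single return value (which leaves `instances` nil and makes the ipairs loop fail inside the for iterator) and the use of `#` on a string-keyed table (which reports 0 even when entries exist). Every function and instance name here (`make_instance`, `get_discovered_instances`, `get_target_instances_buggy`, `get_target_instances_fixed`, `collect_output`) is constructed for the example and stands in for the library's real helpers; the "before" variants deliberately keep the reported behaviour.

```lua
-- Added illustration, not code from nmap or the nselib/mssql.lua library.
-- Models in plain Lua 5.3 the two defects reported above. All names and
-- sample values below are constructed for this example.

-- Minimal stand-in for an instance object; GetName() is all the loop needs.
local function make_instance(host, port)
  return { GetName = function() return host .. ":" .. port end }
end

-- Stand-in for Helper.GetDiscoveredInstances: returns ONE value (a list of
-- instances, or nil), never a (status, instances) pair.
local function get_discovered_instances(host, port)
  if port == 1433 then
    return { make_instance(host, port) }
  end
  return nil
end

-- Caller as it was before the fix: 'status' silently receives the list and
-- 'instances' is nil, so the function reports success with no data.
local function get_target_instances_buggy(host, port)
  local status, instances = get_discovered_instances(host, port)
  if status then
    return true, instances
  end
  return false, "No SQL Server instance detected on this port"
end

-- Caller as fixed: bind the single return value to 'instances'.
local function get_target_instances_fixed(host, port)
  local instances = get_discovered_instances(host, port)
  if instances then
    return true, instances
  end
  return false, "No SQL Server instance detected on this port"
end

-- Output aggregation keyed by instance name (a string), as in the library.
-- '#' only measures the array part (integer keys 1..n), so on a table with
-- string keys it yields 0 even when entries exist; a real counter (or
-- next(output) ~= nil) is needed instead.
local function collect_output(instances, use_real_count)
  local output, count = {}, 0
  for _, instance in ipairs(instances) do  -- with instances == nil this raises inside the iterator
    output[instance:GetName()] = { version = "constructed value" }
    count = count + 1
  end
  local n = use_real_count and count or #output
  if n > 0 then
    return output, n
  end
  return nil, n
end

-- 1) Pre-fix helper: 'instances' is nil and the loop raises
--    "attempt to index a nil value" from the for iterator, as in the report.
local ok, err = pcall(function()
  local _, instances = get_target_instances_buggy("127.0.0.1", 1433)
  return collect_output(instances, true)
end)
print("buggy helper:", ok, err)

-- 2) Fixed helper, but output measured with '#': one instance was found,
--    yet #output is 0, so the script would print nothing.
local _, instances = get_target_instances_fixed("127.0.0.1", 1433)
local result, n = collect_output(instances, false)
print("fixed helper, '#' count:", n, result)

-- 3) Fixed helper with a real count: the single instance is reported.
result, n = collect_output(instances, true)
print("fixed helper, real count:", n, result and next(result))
```

Run it with `lua5.3 example.lua`; the first case is wrapped in `pcall` so the script continues past the error and shows the other two outcomes. On Lua 5.1 or LuaJIT the first case fails earlier, with a "bad argument" error from `ipairs` itself, because those versions type-check the argument rather than failing in the iterator.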
Thanks for this... well, I gave homework to my students, and now they are all screwed :D I'll have them download older versions of nmap for now... Edit: Only some Windows systems are affected by this. I can only tell from student assignment submissions as the majority of them seem to be able to get results. I tested this on my own systems and Windows 10 Pro in VM is unaffected, but Windows 10 Home in VM is affected by this. I only installed these two VMs to check, so this is not a complete test or even a good sample size for narrowing down the problem. There may be other factors contributing to this than nmap itself.
Hello!
I've also noticed this issue using nmap 7.93. We have pushed a patch to Kali's repository that should fix it. Feel free to test it and open a bug report (bugs.kali.org) if there's anything else to fix.
Here's the commit with the patch https://gitlab.com/kalilinux/packages/nmap/-/commit/984afc842c6e4a0b4f1b4c3fdd2ecaf10e7127c9
From: Sophie Brun <[email protected]>
Date: Tue, 28 Mar 2023 10:29:02 +0200
Subject: Fix mssql scripts
Fix the following issues:
- GetTargetInstances returns only one value.
- #output will always return 0 when scanning a single instance. Add a real count of values
- typo in scripts/ms-sql-tables.nse (ouptut != output)
Bug: https://github.com/nmap/nmap/issues/2622
Origin: https://github.com/nmap/nmap/issues/2622
---
nselib/mssql.lua | 9 ++++++---
scripts/ms-sql-tables.nse | 2 +-
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/nselib/mssql.lua b/nselib/mssql.lua
index e275e54..cdf287e 100644
--- a/nselib/mssql.lua
+++ b/nselib/mssql.lua
@@ -3203,8 +3203,9 @@ Helper =
Helper.Discover( host )
if ( port ) then
- local status, instances = Helper.GetDiscoveredInstances(host, port)
- if status then
+ local instances = Helper.GetDiscoveredInstances(host, port)
+
+ if instances then
return true, instances
else
return false, "No SQL Server instance detected on this port"
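Review bot: `if instances then` in this hunk treats an empty table as success, since every table is truthy in Lua; if `Helper.GetDiscoveredInstances` can return `{}` rather than `nil` when nothing is listening on the port, the `"No SQL Server instance detected on this port"` branch can no longer be reached. A guard such as `if instances and next(instances) then` keeps that error path intact. The added empty `+` line between the assignment and the check is also a stray whitespace-only change.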
@@ -3331,10 +3332,12 @@ Helper =
return nil
end
local output = {}
+ local count = 0
for _, instance in ipairs(instances) do
output[instance:GetName()] = process_instance(instance)
+ count = count + 1
end
- if #output > 0 then
+ if count > 0 then
return outlib.sorted_by_key(output)
end
return nil
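Review bot: `count = count + 1` is incremented unconditionally, but `output[instance:GetName()] = process_instance(instance)` stores nothing when `process_instance` returns nil, so `count > 0` can pass while `output` is still empty and `outlib.sorted_by_key` is handed an empty table. Either increment only when the stored value is non-nil, or drop the counter and test `next(output) ~= nil`, which directly answers whether the string-keyed table has any entry.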
diff --git a/scripts/ms-sql-tables.nse b/scripts/ms-sql-tables.nse
index caf0a82..45f32c5 100644
--- a/scripts/ms-sql-tables.nse
+++ b/scripts/ms-sql-tables.nse
@@ -245,7 +245,7 @@ local function process_instance( instance )
instanceOutput["name"] = string.format( "[%s]", instance:GetName() )
table.insert( instanceOutput, output )
- return stdnse.format_ouptut(true, instanceOutput)
+ return stdnse.format_output(true, instanceOutput)
end
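Review bot: the spelling fix is correct and restores the call the script intended, but it still goes through `stdnse.format_output`, which the original report lists as deprecated in this and several other ms-sql-* scripts; a follow-up that moves this script to structured output rather than only correcting the name would close that part of the report as well.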
We have also uploaded the fixed package (version 7.93+dfsg1-0kali3) to the kali-experimental branch, and it should be ready in kali-rolling soon. http://pkg.kali.org/pkg/nmap
Thanks a lot!
Could be possible that the patch is also fixing #2535, #2388, #2571 and #2572
Hello, I tested "ms-sql-info" with 3 versions of NMap:
- nmap-7.92.tar.bz2: with no changes, ms-sql-* scripts are working.
- nmap-7.93.tar.bz2: ms-sql-* scripts are not working; I changed mssql.lua with the patch from @daniruiz.
- nmap-7.94.tar.bz2: ms-sql-* scripts are not working; I changed mssql.lua with the patch from @daniruiz.
When I am using "ms-sql-info" with NMap 7.92, the script gives the list of all the MS-SQL instances from one server. When I am using "ms-sql-info" with NMap 7.93 (patched) or 7.94 (patched), the script works but gives only one MS-SQL instance per server. Am I the only one experiencing this?
Also, I don't know if it is linked to this issue, but with the 7.93 (patched) or 7.94 (patched) versions, when using the script "ms-sql-config" (or any other ms-sql-* with credentials), when I try to use mssql.domain (with username and password), I get the following error: "No parser for token type: 0x0".
👋 any news on merging/pushing this potential fix?
I'm currently still learning, but I recently ran an nmap script using ms-* scripts, and I still received the error concerning 'NIL'.. I'm assuming this still needs work
Still not fixed... I'm probably going to have to provide older version of nmap or find some other solution. Unfortunately it seems that this software is not very well maintained for Windows, so nmap/zenmap may or may not work on student systems which is not something that we can tolerate when they are just starting their learning, and cannot yet identify if they actually got the correct output or not.
not very well maintained for Windows
This is not Windows specific and also happens on any other system like a Linux one.
I also ran into this and did not look for an issue before submitting a PR. However my PR #2784 also addresses this issue.
Fixed this bug:
attempt to index a nil value
stack traceback:
[C]: in for iterator 'for iterator'
Thanks to @secmxx for this excellent write-up.
All the issues covered by @johnjaylward's PR #2784 have been hopefully rectified in r38948 (a0d24d051855a1eed58d745e0b28239bf2ab1bd8), r38945 (3ab8fc27f83fdee46af7c1a9778eff2b42d2e8bf), and r38943 (f4b092259c49ec9d0e0c1ea3f85cec142c0395a6), albeit partially differently.
The issue with the misspelled stdnse.format_ouptut() in ms-sql-tables.nse has been rectified in r38949 (92995af023df9b9423234d3cae37c6706816ebe0).