NetSPI / DataLoc

Scan MSSQL databases for payment card data without relying on key words

Doesn't work on some SQL Server databases and tables #3

Open itdept936 opened 1 month ago

itdept936 commented 1 month ago

I know this is an older tool, but a recent PCI Compliance exercise led me here. It's a great tool and a huge leap forward if you just want to scan quickly and "get r done". Obviously, the awesome feature is to have the source code to tweak or fix as required.

I haven't played with all of the settings yet, because I was initially stopped by a few small issues:

  1. Doesn't work for "non-standard" Database names. Our DB names are formatted like: CMP-Test, CMP-Live, CMP-Backup (where CMP is our TLA for company name, which we have a few of). After dusting off my AutoIT skills, this was an easy fix:

under Case $Button1 ;Connect to database

    For $a=1 To UBound($aResults)-1
        $ComboList=$ComboList & "[" & $aResults[$a][0] & "]|" ;put braces around DB names
    Next

EDIT - PLEASE IGNORE PROBLEM 2. Once I got the program working, I ended up reverting back to original code so that the 3rd list will populate correctly when a table name is clicked.

  2. Similar to Problem 1, doesn't work for "non-standard" table names (with dashes or spaces). Same fix as above:

under Case $Combo1 ;Database drop down menu

    For $a=1 To UBound($aResults)-1
        $aListView1Items[0]+=1  ; add [] around tables also, on LINE BELOW
        $aListView1Items[$a]=GUICtrlCreateListViewItem("[" & $aResults[$a][2] & "]|[" & $aResults[$a][3] & "]",$ListView1)
    Next
  3. When building the SQL query, the ORDER BY field is in UPPERCASE and should be lowercase:

in Func _SQL_GetDB, under the Case "tables"

$SQL_Query=$SQL_Query&"ORDER BY table_name;" ;change TABLE_NAME to lowercase, SQL server is CASE Sensitive!
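
The bracket quoting described in the fixes above, written out as an added Python example rather than the tool's AutoIt (this is not DataLoc's own code; the query shapes, the sample names and the helper names are assumptions). It shows the one case the plain `"[" & name & "]"` concatenation does not handle: a `]` inside a name has to be doubled, as T-SQL `QUOTENAME()` does, otherwise `[a]b]` is parsed as the identifier `[a]` followed by stray text.

```python
# Added example, not DataLoc code: bracket-quote SQL Server identifiers for
# databases/tables with dashes or spaces (CMP-Test, "Card Holders"), escaping ']'.
import re

# A regular (unquoted) T-SQL identifier starts with a letter, '_', '@' or '#' and
# continues with letters, digits, '_', '@', '#' or '$'. Reserved words also need
# quoting but are not checked here; that is why every part below is quoted anyway.
_REGULAR = re.compile(r"^[A-Za-z_@#][A-Za-z0-9_@#$]*$")


def needs_quoting(identifier: str) -> bool:
    """True if the name cannot be used bare in a statement (e.g. CMP-Test)."""
    return _REGULAR.match(identifier) is None


def naive_bracket(identifier: str) -> str:
    """The fix as posted: wrap in [] with no escaping. Breaks on an embedded ']'."""
    return "[" + identifier + "]"


def quotename(identifier: str) -> str:
    """Wrap in [] and double any embedded ']' (mirrors T-SQL QUOTENAME)."""
    if not identifier or len(identifier) > 128:
        raise ValueError("identifier must be 1..128 characters")
    return "[" + identifier.replace("]", "]]") + "]"


def three_part_name(database: str, schema: str, table: str) -> str:
    """[db].[schema].[table], every part quoted whether or not it needs it."""
    return ".".join(quotename(part) for part in (database, schema, table))


def list_tables_query(database: str) -> str:
    """Assumed enumeration query: base tables of one database via sys.tables."""
    db = quotename(database)
    return (
        "SELECT s.name AS schema_name, t.name AS table_name "
        f"FROM {db}.sys.tables AS t "
        f"JOIN {db}.sys.schemas AS s ON s.schema_id = t.schema_id "
        "ORDER BY t.name;"
    )


def scan_query(database: str, schema: str, table: str, sample_rows: int = 1000) -> str:
    """Assumed scan query: rows the scanner inspects, identifiers quoted, count an int."""
    if not isinstance(sample_rows, int) or sample_rows <= 0:
        raise ValueError("sample_rows must be a positive int")
    return f"SELECT TOP {sample_rows} * FROM {three_part_name(database, schema, table)};"


if __name__ == "__main__":
    # Constructed sample names in the style of the issue (CMP-Test, CMP-Live, ...).
    for name in ("CMP-Live", "Customers", "Card Holders", "odd]name"):
        print(f"{name!r:16} needs_quoting={needs_quoting(name)!s:5} "
              f"naive={naive_bracket(name)!r:18} quotename={quotename(name)!r}")
    print(list_tables_query("CMP-Backup"))
    print(scan_query("CMP-Test", "dbo", "Card Holders", 500))
```

Even though the names come from the server's own catalog, quoting them with the `]]` escape is what keeps a hostile or merely odd table name from breaking, or rewriting, the statement the scanner builds; the row count is kept as an integer rather than interpolated text for the same reason.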

itdept936 commented 1 month ago

If anyone reads this and is interested, I have also successfully:

  1. added the Date/Time to the SQL log filename, so you get a new log for each and every run
  2. used _FileWriteLog to add the exact date/time of the SQL statement
  3. rearranged the output columns for using Excel with CSV output for sorting, etc.
  4. used _WriteCSV to always SAVE the contents of the array, in CSV format and date/time stamped file, before displaying. This allows you to use Excel to give you a To-Do List of the issues.