
Commit d8a0e7e

committed
fixes #187
1 parent f3ff239 commit d8a0e7e

6 files changed

Lines changed: 60 additions & 20 deletions


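--- a/lib/takeover/abstraction.py
+++ b/lib/takeover/abstraction.py
@@ -15,6 +15,7 @@
 from lib.core.data import logger
 from lib.core.enums import DBMS
 from lib.core.enums import PAYLOAD
+from lib.core.exception import SqlmapFilePathException
 from lib.core.exception import SqlmapUnsupportedFeatureException
 from lib.core.shell import autoCompletion
 from lib.request import inject
@@ -195,7 +196,11 @@ def initEnv(self, mandatory=True, detailed=False, web=False):
 logger.warn(warnMsg)
 
 if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
-self.udfInjectSys()
+success = self.udfInjectSys()
+
+if success is not True:
+msg = "unable to mount the operating system takeover"
+raise SqlmapFilePathException(msg)
 elif Backend.isDbms(DBMS.MSSQL):
 if mandatory:
 self.xpCmdshellInit()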

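--- a/lib/takeover/udf.py
+++ b/lib/takeover/udf.py
@@ -137,6 +137,8 @@ def udfCreateFromSharedLib(self, udf=None, inpRet=None):
 raise SqlmapUnsupportedFeatureException(errMsg)
 
 def udfInjectCore(self, udfDict):
+written = False
+
 for udf in udfDict.keys():
 if udf in self.createdUdf:
 continue
@@ -145,7 +147,22 @@ def udfInjectCore(self, udfDict):
 
 if len(self.udfToCreate) > 0:
 self.udfSetRemotePath()
-self.writeFile(self.udfLocalFile, self.udfRemoteFile, "binary")
+written = self.writeFile(self.udfLocalFile, self.udfRemoteFile, "binary", forceCheck=True)
+
+if written is not True:
+errMsg = "there has been a problem uploading the shared library, "
+errMsg += "it looks like the binary file has not been written "
+errMsg += "on the database underlying file system"
+logger.error(errMsg)
+
+message = "do you want to proceed anyway? Beware that the "
+message += "operating system takeover will fail [y/N] "
+choice = readInput(message, default="N")
+
+if choice and choice.lower() == "y":
+written = True
+else:
+return False
 
 for udf, inpRet in udfDict.items():
 if udf in self.udfToCreate and udf not in self.createdUdf:
@@ -158,10 +175,12 @@ def udfInjectCore(self, udfDict):
 
 self.udfCreateSupportTbl(supportTblType)
 
+return written
+
 def udfInjectSys(self):
 self.udfSetLocalPaths()
 self.udfCheckNeeded()
-self.udfInjectCore(self.sysUdfs)
+return self.udfInjectCore(self.sysUdfs)
 
 def udfInjectCustom(self):
 if Backend.getIdentifiedDbms() not in (DBMS.MYSQL, DBMS.PGSQL):
@@ -297,7 +316,11 @@ def udfInjectCustom(self):
 self.udfs[udfName]["return"] = retType
 break
 
-self.udfInjectCore(self.udfs)
+success = self.udfInjectCore(self.udfs)
+
+if success is False:
+self.cleanup(udfDict=self.udfs)
+return False
 
 msg = "do you want to call your injected user-defined "
 msg += "functions now? [Y/n/q] "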
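Review bot: The path through `udfInjectCore` where nothing needs uploading now returns False, because `written = False` is only reassigned inside `if len(self.udfToCreate) > 0:` and the new `return written` hands that initial value back. Both callers read False as a failed upload: `udfInjectCustom` runs `self.cleanup(udfDict=self.udfs)` and returns, and `initEnv` in lib/takeover/abstraction.py raises `SqlmapFilePathException`. Two lines of the function between the first and second hunk are not visible, so this needs confirming against the full body. If it holds, adding `else: return True` to that `if` keeps the "already present, nothing to write" case from being reported as an error. A one-line docstring stating that the function returns True or False would also make the new contract explicit for the `is not True` / `is False` checks in the callers.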

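--- a/plugins/dbms/mssqlserver/filesystem.py
+++ b/plugins/dbms/mssqlserver/filesystem.py
@@ -326,7 +326,7 @@ def _stackedWriteFileVbs(self, tmpPath, wFileContent, dFile, fileType):
 
 self.execCmd(complComm)
 
-def stackedWriteFile(self, wFile, dFile, fileType):
+def stackedWriteFile(self, wFile, dFile, fileType, forceCheck=False):
 # NOTE: this is needed here because we use xp_cmdshell extended
 # procedure to write a file on the back-end Microsoft SQL Server
 # file system
@@ -341,14 +341,16 @@ def stackedWriteFile(self, wFile, dFile, fileType):
 
 self._stackedWriteFileVbs(tmpPath, wFileContent, dFile, fileType)
 
-sameFile = self.askCheckWrittenFile(wFile, dFile)
+written = self.askCheckWrittenFile(wFile, dFile)
 
-if sameFile is False:
+if written is False:
 message = "do you want to try to upload the file with "
 message += "another technique? [Y/n] "
 choice = readInput(message, default="Y")
 
 if not choice or choice.lower() == "y":
 self._stackedWriteFileDebugExe(tmpPath, wFile, wFileContent, dFile, fileType)
 #self._stackedWriteFilePS(tmpPath, wFileContent, dFile, fileType)
-self.askCheckWrittenFile(wFile, dFile)
+written = self.askCheckWrittenFile(wFile, dFile, forceCheck)
+
+return written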
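Review bot: The first `askCheckWrittenFile(wFile, dFile)` call in `stackedWriteFile` still omits `forceCheck`, so a caller that passes `forceCheck=True` only gets a forced length comparison on the fallback path. On the first attempt the confirmation prompt is still shown, and per the generic implementation in this commit an answer of "n" makes `askCheckWrittenFile` return True without calling `_checkFileLength`. The function would then return True for an unverified write. Passing the flag on the first call as well, `written = self.askCheckWrittenFile(wFile, dFile, forceCheck)`, matches the MySQL and PostgreSQL plugins. The start of the function body is outside the hunk.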

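--- a/plugins/dbms/mysql/filesystem.py
+++ b/plugins/dbms/mysql/filesystem.py
@@ -104,7 +104,7 @@ def unionWriteFile(self, wFile, dFile, fileType):
 warnMsg += "file as a leftover from UNION query"
 singleTimeWarnMessage(warnMsg)
 
-def stackedWriteFile(self, wFile, dFile, fileType):
+def stackedWriteFile(self, wFile, dFile, fileType, forceCheck=False):
 debugMsg = "creating a support table to write the hexadecimal "
 debugMsg += "encoded file to"
 logger.debug(debugMsg)
@@ -131,4 +131,4 @@ def stackedWriteFile(self, wFile, dFile, fileType):
 # Reference: http://dev.mysql.com/doc/refman/5.1/en/select.html
 inject.goStacked("SELECT %s FROM %s INTO DUMPFILE '%s'" % (self.tblField, self.fileTblName, dFile), silent=True)
 
-self.askCheckWrittenFile(wFile, dFile)
+return self.askCheckWrittenFile(wFile, dFile, forceCheck)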
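Review bot: `unionWriteFile`, whose tail is the context of the first hunk, is left without a return value or a `forceCheck` parameter, while `stackedWriteFile` now returns the check result. The commit changes no lines in the UNION branch of the generic `writeFile`, so that branch appears to leave `written` at its initial False, and a write done through the UNION technique would be reported as failed. This is inferred from the visible hunks only, since most of `unionWriteFile` is outside the view. If confirmed, giving it the same signature and ending it with `return self.askCheckWrittenFile(wFile, dFile, forceCheck)`, plus assigning the result in `writeFile`, would make the two techniques agree.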

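--- a/plugins/dbms/postgresql/filesystem.py
+++ b/plugins/dbms/postgresql/filesystem.py
@@ -33,7 +33,7 @@ def unionWriteFile(self, wFile, dFile, fileType):
 errMsg += "query SQL injection technique"
 raise SqlmapUnsupportedFeatureException(errMsg)
 
-def stackedWriteFile(self, wFile, dFile, fileType):
+def stackedWriteFile(self, wFile, dFile, fileType, forceCheck=False):
 wFileSize = os.path.getsize(wFile)
 
 if wFileSize > 8192:
@@ -110,6 +110,8 @@ def stackedWriteFile(self, wFile, dFile, fileType):
 # (pg_largeobject 'data' field)
 inject.goStacked("SELECT lo_export(%d, '%s')" % (self.oid, dFile), silent=True)
 
-self.askCheckWrittenFile(wFile, dFile)
+written = self.askCheckWrittenFile(wFile, dFile, forceCheck)
 
 inject.goStacked("SELECT lo_unlink(%d)" % self.oid)
+
+return written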

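--- a/plugins/generic/filesystem.py
+++ b/plugins/generic/filesystem.py
@@ -135,13 +135,17 @@ def fileEncode(self, fileName, encoding, single):
 
 return retVal
 
-def askCheckWrittenFile(self, localFile, remoteFile):
-message = "do you want confirmation that the local file '%s' " % localFile
-message += "has been successfully written on the back-end DBMS "
-message += "file system (%s)? [Y/n] " % remoteFile
-output = readInput(message, default="Y")
+def askCheckWrittenFile(self, localFile, remoteFile, forceCheck=False):
+output = None
+if forceCheck is not True:
+message = "do you want confirmation that the local file '%s' " % localFile
+message += "has been successfully written on the back-end DBMS "
+message += "file system (%s)? [Y/n] " % remoteFile
+output = readInput(message, default="Y")
 
-if not output or output in ("y", "Y"):
+readInput("press ENTER to continue :)")
+
+if forceCheck or (not output or output in ("y", "Y")):
 return self._checkFileLength(localFile, remoteFile)
 
 return True
@@ -249,7 +253,9 @@ def readFile(self, remoteFiles):
 
 return localFilePaths
 
-def writeFile(self, localFile, remoteFile, fileType=None):
+def writeFile(self, localFile, remoteFile, fileType=None, forceCheck=False):
+written = False
+
 self.checkDbmsOs()
 
 if localFile.endswith('_'):
@@ -261,7 +267,7 @@ def writeFile(self, localFile, remoteFile, fileType=None):
 debugMsg += "stacked query SQL injection technique"
 logger.debug(debugMsg)
 
-self.stackedWriteFile(localFile, remoteFile, fileType)
+written = self.stackedWriteFile(localFile, remoteFile, fileType, forceCheck)
 self.cleanup(onlyFileTbl=True)
 elif isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) and Backend.isDbms(DBMS.MYSQL):
 debugMsg = "going to upload the %s file with " % fileType
@@ -276,3 +282,5 @@ def writeFile(self, localFile, remoteFile, fileType=None):
 logger.error(errMsg)
 
 return None
+
+return written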
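Review bot: `readInput("press ENTER to continue :)")` in `askCheckWrittenFile` looks like a debugging leftover and should be removed before merge. The page has lost indentation, but the line follows the blank line after the `if forceCheck is not True:` block, so it appears to run on every call, adding a prompt that has nothing to do with the file check and whose result is discarded. Separately, a short docstring on `askCheckWrittenFile` and `writeFile` would help, stating that `forceCheck=True` skips the confirmation question and always runs `_checkFileLength`. It should also say that `writeFile` can now return True, False or None, since callers in this commit test the result with `is not True` and `is False`.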
