There was no point relying on a support table (sqlmapoutput) to get the stdout of executed OS commands when using direct connection (-d) and it saves also number of requests.

Also, BULK INSERT apparently does not work on MSSQL when running as Network Service (at least on Windows XP) so one more reason to avoid using support table. Minor fix also to threat MSSQL's EXEC statements as SELECT ones
2024-11-22 17:46:37 +03:00 · 2012-02-17 15:54:49 +00:00 · 2012-02-17 15:54:49 +00:00 · 121148f27f
commit 121148f27f
parent ebd40b3933
4 changed files with 54 additions and 22 deletions
--- a/lib/request/direct.py
+++ b/lib/request/direct.py
@ -47,7 +47,7 @@ def direct(query, content=True):
    logger.log(9, query)
    start = time.time()
-    if not select:
+    if not select and "EXEC " not in query:
        _ = timeout(func=conf.dbmsConnector.execute, args=(query,), duration=conf.timeout, default=None)
    elif conf.hostname in kb.resumedQueries and query in kb.resumedQueries[conf.hostname] and "sqlmapoutput" not in query and "sqlmapfile" not in query:
        try:
--- a/lib/takeover/udf.py
+++ b/lib/takeover/udf.py
@ -76,21 +76,39 @@ class UDF:
        self.createSupportTbl(self.cmdTblName, self.tblField, dataType)
    def udfForgeCmd(self, cmd):
        if not cmd.startswith("'"):
            cmd = "'%s" % cmd
        if not cmd.endswith("'"):
            cmd = "%s'" % cmd
        return cmd
    def udfExecCmd(self, cmd, silent=False, udfName=None):
        if udfName is None:
            cmd = "'%s'" % cmd
            udfName = "sys_exec"
-        cmd = unescaper.unescape(cmd)
+        cmd = unescaper.unescape(self.udfForgeCmd(cmd))
-        inject.goStacked("SELECT %s(%s)" % (udfName, cmd), silent)
+        return inject.goStacked("SELECT %s(%s)" % (udfName, cmd), silent)
    def udfEvalCmd(self, cmd, first=None, last=None, udfName=None):
        if udfName is None:
            cmd = "'%s'" % cmd
            udfName = "sys_eval"
-        cmd = unescaper.unescape(cmd)
+        if conf.direct:
            output = self.udfExecCmd(cmd, udfName=udfName)
            if output and isinstance(output, (list, tuple)):
                new_output = ""
                for line in output:
                    new_output += line.replace("\r", "\n")
                output = new_output
        else:
            cmd = unescaper.unescape(self.udfForgeCmd(cmd))
            inject.goStacked("INSERT INTO %s(%s) VALUES (%s(%s))" % (self.cmdTblName, self.tblField, udfName, cmd))
            output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, firstChar=first, lastChar=last, safeCharEncode=False)
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@ -107,11 +107,25 @@ class xp_cmdshell:
    def xpCmdshellExecCmd(self, cmd, silent=False):
        cmd = self.xpCmdshellForgeCmd(cmd)
-        inject.goStacked(cmd, silent)
+        return inject.goStacked(cmd, silent)
    def xpCmdshellEvalCmd(self, cmd, first=None, last=None):
        self.getRemoteTempPath()
        if conf.direct:
            output = self.xpCmdshellExecCmd(cmd)
            if output and isinstance(output, (list, tuple)):
                new_output = ""
                for line in output:
                    if line == "NULL":
                        new_output += "\n"
                    else:
                        new_output += "%s\n" % line.strip("\r")
                output = new_output
        else:
            tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
            cmd = "%s > \"%s\"" % (cmd, tmpFile)
--- a/plugins/dbms/postgresql/filesystem.py
+++ b/plugins/dbms/postgresql/filesystem.py
@ -34,7 +34,7 @@ class Filesystem(GenericFilesystem):
        self.initEnv()
-        return self.udfEvalCmd(cmd="'%s'" % rFile, udfName="sys_fileread")
+        return self.udfEvalCmd(cmd=rFile, udfName="sys_fileread")
    def unionWriteFile(self, wFile, dFile, fileType, confirm=True):
        errMsg = "PostgreSQL does not support file upload with UNION "