diff --git a/lib/core/common.py b/lib/core/common.py
index 6a56258a0..d794e712e 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -1127,6 +1127,7 @@ def cleanQuery(query):
 def setPaths():
     # sqlmap paths
     paths.SQLMAP_EXTRAS_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "extra")
+    paths.SQLMAP_PROCS_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "procs")
     paths.SQLMAP_SHELL_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "shell")
     paths.SQLMAP_TAMPER_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "tamper")
     paths.SQLMAP_TXT_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "txt")
@@ -1806,6 +1807,17 @@ def parseXmlFile(xmlFile, handler):
         parse(stream, handler)
         stream.close()
 
+def getSPLSnippet(name, **variables):
+    """
+    Returns content of snippet stored in program's "procs" directory
+    """
+    filename = os.path.join(paths.SQLMAP_PROCS_PATH, "%s.txt" % name)
+    checkFile(filename)
+    retVal = readCachedFileContent(filename)
+    for _ in variables.keys():
+        retVal = re.sub(r"%%%s%%" % _, variables[_], retVal, flags=re.I)
+    return retVal
+
 def readCachedFileContent(filename, mode='rb'):
     """
     Cached reading of file content (avoiding multiple same file reading)
diff --git a/lib/takeover/xp_cmdshell.py b/lib/takeover/xp_cmdshell.py
index 7e36faf0a..87338dd84 100644
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@@ -8,12 +8,15 @@ See the file 'doc/COPYING' for copying permission
 """
 
 from lib.core.common import Backend
+from lib.core.common import getSPLSnippet
 from lib.core.common import randomStr
+from lib.core.common import readCachedFileContent
 from lib.core.common import readInput
 from lib.core.common import wasLastRequestDelayed
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
+from lib.core.data import paths
 from lib.core.exception import sqlmapUnsupportedFeatureException
 from lib.core.session import setXpCmdshellAvailability
 from lib.core.unescaper import unescaper
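Review bot: In getSPLSnippet the substitution value is passed to re.sub as a replacement string, so a value containing a backslash (`\1`, `\g<...>`) is interpreted as a backreference and can be mangled or raise re.error, and the variable name is interpolated into the pattern unescaped. Both are avoided by iterating the items, escaping the key and supplying the value through a callable: `for key, value in variables.items():` / `retVal = re.sub(r"%%%s%%" % re.escape(key), lambda _: value, retVal, flags=re.I)`. The loop also reads `_` after binding it, which conflicts with the file's use of `_` as a throwaway name; `key`/`value` reads more clearly. The docstring could additionally state that placeholders are matched case-insensitively in the `%NAME%` form, e.g. `Placeholders of the form %NAME% (case-insensitive) are replaced with the given keyword values`.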
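Review bot: The new imports `readCachedFileContent` and `paths` in lib/takeover/xp_cmdshell.py are not referenced by any added line in this diff; the only new call is `getSPLSnippet(...)`, which already resolves the procs path internally. As far as the diff shows they are dead imports and should be dropped, or, if they are used in code outside the hunk, that use should be part of this change so the dependency is visible to reviewers.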
@@ -60,12 +63,7 @@ class xp_cmdshell:
         debugMsg += "stored procedure"
         logger.debug(debugMsg)
 
-        cmd = "EXEC master..sp_configure 'show advanced options', 1; "
-        cmd += "RECONFIGURE WITH OVERRIDE; "
-        cmd += "EXEC master..sp_configure 'xp_cmdshell', %d; " % mode
-        cmd += "RECONFIGURE WITH OVERRIDE; "
-        cmd += "EXEC sp_configure 'show advanced options', 0; "
-        cmd += "RECONFIGURE WITH OVERRIDE; "
+        cmd = getSPLSnippet("configure_xp_cmdshell", ENABLE=str(mode))
 
         return cmd
 
diff --git a/procs/README.txt b/procs/README.txt
index 784914352..60cb9acca 100755
--- a/procs/README.txt
+++ b/procs/README.txt
@@ -1,3 +1,3 @@
-Files in this folder represent SQL stored procedure declarations used
+Files in this folder represent SQL Procedural Language snippets used
 by sqlmap on the target system. They are licensed under the terms of
 the GNU Lesser General Public License.
diff --git a/procs/configure_xp_cmdshell.txt b/procs/configure_xp_cmdshell.txt
new file mode 100644
index 000000000..3a686d381
--- /dev/null
+++ b/procs/configure_xp_cmdshell.txt
@@ -0,0 +1,6 @@
+EXEC master..sp_configure 'show advanced options', 1;
+RECONFIGURE WITH OVERRIDE;
+EXEC master..sp_configure 'xp_cmdshell', %ENABLE%;
+RECONFIGURE WITH OVERRIDE;
+EXEC sp_configure 'show advanced options', 0;
+RECONFIGURE WITH OVERRIDE;
\ No newline at end of file
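Review bot: `ENABLE=str(mode)` loosens the contract the removed `%d` formatting enforced: the old code raised on a non-integer mode, while `str()` will splice any value (e.g. `True`, `1.0`, an arbitrary string) straight into the statement. Keeping the integer coercion preserves the previous behaviour and keeps the substituted text numeric: `cmd = getSPLSnippet("configure_xp_cmdshell", ENABLE=str(int(mode)))`. The enclosing method's signature and its start are outside this hunk.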
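Review bot: The new file procs/configure_xp_cmdshell.txt is committed without a trailing newline (`\ No newline at end of file`), which the README's sibling files in this folder presumably have and which makes future diffs of the last line noisier. Adding a final newline after the last `RECONFIGURE WITH OVERRIDE;` is a one-character fix.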