From ab412da27f76c4390eb7d8bef87ce65fcd2f06dc Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Sun, 1 Jul 2012 23:25:05 +0100
Subject: [PATCH] I am back on stage and here to stay!!! to start.. a removal of confirm switch which masked cases where file write operations failed when set to False automatically, now at least it asks the user and defaults to Yes
---
 lib/takeover/icmpsh.py | 2 +-
 lib/takeover/metasploit.py | 2 +-
 lib/takeover/registry.py | 2 +-
 lib/takeover/udf.py | 2 +-
 plugins/dbms/access/filesystem.py | 2 +-
 plugins/dbms/firebird/filesystem.py | 2 +-
 plugins/dbms/maxdb/filesystem.py | 2 +-
 plugins/dbms/mssqlserver/filesystem.py | 4 ++--
 plugins/dbms/mysql/filesystem.py | 12 +++++-------
 plugins/dbms/oracle/filesystem.py | 2 +-
 plugins/dbms/postgresql/filesystem.py | 7 +++----
 plugins/dbms/sqlite/filesystem.py | 2 +-
 plugins/dbms/sybase/filesystem.py | 2 +-
 plugins/generic/filesystem.py | 10 +++++-----
 14 files changed, 25 insertions(+), 28 deletions(-)
diff --git a/lib/takeover/icmpsh.py b/lib/takeover/icmpsh.py
index 21df81f94..a631a97f5 100644
--- a/lib/takeover/icmpsh.py
+++ b/lib/takeover/icmpsh.py
@@ -80,7 +80,7 @@ class ICMPsh:
 if web:
 self.webFileUpload(self.__icmpslave, self.__icmpslaveRemote, self.webDirectory)
 else:
- self.writeFile(self.__icmpslave, self.__icmpslaveRemote, "binary", False)
+ self.writeFile(self.__icmpslave, self.__icmpslaveRemote, "binary")
 def icmpPwn(self):
 self.__prepareIngredients()
diff --git a/lib/takeover/metasploit.py b/lib/takeover/metasploit.py
index 33edce1fb..13d6ed567 100644
--- a/lib/takeover/metasploit.py
+++ b/lib/takeover/metasploit.py
@@ -554,7 +554,7 @@ class Metasploit:
 if web:
 self.webFileUpload(self.shellcodeexecLocal, self.shellcodeexecRemote, self.webDirectory)
 else:
- self.writeFile(self.shellcodeexecLocal, self.shellcodeexecRemote, "binary", False)
+ self.writeFile(self.shellcodeexecLocal, self.shellcodeexecRemote, "binary")
 def pwn(self, goUdf=False):
 if goUdf:
diff --git a/lib/takeover/registry.py b/lib/takeover/registry.py
index 4dbadb403..07b120f37 100644
--- a/lib/takeover/registry.py
+++ b/lib/takeover/registry.py
@@ -65,7 +65,7 @@ class Registry:
 logger.debug("creating batch file '%s'" % self.__batPathRemote)
 self.__createLocalBatchFile()
- self.writeFile(self.__batPathLocal, self.__batPathRemote, "text", False)
+ self.writeFile(self.__batPathLocal, self.__batPathRemote, "text")
 os.unlink(self.__batPathLocal)
diff --git a/lib/takeover/udf.py b/lib/takeover/udf.py
index 51591056e..a6fe79dc4 100644
--- a/lib/takeover/udf.py
+++ b/lib/takeover/udf.py
@@ -156,7 +156,7 @@ class UDF:
 if len(self.udfToCreate) > 0:
 self.udfSetRemotePath()
- self.writeFile(self.udfLocalFile, self.udfRemoteFile, "binary", False)
+ self.writeFile(self.udfLocalFile, self.udfRemoteFile, "binary")
 for udf, inpRet in udfDict.items():
 if udf in self.udfToCreate and udf not in self.createdUdf:
diff --git a/plugins/dbms/access/filesystem.py b/plugins/dbms/access/filesystem.py
index b92cecae7..79cf15f8b 100644
--- a/plugins/dbms/access/filesystem.py
+++ b/plugins/dbms/access/filesystem.py
@@ -16,6 +16,6 @@ class Filesystem(GenericFilesystem):
 errMsg = "on Microsoft Access it is not possible to read files"
 raise sqlmapUnsupportedFeatureException, errMsg
- def writeFile(self, wFile, dFile, fileType=None, confirm=True):
+ def writeFile(self, wFile, dFile, fileType=None):
 errMsg = "on Microsoft Access it is not possible to write files"
 raise sqlmapUnsupportedFeatureException, errMsg
diff --git a/plugins/dbms/firebird/filesystem.py b/plugins/dbms/firebird/filesystem.py
index 09575e3d3..573400efd 100644
--- a/plugins/dbms/firebird/filesystem.py
+++ b/plugins/dbms/firebird/filesystem.py
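Review bot: In lib/takeover/registry.py (hunk at -65,7), the local batch file created by `self.__createLocalBatchFile()` is removed only if `self.writeFile(...)` returns normally, so any exception from the write leaves it on disk. The DBMS stubs in this same commit show that writeFile can raise `sqlmapUnsupportedFeatureException`, and the commit message implies the user is now prompted on this path, where an interrupt would presumably have the same effect. Make the removal unconditional with `try: self.writeFile(self.__batPathLocal, self.__batPathRemote, "text")` followed by `finally: os.unlink(self.__batPathLocal)`. The enclosing method starts and ends outside the hunk.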
@@ -16,6 +16,6 @@ class Filesystem(GenericFilesystem):
 errMsg = "on Firebird it is not possible to read files"
 raise sqlmapUnsupportedFeatureException, errMsg
- def writeFile(self, wFile, dFile, fileType=None, confirm=True):
+ def writeFile(self, wFile, dFile, fileType=None):
 errMsg = "on Firebird it is not possible to write files"
 raise sqlmapUnsupportedFeatureException, errMsg
diff --git a/plugins/dbms/maxdb/filesystem.py b/plugins/dbms/maxdb/filesystem.py
index 7d7f95dd1..52c43657e 100644
--- a/plugins/dbms/maxdb/filesystem.py
+++ b/plugins/dbms/maxdb/filesystem.py
@@ -16,6 +16,6 @@ class Filesystem(GenericFilesystem):
 errMsg = "on SAP MaxDB reading of files is not supported"
 raise sqlmapUnsupportedFeatureException, errMsg
- def writeFile(self, wFile, dFile, fileType=None, confirm=True):
+ def writeFile(self, wFile, dFile, fileType=None):
 errMsg = "on SAP MaxDB writing of files is not supported"
 raise sqlmapUnsupportedFeatureException, errMsg
diff --git a/plugins/dbms/mssqlserver/filesystem.py b/plugins/dbms/mssqlserver/filesystem.py
index bff4a7909..ef3f4c2ff 100644
--- a/plugins/dbms/mssqlserver/filesystem.py
+++ b/plugins/dbms/mssqlserver/filesystem.py
@@ -164,7 +164,7 @@ class Filesystem(GenericFilesystem):
 return result
- def unionWriteFile(self, wFile, dFile, fileType, confirm=True):
+ def unionWriteFile(self, wFile, dFile, fileType):
 errMsg = "Microsoft SQL Server does not support file upload with "
 errMsg += "UNION query SQL injection technique"
 raise sqlmapUnsupportedFeatureException(errMsg)
@@ -332,7 +332,7 @@ class Filesystem(GenericFilesystem):
 self.execCmd(complComm)
- def stackedWriteFile(self, wFile, dFile, fileType, confirm=True):
+ def stackedWriteFile(self, wFile, dFile, fileType):
 # NOTE: this is needed here because we use xp_cmdshell extended
 # procedure to write a file on the back-end Microsoft SQL Server
 # file system
diff --git a/plugins/dbms/mysql/filesystem.py b/plugins/dbms/mysql/filesystem.py
index ee2b0809c..1c3467c07 100644
--- a/plugins/dbms/mysql/filesystem.py
+++ b/plugins/dbms/mysql/filesystem.py
@@ -59,7 +59,7 @@ class Filesystem(GenericFilesystem):
 warnMsg += "file '%s'" % rFile
 if conf.direct or isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
- warnMsg += ", going to fall-back to simpler technique"
+ warnMsg += ", going to fall-back to simpler UNION technique"
 logger.warn(warnMsg)
 result = self.unionReadFile(rFile)
 else:
@@ -80,7 +80,7 @@ class Filesystem(GenericFilesystem):
 return result
- def unionWriteFile(self, wFile, dFile, fileType, confirm=True):
+ def unionWriteFile(self, wFile, dFile, fileType):
 logger.debug("encoding file to its hexadecimal string value")
 fcEncodedList = self.fileEncode(wFile, "hex", True)
@@ -100,14 +100,13 @@ class Filesystem(GenericFilesystem):
 sqlQuery = "%s INTO DUMPFILE '%s'" % (fcEncodedStr, dFile)
 unionUse(sqlQuery, unpack=False)
- if confirm:
- self.askCheckWrittenFile(wFile, dFile, fileType)
+ self.askCheckWrittenFile(wFile, dFile, fileType)
 warnMsg = "expect junk characters inside the "
 warnMsg += "file as a leftover from UNION query"
 singleTimeWarnMessage(warnMsg)
- def stackedWriteFile(self, wFile, dFile, fileType, confirm=True):
+ def stackedWriteFile(self, wFile, dFile, fileType):
 debugMsg = "creating a support table to write the hexadecimal "
 debugMsg += "encoded file to"
 logger.debug(debugMsg)
@@ -134,5 +133,4 @@ class Filesystem(GenericFilesystem):
 # Reference: http://dev.mysql.com/doc/refman/5.1/en/select.html
 inject.goStacked("SELECT %s FROM %s INTO DUMPFILE '%s'" % (self.tblField, self.fileTblName, dFile), silent=True)
- if confirm:
- self.askCheckWrittenFile(wFile, dFile, fileType)
+ self.askCheckWrittenFile(wFile, dFile, fileType)
diff --git a/plugins/dbms/oracle/filesystem.py b/plugins/dbms/oracle/filesystem.py
index 4b2ab799c..1a69e4005 100644
--- a/plugins/dbms/oracle/filesystem.py
+++ b/plugins/dbms/oracle/filesystem.py
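Review bot: In plugins/dbms/mysql/filesystem.py `unionWriteFile` (hunk at -100,14), the written-file check now always runs before the user is told to "expect junk characters inside the file as a leftover from UNION query". A mismatch reported by the check therefore appears without the explanation that accounts for it. Emit the warning first by moving the `warnMsg` lines and `singleTimeWarnMessage(warnMsg)` above `self.askCheckWrittenFile(wFile, dFile, fileType)`. What askCheckWrittenFile actually compares is not visible in this diff, so this assumes it reports a size or content difference.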
@@ -17,7 +17,7 @@ class Filesystem(GenericFilesystem):
 errMsg += "Oracle"
 raise sqlmapUnsupportedFeatureException, errMsg
- def writeFile(self, wFile, dFile, fileType=None, confirm=True):
+ def writeFile(self, wFile, dFile, fileType=None):
 errMsg = "File system write access not yet implemented for "
 errMsg += "Oracle"
 raise sqlmapUnsupportedFeatureException, errMsg
diff --git a/plugins/dbms/postgresql/filesystem.py b/plugins/dbms/postgresql/filesystem.py
index e10b467c8..2701d0660 100644
--- a/plugins/dbms/postgresql/filesystem.py
+++ b/plugins/dbms/postgresql/filesystem.py
@@ -33,12 +33,12 @@ class Filesystem(GenericFilesystem):
 return self.udfEvalCmd(cmd=rFile, udfName="sys_fileread")
- def unionWriteFile(self, wFile, dFile, fileType, confirm=True):
+ def unionWriteFile(self, wFile, dFile, fileType):
 errMsg = "PostgreSQL does not support file upload with UNION "
 errMsg += "query SQL injection technique"
 raise sqlmapUnsupportedFeatureException, errMsg
- def stackedWriteFile(self, wFile, dFile, fileType, confirm=True):
+ def stackedWriteFile(self, wFile, dFile, fileType):
 wFileSize = os.path.getsize(wFile)
 if wFileSize > 8192:
@@ -115,7 +115,6 @@ class Filesystem(GenericFilesystem):
 # (pg_largeobject 'data' field)
 inject.goStacked("SELECT lo_export(%d, '%s')" % (self.oid, dFile), silent=True)
- if confirm:
- self.askCheckWrittenFile(wFile, dFile, fileType)
+ self.askCheckWrittenFile(wFile, dFile, fileType)
 inject.goStacked("SELECT lo_unlink(%d)" % self.oid)
diff --git a/plugins/dbms/sqlite/filesystem.py b/plugins/dbms/sqlite/filesystem.py
index d785993fc..84b78cf40 100644
--- a/plugins/dbms/sqlite/filesystem.py
+++ b/plugins/dbms/sqlite/filesystem.py
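Review bot: In plugins/dbms/postgresql/filesystem.py `stackedWriteFile` (hunk at -115,7), `inject.goStacked("SELECT lo_unlink(%d)" % self.oid)` is skipped whenever the now-unconditional `self.askCheckWrittenFile(wFile, dFile, fileType)` raises or is interrupted. That would leave the temporary large object behind on the database under test. Put the check in a `try:` and the `lo_unlink` call in the matching `finally:` so the cleanup always runs. The same ordering applies to `self.cleanup(onlyFileTbl=True)` after `self.stackedWriteFile(...)` in plugins/generic/filesystem.py. Whether askCheckWrittenFile can raise is not visible here, and the function body starts outside the hunk.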
@@ -16,6 +16,6 @@ class Filesystem(GenericFilesystem):
 errMsg = "on SQLite it is not possible to read files"
 raise sqlmapUnsupportedFeatureException, errMsg
- def writeFile(self, wFile, dFile, fileType=None, confirm=True):
+ def writeFile(self, wFile, dFile, fileType=None):
 errMsg = "on SQLite it is not possible to write files"
 raise sqlmapUnsupportedFeatureException, errMsg
diff --git a/plugins/dbms/sybase/filesystem.py b/plugins/dbms/sybase/filesystem.py
index 06e00b36e..8f0b54d02 100644
--- a/plugins/dbms/sybase/filesystem.py
+++ b/plugins/dbms/sybase/filesystem.py
@@ -16,6 +16,6 @@ class Filesystem(GenericFilesystem):
 errMsg = "on Sybase it is not possible to read files"
 raise sqlmapUnsupportedFeatureException, errMsg
- def writeFile(self, wFile, dFile, fileType=None, confirm=True):
+ def writeFile(self, wFile, dFile, fileType=None):
 errMsg = "on Sybase it is not possible to write files"
 raise sqlmapUnsupportedFeatureException, errMsg
diff --git a/plugins/generic/filesystem.py b/plugins/generic/filesystem.py
index b1d74c7fb..dec9463b7 100644
--- a/plugins/generic/filesystem.py
+++ b/plugins/generic/filesystem.py
@@ -176,12 +176,12 @@ class Filesystem:
 errMsg += "into the specific DBMS plugin"
 raise sqlmapUndefinedMethod, errMsg
- def unionWriteFile(self, wFile, dFile, fileType, confirm=True):
+ def unionWriteFile(self, wFile, dFile, fileType):
 errMsg = "'unionWriteFile' method must be defined "
 errMsg += "into the specific DBMS plugin"
 raise sqlmapUndefinedMethod, errMsg
- def stackedWriteFile(self, wFile, dFile, fileType, confirm=True):
+ def stackedWriteFile(self, wFile, dFile, fileType):
 errMsg = "'stackedWriteFile' method must be defined "
 errMsg += "into the specific DBMS plugin"
 raise sqlmapUndefinedMethod, errMsg
@@ -235,7 +235,7 @@ class Filesystem:
 return rFilePath
- def writeFile(self, wFile, dFile, fileType=None, confirm=True):
+ def writeFile(self, wFile, dFile, fileType=None):
 self.checkDbmsOs()
 if conf.direct or isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED):
@@ -244,14 +244,14 @@ class Filesystem:
 debugMsg += "stacked query SQL injection technique"
 logger.debug(debugMsg)
- self.stackedWriteFile(wFile, dFile, fileType, confirm)
+ self.stackedWriteFile(wFile, dFile, fileType)
 self.cleanup(onlyFileTbl=True)
 elif isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) and Backend.isDbms(DBMS.MYSQL):
 debugMsg = "going to upload the %s file with " % fileType
 debugMsg += "UNION query SQL injection technique"
 logger.debug(debugMsg)
- self.unionWriteFile(wFile, dFile, fileType, confirm)
+ self.unionWriteFile(wFile, dFile, fileType)
 else:
 errMsg = "none of the SQL injection techniques detected can "
 errMsg += "be used to write files to the underlying file "
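Review bot: In plugins/generic/filesystem.py `writeFile` (hunk at -244,14), both branches call the technique-specific writer and drop its result, so a failed write is still visible only to whoever answers the prompt. Callers of `self.writeFile(...)` cannot tell and carry on. If `askCheckWrittenFile` returns the outcome of the check (not visible in this diff), have `stackedWriteFile`/`unionWriteFile` return it and pass it up, e.g. `written = self.stackedWriteFile(wFile, dFile, fileType)` and a final `return written`. A one-line docstring on `writeFile` should also state that the written-file check is now always offered and what the return value means, since the `confirm` argument that used to express this is gone. The function continues outside the hunk.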