I am back on stage and here to stay!!! To start: removal of the confirm switch, which, when automatically set to False, masked cases where file write operations failed. Now at least it asks the user and defaults to Yes.

Bernardo Damele 2012-07-01 23:25:05 +01:00
parent d7cd55fb28
commit ab412da27f
14 changed files with 25 additions and 28 deletions


@ -80,7 +80,7 @@ class ICMPsh:
if web: if web:
self.webFileUpload(self.__icmpslave, self.__icmpslaveRemote, self.webDirectory) self.webFileUpload(self.__icmpslave, self.__icmpslaveRemote, self.webDirectory)
else: else:
self.writeFile(self.__icmpslave, self.__icmpslaveRemote, "binary", False) self.writeFile(self.__icmpslave, self.__icmpslaveRemote, "binary")
def icmpPwn(self): def icmpPwn(self):
self.__prepareIngredients() self.__prepareIngredients()


@ -554,7 +554,7 @@ class Metasploit:
if web: if web:
self.webFileUpload(self.shellcodeexecLocal, self.shellcodeexecRemote, self.webDirectory) self.webFileUpload(self.shellcodeexecLocal, self.shellcodeexecRemote, self.webDirectory)
else: else:
self.writeFile(self.shellcodeexecLocal, self.shellcodeexecRemote, "binary", False) self.writeFile(self.shellcodeexecLocal, self.shellcodeexecRemote, "binary")
def pwn(self, goUdf=False): def pwn(self, goUdf=False):
if goUdf: if goUdf:


@ -65,7 +65,7 @@ class Registry:
logger.debug("creating batch file '%s'" % self.__batPathRemote) logger.debug("creating batch file '%s'" % self.__batPathRemote)
self.__createLocalBatchFile() self.__createLocalBatchFile()
self.writeFile(self.__batPathLocal, self.__batPathRemote, "text", False) self.writeFile(self.__batPathLocal, self.__batPathRemote, "text")
os.unlink(self.__batPathLocal) os.unlink(self.__batPathLocal)
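Review bot: `os.unlink(self.__batPathLocal)` is skipped whenever the preceding `self.writeFile(self.__batPathLocal, self.__batPathRemote, "text")` raises, which would leave the generated batch file on the local disk. Going by the commit message, the write path now always reaches a user prompt, which adds one more point where an exception or interrupt can occur before the unlink. Put the write inside a `try:` and move the unlink into a `finally:` so the local file is removed on every path. The enclosing method starts and ends outside this hunk, so any handling that already exists further out is not visible here.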


@ -156,7 +156,7 @@ class UDF:
if len(self.udfToCreate) > 0: if len(self.udfToCreate) > 0:
self.udfSetRemotePath() self.udfSetRemotePath()
self.writeFile(self.udfLocalFile, self.udfRemoteFile, "binary", False) self.writeFile(self.udfLocalFile, self.udfRemoteFile, "binary")
for udf, inpRet in udfDict.items(): for udf, inpRet in udfDict.items():
if udf in self.udfToCreate and udf not in self.createdUdf: if udf in self.udfToCreate and udf not in self.createdUdf:


@ -16,6 +16,6 @@ class Filesystem(GenericFilesystem):
errMsg = "on Microsoft Access it is not possible to read files" errMsg = "on Microsoft Access it is not possible to read files"
raise sqlmapUnsupportedFeatureException, errMsg raise sqlmapUnsupportedFeatureException, errMsg
def writeFile(self, wFile, dFile, fileType=None, confirm=True): def writeFile(self, wFile, dFile, fileType=None):
errMsg = "on Microsoft Access it is not possible to write files" errMsg = "on Microsoft Access it is not possible to write files"
raise sqlmapUnsupportedFeatureException, errMsg raise sqlmapUnsupportedFeatureException, errMsg


@ -16,6 +16,6 @@ class Filesystem(GenericFilesystem):
errMsg = "on Firebird it is not possible to read files" errMsg = "on Firebird it is not possible to read files"
raise sqlmapUnsupportedFeatureException, errMsg raise sqlmapUnsupportedFeatureException, errMsg
def writeFile(self, wFile, dFile, fileType=None, confirm=True): def writeFile(self, wFile, dFile, fileType=None):
errMsg = "on Firebird it is not possible to write files" errMsg = "on Firebird it is not possible to write files"
raise sqlmapUnsupportedFeatureException, errMsg raise sqlmapUnsupportedFeatureException, errMsg


@ -16,6 +16,6 @@ class Filesystem(GenericFilesystem):
errMsg = "on SAP MaxDB reading of files is not supported" errMsg = "on SAP MaxDB reading of files is not supported"
raise sqlmapUnsupportedFeatureException, errMsg raise sqlmapUnsupportedFeatureException, errMsg
def writeFile(self, wFile, dFile, fileType=None, confirm=True): def writeFile(self, wFile, dFile, fileType=None):
errMsg = "on SAP MaxDB writing of files is not supported" errMsg = "on SAP MaxDB writing of files is not supported"
raise sqlmapUnsupportedFeatureException, errMsg raise sqlmapUnsupportedFeatureException, errMsg


@ -164,7 +164,7 @@ class Filesystem(GenericFilesystem):
return result return result
def unionWriteFile(self, wFile, dFile, fileType, confirm=True): def unionWriteFile(self, wFile, dFile, fileType):
errMsg = "Microsoft SQL Server does not support file upload with " errMsg = "Microsoft SQL Server does not support file upload with "
errMsg += "UNION query SQL injection technique" errMsg += "UNION query SQL injection technique"
raise sqlmapUnsupportedFeatureException(errMsg) raise sqlmapUnsupportedFeatureException(errMsg)
@ -332,7 +332,7 @@ class Filesystem(GenericFilesystem):
self.execCmd(complComm) self.execCmd(complComm)
def stackedWriteFile(self, wFile, dFile, fileType, confirm=True): def stackedWriteFile(self, wFile, dFile, fileType):
# NOTE: this is needed here because we use xp_cmdshell extended # NOTE: this is needed here because we use xp_cmdshell extended
# procedure to write a file on the back-end Microsoft SQL Server # procedure to write a file on the back-end Microsoft SQL Server
# file system # file system


@ -59,7 +59,7 @@ class Filesystem(GenericFilesystem):
warnMsg += "file '%s'" % rFile warnMsg += "file '%s'" % rFile
if conf.direct or isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION): if conf.direct or isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
warnMsg += ", going to fall-back to simpler technique" warnMsg += ", going to fall-back to simpler UNION technique"
logger.warn(warnMsg) logger.warn(warnMsg)
result = self.unionReadFile(rFile) result = self.unionReadFile(rFile)
else: else:
@ -80,7 +80,7 @@ class Filesystem(GenericFilesystem):
return result return result
def unionWriteFile(self, wFile, dFile, fileType, confirm=True): def unionWriteFile(self, wFile, dFile, fileType):
logger.debug("encoding file to its hexadecimal string value") logger.debug("encoding file to its hexadecimal string value")
fcEncodedList = self.fileEncode(wFile, "hex", True) fcEncodedList = self.fileEncode(wFile, "hex", True)
@ -100,14 +100,13 @@ class Filesystem(GenericFilesystem):
sqlQuery = "%s INTO DUMPFILE '%s'" % (fcEncodedStr, dFile) sqlQuery = "%s INTO DUMPFILE '%s'" % (fcEncodedStr, dFile)
unionUse(sqlQuery, unpack=False) unionUse(sqlQuery, unpack=False)
if confirm: self.askCheckWrittenFile(wFile, dFile, fileType)
self.askCheckWrittenFile(wFile, dFile, fileType)
warnMsg = "expect junk characters inside the " warnMsg = "expect junk characters inside the "
warnMsg += "file as a leftover from UNION query" warnMsg += "file as a leftover from UNION query"
singleTimeWarnMessage(warnMsg) singleTimeWarnMessage(warnMsg)
def stackedWriteFile(self, wFile, dFile, fileType, confirm=True): def stackedWriteFile(self, wFile, dFile, fileType):
debugMsg = "creating a support table to write the hexadecimal " debugMsg = "creating a support table to write the hexadecimal "
debugMsg += "encoded file to" debugMsg += "encoded file to"
logger.debug(debugMsg) logger.debug(debugMsg)
@ -134,5 +133,4 @@ class Filesystem(GenericFilesystem):
# Reference: http://dev.mysql.com/doc/refman/5.1/en/select.html # Reference: http://dev.mysql.com/doc/refman/5.1/en/select.html
inject.goStacked("SELECT %s FROM %s INTO DUMPFILE '%s'" % (self.tblField, self.fileTblName, dFile), silent=True) inject.goStacked("SELECT %s FROM %s INTO DUMPFILE '%s'" % (self.tblField, self.fileTblName, dFile), silent=True)
if confirm: self.askCheckWrittenFile(wFile, dFile, fileType)
self.askCheckWrittenFile(wFile, dFile, fileType)
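Review bot: Nothing acts on the verification that is now always run: in both unionWriteFile and stackedWriteFile the `self.askCheckWrittenFile(wFile, dFile, fileType)` call is a bare statement, so its outcome is never captured. The generic `writeFile` likewise calls `self.stackedWriteFile(...)` and `self.unionWriteFile(...)` without using a result, so a failed write is visible only to someone reading the prompt output, and code that calls writeFile carries on as if it had succeeded. Consider ending stackedWriteFile with `return self.askCheckWrittenFile(wFile, dFile, fileType)`, capturing the same value in unionWriteFile and returning it after the junk-character warning, and having writeFile pass it on. This assumes askCheckWrittenFile reports success or failure, which is not shown on this page. The same bare call appears in the PostgreSQL stackedWriteFile.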


@ -17,7 +17,7 @@ class Filesystem(GenericFilesystem):
errMsg += "Oracle" errMsg += "Oracle"
raise sqlmapUnsupportedFeatureException, errMsg raise sqlmapUnsupportedFeatureException, errMsg
def writeFile(self, wFile, dFile, fileType=None, confirm=True): def writeFile(self, wFile, dFile, fileType=None):
errMsg = "File system write access not yet implemented for " errMsg = "File system write access not yet implemented for "
errMsg += "Oracle" errMsg += "Oracle"
raise sqlmapUnsupportedFeatureException, errMsg raise sqlmapUnsupportedFeatureException, errMsg


@ -33,12 +33,12 @@ class Filesystem(GenericFilesystem):
return self.udfEvalCmd(cmd=rFile, udfName="sys_fileread") return self.udfEvalCmd(cmd=rFile, udfName="sys_fileread")
def unionWriteFile(self, wFile, dFile, fileType, confirm=True): def unionWriteFile(self, wFile, dFile, fileType):
errMsg = "PostgreSQL does not support file upload with UNION " errMsg = "PostgreSQL does not support file upload with UNION "
errMsg += "query SQL injection technique" errMsg += "query SQL injection technique"
raise sqlmapUnsupportedFeatureException, errMsg raise sqlmapUnsupportedFeatureException, errMsg
def stackedWriteFile(self, wFile, dFile, fileType, confirm=True): def stackedWriteFile(self, wFile, dFile, fileType):
wFileSize = os.path.getsize(wFile) wFileSize = os.path.getsize(wFile)
if wFileSize > 8192: if wFileSize > 8192:
@ -115,7 +115,6 @@ class Filesystem(GenericFilesystem):
# (pg_largeobject 'data' field) # (pg_largeobject 'data' field)
inject.goStacked("SELECT lo_export(%d, '%s')" % (self.oid, dFile), silent=True) inject.goStacked("SELECT lo_export(%d, '%s')" % (self.oid, dFile), silent=True)
if confirm: self.askCheckWrittenFile(wFile, dFile, fileType)
self.askCheckWrittenFile(wFile, dFile, fileType)
inject.goStacked("SELECT lo_unlink(%d)" % self.oid) inject.goStacked("SELECT lo_unlink(%d)" % self.oid)
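Review bot: The now-unconditional `self.askCheckWrittenFile(wFile, dFile, fileType)` sits between the `lo_export` call and the `lo_unlink` call in stackedWriteFile, so an exception or interrupt raised during the check skips the unlink and leaves the large object behind on the server. Running the check inside a `try:` with `inject.goStacked("SELECT lo_unlink(%d)" % self.oid)` in the `finally:` keeps the cleanup guaranteed. That the check prompts the user is inferred from the commit message; its body is not part of this hunk, and stackedWriteFile itself begins outside it.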


@ -16,6 +16,6 @@ class Filesystem(GenericFilesystem):
errMsg = "on SQLite it is not possible to read files" errMsg = "on SQLite it is not possible to read files"
raise sqlmapUnsupportedFeatureException, errMsg raise sqlmapUnsupportedFeatureException, errMsg
def writeFile(self, wFile, dFile, fileType=None, confirm=True): def writeFile(self, wFile, dFile, fileType=None):
errMsg = "on SQLite it is not possible to write files" errMsg = "on SQLite it is not possible to write files"
raise sqlmapUnsupportedFeatureException, errMsg raise sqlmapUnsupportedFeatureException, errMsg


@ -16,6 +16,6 @@ class Filesystem(GenericFilesystem):
errMsg = "on Sybase it is not possible to read files" errMsg = "on Sybase it is not possible to read files"
raise sqlmapUnsupportedFeatureException, errMsg raise sqlmapUnsupportedFeatureException, errMsg
def writeFile(self, wFile, dFile, fileType=None, confirm=True): def writeFile(self, wFile, dFile, fileType=None):
errMsg = "on Sybase it is not possible to write files" errMsg = "on Sybase it is not possible to write files"
raise sqlmapUnsupportedFeatureException, errMsg raise sqlmapUnsupportedFeatureException, errMsg


@ -176,12 +176,12 @@ class Filesystem:
errMsg += "into the specific DBMS plugin" errMsg += "into the specific DBMS plugin"
raise sqlmapUndefinedMethod, errMsg raise sqlmapUndefinedMethod, errMsg
def unionWriteFile(self, wFile, dFile, fileType, confirm=True): def unionWriteFile(self, wFile, dFile, fileType):
errMsg = "'unionWriteFile' method must be defined " errMsg = "'unionWriteFile' method must be defined "
errMsg += "into the specific DBMS plugin" errMsg += "into the specific DBMS plugin"
raise sqlmapUndefinedMethod, errMsg raise sqlmapUndefinedMethod, errMsg
def stackedWriteFile(self, wFile, dFile, fileType, confirm=True): def stackedWriteFile(self, wFile, dFile, fileType):
errMsg = "'stackedWriteFile' method must be defined " errMsg = "'stackedWriteFile' method must be defined "
errMsg += "into the specific DBMS plugin" errMsg += "into the specific DBMS plugin"
raise sqlmapUndefinedMethod, errMsg raise sqlmapUndefinedMethod, errMsg
@ -235,7 +235,7 @@ class Filesystem:
return rFilePath return rFilePath
def writeFile(self, wFile, dFile, fileType=None, confirm=True): def writeFile(self, wFile, dFile, fileType=None):
self.checkDbmsOs() self.checkDbmsOs()
if conf.direct or isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED): if conf.direct or isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED):
@ -244,14 +244,14 @@ class Filesystem:
debugMsg += "stacked query SQL injection technique" debugMsg += "stacked query SQL injection technique"
logger.debug(debugMsg) logger.debug(debugMsg)
self.stackedWriteFile(wFile, dFile, fileType, confirm) self.stackedWriteFile(wFile, dFile, fileType)
self.cleanup(onlyFileTbl=True) self.cleanup(onlyFileTbl=True)
elif isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) and Backend.isDbms(DBMS.MYSQL): elif isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) and Backend.isDbms(DBMS.MYSQL):
debugMsg = "going to upload the %s file with " % fileType debugMsg = "going to upload the %s file with " % fileType
debugMsg += "UNION query SQL injection technique" debugMsg += "UNION query SQL injection technique"
logger.debug(debugMsg) logger.debug(debugMsg)
self.unionWriteFile(wFile, dFile, fileType, confirm) self.unionWriteFile(wFile, dFile, fileType)
else: else:
errMsg = "none of the SQL injection techniques detected can " errMsg = "none of the SQL injection techniques detected can "
errMsg += "be used to write files to the underlying file " errMsg += "be used to write files to the underlying file "