There was no point relying on a support table (sqlmapoutput) to get the stdout of executed OS commands when using direct connection (-d) and it saves also number of requests.

Also, BULK INSERT apparently does not work on MSSQL when running as Network Service (at least on Windows XP) so one more reason to avoid using support table. Minor fix also to threat MSSQL's EXEC statements as SELECT ones
2025-12-06 12:41:30 +00:00 · 2012-02-17 15:54:49 +00:00
parent ebd40b3933
commit 121148f27f
4 changed files with 54 additions and 22 deletions
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@@ -107,29 +107,43 @@ class xp_cmdshell:

    def xpCmdshellExecCmd(self, cmd, silent=False):
        cmd = self.xpCmdshellForgeCmd(cmd)
-        inject.goStacked(cmd, silent)
+        return inject.goStacked(cmd, silent)

    def xpCmdshellEvalCmd(self, cmd, first=None, last=None):
        self.getRemoteTempPath()

-        tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
-        cmd = "%s > \"%s\"" % (cmd, tmpFile)
+        if conf.direct:
+            output = self.xpCmdshellExecCmd(cmd)

-        self.xpCmdshellExecCmd(cmd)
+            if output and isinstance(output, (list, tuple)):
+                new_output = ""

-        inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (self.cmdTblName, tmpFile, randomStr(10), randomStr(10)))
+                for line in output:
+                    if line == "NULL":
+                        new_output += "\n"
+                    else:
+                        new_output += "%s\n" % line.strip("\r")

-        self.delRemoteFile(tmpFile)
+                output = new_output
+        else:
+            tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
+            cmd = "%s > \"%s\"" % (cmd, tmpFile)

-        output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, unique=False, firstChar=first, lastChar=last, safeCharEncode=False)
-        inject.goStacked("DELETE FROM %s" % self.cmdTblName)
+            self.xpCmdshellExecCmd(cmd)

-        if output and isinstance(output, (list, tuple)):
-            output = output[0]
+            inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (self.cmdTblName, tmpFile, randomStr(10), randomStr(10)))
+
+            self.delRemoteFile(tmpFile)
+
+            output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, unique=False, firstChar=first, lastChar=last, safeCharEncode=False)
+            inject.goStacked("DELETE FROM %s" % self.cmdTblName)

            if output and isinstance(output, (list, tuple)):
                output = output[0]

+                if output and isinstance(output, (list, tuple)):
+                    output = output[0]
+
        return output

    def xpCmdshellInit(self):