Merged back from personal branch to trunk (svn merge -r846:940 ...)

Changes:
* Major enhancement to the Microsoft SQL Server stored procedure
heap-based buffer overflow exploit (--os-bof) to automatically bypass
DEP memory protection.
* Added support for MySQL and PostgreSQL to execute Metasploit shellcode
via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an
option instead of uploading the standalone payload stager executable.
* Added options for MySQL, PostgreSQL and Microsoft SQL Server to
read/add/delete Windows registry keys.
* Added options for MySQL and PostgreSQL to inject custom user-defined
functions.
* Added support for --first and --last so the user now has even more
granularity in what to enumerate in the query output.
* Minor enhancement to save the session by default in
'output/hostname/session' file if -s option is not specified.
* Minor improvement to automatically remove sqlmap created temporary
files from the DBMS underlying file system.
* Minor bugs fixed.
* Major code refactoring.
This commit is contained in:
Bernardo Damele
2009-09-25 23:03:45 +00:00
parent 458d59416c
commit 89c43893d4
52 changed files with 1698 additions and 647 deletions


@@ -46,12 +46,15 @@ class Miscellaneous:
if kb.os == "Windows":
# NOTES:
#
# * MySQL runs by default as SYSTEM and the system-wide
# temporary files directory is C:\WINDOWS\Temp
# * The system-wide temporary files directory is
# C:\WINDOWS\Temp
#
# * MySQL runs by default as SYSTEM
#
# * PostgreSQL runs by default as postgres user and the
# temporary files directory is C:\Documents and Settings\postgres\Local Settings\Temp,
# however the system-wide folder is writable too
# however the system-wide folder is writable too
#
#infoMsg = "retrieving remote absolute path of temporary files "
#infoMsg += "directory"
#logger.info(infoMsg)
@@ -70,12 +73,28 @@ class Miscellaneous:
setRemoteTempPath()
def delRemoteTempFile(self, tempFile, bat=False):
self.checkDbmsOs()
if kb.os == "Windows":
if bat is True:
tempFile = tempFile.replace("/", "\\\\")
else:
tempFile = tempFile.replace("/", "\\")
cmd = "del /F /Q %s" % tempFile
else:
cmd = "rm -f %s" % tempFile
self.execCmd(cmd, forgeCmd=True)
def createSupportTbl(self, tblName, tblField, tblType):
inject.goStacked("DROP TABLE %s" % tblName)
inject.goStacked("CREATE TABLE %s(%s %s)" % (tblName, tblField, tblType))
def cleanup(self, onlyFileTbl=False):
def cleanup(self, onlyFileTbl=False, udfDict=None):
"""
Cleanup database from sqlmap create tables and functions
"""
@@ -108,17 +127,21 @@ class Miscellaneous:
if kb.dbms == "Microsoft SQL Server":
return
for udf in ( "sys_exec", "sys_eval" ):
message = "do you want to remove %s UDF? [Y/n] " % udf
if udfDict is None:
udfDict = self.sysUdfs
for udf, inpRet in udfDict.items():
message = "do you want to remove UDF '%s'? [Y/n] " % udf
output = readInput(message, default="Y")
if not output or output in ("y", "Y"):
dropStr = "DROP FUNCTION %s" % udf
if kb.dbms == "PostgreSQL":
dropStr += "(text)"
inp = ", ".join(i for i in inpRet["input"])
dropStr += "(%s)" % inp
logger.debug("removing %s UDF" % udf)
logger.debug("removing UDF '%s'" % udf)
inject.goStacked(dropStr)
logger.info("database management system cleanup finished")
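Review bot: The parameter list is now appended to `DROP FUNCTION` for every DBMS, because the `if kb.dbms == "PostgreSQL":` guard that surrounded the old `dropStr += "(text)"` was removed when `inp = ", ".join(i for i in inpRet["input"])` / `dropStr += "(%s)" % inp` were added. MySQL's `DROP FUNCTION` for a UDF takes a bare name, so `DROP FUNCTION sys_exec(text)` is very likely a syntax error there, and cleanup would leave sys_exec/sys_eval (or any custom UDF from udfDict) behind on the target — both a forensic artifact and a remaining code-execution primitive, and given the stacked-query delivery this probably fails quietly. Keep the guard: `if kb.dbms == "PostgreSQL":` / `    inp = ", ".join(inpRet["input"])` / `    dropStr += "(%s)" % inp`, leaving `DROP FUNCTION %s` alone for MySQL. The enclosing cleanup() begins outside this hunk, and the early `return` for Microsoft SQL Server above is unchanged by the commit.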