Re: [sqlmap-users] 64-bit pgsql 9.1 udf missing?
From: Brandon P. <bpe...@gm...> - 2014-06-19 21:29:41
So, reading the source for the pgsql udf here:

https://github.com/sqlmapproject/udfhack/blob/master/linux/64/lib_postgresqludf_sys/lib_postgresqludf_sys.c

It looks like we mmap RWX memory in order to eval some commands. Was this tested on a machine with SELinux? In my experience, this actually fails to allocate when RWX is used as the permissions on the memory region (line 186).

I have successfully gotten around this on some systems using a technique similar to that described at the bottom of this page (basically mapping two pointers to the same file, require FS access though…):

http://www.akkadia.org/drepper/selinux-mem.html

I am going to pull down the udfhack code and try it in a CentOS VM with SELinux enabled and see what happens. If it performs how I expect, would this be a useful addition to the UDF?

On Tue, Jun 17, 2014 at 2:22 PM, Brandon Perry <bpe...@gm...> wrote:

> Hey Bernardo,
>
> Any update to this?
>
> On Sat, Jun 14, 2014 at 4:16 AM, Bernardo Damele A. G. <ber...@gm...> wrote:
>
>> I will be fixing this shortly.
>>
>> Bernardo
>>
>> On Saturday, June 14, 2014, Brandon Perry <bpe...@gm...> wrote:
>>
>>> Hello!
>>>
>>> I have run into a small issue, it seems that the 9.1 pgsql udf wasn't
>>> compiled/checked into source control.
>>>
>>> brandons-imac:sqlmap bperry$ find . | grep postgresqludf
>>> ./udf/postgresql/linux/32/8.2/lib_postgresqludf_sys.so
>>> ./udf/postgresql/linux/32/8.3/lib_postgresqludf_sys.so
>>> ./udf/postgresql/linux/32/8.4/lib_postgresqludf_sys.so
>>> ./udf/postgresql/linux/32/9.0/lib_postgresqludf_sys.so
>>> ./udf/postgresql/linux/32/9.1/lib_postgresqludf_sys.so
>>> ./udf/postgresql/linux/64/8.2/lib_postgresqludf_sys.so
>>> ./udf/postgresql/linux/64/8.3/lib_postgresqludf_sys.so
>>> ./udf/postgresql/linux/64/8.4/lib_postgresqludf_sys.so
>>> ./udf/postgresql/linux/64/9.0/lib_postgresqludf_sys.so
>>> ./udf/postgresql/windows/32/8.2/lib_postgresqludf_sys.dll
>>> ./udf/postgresql/windows/32/8.3/lib_postgresqludf_sys.dll
>>> ./udf/postgresql/windows/32/8.4/lib_postgresqludf_sys.dll
>>> ./udf/postgresql/windows/32/9.0/lib_postgresqludf_sys.dll
>>> brandons-imac:sqlmap bperry$
>>>
>>> You can see that:
>>>
>>> ./udf/postgresql/linux/64/9.1/lib_postgresqludf_sys.so
>>>
>>> is missing. This leads to the following error. Anything I can do to
>>> help, let me know:
>>>
>>> what is the back-end database management system architecture?
>>> [1] 32-bit (default)
>>> [2] 64-bit
>>> > 2
>>> [22:48:43] [INFO] checking if UDF 'sys_eval' already exist
>>> [22:48:43] [INFO] checking if UDF 'sys_exec' already exist
>>>
>>> [22:48:43] [CRITICAL] unhandled exception in sqlmap/1.0-dev-f558b80,
>>> retry your run with the latest development version from the GitHub
>>> repository. If the exception persists, please send by e-mail to '
>>> sql...@li...' or open a new issue at '
>>> https://github.com/sqlmapproject/sqlmap/issues/new' with the following
>>> text and any information required to reproduce the bug. The developers will
>>> try to reproduce the bug, fix it accordingly and get back to you.
>>>
>>> sqlmap version: 1.0-dev-f558b80
>>> Python version: 2.7.5
>>> Operating system: posix
>>> Command line: ./sqlmap.py -r /Users/bperry/tmp/req.req --level=5
>>> --risk=3 --dbms=postgresql -o --os-shell
>>> Technique: TIME
>>> Back-end DBMS: PostgreSQL (fingerprinted)
>>> Traceback (most recent call last):
>>> File "./sqlmap.py", line 95, in main
>>> start()
>>> File "/Users/bperry/projects/sqlmap/lib/controller/controller.py",
>>> line 585, in start
>>> action()
>>> File "/Users/bperry/projects/sqlmap/lib/controller/action.py", line
>>> 160, in action
>>> conf.dbmsHandler.osShell()
>>> File "/Users/bperry/projects/sqlmap/plugins/generic/takeover.py", line
>>> 80, in osShell
>>> self.initEnv(web=web)
>>> File "/Users/bperry/projects/sqlmap/lib/takeover/abstraction.py", line
>>> 198, in initEnv
>>> success = self.udfInjectSys()
>>> File "/Users/bperry/projects/sqlmap/lib/takeover/udf.py", line 184, in
>>> udfInjectSys
>>> return self.udfInjectCore(self.sysUdfs)
>>> File "/Users/bperry/projects/sqlmap/lib/takeover/udf.py", line 149, in
>>> udfInjectCore
>>> written = self.writeFile(self.udfLocalFile, self.udfRemoteFile,
>>> "binary", forceCheck=True)
>>> File "/Users/bperry/projects/sqlmap/plugins/generic/filesystem.py",
>>> line 270, in writeFile
>>> written = self.stackedWriteFile(localFile, remoteFile, fileType,
>>> forceCheck)
>>> File
>>> "/Users/bperry/projects/sqlmap/plugins/dbms/postgresql/filesystem.py", line
>>> 37, in stackedWriteFile
>>> wFileSize = os.path.getsize(wFile)
>>> File
>>> "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/genericpath.py",
>>> line 49, in getsize
>>> return os.stat(filename).st_size
>>> OSError: [Errno 2] No such file or directory:
>>> '/Users/bperry/projects/sqlmap/udf/postgresql/linux/64/9.1/lib_postgresqludf_sys.so'
>>>
>>> [*] shutting down at 22:48:43
>>>
>>> --
>>> http://volatile-minds.blogspot.com -- blog
>>> http://www.volatileminds.net -- website
>>
>> --
>> Bernardo Damele A. G.
>>
>> E-mail / Jabber: bernardo.damele (at) gmail.com
>> Mobile: +447788962949 (UK 07788962949)
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
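
A diagnostic for the allocation failure raised in the message above, as an added example that is not part of the original post or of the udfhack code: it checks whether the current process may create an anonymous RWX mapping, or flip a written RW mapping to RX, both of which SELinux gates behind the `execmem` permission. The function names and the 4096-byte probe size are assumptions of this example, and nothing in the probed memory is executed.

```c
#define _DEFAULT_SOURCE          /* exposes MAP_ANONYMOUS on glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

enum { PROBE_LEN = 4096 };       /* assumed probe size: one typical page */

/* Try to create an anonymous private mapping with `prot`.
 * Returns 0 on success, otherwise the errno reported by mmap(). */
int probe_anon_map(int prot)
{
    void *p = mmap(NULL, PROBE_LEN, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, PROBE_LEN);
    return 0;
}

/* Map RW, dirty the page, then request RX (the W^X-style sequence).
 * Returns 0 on success, otherwise the errno from mmap() or mprotect(). */
int probe_rw_then_rx(void)
{
    void *p = mmap(NULL, PROBE_LEN, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    memset(p, 0, PROBE_LEN);     /* zero bytes only; nothing is executed */
    int rc = (mprotect(p, PROBE_LEN, PROT_READ | PROT_EXEC) == 0) ? 0 : errno;
    munmap(p, PROBE_LEN);
    return rc;
}

/* Turn a probe result into a short verdict for reporting. */
const char *verdict(int rc)
{
    if (rc == 0)
        return "allowed";
    if (rc == EACCES || rc == EPERM)
        return "denied by policy";
    return "failed (other)";
}

int main(void)
{
    printf("anonymous RWX mmap : %s\n",
           verdict(probe_anon_map(PROT_READ | PROT_WRITE | PROT_EXEC)));
    printf("RW then mprotect RX: %s\n", verdict(probe_rw_then_rx()));
    return 0;
}
```

Run it in the confined domain whose policy you want to verify; a result from an unconfined shell says nothing about the database server's domain.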