Re: [sqlmap-users] 64-bit pgsql 9.1 udf missing?
From: Bernardo D. A. G. <ber...@gm...> - 2014-06-20 19:17:08
Yes, not high priority but it would be an improvement. Please first verify if the current code works with SELinux without modifications - I haven't tested it myself.

Bernardo

On Thursday, June 19, 2014, Brandon Perry <bpe...@gm...> wrote:

> So, reading the source for the pgsql udf here:
>
> https://github.com/sqlmapproject/udfhack/blob/master/linux/64/lib_postgresqludf_sys/lib_postgresqludf_sys.c
>
> It looks like we mmap RWX memory in order to eval some commands. Was this
> tested on a machine with SELinux? In my experience, this actually fails to
> allocate when RWX is used as the permissions on the memory region (line
> 186).
>
> I have successfully gotten around this on some systems using a technique
> similar to that described at the bottom of this page (basically mapping two
> pointers to the same file, require FS access though…):
>
> http://www.akkadia.org/drepper/selinux-mem.html
>
> I am going to pull down the udfhack code and try it in a CentOS VM with
> SELinux enabled and see what happens. If it performs how I expect, would
> this be a useful addition to the UDF?
>
>
> On Tue, Jun 17, 2014 at 2:22 PM, Brandon Perry <bpe...@gm...> wrote:
>
>> Hey Bernardo,
>>
>> Any update to this?
>>
>>
>> On Sat, Jun 14, 2014 at 4:16 AM, Bernardo Damele A. G. <
>> ber...@gm...> wrote:
>>
>>> I will be fixing this shortly.
>>>
>>> Bernardo
>>>
>>>
>>> On Saturday, June 14, 2014, Brandon Perry <bpe...@gm...> wrote:
>>>
>>>> Hello!
>>>>
>>>> I have run into a small issue, it seems that the 9.1 pgsql udf wasn't
>>>> compiled/checked into source control.
>>>>
>>>> brandons-imac:sqlmap bperry$ find . | grep postgresqludf
>>>> ./udf/postgresql/linux/32/8.2/lib_postgresqludf_sys.so
>>>> ./udf/postgresql/linux/32/8.3/lib_postgresqludf_sys.so
>>>> ./udf/postgresql/linux/32/8.4/lib_postgresqludf_sys.so
>>>> ./udf/postgresql/linux/32/9.0/lib_postgresqludf_sys.so
>>>> ./udf/postgresql/linux/32/9.1/lib_postgresqludf_sys.so
>>>> ./udf/postgresql/linux/64/8.2/lib_postgresqludf_sys.so
>>>> ./udf/postgresql/linux/64/8.3/lib_postgresqludf_sys.so
>>>> ./udf/postgresql/linux/64/8.4/lib_postgresqludf_sys.so
>>>> ./udf/postgresql/linux/64/9.0/lib_postgresqludf_sys.so
>>>> ./udf/postgresql/windows/32/8.2/lib_postgresqludf_sys.dll
>>>> ./udf/postgresql/windows/32/8.3/lib_postgresqludf_sys.dll
>>>> ./udf/postgresql/windows/32/8.4/lib_postgresqludf_sys.dll
>>>> ./udf/postgresql/windows/32/9.0/lib_postgresqludf_sys.dll
>>>> brandons-imac:sqlmap bperry$
>>>>
>>>> You can see that:
>>>>
>>>> ./udf/postgresql/linux/64/9.1/lib_postgresqludf_sys.so
>>>>
>>>> is missing. This leads to the following error. Anything I can do to
>>>> help, let me know:
>>>>
>>>> what is the back-end database management system architecture?
>>>> [1] 32-bit (default)
>>>> [2] 64-bit
>>>> > 2
>>>> [22:48:43] [INFO] checking if UDF 'sys_eval' already exist
>>>> [22:48:43] [INFO] checking if UDF 'sys_exec' already exist
>>>>
>>>> [22:48:43] [CRITICAL] unhandled exception in sqlmap/1.0-dev-f558b80,
>>>> retry your run with the latest development version from the GitHub
>>>> repository. If the exception persists, please send by e-mail to '
>>>> sql...@li...' or open a new issue at '
>>>> https://github.com/sqlmapproject/sqlmap/issues/new' with the following
>>>> text and any information required to reproduce the bug. The developers will
>>>> try to reproduce the bug, fix it accordingly and get back to you.
>>>> sqlmap version: 1.0-dev-f558b80
>>>> Python version: 2.7.5
>>>> Operating system: posix
>>>> Command line: ./sqlmap.py -r /Users/bperry/tmp/req.req --level=5
>>>> --risk=3 --dbms=postgresql -o --os-shell
>>>> Technique: TIME
>>>> Back-end DBMS: PostgreSQL (fingerprinted)
>>>> Traceback (most recent call last):
>>>> File "./sqlmap.py", line 95, in main
>>>> start()
>>>> File "/Users/bperry/projects/sqlmap/lib/controller/controller.py",
>>>> line 585, in start
>>>> action()
>>>> File "/Users/bperry/projects/sqlmap/lib/controller/action.py", line
>>>> 160, in action
>>>> conf.dbmsHandler.osShell()
>>>> File "/Users/bperry/projects/sqlmap/plugins/generic/takeover.py",
>>>> line 80, in osShell
>>>> self.initEnv(web=web)
>>>> File "/Users/bperry/projects/sqlmap/lib/takeover/abstraction.py",
>>>> line 198, in initEnv
>>>> success = self.udfInjectSys()
>>>> File "/Users/bperry/projects/sqlmap/lib/takeover/udf.py", line 184,
>>>> in udfInjectSys
>>>> return self.udfInjectCore(self.sysUdfs)
>>>> File "/Users/bperry/projects/sqlmap/lib/takeover/udf.py", line 149,
>>>> in udfInjectCore
>>>> written = self.writeFile(self.udfLocalFile, self.udfRemoteFile,
>>>> "binary", forceCheck=True)
>>>> File "/Users/bperry/projects/sqlmap/plugins/generic/filesystem.py",
>>>> line 270, in writeFile
>>>> written = self.stackedWriteFile(localFile, remoteFile, fileType,
>>>> forceCheck)
>>>> File
>>>> "/Users/bperry/projects/sqlmap/plugins/dbms/postgresql/filesystem.py", line
>>>> 37, in stackedWriteFile
>>>> wFileSize = os.path.getsize(wFile)
>>>> File
>>>> "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/genericpath.py",
>>>> line 49, in getsize
>>>> return os.stat(filename).st_size
>>>> OSError: [Errno 2] No such file or directory:
>>>> '/Users/bperry/projects/sqlmap/udf/postgresql/linux/64/9.1/lib_postgresqludf_sys.so'
>>>>
>>>> [*] shutting down at 22:48:43
>>>>
>>>>
>>>> --
>>>> http://volatile-minds.blogspot.com -- blog
>>>> http://www.volatileminds.net -- website
>>>>
>>>
>>>
>>> --
>>> Bernardo Damele A. G.
>>>
>>> E-mail / Jabber: bernardo.damele (at) gmail.com
>>> Mobile: +447788962949 (UK 07788962949)
>>>
>>
>>
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website
>>
>
>
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
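
Added example, not part of the original thread or of sqlmap/udfhack: when SELinux refuses an anonymous RWX mapping as discussed above, the kernel logs an AVC denial for the `execmem` permission, which a defender can pick out of the audit log. The log records below are constructed, and the `postgres` process name and `postgresql_t` domain are assumptions about a typical targeted-policy host.

```python
import re
from collections import Counter

# Process-class memory-protection permissions covered on the SELinux page linked in the thread.
MEM_PERMS = {"execmem", "execstack", "execheap"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not captured from a real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1403205428.101:811): avc:  denied  { execmem } for  pid=2290 comm="postgres" scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=process
type=SYSCALL msg=audit(1403205428.101:811): arch=c000003e syscall=9 success=no exit=-13 comm="postgres"
type=AVC msg=audit(1403205431.550:812): avc:  denied  { read } for  pid=2301 comm="httpd" name="secret" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1403205440.007:815): avc:  denied  { execmem } for  pid=2290 comm="postgres" scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=process
"""

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = set(m.group("perms").split())
    fields["serial"] = int(m.group("serial"))
    return fields

def memory_denials(log_text):
    """Keep only denials of executable-memory permissions on the process class."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("tclass") == "process" and rec["perms"] & MEM_PERMS:
            hits.append(rec)
    return hits

def summarize(hits):
    """Count denials per (process name, SELinux domain, permission)."""
    counts = Counter()
    for rec in hits:
        domain = rec["scontext"].split(":")[2]
        for perm in sorted(rec["perms"] & MEM_PERMS):
            counts[(rec["comm"], domain, perm)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(memory_denials(SAMPLE_LOG)).items():
        print(key, n)
```

Repeated `execmem` denials from a database server domain are worth alerting on, since a stock database backend has little reason to request writable and executable memory.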