Fixes #5581

sqlmapproject · Dec 13, 2023 · 53b8a95 · 53b8a95
1 parent 6dd383f
commit 53b8a95
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 55 deletions.
diff --git a/lib/core/convert.py b/lib/core/convert.py
@@ -135,6 +135,23 @@ def dejsonize(data):
 
     return json.loads(data)
 
+def rot13(data):
+    """
+    Returns ROT13 encoded/decoded text
+
+    >>> rot13('foobar was here!!')
+    'sbbone jnf urer!!'
+    >>> rot13('sbbone jnf urer!!')
+    'foobar was here!!'
+    """
+
+    # Reference: https://stackoverflow.com/a/62662878
+    retVal = ""
+    alphabit = "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ"
+    for char in data:
+        retVal += alphabit[alphabit.index(char) + 13] if char in alphabit else char
+    return retVal
+
 def decodeHex(value, binary=True):
     """
     Returns a decoded representation of provided hexadecimal value

diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -20,7 +20,7 @@
 from thirdparty.six import unichr as _unichr
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.7.12.5"
+VERSION = "1.7.12.6"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

diff --git a/plugins/dbms/mssqlserver/filesystem.py b/plugins/dbms/mssqlserver/filesystem.py
@@ -18,6 +18,7 @@
 from lib.core.compat import xrange
 from lib.core.convert import encodeBase64
 from lib.core.convert import encodeHex
+from lib.core.convert import rot13
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -278,60 +279,62 @@ def _stackedWriteFileVbs(self, tmpPath, localFileContent, remoteFile, fileType):
         randFile = "tmpf%s.txt" % randomStr(lowercase=True)
         randFilePath = "%s\\%s" % (tmpPath, randFile)
 
-        vbs = """Dim inputFilePath, outputFilePath
-        inputFilePath = "%s"
-        outputFilePath = "%s"
-        Set fs = CreateObject("Scripting.FileSystemObject")
-        Set file = fs.GetFile(inputFilePath)
-        If file.Size Then
-            Wscript.Echo "Loading from: " & inputFilePath
-            Wscript.Echo
-            Set fd = fs.OpenTextFile(inputFilePath, 1)
-            data = fd.ReadAll
-            fd.Close
-            data = Replace(data, " ", "")
-            data = Replace(data, vbCr, "")
-            data = Replace(data, vbLf, "")
-            Wscript.Echo "Fixed Input: "
-            Wscript.Echo data
-            Wscript.Echo
-            decodedData = base64_decode(data)
-            Wscript.Echo "Output: "
-            Wscript.Echo decodedData
-            Wscript.Echo
-            Wscript.Echo "Writing output in: " & outputFilePath
-            Wscript.Echo
-            Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile(outputFilePath, 2, True)
-            ofs.Write decodedData
-            ofs.close
-        Else
-            Wscript.Echo "The file is empty."
-        End If
-        Function base64_decode(byVal strIn)
-            Dim w1, w2, w3, w4, n, strOut
-            For n = 1 To Len(strIn) Step 4
-                w1 = mimedecode(Mid(strIn, n, 1))
-                w2 = mimedecode(Mid(strIn, n + 1, 1))
-                w3 = mimedecode(Mid(strIn, n + 2, 1))
-                w4 = mimedecode(Mid(strIn, n + 3, 1))
-                If Not w2 Then _
-                strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255))
-                If  Not w3 Then _
-                strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255))
-                If Not w4 Then _
-                strOut = strOut + Chr(((w3 * 64 + w4) And 255))
-            Next
-            base64_decode = strOut
-            End Function
-        Function mimedecode(byVal strIn)
-            Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
-            If Len(strIn) = 0 Then
-                mimedecode = -1 : Exit Function
-            Else
-                mimedecode = InStr(Base64Chars, strIn) - 1
-            End If
-        End Function""" % (randFilePath, remoteFile)
-
+        vbs = """Qvz vachgSvyrCngu, bhgchgSvyrCngu
+        vachgSvyrCngu = "%f"
+        bhgchgSvyrCngu = "%f"
+        Frg sf = PerngrBowrpg("Fpevcgvat.SvyrFlfgrzBowrpg")
+        Frg svyr = sf.TrgSvyr(vachgSvyrCngu)
+        Vs svyr.Fvmr Gura
+            Jfpevcg.Rpub "Ybnqvat sebz: " & vachgSvyrCngu
+            Jfpevcg.Rpub
+            Frg sq = sf.BcraGrkgSvyr(vachgSvyrCngu, 1)
+            qngn = sq.ErnqNyy
+            sq.Pybfr
+            qngn = Ercynpr(qngn, " ", "")
+            qngn = Ercynpr(qngn, ioPe, "")
+            qngn = Ercynpr(qngn, ioYs, "")
+            Jfpevcg.Rpub "Svkrq Vachg: "
+            Jfpevcg.Rpub qngn
+            Jfpevcg.Rpub
+            qrpbqrqQngn = onfr64_qrpbqr(qngn)
+            Jfpevcg.Rpub "Bhgchg: "
+            Jfpevcg.Rpub qrpbqrqQngn
+            Jfpevcg.Rpub
+            Jfpevcg.Rpub "Jevgvat bhgchg va: " & bhgchgSvyrCngu
+            Jfpevcg.Rpub
+            Frg bsf = PerngrBowrpg("Fpevcgvat.SvyrFlfgrzBowrpg").BcraGrkgSvyr(bhgchgSvyrCngu, 2, Gehr)
+            bsf.Jevgr qrpbqrqQngn
+            bsf.pybfr
+        Ryfr
+            Jfpevcg.Rpub "Gur svyr vf rzcgl."
+        Raq Vs
+        Shapgvba onfr64_qrpbqr(olIny fgeVa)
+            Qvz j1, j2, j3, j4, a, fgeBhg
+            Sbe a = 1 Gb Yra(fgeVa) Fgrc 4
+                j1 = zvzrqrpbqr(Zvq(fgeVa, a, 1))
+                j2 = zvzrqrpbqr(Zvq(fgeVa, a + 1, 1))
+                j3 = zvzrqrpbqr(Zvq(fgeVa, a + 2, 1))
+                j4 = zvzrqrpbqr(Zvq(fgeVa, a + 3, 1))
+                Vs Abg j2 Gura _
+                fgeBhg = fgeBhg + Pue(((j1 * 4 + Vag(j2 / 16)) Naq 255))
+                Vs  Abg j3 Gura _
+                fgeBhg = fgeBhg + Pue(((j2 * 16 + Vag(j3 / 4)) Naq 255))
+                Vs Abg j4 Gura _
+                fgeBhg = fgeBhg + Pue(((j3 * 64 + j4) Naq 255))
+            Arkg
+            onfr64_qrpbqr = fgeBhg
+            Raq Shapgvba
+        Shapgvba zvzrqrpbqr(olIny fgeVa)
+            Onfr64Punef = "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm0123456789+/"
+            Vs Yra(fgeVa) = 0 Gura
+                zvzrqrpbqr = -1 : Rkvg Shapgvba
+            Ryfr
+                zvzrqrpbqr = VaFge(Onfr64Punef, fgeVa) - 1
+            Raq Vs
+        Raq Shapgvba"""
+
+        # NOTE: https://github.com/sqlmapproject/sqlmap/issues/5581
+        vbs = rot13(vbs)
         vbs = vbs.replace("    ", "")
         encodedFileContent = encodeBase64(localFileContent, binary=False)