So, reading the source for the pgsql udf here:
https://github.com/sqlmapproject/udfhack/blob/master/linux/64/lib_postgresqludf_sys/lib_postgresqludf_sys.c
It looks like we mmap RWX memory in order to eval some commands. Was this
tested on a machine with SELinux? In my experience, this actually fails to
allocate when RWX is used as the permissions on the memory region (line
186).
I have successfully gotten around this on some systems using a technique
similar to that described at the bottom of this page (basically mapping two
pointers to the same file, requires FS access though…):
http://www.akkadia.org/drepper/selinux-mem.html
I am going to pull down the udfhack code and try it in a CentOS VM with
SELinux enabled and see what happens. If it performs how I expect, would
this be a useful addition to the UDF?
On Tue, Jun 17, 2014 at 2:22 PM, Brandon Perry <bperry.volat...@gmail.com>
wrote:
> Hey Bernardo,
>
> Any update to this?
>
>
> On Sat, Jun 14, 2014 at 4:16 AM, Bernardo Damele A. G. <
> bernardo.dam...@gmail.com> wrote:
>
>> I will be fixing this shortly.
>>
>> Bernardo
>>
>>
>> On Saturday, June 14, 2014, Brandon Perry <bperry.volat...@gmail.com>
>> wrote:
>>
>>> Hello!
>>>
>>> I have run into a small issue; it seems that the 9.1 pgsql udf wasn't
>>> compiled/checked into source control.
>>>
>>> brandons-imac:sqlmap bperry$ find . | grep postgresqludf
>>> ./udf/postgresql/linux/32/8.2/lib_postgresqludf_sys.so
>>> ./udf/postgresql/linux/32/8.3/lib_postgresqludf_sys.so
>>> ./udf/postgresql/linux/32/8.4/lib_postgresqludf_sys.so
>>> ./udf/postgresql/linux/32/9.0/lib_postgresqludf_sys.so
>>> ./udf/postgresql/linux/32/9.1/lib_postgresqludf_sys.so
>>> ./udf/postgresql/linux/64/8.2/lib_postgresqludf_sys.so
>>> ./udf/postgresql/linux/64/8.3/lib_postgresqludf_sys.so
>>> ./udf/postgresql/linux/64/8.4/lib_postgresqludf_sys.so
>>> ./udf/postgresql/linux/64/9.0/lib_postgresqludf_sys.so
>>> ./udf/postgresql/windows/32/8.2/lib_postgresqludf_sys.dll
>>> ./udf/postgresql/windows/32/8.3/lib_postgresqludf_sys.dll
>>> ./udf/postgresql/windows/32/8.4/lib_postgresqludf_sys.dll
>>> ./udf/postgresql/windows/32/9.0/lib_postgresqludf_sys.dll
>>> brandons-imac:sqlmap bperry$
>>>
>>> You can see that:
>>>
>>> ./udf/postgresql/linux/64/9.1/lib_postgresqludf_sys.so
>>>
>>> is missing. This leads to the following error. Anything I can do to
>>> help, let me know:
>>>
>>> what is the back-end database management system architecture?
>>> [1] 32-bit (default)
>>> [2] 64-bit
>>> > 2
>>> [22:48:43] [INFO] checking if UDF 'sys_eval' already exist
>>> [22:48:43] [INFO] checking if UDF 'sys_exec' already exist
>>>
>>> [22:48:43] [CRITICAL] unhandled exception in sqlmap/1.0-dev-f558b80,
>>> retry your run with the latest development version from the GitHub
>>> repository. If the exception persists, please send by e-mail to '
>>> sqlmap-users@lists.sourceforge.net' or open a new issue at '
>>> https://github.com/sqlmapproject/sqlmap/issues/new' with the following
>>> text and any information required to reproduce the bug. The developers will
>>> try to reproduce the bug, fix it accordingly and get back to you.
>>> sqlmap version: 1.0-dev-f558b80
>>> Python version: 2.7.5
>>> Operating system: posix
>>> Command line: ./sqlmap.py -r /Users/bperry/tmp/req.req --level=5
>>> --risk=3 --dbms=postgresql -o --os-shell
>>> Technique: TIME
>>> Back-end DBMS: PostgreSQL (fingerprinted)
>>> Traceback (most recent call last):
>>> File "./sqlmap.py", line 95, in main
>>> start()
>>> File "/Users/bperry/projects/sqlmap/lib/controller/controller.py",
>>> line 585, in start
>>> action()
>>> File "/Users/bperry/projects/sqlmap/lib/controller/action.py", line
>>> 160, in action
>>> conf.dbmsHandler.osShell()
>>> File "/Users/bperry/projects/sqlmap/plugins/generic/takeover.py", line
>>> 80, in osShell
>>> self.initEnv(web=web)
>>> File "/Users/bperry/projects/sqlmap/lib/takeover/abstraction.py", line
>>> 198, in initEnv
>>> success = self.udfInjectSys()
>>> File "/Users/bperry/projects/sqlmap/lib/takeover/udf.py", line 184, in
>>> udfInjectSys
>>> return self.udfInjectCore(self.sysUdfs)
>>> File "/Users/bperry/projects/sqlmap/lib/takeover/udf.py", line 149, in
>>> udfInjectCore
>>> written = self.writeFile(self.udfLocalFile, self.udfRemoteFile,
>>> "binary", forceCheck=True)
>>> File "/Users/bperry/projects/sqlmap/plugins/generic/filesystem.py",
>>> line 270, in writeFile
>>> written = self.stackedWriteFile(localFile, remoteFile, fileType,
>>> forceCheck)
>>> File
>>> "/Users/bperry/projects/sqlmap/plugins/dbms/postgresql/filesystem.py", line
>>> 37, in stackedWriteFile
>>> wFileSize = os.path.getsize(wFile)
>>> File
>>> "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/genericpath.py",
>>> line 49, in getsize
>>> return os.stat(filename).st_size
>>> OSError: [Errno 2] No such file or directory:
>>> '/Users/bperry/projects/sqlmap/udf/postgresql/linux/64/9.1/lib_postgresqludf_sys.so'
>>>
>>> [*] shutting down at 22:48:43
>>>
>>>
>>> --
>>> http://volatile-minds.blogspot.com -- blog
>>> http://www.volatileminds.net -- website
>>>
>>
>>
>> --
>> Bernardo Damele A. G.
>>
>> E-mail / Jabber: bernardo.damele (at) gmail.com
>> Mobile: +447788962949 (UK 07788962949)
>>
>
>
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
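
A defender-side check for the failure described in the message at the top of this thread, as an added example that is not part of the thread or of the udfhack source: it probes whether the host permits an anonymous RWX mapping (an SELinux execmem denial surfaces as EACCES) and counts writable-and-executable regions listed in a /proc/<pid>/maps file. The function names are hypothetical, chosen for this example.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Try an anonymous private mapping with `prot`; 0 if allowed, else errno. */
static int probe_mmap(int prot)
{
    void *p = mmap(NULL, 4096, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;            /* execmem denial is reported as EACCES */
    munmap(p, 4096);
    return 0;
}

/* Return 1 if one /proc/<pid>/maps line describes a W+X region, else 0. */
static int maps_line_is_wx(const char *line)
{
    unsigned long start, end;
    char perms[5];
    if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
        return 0;                /* not a maps record */
    return perms[1] == 'w' && perms[2] == 'x';
}

/* Count W+X regions in a maps file; -1 if the file cannot be opened. */
static int count_wx_regions(const char *path)
{
    char line[512];
    int n = 0;
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f))
        n += maps_line_is_wx(line);
    fclose(f);
    return n;
}

int main(void)
{
    int rw  = probe_mmap(PROT_READ | PROT_WRITE);
    int rwx = probe_mmap(PROT_READ | PROT_WRITE | PROT_EXEC);
    printf("RW  anonymous mmap: %s\n", rw  ? strerror(rw)  : "allowed");
    printf("RWX anonymous mmap: %s\n", rwx ? strerror(rwx) : "allowed");
    printf("W+X regions in this process: %d\n",
           count_wx_regions("/proc/self/maps"));
    return rwx == 0;             /* non-zero exit: W+X memory is obtainable */
}
```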