From 1bcec80e956cf027f0123e059a665baabd3ef391 Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Thu, 22 Apr 2010 10:31:33 +0000 Subject: [PATCH] fix for that takeover bug Ethan Robish posted (Windows/PHP) --- lib/core/common.py | 19 ++++++++++--------- lib/takeover/web.py | 20 +++++++++++--------- 2 files changed, 21 insertions(+), 18 deletions(-) diff --git a/lib/core/common.py b/lib/core/common.py index f133901e6..59aebbdef 100644 --- a/lib/core/common.py +++ b/lib/core/common.py @@ -34,10 +34,8 @@ import ntpath import posixpath import subprocess -from StringIO import StringIO from tempfile import NamedTemporaryFile from tempfile import mkstemp -from xml.sax import parse from extra.cloak.cloak import decloak from lib.contrib import magic @@ -255,7 +253,9 @@ def getDocRoot(webApi=None): if isWindowsPath(absFilePath): absFilePathWin = posixToNtSlashes(absFilePath) absFilePath = ntToPosixSlashes(absFilePath[2:]) - + elif isWindowsDriveLetterPath(absFilePath): #e.g. C:/xampp/htdocs + absFilePath = absFilePath[2:] + if pagePath in absFilePath: index = absFilePath.index(pagePath) docRoot = absFilePath[:index] @@ -266,7 +266,7 @@ def getDocRoot(webApi=None): if absFilePathWin: docRoot = "C:/%s" % ntToPosixSlashes(docRoot) - + docRoot = normalizePath(docRoot) break @@ -308,7 +308,7 @@ def getDirs(webApi=None): if absFilePath: directory = directoryPath(absFilePath) if isWindowsPath(directory): - directory = directory.replace('\\', '/') + ntToPosixSlashes(directory) if directory == '/': continue directories.add(directory) @@ -978,7 +978,7 @@ def urlEncodeCookieValues(cookieStr): def directoryPath(path): retVal = None - if isWindowsPath(path): + if isWindowsDriveLetterPath(path): retVal = ntpath.dirname(path) else: retVal = posixpath.dirname(path) 
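Review bot: The new `elif isWindowsDriveLetterPath(absFilePath)` branch in getDocRoot strips the drive with `absFilePath[2:]` but, unlike the `isWindowsPath` branch just above it, never sets `absFilePathWin`, so the later `if absFilePathWin: docRoot = "C:/%s" % ...` rebuild is skipped and a root such as `D:/xampp/htdocs` comes back as `/xampp/htdocs` with no drive at all. The web.py hunk in this commit then does `ntToPosixSlashes(directory).replace(ntToPosixSlashes(kb.docRoot), "/")` against a directory that still carries its drive prefix, which presumably leaves `C://`-style remainders rather than `/`. Keeping the prefix, e.g. `drivePrefix = absFilePath[:2]` in the new branch and prepending it where docRoot is rebuilt, would make both branches agree; the hard-coded `C:/` in the existing branch has the same weakness on other drives. getDocRoot starts and ends outside the hunk.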
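Review bot: In the getDirs hunk the replacement line `ntToPosixSlashes(directory)` discards its return value (strings are immutable), so `directory` keeps its backslashes and the following `if directory == '/'` test and `directories.add(directory)` work on the unconverted path; the removed `directory.replace('\\', '/')` at least assigned the result. It should read `directory = ntToPosixSlashes(directory)`. The enclosing loop of getDirs starts before the hunk.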
@@ -989,10 +989,8 @@ def normalizePath(path): This function must be called only after posixToNtSlashes() and ntToPosixSlashes() """ - retVal = None - - if isWindowsPath(path): + if isWindowsDriveLetterPath(path): retVal = ntpath.normpath(path) else: retVal = posixpath.normpath(path) @@ -1054,6 +1052,9 @@ def decloakToMkstemp(filepath, **kwargs): def isWindowsPath(filepath): return re.search("\A[\w]\:\\\\", filepath) is not None +def isWindowsDriveLetterPath(filepath): + return re.search("\A[\w]\:", filepath) is not None + def posixToNtSlashes(filepath): return filepath.replace('/', '\\') diff --git a/lib/takeover/web.py b/lib/takeover/web.py index c709c2781..97c441b71 100644 --- a/lib/takeover/web.py +++ b/lib/takeover/web.py @@ -33,7 +33,7 @@ from lib.core.common import fileToStr from lib.core.common import getDirs from lib.core.common import getDocRoot from lib.core.common import ntToPosixSlashes -from lib.core.common import isWindowsPath +from lib.core.common import isWindowsDriveLetterPath from lib.core.common import normalizePath from lib.core.common import posixToNtSlashes from lib.core.common import randomStr 
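Review bot: With normalizePath's check widened to `isWindowsDriveLetterPath`, a forward-slash drive path such as `C:/xampp/htdocs` is now routed through `ntpath.normpath`, which rewrites `/` to `\` in its result, so a caller that passed posix slashes gets backslashes back (the web.py hunk in this commit compensates with `ntToPosixSlashes(kb.docRoot)`). The docstring, which starts before the hunk, should say so, e.g. `Drive-letter paths are normalized with ntpath and are returned with backslashes; other paths keep forward slashes.`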
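Review bot: The pattern `"\A[\w]\:"` in the new isWindowsDriveLetterPath is a plain string literal, so it only works because `\A`, `\w` and `\:` happen not to be Python escape sequences; regexes should be raw strings. `\w` also matches digits and underscore, so a value like `1:foo` would be classified as a drive-letter path; `return re.search(r"\A[A-Za-z]:", filepath) is not None` is both explicit and tighter. The same applies to the existing isWindowsPath pattern directly above it.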
@@ -170,24 +170,26 @@ class Web: backdoorName = "tmpb%s.%s" % (randomStr(lowercase=True), self.webApi) backdoorStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, "backdoor.%s_" % self.webApi), backdoorName) originalBackdoorContent = backdoorContent = backdoorStream.read() - + uploaderName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi) uploaderContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "uploader.%s_" % self.webApi)) - + for directory in directories: # Upload the uploader agent self.__webFileInject(uploaderContent, uploaderName, directory) - - requestDir = ntToPosixSlashes(directory).replace(ntToPosixSlashes(kb.docRoot), "/") - if isWindowsPath(requestDir): + requestDir = ntToPosixSlashes(directory) + if requestDir[-1] != '/': + requestDir += '/' + requestDir = requestDir.replace(ntToPosixSlashes(kb.docRoot), "/") + if isWindowsDriveLetterPath(requestDir): requestDir = requestDir[2:] requestDir = normalizePath(requestDir) - + self.webBaseUrl = "%s://%s:%d%s" % (conf.scheme, conf.hostname, conf.port, requestDir) self.webUploaderUrl = "%s/%s" % (self.webBaseUrl.rstrip('/'), uploaderName) self.webUploaderUrl = ntToPosixSlashes(self.webUploaderUrl.replace("./", "/")) uplPage, _ = Request.getPage(url=self.webUploaderUrl, direct=True, raise404=False) - + if "sqlmap file uploader" not in uplPage: warnMsg = "unable to upload the uploader " warnMsg += "agent on '%s'" % directory @@ -198,7 +200,7 @@ class Web: infoMsg = "the uploader agent has been successfully uploaded " infoMsg += "on '%s' ('%s')" % (directory, self.webUploaderUrl) logger.info(infoMsg) - + if self.webApi == "asp": runcmdName = "tmpe%s.exe" % randomStr(lowercase=True) runcmdStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, 'runcmd.exe_'), runcmdName)
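Review bot: `if requestDir[-1] != '/'` raises IndexError when `directory` is an empty string, and because the slash is appended before `replace(ntToPosixSlashes(kb.docRoot), "/")`, a directory equal to the doc root becomes `//` and a subdirectory `//sub/`, which `posixpath.normpath` keeps as a leading double slash, so `self.webBaseUrl` can end up as `http://host:80//sub`. Replacing the doc root with an empty string and then normalising the edges avoids both: `requestDir = ntToPosixSlashes(directory).replace(ntToPosixSlashes(kb.docRoot).rstrip('/'), "")`, `if not requestDir.endswith('/'):`, `requestDir += '/'`. Note that `str.replace` is unanchored and substitutes every occurrence, not only a leading prefix, so a doc root that recurs inside the path would still be mangled. The enclosing Web method starts before the hunk.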