fix for that takeover bug Ethan Robish posted (Windows/PHP)

Miroslav Stampar 2010-04-22 10:31:33 +00:00
parent 7d3a200ab8
commit 1bcec80e95
2 changed files with 21 additions and 18 deletions


@ -34,10 +34,8 @@ import ntpath
import posixpath import posixpath
import subprocess import subprocess
from StringIO import StringIO
from tempfile import NamedTemporaryFile from tempfile import NamedTemporaryFile
from tempfile import mkstemp from tempfile import mkstemp
from xml.sax import parse
from extra.cloak.cloak import decloak from extra.cloak.cloak import decloak
from lib.contrib import magic from lib.contrib import magic
@ -255,7 +253,9 @@ def getDocRoot(webApi=None):
if isWindowsPath(absFilePath): if isWindowsPath(absFilePath):
absFilePathWin = posixToNtSlashes(absFilePath) absFilePathWin = posixToNtSlashes(absFilePath)
absFilePath = ntToPosixSlashes(absFilePath[2:]) absFilePath = ntToPosixSlashes(absFilePath[2:])
elif isWindowsDriveLetterPath(absFilePath): #e.g. C:/xampp/htdocs
absFilePath = absFilePath[2:]
if pagePath in absFilePath: if pagePath in absFilePath:
index = absFilePath.index(pagePath) index = absFilePath.index(pagePath)
docRoot = absFilePath[:index] docRoot = absFilePath[:index]
@ -266,7 +266,7 @@ def getDocRoot(webApi=None):
if absFilePathWin: if absFilePathWin:
docRoot = "C:/%s" % ntToPosixSlashes(docRoot) docRoot = "C:/%s" % ntToPosixSlashes(docRoot)
docRoot = normalizePath(docRoot) docRoot = normalizePath(docRoot)
break break
@ -308,7 +308,7 @@ def getDirs(webApi=None):
if absFilePath: if absFilePath:
directory = directoryPath(absFilePath) directory = directoryPath(absFilePath)
if isWindowsPath(directory): if isWindowsPath(directory):
directory = directory.replace('\\', '/') ntToPosixSlashes(directory)
if directory == '/': if directory == '/':
continue continue
directories.add(directory) directories.add(directory)
@ -978,7 +978,7 @@ def urlEncodeCookieValues(cookieStr):
def directoryPath(path): def directoryPath(path):
retVal = None retVal = None
if isWindowsPath(path): if isWindowsDriveLetterPath(path):
retVal = ntpath.dirname(path) retVal = ntpath.dirname(path)
else: else:
retVal = posixpath.dirname(path) retVal = posixpath.dirname(path)
@ -989,10 +989,8 @@ def normalizePath(path):
This function must be called only after posixToNtSlashes() This function must be called only after posixToNtSlashes()
and ntToPosixSlashes() and ntToPosixSlashes()
""" """
retVal = None retVal = None
if isWindowsDriveLetterPath(path):
if isWindowsPath(path):
retVal = ntpath.normpath(path) retVal = ntpath.normpath(path)
else: else:
retVal = posixpath.normpath(path) retVal = posixpath.normpath(path)
@ -1054,6 +1052,9 @@ def decloakToMkstemp(filepath, **kwargs):
def isWindowsPath(filepath): def isWindowsPath(filepath):
return re.search("\A[\w]\:\\\\", filepath) is not None return re.search("\A[\w]\:\\\\", filepath) is not None
def isWindowsDriveLetterPath(filepath):
return re.search("\A[\w]\:", filepath) is not None
def posixToNtSlashes(filepath): def posixToNtSlashes(filepath):
return filepath.replace('/', '\\') return filepath.replace('/', '\\')
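Review bot: In the new `elif isWindowsDriveLetterPath(absFilePath):` branch of getDocRoot, `absFilePath = absFilePath[2:]` discards the drive prefix without recording it, and the only place a prefix is restored (`docRoot = "C:/%s" % ntToPosixSlashes(docRoot)`) runs for `absFilePathWin` only and hardcodes `C:`, so a document root on another drive (constructed example: `D:/xampp/htdocs`) comes back without its drive letter. Capturing the prefix once before the slice, e.g. `driveLetter = absFilePath[:2]`, and reusing it in the reconstruction as `"%s/%s" % (driveLetter, ntToPosixSlashes(docRoot))` would keep both branches consistent. The getDirs hunk appears to call `ntToPosixSlashes(directory)` without assigning the result back; if that is really the new line and not a rendering artifact, the conversion is a no-op and should read `directory = ntToPosixSlashes(directory)`. The new regex in isWindowsDriveLetterPath, like the one above it, is a non-raw string, so `r"\A\w:"` is safer than relying on Python leaving unknown escapes untouched. getDocRoot and getDirs both start and end outside their hunks.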


@ -33,7 +33,7 @@ from lib.core.common import fileToStr
from lib.core.common import getDirs from lib.core.common import getDirs
from lib.core.common import getDocRoot from lib.core.common import getDocRoot
from lib.core.common import ntToPosixSlashes from lib.core.common import ntToPosixSlashes
from lib.core.common import isWindowsPath from lib.core.common import isWindowsDriveLetterPath
from lib.core.common import normalizePath from lib.core.common import normalizePath
from lib.core.common import posixToNtSlashes from lib.core.common import posixToNtSlashes
from lib.core.common import randomStr from lib.core.common import randomStr
@ -170,24 +170,26 @@ class Web:
backdoorName = "tmpb%s.%s" % (randomStr(lowercase=True), self.webApi) backdoorName = "tmpb%s.%s" % (randomStr(lowercase=True), self.webApi)
backdoorStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, "backdoor.%s_" % self.webApi), backdoorName) backdoorStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, "backdoor.%s_" % self.webApi), backdoorName)
originalBackdoorContent = backdoorContent = backdoorStream.read() originalBackdoorContent = backdoorContent = backdoorStream.read()
uploaderName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi) uploaderName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi)
uploaderContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "uploader.%s_" % self.webApi)) uploaderContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "uploader.%s_" % self.webApi))
for directory in directories: for directory in directories:
# Upload the uploader agent # Upload the uploader agent
self.__webFileInject(uploaderContent, uploaderName, directory) self.__webFileInject(uploaderContent, uploaderName, directory)
requestDir = ntToPosixSlashes(directory)
requestDir = ntToPosixSlashes(directory).replace(ntToPosixSlashes(kb.docRoot), "/") if requestDir[-1] != '/':
if isWindowsPath(requestDir): requestDir += '/'
requestDir = requestDir.replace(ntToPosixSlashes(kb.docRoot), "/")
if isWindowsDriveLetterPath(requestDir):
requestDir = requestDir[2:] requestDir = requestDir[2:]
requestDir = normalizePath(requestDir) requestDir = normalizePath(requestDir)
self.webBaseUrl = "%s://%s:%d%s" % (conf.scheme, conf.hostname, conf.port, requestDir) self.webBaseUrl = "%s://%s:%d%s" % (conf.scheme, conf.hostname, conf.port, requestDir)
self.webUploaderUrl = "%s/%s" % (self.webBaseUrl.rstrip('/'), uploaderName) self.webUploaderUrl = "%s/%s" % (self.webBaseUrl.rstrip('/'), uploaderName)
self.webUploaderUrl = ntToPosixSlashes(self.webUploaderUrl.replace("./", "/")) self.webUploaderUrl = ntToPosixSlashes(self.webUploaderUrl.replace("./", "/"))
uplPage, _ = Request.getPage(url=self.webUploaderUrl, direct=True, raise404=False) uplPage, _ = Request.getPage(url=self.webUploaderUrl, direct=True, raise404=False)
if "sqlmap file uploader" not in uplPage: if "sqlmap file uploader" not in uplPage:
warnMsg = "unable to upload the uploader " warnMsg = "unable to upload the uploader "
warnMsg += "agent on '%s'" % directory warnMsg += "agent on '%s'" % directory
@ -198,7 +200,7 @@ class Web:
infoMsg = "the uploader agent has been successfully uploaded " infoMsg = "the uploader agent has been successfully uploaded "
infoMsg += "on '%s' ('%s')" % (directory, self.webUploaderUrl) infoMsg += "on '%s' ('%s')" % (directory, self.webUploaderUrl)
logger.info(infoMsg) logger.info(infoMsg)
if self.webApi == "asp": if self.webApi == "asp":
runcmdName = "tmpe%s.exe" % randomStr(lowercase=True) runcmdName = "tmpe%s.exe" % randomStr(lowercase=True)
runcmdStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, 'runcmd.exe_'), runcmdName) runcmdStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, 'runcmd.exe_'), runcmdName)
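Review bot: `requestDir[-1]` in the new trailing-slash check raises IndexError when `directory` is the empty string, which the visible getDirs code does not appear to guard against (only `'/'` is skipped there); `if not requestDir.endswith('/'):` covers that case without a length check. The following `requestDir.replace(ntToPosixSlashes(kb.docRoot), "/")` substitutes every occurrence of the document root anywhere in the string rather than only the leading one, and presumably does nothing when the two differ in letter case on a case-insensitive filesystem, so the later `[2:]` slice is then applied to an unreduced path. Anchoring it as a prefix makes the intent explicit: `docRootPosix = ntToPosixSlashes(kb.docRoot)` followed by `if requestDir.startswith(docRootPosix): requestDir = "/" + requestDir[len(docRootPosix):]`. The enclosing method of class Web starts and ends outside the hunk.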