diff --git a/lib/core/enums.py b/lib/core/enums.py
index 36e1fcf19..7283de4b4 100644
--- a/lib/core/enums.py
+++ b/lib/core/enums.py
@@ -229,3 +229,9 @@ class ADJUST_TIME_DELAY:
 DISABLE = -1
 NO = 0
 YES = 1
+
+class WEB_API:
+ PHP = "php"
+ ASP = "asp"
+ ASPX = "aspx"
+ JSP = "jsp"
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 7cc558dc5..c57cfb1e4 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -469,10 +469,10 @@ MAX_HELP_OPTION_LENGTH = 18
 FORMAT_EXCEPTION_STRINGS = ("Type mismatch", "Error converting", "Failed to convert", "System.FormatException", "java.lang.NumberFormatException")
 # Regular expression used for extracting ASP.NET view state values
-VIEWSTATE_REGEX = r'(?P__VIEWSTATE[^"]*)[^>]+value="(?P[^"]+)'
+VIEWSTATE_REGEX = r'(?i)(?P__VIEWSTATE[^"]*)[^>]+value="(?P[^"]+)'
 # Regular expression used for extracting ASP.NET event validation values
-EVENTVALIDATION_REGEX = r'(?P__EVENTVALIDATION[^"]*)[^>]+value="(?P[^"]+)'
+EVENTVALIDATION_REGEX = r'(?i)(?P__EVENTVALIDATION[^"]*)[^>]+value="(?P[^"]+)'
 # Number of rows to generate inside the full union test for limited output (mustn't be too large to prevent payload length problems)
 LIMITED_ROWS_TEST_NUMBER = 15
diff --git a/lib/request/basic.py b/lib/request/basic.py
index 130ad0f00..d64609622 100644
--- a/lib/request/basic.py
+++ b/lib/request/basic.py
@@ -265,7 +265,7 @@ def processResponse(page, responseHeaders):
 if kb.originalPage is None:
 for regex in (EVENTVALIDATION_REGEX, VIEWSTATE_REGEX):
- match = re.search(regex, page, re.I)
+ match = re.search(regex, page)
 if match and PLACE.POST in conf.parameters:
 name, value = match.groups()
 if PLACE.POST in conf.paramDict and name in conf.paramDict[PLACE.POST]:
diff --git a/lib/takeover/web.py b/lib/takeover/web.py
index df0772eb2..2bc816ff2 100644
--- a/lib/takeover/web.py
+++ b/lib/takeover/web.py
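Review bot: The new `WEB_API` class carries no comment explaining what its members are, yet the lib/takeover/web.py hunks both compare `self.webApi` against them and enumerate them with `getPublicTypeMembers(WEB_API, True)` to build the user-facing choice list, so the member set is effectively public. A one-line header would make that contract explicit: `# Server-side languages the web file stager can target; every public member is enumerated into the user prompt (see lib/takeover/web.py), so add nothing here that is not a language`. Without it, a future helper attribute added to this class would silently appear as a selectable option.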
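Review bot: `VIEWSTATE_REGEX` and `EVENTVALIDATION_REGEX` now carry the inline `(?i)` flag and are consumed in two different shapes — lib/request/basic.py unpacks them positionally with `name, value = match.groups()` while the lib/takeover/web.py hunk at @@ -268 hands them to `extractRegexResult`, which presumably looks up a named group — so the group layout has become a shared contract that nothing documents; add above each constant `# NOTE: inline (?i) replaces re.I at call sites; callers rely on exactly two groups (name, value) and on the group names — keep the layout stable`. As rendered here the groups read `(?P__VIEWSTATE[^"]*)` and `(?P[^"]+)` with no group name, which would not compile as a pattern; this looks like `<…>` being lost in rendering, but it is worth confirming the committed source. The patterns also match only `value="…"` with double quotes and only when the name attribute precedes `value` in the tag, so a single-quoted or attribute-reordered hidden field is silently skipped — pre-existing, but worth a comment now that the patterns are shared by two modules.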
@@ -19,6 +19,7 @@ from lib.core.common import decloakToNamedTemporaryFile
 from lib.core.common import extractRegexResult
 from lib.core.common import getDirs
 from lib.core.common import getDocRoot
+from lib.core.common import getPublicTypeMembers
 from lib.core.common import getSQLSnippet
 from lib.core.common import ntToPosixSlashes
 from lib.core.common import isTechniqueAvailable
@@ -37,6 +38,9 @@ from lib.core.data import paths
 from lib.core.enums import DBMS
 from lib.core.enums import OS
 from lib.core.enums import PAYLOAD
+from lib.core.enums import WEB_API
+from lib.core.settings import EVENTVALIDATION_REGEX
+from lib.core.settings import VIEWSTATE_REGEX
 from lib.request.connect import Connect as Request
@@ -85,14 +89,14 @@ class Web:
 def __webFileStreamUpload(self, stream, destFileName, directory):
 stream.seek(0) # Rewind
- if self.webApi in ("php", "asp", "aspx", "jsp"):
+ if self.webApi in getPublicTypeMembers(WEB_API, True):
 multipartParams = {
 "upload": "1",
 "file": stream,
 "uploadDir": directory,
 }
- if self.webApi == "aspx":
+ if self.webApi == WEB_API.ASPX:
 multipartParams['__EVENTVALIDATION'] = kb.data.__EVENTVALIDATION
 multipartParams['__VIEWSTATE'] = kb.data.__VIEWSTATE
@@ -141,7 +145,7 @@ class Web:
 logger.info(infoMsg)
 default = None
- choices = ('asp', 'aspx', 'php', 'jsp')
+ choices = list(getPublicTypeMembers(WEB_API, True))
 for ext in choices:
 if conf.url.endswith(ext):
@@ -150,9 +154,9 @@ class Web:
 if not default:
 if Backend.isOs(OS.WINDOWS):
- default = "asp"
+ default = WEB_API.ASP
 else:
- default = "php"
+ default = WEB_API.PHP
 message = "which web application language does the web server "
 message += "support?\n"
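Review bot: `choices = list(getPublicTypeMembers(WEB_API, True))` in the @@ -141 hunk replaces an explicitly ordered tuple with whatever order the helper yields; the helper's body is outside this diff, but if it enumerates the class by reflection the order becomes alphabetical (asp, aspx, jsp, php) rather than the previous asp, aspx, php, jsp, which changes the numbering shown in the prompt assembled right after (@@ -150) and any index-based handling of the answer further down the method. If the displayed order matters, keep it explicit with `choices = [WEB_API.ASP, WEB_API.ASPX, WEB_API.PHP, WEB_API.JSP]` and leave a comment that the order is user-visible. The same helper call in `__webFileStreamUpload` (@@ -85) is fine for a one-off membership test, but using the same explicit list in both places would keep the supported set in one spot. The method containing the `choices` assignment starts and ends outside this hunk.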
@@ -268,9 +272,9 @@ class Web:
 logger.warn(warnMsg)
 continue
- elif self.webApi == "aspx":
- kb.data.__EVENTVALIDATION = extractRegexResult(r"__EVENTVALIDATION[^>]+value=\"(?P[^\"]+)\"", uplPage, re.I)
- kb.data.__VIEWSTATE = extractRegexResult(r"__VIEWSTATE[^>]+value=\"(?P[^\"]+)\"", uplPage, re.I)
+ elif self.webApi == WEB_API.ASPX:
+ kb.data.__EVENTVALIDATION = extractRegexResult(EVENTVALIDATION_REGEX, uplPage)
+ kb.data.__VIEWSTATE = extractRegexResult(VIEWSTATE_REGEX, uplPage)
 infoMsg = "the file stager has been successfully uploaded "
 infoMsg += "on '%s' - %s" % (localPath, self.webStagerUrl)
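Review bot: Both `extractRegexResult(...)` calls store the helper's result straight into `kb.data.__EVENTVALIDATION` and `kb.data.__VIEWSTATE` with no check, and the @@ -85 hunk later posts those attributes as form fields as-is; if the stager response did not contain the hidden fields (a custom error page, a different template), the code goes on to report a successful upload while holding an empty value. A guard such as `if not (kb.data.__EVENTVALIDATION and kb.data.__VIEWSTATE): logger.warn("unable to extract ASP.NET form state from the stager response")` would surface that before the next request is built. The switch to the shared constants also means these calls now depend on the settings patterns exposing the named group `extractRegexResult` reads — the old inline patterns carried that group themselves (its name is lost in this rendering), so confirm the constants keep the same group name. The enclosing method begins before this hunk.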