Fixes #1248
parent
17bfda1b9c
commit
699c965bc0
|
@ -5,10 +5,11 @@ Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
|
|||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import urlparse
|
||||
import os
|
||||
import posixpath
|
||||
import re
|
||||
import StringIO
|
||||
import urlparse
|
||||
|
||||
from tempfile import mkstemp
|
||||
|
||||
|
@ -130,7 +131,7 @@ class Web:
|
|||
return False
|
||||
|
||||
def _webFileInject(self, fileContent, fileName, directory):
|
||||
outFile = ntToPosixSlashes(os.path.join(directory, fileName))
|
||||
outFile = posixpath.join(ntToPosixSlashes(directory), fileName)
|
||||
uplQuery = getUnicode(fileContent).replace("WRITABLE_DIR", directory.replace('/', '\\\\') if Backend.isOs(OS.WINDOWS) else directory)
|
||||
query = ""
|
||||
|
||||
|
@ -203,19 +204,16 @@ class Web:
|
|||
backdoorName = "tmpb%s.%s" % (randomStr(lowercase=True), self.webApi)
|
||||
backdoorContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "backdoor.%s_" % self.webApi))
|
||||
|
||||
stagerName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi)
|
||||
stagerContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "stager.%s_" % self.webApi))
|
||||
success = False
|
||||
|
||||
for directory in directories:
|
||||
self.webStagerFilePath = ntToPosixSlashes(os.path.join(directory, stagerName))
|
||||
|
||||
if success:
|
||||
break
|
||||
|
||||
if not directory:
|
||||
continue
|
||||
|
||||
stagerName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi)
|
||||
self.webStagerFilePath = posixpath.join(ntToPosixSlashes(directory), stagerName)
|
||||
|
||||
uploaded = False
|
||||
directory = ntToPosixSlashes(normalizePath(directory))
|
||||
|
||||
|
@ -224,6 +222,9 @@ class Web:
|
|||
else:
|
||||
directory = directory[2:] if isWindowsDriveLetterPath(directory) else directory
|
||||
|
||||
if not directory.endswith('/'):
|
||||
directory += '/'
|
||||
|
||||
# Upload the file stager with the LIMIT 0, 1 INTO DUMPFILE method
|
||||
infoMsg = "trying to upload the file stager on '%s' " % directory
|
||||
infoMsg += "via LIMIT 'LINES TERMINATED BY' method"
|
||||
|
@ -254,6 +255,9 @@ class Web:
|
|||
infoMsg += "via UNION method"
|
||||
logger.info(infoMsg)
|
||||
|
||||
stagerName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi)
|
||||
self.webStagerFilePath = posixpath.join(ntToPosixSlashes(directory), stagerName)
|
||||
|
||||
handle, filename = mkstemp()
|
||||
os.fdopen(handle).close() # close low level handle (causing problems later)
|
||||
|
||||
|
@ -278,19 +282,8 @@ class Web:
|
|||
uploaded = True
|
||||
break
|
||||
|
||||
# Extra check - required
|
||||
if not uploaded:
|
||||
self.webBaseUrl = "%s://%s:%d/" % (conf.scheme, conf.hostname, conf.port)
|
||||
self.webStagerUrl = urlparse.urljoin(self.webBaseUrl, stagerName)
|
||||
|
||||
debugMsg = "trying to see if the file is accessible from '%s'" % self.webStagerUrl
|
||||
logger.debug(debugMsg)
|
||||
|
||||
uplPage, _, _ = Request.getPage(url=self.webStagerUrl, direct=True, raise404=False)
|
||||
uplPage = uplPage or ""
|
||||
|
||||
if "sqlmap file uploader" not in uplPage:
|
||||
continue
|
||||
continue
|
||||
|
||||
if "<%" in uplPage or "<?" in uplPage:
|
||||
warnMsg = "file stager uploaded on '%s', " % directory
|
||||
|
@ -343,10 +336,10 @@ class Web:
|
|||
else:
|
||||
continue
|
||||
|
||||
self.webBackdoorUrl = ntToPosixSlashes(os.path.join(self.webBaseUrl, backdoorName))
|
||||
self.webBackdoorUrl = posixpath.join(ntToPosixSlashes(self.webBaseUrl), backdoorName)
|
||||
self.webDirectory = directory
|
||||
|
||||
self.webBackdoorFilePath = ntToPosixSlashes(os.path.join(directory, backdoorName))
|
||||
self.webBackdoorFilePath = posixpath.join(ntToPosixSlashes(directory), backdoorName)
|
||||
|
||||
testStr = "command execution test"
|
||||
output = self.webBackdoorRunCmd("echo %s" % testStr)
|
||||
|
|
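Review bot: In the `for directory in directories:` loop, `self.webStagerFilePath = posixpath.join(ntToPosixSlashes(directory), stagerName)` is evaluated before `directory = ntToPosixSlashes(normalizePath(directory))` and before the later trailing-slash adjustment, whereas the identical pair of lines added ahead of the UNION fallback runs after them, so the attribute can end up with differently shaped paths depending on which branch executed. Moving the first pair below the normalization, or routing both through one small private helper that receives the already-normalized directory, would keep the two call sites in step and remove the duplication. In the last hunk, `posixpath.join(ntToPosixSlashes(self.webBaseUrl), backdoorName)` applies a filesystem path helper to what appears to be a URL; a one-line comment such as `# webBaseUrl is a URL; joined here as a plain '/'-separated string` would make that choice explicit. The loop body and the enclosing method begin and end outside the visible hunks, so the branch structure around these lines is inferred.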