Fixes #1248

lib/takeover/web.py

@@ -5,10 +5,11 @@ Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
-import urlparse
 import os
+import posixpath
 import re
 import StringIO
+import urlparse
 
 from tempfile import mkstemp
 
@@ -130,7 +131,7 @@ class Web:
             return False
 
     def _webFileInject(self, fileContent, fileName, directory):
-        outFile = ntToPosixSlashes(os.path.join(directory, fileName))
+        outFile = posixpath.join(ntToPosixSlashes(directory), fileName)
         uplQuery = getUnicode(fileContent).replace("WRITABLE_DIR", directory.replace('/', '\\\\') if Backend.isOs(OS.WINDOWS) else directory)
         query = ""
 
@@ -203,19 +204,16 @@ class Web:
         backdoorName = "tmpb%s.%s" % (randomStr(lowercase=True), self.webApi)
         backdoorContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "backdoor.%s_" % self.webApi))
 
-        stagerName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi)
         stagerContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "stager.%s_" % self.webApi))
         success = False
 
         for directory in directories:
-            self.webStagerFilePath = ntToPosixSlashes(os.path.join(directory, stagerName))
-
-            if success:
-                break
-
             if not directory:
                 continue
 
+            stagerName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi)
+            self.webStagerFilePath = posixpath.join(ntToPosixSlashes(directory), stagerName)
+
             uploaded = False
             directory = ntToPosixSlashes(normalizePath(directory))
 
@@ -224,6 +222,9 @@ class Web:
             else:
                 directory = directory[2:] if isWindowsDriveLetterPath(directory) else directory
 
+            if not directory.endswith('/'):
+                directory += '/'
+
             # Upload the file stager with the LIMIT 0, 1 INTO DUMPFILE method
             infoMsg = "trying to upload the file stager on '%s' " % directory
             infoMsg += "via LIMIT 'LINES TERMINATED BY' method"
@@ -254,6 +255,9 @@ class Web:
                     infoMsg += "via UNION method"
                     logger.info(infoMsg)
 
+                    stagerName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi)
+                    self.webStagerFilePath = posixpath.join(ntToPosixSlashes(directory), stagerName)
+
                     handle, filename = mkstemp()
                     os.fdopen(handle).close()  # close low level handle (causing problems later)
 
@@ -278,18 +282,7 @@ class Web:
                             uploaded = True
                             break
 
-            # Extra check - required
             if not uploaded:
-                self.webBaseUrl = "%s://%s:%d/" % (conf.scheme, conf.hostname, conf.port)
-                self.webStagerUrl = urlparse.urljoin(self.webBaseUrl, stagerName)
-
-                debugMsg = "trying to see if the file is accessible from '%s'" % self.webStagerUrl
-                logger.debug(debugMsg)
-
-                uplPage, _, _ = Request.getPage(url=self.webStagerUrl, direct=True, raise404=False)
-                uplPage = uplPage or ""
-
-                if "sqlmap file uploader" not in uplPage:
                 continue
 
             if "<%" in uplPage or "<?" in uplPage:
@@ -343,10 +336,10 @@ class Web:
                     else:
                         continue
 
-                self.webBackdoorUrl = ntToPosixSlashes(os.path.join(self.webBaseUrl, backdoorName))
+                self.webBackdoorUrl = posixpath.join(ntToPosixSlashes(self.webBaseUrl), backdoorName)
                 self.webDirectory = directory
 
-            self.webBackdoorFilePath = ntToPosixSlashes(os.path.join(directory, backdoorName))
+            self.webBackdoorFilePath = posixpath.join(ntToPosixSlashes(directory), backdoorName)
 
             testStr = "command execution test"
             output = self.webBackdoorRunCmd("echo %s" % testStr)