diff --git a/lib/contrib/tokenkidnapping/README.txt b/lib/contrib/tokenkidnapping/README.txt
index b5517ddff..bd293d573 100644
--- a/lib/contrib/tokenkidnapping/README.txt
+++ b/lib/contrib/tokenkidnapping/README.txt
@@ -1,7 +1,7 @@
 Due to the anti-virus positive detection of executable stored inside this folder, we needed to somehow circumvent this. As from the plain sqlmap users perspective nothing
-has to be done prior to it's usage by sqlmap, but if you want to have access to the
-original use the decrypt functionality of the ../extra/cloak/cloak.py utility.
+has to be done prior to its usage by sqlmap, but if you want to have access to the
+original executable use the decrypt functionality of the ../extra/cloak/cloak.py utility.
 To prepare the executable to the cloaked form use this command:
 python ../extra/cloak/cloak.py -i Churrasco.exe
diff --git a/lib/core/common.py b/lib/core/common.py
index 5c5a7e147..2a598d8a6 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -32,6 +32,7 @@ import time
 import urlparse
 import ntpath
 import posixpath
+
 from tempfile import NamedTemporaryFile
 from extra.cloak.cloak import decloak
diff --git a/lib/takeover/metasploit.py b/lib/takeover/metasploit.py
index 9bd178e71..c215e7c6c 100644
--- a/lib/takeover/metasploit.py
+++ b/lib/takeover/metasploit.py
@@ -36,6 +36,7 @@ from lib.core.agent import agent
 from lib.core.common import dataToStdout
 from lib.core.common import getLocalIP
 from lib.core.common import getRemoteIP
+from lib.core.common import normalizePath
 from lib.core.common import pollProcess
 from lib.core.common import randomRange
 from lib.core.common import randomStr
@@ -647,6 +648,8 @@ class Metasploit:
 else:
 self.exeFilePathRemote = "%s/%s" % (conf.tmpPath, os.path.basename(self.exeFilePathLocal))
+ self.exeFilePathRemote = normalizePath(self.exeFilePathRemote)
+
 logger.info("uploading payload stager to '%s'" % self.exeFilePathRemote)
 if web:
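Review bot: The new `normalizePath` call rewrites `exeFilePathRemote` right before the `if web:` branch consumes it, yet nothing in this hunk says what `normalizePath` (imported from `lib.core.common` in the hunk above) guarantees — which separator convention it produces, or whether it collapses `..` components — so a reader cannot tell whether the forward-slash path built on the line above survives for the web-upload case, which presumably hands the path to the uploader agent. A one-line comment at the call site would settle it, e.g. `# normalize separators to the target OS convention before the path is logged and handed to the upload/exec path; see normalizePath in lib/core/common.py`. The assignment also sits at the same level as the `logger.info` context line, so it appears to apply to both branches of the preceding `if`/`else`; if the other branch already yields a normalized path, that is worth a note too. The enclosing method starts before and ends after this hunk.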
diff --git a/lib/takeover/web.py b/lib/takeover/web.py
index d90bd1a09..a95e34347 100644
--- a/lib/takeover/web.py
+++ b/lib/takeover/web.py
@@ -76,10 +76,10 @@ class Web:
 return output
 def webFileUpload(self, fileToUpload, destFileName, directory):
- file = open(fileToUpload, "r")
- self.__webFileStreamUpload(file, destFileName, directory)
- file.close()
-
+ inputFile = open(fileToUpload, "r")
+ self.__webFileStreamUpload(inputFile, destFileName, directory)
+ inputFile.close()
+
 def __webFileStreamUpload(self, stream, destFileName, directory):
 if self.webApi == "php":
 multipartParams = {
@@ -89,7 +89,7 @@ class Web:
 }
 page = Request.getPage(url=self.webUploaderUrl, multipart=multipartParams)
- if "Backdoor uploaded" not in page:
+ if "File uploaded" not in page:
 warnMsg = "unable to upload the backdoor through "
 warnMsg += "the uploader agent on '%s'" % directory
 logger.warn(warnMsg)
@@ -179,7 +179,7 @@ class Web:
 self.webUploaderUrl = self.webUploaderUrl.replace("./", "/").replace("\\", "/")
 uplPage, _ = Request.getPage(url=self.webUploaderUrl, direct=True)
- if "sqlmap backdoor uploader" not in uplPage:
+ if "sqlmap file uploader" not in uplPage:
 warnMsg = "unable to upload the uploader "
 warnMsg += "agent on '%s'" % directory
 logger.warn(warnMsg)
@@ -200,6 +200,5 @@
 logger.info(infoMsg)
 break
-
+
 backdoorStream.name = backdoorStream.old_name
-
\ No newline at end of file
diff --git a/shell/uploader.php_ b/shell/uploader.php_
index 96832b835..1f05f1d62 100644
Binary files a/shell/uploader.php_ and b/shell/uploader.php_ differ
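Review bot: The renamed line `inputFile = open(fileToUpload, "r")` still opens the file to upload in text mode, and on Windows under Python 2 (the `urlparse` import in the common.py hunk points at Python 2) that applies newline translation to the bytes being streamed, which silently corrupts a binary payload such as the Metasploit stager that the metasploit.py hunk appears to route through this upload path; it should be `open(fileToUpload, "rb")`. The handle is also leaked whenever `__webFileStreamUpload` raises, because there is no `try`/`finally` around the call; `with open(fileToUpload, "rb") as inputFile:` followed by `self.__webFileStreamUpload(inputFile, destFileName, directory)` fixes both in two lines. The `Web` class continues outside this hunk.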
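Review bot: The retargeted check `if "File uploaded" not in page:` runs a substring test on whatever `Request.getPage` returned, but two hunks later the same call is unpacked as `uplPage, _ = Request.getPage(...)`; if `getPage` returns a `(page, headers)` tuple for the multipart form too, the membership test here is evaluated against a tuple, never matches, and the warning fires on every upload even when it succeeded — worth confirming against `Request.getPage`. If it does return a tuple, the line above should read `page, _ = Request.getPage(url=self.webUploaderUrl, multipart=multipartParams)`. The enclosing `__webFileStreamUpload` method starts before and ends after this hunk.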
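Review bot: The new marker `"sqlmap file uploader"` (like `"File uploaded"` in the previous hunk) is a success signal that has to match byte-for-byte what the uploader agent emits, and that agent ships in this same commit as `shell/uploader.php_`, presumably in cloaked form, which the diff shows only as `Binary files ... differ`, so the coupling cannot be verified from the patch and a future agent change will silently turn every upload into a warning. A comment at the check would at least tell the next maintainer where the other half lives, e.g. `# marker emitted by shell/uploader.php_; keep in sync whenever the uploader agent is regenerated`. The enclosing method starts before and ends after this hunk.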