now ASPX works too for --os-shell

lib/core/common.py

@@ -1626,3 +1626,13 @@ def getPublicTypeMembers(type_):
             retVal.append((name, value))
 
     return retVal
+
+def extractRegexResult(regex, content):
+    retVal = None
+
+    if regex and content and '?P<result>' in regex:
+        match = re.search(regex, content)
+        if match:
+            retVal = match.group("result")
+
+    return retVal

lib/takeover/web.py

@@ -15,6 +15,7 @@ import re
 from extra.cloak.cloak import decloak
 from lib.core.agent import agent
 from lib.core.common import decloakToNamedTemporaryFile
+from lib.core.common import extractRegexResult
 from lib.core.common import getDirs
 from lib.core.common import getDocRoot
 from lib.core.common import ntToPosixSlashes
@@ -83,6 +84,11 @@ class Web:
                                 "uploadDir": directory,
                               }
 
+            if self.webApi == "aspx":
+                page = Request.getPage(url=self.webStagerUrl, content=True, raise404=False)
+                multipartParams['__EVENTVALIDATION'] = extractRegexResult(r"__EVENTVALIDATION[^>]+value=\"(?P<result>[^\"]+)\"", page[0])
+                multipartParams['__VIEWSTATE'] = extractRegexResult(r"__VIEWSTATE[^>]+value=\"(?P<result>[^\"]+)\"", page[0])
+
             page = Request.getPage(url=self.webStagerUrl, multipart=multipartParams, raise404=False)
 
             if "File uploaded" not in page: