From adf97e630f399e207cf1af502a6e6494b3a8af8f Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Sat, 19 Jan 2013 18:04:33 +0000
Subject: [PATCH] add possibility to provide a list of web server document root possible directories for web shell upload in --os-cmd and --os-shell for MySQL

---
 lib/core/common.py | 51 ++++++++++++++++++++++++--------
 lib/takeover/web.py | 4 +--
 plugins/dbms/mysql/filesystem.py | 2 --
 3 files changed, 40 insertions(+), 17 deletions(-)

diff --git a/lib/core/common.py b/lib/core/common.py
index 890cd1f91..4757e015a 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -622,17 +622,40 @@ def getDocRoot():
 warnMsg = "unable to retrieve the web server document root"
 logger.warn(warnMsg)
- message = "please provide the web server document root "
- message += "[%s]: " % ",".join(root for root in defaultDocRoot)
- inputDocRoot = readInput(message, default=defaultDocRoot)
+ docRoot = []
- if inputDocRoot:
- if isinstance(inputDocRoot, basestring):
- docRoot = inputDocRoot.split(',')
+ message = "do you want to provide a text file with a list of "
+ message += "directories to try? [y/N] "
+ answer = readInput(message, default="N")
+
+ if answer and answer.lower() == "y":
+ message = "please provide the directories list file to try: "
+ dirFilePath = readInput(message)
+
+ if dirFilePath:
+ if os.path.isfile(dirFilePath):
+ fd = codecs.open(dirFilePath, "rb", UNICODE_ENCODING)
+
+ for filepath in fd.readlines():
+ docRoot.append(normalizePath(filepath))
+
+ else:
+ errMsg = "provided directory list file %s " % dirFilePath
+ errMsg += "is not a valid file"
+ logger.error(errMsg)
+
+ if len(docRoot) == 0:
+ message = "please provide the web server document root "
+ message += "[%s]: " % ", ".join(root for root in defaultDocRoot)
+ inputDocRoot = readInput(message, default=defaultDocRoot)
+
+ if inputDocRoot:
+ if isinstance(inputDocRoot, basestring):
+ docRoot = inputDocRoot.split(',')
+ else:
+ docRoot = inputDocRoot
 else:
- docRoot = inputDocRoot
- else:
- docRoot = defaultDocRoot
+ docRoot = defaultDocRoot
 return docRoot
@@ -657,8 +680,9 @@ def getDirs():
 if webDir:
 directories.add(webDir)
- message = "please provide any additional web server full path to try "
- message += "to upload the agent [Enter for None]: "
+ message = "please provide additional comma separated file paths to "
+ message += "try to upload the agent inside the possible document "
+ message += "root%s [Enter for None]: " % "s" if len(kb.docRoot) > 1 else ""
 inputDirs = readInput(message)
 if inputDirs:
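Review bot: The handle opened with `fd = codecs.open(dirFilePath, "rb", UNICODE_ENCODING)` is never closed, and every line of the list file is appended unfiltered, so an empty line (`\n`) comes back from `normalizePath` as `.` (both `posixpath.normpath("")` and `ntpath.normpath("")` return `.`) and the current directory is then tried as a document root. Reading the file in a `with` block and skipping lines that are empty after stripping fixes both. A file that passes `os.path.isfile` but is unreadable or not valid in `UNICODE_ENCODING` still raises out of this prompt uncaught; it would be consistent with the `is not a valid file` branch to catch `IOError`/`UnicodeDecodeError` there and log an error instead. The body of `getDocRoot` starts above this hunk.
```python
if os.path.isfile(dirFilePath):
    with codecs.open(dirFilePath, "rb", UNICODE_ENCODING) as fd:
        for line in fd:
            line = line.strip()
            if line:
                docRoot.append(normalizePath(line))
# … unchanged: "is not a valid file" error branch and the fallback prompt …
```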
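Review bot: The last added line of the `getDirs` hunk, `message += "root%s [Enter for None]: " % "s" if len(kb.docRoot) > 1 else ""`, parses as `("root%s [Enter for None]: " % "s") if … else ""` because `%` binds tighter than the conditional expression, so with a single document root the prompt ends at `…inside the possible document ` and the `[Enter for None]` hint disappears. Parenthesize the suffix: `message += "root%s [Enter for None]: " % ("s" if len(kb.docRoot) > 1 else "")`. The `len()` call also relies on `kb.docRoot` already being a list, which holds only because web.py assigns `arrayizeValue(getDocRoot())` before calling `getDirs`; the function starts above this hunk.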
@@ -1325,8 +1349,9 @@ def normalizePath(filepath):
 retVal = filepath
- if filepath:
- retVal = ntpath.normpath(filepath) if isWindowsDriveLetterPath(filepath) else posixpath.normpath(filepath)
+ if retVal:
+ retVal = retVal.strip("\r").strip("\n")
+ retVal = ntpath.normpath(retVal) if isWindowsDriveLetterPath(retVal) else posixpath.normpath(retVal)
 return retVal
diff --git a/lib/takeover/web.py b/lib/takeover/web.py
index 04ec5e7f1..74736aee1 100644
--- a/lib/takeover/web.py
+++ b/lib/takeover/web.py
@@ -191,7 +191,7 @@ class Web:
 self.webApi = choices[int(choice) - 1]
 break
- kb.docRoot = getDocRoot()
+ kb.docRoot = arrayizeValue(getDocRoot())
 directories = sorted(getDirs())
 backdoorName = "tmpb%s.%s" % (randomStr(lowercase=True), self.webApi)
@@ -202,7 +202,7 @@ class Web:
 success = False
- for docRoot in arrayizeValue(kb.docRoot):
+ for docRoot in kb.docRoot:
 if success:
 break
diff --git a/plugins/dbms/mysql/filesystem.py b/plugins/dbms/mysql/filesystem.py
index 20f0c832e..7a57ed09b 100644
--- a/plugins/dbms/mysql/filesystem.py
+++ b/plugins/dbms/mysql/filesystem.py
@@ -100,8 +100,6 @@ class Filesystem(GenericFilesystem):
 sqlQuery = "%s INTO DUMPFILE '%s'" % (fcEncodedStr, dFile)
 unionUse(sqlQuery, unpack=False)
- self.askCheckWrittenFile(wFile, dFile)
-
 warnMsg = "expect junk characters inside the "
 warnMsg += "file as a leftover from UNION query"
 singleTimeWarnMessage(warnMsg)
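Review bot: `retVal = retVal.strip("\r").strip("\n")` does not remove a CRLF terminator: `strip("\r")` leaves `path\r\n` untouched because the string ends in `\n`, and the following `strip("\n")` then yields `path\r`, so entries read from a directory-list file with Windows line endings keep a trailing carriage return in the path. Strip both characters as one set instead, `retVal = retVal.strip("\r\n")`. A value that is empty after stripping still reaches `posixpath.normpath`, which returns `.`, so either re-check `if retVal:` after the strip or make callers filter blank input; the rest of `normalizePath` is visible in the hunk.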