From c5b71cff1082d91a51f6de237db36cacdd496b7b Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Thu, 21 Aug 2014 01:12:44 +0200
Subject: [PATCH] Some filtering
---
 lib/core/common.py | 6 +++---
 lib/core/dicts.py | 2 +-
 lib/core/settings.py | 2 +-
 lib/takeover/web.py | 11 ++++++-----
 4 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/lib/core/common.py b/lib/core/common.py
index 5d7deff09..e14e4a0d3 100755
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -665,7 +665,7 @@ def getManualDirectories():
 message += "[1] common location(s) '%s' (default)\n" % ", ".join(root for root in defaultDocRoot)
 message += "[2] custom location(s)\n"
 message += "[3] custom directory list file\n"
- message += "[4] brute force search\n"
+ message += "[4] brute force search"
 choice = readInput(message, default="1").strip()
 if choice == "2":
@@ -701,10 +701,10 @@ def getManualDirectories():
 if BRUTE_DOC_ROOT_TARGET_MARK not in prefix:
 break
- infoMsg = "using common directories: %s" % ','.join(directories)
+ infoMsg = "using generated directory list: %s" % ','.join(directories)
 logger.info(infoMsg)
- msg = "use additional custom directories [Enter for None]: "
+ msg = "use any additional custom directories [Enter for None]: "
 answer = readInput(msg)
 if answer:
diff --git a/lib/core/dicts.py b/lib/core/dicts.py
index 0641f22c2..c9cd0cd51 100644
--- a/lib/core/dicts.py
+++ b/lib/core/dicts.py
@@ -223,5 +223,5 @@ DUMP_DATA_PREPROCESS = {
 DEFAULT_DOC_ROOTS = {
 OS.WINDOWS: ("C:/xampp/htdocs/", "C:/Inetpub/wwwroot/"),
- OS.LINUX: ("/var/www/",)
+ OS.LINUX: ("/var/www/", "/var/www/html", "/usr/local/apache2/htdocs", "/var/www/nginx-default") # Reference: https://wiki.apache.org/httpd/DistrosDefaultLayout
 }
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 250bedf8e..457faeabd 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
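Review bot: The new OS.LINUX tuple in DEFAULT_DOC_ROOTS mixes conventions: `"/var/www/"` keeps its trailing slash while the three added entries (`"/var/www/html"`, `"/usr/local/apache2/htdocs"`, `"/var/www/nginx-default"`) have none, whereas every OS.WINDOWS entry in the same table ends in `/`. If any consumer builds paths from these entries by plain string concatenation rather than a join, the slash-less entries will behave differently from the first one; either drop the slash from `"/var/www/"` or add one to the new entries so the table is uniform. The `# Reference: https://wiki.apache.org/httpd/DistrosDefaultLayout` comment would also read better on its own line above the tuple than trailing a very long element line.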
@@ -592,7 +592,7 @@ NETSCAPE_FORMAT_HEADER_COOKIES = "# Netscape HTTP Cookie File."
 # Prefixes used in brute force search for web server document root
 BRUTE_DOC_ROOT_PREFIXES = {
- OS.LINUX: ("/var/www", "/usr/local/apache", "/usr/local/apache2", "/usr/local/www/apache22", "/usr/local/www/apache24", "/usr/local/httpd", "/srv/www", "/var/www/%TARGET%", "/var/www/vhosts/%TARGET%", "/var/www/virtual/%TARGET%", "/var/www/clients/vhosts/%TARGET%", "/var/www/clients/virtual/%TARGET%"),
+ OS.LINUX: ("/var/www", "/usr/local/apache", "/usr/local/apache2", "/usr/local/www/apache22", "/usr/local/www/apache24", "/usr/local/httpd", "/var/www/nginx-default", "/srv/www", "/var/www/%TARGET%", "/var/www/vhosts/%TARGET%", "/var/www/virtual/%TARGET%", "/var/www/clients/vhosts/%TARGET%", "/var/www/clients/virtual/%TARGET%"),
 OS.WINDOWS: ("/xampp", "/Program Files/xampp", "/wamp", "/Program Files/wampp", "/apache", "/Program Files/Apache Group/Apache", "/Program Files/Apache Group/Apache2", "/Program Files/Apache Group/Apache2.2", "/Program Files/Apache Group/Apache2.4", "/Inetpub/wwwroot", "/Inetpub/wwwroot/%TARGET%", "/Inetpub/vhosts/%TARGET%")
 }
diff --git a/lib/takeover/web.py b/lib/takeover/web.py
index 61f376949..cee0afd88 100644
--- a/lib/takeover/web.py
+++ b/lib/takeover/web.py
@@ -46,6 +46,7 @@ from lib.core.settings import BACKDOOR_RUN_CMD_TIMEOUT
 from lib.core.settings import EVENTVALIDATION_REGEX
 from lib.core.settings import VIEWSTATE_REGEX
 from lib.request.connect import Connect as Request
+from thirdparty.oset.pyoset import oset
 class Web:
@@ -197,7 +198,7 @@ class Web:
 directories = list(arrayizeValue(getManualDirectories()))
 directories.extend(getAutoDirectories())
- directories = sorted(set(directories))
+ directories = list(oset(directories))
 backdoorName = "tmpb%s.%s" % (randomStr(lowercase=True), self.webApi)
 backdoorContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "backdoor.%s_" % self.webApi))
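Review bot: `directories = list(oset(directories))` in the second lib/takeover/web.py hunk silently changes the list from alphabetically sorted to insertion-ordered, and nothing in the hunk records why; a comment such as `# ordered set: keep manual (user-supplied) directories ahead of auto-detected ones, without duplicates` would capture the intent, which I am inferring from the two preceding lines. The deduplication is by exact string, so the same directory given with and without a trailing slash (the DEFAULT_DOC_ROOTS entries changed in lib/core/dicts.py by this same commit mix both forms) survives as two entries and the later per-directory work runs twice for it; if that matters, normalise the trailing-separator form before the `oset` call. The enclosing method of class Web starts and ends outside the hunk.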
@@ -220,9 +221,9 @@ class Web:
 else:
 directory = directory[2:] if isWindowsDriveLetterPath(directory) else directory
- # Upload the file stager with the LIMIT 0, 1 INTO DUMPFILE technique
+ # Upload the file stager with the LIMIT 0, 1 INTO DUMPFILE method
 infoMsg = "trying to upload the file stager on '%s' " % directory
- infoMsg += "via LIMIT 'LINES TERMINATED BY' technique"
+ infoMsg += "via LIMIT 'LINES TERMINATED BY' method"
 logger.info(infoMsg)
 self._webFileInject(stagerContent, stagerName, directory)
@@ -239,7 +240,7 @@ class Web:
 uploaded = True
 break
- # Fall-back to UNION queries file upload technique
+ # Fall-back to UNION queries file upload method
 if not uploaded:
 warnMsg = "unable to upload the file stager "
 warnMsg += "on '%s'" % directory
@@ -247,7 +248,7 @@ class Web:
 if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
 infoMsg = "trying to upload the file stager on '%s' " % directory
- infoMsg += "via UNION technique"
+ infoMsg += "via UNION method"
 logger.info(infoMsg)
 handle, filename = mkstemp()