Closing work on Issue #83

lib/core/common.py

@@ -85,6 +85,7 @@ from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
 from lib.core.settings import DEFAULT_COOKIE_DELIMITER
 from lib.core.settings import DEFAULT_GET_POST_DELIMITER
 from lib.core.settings import DUMMY_USER_INJECTION
+from lib.core.settings import GENERIC_DOC_ROOT_DIRECTORY_NAMES
 from lib.core.settings import INFERENCE_UNKNOWN_CHAR
 from lib.core.settings import UNICODE_ENCODING
 from lib.core.settings import DBMS_DICT
@@ -590,38 +591,36 @@ def getDocRoot():
     docRoot = None
     pagePath = directoryPath(conf.path)
 
-    if Backend.isOs(OS.WINDOWS):
+    defaultDocRoot = ("C:/xampp/htdocs/", "C:/Inetpub/wwwroot/") if Backend.isOs(OS.WINDOWS) else ("/var/www/",)
-        defaultDocRoot = ["C:/xampp/htdocs/", "C:/Inetpub/wwwroot/"]
-    else:
-        defaultDocRoot = ["/var/www/"]
 
     if kb.absFilePaths:
         for absFilePath in kb.absFilePaths:
+            if docRoot:
+                break
+
             if directoryPath(absFilePath) == '/':
                 continue
 
             absFilePath = normalizePath(absFilePath)
-            absFilePathWin = None
+            windowsDriveLetter = None
 
-            if isWindowsPath(absFilePath):
+            if isWindowsDriveLetterPath(absFilePath):
-                absFilePathWin = posixToNtSlashes(absFilePath)
+                windowsDriveLetter, absFilePath = absFilePath[:2], absFilePath[2:]
-                absFilePath = ntToPosixSlashes(absFilePath[2:])
+                absFilePath = ntToPosixSlashes(posixToNtSlashes(absFilePath))
-            elif isWindowsDriveLetterPath(absFilePath):
-                absFilePath = absFilePath[2:]
 
-            if pagePath in absFilePath:
+            if any("/%s/" % _ in absFilePath for _ in GENERIC_DOC_ROOT_DIRECTORY_NAMES):
-                index = absFilePath.index(pagePath)
+                for _ in GENERIC_DOC_ROOT_DIRECTORY_NAMES:
-                docRoot = absFilePath[:index]
+                    _ = "/%s/" % _
+                    if _ in absFilePath:
+                        docRoot = "%s%s" % (absFilePath.split(_)[0], _)
+                        break
 
-                if len(docRoot) == 0:
+            elif pagePath in absFilePath:
-                    docRoot = None
+                docRoot = absFilePath.split(pagePath)[0]
-                    continue
+                if windowsDriveLetter:
-
+                    docRoot = "%s/%s" % (windowsDriveLetter, ntToPosixSlashes(docRoot))
-                if absFilePathWin:
-                    docRoot = "C:/%s" % ntToPosixSlashes(docRoot)
 
     docRoot = normalizePath(docRoot)
-                break
 
     if docRoot:
         infoMsg = "retrieved the web server document root: '%s'" % docRoot
@@ -1348,14 +1347,24 @@ def directoryPath(filepath):
     Returns directory path for a given filepath
     """
 
-    return ntpath.dirname(filepath) if isWindowsDriveLetterPath(filepath) else posixpath.dirname(filepath)
+    retVal = filepath
+
+    if filepath:
+        retVal = ntpath.dirname(filepath) if isWindowsDriveLetterPath(filepath) else posixpath.dirname(filepath)
+
+    return retVal
 
 def normalizePath(filepath):
     """
     Returns normalized string representation of a given filepath
     """
 
-    return ntpath.normpath(filepath) if isWindowsDriveLetterPath(filepath) else posixpath.normpath(filepath)
+    retVal = filepath
+
+    if filepath:
+        retVal = ntpath.normpath(filepath) if isWindowsDriveLetterPath(filepath) else posixpath.normpath(filepath)
+
+    return retVal
 
 def safeStringFormat(format_, params):
     """

lib/core/settings.py

@@ -512,3 +512,6 @@ CHECK_ZERO_COLUMNS_THRESHOLD = 10
 
 # Boldify all logger messages containing these "patterns"
 BOLD_PATTERNS = ("' injectable", "might be injectable", "' is vulnerable", "is not injectable")
+
+# Generic www root directory names
+GENERIC_DOC_ROOT_DIRECTORY_NAMES = ("htdocs", "wwwroot", "www")

lib/takeover/web.py

@@ -12,6 +12,7 @@ import re
 
 from extra.cloak.cloak import decloak
 from lib.core.agent import agent
+from lib.core.common import arrayizeValue
 from lib.core.common import Backend
 from lib.core.common import decloakToNamedTemporaryFile
 from lib.core.common import extractRegexResult
@@ -177,7 +178,7 @@ class Web:
                 break
 
         kb.docRoot = getDocRoot()
-        directories = getDirs().sort()
+        directories = sorted(getDirs())
 
         backdoorName = "tmpb%s.%s" % (randomStr(lowercase=True), self.webApi)
         backdoorStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, "backdoor.%s_" % self.webApi), backdoorName)
@@ -188,14 +189,14 @@ class Web:
 
         success = False
 
-        for docRoot in kb.docRoot:
+        for docRoot in arrayizeValue(kb.docRoot):
             if success:
                 break
 
             for directory in directories:
                 uriPath = ""
 
-                if not all(isinstance(item, basestring) for item in (docRoot, directory)):
+                if not all(isinstance(_, basestring) for _ in (docRoot, directory)):
                     continue
 
                 directory = ntToPosixSlashes(normalizePath(directory)).replace("//", "/").rstrip('/')