Closing work on Issue #83

2025-02-03 05:04:11 +03:00 · 2012-07-13 11:23:21 +02:00 · 2012-07-13 11:23:21 +02:00 · c5ecc8b8db
commit c5ecc8b8db
parent 48f68bd076
3 changed files with 39 additions and 26 deletions
--- a/lib/core/common.py
+++ b/lib/core/common.py
@ -85,6 +85,7 @@ from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
 from lib.core.settings import DEFAULT_COOKIE_DELIMITER
 from lib.core.settings import DEFAULT_GET_POST_DELIMITER
 from lib.core.settings import DUMMY_USER_INJECTION
+from lib.core.settings import GENERIC_DOC_ROOT_DIRECTORY_NAMES
 from lib.core.settings import INFERENCE_UNKNOWN_CHAR
 from lib.core.settings import UNICODE_ENCODING
 from lib.core.settings import DBMS_DICT
@ -590,38 +591,36 @@ def getDocRoot():
    docRoot = None
    pagePath = directoryPath(conf.path)

-    if Backend.isOs(OS.WINDOWS):
-        defaultDocRoot = ["C:/xampp/htdocs/", "C:/Inetpub/wwwroot/"]
-    else:
-        defaultDocRoot = ["/var/www/"]
+    defaultDocRoot = ("C:/xampp/htdocs/", "C:/Inetpub/wwwroot/") if Backend.isOs(OS.WINDOWS) else ("/var/www/",)

    if kb.absFilePaths:
        for absFilePath in kb.absFilePaths:
+            if docRoot:
+                break
+
            if directoryPath(absFilePath) == '/':
                continue

            absFilePath = normalizePath(absFilePath)
-            absFilePathWin = None
+            windowsDriveLetter = None

-            if isWindowsPath(absFilePath):
-                absFilePathWin = posixToNtSlashes(absFilePath)
-                absFilePath = ntToPosixSlashes(absFilePath[2:])
-            elif isWindowsDriveLetterPath(absFilePath):
-                absFilePath = absFilePath[2:]
+            if isWindowsDriveLetterPath(absFilePath):
+                windowsDriveLetter, absFilePath = absFilePath[:2], absFilePath[2:]
+                absFilePath = ntToPosixSlashes(posixToNtSlashes(absFilePath))

-            if pagePath in absFilePath:
-                index = absFilePath.index(pagePath)
-                docRoot = absFilePath[:index]
+            if any("/%s/" % _ in absFilePath for _ in GENERIC_DOC_ROOT_DIRECTORY_NAMES):
+                for _ in GENERIC_DOC_ROOT_DIRECTORY_NAMES:
+                    _ = "/%s/" % _
+                    if _ in absFilePath:
+                        docRoot = "%s%s" % (absFilePath.split(_)[0], _)
+                        break

-                if len(docRoot) == 0:
-                    docRoot = None
-                    continue
-
-                if absFilePathWin:
-                    docRoot = "C:/%s" % ntToPosixSlashes(docRoot)
+            elif pagePath in absFilePath:
+                docRoot = absFilePath.split(pagePath)[0]
+                if windowsDriveLetter:
+                    docRoot = "%s/%s" % (windowsDriveLetter, ntToPosixSlashes(docRoot))

    docRoot = normalizePath(docRoot)
-                break

    if docRoot:
        infoMsg = "retrieved the web server document root: '%s'" % docRoot
@ -1348,14 +1347,24 @@ def directoryPath(filepath):
    Returns directory path for a given filepath
    """

-    return ntpath.dirname(filepath) if isWindowsDriveLetterPath(filepath) else posixpath.dirname(filepath)
+    retVal = filepath
+
+    if filepath:
+        retVal = ntpath.dirname(filepath) if isWindowsDriveLetterPath(filepath) else posixpath.dirname(filepath)
+
+    return retVal

 def normalizePath(filepath):
    """
    Returns normalized string representation of a given filepath
    """

-    return ntpath.normpath(filepath) if isWindowsDriveLetterPath(filepath) else posixpath.normpath(filepath)
+    retVal = filepath
+
+    if filepath:
+        retVal = ntpath.normpath(filepath) if isWindowsDriveLetterPath(filepath) else posixpath.normpath(filepath)
+
+    return retVal

 def safeStringFormat(format_, params):
    """
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -512,3 +512,6 @@ CHECK_ZERO_COLUMNS_THRESHOLD = 10

 # Boldify all logger messages containing these "patterns"
 BOLD_PATTERNS = ("' injectable", "might be injectable", "' is vulnerable", "is not injectable")
+
+# Generic www root directory names
+GENERIC_DOC_ROOT_DIRECTORY_NAMES = ("htdocs", "wwwroot", "www")
--- a/lib/takeover/web.py
+++ b/lib/takeover/web.py
@ -12,6 +12,7 @@ import re

 from extra.cloak.cloak import decloak
 from lib.core.agent import agent
+from lib.core.common import arrayizeValue
 from lib.core.common import Backend
 from lib.core.common import decloakToNamedTemporaryFile
 from lib.core.common import extractRegexResult
@ -177,7 +178,7 @@ class Web:
                break

        kb.docRoot = getDocRoot()
-        directories = getDirs().sort()
+        directories = sorted(getDirs())

        backdoorName = "tmpb%s.%s" % (randomStr(lowercase=True), self.webApi)
        backdoorStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, "backdoor.%s_" % self.webApi), backdoorName)
@ -188,14 +189,14 @@ class Web:

        success = False

-        for docRoot in kb.docRoot:
+        for docRoot in arrayizeValue(kb.docRoot):
            if success:
                break

            for directory in directories:
                uriPath = ""

-                if not all(isinstance(item, basestring) for item in (docRoot, directory)):
+                if not all(isinstance(_, basestring) for _ in (docRoot, directory)):
                    continue

                directory = ntToPosixSlashes(normalizePath(directory)).replace("//", "/").rstrip('/')