fix for that takeover bug Ethan Robish posted (Windows/PHP)
1 parent 7d3a200 commit 1bcec80

2 files changed

Lines changed: 21 additions & 18 deletions

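--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -34,10 +34,8 @@
 import posixpath
 import subprocess
 
-from StringIO import StringIO
 from tempfile import NamedTemporaryFile
 from tempfile import mkstemp
-from xml.sax import parse
 
 from extra.cloak.cloak import decloak
 from lib.contrib import magic
@@ -255,7 +253,9 @@ def getDocRoot(webApi=None):
 if isWindowsPath(absFilePath):
 absFilePathWin = posixToNtSlashes(absFilePath)
 absFilePath = ntToPosixSlashes(absFilePath[2:])
-
+elif isWindowsDriveLetterPath(absFilePath): #e.g. C:/xampp/htdocs
+absFilePath = absFilePath[2:]
+
 if pagePath in absFilePath:
 index = absFilePath.index(pagePath)
 docRoot = absFilePath[:index]
@@ -266,7 +266,7 @@ def getDocRoot(webApi=None):
 
 if absFilePathWin:
 docRoot = "C:/%s" % ntToPosixSlashes(docRoot)
-
+
 docRoot = normalizePath(docRoot)
 break
 
@@ -308,7 +308,7 @@ def getDirs(webApi=None):
 if absFilePath:
 directory = directoryPath(absFilePath)
 if isWindowsPath(directory):
-directory = directory.replace('\\', '/')
+ntToPosixSlashes(directory)
 if directory == '/':
 continue
 directories.add(directory)
@@ -978,7 +978,7 @@ def urlEncodeCookieValues(cookieStr):
 
 def directoryPath(path):
 retVal = None
-if isWindowsPath(path):
+if isWindowsDriveLetterPath(path):
 retVal = ntpath.dirname(path)
 else:
 retVal = posixpath.dirname(path)
@@ -989,10 +989,8 @@ def normalizePath(path):
 This function must be called only after posixToNtSlashes()
 and ntToPosixSlashes()
 """
-
 retVal = None
-
-if isWindowsPath(path):
+if isWindowsDriveLetterPath(path):
 retVal = ntpath.normpath(path)
 else:
 retVal = posixpath.normpath(path)
@@ -1054,6 +1052,9 @@ def decloakToMkstemp(filepath, **kwargs):
 def isWindowsPath(filepath):
 return re.search("\A[\w]\:\\\\", filepath) is not None
 
+def isWindowsDriveLetterPath(filepath):
+return re.search("\A[\w]\:", filepath) is not None
+
 def posixToNtSlashes(filepath):
 return filepath.replace('/', '\\')
 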
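Review bot: In the getDirs hunk the rewritten line `ntToPosixSlashes(directory)` discards its return value, so `directory` keeps its backslashes and the behaviour of the removed `directory.replace('\\', '/')` is lost; it should read `directory = ntToPosixSlashes(directory)`. As written, the following `if directory == '/'` test and `directories.add(directory)` operate on the unconverted NT path, which is presumably not what the callers that now go through isWindowsDriveLetterPath expect. getDirs starts and ends outside this hunk. Separately, the new `isWindowsDriveLetterPath` pattern `"\A[\w]\:"` is not a raw string and `\w` also admits digits and underscore as a "drive letter"; `r"\A[A-Za-z]:"` states the intent more tightly.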
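--- a/lib/takeover/web.py
+++ b/lib/takeover/web.py
@@ -33,7 +33,7 @@
 from lib.core.common import getDirs
 from lib.core.common import getDocRoot
 from lib.core.common import ntToPosixSlashes
-from lib.core.common import isWindowsPath
+from lib.core.common import isWindowsDriveLetterPath
 from lib.core.common import normalizePath
 from lib.core.common import posixToNtSlashes
 from lib.core.common import randomStr
@@ -170,24 +170,26 @@ def webInit(self):
 backdoorName = "tmpb%s.%s" % (randomStr(lowercase=True), self.webApi)
 backdoorStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, "backdoor.%s_" % self.webApi), backdoorName)
 originalBackdoorContent = backdoorContent = backdoorStream.read()
-
+
 uploaderName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi)
 uploaderContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "uploader.%s_" % self.webApi))
-
+
 for directory in directories:
 # Upload the uploader agent
 self.__webFileInject(uploaderContent, uploaderName, directory)
-
-requestDir = ntToPosixSlashes(directory).replace(ntToPosixSlashes(kb.docRoot), "/")
-if isWindowsPath(requestDir):
+requestDir = ntToPosixSlashes(directory)
+if requestDir[-1] != '/':
+requestDir += '/'
+requestDir = requestDir.replace(ntToPosixSlashes(kb.docRoot), "/")
+if isWindowsDriveLetterPath(requestDir):
 requestDir = requestDir[2:]
 requestDir = normalizePath(requestDir)
-
+
 self.webBaseUrl = "%s://%s:%d%s" % (conf.scheme, conf.hostname, conf.port, requestDir)
 self.webUploaderUrl = "%s/%s" % (self.webBaseUrl.rstrip('/'), uploaderName)
 self.webUploaderUrl = ntToPosixSlashes(self.webUploaderUrl.replace("./", "/"))
 uplPage, _ = Request.getPage(url=self.webUploaderUrl, direct=True, raise404=False)
-
+
 if "sqlmap file uploader" not in uplPage:
 warnMsg = "unable to upload the uploader "
 warnMsg += "agent on '%s'" % directory
@@ -198,7 +200,7 @@ def webInit(self):
 infoMsg = "the uploader agent has been successfully uploaded "
 infoMsg += "on '%s' ('%s')" % (directory, self.webUploaderUrl)
 logger.info(infoMsg)
-
+
 if self.webApi == "asp":
 runcmdName = "tmpe%s.exe" % randomStr(lowercase=True)
 runcmdStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, 'runcmd.exe_'), runcmdName)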
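Review bot: The doc-root stripping on new line 183, `requestDir = requestDir.replace(ntToPosixSlashes(kb.docRoot), "/")`, is an unanchored substring replace: a directory that merely contains the doc-root string later in its path (or contains it twice) is rewritten in the middle, and a directory outside the doc root passes through unchanged and is then used verbatim as the URL path of the uploader request. A prefix match expresses what the mapping means: `docRootPosix = ntToPosixSlashes(kb.docRoot).rstrip('/') + '/'`, `if requestDir.startswith(docRootPosix):`, `requestDir = "/" + requestDir[len(docRootPosix):]`, otherwise skip the directory with a warning. The trailing-slash fix just above also assumes a non-empty string: `requestDir[-1]` raises IndexError if an empty directory ever reaches this loop, and `if not requestDir.endswith('/')` avoids that without changing the result. webInit begins before this hunk and continues past it.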