diff --git a/lib/core/settings.py b/lib/core/settings.py index 741fe3c27..118286cc6 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME from lib.core.enums import OS # sqlmap version (...) -VERSION = "1.2.2.8" +VERSION = "1.2.2.9" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) @@ -299,6 +299,10 @@ BASIC_HELP_ITEMS = ( "wizard", ) +# Tags used for value replacements inside shell scripts +SHELL_WRITABLE_DIR_TAG = "%WRITABLE_DIR%" +SHELL_RUNCMD_EXE_TAG = "%RUNCMD_EXE%" + # String representation for NULL value NULL = "NULL" diff --git a/lib/takeover/web.py b/lib/takeover/web.py index 2952a127f..2395b06b2 100644 --- a/lib/takeover/web.py +++ b/lib/takeover/web.py @@ -47,6 +47,8 @@ from lib.core.enums import WEB_API from lib.core.exception import SqlmapNoneDataException from lib.core.settings import BACKDOOR_RUN_CMD_TIMEOUT from lib.core.settings import EVENTVALIDATION_REGEX +from lib.core.settings import SHELL_RUNCMD_EXE_TAG +from lib.core.settings import SHELL_WRITABLE_DIR_TAG from lib.core.settings import VIEWSTATE_REGEX from lib.request.connect import Connect as Request from thirdparty.oset.pyoset import oset @@ -134,7 +136,7 @@ class Web: def _webFileInject(self, fileContent, fileName, directory): outFile = posixpath.join(ntToPosixSlashes(directory), fileName) - uplQuery = getUnicode(fileContent).replace("WRITABLE_DIR", directory.replace('/', '\\\\') if Backend.isOs(OS.WINDOWS) else directory) + uplQuery = getUnicode(fileContent).replace(SHELL_WRITABLE_DIR_TAG, directory.replace('/', '\\\\') if Backend.isOs(OS.WINDOWS) else directory) query = "" if isTechniqueAvailable(kb.technique): @@ -324,7 +326,7 @@ class Web: with open(filename, "w+b") as f: _ = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "stagers", "stager.%s_" % self.webApi)) - _ = _.replace("WRITABLE_DIR", utf8encode(directory.replace('/', '\\\\') if Backend.isOs(OS.WINDOWS) else directory)) + _ = _.replace(SHELL_WRITABLE_DIR_TAG, utf8encode(directory.replace('/', '\\\\') if Backend.isOs(OS.WINDOWS) else directory)) f.write(_) self.unionWriteFile(filename, self.webStagerFilePath, "text", forceCheck=True) @@ -369,7 +371,7 @@ class Web: continue _ = "tmpe%s.exe" % randomStr(lowercase=True) - if self.webUpload(backdoorName, backdoorDirectory, content=backdoorContent.replace("WRITABLE_DIR", backdoorDirectory).replace("RUNCMD_EXE", _)): + if self.webUpload(backdoorName, backdoorDirectory, content=backdoorContent.replace(SHELL_WRITABLE_DIR_TAG, backdoorDirectory).replace(SHELL_RUNCMD_EXE_TAG, _)): self.webUpload(_, backdoorDirectory, filepath=os.path.join(paths.SQLMAP_EXTRAS_PATH, "runcmd", "runcmd.exe_")) self.webBackdoorUrl = "%s/Scripts/%s" % (self.webBaseUrl, backdoorName) self.webDirectory = backdoorDirectory diff --git a/shell/backdoors/backdoor.asp_ b/shell/backdoors/backdoor.asp_ index d126faee7..9f9a20586 100644 Binary files a/shell/backdoors/backdoor.asp_ and b/shell/backdoors/backdoor.asp_ differ diff --git a/shell/stagers/stager.asp_ b/shell/stagers/stager.asp_ index 75a64c1fc..7918d6ac7 100644 Binary files a/shell/stagers/stager.asp_ and b/shell/stagers/stager.asp_ differ diff --git a/shell/stagers/stager.aspx_ b/shell/stagers/stager.aspx_ index 54d565039..3a5a9b14e 100644 Binary files a/shell/stagers/stager.aspx_ and b/shell/stagers/stager.aspx_ differ diff --git a/shell/stagers/stager.jsp_ b/shell/stagers/stager.jsp_ index 0aa088601..ccda376ed 100644 Binary files a/shell/stagers/stager.jsp_ and b/shell/stagers/stager.jsp_ differ diff --git a/shell/stagers/stager.php_ b/shell/stagers/stager.php_ index 64f8eacab..54c8930a2 100644 Binary files a/shell/stagers/stager.php_ and b/shell/stagers/stager.php_ differ diff --git a/txt/checksum.md5 b/txt/checksum.md5 index d34a87d36..94ff4745e 100644 --- a/txt/checksum.md5 +++ b/txt/checksum.md5 @@ -46,7 +46,7 @@ ffa5f01f39b17c8d73423acca6cfe86a lib/core/readlineng.py 0c3eef46bdbf87e29a3f95f90240d192 lib/core/replication.py a7db43859b61569b601b97f187dd31c5 lib/core/revision.py fcb74fcc9577523524659ec49e2e964b lib/core/session.py -a333cf1cf7e533c13bf1aec774c82938 lib/core/settings.py +d4f192e51b660e59391dee667f79c652 lib/core/settings.py d0adc28a38e43a787df4471f7f027413 lib/core/shell.py 63491be462c515a1a3880c27c2acc4a2 lib/core/subprocessng.py 505aaa61e1bba3c3d4567c3e667699e3 lib/core/target.py @@ -85,7 +85,7 @@ acc1db3667bf910b809eb279b60595eb lib/takeover/icmpsh.py 703e15714316a8cc4bbe54cdd0a8cb87 lib/takeover/metasploit.py 0fc9b00596df21c8878ef92f513ecad7 lib/takeover/registry.py 48575dde7bb867b7937769f569a98309 lib/takeover/udf.py -1398cb4ee55becf628367854b5310f33 lib/takeover/web.py +19d2b9d1159ce809907ba71c4fae0d4e lib/takeover/web.py d8c10f278e5943b137a222f4cedca59d lib/takeover/xp_cmdshell.py b84d45fc7349caa714f9769b13d70cab lib/techniques/blind/inference.py 1e5532ede194ac9c083891c2f02bca93 lib/techniques/blind/__init__.py @@ -215,14 +215,14 @@ a70cc0ada4b0cc9e7df23cb6d48a4a0c plugins/generic/syntax.py e522c294676ede15bee751107e9bb449 plugins/generic/takeover.py 4419b13a4b78d7e9e4a2632302344a1a plugins/generic/users.py 1e5532ede194ac9c083891c2f02bca93 plugins/__init__.py -b04db3e861edde1f9dd0a3850d5b96c8 shell/backdoors/backdoor.asp_ +5dc693e22f5d020c5c568d7325bd4226 shell/backdoors/backdoor.asp_ 158bfa168128393dde8d6ed11fe9a1b8 shell/backdoors/backdoor.aspx_ 595f711adf1ecb5f3b9a64532b04d8b9 shell/backdoors/backdoor.jsp_ 09fc3ed6543f4d1885e338b271e5e97a shell/backdoors/backdoor.php_ -0e7aba05423c272f051f31165b0e416d shell/stagers/stager.asp_ -c3cc8b7727161e64ab59f312c33b541a shell/stagers/stager.aspx_ -1f7f125f30e0e800beb21e2ebbab18e1 shell/stagers/stager.jsp_ -01e3505e796edf19aad6a996101c81c9 shell/stagers/stager.php_ +ec2ba8c757ac96425dcd2b97970edd3a shell/stagers/stager.asp_ +4e6d2094bd6afe35032fb8bc8a86e83c shell/stagers/stager.aspx_ +0c48ddb1feb7e38a951ef05a0d48e032 shell/stagers/stager.jsp_ +2f9e459a4cf6a58680978cdce5ff7971 shell/stagers/stager.php_ 4eaeef94314956e4517e5310a28d579a sqlmapapi.py 3e2e790c370442c3d98eaa88a3523b15 sqlmap.py 4c3b8a7daa4bff52e01d4168be0eedbe tamper/apostrophemask.py