diff --git a/lib/core/common.py b/lib/core/common.py
index 67362973c..815f47035 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -304,7 +304,7 @@ def getDocRoot(webApi=None):
     pagePath = directoryPath(conf.path)
 
     if kb.os == "Windows":
-        if webApi == "php":
+        if webApi in ("php", "jsp"):
             defaultDocRoot = "C:/xampp/htdocs/"
         else:
             defaultDocRoot = "C:/Inetpub/wwwroot/"
@@ -361,7 +361,7 @@ def getDirs(webApi=None):
     directories = set()
 
     if kb.os == "Windows":
-        if webApi == "php":
+        if webApi in ("php", "jsp"):
             defaultDirs = ["C:/xampp/htdocs/"]
         else:
             defaultDirs = ["C:/Inetpub/wwwroot/"]
diff --git a/lib/takeover/web.py b/lib/takeover/web.py
index a21c09edb..2ed0ecfd8 100644
--- a/lib/takeover/web.py
+++ b/lib/takeover/web.py
@@ -76,7 +76,7 @@ class Web:
     def __webFileStreamUpload(self, stream, destFileName, directory):
         stream.seek(0) # Rewind
 
-        if self.webApi in ("php", "asp"):
+        if self.webApi in ("php", "asp", "aspx", "jsp"):
             multipartParams = {
                 "upload": "1",
                 "file": stream,
@@ -93,9 +93,6 @@ class Web:
             else:
                 return True
 
-        elif self.webApi == "jsp":
-            return False
-
     def __webFileInject(self, fileContent, fileName, directory):
         outFile = posixpath.normpath("%s/%s" % (directory, fileName))
         uplQuery = fileContent.replace("WRITABLE_DIR", directory.replace('/', '\\') if kb.os == "Windows" else directory)
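Review bot: Mapping `jsp` to `C:/xampp/htdocs/` in the new condition is most likely the wrong document root: on a XAMPP install that directory is served by Apache, while JSP pages are handled by the bundled Tomcat, whose default webroot is typically `C:/xampp/tomcat/webapps/ROOT/`, so a stager dropped into htdocs would be served as plain text rather than executed. A separate branch, `elif webApi == "jsp": defaultDocRoot = "C:/xampp/tomcat/webapps/ROOT/"`, would be safer, and the exact layout should be confirmed against the XAMPP versions the tool targets. getDocRoot's body continues outside the hunk.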
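Review bot: The `("php", "jsp")` tuple added here duplicates the identical tuple in getDocRoot and must also stay in step with the language list offered by the takeover prompt; a module-level constant such as `XAMPP_WEB_APIS = ("php", "jsp")` referenced from both functions would keep them from drifting apart. As in getDocRoot, whether `C:/xampp/htdocs/` is a sensible guess for JSP rather than Tomcat's webapps directory deserves a check. getDirs's body continues outside the hunk.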
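Review bot: Removing the `elif self.webApi == "jsp": return False` branch leaves __webFileStreamUpload without any fallthrough for an unrecognised `self.webApi`, so the method now ends with an implicit `None` instead of the explicit `False` the old code returned; a caller that tests the result with `is False` or logs the outcome will behave differently. Adding an explicit `return False` after the `if` block, or raising on an unsupported value, keeps the return contract unambiguous. The method's header and the `if` guard are in the preceding hunk and the middle of its body is not shown.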
@@ -124,30 +121,34 @@ class Web:
         message = "which web application language does the web server "
         message += "support?\n"
         message += "[1] ASP%s\n" % (" (default)" if kb.os == "Windows" else "")
-        message += "[2] PHP%s\n" % ("" if kb.os == "Windows" else " (default)")
-        message += "[3] JSP"
+        message += "[2] ASPX\n"
+        message += "[3] PHP%s\n" % ("" if kb.os == "Windows" else " (default)")
+        message += "[4] JSP"
 
         while True:
             choice = readInput(message, default="1" if kb.os == "Windows" else "2")
 
-            if not choice or choice == "2":
-                self.webApi = "php"
-                break
-
-            elif choice == "1":
+            if choice == "1":
                 self.webApi = "asp"
                 break
 
+            elif choice == "2":
+                self.webApi = "aspx"
+                break
+
             elif choice == "3":
-                errMsg = "JSP web backdoor functionality is not yet "
-                errMsg += "implemented"
-                raise sqlmapUnsupportedDBMSException(errMsg)
+                self.webApi = "php"
+                break
+
+            elif choice == "4":
+                self.webApi = "jsp"
+                break
 
             elif not choice.isdigit():
                 logger.warn("invalid value, only digits are allowed")
 
-            elif int(choice) < 1 or int(choice) > 3:
-                logger.warn("invalid value, it must be 1 or 3")
+            elif int(choice) < 1 or int(choice) > 4:
+                logger.warn("invalid value, it must be between 1 and 4")
 
         kb.docRoot = getDocRoot(self.webApi)
         directories = getDirs(self.webApi)
@@ -188,7 +189,12 @@ class Web:
                 warnMsg = "unable to upload the file stager "
                 warnMsg += "on '%s'" % directory
                 logger.warn(warnMsg)
+                continue
+            elif "<%" in uplPage or "
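Review bot: The unchanged `readInput(message, default="1" if kb.os == "Windows" else "2")` now selects ASPX on non-Windows targets, because the hunk renumbers PHP from 2 to 3 while the menu text still marks PHP as "(default)" there, so a user pressing Enter against a Linux target gets an ASPX stager the server will not execute. Change the default to `default="1" if kb.os == "Windows" else "3"`. The removed `if not choice or choice == "2"` also accepted an empty answer explicitly, whereas the new chain relies on readInput substituting the default; that is worth confirming, since an empty string would otherwise fall through to the `isdigit()` warning. The enclosing method starts and ends outside the hunk.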