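'''
getShell.py

Copyright 2006 Andres Riancho

This file is part of w3af, w3af.sourceforge.net .

w3af is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 2 of the License.

w3af is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with w3af; if not, write to the Free Software Foundation, Inc.,
51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

'''

import core.controllers.outputManager as om
import core.data.kb.knowledgeBase as kb
import core.data.parsers.urlParser as urlParser
from core.controllers.w3afException import w3afException
import os,time
import os.path
import urllib


# Directory holding the cmd.* shell sources. The path is relative, so it is
# resolved against the current working directory (presumably the w3af root
# is the working directory when plugins run; not verified in this file).
_SHELL_DIR = os.path.join( 'plugins', 'attack', 'shells' )

# Messages shown when a shell that has not been fully tested is selected.
_ASP_WARNING = 'ASP Shell hasnt been tested, please report any issues. '
_JSP_WARNING = 'JSP Shell hasnt been tested, please report any issues. '


def _shellPath( name ):
    '''
    Return the path of one of the shipped shell source files.

    @parameter name: File name inside the shells directory, e.g. 'cmd.php'.
    @return: The path joined with os.path.join (no string concatenation of
    os.path.sep, which the previous implementation did by hand).
    '''
    return os.path.join( _SHELL_DIR, name )


def _readShell( filename ):
    '''
    Read and return the complete content of a shell source file.

    @parameter filename: Path returned by _shellPath.
    @return: The file content as read by file.read().
    @raise w3afException: When the file can not be opened. Only IOError and
    OSError are caught; the previous bare "except:" also swallowed
    KeyboardInterrupt and SystemExit, which hid real problems.
    '''
    try:
        cmdFile = open( filename )
    except (IOError, OSError):
        raise w3afException('Failed to open filename: ' + filename )
    # try/finally instead of "with" to stay compatible with the Python
    # versions this file was written for; the handle is closed even if read()
    # raises.
    try:
        return cmdFile.read()
    finally:
        cmdFile.close()


def getShell( extension, forceExtension=False ):
    '''
    This method returns a webshell content to be used in exploits, based on
    the extension, or based on the x-powered-by header.

    Plugins calling this function, should depend on "discovery.serverHeader"
    if they want to use the complete power if this function.

    @parameter extension: Extension of the vulnerable remote script (e.g.
    'php'); matched case-insensitively as a substring.
    @parameter forceExtension: When True the "powered by" header stored in
    the knowledge base is ignored and only the extension is used.
    @return: A tuple (fileContent, realExtension) where fileContent is the
    shell source and realExtension is the extension of the chosen shell
    (equal to the extension parameter when the extension branch is used).
    @raise w3afException: When no shipped shell matches, or when the chosen
    shell file can not be opened.
    '''
    realExtension = extension
    poweredBy = kb.kb.getData( 'serverHeader' , 'poweredBy' )
    filename = ''

    if poweredBy != [] and not forceExtension:
        # Using the powered By header. This value was sent by the remote
        # server, so it is only compared against a fixed set of candidates
        # and never used to build a path. getData() is assumed to return a
        # string here (and [] when nothing was stored) - TODO confirm.
        poweredByLower = poweredBy.lower()
        if 'php' in poweredByLower:
            filename = _shellPath( 'cmd.php' )
            realExtension = 'php'
        elif 'asp' in poweredByLower:
            filename = _shellPath( 'cmd.asp' )
            om.out.information( _ASP_WARNING )
            realExtension = 'asp'
        # Python doesnt send a "powered by" header
        elif extension.lower() == 'py':
            filename = _shellPath( 'cmd.py' )
            realExtension = 'py'
        elif 'jsp' in poweredByLower:
            filename = _shellPath( 'cmd.jsp' )
            om.out.information( _JSP_WARNING )
            realExtension = 'jsp'
    else:
        # Using the extension
        extensionLower = extension.lower()
        if 'php' in extensionLower:
            filename = _shellPath( 'cmd.php' )
        elif 'asp' in extensionLower:
            filename = _shellPath( 'cmd.asp' )
            om.out.information( _ASP_WARNING )
        elif 'py' in extensionLower:
            filename = _shellPath( 'cmd.py' )
        elif 'jsp' in extensionLower:
            filename = _shellPath( 'cmd.jsp' )
            om.out.information( _JSP_WARNING )

    if filename == '':
        raise w3afException('Could not find any cmd shell that matches the remote system.' )

    fileContent = _readShell( filename )
    return fileContent, realExtension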