
README.md

Lightshot Filename Path Disclosure (POC)

This proof of concept shows how the Lightshot screenshot hosting service can be easily crawled without any restriction.
This weakness was first discovered with Naïm GALLOUJ.
Script Author : Charles SENGES (me, btw).

Update !

Seems like Cloudflare protection has been added since. May bypass this later. If you have any suggestion, just drop me an email.

Monster-Geek : Bash crawler seems to crawl slowly but without getting banned. Python script got banned pretty fast...

Usage

$  ./pull.sh <url> <number of level>
  • URL : Your starting point
  • Levels : How many trailing characters of the URL are enumerated. (See examples)

Examples

$  ./pull.sh https://prnt.sc/abc123 1

Will go from https://prnt.sc/abc120 to https://prnt.sc/abc12z
Could also be seen as https://prnt.sc/abc12*

In the same way :

$  ./pull.sh https://prnt.sc/abc123 6

Could be seen as https://prnt.sc/******. The script would then crawl the whole website (could be long if you don't have a quantum computer (I know a quantum computer wouldn't help but.. come on))
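From the hosting side, the level mechanism above leaves a recognisable trace: one client requesting most of the IDs under a shared prefix. The following is an added example, not code from this repository; the `(client, path)` log shape, the function names and the 50% coverage threshold are assumptions, and the sample requests are constructed.

```python
from collections import defaultdict

# Alphabet inferred from the README's abc120..abc12z range (assumption).
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"

def keyspace(levels):
    """Candidate IDs when the last `levels` characters are wildcarded."""
    return len(ALPHABET) ** levels

def flag_enumeration(requests, levels=1, threshold=0.5):
    """Flag clients that requested at least `threshold` of the IDs under one prefix.

    requests: iterable of (client, path) pairs, e.g. parsed from an access log.
    Returns {client: [prefix, ...]}.
    """
    seen = defaultdict(set)  # (client, prefix) -> distinct IDs requested
    for client, path in requests:
        ident = path.strip("/").lower()
        if len(ident) <= levels or any(c not in ALPHABET for c in ident):
            continue  # not a screenshot ID, ignore
        seen[(client, ident[:-levels])].add(ident)
    flagged = defaultdict(list)
    for (client, prefix), ids in seen.items():
        # Coverage = share of the prefix's keyspace this client has touched.
        if len(ids) / keyspace(levels) >= threshold:
            flagged[client].append(prefix)
    return {client: sorted(prefixes) for client, prefixes in flagged.items()}

# Constructed sample: one client walks abc120..abc12t, another views three unrelated IDs.
SAMPLE = [("203.0.113.7", "/abc12" + c) for c in ALPHABET[:30]]
SAMPLE += [("198.51.100.4", p) for p in ("/k3x9qa", "/m00b1e", "/abc123")]

if __name__ == "__main__":
    print(keyspace(1), keyspace(6))
    print(flag_enumeration(SAMPLE))
```

`keyspace(6)` also shows why the six-character ID space is small enough to walk in full, which is the root of the weakness.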

References

  • Korben published an article about this weakness.