You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Dec 6, 2023. It is now read-only.
Currently, your mimikatz results parsing with --mimikatz option could generate an exception.
Send a raw HTTP POST request with the following body `
Password: toto
Domain: toto
User: titi
Your buf variable is equal to ['Password: totoDomain: totoUser: titi'] so only 1 item
See the following bug related to non existent index in the bug variable
192.168.11.136 - - [08/Nov/2015 19:01:07] "POST /toto HTTP/1.1" 200 -
----------------------------------------
Exception happened during processing of request from ('192.168.11.136', 56129)
Traceback (most recent call last):
File "C:\Python27\lib\SocketServer.py", line 295, in _handle_request_noblock
self.process_request(request, client_address)
File "C:\Python27\lib\SocketServer.py", line 321, in process_request
self.finish_request(request, client_address)
File "C:\Python27\lib\SocketServer.py", line 334, in finish_request
self.RequestHandlerClass(request, client_address, self)
File "C:\Python27\lib\SocketServer.py", line 655, in __init__
self.handle()
File "C:\Python27\lib\BaseHTTPServer.py", line 340, in handle
self.handle_one_request()
File "C:\Python27\lib\BaseHTTPServer.py", line 328, in handle_one_request
method()
File "crackmapexecwin.py", line 266, in do_POST
user = buf[i-2].split(':')[1].strip()
IndexError: list index out of range
Relying on receiving a good CRLF formatted input is not really reliable.
More over you could even try to parse the result before writing anything (for instance with that implementation) because as the attacker has a listening web server on for that feature, he could be attacked by automated scanner that would fill its disk with wrong/polluted data :)
The text was updated successfully, but these errors were encountered:
Hello @byt3bl33d3r,
Currently, your mimikatz results parsing with
--mimikatz
option could generate an exception.buf
variable is equal to['Password: totoDomain: totoUser: titi']
so only 1 itemRelying on receiving a good CRLF formatted input is not really reliable.
More over you could even try to parse the result before writing anything (for instance with that implementation) because as the attacker has a listening web server on for that feature, he could be attacked by automated scanner that would fill its disk with wrong/polluted data :)
The text was updated successfully, but these errors were encountered: