#!/usr/bin/env python3
"""Known-plaintext keystream recovery against a ChaCha20-encrypted session cookie.

What the visible steps do:

1. Call ``/login`` with a chosen username and receive ``cookie`` (the
   ciphertext, encoded as an integer) plus the ``nonce`` the server used.
2. Guess the exact plaintext the server encrypted (same field layout, same
   ``expires`` value) and XOR it with the ciphertext to recover the keystream.
3. XOR a different plaintext with that keystream and send it to ``/flag``
   together with the *same* nonce.

Why this matters for defenders: a stream cipher such as ChaCha20 is only as
strong as the uniqueness of its (key, nonce) pair, and the ciphertext itself
carries no integrity.  If a server decrypts with a client-supplied nonce and
does not authenticate the ciphertext, anyone who can guess one plaintext can
rewrite every field of the cookie.  Mitigations: generate a fresh random nonce
per encryption on the server side (never accept it from the client), and use
an AEAD construction (e.g. ChaCha20-Poly1305) or a MAC over the ciphertext so
that a tampered cookie is rejected before it is parsed.
"""

from Cryptodome.Cipher import ChaCha20          # not referenced below; the XOR work is done by hand
from Cryptodome.Random import get_random_bytes  # not referenced below
from Cryptodome.Util.number import long_to_bytes, bytes_to_long
import time
from random import randint                      # not referenced below
from pwn import *                               # not referenced below (wildcard import)
import base64                                   # not referenced below
import requests
import time                                     # duplicate of the import above (harmless)
from requests.utils import cookiejar_from_dict  # not referenced below

# Challenge endpoints; the commented-out pair below points at a local instance.
LOGIN ="http://130.192.5.212:6522/login"
FLAG = "http://130.192.5.212:6522/flag"

#LOGIN="http://127.0.0.1:5000/login"
#FLAG="http://127.0.0.1:5000/flag"

# expire = 1.748.345.396   (presumably an example 'expires' value, written with thousands separators)

# Query parameters for /login.  'admin':1 is sent as-is; whether the server
# honours it or overrides it is not visible from this script.
PARAMS = {"username":'aa','admin':1}

# Local clock at request time.  The keystream guess below assumes the server
# derives 'expires' from the same second -- a one-second skew changes the last
# digits of the guessed plaintext and therefore corrupts the keystream there.
givenTime = int(time.time())

# NOTE(review): despite the names, minAdminDate is the *later* timestamp
# (10 days back) and maxAdminDate the earlier one (259 days back).
minAdminDate = givenTime - 10 * 24 * 60 * 60
maxAdminDate = givenTime - 259 * 24 * 60 * 60
avgAdminDate = int((minAdminDate + maxAdminDate)/2)   # computed but not used below

# Guessed cookie lifetime: 30 days from now.
expire_date = givenTime + 30 * 24 * 60 * 60

# The three values below are computed but not used anywhere in this script.
eMin = expire_date - minAdminDate
eMax = expire_date - maxAdminDate
eAvg = (eMin+eMax) / 2

# Guessed plaintext.  For the recovered keystream to be right it must match
# the server's plaintext byte-for-byte; any deviation (field order, spacing,
# a different 'expires' digit) yields wrong keystream bytes at that position.
plaintext = f"username={PARAMS['username']}&expires={expire_date}&admin={PARAMS['admin']}"
plaintext = plaintext.encode()

s = requests.Session()
r = s.get(url=LOGIN,params=PARAMS)

# The server returns the ciphertext as an integer.  long_to_bytes produces the
# minimal big-endian encoding, so a ciphertext whose first byte is 0x00 comes
# back one byte shorter than the plaintext -- the length print is the sanity
# check for that case.
cookie= r.json()['cookie']
cookie = long_to_bytes(cookie)
print(f"Cookie encrypted len:{len(cookie)}, Plaintext len:{len(plaintext)}")

# The nonce the server used; it is echoed back unchanged with the forgery.
nonce = r.json()['nonce']

# Stream cipher: C = P XOR KS, hence KS = C XOR P.  zip() silently stops at
# the shorter input, so the keystream is only as long as both buffers.
ks = bytes([c ^ p for c,p in zip(cookie, plaintext)])

print(f"Keystream len:{len(ks)}")

# Runs exactly once; range(1) just leaves room for retrying with other guesses.
# NOTE(review): the loop body's indentation was lost in the paste; the lines
# through print(f.text) are treated as the body -- confirm against the original.
for i in range(1):

    # maxAdminDate + 295 days == givenTime + 36 days.  The value is chosen so
    # the 'expires' field keeps the same digit count as the guessed one
    # (both are 10-digit epoch timestamps at the time of writing); a length
    # change would shift every following byte out of alignment with ks.
    payload = f"username={PARAMS['username']}&expires={maxAdminDate + 295 * 24 * 60 * 60}&admin={1}".encode()

    # Re-encrypt the forged plaintext under the recovered keystream.
    cookie = bytes([p ^ k for p,k in zip(payload,ks)])
    print(f"Malicious cookie len:{len(cookie)}")

    # Sent with the original nonce: the forgery only decrypts to 'payload' if
    # the server reuses the client-supplied nonce with the same key and does
    # not authenticate the ciphertext.
    COOKIES = {'cookie':bytes_to_long(cookie),'nonce':nonce}
    f = s.get(url=FLAG,params=COOKIES)
    print(f.text)

##########
|