Other types inputs issues #2

Open
opened 2020-03-16 11:54:18 +01:00 by kaczalapa · 1 comment
kaczalapa commented 2020-03-16 11:54:18 +01:00 (Migrated from github.com)

Hi!
I have just tested your script and I have found issues with input types other than JSON.

Burp suite request snapshot:

```
POST /bWAPP/commandi.php HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<IP>/bWAPP/commandi.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Connection: close
Cookie: security_level=1; PHPSESSID=2871ed8afbfcd800836a8111df1522da
Upgrade-Insecure-Requests: 1

target=www.nsa.gov&form=submit
```

command: `./mando.me.py --url "http://<IP>/bWAPP/commandi.php" --cookie "http://<IP>/bWAPP/commandi.php" --post "target=_INJECT_&form=submit"`

Logs:

```
[*] Testing different injection techniques
 [*] METHOD: Result based injection

 [-] Something went wrong. Terminating program.


Traceback (most recent call last):
 File "./mando.me.py", line 2339, in <module>
   if __name__ == "__main__": main(sys.argv[1:])
 File "./mando.me.py", line 2259, in main
   CommandInjector.init()
 File "./mando.me.py", line 1945, in init
   CommandInjector.exploit()
 File "./mando.me.py", line 2151, in exploit
   if technique() and not _gs["url_stager"] == None:
 File "./mando.me.py", line 2034, in technique_result_based
   if _placeholder == interactor("echo " + _placeholder).strip():
 File "./mando.me.py", line 2013, in interactor
   request = urllib.request.Request(url, headers=urllib.parse.urlencode(json.loads(_gs["post"].replace("'", "\"").replace("_INJECT_", "\"" + special + command + "\""))))
 File "/usr/lib/python3.7/json/__init__.py", line 348, in loads
   return _default_decoder.decode(s)
 File "/usr/lib/python3.7/json/decoder.py", line 337, in decode
   obj, end = self.raw_decode(s, idx=_w(s, 0).end())
 File "/usr/lib/python3.7/json/decoder.py", line 355, in raw_decode
   raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
None
```

Tested on: python 2.7.17 and 3.7.6

Please take a look at that, if you are still working with this tool :)
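The failure in the traceback above can be reproduced offline, next to a body builder that accepts both JSON and form-urlencoded templates. This is an added example, not mando.me code: `old_style_parse` and `build_body` are hypothetical names, and the JSON branch assumes the placeholder sits inside a quoted string value.

```python
import json
from urllib.parse import parse_qsl, urlencode

PLACEHOLDER = "_INJECT_"


def old_style_parse(template, value):
    """Mirror the expression on line 2013 of the traceback: swap quotes,
    substitute the placeholder as a quoted string, then json.loads()."""
    text = template.replace("'", '"').replace(PLACEHOLDER, '"' + value + '"')
    return json.loads(text)  # raises JSONDecodeError on "a=b&c=d" input


def _fill(node, value):
    """Substitute the placeholder inside a parsed JSON structure."""
    if isinstance(node, dict):
        return {k: _fill(v, value) for k, v in node.items()}
    if isinstance(node, list):
        return [_fill(v, value) for v in node]
    if isinstance(node, str):
        return node.replace(PLACEHOLDER, value)
    return node


def build_body(template, value):
    """Return (content_type, body_bytes) for a JSON or form template."""
    if template.lstrip().startswith(("{", "[")):
        # Assumption: JSON templates carry "_INJECT_" inside a string value.
        # Filling the parsed document keeps quotes in `value` escaped.
        doc = _fill(json.loads(template), value)
        return "application/json", json.dumps(doc).encode()
    # Anything else is treated as application/x-www-form-urlencoded.
    # strict_parsing rejects malformed templates instead of dropping fields.
    pairs = parse_qsl(template, keep_blank_values=True, strict_parsing=True)
    filled = [(k, v.replace(PLACEHOLDER, value)) for k, v in pairs]
    return "application/x-www-form-urlencoded", urlencode(filled).encode()


if __name__ == "__main__":
    template = "target=_INJECT_&form=submit"  # the --post value from the report
    try:
        old_style_parse(template, "www.nsa.gov")
    except json.JSONDecodeError as exc:
        print("old path:", exc)
    print("new path:", build_body(template, "www.nsa.gov"))
```

With the value from the captured request, the form branch yields a 30-byte body, matching the `Content-Length: 30` header in the Burp snapshot.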

z0noxz commented 2020-03-16 14:05:01 +01:00 (Migrated from github.com)

Development of mando.me has kinda ceased, as I have moved to other projects and
simply lack the time. If you are willing please send a pull request for a fix.

https://github.com/z0noxz/mando.me/issues/2

Reference: public/mando.me#2