Open marius-benthin opened 5 years ago
Since I'm 95% sure you are doing the same lab that made me develop this exploit, I'm leaving it to you to find a workaround.
Good luck!
Hey there,
any chance you can give some sort of hint? I've been struggling with the same issue as @marius-benthin for a few days.
Try to understand the bug behind it. Read the advisory from sektioneins.
Some parts of the exploit data can be omitted or shortened. PHP has other filters that do not expand the length, like base64 does. Maybe you can split exploiting this into multiple parts and first drop a different, shorter kind of file?
It depends on the scenario. Oh and check if it really is the correct version. I remember multiple different Piwik challenges.
Hey guys,
I am stuck at the same issue. Did any of you get a working solution or any more hints?
Tried to shorten it as much as possible, but still no success. Splitting it into multiple parts might be an option, but I have no clue how to do that ;D
Thanks
Hi, I also did the lab a while ago. If I remember correctly you do not need to shorten or split it at all. And I am not sure if you are using the correct cookie.
Just keep digging :smile:
Thanks for your answer. Actually, I am not sure if I am using the correct cookie 😄. I installed this old Piwik version on a separate VM and did a successful login. I then modified this cookie, added the value from the PHP exploit, and used it on the machine I am trying to get into.
I'm stuck at this as well. I tried shortening the cookie by entirely removing the Zend_Config object because it doesn't seem to be necessary, right? At least when looking at the source code provided by sektioneins it doesn't seem to be used in the exploit. All the variables
$configFileUpdated
$doWriteFileWhenUpdated
$correctCwd
$pathIniFileUserConfig
$userConfig
seem to be necessary. The problem is that even if I shorten everything down to the minimum, the cookie is still much longer than 128 characters. Could somebody help me out here?
Hello Alexeyan, I am currently trying to exploit a test machine with Piwik 0.4.5 installed on it. Unfortunately this version validates the session cookie length, which cannot be longer than 128 characters. Do you have any suggestion for reducing the cookie length down to 128 chars?