Swagshop RCE

Hi, I don't know if this is the right place to do this, but I am stuck with the SwagShop machine. I try to make the RCE work but the script keeps giving me this error:

Traceback (most recent call last):
  File "37811.py", line 56, in <module>
    br['login[username]'] = username
  File "/usr/lib/python2.7/dist-packages/mechanize/_mechanize.py", line 796, in __setitem__
    self.form[name] = val
  File "/usr/lib/python2.7/dist-packages/mechanize/_form_controls.py", line 1963, in __setitem__
    control = self.find_control(name)
  File "/usr/lib/python2.7/dist-packages/mechanize/_form_controls.py", line 2355, in find_control
    return self._find_control(name, type, kind, id, label, predicate, nr)
  File "/usr/lib/python2.7/dist-packages/mechanize/_form_controls.py", line 2446, in _find_control
    description)
mechanize._form_controls.AmbiguityError: more than one control matching name 'login[username]'

If you have any idea how this might be happening, I would love to hear from you.

Thanks in advance

Comments

  • Look at the machine's URL formatting a bit more, you have to modify the script

    clubby789

  • edited October 2019

    @clubby789 said:

    Look at the machine's URL formatting a bit more, you have to modify the script

    Please actually read the post and the error rather than just giving the canned response based on the writeup. This error is not encountered in the writeup or Ippsec video. I get the error too; it's happening when Mechanize tries to log in, rather than when it tries to send the payload, which is the error the modification in the writeup fixes.

    This error results because for whatever reason, Mechanize is seeing multiple username/password fields. The index parameter must be used to select the correct one. Comment out the following in the script:

    #br.form.new_control('text', 'login[username]', {'value': username})  # Had to manually add username control.
    #br.form.fixup()
    #br['login[username]'] = username
    #br['login[password]'] = password
    

    And replace it with this:

    userone = br.find_control(name="login[username]", nr=0)
    userone.value = username
    pwone = br.find_control(name="login[password]", nr=0)
    pwone.value = password
    

    This should fix the issue and allow Mechanize to log in. Note that more modification to the script will be required per the Ippsec video and official write-up.

  • Hi, I'm having the same error. In my case I thought it was because of adding a new login['username'] and login['password'] in the Python code, so it has two of each on the form instead of one. So, just commenting out:

    br.form.new_control('text', 'login[username]', {'value': username}) # Had to manually add username control.

    br.form.fixup()

    fixed THAT issue for me, but then I have an issue later:

    Traceback (most recent call last):
      File "v2.py", line 54, in <module>
        url = url.group(1)
    AttributeError: 'NoneType' object has no attribute 'group'

    Analyzing the request in Burp, what I see is that:
    - It does the POST and in the response there is a cookie called "adminhtml" set with a value.
    - It does the GET to the new location, but this cookie ("adminhtml") is not among the headers, so the response doesn't include the authenticated Admin page but the login one again.
    - If I send this GET request to Burp and manually insert the "adminhtml" cookie among the headers with the value received in response to my POST, it works, meaning I got the proper response with the Admin page content.

    Any help on how to force mechanize to send all the cookies it receives? Any clue why in other writeups they don't need to do that? Maybe the Mechanize version?

    Thanks!

  • I'll answer myself: it seems that mechanize didn't handle the cookie properly because I'm using an entry in "hosts" for the swagshop IP and calling it by name instead of by IP. The redirection then follows an IP, so mechanize notices it is not the same domain and doesn't send the cookie.

    If I try the same, targeting by IP (instead of hostname), it seems to handle the cookies properly.
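
Added example, not part of the thread or of the exploit script: the cookie behaviour described in the comment above, reproduced offline with Python's standard `http.cookiejar` instead of mechanize (assumption: mechanize's jar scopes a cookie that has no Domain attribute to the requesting host in the same way). The hostname, IP address and cookie value are constructed placeholders.

```python
import email
import urllib.request
from http.cookiejar import CookieJar
from urllib.parse import urlsplit

# Constructed sample values: a made-up hosts-file name and a documentation-range IP.
NAME_LOGIN = "http://swagshop.example/index.php/admin/"
IP_LOGIN = "http://192.0.2.10/index.php/admin/"
IP_REDIRECT = "http://192.0.2.10/index.php/admin/dashboard/"
SET_COOKIE = "adminhtml=constructedsessionid; path=/"


class FakeResponse:
    """Stand-in for an HTTP response; CookieJar only calls info() on it."""

    def __init__(self, set_cookie):
        self._headers = email.message_from_string("Set-Cookie: " + set_cookie + "\n\n")

    def info(self):
        return self._headers


def cookie_header_after_redirect(login_url, redirect_url, set_cookie=SET_COOKIE):
    """Return the Cookie header the jar attaches to redirect_url, or None."""
    jar = CookieJar()
    # The login response sets the cookie; with no Domain attribute it is
    # bound to the exact host the login request was sent to.
    jar.extract_cookies(FakeResponse(set_cookie), urllib.request.Request(login_url))
    follow_up = urllib.request.Request(redirect_url)
    jar.add_cookie_header(follow_up)  # adds nothing if the host does not match
    return follow_up.get_header("Cookie")


def explain(login_url, redirect_url):
    """Describe whether the session cookie survives the redirect, and why."""
    sent = cookie_header_after_redirect(login_url, redirect_url)
    set_host = urlsplit(login_url).hostname
    next_host = urlsplit(redirect_url).hostname
    if sent is None and set_host != next_host:
        return "cookie dropped: set for %s, redirect went to %s" % (set_host, next_host)
    return "cookie sent: %s" % sent


if __name__ == "__main__":
    print(explain(NAME_LOGIN, IP_REDIRECT))  # login by name, redirect to IP
    print(explain(IP_LOGIN, IP_REDIRECT))    # login by IP, redirect to IP
```

The jar compares host strings only, so a hosts-file name and the IP it resolves to count as two different sites.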

  • @Jess Hello! Forgive me if I don't format my question properly. This is my first time on here.

    I am getting the same error as you did:
    File "code_exec.py", line 66 in
    url = url.group(1)
    AttributeError: 'NoneType' object has no attribute 'group'

    I see what you wrote about mechanize not handling the cookies properly. Can you please explain exactly what you did to fix this? Where is this entry you are talking about? Is this something I need to edit in my script?

    Really appreciate your help, thank you.

  • Never mind. I was having a totally separate issue. Got it :)

  • @starberry OK, I'm happy you found it :) I hope to be useful next time :)

  • edited May 4

    @desmanado Based on the last line of the error message you are receiving, I think that the mechanize module may have added support for the login[username] control. At the time the exploit was developed, the developer had to create a custom control for it. The exploit is getting confused because now there are two different controls that match that name.

    If you comment out that line in the exploit, you should get past this error:

    mechanize._form_controls.AmbiguityError: more than one control matching name 'login[username]'

    Just revisited this box the other day for exam practice and it worked for me.

  • @Jess said:

    @starberry OK, I'm happy you found it :) I hope to be useful next time :)

    You were incredibly useful!! You helped me fix my mechanize errors! :) Thank you!

  • @starberry You're welcome, I'm glad you fixed that.
