Challenge Name: phash
Challenge Text: login source
Initial Hint: No Hint
First Hint (when no one solved): Marvel characters (lowercased)
Second Hint: Who was the character that fans speculated would appear in a "Marvel Show" but ultimately did not make an appearance? (Third Hint was provided after first 🩸 was obtained by me)
Challenge Name: Conundrum
Challenge Text: Superuser
Hint: No hint provided
URL: https://challs.aupctf.live/conundrum/
Provided:
POST /xmlrpc.php HTTP/1.1
Host: example.com
Content-Length: 91
Content-Type: application/x-www-form-urlencoded
<methodCall>
<methodName>system.listMethods</methodName>
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# From https://github.com/PortSwigger/turbo-intruder/blob/master/resources/examples/race.py | |
def queueRequests(target, wordlists): | |
engine = RequestEngine(endpoint=target.endpoint, | |
concurrentConnections=30, | |
requestsPerConnection=100, | |
pipeline=False | |
) | |
# the 'gate' argument blocks the final byte of each request until openGate is invoked | |
for i in range(30): |
Exploit Title | WordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting |
Exploit Author | Muhammad Zeeshan (Xib3rR4dAr) |
Date | February 13, 2022 |
Plugin Link | WP-Statistics |
Plugin Active Installations | 600,000+ |
Version | 13.1.5 (Latest) |
Exploit Title | WordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting |
Exploit Author | Muhammad Zeeshan (Xib3rR4dAr) |
Date | February 13, 2022 |
Plugin Link | WP-Statistics |
Plugin Active Installations | 600,000+ |
Version | 13.1.5 (Latest) |
Exploit Title | WordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting |
Exploit Author | Muhammad Zeeshan (Xib3rR4dAr) |
Date | February 13, 2022 |
Plugin Link | WP-Statistics |
Plugin Active Installations | 600,000+ |
Version | 13.1.5 (Latest) |
Exploit Title | WordPress Plugin WP Statistics <= 13.1.5 - Multiple Unauthenticated SQL Injection vulnerabilities |
Exploit Author | Muhammad Zeeshan (Xib3rR4dAr) |
Date | February 13, 2022 |
Plugin Link | WP-Statistics |
Plugin Active Installations | 600,000+ |
Version | 13.1.5 (Latest) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
// For testing XSS is various status codes | |
http_response_code($_GET['rCode']); // User controlled response code | |
echo $_GET['payload']; // User input reflected as it is | |
?> |
Exploit Title | WordPress Plugin Embed Swagger 1.0.0 - Reflected Cross-Site Scripting |
Exploit Author | Muhammad Zeeshan (Xib3rR4dAr) |
Date | January 21, 2022 |
Plugin Link | Embed Swagger |
Version | 1.0.0 (Latest) |
Tested on | Wordpress 5.8.3 |
NewerOlder