Skip to content

Instantly share code, notes, and snippets.

View stypr's full-sized avatar
Be Lazy~

Harold Kim stypr

Be Lazy~
View GitHub Profile
stypr / polluted_web.js
Last active May 1, 2024 07:54
maildev preauth RCE 0day
'use strict'
* MailDev - routes.js
const express = require('express')
const compression = require('compression')
const pkg = require('../package.json')
const { filterEmails } = require('./utils')
stypr /
Last active August 3, 2022 17:02
Bird2 connectivity checker (upstream, downstream, exchanges)
#!/usr/bin/python3 -u
#-*- coding: utf-8 -*-
Simple tool for checking Bird2 connectivity (for personal use)
Developed by AS400671 (
You can use description to set speed, countries and names of providers.
stypr /
Created June 12, 2022 10:13
picoCTF 2022 liveart / noted exploit


Exploiting a react app by customElement and is=is pollution


  1. There is a bug with the hydration, so we can pollute prop of the <img> tag.
  2. Error message is triggered when the window.width < 600. Interestingly, location.hash fills the props upon displaying the error message.
  3. When the error message is shown and you try to resize your window.width > 600, <img> is shown again.
  4. Since there is a dehydration bug, prop gets filled with the existing location.hash, making it possible to add additional attributes on the `` tag.
stypr / exploit.js
Last active May 30, 2022 02:41
DEFCON 30 discoteq exploit PoC
// run before send
const originalSend = WebSocket.prototype.send;
window.sockets = [];
WebSocket.prototype.send = function(...args) {
if (window.sockets.indexOf(this) === -1)
return, ...args);
// run after send
stypr /
Last active December 16, 2021 20:32 Telegram Bot
from telegram.ext import Updater
from telegram.ext import CommandHandler
import telegram
import requests
token = "{TELEGRAM TOKEN}"
mention_user = ["stypr", "stypr_jp"]
bugcamp_data = {}
def bugcamp():
stypr /
Last active November 24, 2021 19:43
BingoCTF 2020: Web - Guestbook [Hard]

web: guestbook writeup

Checking configs/worker


Docker-compose is build in a way that

  1. private has flag in /flag
  2. redis / worker are used. this is only used for admin to check the challenge.
stypr /
Last active April 19, 2021 08:15
BingoCTF 2020: Web - simpleboard [Medium]

web: simpleboard writeup

Let's check the main page's source code by view-source (view-source:

As wee see in the following, server loads an image from a website.

        <h3 class="text-center text-white pt-5"><img src="/?image=6c6f676f.png"></h3>

Let's take a look at the function in init.php that loads the image.

stypr /
Last active April 19, 2021 08:15
BingoCTF 2020: Web - Temporary [Easy]

web: temporary writeup

There are two instances namely public and internal. We can get the address of public by leaking $_SERVER['REMOTE_ADDR"] in phpinfo.php?phpinfo

stypr /
Last active June 15, 2020 11:35
DEFCON Quals Web exploit (Participated as r3kapig)


  1. Write one comment
  2. When writing a comment content, do SSTI to leak author's credentials
{'__name__': 'app.loaddata', '__doc__': None, '__package__': 'app', '__loader__': <_frozen_importlib_external.SourceFileLoader object at 0x7fa912f51670>, '__spec__': ModuleSpec(name='app.loaddata', loader=<_frozen_importlib_external.SourceFileLoader object at 0x7fa912f51670>, origin='./app/'), '__file__': './app/', '__cached__': './app/__pycache__/loaddata.cpython-38.pyc', '__builtins__': {'__name__': 'builtins', '__doc__': "Built-in functions, exceptions, and other objects.\n\nNoteworthy: None is the `nil' object; Ellipsis represents `...' in slices.", '__package__': '', '__loader__': , '__spec__': ModuleSpec(name='builtins', loader=), '__build_class__': , '__import__': , 'abs': , 'all': , 'any': , 'ascii': , 'bin': , 'breakpoint': , 'callable': , 'chr': , 'compile': , 'delattr': , 'dir': , 'divmod': , 'eval': , 'exec': , 'format':